Fix NULL deref in xsltDefaultSortFunctionv1.1.30-rc1

An evaluation error in a secondary sort key could lead to a NULL pointer
dereference.

Thanks to Nicolas Gregoire for the report.

Fixes bug 785588.

5 files changed, 24 insertions, 0 deletions

diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
index c250ccfa..6bd8ed06 100644
--- a/libxslt/xsltutils.c
+++ b/libxslt/xsltutils.c
@@ -1249,6 +1249,8 @@ xsltDefaultSortFunction(xsltTransformContextPtr ctxt, xmlNodePtr *sorts,
 			if (res[j] == NULL) {
 			    if (res[j+incr] != NULL)
 				tst = 1;
+			} else if (res[j+incr] == NULL) {
+			    tst = -1;
 			} else {
 			    if (numb) {
 				/* We make NaN smaller than number in
diff --git a/tests/docs/bug-208.xml b/tests/docs/bug-208.xml
new file mode 100644
index 00000000..5d3529ae
--- /dev/null
+++ b/tests/docs/bug-208.xml
@@ -0,0 +1,8 @@
+<a>
+  <b>
+    <c>
+      <d1><d2/></d1>
+    <e/>
+    </c>
+  </b>
+</a>
diff --git a/tests/general/bug-208.err b/tests/general/bug-208.err
new file mode 100644
index 00000000..02c97121
--- /dev/null
+++ b/tests/general/bug-208.err
@@ -0,0 +1,6 @@
+XPath error : Undefined namespace prefix
+XPath error : Undefined namespace prefix
+XPath error : Undefined namespace prefix
+XPath error : Undefined namespace prefix
+XPath error : Undefined namespace prefix
+no result for ./../docs/bug-208.xml
diff --git a/tests/general/bug-208.out b/tests/general/bug-208.out
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/general/bug-208.out
diff --git a/tests/general/bug-208.xsl b/tests/general/bug-208.xsl
new file mode 100644
index 00000000..322b58dc
--- /dev/null
+++ b/tests/general/bug-208.xsl
@@ -0,0 +1,8 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+  <xsl:template match="/">
+    <xsl:for-each select="//.">
+      <xsl:sort/>
+      <xsl:sort select="*[a:b]"/>;
+    </xsl:for-each>
+  </xsl:template>
+</xsl:stylesheet>