author | Nick Wellnhofer <wellnhofer@aevum.de> | 2018-01-16 18:59:02 +0100 |
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2018-01-16 19:01:55 +0100 |
commit | 8bd32f7753ac253a54279a0b6a88d15a57076bb0 (patch) | |
tree | 30d53c83f9598892e7658d58ab0156c473ede56c | |
parent | 840c8e2b6ab33a02374d7a097868649e492da768 (diff) | |
download | libxslt-8bd32f7753ac253a54279a0b6a88d15a57076bb0.tar.gz |
Fix handling of RVTs returned from nested EXSLT functions
Set the context variable to NULL when evaluating EXSLT functions.
Fixes potential use-after-free errors or memory leaks.
Fixes bug 792580. Thanks to Clemens Gutweiler for the report.
https://bugzilla.gnome.org/show_bug.cgi?id=792580
-rw-r--r-- | libexslt/functions.c | 4 | ||||
-rw-r--r-- | tests/docs/bug-209.xml | 1 | ||||
-rw-r--r-- | tests/general/bug-209.out | 2 | ||||
-rw-r--r-- | tests/general/bug-209.xsl | 21 |
4 files changed, 28 insertions, 0 deletions
diff --git a/libexslt/functions.c b/libexslt/functions.c
index 74dea1a2..2b83ca34 100644
--- a/libexslt/functions.c
+++ b/libexslt/functions.c
@@ -292,6 +292,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
     exsltFuncFunctionData *func;
     xmlNodePtr paramNode, oldInsert, fake;
     int oldBase;
+    void *oldCtxtVar;
     xsltStackElemPtr params = NULL, param;
     xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt);
     int i, notSet;
@@ -430,11 +431,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
     fake = xmlNewDocNode(tctxt->output, NULL,
                          (const xmlChar *)"fake", NULL);
     oldInsert = tctxt->insert;
+    oldCtxtVar = tctxt->contextVariable;
     tctxt->insert = fake;
+    tctxt->contextVariable = NULL;
     xsltApplyOneTemplate (tctxt, tctxt->node,
                           func->content, NULL, NULL);
     xsltLocalVariablePop(tctxt, tctxt->varsBase, -2);
     tctxt->insert = oldInsert;
+    tctxt->contextVariable = oldCtxtVar;
     tctxt->varsBase = oldBase; /* restore original scope */
     if (params != NULL)
         xsltFreeStackElemList(params);
diff --git a/tests/docs/bug-209.xml b/tests/docs/bug-209.xml
new file mode 100644
index 00000000..69d62f2c
--- /dev/null
+++ b/tests/docs/bug-209.xml
@@ -0,0 +1 @@
+<doc/>
diff --git a/tests/general/bug-209.out b/tests/general/bug-209.out
new file mode 100644
index 00000000..e829790a
--- /dev/null
+++ b/tests/general/bug-209.out
@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<result/>
diff --git a/tests/general/bug-209.xsl b/tests/general/bug-209.xsl
new file mode 100644
index 00000000..fe69ac6f
--- /dev/null
+++ b/tests/general/bug-209.xsl
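Review bot: The three added lines that save, clear and restore `tctxt->contextVariable` around `xsltApplyOneTemplate` carry no comment saying why the function body must run with no context variable, and the reason is not recoverable from the code alone. I would add above `tctxt->contextVariable = NULL;` a comment along the lines of `/* Run the body with no context variable so RVTs created by a nested func:result are not attached to the caller's variable (bug 792580) -- see commit message */`, since the mechanism is inferred from the commit description rather than from visible code. The save/restore pairing looks correct within the hunk, but exsltFuncFunctionFunction starts and ends outside both hunks, so it is worth confirming there is no early return between the two new assignments that would leave contextVariable cleared for the caller. Because the fix targets a use-after-free or leak, the new bug-209 test only catches it when the suite runs under ASan or valgrind; plain output comparison would pass either way.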
@@ -0,0 +1,21 @@
+<xsl:stylesheet
+    version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:func="http://exslt.org/functions"
+    extension-element-prefixes="func">
+
+  <xsl:template match="/">
+    <xsl:variable name="v" select="func:a()" />
+    <xsl:copy-of select="$v"/>
+  </xsl:template>
+
+  <func:function name="func:a">
+    <func:result select="func:b()" />
+  </func:function>
+
+  <func:function name="func:b">
+    <func:result>
+      <result/>
+    </func:result>
+  </func:function>
+</xsl:stylesheet>
|