diff options
| author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:53:59 +0100 |
|---|---|---|
| committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:55:37 +0100 |
| commit | cf0e40eda5ad6a3a4e6c85ce52239d6042293599 (patch) | |
| tree | 41a7dc64da5f76409f5ce4964e767b9844974b2d | |
| parent | b5e338b396b2a002dced88a88a866a548f084741 (diff) | |
| download | libxslt-cf0e40eda5ad6a3a4e6c85ce52239d6042293599.tar.gz | |
malloc-fail: Fix double-free in xsltKeyFunction
Found with libFuzzer, see #84.
| -rw-r--r-- | libxslt/functions.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libxslt/functions.c b/libxslt/functions.c index 9706a7af..5f657807 100644 --- a/libxslt/functions.c +++ b/libxslt/functions.c @@ -449,13 +449,13 @@ xsltKeyFunction(xmlXPathParserContextPtr ctxt, int nargs){ */ valuePush(ctxt, obj2); xmlXPathStringFunction(ctxt, 1); - if ((ctxt->value == NULL) || (ctxt->value->type != XPATH_STRING)) { + obj2 = valuePop(ctxt); + if ((obj2 == NULL) || (obj2->type != XPATH_STRING)) { xsltTransformError(tctxt, NULL, tctxt->inst, "key() : invalid arg expecting a string\n"); ctxt->error = XPATH_INVALID_TYPE; goto error; } - obj2 = valuePop(ctxt); value = obj2->stringval; /* |