
libxslt-1.1.17-4.el5_8.3.src.rpm

From f31e72aef38c7b74b1665a1cb2699bea6d03e9b9 Mon Sep 17 00:00:00 2001
From: Chris Evans <cevans@chromium.org>
Date: Mon, 3 Sep 2012 18:16:44 +0800
Subject: [PATCH] Avoid a heap use after free error
To: libvir-list@redhat.com

For https://code.google.com/p/chromium/issues/detail?id=140368

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 libxslt/functions.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libxslt/functions.c b/libxslt/functions.c
index 5752467..7af85a1 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -598,6 +598,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 void
 xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
     xmlNodePtr cur = NULL;
+    xmlXPathObjectPtr obj = NULL;
     long val;
     xmlChar str[30];
     xmlDocPtr doc;
@@ -605,7 +606,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
     if (nargs == 0) {
 	cur = ctxt->context->node;
     } else if (nargs == 1) {
-	xmlXPathObjectPtr obj;
 	xmlNodeSetPtr nodelist;
 	int i, ret;
 
@@ -628,7 +628,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
 	    if (ret == -1)
 	        cur = nodelist->nodeTab[i];
 	}
-	xmlXPathFreeObject(obj);
     } else {
 	xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
 		"generate-id() : invalid number of args %d\n", nargs);
@@ -646,6 +645,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
 
     }
 
+    if (obj)
+        xmlXPathFreeObject(obj);
+
     val = (long)((char *)cur - (char *)doc);
     if (val >= 0) {
       sprintf((char *)str, "idp%ld", val);
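Review bot: The deferred `if (obj) xmlXPathFreeObject(obj);` still runs before `val = (long)((char *)cur - (char *)doc);`, so if `cur` points into storage owned by `obj` (presumably the case this commit targets), the subtraction uses a pointer whose object has just been released. Nothing is dereferenced there, so this is not the original use-after-free, but moving the free to just after the `val` assignment keeps every use of `cur` inside the object's lifetime. The free also carries no comment explaining why it sits here; something like `/* obj may own the node cur points to: free only once cur is no longer needed */` would stop a later cleanup from moving it back into the `nargs == 1` branch. The function body continues past the end of this hunk, so any later use of `cur` cannot be checked from here.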
-- 
1.7.11.4