diff options
| author | Chris Evans <cevans@chromium.org> | 2012-09-03 18:16:44 +0800 |
|---|---|---|
| committer | Daniel Veillard <veillard@redhat.com> | 2012-09-03 18:16:44 +0800 |
| commit | 4da0f7e207f14a03daad4663865c285eb27f93e9 (patch) | |
| tree | 801fd713cabbba9c22341854bc72d8b0bba739fb | |
| parent | 54977ed7966847e305a2008cb18892df26eeb065 (diff) | |
| download | libxslt-4da0f7e207f14a03daad4663865c285eb27f93e9.tar.gz libxslt-4da0f7e207f14a03daad4663865c285eb27f93e9.tar.bz2 libxslt-4da0f7e207f14a03daad4663865c285eb27f93e9.zip | |
Avoid a heap use after free error
For https://code.google.com/p/chromium/issues/detail?id=140368
| -rw-r--r-- | libxslt/functions.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libxslt/functions.c b/libxslt/functions.c index 5a8eb79f..fe2f1caf 100644 --- a/libxslt/functions.c +++ b/libxslt/functions.c @@ -660,6 +660,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) void xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ xmlNodePtr cur = NULL; + xmlXPathObjectPtr obj = NULL; long val; xmlChar str[30]; xmlDocPtr doc; @@ -667,7 +668,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ if (nargs == 0) { cur = ctxt->context->node; } else if (nargs == 1) { - xmlXPathObjectPtr obj; xmlNodeSetPtr nodelist; int i, ret; @@ -690,7 +690,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ if (ret == -1) cur = nodelist->nodeTab[i]; } - xmlXPathFreeObject(obj); } else { xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL, "generate-id() : invalid number of args %d\n", nargs); @@ -713,6 +712,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ } + if (obj) + xmlXPathFreeObject(obj); + val = (long)((char *)cur - (char *)doc); if (val >= 0) { sprintf((char *)str, "idp%ld", val); |