From 4da0f7e207f14a03daad4663865c285eb27f93e9 Mon Sep 17 00:00:00 2001 From: Chris Evans Date: Mon, 3 Sep 2012 18:16:44 +0800 Subject: Avoid a heap use after free error For https://code.google.com/p/chromium/issues/detail?id=140368 --- libxslt/functions.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libxslt/functions.c b/libxslt/functions.c index 5a8eb79f..fe2f1caf 100644 --- a/libxslt/functions.c +++ b/libxslt/functions.c @@ -660,6 +660,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) void xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ xmlNodePtr cur = NULL; + xmlXPathObjectPtr obj = NULL; long val; xmlChar str[30]; xmlDocPtr doc; @@ -667,7 +668,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ if (nargs == 0) { cur = ctxt->context->node; } else if (nargs == 1) { - xmlXPathObjectPtr obj; xmlNodeSetPtr nodelist; int i, ret; @@ -690,7 +690,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ if (ret == -1) cur = nodelist->nodeTab[i]; } - xmlXPathFreeObject(obj); } else { xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL, "generate-id() : invalid number of args %d\n", nargs); @@ -713,6 +712,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ } + if (obj) + xmlXPathFreeObject(obj); + val = (long)((char *)cur - (char *)doc); if (val >= 0) { sprintf((char *)str, "idp%ld", val); -- cgit v1.2.3