From 6c99c519d97e5fcbec7a9537d190efb442e4e833 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 10 Oct 2012 12:09:36 +0200
Subject: Crash when passing an uninitialized variable to document()

https://bugzilla.gnome.org/show_bug.cgi?id=685330

Missing check for NULL
---
 libxslt/functions.c       | 5 +++--
 tests/docs/Makefile.am    | 1 +
 tests/docs/bug-180.xml    | 2 ++
 tests/general/Makefile.am | 1 +
 tests/general/bug-180.err | 4 ++++
 tests/general/bug-180.out | 0
 tests/general/bug-180.xsl | 8 ++++++++
 7 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 tests/docs/bug-180.xml
 create mode 100644 tests/general/bug-180.err
 create mode 100644 tests/general/bug-180.out
 create mode 100644 tests/general/bug-180.xsl

diff --git a/libxslt/functions.c b/libxslt/functions.c
index ed2c1635..c754994e 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -260,7 +260,7 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
         obj = valuePop(ctxt);
         ret = xmlXPathNewNodeSet(NULL);
 
-        if (obj->nodesetval) {
+        if ((obj != NULL) && obj->nodesetval) {
             for (i = 0; i < obj->nodesetval->nodeNr; i++) {
                 valuePush(ctxt,
                           xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i]));
@@ -280,7 +280,8 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs)
             }
         }
 
-        xmlXPathFreeObject(obj);
+        if (obj != NULL)
+            xmlXPathFreeObject(obj);
         if (obj2 != NULL)
             xmlXPathFreeObject(obj2);
         valuePush(ctxt, ret);
diff --git a/tests/docs/Makefile.am b/tests/docs/Makefile.am
index 59487a60..c5dad4c5 100644
--- a/tests/docs/Makefile.am
+++ b/tests/docs/Makefile.am
@@ -178,6 +178,7 @@ EXTRA_DIST =	\
 	bug-177.xml \
 	bug-178.xml \
 	bug-179.xml \
+	bug-180.xml \
 	character.xml \
 	array.xml \
 	items.xml
diff --git a/tests/docs/bug-180.xml b/tests/docs/bug-180.xml
new file mode 100644
index 00000000..2ca0eba5
--- /dev/null
+++ b/tests/docs/bug-180.xml
@@ -0,0 +1,2 @@
+<doc/>
+
diff --git a/tests/general/Makefile.am b/tests/general/Makefile.am
index 762eca9f..0c2ef307 100644
--- a/tests/general/Makefile.am
+++ b/tests/general/Makefile.am
@@ -187,6 +187,7 @@ EXTRA_DIST = \
     bug-177.out bug-177.xsl \
     bug-178.out bug-178.xsl \
     bug-179.out bug-179.xsl \
+    bug-180.out bug-180.xsl bug-180.err \
     character.out character.xsl \
     character2.out character2.xsl \
     itemschoose.out itemschoose.xsl \
diff --git a/tests/general/bug-180.err b/tests/general/bug-180.err
new file mode 100644
index 00000000..e45b36e8
--- /dev/null
+++ b/tests/general/bug-180.err
@@ -0,0 +1,4 @@
+runtime error: file ./bug-180.xsl line 4 element copy-of
+Variable 'xxx' has not been declared.
+XPath error : Stack usage errror
+xmlXPathCompiledEval: 1 objects left on the stack.
diff --git a/tests/general/bug-180.out b/tests/general/bug-180.out
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/general/bug-180.xsl b/tests/general/bug-180.xsl
new file mode 100644
index 00000000..652d9fc5
--- /dev/null
+++ b/tests/general/bug-180.xsl
@@ -0,0 +1,8 @@
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+
+  <xsl:template match="/">
+      <xsl:copy-of select=" * | document($xxx) "/>
+  </xsl:template>
+
+</xsl:stylesheet>
+
-- 
cgit v1.2.3