You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
52 lines
1.6 KiB
52 lines
1.6 KiB
12 years ago
|
From 4da0f7e207f14a03daad4663865c285eb27f93e9 Mon Sep 17 00:00:00 2001
|
||
|
From: Chris Evans <cevans@chromium.org>
|
||
|
Date: Mon, 3 Sep 2012 18:16:44 +0800
|
||
|
Subject: [PATCH] Avoid a heap use after free error
|
||
|
|
||
|
For https://code.google.com/p/chromium/issues/detail?id=140368
|
||
|
---
|
||
|
libxslt/functions.c | 6 ++++--
|
||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/libxslt/functions.c b/libxslt/functions.c
|
||
|
index 5a8eb79..fe2f1ca 100644
|
||
|
--- a/libxslt/functions.c
|
||
|
+++ b/libxslt/functions.c
|
||
|
@@ -660,6 +660,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
|
||
|
void
|
||
|
xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
||
|
xmlNodePtr cur = NULL;
|
||
|
+ xmlXPathObjectPtr obj = NULL;
|
||
|
long val;
|
||
|
xmlChar str[30];
|
||
|
xmlDocPtr doc;
|
||
|
@@ -667,7 +668,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
||
|
if (nargs == 0) {
|
||
|
cur = ctxt->context->node;
|
||
|
} else if (nargs == 1) {
|
||
|
- xmlXPathObjectPtr obj;
|
||
|
xmlNodeSetPtr nodelist;
|
||
|
int i, ret;
|
||
|
|
||
|
@@ -690,7 +690,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
||
|
if (ret == -1)
|
||
|
cur = nodelist->nodeTab[i];
|
||
|
}
|
||
|
- xmlXPathFreeObject(obj);
|
||
|
} else {
|
||
|
xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
|
||
|
"generate-id() : invalid number of args %d\n", nargs);
|
||
|
@@ -713,6 +712,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
||
|
|
||
|
}
|
||
|
|
||
|
+ if (obj)
|
||
|
+ xmlXPathFreeObject(obj);
|
||
|
+
|
||
|
val = (long)((char *)cur - (char *)doc);
|
||
|
if (val >= 0) {
|
||
|
sprintf((char *)str, "idp%ld", val);
|
||
|
--
|
||
|
1.7.12
|
||
|
|