From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 20 Dec 2013 00:01:53 +0100
Subject: Handling of XPath function arguments in error case
The XPath engine tries to guarantee that every XPath function can pop
'nargs' non-NULL values off the stack. libxslt, for example, relies on
this assumption. But the check isn't thorough enough if there are errors
during the evaluation of arguments. This can lead to segfaults:
https://mail.gnome.org/archives/xslt/2013-December/msg00005.html
This commit makes the handling of function arguments more robust.
* Bail out early when evaluation of XPath function arguments fails.
* Make sure that there are 'nargs' arguments in the current call frame.
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/xpath.c b/xpath.c
index a676989..a75df9b 100644
@@ -13512,10 +13512,15 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
frame = xmlXPathSetFrame(ctxt);
+ if (op->ch1 != -1) {
xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
- if (ctxt->valueNr < op->value) {
+ if (ctxt->error != XPATH_EXPRESSION_OK) {
+ xmlXPathPopFrame(ctxt, frame);
+ if (ctxt->valueNr < ctxt->valueFrame + op->value) {
xmlGenericError(xmlGenericErrorContext,
"xmlXPathCompOpEval: parameter error\n");
ctxt->error = XPATH_INVALID_OPERAND;
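Review bot: The new bounds check `ctxt->valueNr < ctxt->valueFrame + op->value` would benefit from a short comment stating why the frame base is added: the commit message says the goal is 'nargs' arguments in the current call frame, and the old test against `ctxt->valueNr` alone could pass on values that sit below `ctxt->valueFrame`. It is also worth confirming that the `parameter error` branch restores the frame with `xmlXPathPopFrame(ctxt, frame)` before returning, as the new `ctxt->error != XPATH_EXPRESSION_OK` branch does; the lines shown end at `ctxt->error = XPATH_INVALID_OPERAND;`, so that is not visible here. A regression test with a function call whose argument fails to evaluate would pin the intended behaviour down.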