1 Taken as it's from:

     2 

     3 http://git.gnome.org/browse/libxslt/commit/?id=4da0f7e207f14a03daad4663865c285eb27f93e9

     4 

     5 From 4da0f7e207f14a03daad4663865c285eb27f93e9 Mon Sep 17 00:00:00 2001

     6 From: Chris Evans <[email protected]>

     7 Date: Mon, 03 Sep 2012 10:16:44 +0000

     8 Subject: Avoid a heap use after free error

     9 

    10 For https://code.google.com/p/chromium/issues/detail?id=140368

    11 ---

    12 diff --git a/libxslt/functions.c b/libxslt/functions.c

    13 index 5a8eb79..fe2f1ca 100644

    14 --- a/libxslt/functions.c

    15 +++ b/libxslt/functions.c

    16 @@ -660,6 +660,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)

    17  void

    18  xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){

    19      xmlNodePtr cur = NULL;

    20 +    xmlXPathObjectPtr obj = NULL;

    21      long val;

    22      xmlChar str[30];

    23      xmlDocPtr doc;

    24 @@ -667,7 +668,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){

    25      if (nargs == 0) {

    26  	cur = ctxt->context->node;

    27      } else if (nargs == 1) {

    28 -	xmlXPathObjectPtr obj;

    29  	xmlNodeSetPtr nodelist;

    30  	int i, ret;

    31  

    32 @@ -690,7 +690,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){

    33  	    if (ret == -1)

    34  	        cur = nodelist->nodeTab[i];

    35  	}

    36 -	xmlXPathFreeObject(obj);

    37      } else {

    38  	xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,

    39  		"generate-id() : invalid number of args %d\n", nargs);

    40 @@ -713,6 +712,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){

    41  

    42      }

    43  

    44 +    if (obj)

    45 +        xmlXPathFreeObject(obj);

    46 +

    47      val = (long)((char *)cur - (char *)doc);

    48      if (val >= 0) {

    49        sprintf((char *)str, "idp%ld", val);

    50 --

    51 cgit v0.9.0.2