15807903 problem in LIBRARY/LIBXSLT s11u1-sru
authorPetr Sumbera <petr.sumbera@oracle.com>
Mon, 21 Jan 2013 03:30:38 -0800
branchs11u1-sru
changeset 2471 b1f0e4a84df6
parent 2469 0b02cc321ac6
child 2472 a1822222111d
15807903 problem in LIBRARY/LIBXSLT
components/libxslt/patches/01-libxslt-Fix-direct-pattern-matching-bug.patch
components/libxslt/patches/02-libxslt-Fix-generate-id-to-not-expose-object-addresses.patch
components/libxslt/patches/03-libxslt-Fix-a-bug-in-selecting-XSLT-elements.patch
components/libxslt/patches/04-libxslt-Fix-portability-to-upcoming-libxml2-2.9.0.patch
components/libxslt/patches/05-libxslt-Fix-default-template-processing-on-namespace-nodes.patch
components/libxslt/patches/06-libxslt-Cleanup-of-the-pattern-compilation-code.patch
components/libxslt/patches/07-libxslt-Hardening-of-code-checking-node-types-in-various-entry-point.patch
components/libxslt/patches/08-libxslt-Fix-system-property-with-unknown-namespace.patch
components/libxslt/patches/09-libxslt-Hardening-of-code-checking-node-types-in-EXSLT.patch
components/libxslt/patches/10-libxslt-xsltproc-should-return-an-error-code-if-xinclude-fails.patch
components/libxslt/patches/11-libxslt-Fix-a-dictionary-string-usage.patch
components/libxslt/patches/12-libxslt-Avoid-a-heap-use-after-free-error.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/01-libxslt-Fix-direct-pattern-matching-bug.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,89 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=2a697a5819f8b22fc7541aae82aacf8b70135a93
+
+Removed git ignore patch part as it doesn't apply and it's not needed.
+
+From 2a697a5819f8b22fc7541aae82aacf8b70135a93 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Mon, 08 Nov 2010 09:42:33 +0000
+Subject: Fix direct pattern matching bug
+
+and adds a test case for the problem,
+also adding a .gitignore cleanup
+---
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 8ce74e3..58bd6ed 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
[email protected]@ -546,13 +546,15 @@ xsltTestCompMatchDirect(xsltTransformContextPtr ctxt, xsltCompMatchPtr comp,
+ 	xmlNodePtr parent = node->parent;
+ 	xmlDocPtr olddoc;
+ 	xmlNodePtr oldnode;
+-	int oldNsNr;
++	int oldNsNr, oldContextSize, oldProximityPosition;
+ 	xmlNsPtr *oldNamespaces;
+ 
+ 	oldnode = ctxt->xpathCtxt->node;
+ 	olddoc = ctxt->xpathCtxt->doc;
+ 	oldNsNr = ctxt->xpathCtxt->nsNr;
+ 	oldNamespaces = ctxt->xpathCtxt->namespaces;
++	oldContextSize = ctxt->xpathCtxt->contextSize;
++	oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+ 	ctxt->xpathCtxt->node = node;
+ 	ctxt->xpathCtxt->doc = doc;
+ 	ctxt->xpathCtxt->namespaces = nsList;
[email protected]@ -562,6 +564,8 @@ xsltTestCompMatchDirect(xsltTransformContextPtr ctxt, xsltCompMatchPtr comp,
+ 	ctxt->xpathCtxt->doc = olddoc;
+ 	ctxt->xpathCtxt->namespaces = oldNamespaces;
+ 	ctxt->xpathCtxt->nsNr = oldNsNr;
++	ctxt->xpathCtxt->contextSize = oldContextSize;
++	ctxt->xpathCtxt->proximityPosition = oldProximityPosition;
+ 	if (newlist == NULL)
+ 	    return(-1);
+ 	if (newlist->type != XPATH_NODESET) {
+diff --git a/tests/docs/bug-170.xml b/tests/docs/bug-170.xml
+new file mode 100644
+index 0000000..08c3c4d
+--- a/dev/null
++++ b/tests/docs/bug-170.xml
[email protected]@ -0,0 +1,3 @@
++<root>
++    <a type="b"/>
++</root>
+diff --git a/tests/general/Makefile.am b/tests/general/Makefile.am
+index 5d5baf0..e33a6c6 100644
+--- a/tests/general/Makefile.am
++++ b/tests/general/Makefile.am
[email protected]@ -177,6 +177,7 @@ EXTRA_DIST = \
+     bug-167.out bug-167.xsl \
+     bug-168.out bug-168.xsl \
+     bug-169.out bug-169.xsl bug-169.imp \
++    bug-170.out bug-170.xsl \
+     character.out character.xsl \
+     character2.out character2.xsl \
+     itemschoose.out itemschoose.xsl \
+diff --git a/tests/general/bug-170.out b/tests/general/bug-170.out
+new file mode 100644
+index 0000000..e24f8d3
+--- a/dev/null
++++ b/tests/general/bug-170.out
[email protected]@ -0,0 +1,4 @@
++<?xml version="1.0"?>
++
++    
++
+diff --git a/tests/general/bug-170.xsl b/tests/general/bug-170.xsl
+new file mode 100644
+index 0000000..393bc4b
+--- a/dev/null
++++ b/tests/general/bug-170.xsl
[email protected]@ -0,0 +1,6 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++    <xsl:template match="a[@type='b']" >
++        <xsl:if test="position()"/>
++    </xsl:template>
++    <xsl:template match="a[@type='XX'][.]"/>
++</xsl:stylesheet>
+--
+cgit v0.9.0.2
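Review bot: The new save and restore of `contextSize` and `proximityPosition` in xsltTestCompMatchDirect carries no comment saying why these two fields need protecting. The visible lines assign only `node`, `doc` and `namespaces` before the evaluation, so the new fields are presumably changed by the XPath evaluation that sits between the two hunks. A comment above the added assignments, such as `/* evaluating the pattern may overwrite size/position; put the caller's values back */`, would record that invariant. The function body starts and ends outside the hunk, so it cannot be confirmed here that every path between save and restore reaches the restore.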
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/02-libxslt-Fix-generate-id-to-not-expose-object-addresses.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,63 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f
+
+For https://bugzilla.redhat.com/show_bug.cgi?id=684386
+CVE-2011-1202
+
+From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Tue, 22 Feb 2011 02:14:23 +0000
+Subject: Fix generate-id() to not expose object addresses
+
+As pointed out by Chris Evans <[email protected]> it's better
+security wise to not expose object addresses directly, use a diff
+w.r.t. the document root own address to avoid this
+* libxslt/functions.c: fix IDs generation code
+---
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 4720c7a..de962f4 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
[email protected]@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ void
+ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+     xmlNodePtr cur = NULL;
+-    unsigned long val;
+-    xmlChar str[20];
++    long val;
++    xmlChar str[30];
++    xmlDocPtr doc;
+ 
+     if (nargs == 0) {
+ 	cur = ctxt->context->node;
[email protected]@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+      * Okay this is ugly but should work, use the NodePtr address
+      * to forge the ID
+      */
+-    val = (unsigned long)((char *)cur - (char *)0);
+-    val /= sizeof(xmlNode);
+-    sprintf((char *)str, "id%ld", val);
++    if (cur->type != XML_NAMESPACE_DECL)
++        doc = cur->doc;
++    else {
++        xmlNsPtr ns = (xmlNsPtr) cur;
++
++        if (ns->context != NULL)
++            doc = ns->context;
++        else
++            doc = ctxt->context->doc;
++
++    }
++
++    val = (long)((char *)cur - (char *)doc);
++    if (val >= 0) {
++      sprintf((char *)str, "idp%ld", val);
++    } else {
++      sprintf((char *)str, "idm%ld", -val);
++    }
+     valuePush(ctxt, xmlXPathNewString(str));
+ }
+ 
+--
+cgit v0.9.0.2
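Review bot: The two `sprintf` calls added at the end of xsltGenerateIdFunction write into `str[30]` without a bound. The buffer is large enough for a 64-bit `long` with the `idp`/`idm` prefix, but `snprintf((char *)str, sizeof(str), "idp%ld", val);` (and the same for `idm`) would keep that true if the format or type changes. The value is still `(char *)cur - (char *)doc`, a difference between what appear to be two separate allocations, so the subtraction is not defined by the C standard and the ID still reflects relative heap layout. That residual exposure deserves a comment so nobody treats generate-id() output as address-free. The retained comment "use the NodePtr address to forge the ID" no longer matches the code and should say the ID is an offset from the owning document pointer.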
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/03-libxslt-Fix-a-bug-in-selecting-XSLT-elements.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,30 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=e6a0bc8081271f33b9899eb78e1da1a2a0428419
+
+For https://bugzilla.redhat.com/show_bug.cgi?id=835982
+CVE-2012-2825
+
+From e6a0bc8081271f33b9899eb78e1da1a2a0428419 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Tue, 07 Aug 2012 03:26:43 +0000
+Subject: Fix a bug in selecting XSLT elements
+
+---
+diff --git a/libxslt/xsltutils.h b/libxslt/xsltutils.h
+index 3886be3..c986a9c 100644
+--- a/libxslt/xsltutils.h
++++ b/libxslt/xsltutils.h
[email protected]@ -52,8 +52,8 @@ extern "C" {
+  * Checks that the element pertains to XSLT namespace.
+  */
+ #define IS_XSLT_ELEM(n)							\
+-    (((n) != NULL) && ((n)->ns != NULL) &&				\
+-     (xmlStrEqual((n)->ns->href, XSLT_NAMESPACE)))
++    (((n) != NULL) && ((n)->type == XML_ELEMENT_NODE) &&                \
++     ((n)->ns != NULL) && (xmlStrEqual((n)->ns->href, XSLT_NAMESPACE)))
+ 
+ /**
+  * IS_XSLT_NAME:
+--
+cgit v0.9.0.2
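Review bot: IS_XSLT_ELEM now depends on evaluation order, since the `(n)->type == XML_ELEMENT_NODE` test has to run before `(n)->ns` is read, but the macro's doc comment still only says it checks that the element pertains to the XSLT namespace. Adding a line such as `* The type is tested first so that ns is never read from a node structure that is not an element.` would stop a later cleanup from reordering the terms. The macro also expands `n` four times, so callers must pass an expression without side effects; that constraint is worth stating in the same comment.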
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/04-libxslt-Fix-portability-to-upcoming-libxml2-2.9.0.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,68 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=1d62941e10c7419bf2341dbbb17d2ba6a73ed4ae
+
+From 1d62941e10c7419bf2341dbbb17d2ba6a73ed4ae Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Wed, 08 Aug 2012 06:21:51 +0000
+Subject: Fix portability to upcoming libxml2-2.9.0
+
+A few place where an output buffer was accessed directly or as
+an xmlBuf
+---
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 44e80a7..7a4caf0 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
[email protected]@ -1538,9 +1538,11 @@ xsltSaveResultTo(xmlOutputBufferPtr buf, xmlDocPtr result,
+ 
+ 	if (omitXmlDecl != 1) {
+ 	    xmlOutputBufferWriteString(buf, "<?xml version=");
+-	    if (result->version != NULL) 
+-		xmlBufferWriteQuotedString(buf->buffer, result->version);
+-	    else
++	    if (result->version != NULL) {
++		xmlOutputBufferWriteString(buf, "\"");
++		xmlOutputBufferWriteString(buf, (const char *)result->version);
++		xmlOutputBufferWriteString(buf, "\"");
++	    } else
+ 		xmlOutputBufferWriteString(buf, "\"1.0\"");
+ 	    if (encoding == NULL) {
+ 		if (result->encoding != NULL)
[email protected]@ -1552,7 +1554,9 @@ xsltSaveResultTo(xmlOutputBufferPtr buf, xmlDocPtr result,
+ 	    }
+ 	    if (encoding != NULL) {
+ 		xmlOutputBufferWriteString(buf, " encoding=");
+-		xmlBufferWriteQuotedString(buf->buffer, (xmlChar *) encoding);
++		xmlOutputBufferWriteString(buf, "\"");
++		xmlOutputBufferWriteString(buf, (const char *) encoding);
++		xmlOutputBufferWriteString(buf, "\"");
+ 	    }
+ 	    switch (standalone) {
+ 		case 0:
[email protected]@ -1755,6 +1759,15 @@ xsltSaveResultToString(xmlChar **doc_txt_ptr, int * doc_txt_len,
+     if (buf == NULL)
+ 	return(-1);
+     xsltSaveResultTo(buf, result, style);
++#ifdef LIBXML2_NEW_BUFFER
++    if (buf->conv != NULL) {
++	*doc_txt_len = xmlBufUse(buf->conv);
++	*doc_txt_ptr = xmlStrndup(xmlBufContent(buf->conv), *doc_txt_len);
++    } else {
++	*doc_txt_len = xmlBufUse(buf->buffer);
++	*doc_txt_ptr = xmlStrndup(xmlBufContent(buf->buffer), *doc_txt_len);
++    }
++#else
+     if (buf->conv != NULL) {
+ 	*doc_txt_len = buf->conv->use;
+ 	*doc_txt_ptr = xmlStrndup(buf->conv->content, *doc_txt_len);
[email protected]@ -1762,6 +1775,7 @@ xsltSaveResultToString(xmlChar **doc_txt_ptr, int * doc_txt_len,
+ 	*doc_txt_len = buf->buffer->use;
+ 	*doc_txt_ptr = xmlStrndup(buf->buffer->content, *doc_txt_len);
+     }
++#endif
+     (void)xmlOutputBufferClose(buf);
+     return 0;
+ }
+--
+cgit v0.9.0.2
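Review bot: The replacement for `xmlBufferWriteQuotedString` in xsltSaveResultTo always wraps `result->version` and `encoding` in double quotes and writes the value verbatim, so a value containing `"` would produce a malformed XML declaration. The removed helper chose the quote character from the string's content. If these strings can come from a stylesheet or input document, test with `xmlStrchr(result->version, '"') != NULL` before writing (and likewise for `encoding`), then fall back to the `"1.0"` branch or report an error. In the new LIBXML2_NEW_BUFFER branch of xsltSaveResultToString, `xmlBufUse()` returns a size_t that is stored into `int *doc_txt_len`, and the `xmlStrndup` result is not checked before the function returns 0; both deserve a guard.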
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/05-libxslt-Fix-default-template-processing-on-namespace-nodes.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,40 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=937ba2a3eb42d288f53c8adc211bd1122869f0bf
+
+For https://bugzilla.redhat.com/show_bug.cgi?id=852935
+CVE-2012-2871
+
+From 937ba2a3eb42d288f53c8adc211bd1122869f0bf Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Wed, 08 Aug 2012 07:31:05 +0000
+Subject: Fix default template processing on namespace nodes
+
+---
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 53eefcc..c6df19e 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
[email protected]@ -4895,7 +4895,10 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 	list = xmlXPathNodeSetCreate(NULL);
+ 	if (list == NULL)
+ 	    goto error;
+-	cur = node->children;
++	if (node->type != XML_NAMESPACE_DECL)
++	    cur = node->children;
++	else
++	    cur = NULL;
+ 	while (cur != NULL) {
+ 	    switch (cur->type) {
+ 		case XML_TEXT_NODE:
[email protected]@ -4944,6 +4947,8 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ 		    if (cur->prev != NULL)
+ 			cur->prev->next = cur->next;
+ 		    break;
++		case XML_NAMESPACE_DECL:
++		    break;
+ 		default:
+ #ifdef WITH_XSLT_DEBUG_PROCESS
+ 		    XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+--
+cgit v0.9.0.2
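Review bot: Neither added branch in xsltApplyTemplates says why XML_NAMESPACE_DECL is special, and the next reader will need that. A namespace node is an xmlNs rather than an xmlNode, so `node->children` on it reads a member that structure does not have. A one-line comment above the new test, e.g. `/* xmlNs has no children member; never walk it as an xmlNode */`, would keep the guard from being simplified away. The new `case XML_NAMESPACE_DECL:` in the switch needs the same comment. The loop's advance step is outside the hunk, so it cannot be confirmed from here that a namespace `cur` would be stepped over safely.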
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/06-libxslt-Cleanup-of-the-pattern-compilation-code.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,213 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=8566ab4a10158d195adb5f1f61afe1ee8bfebd12
+
+Avoid potential crashes and memory leaks
+https://bugzilla.redhat.com/show_bug.cgi?id=852937
+CVE-2012-2870
+
+From 8566ab4a10158d195adb5f1f61afe1ee8bfebd12 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Thu, 09 Aug 2012 07:31:07 +0000
+Subject: Cleanup of the pattern compilation code
+
+Avoid potential crashes and memory leaks
+---
+diff --git a/libxslt/pattern.c b/libxslt/pattern.c
+index 1155b54..a6140cb 100644
+--- a/libxslt/pattern.c
++++ b/libxslt/pattern.c
[email protected]@ -303,6 +303,10 @@ xsltCompMatchAdd(xsltParserContextPtr ctxt, xsltCompMatchPtr comp,
+ 	     "xsltCompMatchAdd: memory re-allocation failure.\n");
+ 	    if (ctxt->style != NULL)
+ 		ctxt->style->errors++;
++	    if (value)
++	        xmlFree(value);
++	    if (value2)
++	        xmlFree(value2);
+ 	    return (-1);
+ 	}
+         comp->maxStep *= 2;
[email protected]@ -1384,17 +1388,22 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ 	NEXT;
+ 	SKIP_BLANKS;
+         lit = xsltScanLiteral(ctxt);
+-	if (ctxt->error)
++	if (ctxt->error) {
++	    xsltTransformError(NULL, NULL, NULL,
++		    "xsltCompileIdKeyPattern : Literal expected\n");
+ 	    return;
++	}
+ 	SKIP_BLANKS;
+ 	if (CUR != ')') {
+ 	    xsltTransformError(NULL, NULL, NULL,
+ 		    "xsltCompileIdKeyPattern : ) expected\n");
++	    xmlFree(lit);
+ 	    ctxt->error = 1;
+ 	    return;
+ 	}
+ 	NEXT;
+ 	PUSH(XSLT_OP_ID, lit, NULL, novar);
++	lit = NULL;
+     } else if ((aid) && (xmlStrEqual(name, (const xmlChar *)"key"))) {
+ 	if (axis != 0) {
+ 	    xsltTransformError(NULL, NULL, NULL,
[email protected]@ -1405,8 +1414,11 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ 	NEXT;
+ 	SKIP_BLANKS;
+         lit = xsltScanLiteral(ctxt);
+-	if (ctxt->error)
++	if (ctxt->error) {
++	    xsltTransformError(NULL, NULL, NULL,
++		    "xsltCompileIdKeyPattern : Literal expected\n");
+ 	    return;
++	}
+ 	SKIP_BLANKS;
+ 	if (CUR != ',') {
+ 	    xsltTransformError(NULL, NULL, NULL,
[email protected]@ -1417,25 +1429,36 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ 	NEXT;
+ 	SKIP_BLANKS;
+         lit2 = xsltScanLiteral(ctxt);
+-	if (ctxt->error)
++	if (ctxt->error) {
++	    xsltTransformError(NULL, NULL, NULL,
++		    "xsltCompileIdKeyPattern : Literal expected\n");
++	    xmlFree(lit);
+ 	    return;
++	}
+ 	SKIP_BLANKS;
+ 	if (CUR != ')') {
+ 	    xsltTransformError(NULL, NULL, NULL,
+ 		    "xsltCompileIdKeyPattern : ) expected\n");
++	    xmlFree(lit);
++	    xmlFree(lit2);
+ 	    ctxt->error = 1;
+ 	    return;
+ 	}
+ 	NEXT;
+ 	/* URGENT TODO: support namespace in keys */
+ 	PUSH(XSLT_OP_KEY, lit, lit2, novar);
++	lit = NULL;
++	lit2 = NULL;
+     } else if (xmlStrEqual(name, (const xmlChar *)"processing-instruction")) {
+ 	NEXT;
+ 	SKIP_BLANKS;
+ 	if (CUR != ')') {
+ 	    lit = xsltScanLiteral(ctxt);
+-	    if (ctxt->error)
++	    if (ctxt->error) {
++		xsltTransformError(NULL, NULL, NULL,
++			"xsltCompileIdKeyPattern : Literal expected\n");
+ 		return;
++	    }
+ 	    SKIP_BLANKS;
+ 	    if (CUR != ')') {
+ 		xsltTransformError(NULL, NULL, NULL,
[email protected]@ -1446,6 +1469,7 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ 	}
+ 	NEXT;
+ 	PUSH(XSLT_OP_PI, lit, NULL, novar);
++	lit = NULL;
+     } else if (xmlStrEqual(name, (const xmlChar *)"text")) {
+ 	NEXT;
+ 	SKIP_BLANKS;
[email protected]@ -1496,8 +1520,7 @@ xsltCompileIdKeyPattern(xsltParserContextPtr ctxt, xmlChar *name,
+ 	return;
+     }
+ error:
+-    if (name != NULL)
+-	xmlFree(name);
++    return;
+ }
+ 
+ /**
[email protected]@ -1560,6 +1583,8 @@ parse_node_test:
+     SKIP_BLANKS;
+     if (CUR == '(') {
+ 	xsltCompileIdKeyPattern(ctxt, token, 0, novar, axis);
++	xmlFree(token);
++	token = NULL;
+ 	if (ctxt->error)
+ 	    goto error;
+     } else if (CUR == ':') {
[email protected]@ -1578,20 +1603,24 @@ parse_node_test:
+ 	    "xsltCompileStepPattern : no namespace bound to prefix %s\n",
+ 				 prefix);
+ 		xmlFree(prefix);
++		prefix=NULL;
+ 		ctxt->error = 1;
+ 		goto error;
+ 	    } else {
+ 		URL = xmlStrdup(ns->href);
+ 	    }
+ 	    xmlFree(prefix);
++	    prefix=NULL;
+ 	    if (token == NULL) {
+ 		if (CUR == '*') {
+ 		    NEXT;
+                     if (axis == AXIS_ATTRIBUTE) {
+                         PUSH(XSLT_OP_ATTR, NULL, URL, novar);
++			URL = NULL;
+                     }
+                     else {
+                         PUSH(XSLT_OP_NS, URL, NULL, novar);
++			URL = NULL;
+                     }
+ 		} else {
+ 		    xsltTransformError(NULL, NULL, NULL,
[email protected]@ -1602,9 +1631,13 @@ parse_node_test:
+ 	    } else {
+                 if (axis == AXIS_ATTRIBUTE) {
+                     PUSH(XSLT_OP_ATTR, token, URL, novar);
++		    token = NULL;
++		    URL = NULL;
+                 }
+                 else {
+                     PUSH(XSLT_OP_ELEM, token, URL, novar);
++		    token = NULL;
++		    URL = NULL;
+                 }
+ 	    }
+ 	} else {
[email protected]@ -1626,6 +1659,7 @@ parse_node_test:
+ 		goto error;
+ 	    }
+ 	    xmlFree(token);
++	    token = NULL;
+             SKIP_BLANKS;
+             token = xsltScanNCName(ctxt);
+ 	    goto parse_node_test;
[email protected]@ -1640,9 +1674,13 @@ parse_node_test:
+ 	    URL = xmlStrdup(URI);
+         if (axis == AXIS_ATTRIBUTE) {
+             PUSH(XSLT_OP_ATTR, token, URL, novar);
++	    token = NULL;
++	    URL = NULL;
+         }
+         else {
+             PUSH(XSLT_OP_ELEM, token, URL, novar);
++	    token = NULL;
++	    URL = NULL;
+         }
+     }
+ parse_predicate:
[email protected]@ -1682,6 +1720,7 @@ parse_predicate:
+         }
+ 	ret = xmlStrndup(q, CUR_PTR - q);
+ 	PUSH(XSLT_OP_PREDICATE, ret, NULL, novar);
++	ret = NULL;
+ 	/* push the predicate lower than local test */
+ 	SWAP();
+ 	NEXT;
[email protected]@ -1790,6 +1829,8 @@ xsltCompileLocationPathPattern(xsltParserContextPtr ctxt, int novar) {
+ 	SKIP_BLANKS;
+ 	if ((CUR == '(') && !xmlXPathIsNodeType(name)) {
+ 	    xsltCompileIdKeyPattern(ctxt, name, 1, novar, 0);
++	    xmlFree(name);
++	    name = NULL;
+ 	    if ((CUR == '/') && (NXT(1) == '/')) {
+ 		PUSH(XSLT_OP_ANCESTOR, NULL, NULL, novar);
+ 		NEXT;
+--
+cgit v0.9.0.2
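Review bot: Two error paths in xsltCompileIdKeyPattern still appear to leak `lit` after this cleanup. They are the `if (CUR != ',')` check in the `key` branch and the inner `if (CUR != ')')` check in the `processing-instruction` branch. Both run off the end of their hunks, and the hunk headers show no lines added in the gaps, so each needs `xmlFree(lit);` before `ctxt->error = 1;`, as the patch already does for the `id` branch. Separately, xsltCompMatchAdd now frees `value` and `value2` on reallocation failure, while the `token = NULL;` / `URL = NULL;` resets run only after a successful PUSH. If PUSH jumps to `error:` on failure (the macro and that label are not shown), check that the label in xsltCompileStepPattern does not free the same pointers again.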
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/07-libxslt-Hardening-of-code-checking-node-types-in-various-entry-point.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,586 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=1564b30e994602a95863d9716be83612580a2fed
+
+Followup on CVE-2012-2870
+
+From 1564b30e994602a95863d9716be83612580a2fed Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Thu, 09 Aug 2012 08:18:51 +0000
+Subject: Hardening of code checking node types in various entry point
+
+---
+diff --git a/libxslt/attributes.c b/libxslt/attributes.c
+index ce47df7..11d558b 100644
+--- a/libxslt/attributes.c
++++ b/libxslt/attributes.c
[email protected]@ -293,7 +293,7 @@ xsltParseStylesheetAttributeSet(xsltStylesheetPtr style, xmlNodePtr cur) {
+     xmlNodePtr child;
+     xsltAttrElemPtr attrItems;
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     value = xmlGetNsProp(cur, (const xmlChar *)"name", NULL);
[email protected]@ -656,7 +656,8 @@ xsltAttributeInternal(xsltTransformContextPtr ctxt,
+     xmlNsPtr ns = NULL;
+     xmlAttrPtr attr;    
+ 
+-    if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL))
++    if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
++        (inst->type != XML_ELEMENT_NODE) )
+         return;
+ 
+     /* 
+diff --git a/libxslt/preproc.c b/libxslt/preproc.c
+index f5d265d..4d483ff 100644
+--- a/libxslt/preproc.c
++++ b/libxslt/preproc.c
[email protected]@ -680,7 +680,7 @@ xsltSortComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #else
+     xsltStylePreCompPtr comp;
+ #endif
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -788,7 +788,7 @@ xsltCopyComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ #ifdef XSLT_REFACTORED
+     comp = (xsltStyleItemCopyPtr) xsltNewStylePreComp(style, XSLT_FUNC_COPY);
[email protected]@ -832,7 +832,7 @@ xsltTextComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #endif
+     const xmlChar *prop;
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -885,7 +885,7 @@ xsltElementComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     *   <!-- Content: template -->
+     * </xsl:element>
+     */
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1002,7 +1002,7 @@ xsltAttributeComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     *   <!-- Content: template -->
+     * </xsl:attribute>
+     */
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1122,7 +1122,7 @@ xsltCommentComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1152,7 +1152,7 @@ xsltProcessingInstructionComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1186,7 +1186,7 @@ xsltCopyOfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1233,7 +1233,7 @@ xsltValueOfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+ #endif
+     const xmlChar *prop;
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1358,7 +1358,7 @@ xsltWithParamComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1417,7 +1417,7 @@ xsltNumberComp(xsltStylesheetPtr style, xmlNodePtr cur) {
+ #endif
+     const xmlChar *prop;
+ 
+-    if ((style == NULL) || (cur == NULL))
++    if ((style == NULL) || (cur == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1543,7 +1543,7 @@ xsltApplyImportsComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1573,7 +1573,7 @@ xsltCallTemplateComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1612,7 +1612,7 @@ xsltApplyTemplatesComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1664,7 +1664,7 @@ xsltChooseComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1695,7 +1695,7 @@ xsltIfComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1741,7 +1741,7 @@ xsltWhenComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1787,7 +1787,7 @@ xsltForEachComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1835,7 +1835,7 @@ xsltVariableComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1914,7 +1914,7 @@ xsltParamComp(xsltStylesheetPtr style, xmlNodePtr inst) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -2006,7 +2006,7 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr node) {
+     *  the parsing mechanism for all elements in the XSLT namespace.
+     */
+     if (style == NULL) {
+-	if (node != NULL)
++	if ((node != NULL) && (node->type == XML_ELEMENT_NODE))
+ 	    node->psvi = NULL;
+ 	return;
+     }
[email protected]@ -2221,7 +2221,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
+     *   namespace- and local-name of the node, but can evaluate this
+     *   using cctxt->style->inode->category;
+     */
+-    if (inst->psvi != NULL)
++    if ((inst == NULL) || (inst->type != XML_ELEMENT_NODE) ||
++        (inst->psvi != NULL))
+ 	return;
+ 
+     if (IS_XSLT_ELEM(inst)) {
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index 52bb3cf..169afd9 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
[email protected]@ -198,7 +198,8 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt,
+     xmlNodePtr oldInsert, insert = NULL;
+     xmlChar *ret;
+ 
+-    if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL))
++    if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
++        (inst->type != XML_ELEMENT_NODE))
+ 	return(NULL);
+ 
+     if (inst->children == NULL)
[email protected]@ -390,7 +391,8 @@ xsltEvalAttrValueTemplate(xsltTransformContextPtr ctxt, xmlNodePtr inst,
+     xmlChar *ret;
+     xmlChar *expr;
+ 
+-    if ((ctxt == NULL) || (inst == NULL) || (name == NULL))
++    if ((ctxt == NULL) || (inst == NULL) || (name == NULL) ||
++        (inst->type != XML_ELEMENT_NODE))
+ 	return(NULL);
+ 
+     expr = xsltGetNsProp(inst, name, ns);
[email protected]@ -434,7 +436,8 @@ xsltEvalStaticAttrValueTemplate(xsltStylesheetPtr style, xmlNodePtr inst,
+     const xmlChar *ret;
+     xmlChar *expr;
+ 
+-    if ((style == NULL) || (inst == NULL) || (name == NULL))
++    if ((style == NULL) || (inst == NULL) || (name == NULL) ||
++        (inst->type != XML_ELEMENT_NODE))
+ 	return(NULL);
+ 
+     expr = xsltGetNsProp(inst, name, ns);
[email protected]@ -475,7 +478,8 @@ xsltAttrTemplateProcess(xsltTransformContextPtr ctxt, xmlNodePtr target,
+     const xmlChar *value;
+     xmlAttrPtr ret;
+ 
+-    if ((ctxt == NULL) || (attr == NULL) || (target == NULL))
++    if ((ctxt == NULL) || (attr == NULL) || (target == NULL) ||
++        (target->type != XML_ELEMENT_NODE))
+ 	return(NULL);
+     
+     if (attr->type != XML_ATTRIBUTE_NODE)
[email protected]@ -632,7 +636,8 @@ xsltAttrListTemplateProcess(xsltTransformContextPtr ctxt,
+     const xmlChar *value;
+     xmlChar *valueAVT;
+ 
+-    if ((ctxt == NULL) || (target == NULL) || (attrs == NULL))
++    if ((ctxt == NULL) || (target == NULL) || (attrs == NULL) ||
++        (target->type != XML_ELEMENT_NODE))
+ 	return(NULL);
+ 
+     oldInsert = ctxt->insert;
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index c6df19e..bc6d851 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
[email protected]@ -777,7 +777,7 @@ xsltCopyTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ #endif
+ 
+     /*
+-    * Play save and reset the merging mechanism for every new
++    * Play safe and reset the merging mechanism for every new
+     * target node.
+     */
+     if ((target == NULL) || (target->children == NULL)) {
+diff --git a/libxslt/variables.c b/libxslt/variables.c
+index cb0d4b0..2d26872 100644
+--- a/libxslt/variables.c
++++ b/libxslt/variables.c
[email protected]@ -1935,7 +1935,7 @@ xsltParseStylesheetCallerParam(xsltTransformContextPtr ctxt, xmlNodePtr inst)
+                                the instruction itself. */
+     xsltStackElemPtr param = NULL;
+     
+-    if ((ctxt == NULL) || (inst == NULL))
++    if ((ctxt == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return(NULL);
+ 
+ #ifdef XSLT_REFACTORED
[email protected]@ -1994,7 +1994,7 @@ xsltParseGlobalVariable(xsltStylesheetPtr style, xmlNodePtr cur)
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+     
+ #ifdef XSLT_REFACTORED
[email protected]@ -2056,7 +2056,7 @@ xsltParseGlobalParam(xsltStylesheetPtr style, xmlNodePtr cur) {
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+     
+ #ifdef XSLT_REFACTORED
[email protected]@ -2119,7 +2119,7 @@ xsltParseStylesheetVariable(xsltTransformContextPtr ctxt, xmlNodePtr inst)
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((inst == NULL) || (ctxt == NULL))
++    if ((inst == NULL) || (ctxt == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     comp = inst->psvi;
[email protected]@ -2161,7 +2161,7 @@ xsltParseStylesheetParam(xsltTransformContextPtr ctxt, xmlNodePtr cur)
+     xsltStylePreCompPtr comp;
+ #endif
+ 
+-    if ((cur == NULL) || (ctxt == NULL))
++    if ((cur == NULL) || (ctxt == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     comp = cur->psvi;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 6293bb3..2bc8af5 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
[email protected]@ -1162,9 +1162,9 @@ xsltParseStylesheetOutput(xsltStylesheetPtr style, xmlNodePtr cur)
+     xmlChar *element,
+      *end;
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+         return;
+-   
++
+     prop = xmlGetNsProp(cur, (const xmlChar *) "version", NULL);
+     if (prop != NULL) {
+         if (style->version != NULL)
[email protected]@ -1377,12 +1377,12 @@ xsltParseStylesheetDecimalFormat(xsltStylesheetPtr style, xmlNodePtr cur)
+     xmlChar *prop;
+     xsltDecimalFormatPtr format;
+     xsltDecimalFormatPtr iter;
+-    
+-    if ((cur == NULL) || (style == NULL))
++
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     format = style->decimalFormat;
+-    
++
+     prop = xmlGetNsProp(cur, BAD_CAST("name"), NULL);
+     if (prop != NULL) {
+ 	format = xsltDecimalFormatGetByName(style, prop);
[email protected]@ -1484,7 +1484,7 @@ xsltParseStylesheetPreserveSpace(xsltStylesheetPtr style, xmlNodePtr cur) {
+     xmlChar *elements;
+     xmlChar *element, *end;
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     elements = xmlGetNsProp(cur, (const xmlChar *)"elements", NULL);
[email protected]@ -1558,7 +1558,7 @@ xsltParseStylesheetExtPrefix(xsltStylesheetPtr style, xmlNodePtr cur,
+     xmlChar *prefixes;
+     xmlChar *prefix, *end;
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     if (isXsltElem) {
[email protected]@ -1623,7 +1623,7 @@ xsltParseStylesheetStripSpace(xsltStylesheetPtr style, xmlNodePtr cur) {
+     xmlChar *elements;
+     xmlChar *element, *end;
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     elements = xmlGetNsProp(cur, (const xmlChar *)"elements", NULL);
[email protected]@ -1696,7 +1696,7 @@ xsltParseStylesheetExcludePrefix(xsltStylesheetPtr style, xmlNodePtr cur,
+     xmlChar *prefixes;
+     xmlChar *prefix, *end;
+ 
+-    if ((cur == NULL) || (style == NULL))
++    if ((cur == NULL) || (style == NULL) || (cur->type != XML_ELEMENT_NODE))
+ 	return(0);
+ 
+     if (isXsltElem)
[email protected]@ -4287,7 +4287,7 @@ static int
+ xsltParseUnknownXSLTElem(xsltCompilerCtxtPtr cctxt,
+ 			    xmlNodePtr node)
+ {
+-    if ((cctxt == NULL) || (node == NULL))
++    if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ 	return(-1);
+ 
+     /*
[email protected]@ -4384,7 +4384,7 @@ xsltParseSequenceConstructor(xsltCompilerCtxtPtr cctxt, xmlNodePtr cur)
+     if (cctxt->inode->category == XSLT_ELEMENT_CATEGORY_EXTENSION) {
+ 	cctxt->inode->extContentHandled = 1;
+     }
+-    if (cur == NULL)
++    if ((cur == NULL) || (cur->type == XML_NAMESPACE_DECL))
+ 	return;
+     /*
+     * This is the content reffered to as a "template".
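Review bot: This guard and the two added to xsltParseTemplateContent (the hunks at -4789 and -4838) reject only `XML_NAMESPACE_DECL`, while the other guards added to this file require `XML_ELEMENT_NODE`, and nothing in the code says why. Presumably `cur` may legitimately be a text or comment child here, so only the namespace case, where the pointer is really an `xmlNs` rather than an `xmlNode`, has to be refused. A comment above the check would stop a later reader from tightening it or from copying the weaker form elsewhere: `/* children may be text or comment nodes; only an xmlNs cast to xmlNodePtr must be rejected */`. The function body starts and ends outside the hunk.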
[email protected]@ -4789,7 +4789,8 @@ xsltParseSequenceConstructor(xsltCompilerCtxtPtr cctxt, xmlNodePtr cur)
+  */
+ void
+ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+-    if ((style == NULL) || (templ == NULL))
++    if ((style == NULL) || (templ == NULL) ||
++        (templ->type == XML_NAMESPACE_DECL))
+ 	return;
+ 
+     /*
[email protected]@ -4838,6 +4839,10 @@ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+ void
+ xsltParseTemplateContent(xsltStylesheetPtr style, xmlNodePtr templ) {
+     xmlNodePtr cur, delete;
++
++    if ((style == NULL) || (templ == NULL) ||
++        (templ->type == XML_NAMESPACE_DECL)) return;
++
+     /*
+      * This content comes from the stylesheet
+      * For stylesheets, the set of whitespace-preserving
[email protected]@ -5057,7 +5062,7 @@ xsltParseStylesheetKey(xsltStylesheetPtr style, xmlNodePtr key) {
+     xmlChar *name = NULL;
+     xmlChar *nameURI = NULL;
+ 
+-    if ((style == NULL) || (key == NULL))
++    if ((style == NULL) || (key == NULL) || (key->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     /*
[email protected]@ -5147,7 +5152,8 @@ xsltParseXSLTTemplate(xsltCompilerCtxtPtr cctxt, xmlNodePtr templNode) {
+     xmlChar *prop;    
+     double  priority;    
+ 
+-    if ((cctxt == NULL) || (templNode == NULL))
++    if ((cctxt == NULL) || (templNode == NULL) ||
++        (templNode->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     /*
[email protected]@ -5308,7 +5314,8 @@ xsltParseStylesheetTemplate(xsltStylesheetPtr style, xmlNodePtr template) {
+     xmlChar *modeURI = NULL;
+     double  priority;
+ 
+-    if (template == NULL)
++    if ((style == NULL) || (template == NULL) ||
++        (template->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     /*
[email protected]@ -5440,7 +5447,7 @@ static xsltStyleItemIncludePtr
+ xsltCompileXSLTIncludeElem(xsltCompilerCtxtPtr cctxt, xmlNodePtr node) {
+     xsltStyleItemIncludePtr item;
+ 
+-    if ((cctxt == NULL) || (node == NULL))
++    if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ 	return(NULL);
+ 
+     node->psvi = NULL;
[email protected]@ -5960,7 +5967,7 @@ xsltParseXSLTStylesheetElem(xsltCompilerCtxtPtr cctxt, xmlNodePtr node)
+ {
+     xmlNodePtr cur, start;
+ 
+-    if ((cctxt == NULL) || (node == NULL))
++    if ((cctxt == NULL) || (node == NULL) || (node->type != XML_ELEMENT_NODE))
+ 	return(-1);
+     
+     if (node->children == NULL)
[email protected]@ -6048,7 +6055,7 @@ xsltParseStylesheetTop(xsltStylesheetPtr style, xmlNodePtr top) {
+     int templates = 0;
+ #endif
+ 
+-    if (top == NULL)
++    if ((top == NULL) || (top->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+     prop = xmlGetNsProp(top, (const xmlChar *)"version", NULL);
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 7a4caf0..6a0e8f2 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
[email protected]@ -91,10 +91,15 @@ xsltGetCNsProp(xsltStylesheetPtr style, xmlNodePtr node,
+     if ((node == NULL) || (style == NULL) || (style->dict == NULL))
+ 	return(NULL);
+ 
+-    prop = node->properties;
+-    if (nameSpace == NULL) {
++    if (nameSpace == NULL)
+         return xmlGetProp(node, name);
+-    }
++
++    if (node->type == XML_NAMESPACE_DECL)
++        return(NULL);
++    if (node->type == XML_ELEMENT_NODE)
++	prop = node->properties;
++    else
++	prop = NULL;
+     while (prop != NULL) {
+ 	/*
+ 	 * One need to have
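Review bot: The new node-type checks come after the `nameSpace == NULL` shortcut, so a namespace-declaration node passed without a namespace still goes to `xmlGetProp()`. The hardening on that path then depends on `xmlGetProp()` rejecting non-element nodes, which is not visible here. Other non-element nodes get `prop = NULL` and fall through to whatever follows the loop. A single `if (node->type != XML_ELEMENT_NODE) return(NULL);` placed before the shortcut would cover both paths and replace the three-way branch; the same applies to the xsltGetNsProp hunk at -173. The function continues outside the hunk, so confirm the fall-through code has no use for non-element nodes before collapsing it.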
[email protected]@ -131,7 +136,7 @@ xsltGetCNsProp(xsltStylesheetPtr style, xmlNodePtr node,
+ 	    attrDecl = xmlGetDtdAttrDesc(doc->intSubset, node->name, name);
+ 	    if ((attrDecl == NULL) && (doc->extSubset != NULL))
+ 		attrDecl = xmlGetDtdAttrDesc(doc->extSubset, node->name, name);
+-		
++
+ 	    if ((attrDecl != NULL) && (attrDecl->prefix != NULL)) {
+ 	        /*
+ 		 * The DTD declaration only allows a prefix search
[email protected]@ -173,7 +178,15 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+     if (node == NULL)
+ 	return(NULL);
+ 
+-    prop = node->properties;
++    if (nameSpace == NULL)
++        return xmlGetProp(node, name);
++
++    if (node->type == XML_NAMESPACE_DECL)
++        return(NULL);
++    if (node->type == XML_ELEMENT_NODE)
++	prop = node->properties;
++    else
++	prop = NULL;
+     /*
+     * TODO: Substitute xmlGetProp() for xmlGetNsProp(), since the former
+     * is not namespace-aware and will return an attribute with equal
[email protected]@ -183,8 +196,6 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+     *   So this would return "myName" even if an attribute @name
+     *   in the XSLT was requested.
+     */
+-    if (nameSpace == NULL)
+-	return(xmlGetProp(node, name));
+     while (prop != NULL) {
+ 	/*
+ 	 * One need to have
[email protected]@ -217,7 +228,7 @@ xsltGetNsProp(xmlNodePtr node, const xmlChar *name, const xmlChar *nameSpace) {
+ 	    attrDecl = xmlGetDtdAttrDesc(doc->intSubset, node->name, name);
+ 	    if ((attrDecl == NULL) && (doc->extSubset != NULL))
+ 		attrDecl = xmlGetDtdAttrDesc(doc->extSubset, node->name, name);
+-		
++
+ 	    if ((attrDecl != NULL) && (attrDecl->prefix != NULL)) {
+ 	        /*
+ 		 * The DTD declaration only allows a prefix search
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/08-libxslt-Fix-system-property-with-unknown-namespace.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,60 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=abb7c65980c7da450f0447dcc6a1821eef99d473
+
+From abb7c65980c7da450f0447dcc6a1821eef99d473 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Wed, 15 Aug 2012 21:06:14 +0000
+Subject: Fix system-property with unknown namespace
+
+The empty string should be returned, see bug #631803.
+---
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index de962f4..01852b8 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
[email protected]@ -799,7 +799,9 @@ xsltSystemPropertyFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ 	    } else {
+ 		valuePush(ctxt, xmlXPathNewString((const xmlChar *)""));
+ 	    }
+-	}
++	} else {
++	    valuePush(ctxt, xmlXPathNewString((const xmlChar *)""));
++        }
+ 	if (name != NULL)
+ 	    xmlFree(name);
+ 	if (prefix != NULL)
+diff --git a/tests/docs/bug-176.xml b/tests/docs/bug-176.xml
+new file mode 100644
+index 0000000..69d62f2
+--- a/dev/null
++++ b/tests/docs/bug-176.xml
[email protected]@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-176.out b/tests/general/bug-176.out
+new file mode 100644
+index 0000000..e829790
+--- a/dev/null
++++ b/tests/general/bug-176.out
[email protected]@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++<result/>
+diff --git a/tests/general/bug-176.xsl b/tests/general/bug-176.xsl
+new file mode 100644
+index 0000000..6996e1e
+--- a/dev/null
++++ b/tests/general/bug-176.xsl
[email protected]@ -0,0 +1,11 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
++               xmlns:msxsl="urn:schemas-microsoft-com:xslt"
++               exclude-result-prefixes="msxsl"
++               version="1.0">
++    <xsl:template match="/">
++        <result>
++            <xsl:value-of select="system-property('msxsl:version')"/>
++        </result>
++    </xsl:template>
++</xsl:transform>
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/09-libxslt-Hardening-of-code-checking-node-types-in-EXSLT.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,40 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=24653072221e76d2f1f06aa71225229b532f8946
+
+Followup on CVE-2012-2870
+
+From 24653072221e76d2f1f06aa71225229b532f8946 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Thu, 16 Aug 2012 07:51:35 +0000
+Subject: Hardening of code checking node types in EXSLT
+
+---
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 13fd06e..4c68cea 100644
+--- a/libexslt/functions.c
++++ b/libexslt/functions.c
[email protected]@ -459,10 +459,9 @@ exsltFuncFunctionComp (xsltStylesheetPtr style, xmlNodePtr inst) {
+     xmlHashTablePtr data;
+     exsltFuncFunctionData *func;
+ 
+-    if ((style == NULL) || (inst == NULL))
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
+ 	return;
+ 
+-
+     {
+ 	xmlChar *qname;
+ 
[email protected]@ -546,6 +545,9 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
+     xmlChar *sel;
+     exsltFuncResultPreComp *ret;
+ 
++    if ((style == NULL) || (inst == NULL) || (inst->type != XML_ELEMENT_NODE))
++        return (NULL);
++
+     /*
+      * "Validity" checking
+      */
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/10-libxslt-xsltproc-should-return-an-error-code-if-xinclude-fails.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,48 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=e669a8c7cefec93ee1bfaf59721aadc42e226d6e
+
+From e669a8c7cefec93ee1bfaf59721aadc42e226d6e Mon Sep 17 00:00:00 2001
+From: Malcolm Purvis <[email protected]>
+Date: Thu, 16 Aug 2012 09:08:31 +0000
+Subject: xsltproc should return an error code if xinclude fails
+
+When running xsltproc with the --xinclude option and if the included file
+contains parse errors, then xsltproc exits with a success return code (0)
+rather than an error code.  This is despite the fact that parser error
+messages are printed out.
+* xsltproc/xsltproc.c: check xinclude processing function return code,
+  fail with error 6 if it went wrong.
+---
+diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
+index 8244ef3..42d6b9a 100644
+--- a/xsltproc/xsltproc.c
++++ b/xsltproc/xsltproc.c
[email protected]@ -359,16 +359,23 @@ xsltProcess(xmlDocPtr doc, xsltStylesheetPtr cur, const char *filename) {
+ 
+ #ifdef LIBXML_XINCLUDE_ENABLED
+     if (xinclude) {
++        int ret;
++
+ 	if (timing)
+ 	    startTimer();
+ #if LIBXML_VERSION >= 20603
+-	xmlXIncludeProcessFlags(doc, XSLT_PARSE_OPTIONS);
++	ret = xmlXIncludeProcessFlags(doc, XSLT_PARSE_OPTIONS);
+ #else
+-	xmlXIncludeProcess(doc);
++	ret = xmlXIncludeProcess(doc);
+ #endif
+ 	if (timing) {
+ 	    endTimer("XInclude processing %s", filename);
+ 	}
++
++        if (ret < 0) {
++	    errorno = 6;
++            return;
++        }
+     }
+ #endif
+     if (timing)
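Review bot: The added `return;` after `errorno = 6` leaves xsltProcess before any cleanup later in the function runs. If the function is what normally releases `doc` (its body continues outside this hunk), the failure path skips that release. In that case `xmlFreeDoc(doc);` before the `return;` would keep the error path consistent with the normal one. If the caller owns `doc` instead, a short comment saying so would settle the question for the next reader.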
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/11-libxslt-Fix-a-dictionary-string-usage.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,109 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=54977ed7966847e305a2008cb18892df26eeb065
+
+Heap-double-free in xmlFreeNodeList
+http://code.google.com/p/chromium/issues/detail?id=144799
+
+From 54977ed7966847e305a2008cb18892df26eeb065 Mon Sep 17 00:00:00 2001
+From: Chris Evans <[email protected]>
+Date: Mon, 03 Sep 2012 07:50:22 +0000
+Subject: Fix a dictionary string usage
+
+Raised in chromium, but also affecting xsltproc
+Also updated AUTHORS to list Chris and other contributors
+---
+diff --git a/AUTHORS b/AUTHORS
+index 094ebbc..3a70a17 100644
+--- a/AUTHORS
++++ b/AUTHORS
[email protected]@ -5,7 +5,7 @@ Daniel Veillard:
+    Used to work at W3C, now Red Hat
+    co-chair of W3C XML Linking WG
+    invited expert on the W3C XML Core WG
+-   Author of libxml upon which this library is based.
++   Author of libxml2 upon which this library is based.
+ 
+ Bjorn Reese:
+    [email protected]
[email protected]@ -18,3 +18,46 @@ William Brack <[email protected]>
+ Thomas Broyer <[email protected]>
+ 
+ Igor Zlatkovic <[email protected]> for the Windows port
++
++Patches gently provided by a multitude of people :
++
++Abhishek Arya <[email protected]>
++Ben Walton <[email protected]>
++Bjorn Reese <[email protected]>
++C. M. Sperberg-McQueen <[email protected]>
++Colin Walters <[email protected]>
++Daniel Mustieles <[email protected]>
++Daniel Richard G <[email protected]>
++Darin Adler <[email protected]>
++ÉRDI Gergo <[email protected]>
++Fatih Demir <[email protected]>
++Federico Mena Quintero <[email protected]>
++Frederic Crozat <[email protected]>
++Hao Hu <[email protected]>
++Havoc Pennington <[email protected]>
++IlyaS <[email protected]>
++jacob berkman <[email protected]>
++Jason Viers <[email protected]>
++Jérôme Carretero <[email protected]>
++Joachim Breitner <[email protected]>
++Johan Dahlin <[email protected]>
++John Fleck <[email protected]>
++Jose Maria Celorio <[email protected]>
++Julio M. Merino Vidal <[email protected]>
++Kasimier T. Buchcik <[email protected]>
++Kjartan Maraas <[email protected]>
++Laurence Rowe <[email protected]>
++Malcolm Purvis <[email protected]>
++Martin <[email protected]>
++MDT 2002 John Fleck <[email protected]>
++Michael Bonfils <[email protected]>
++money_seshu Dronamraju <[email protected]>
++Nick Wellnhofer <[email protected]>
++Nix <[email protected]>
++Pedro F. Giffuni <[email protected]>
++Peter Williams <[email protected]>
++Rob Richards <[email protected]>
++Roumen Petrov <[email protected]>
++Stefan Kost <[email protected]>
++Tomasz Kłoczko <[email protected]>
++Chris Evans <[email protected]>
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index 169afd9..4804682 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
[email protected]@ -18,6 +18,7 @@
+ #include <libxml/globals.h>
+ #include <libxml/xmlerror.h>
+ #include <libxml/tree.h>
++#include <libxml/dict.h>
+ #include <libxml/xpathInternals.h>
+ #include <libxml/parserInternals.h>
+ #include "xslt.h"
[email protected]@ -586,7 +587,8 @@ xsltAttrTemplateProcess(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ 		}
+ 	    } else if ((ctxt->internalized) && (target != NULL) &&
+ 	               (target->doc != NULL) &&
+-		       (target->doc->dict == ctxt->dict)) {
++		       (target->doc->dict == ctxt->dict) &&
++		       xmlDictOwns(ctxt->dict, value)) {
+ 		text->content = (xmlChar *) value;
+ 	    } else {
+ 		text->content = xmlStrdup(value);
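Review bot: `xmlDictOwns()` is used as a truth value in the added condition, but it returns -1 on error as well as 1 for an owned string. An error result would therefore still take the branch that stores `value` without copying it. Comparing explicitly closes that gap: `(xmlDictOwns(ctxt->dict, value) == 1)) {`. The same condition is added to xsltAttrListTemplateProcess in the next hunk. Whether `ctxt->dict` or `value` can be NULL at this point is not visible in the hunk, so this may be defensive only.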
[email protected]@ -772,7 +774,8 @@ xsltAttrListTemplateProcess(xsltTransformContextPtr ctxt,
+ 		}
+ 	    } else if ((ctxt->internalized) &&
+ 		(target->doc != NULL) &&
+-		(target->doc->dict == ctxt->dict))
++		(target->doc->dict == ctxt->dict) &&
++		xmlDictOwns(ctxt->dict, value))
+ 	    {
+ 		text->content = (xmlChar *) value;
+ 	    } else {
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxslt/patches/12-libxslt-Avoid-a-heap-use-after-free-error.patch	Mon Jan 21 03:30:38 2013 -0800
@@ -0,0 +1,51 @@
+Taken as it's from:
+
+http://git.gnome.org/browse/libxslt/commit/?id=4da0f7e207f14a03daad4663865c285eb27f93e9
+
+From 4da0f7e207f14a03daad4663865c285eb27f93e9 Mon Sep 17 00:00:00 2001
+From: Chris Evans <[email protected]>
+Date: Mon, 03 Sep 2012 10:16:44 +0000
+Subject: Avoid a heap use after free error
+
+For https://code.google.com/p/chromium/issues/detail?id=140368
+---
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 5a8eb79..fe2f1ca 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
[email protected]@ -660,6 +660,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ void
+ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+     xmlNodePtr cur = NULL;
++    xmlXPathObjectPtr obj = NULL;
+     long val;
+     xmlChar str[30];
+     xmlDocPtr doc;
[email protected]@ -667,7 +668,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+     if (nargs == 0) {
+ 	cur = ctxt->context->node;
+     } else if (nargs == 1) {
+-	xmlXPathObjectPtr obj;
+ 	xmlNodeSetPtr nodelist;
+ 	int i, ret;
+ 
[email protected]@ -690,7 +690,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ 	    if (ret == -1)
+ 	        cur = nodelist->nodeTab[i];
+ 	}
+-	xmlXPathFreeObject(obj);
+     } else {
+ 	xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
+ 		"generate-id() : invalid number of args %d\n", nargs);
[email protected]@ -713,6 +712,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+ 
+     }
+ 
++    if (obj)
++        xmlXPathFreeObject(obj);
++
+     val = (long)((char *)cur - (char *)doc);
+     if (val >= 0) {
+       sprintf((char *)str, "idp%ld", val);
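Review bot: The relocated `xmlXPathFreeObject(obj)` has no comment saying why it must come this late, so a later cleanup could move it back next to the loop and reintroduce the use after free. Presumably `cur` can point at a node owned by `obj`, and the block just above (only its closing brace is in this hunk) still reads through `cur` to find `doc`. I would add `/* obj may own the node cur points to; free it only after doc has been derived */` above the `if (obj)`. In the visible lines after the free, `cur` is used only for pointer arithmetic, which matches that reading.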
+--
+cgit v0.9.0.2