Bug#293592: [xml/sgml-pkgs] Bug#293592: libxslt1.1: Setting xml:lang on / makes xsltproc segfault

Mike Hommey <mh@glandium.org>, 293592@bugs.debian.org
Wed, 9 Feb 2005 16:03:11 +0100



reassign 293592 libxml2
retitle 293592 libxml2: setting a namespaced attribute should be limited to element nodes.
tag 293592 + patch
thanks

On Fri, Feb 04, 2005 at 05:02:38PM +0100, Vincent Lefevre <vincent@vinc17.org> wrote:
> Package: libxslt1.1
> Version: 1.1.8-5
> Severity: normal
> 
> This XSL stylesheet is buggy, but in any case, xsltproc shouldn't
> segfault.
> 
> <?xml version="1.0"?>
> <xsl:stylesheet version="1.0"
>                 xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
> <xsl:template match="/">
>   <xsl:attribute name="xml:lang">
>     <xsl:value-of select="'en'"/>
>   </xsl:attribute>
> </xsl:template>
> </xsl:stylesheet>
> 
> dixsept:~> xsltproc test.xsl test.xsl
> zsh: segmentation fault (core dumped)  xsltproc test.xsl test.xsl

The issue comes from the function xmlSetNsProp in libxml2 which doesn't
check if the node we're trying to put an attribute on is an element
node. In the case of this stylesheet, since there's no element node
pushed before pushing the attribute, the attribute is applied to the
document node, thus putting the property node in place of a DTD node,
which, at free() time, provokes the segmentation fault.

See attached patch for a fix.

Mike


Index: tree.c
===================================================================
--- tree.c	(リビジョン 349)
+++ tree.c	(作業コピー)
@@ -6438,7 +6438,7 @@
 	     const xmlChar *value) {
     xmlAttrPtr prop;
     
-    if ((node == NULL) || (name == NULL))
+    if ((node == NULL) || (name == NULL) || (node->type != XML_ELEMENT_NODE))
 	return(NULL);
 
     if (ns == NULL)
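Review bot: The added `(node->type != XML_ELEMENT_NODE)` test is correctly placed after the `node == NULL` test, so the dereference is safe; but with this hunk a document node (or any other non-element node) now makes xmlSetNsProp return NULL silently, exactly like a bad `name` argument, so the function's doc comment should say that only element nodes are accepted, and the callers that previously got a corrupted tree should be checked for handling that NULL, otherwise a stylesheet like the one in the report drops the attribute without any diagnostic.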

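The paragraph above explains the crash as a type confusion: the setter only checks for NULL arguments, so an attribute handed to the document node lands in the memory slot a document uses for its DTD pointer, and the later tree free dereferences it as a DTD. The C program below is an added example, not libxml2 code or Mike's patch; the `demo_*` types and the `set_prop_unchecked`/`set_prop_checked` functions are hypothetical stand-ins that keep only the shared node header and the overlapping field, so the pre-patch and post-patch behaviour can be compared on a document node and an element node.

```c
/* Added example, not libxml2 code: cut-down model of why a property setter
 * like xmlSetNsProp must refuse non-element nodes. All demo_* names are
 * hypothetical stand-ins for libxml2's xmlNode / xmlDoc / xmlAttr. */
#include <stdio.h>
#include <string.h>

typedef enum { DEMO_ELEMENT_NODE = 1, DEMO_DOCUMENT_NODE = 9 } demo_node_type;

typedef struct demo_attr {
    const char *name;
    const char *value;
    struct demo_attr *next;
} demo_attr;

/* Header shared by every node kind, as libxml2's tree structs share one. */
typedef struct {
    demo_node_type type;
    const char *name;
} demo_header;

/* Element: header followed by its attribute list. */
typedef struct {
    demo_header h;
    demo_attr *properties;
} demo_element;

/* Document: same header, but the next slot holds a DTD pointer. This is the
 * overlap the report describes: an attribute written through the element
 * view ends up "in place of a DTD node". */
typedef struct {
    demo_header h;
    void *int_subset;   /* DTD; a real tree would free this as a DTD */
} demo_document;

/* The node as the API sees it: one pointer type for every node kind. */
typedef union {
    demo_header h;
    demo_element elem;
    demo_document doc;
} demo_any;

/* Pre-patch behaviour: NULL checks only, then treat the node as an element. */
static demo_attr *set_prop_unchecked(demo_any *node, demo_attr *attr) {
    if (node == NULL || attr == NULL)
        return NULL;
    demo_element *el = &node->elem;   /* wrong view when node is a document */
    attr->next = el->properties;
    el->properties = attr;            /* overwrites doc.int_subset */
    return attr;
}

/* Post-patch behaviour: the extra node->type test from the diff. */
static demo_attr *set_prop_checked(demo_any *node, demo_attr *attr) {
    if (node == NULL || attr == NULL || node->h.type != DEMO_ELEMENT_NODE)
        return NULL;
    demo_element *el = &node->elem;
    attr->next = el->properties;
    el->properties = attr;
    return attr;
}

static void init_node(demo_any *n, demo_node_type type, const char *name) {
    memset(n, 0, sizeof *n);
    n->h.type = type;
    n->h.name = name;
}

/* 1 when the unchecked setter has planted the attribute pointer in the
 * document's DTD slot; freeing that "DTD" is the reported segfault. */
int unchecked_setter_corrupts_dtd_slot(void) {
    demo_any doc;
    demo_attr lang = { "xml:lang", "en", NULL };   /* constructed input */
    init_node(&doc, DEMO_DOCUMENT_NODE, "document");
    set_prop_unchecked(&doc, &lang);
    return doc.doc.int_subset == (void *)&lang;
}

/* 1 when the checked setter refuses the document and leaves the DTD slot alone. */
int checked_setter_rejects_document(void) {
    demo_any doc;
    demo_attr lang = { "xml:lang", "en", NULL };
    init_node(&doc, DEMO_DOCUMENT_NODE, "document");
    return set_prop_checked(&doc, &lang) == NULL && doc.doc.int_subset == NULL;
}

/* 1 when the checked setter still attaches attributes to a real element. */
int checked_setter_accepts_element(void) {
    demo_any el;
    demo_attr lang = { "xml:lang", "en", NULL };
    init_node(&el, DEMO_ELEMENT_NODE, "html");
    return set_prop_checked(&el, &lang) == &lang
        && el.elem.properties == &lang
        && el.elem.properties->next == NULL;
}

int main(void) {
    printf("unchecked setter corrupts DTD slot: %d\n", unchecked_setter_corrupts_dtd_slot());
    printf("checked setter rejects document:   %d\n", checked_setter_rejects_document());
    printf("checked setter accepts element:    %d\n", checked_setter_accepts_element());
    return 0;
}
```

The union makes the overlap explicit and well-defined for the demo; in libxml2 the same effect comes from every node kind being passed as one pointer type while the structs diverge after their common prefix, which is why a type check on `node->type` before touching `properties` is the right place for the fix.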