On Thu, Nov 20, 2008 at 05:52:30PM +0000, Martin (gzlist) wrote:
> When compiling the stylesheet attached, libxslt crashes.
>
> The problem lies inside xsltParseTemplateContent (when XSLT_REFACTORED
> is not defined, which is the case in all standard configurations) in
> xslt.c lines 4949-4956:
>
>     if (cur->properties != NULL) {
>         xmlAttrPtr attr = cur->properties;
>
>         while (attr != NULL) {
>             xsltCompileAttr(style, attr);
>             attr = attr->next;
>         }
>     }
>
> Here it is assumed that the xmlNodePtr cur refers to a valid xmlNode,
> however it can also be xmlDtd.
>
> When this is the case, and the DTD in the stylesheet has an internal
> subset with attribute declarations, cur->properties is xmlHashTablePtr
> rather than xmlAttrPtr.
>
> This leads to xsltCompileAttr in attrvt.c lines 181-188:
[...]
> Thus xsltTransformError is called with attr->name which is the
> ->nbElems of the xmlHashTablePtr and controllable by modifying the
> internal subset, and attr->parent which is something past the end of
> the struct. As ->name is destined for varargs, ->node is only ever
> read from, and no value controlled by the stylesheet creator is
> written anywhere interesting, I believe this can't be used to do
> anything much.

Argh I see, good catch and good explanation!

> A patch fixing the issue is attached.

Yes, that looks just right, thanks a lot! Applied and pushed to git.

> Finally, can someone please look at my other patch already, it's been
> over three months with no acknowledgement.

Ah, yes I see this, sorry this landed in an unvisited folder :-\
I will check it too!

Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
[email protected] | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
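
The kind of type check the report above calls for, as an added example that is not part of the original thread and is not the patch that was applied. The structs are simplified stand-ins for libxml2's node types and every name in the block is hypothetical; it shows why the node kind has to be tested before the shared slot is walked as an attribute list.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified stand-ins, not the libxml2 definitions: two node kinds that
 * share a header and reuse the same slot for different data. */
enum kind { KIND_ELEMENT, KIND_DTD };
struct attr  { const char *name; struct attr *next; };
struct table { int size; int nb_elems; };   /* stands in for a hash table */
struct elem  { enum kind type; const char *name; struct attr  *properties; };
struct dtd   { enum kind type; const char *name; struct table *attributes; };
union tree_node { struct elem e; struct dtd d; };  /* shared leading members */

/* Same slot: attribute list in an element, declaration table in a DTD. */
int slots_overlap(void)
{
    return offsetof(struct elem, properties) == offsetof(struct dtd, attributes);
}

/* Guarded walk: visit attributes only when cur really is an element. */
int count_attrs_checked(const union tree_node *cur)
{
    int n = 0;
    if (cur == NULL || cur->e.type != KIND_ELEMENT)
        return 0;                           /* DTD or other kind: skip */
    for (const struct attr *a = cur->e.properties; a != NULL; a = a->next)
        n++;
    return n;
}

/* Constructed sample: an element with two attributes. */
int sample_element_count(void)
{
    struct attr b = { "select", NULL }, a = { "name", &b };
    union tree_node n = { .e = { KIND_ELEMENT, "with-param", &a } };
    return count_attrs_checked(&n);
}

/* Constructed sample: a DTD whose slot points at a table, not attributes. */
int sample_dtd_count(void)
{
    struct table t = { 16, 3 };
    union tree_node n = { .d = { KIND_DTD, "stylesheet", &t } };
    return count_attrs_checked(&n);
}

int main(void)
{
    printf("element=%d dtd=%d\n", sample_element_count(), sample_dtd_count());
    return !slots_overlap();
}
```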