Bug 685328 – Crash reading NULL when using xsl:key

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 685328 - Crash reading NULL when using xsl:key


Summary:	Crash reading NULL when using xsl:key


Status:	RESOLVED FIXED

Product:	libxslt
Classification:	Platform
Component:	general
Version:	1.1.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	Daniel Veillard
QA Contact:	libxml QA maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2012-10-02 20:20 UTC by Nicolas Gregoire
Modified:	2012-10-21 23:19 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Minimized test case (137 bytes, application/xml) 2012-10-02 20:20 UTC, Nicolas Gregoire	Details

Description Nicolas Gregoire 2012-10-02 20:20:59 UTC

Created attachment 225622 [details]
Minimized test case

The attached test case will crash the latest libxslt release (1.1.27). A read at NULL occurs in SKIP_BLANKS when an invalid "use" parameter is given to "xsl:key":

$ xsltproc --version
Using libxml 20900, libxslt 10127 and libexslt 816
xsltproc was compiled against libxml 20900, libxslt 10127 and libexslt 816
libxslt 10127 was compiled against libxml 20900
libexslt 816 was compiled against libxml 20900

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff72748ca in xmlXPathCompUnaryExpr (ctxt=Unhandled dwarf expression opcode 0x0
) at xpath.c:10807
10807	    SKIP_BLANKS;
(gdb) x/i $rip
=> 0x7ffff72748ca <xmlXPathCompUnaryExpr+154>:	mov    (%rdi),%cl
(gdb) info reg
rax            0xffffeb6e690	17592164476560
rbx            0x7ffff5b73480	140737315812480
rcx            0x100000000000	17592186044416
rdx            0x7ffff5b5c280	140737315717760
rsi            0x1ffffeb6e690	35184350520976
rdi            0x0	0
rbp            0x7fffffffde10	0x7fffffffde10
rsp            0x7fffffffdde0	0x7fffffffdde0
r8             0x100000000000	17592186044416
r9             0x39e	926
r10            0x0	0
r11            0x7ffff5e05ba6	140737318509478
r12            0x7ffff4f5b480	140737303131264
r13            0x7ffff5b73480	140737315812480
r14            0x7ffff5b73480	140737315812480
r15            0x7ffff5b73480	140737315812480
rip            0x7ffff72748ca	0x7ffff72748ca <xmlXPathCompUnaryExpr+154>
eflags         0x10246	[ PF ZF IF RF ]

Comment 1 Nick Wellnhofer 2012-10-21 23:19:33 UTC

It was actually the empty 'match' attribute that caused the crash. Fixed in
http://git.gnome.org/browse/libxslt/commit/?id=dc11b6b379a882418093ecc8adf11f6166682e8d