Bug 685330 - Crash near NULL when passing an uninitialized variable to document()
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: 1.1.x
Hardware/OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2012-10-02 20:37 UTC by Nicolas Gregoire
Modified: 2012-10-21 23:17 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Minimized test case (197 bytes, application/xml), 2012-10-02 20:37 UTC, Nicolas Gregoire

Description Nicolas Gregoire 2012-10-02 20:37:52 UTC
Created attachment 225624: Minimized test case

The attached test case will crash the latest libxslt release (1.1.27). A read near NULL occurs in xsltDocumentFunction() when an uninitialized variable is used as a parameter to the document() function:

$ xsltproc --version
Using libxml 20900, libxslt 10127 and libexslt 816
xsltproc was compiled against libxml 20900, libxslt 10127 and libexslt 816
libxslt 10127 was compiled against libxml 20900
libexslt 816 was compiled against libxml 20900


(gdb) r
Variable 'xxx' has not been declared.
XPath error : Stack usage errror

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b8bbbf in xsltDocumentFunction (ctxt=Unhandled dwarf expression opcode 0x0
) at functions.c:263
263	        if (obj->nodesetval) {
(gdb) x/i $rip
=> 0x7ffff7b8bbbf <xsltDocumentFunction+495>:	cmpq   $0x0,(%r12)
(gdb) info reg
rax            0x7ffff5b01880	140737315346560
rbx            0x7ffff5b00e80	140737315344000
rcx            0x1ffffeb60331	35184350462769
rdx            0x80	128
rsi            0x10	16
rdi            0x7ffff5b0198f	140737315346831
rbp            0x7fffffffd5b0	0x7fffffffd5b0
rsp            0x7fffffffd540	0x7fffffffd540
r8             0x80	128
r9             0x78	120
r10            0x7ffff5d9ec4d	140737318087757
r11            0x7ffff5e05bb6	140737318509494
r12            0x8	8
r13            0xffffeb601d3	17592164418003
r14            0x100000000001	17592186044417
r15            0xffffeb601d4	17592164418004
rip            0x7ffff7b8bbbf	0x7ffff7b8bbbf <xsltDocumentFunction+495>
eflags         0x10246	[ PF ZF IF RF ]
Comment 1 Nick Wellnhofer 2012-10-10 10:58:10 UTC
Fixed in the following commit:
http://git.gnome.org/browse/libxslt/commit/?id=6c99c519d97e5fcbec7a9537d190efb442e4e833
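The following is an added example, not code from libxslt, libxml2 or the commit linked above. It models the pattern behind the report: the function implementing document() pops its argument from the XPath value stack, and when evaluation of that argument has already failed (the "Variable 'xxx' has not been declared." message, assumed here to come from a stylesheet expression such as document($xxx)), nothing was pushed, the pop reports a stack usage error and returns NULL, and the unchecked read of obj->nodesetval faults near address zero. All names in the block (xp_object, xp_ctxt, value_pop, document_function_unsafe, document_function_safe, the demo_* helpers) are this example's own, the 3-node node-set is constructed input, and the hardened variant is this example's own check rather than a reproduction of the referenced fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the libxml2 types involved (simplified, example's own). The
 * field order "type, then nodesetval" is kept because it explains the fault
 * address: with obj == NULL, obj->nodesetval reads offset 8 on LP64, matching
 * the "cmpq $0x0,(%r12)" with r12 = 0x8 in the report. */
typedef struct { int nodeNr; } xp_nodeset;                        /* ~ xmlNodeSet */
typedef struct { int type; xp_nodeset *nodesetval; } xp_object;   /* ~ xmlXPathObject */

#define XP_STACK_MAX 8
typedef struct {
    xp_object *stack[XP_STACK_MAX];
    int depth;
    int error;   /* set once evaluation hit an error such as stack underflow */
} xp_ctxt;

/* Mirrors the contract of a value-stack pop: on an empty stack it reports a
 * stack usage error and returns NULL instead of an object. */
static xp_object *value_pop(xp_ctxt *ctxt) {
    if (ctxt->depth <= 0) {
        ctxt->error = 1;
        fprintf(stderr, "XPath error : stack underflow\n");
        return NULL;
    }
    return ctxt->stack[--ctxt->depth];
}

static void value_push(xp_ctxt *ctxt, xp_object *obj) {
    if (ctxt->depth < XP_STACK_MAX)
        ctxt->stack[ctxt->depth++] = obj;
}

/* Vulnerable shape (same pattern as the crash site): assumes the argument was
 * pushed. If evaluating the argument failed, obj is NULL and the read of
 * obj->nodesetval is the near-NULL fault. */
static int document_function_unsafe(xp_ctxt *ctxt) {
    xp_object *obj = value_pop(ctxt);
    if (obj->nodesetval)                  /* NULL dereference when the pop failed */
        return obj->nodesetval->nodeNr;
    return 0;
}

/* Hardened shape: never dereference the result of a pop that may have failed;
 * report the missing argument to the caller instead. */
static int document_function_safe(xp_ctxt *ctxt) {
    xp_object *obj = value_pop(ctxt);
    if (obj == NULL || ctxt->error)
        return -1;                        /* argument missing: do not touch obj */
    if (obj->nodesetval)
        return obj->nodesetval->nodeNr;
    return 0;
}

/* Scenario 1: the argument expression failed, so the stack is empty. Only the
 * hardened version can be called here; it returns -1 instead of crashing. */
int demo_missing_argument(void) {
    xp_ctxt ctxt = {0};
    return document_function_safe(&ctxt);
}

/* Scenario 2: a well-formed call. A constructed node-set of 3 nodes is pushed
 * first, and both versions return its size. */
int demo_with_argument(int use_safe_version) {
    xp_nodeset ns = { 3 };
    xp_object obj = { 1, &ns };
    xp_ctxt ctxt = {0};
    value_push(&ctxt, &obj);
    return use_safe_version ? document_function_safe(&ctxt)
                            : document_function_unsafe(&ctxt);
}

int main(void) {
    printf("nodesetval offset: %zu\n", offsetof(xp_object, nodesetval));
    printf("missing argument (safe): %d\n", demo_missing_argument());
    printf("with argument (unsafe): %d, (safe): %d\n",
           demo_with_argument(0), demo_with_argument(1));
    return 0;
}
```

The practical check this suggests when auditing XPath extension functions: every pop from the value stack can return NULL once an earlier error (an undeclared variable, a type error, a stack underflow) has been flagged on the context, so the pop result and the context's error state must be tested before any field of the popped object is read.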