libxml2/backport-malloc-fail-Fix-null-deref-in-xmlXPathTranslateFunct.patch

From 8583b9f1cdb966315b3caae328f5d9f2c8b65292 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 12 Dec 2023 15:00:44 +0100
Subject: [PATCH] malloc-fail: Fix null deref in xmlXPathTranslateFunction

Short-lived regression.

Reference: https://github.com/GNOME/libxml2/commit/8583b9f1cdb966315b3caae328f5d9f2c8b65292
Conflict: adpat error:

---
 xpath.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/xpath.c b/xpath.c
index 3128efb..a832722 100644
--- a/xpath.c
+++ b/xpath.c
@@ -9330,9 +9330,9 @@ xmlXPathNormalizeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
  */
 void
 xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-    xmlXPathObjectPtr str;
-    xmlXPathObjectPtr from;
-    xmlXPathObjectPtr to;
+    xmlXPathObjectPtr str = NULL;
+    xmlXPathObjectPtr from = NULL;
+    xmlXPathObjectPtr to = NULL;
     xmlBufPtr target;
     int offset, max;
     int ch;
@@ -9347,6 +9347,8 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
     from = valuePop(ctxt);
     CAST_TO_STRING;
     str = valuePop(ctxt);
+    if (ctxt->error != 0)
+        goto error;
 
     target = xmlBufCreate();
     if (target) {
@@ -9388,6 +9390,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
     valuePush(ctxt, xmlXPathCacheNewString(ctxt->context,
 	xmlBufContent(target)));
     xmlBufFree(target);
+error:
     xmlXPathReleaseObject(ctxt->context, str);
     xmlXPathReleaseObject(ctxt->context, from);
     xmlXPathReleaseObject(ctxt->context, to);
-- 
2.33.0
backport upstream patches 2024-05-06 16:07:19 +08:00			`From 8583b9f1cdb966315b3caae328f5d9f2c8b65292 Mon Sep 17 00:00:00 2001`
			`From: Nick Wellnhofer <wellnhofer@aevum.de>`
			`Date: Tue, 12 Dec 2023 15:00:44 +0100`
			`Subject: [PATCH] malloc-fail: Fix null deref in xmlXPathTranslateFunction`

			`Short-lived regression.`

			`Reference: https://github.com/GNOME/libxml2/commit/8583b9f1cdb966315b3caae328f5d9f2c8b65292`
			`Conflict: adpat error:`

			`---`
			`xpath.c \| 9 ++++++---`
			`1 file changed, 6 insertions(+), 3 deletions(-)`

			`diff --git a/xpath.c b/xpath.c`
			`index 3128efb..a832722 100644`
			`--- a/xpath.c`
			`+++ b/xpath.c`
			`@@ -9330,9 +9330,9 @@ xmlXPathNormalizeFunction(xmlXPathParserContextPtr ctxt, int nargs) {`
			`*/`
			`void`
			`xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {`
			`- xmlXPathObjectPtr str;`
			`- xmlXPathObjectPtr from;`
			`- xmlXPathObjectPtr to;`
			`+ xmlXPathObjectPtr str = NULL;`
			`+ xmlXPathObjectPtr from = NULL;`
			`+ xmlXPathObjectPtr to = NULL;`
			`xmlBufPtr target;`
			`int offset, max;`
			`int ch;`
			`@@ -9347,6 +9347,8 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {`
			`from = valuePop(ctxt);`
			`CAST_TO_STRING;`
			`str = valuePop(ctxt);`
			`+ if (ctxt->error != 0)`
			`+ goto error;`

			`target = xmlBufCreate();`
			`if (target) {`
			`@@ -9388,6 +9390,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {`
			`valuePush(ctxt, xmlXPathCacheNewString(ctxt->context,`
			`xmlBufContent(target)));`
			`xmlBufFree(target);`
			`+error:`
			`xmlXPathReleaseObject(ctxt->context, str);`
			`xmlXPathReleaseObject(ctxt->context, from);`
			`xmlXPathReleaseObject(ctxt->context, to);`
			`--`
			`2.33.0`