!58 [sync] PR-55: fix CVE-2024-55549 CVE-2025-24855

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

CVE-2015-9019.patch

@@ -1,9 +1,11 @@
---- a/libexslt/math.c	2017-10-30 15:49:55.000000000 +0800
+diff --git a/libexslt/math.c b/libexslt/math.c
-+++ b/libexslt/math.c	2019-04-18 15:00:54.524000000 +0800
+index 17138b2..c9f9e5a 100644
-@@ -23,6 +23,13 @@
+--- a/libexslt/math.c
- #ifdef HAVE_STDLIB_H
++++ b/libexslt/math.c
+@@ -11,6 +11,13 @@
+ 
+ #include <math.h>
  #include <stdlib.h>
- #endif
 +#ifdef HAVE_UNISTD_H
 +#include <unistd.h>
 +#endif
@@ -14,7 +16,7 @@
  
  #include "exslt.h"
  
-@@ -474,6 +481,20 @@ static double
+@@ -460,6 +467,20 @@ static double
  exsltMathRandom (void) {
      double ret;
      int num;
@@ -35,3 +37,6 @@
  
      num = rand();
      ret = (double)num / (double)RAND_MAX;
+-- 
+2.27.0
+

CVE-2024-55549.patch

@@ -0,0 +1,45 @@
+From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 22fdb758..6532f976 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -147,10 +147,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+  * in case of error
+  */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++    xmlChar *value;
+     int i;
+ 
++    /*
++     * orig can come from a namespace definition on a node which
++     * could be deleted later, for example in xsltParseTemplateContent.
++     * Store the string in stylesheet's dict to avoid use after free.
++     */
++    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++    if (value == NULL)
++        return(-1);
++
+     if (style->exclPrefixMax == 0) {
+         style->exclPrefixMax = 4;
+         style->exclPrefixTab =
+-- 
+GitLab
+

CVE-2025-24855.patch

@@ -0,0 +1,130 @@
+From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+---
+ libxslt/numbers.c   | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa136..741124d1 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+     int amount = 0;
+     xmlBufferPtr pattern;
+     xmlXPathObjectPtr obj;
++    xmlNodePtr oldNode;
+ 
+     pattern = xmlBufferCreate();
+     if (pattern != NULL) {
++        oldNode = context->node;
++
+ 	xmlBufferCCat(pattern, "number(");
+ 	xmlBufferCat(pattern, value);
+ 	xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ 	    xmlXPathFreeObject(obj);
+ 	}
+ 	xmlBufferFree(pattern);
++
++        context->node = oldNode;
+     }
+     return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda..1c8d96e2 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     int oldNsNr;
+     xmlNsPtr *oldNamespaces;
+     xmlNodePtr oldInst;
++    xmlNodePtr oldNode;
+     int oldProximityPosition, oldContextSize;
+ 
+     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         return(0);
+     }
+ 
++    oldNode = ctxt->xpathCtxt->node;
+     oldContextSize = ctxt->xpathCtxt->contextSize;
+     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	ctxt->state = XSLT_STATE_STOPPED;
+ 	ret = 0;
+     }
+-    ctxt->xpathCtxt->nsNr = oldNsNr;
+ 
++    ctxt->xpathCtxt->node = oldNode;
++    ctxt->xpathCtxt->nsNr = oldNsNr;
+     ctxt->xpathCtxt->namespaces = oldNamespaces;
+     ctxt->inst = oldInst;
+     ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     }
+ 
+     oldInst = ctxt->inst;
+-    oldNode = ctxt->node;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	 "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+     ctxt->inst = oldInst;
+-    ctxt->node = oldNode;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f..a20da961 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	return(NULL);
+     }
+ 
+-    oldNode = ctxt->node;
+     oldInst = ctxt->inst;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	    results[i] = NULL;
+ 	}
+     }
+-    ctxt->node = oldNode;
+     ctxt->inst = oldInst;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+-- 
+GitLab
+

Fix-clang-Wconditional-uninitialized-warning-in-libx.patch

@@ -1,28 +0,0 @@
-From 291d190b3d37bfe58efe7328e37a5334c553126b Mon Sep 17 00:00:00 2001
-From: David Kilzer <ddkilzer@apple.com>
-Date: Tue, 7 Jan 2020 15:15:53 -0800
-Subject: [PATCH 10/24] Fix clang -Wconditional-uninitialized warning in
- libxslt/numbers.c
-
-* libxslt/numbers.c:
-(xsltFormatNumberConversion): Initialize `len` to fix warning.
----
- libxslt/numbers.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index 92023f8..7969dc9 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -960,7 +960,7 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
-     xmlChar *nprefix, *nsuffix = NULL;
-     int	    prefix_length, suffix_length = 0, nprefix_length, nsuffix_length;
-     double  scale;
--    int	    j, len;
-+    int	    j, len = 0;
-     int     self_grouping_len;
-     xsltFormatNumberInfo format_info;
-     /*
--- 
-1.8.3.1
-

Fix-clang-Wimplicit-int-conversion-warning.patch

@@ -1,28 +0,0 @@
-From aac4bccdd893713dd058305e385d7f13f94e6add Mon Sep 17 00:00:00 2001
-From: David Kilzer <ddkilzer@apple.com>
-Date: Tue, 7 Jan 2020 15:23:17 -0800
-Subject: [PATCH 11/24] Fix clang -Wimplicit-int-conversion warning
-
-* libxslt/numbers.c:
-(xsltNumberFormatDecimal): Cast `val` to `(xmlChar)` to fix the
-warning.
----
- libxslt/numbers.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index 7969dc9..4cb2125 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -177,7 +177,7 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer,
- 	        i = -1;
- 		break;
- 	    }
--	    *(--pointer) = val;
-+	    *(--pointer) = (xmlChar)val;
- 	}
- 	else {
- 	/*
--- 
-1.8.3.1
-

Fix-double-free-with-stylesheets-containing-entity-n.patch

@@ -1,36 +0,0 @@
-From 3e8bbcdec8d2318ca8ab27a2a4a509a5d9bb2d51 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 2 Feb 2021 04:28:15 +0100
-Subject: [PATCH] Fix double-free with stylesheets containing entity nodes
-
-Fix broken logic to make sure that entity nodes are deleted from the
-stylesheet. Note that stylesheets parsed with XML_PARSE_NOENT, which
-is included in XSLT_PARSE_OPTIONS, aren't affected.
-
-Found by OSS-Fuzz.
----
- libxslt/xslt.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/libxslt/xslt.c b/libxslt/xslt.c
-index 7a1ce01..69116f2 100644
---- a/libxslt/xslt.c
-+++ b/libxslt/xslt.c
-@@ -3656,12 +3656,8 @@ xsltPreprocessStylesheet(xsltStylesheetPtr style, xmlNodePtr cur)
- 	    (!xsltCheckExtURI(style, cur->ns->href))) {
- 	    goto skip_children;
- 	} else if (cur->children != NULL) {
--	    if ((cur->children->type != XML_ENTITY_DECL) &&
--		(cur->children->type != XML_ENTITY_REF_NODE) &&
--		(cur->children->type != XML_ENTITY_NODE)) {
--		cur = cur->children;
--		continue;
--	    }
-+	    cur = cur->children;
-+	    continue;
- 	}
- 
- skip_children:
--- 
-1.8.3.1
-

Fix-implicit-int-conversion-warning-in-exslt-crypto..patch

@@ -1,25 +0,0 @@
-From f235404b13f17d5343b854fe5d459a0c98bbd2d2 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 10 Jan 2020 13:11:45 +0100
-Subject: [PATCH 12/24] Fix implicit-int-conversion warning in exslt/crypto.c
-
----
- libexslt/crypto.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libexslt/crypto.c b/libexslt/crypto.c
-index 621fd90..c6bf34f 100644
---- a/libexslt/crypto.c
-+++ b/libexslt/crypto.c
-@@ -101,7 +101,7 @@ exsltCryptoHex2Bin (const unsigned char *hex, int hexlen,
- 	else if (tmp >= 'a' && tmp <= 'f')
- 	    lo = 10 + (tmp - 'a');
- 
--	result = hi << 4;
-+	result = (unsigned char) (hi << 4);
- 	result += lo;
- 	bin[j++] = result;
-     }
--- 
-1.8.3.1
-

Fix-quadratic-runtime-with-text-and-xsl-message.patch

@@ -1,49 +0,0 @@
-From 4ccc06b56b8b6d39c29932c92cd1ed82f6698d6f Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sun, 20 Sep 2020 15:14:47 +0200
-Subject: [PATCH 33/37] Fix quadratic runtime with text and <xsl:message>
-
-Backup and restore "last text" data in xsltEvalTemplateString.
-Otherwise, optimization of string concatenation would be disabled
-whenever an xsl:message was processed.
-
-Found by OSS-Fuzz.
----
- libxslt/templates.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/libxslt/templates.c b/libxslt/templates.c
-index 48b73a5..4108ed2 100644
---- a/libxslt/templates.c
-+++ b/libxslt/templates.c
-@@ -210,6 +210,8 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt,
- {
-     xmlNodePtr oldInsert, insert = NULL;
-     xmlChar *ret;
-+    const xmlChar *oldLastText;
-+    int oldLastTextSize, oldLastTextUse;
- 
-     if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
-         (inst->type != XML_ELEMENT_NODE))
-@@ -233,12 +235,18 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt,
-     }
-     oldInsert = ctxt->insert;
-     ctxt->insert = insert;
-+    oldLastText = ctxt->lasttext;
-+    oldLastTextSize = ctxt->lasttsize;
-+    oldLastTextUse = ctxt->lasttuse;
-     /*
-     * OPTIMIZE TODO: if inst->children consists only of text-nodes.
-     */
-     xsltApplyOneTemplate(ctxt, contextNode, inst->children, NULL, NULL);
- 
-     ctxt->insert = oldInsert;
-+    ctxt->lasttext = oldLastText;
-+    ctxt->lasttsize = oldLastTextSize;
-+    ctxt->lasttuse = oldLastTextUse;
- 
-     ret = xmlNodeGetContent(insert);
-     if (insert != NULL)
--- 
-1.8.3.1
-

Fix-variable-syntax-in-Python-configuration.patch

@@ -1,50 +0,0 @@
-From b90e1063a83d9c0328d2559cdb6e9455da9747c7 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 10 Jan 2020 12:58:35 +0100
-Subject: [PATCH 08/24] Fix variable syntax in Python configuration
-
-Resolves #30.
----
- configure.ac | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 585b9d7..d676b12 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -272,17 +272,17 @@ except: print 0"`
- 	   -d $with_python/lib/python$PYTHON_VERSION/site-packages
- 	then
- 	    PYTHON_INCLUDES=$with_python/include/python$PYTHON_VERSION
--	    PYTHON_SITE_PACKAGES='$(libdir)/python$(PYTHON_VERSION)/site-packages'
-+	    PYTHON_SITE_PACKAGES=$libdir/python$PYTHON_VERSION/site-packages
- 	else
- 	    if test -r $prefix/include/python$PYTHON_VERSION/Python.h
- 	    then
- 	        PYTHON_INCLUDES=$prefix/include/python$PYTHON_VERSION
--		PYTHON_SITE_PACKAGES='$(libdir)/python$(PYTHON_VERSION)/site-packages'
-+		PYTHON_SITE_PACKAGES=$libdir/python$PYTHON_VERSION/site-packages
- 	    else
- 		if test -r /usr/include/python$PYTHON_VERSION/Python.h
- 		then
- 		    PYTHON_INCLUDES=/usr/include/python$PYTHON_VERSION
--		    PYTHON_SITE_PACKAGES='$(libdir)/python$(PYTHON_VERSION)/site-packages'
-+		    PYTHON_SITE_PACKAGES=$libdir/python$PYTHON_VERSION/site-packages
- 		else
- 		    echo could not find python$PYTHON_VERSION/Python.h
- 		fi
-@@ -296,9 +296,9 @@ except: print 0"`
-     fi
-     if test "$with_python" != ""
-     then
--        pythondir='$(PYTHON_SITE_PACKAGES)'
-+        pythondir=$PYTHON_SITE_PACKAGES
-     else
--        pythondir='$(libdir)/python$(PYTHON_VERSION)/site-packages'
-+        pythondir=$libdir/python$PYTHON_VERSION/site-packages
-     fi
- fi
- AM_CONDITIONAL(WITH_PYTHON, test "$PYTHON_INCLUDES" != "")
--- 
-1.8.3.1
-

libxslt.spec

@@ -1,18 +1,14 @@
 Name:     libxslt
-Version:  1.1.34
+Version:  1.1.37
-Release:  5
+Release:  2
 Summary:  XSLT Transformation Library
 License:  MIT
 URL:      http://xmlsoft.org/libxslt/
 Source0:  https://github.com/GNOME/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM bug-fix https://github.com/GNOME/libxslt/
 Patch0: CVE-2015-9019.patch
-Patch1: Fix-variable-syntax-in-Python-configuration.patch
+Patch1: CVE-2024-55549.patch
-Patch2: Fix-clang-Wconditional-uninitialized-warning-in-libx.patch
+Patch2: CVE-2025-24855.patch
-Patch3: Fix-clang-Wimplicit-int-conversion-warning.patch
-Patch4: Fix-implicit-int-conversion-warning-in-exslt-crypto..patch
-Patch5: Fix-quadratic-runtime-with-text-and-xsl-message.patch
-Patch6: Fix-double-free-with-stylesheets-containing-entity-n.patch
 
 BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27
 
@@ -29,6 +25,24 @@ Requires: libgcrypt-devel libgpg-error-devel
 (or HTML, text, and more) using the standard XSLT stylesheet
 transformation mechanism.
 
+%package -n python3-libxslt
+Summary:Python 3 bindings for %{name}
+BuildRequires:  python3-devel python3-libxml2
+Requires: %{name} = %{version}-%{release}
+Requires: python3-libxml2 >= 2.6.27
+Requires: libxml2 >= 2.6.27
+%{?python_provide:%python_provide python3-%{name}}
+
+%description -n python3-libxslt
+The libxslt-python package contains a module that permits applications
+written in the Python programming language to use the interface
+supplied by the libxslt library to apply XSLT transformations.
+
+This library allows to parse sytlesheets, uses the libxml2-python
+to load and save XML and HTML files. Direct access to XPath and
+the XSLT transformation context are possible to extend the XSLT language
+with XPath functions written in Python.
+
 %package_help
 
 %prep
@@ -46,7 +60,7 @@ autoreconf -vfi
 pushd $RPM_BUILD_ROOT/%{_includedir}/%{name}; touch -m --reference=xslt.h ../../bin/xslt-config;popd
 
 %check
-make check
+%make_build tests
 
 %post
 /sbin/ldconfig
@@ -55,7 +69,7 @@ make check
 
 %files
 %defattr(-,root,root)
-%doc ChangeLog NEWS README FEATURES AUTHORS
+%doc NEWS README FEATURES AUTHORS
 %license Copyright
 %{_bindir}/xsltproc
 %{_libdir}/libxslt.so.*
@@ -67,20 +81,48 @@ make check
 %{_libdir}/libxslt.so
 %{_libdir}/libexslt.so
 %{_libdir}/xsltConf.sh
+%{_libdir}/cmake/libxslt/
 %{_datadir}/aclocal/libxslt.m4
+%{_datadir}/gtk-doc/
 %{_includedir}/libxslt/
 %{_includedir}/libexslt/
 %{_libdir}/pkgconfig/libxslt.pc
 %{_libdir}/pkgconfig/libexslt.pc
 %{_bindir}/xslt-config
 
+%files -n python3-libxslt
+%{python3_sitelib}/libxslt.py*
+%{python3_sitearch}/libxsltmod.so
+%{python3_sitelib}/__pycache__/libxslt*
+
 %files help
-%doc %{_docdir}/%{name}-%{version}
+%doc %{_docdir}/%{name}
 %doc %{_mandir}/man3/*
-%exclude %{_docdir}/%{name}/{ChangeLog,NEWS,README,FEATURES,AUTHORS}
+%exclude %{_docdir}/%{name}/{NEWS,README,FEATURES,AUTHORS}
-%exclude %{_docdir}/../licenses/Copyright
+%exclude %{_docdir}/../licenses/libxslt/Copyright
 
 %changelog
+* Thu Mar 13 2025 Funda Wang <fundawang@yeah.net> - 1.1.37-2
+- fix CVE-2024-55549 CVE-2025-24855
+
+* Sat Nov 05 2022 shixuantong <shixuantong1@huawei.com> - 1.1.37-1
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:upgrade version to 1.1.37
+
+* Fri Jul 01 2022 fuanan <fuanan3@h-partners.com> - 1.1.34-8
+- Type:CVE
+- ID:CVE-2021-30560
+- SUG:NA
+- DESC:fix CVE-2021-30560
+
+* Tue Apr 26 2022 zhangruifang2020 <zhangruifang1@h-partners.com> - 1.1.34-7
+- modify the changelog
+
+* Wed Jan 05 2022 fuanan <fuanan3@huawei.com> - 1.1.34-6
+- Fix test command
+
 * Sat Oct 23 2021 panxiaohe<panxiaohe@huawei.com> - 1.1.34-5
 - Fix double-free with stylesheets containing entity nodes