Fix dyn:map with namespace nodes

exsltDynMapFunction didn't handle namespace nodes correctly. Namespace nodes are actually an xmlNs, not an xmlNode and must be special-cased. The old code initialized the doc pointer in the XPath context struct with a value read from past the end of the xmlNs struct. Typically, this resulted in a segfault. Found with afl-fuzz and ASan.

Fix dyn:map with namespace nodes
f298d3195bce · Nick Wellnhofer · d46f96f0aca4 · f298d319 · f298d319 · f298d319
Commit f298d3195bce authored 9 years ago by Nick Wellnhofer
--- a/libexslt/dynamic.c
+++ b/libexslt/dynamic.c
@@ -167,5 +167,6 @@
        ctxt->context->proximityPosition = 0;
        for (i = 0; i < nodeset->nodeNr; i++) {
            xmlXPathObjectPtr subResult = NULL;
+            xmlNodePtr cur = nodeset->nodeTab[i];

            ctxt->context->proximityPosition++;
@@ -170,7 +171,23 @@

            ctxt->context->proximityPosition++;
-            ctxt->context->node = nodeset->nodeTab[i];
-            ctxt->context->doc = nodeset->nodeTab[i]->doc;
+            ctxt->context->node = cur;
+
+            if (cur->type == XML_NAMESPACE_DECL) {
+                /*
+                * The XPath module sets the owner element of a ns-node on
+                * the ns->next field.
+                */
+                cur = (xmlNodePtr) ((xmlNsPtr) cur)->next;
+                if ((cur == NULL) || (cur->type != XML_ELEMENT_NODE)) {
+                    xsltGenericError(xsltGenericErrorContext,
+                        "Internal error in exsltDynMapFunction: "
+                        "Cannot retrieve the doc of a namespace node.\n");
+                    continue;
+                }
+                ctxt->context->doc = cur->doc;
+            } else {
+                ctxt->context->doc = cur->doc;
+            }

            subResult = xmlXPathCompiledEval(comp, ctxt->context);
            if (subResult != NULL) {

--- a/tests/exslt/dynamic/dynmap.out
+++ b/tests/exslt/dynamic/dynmap.out
@@ -38,4 +38,7 @@
    <exsl:string xmlns:exsl="http://exslt.org/common">without-child</exsl:string>
    <exsl:string xmlns:exsl="http://exslt.org/common">with-child</exsl:string>
  </string>
+  <namespace>
+    <exsl:string xmlns:exsl="http://exslt.org/common">dynmap</exsl:string>
+  </namespace>
 </result>
--- a/tests/exslt/dynamic/dynmap.xsl
+++ b/tests/exslt/dynamic/dynmap.xsl
@@ -18,6 +18,9 @@
 <string>
  <xsl:copy-of select="dyn:map(*, 'name()')"/>
 </string>  
+ <namespace>
+  <xsl:copy-of select="dyn:map(namespace::*, 'name(/*)')"/>
+ </namespace>
 </result> 
 </xsl:template>
 </xsl:stylesheet>