diff options
| author | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-04-30 17:53:10 +0200 |
|---|---|---|
| committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2016-05-05 15:30:00 +0200 |
| commit | 82b73039dc0eed620621cb699b1140c6e0c89cce (patch) | |
| tree | a5c5ba9cef078ca36cb526bd3e4ae9e8cd908224 | |
| parent | 9b4b8cb3e2ff102376f27e3658fad931a31e952a (diff) | |
| download | libxml2-82b73039dc0eed620621cb699b1140c6e0c89cce.tar.gz | |
Fix namespace axis traversal
When the namespace axis is traversed in "toBool" mode, the traversal
can exit early, before visiting all nodes. In this case, the XPath
context still contains a non-NULL tmpNsList.
This means that
- the check when to start a new traversal was wrong and
- the tmpNsList could be leaked.
Fixes bug #750037 and, by accident, bug #756075:
https://bugzilla.gnome.org/show_bug.cgi?id=750037
https://bugzilla.gnome.org/show_bug.cgi?id=756075
| -rw-r--r-- | result/XPath/tests/nssimple | 11 | ||||
| -rw-r--r-- | test/XPath/docs/ns | 4 | ||||
| -rw-r--r-- | test/XPath/tests/nssimple | 1 | ||||
| -rw-r--r-- | xpath.c | 10 |
4 files changed, 22 insertions, 4 deletions
diff --git a/result/XPath/tests/nssimple b/result/XPath/tests/nssimple index ce638111..1f3b2ceb 100644 --- a/result/XPath/tests/nssimple +++ b/result/XPath/tests/nssimple @@ -4,4 +4,13 @@ Expression: /doc/elem/namespace::node()/.. Object is a Node Set : Set contains 1 nodes: 1 ELEMENT elem - namespace ns1 href=ns1 + namespace ns2 href=nsuri2 + +======================== +Expression: //*[namespace::ns1] +Object is a Node Set : +Set contains 2 nodes: +1 ELEMENT doc + namespace ns1 href=nsuri1 +2 ELEMENT elem + namespace ns2 href=nsuri2 diff --git a/test/XPath/docs/ns b/test/XPath/docs/ns index df4789fc..88f45756 100644 --- a/test/XPath/docs/ns +++ b/test/XPath/docs/ns @@ -1,3 +1,3 @@ -<doc> - <elem xmlns:ns1="ns1"/> +<doc xmlns:ns1="nsuri1"> + <elem xmlns:ns2="nsuri2"/> </doc> diff --git a/test/XPath/tests/nssimple b/test/XPath/tests/nssimple index 5f58fc66..2b25587d 100644 --- a/test/XPath/tests/nssimple +++ b/test/XPath/tests/nssimple @@ -1 +1,2 @@ /doc/elem/namespace::node()/.. +//*[namespace::ns1] @@ -8390,7 +8390,7 @@ xmlNodePtr xmlXPathNextNamespace(xmlXPathParserContextPtr ctxt, xmlNodePtr cur) { if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL); if (ctxt->context->node->type != XML_ELEMENT_NODE) return(NULL); - if (ctxt->context->tmpNsList == NULL && cur != (xmlNodePtr) xmlXPathXMLNamespace) { + if (cur == NULL) { if (ctxt->context->tmpNsList != NULL) xmlFree(ctxt->context->tmpNsList); ctxt->context->tmpNsList = @@ -12693,6 +12693,14 @@ error: * Reset the context node. */ xpctxt->node = oldContextNode; + /* + * When traversing the namespace axis in "toBool" mode, it's + * possible that tmpNsList wasn't freed. + */ + if (xpctxt->tmpNsList != NULL) { + xmlFree(xpctxt->tmpNsList); + xpctxt->tmpNsList = NULL; + } #ifdef DEBUG_STEP xmlGenericError(xmlGenericErrorContext, |