Fix the XPath arity check to also check the XPath stack limits
Example xmlXPathNormalizeFunction() would do CHECK_ARITY(1) and the expect valuePop(ctxt); to return an object, except now valuePop() looks at the XPath stack frames and fails returning NULL, and we end up crashing dereferencing the object. Real solution is to exten CHECK_ARITY() and recompile all XPath functions using it.
parent
890faa54
Please register or sign in to comment