Fix XPath stack frame logic Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in xmlXPathCompOpEvalPositionalPredicate to make sure that the context object on the stack is actually protected. Otherwise, memory corruption can occur when calling sloppily coded XPath extension functions. Fixes bug 783160.

commit: 0f3b843b3534784ef57a4f9b874238aa1fda5a73 [log] [tgz]
author: Nick Wellnhofer <wellnhofer@aevum.de> Thu Jun 01 23:12:19 2017 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> Thu Sep 21 17:55:39 2017 +0200
tree: ea50f73f912835632652cfdbc8b3cfe90c6b4af7
parent: 3157cf4e53c03bc3da604472c015c63141907db8 [diff]
diff --git a/xpath.c b/xpath.c
index 9481507..b816bd3 100644
--- a/xpath.c
+++ b/xpath.c

@@ -11932,11 +11932,11 @@
 		}
 	    }
 
-            frame = xmlXPathSetFrame(ctxt);
 	    valuePush(ctxt, contextObj);
+            frame = xmlXPathSetFrame(ctxt);
 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
-            tmp = valuePop(ctxt);
             xmlXPathPopFrame(ctxt, frame);
+            tmp = valuePop(ctxt);
 
 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
                 while (tmp != contextObj) {
commit	0f3b843b3534784ef57a4f9b874238aa1fda5a73	[log] [tgz]
author	Nick Wellnhofer <wellnhofer@aevum.de>	Thu Jun 01 23:12:19 2017 +0200
committer	Nick Wellnhofer <wellnhofer@aevum.de>	Thu Sep 21 17:55:39 2017 +0200
tree	ea50f73f912835632652cfdbc8b3cfe90c6b4af7
parent	3157cf4e53c03bc3da604472c015c63141907db8 [diff]