ext/xsl: discard partially-constructed ns on xmlStrdup failure

iliaal · iliaal · commit 40da71ed0c9b · 2026-04-27T07:54:30.000-04:00
If xmlStrdup fails for either href or prefix in xsl_add_ns_def, the
malformed xmlNs (NULL href, or NULL prefix when one was expected) was
linked into node-&gt;nsDef. Subsequent libxml2 traversal of the namespace
chain dereferenced those NULLs.

On failure, release whichever of href/prefix did allocate, free the
xmlNs, and return without linking it. Matches the existing
xmlMalloc(ns) early-return convention above.
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
@@ -140,6 +140,18 @@ static void xsl_add_ns_def(xmlNodePtr node)
 				ns->type = XML_LOCAL_NAMESPACE;
 				ns->href = should_free ? attr_value : xmlStrdup(attr_value);
 				ns->prefix = attr->ns->prefix ? xmlStrdup(attr->name) : NULL;
+
+				if (UNEXPECTED(ns->href == NULL || (attr->ns->prefix != NULL && ns->prefix == NULL))) {
+					if (ns->href) {
+						xmlFree(ns->href);
+					}
+					if (ns->prefix) {
+						xmlFree(ns->prefix);
+					}
+					xmlFree(ns);
+					return;
+				}
+
 				ns->next = node->nsDef;
 				node->nsDef = ns;
 			}
