Revert "malloc-fail: Avoid use-after-free after unsuccessful valuePush"

This reverts commit 6a12be77c6a94c374ab7476087edcee2ba41d9b4. There's too much code reading ctxt->value directly and making the wrong assumptions.
2025-03-27 18:50:07 +03:00 · 2023-02-24 16:21:17 +01:00 · 2023-02-24 16:21:17 +01:00 · b51478dc95
commit b51478dc95
parent f931178e5f
2 changed files with 2 additions and 11 deletions
--- a/include/libxml/xpathInternals.h
+++ b/include/libxml/xpathInternals.h
@ -273,8 +273,7 @@ XMLPUBFUN void *
 * type.
 */
 #define CHECK_TYPE(typeval)						\
-    if ((ctxt->error != 0) ||						\
-        (ctxt->value == NULL) || (ctxt->value->type != typeval))	\
+    if ((ctxt->value == NULL) || (ctxt->value->type != typeval))	\
        XP_ERROR(XPATH_INVALID_TYPE)

 /**
--- a/xpath.c
+++ b/xpath.c
@ -2881,15 +2881,7 @@ valuePop(xmlXPathParserContextPtr ctxt)
 {
    xmlXPathObjectPtr ret;

-    /*
-     * If a memory allocation failed, it can happen that valuePush doesn't
-     * push a value on the stack. If there's no error check before the
-     * corresponding valuePop call, we would pop an unrelated object which
-     * could lead to use-after-free errors later on. So we don't pop values
-     * if an error was signaled. The stack will be cleaned later in
-     * xmlXPathFreeParserContext.
-     */
-    if ((ctxt == NULL) || (ctxt->valueNr <= 0) || (ctxt->error != 0))
+    if ((ctxt == NULL) || (ctxt->valueNr <= 0))
        return (NULL);

    if (ctxt->valueNr <= ctxt->valueFrame) {