Fix handling of RVTs returned from nested EXSLT functions

Set the context variable to NULL when evaluating EXSLT functions.
Fixes potential use-after-free errors or memory leaks.

Fixes bug 792580. Thanks to Clemens Gutweiler for the report.

https://bugzilla.gnome.org/show_bug.cgi?id=792580

libexslt/functions.c

@@ -292,6 +292,7 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
     exsltFuncFunctionData *func;
     xmlNodePtr paramNode, oldInsert, fake;
     int oldBase;
+    void *oldCtxtVar;
     xsltStackElemPtr params = NULL, param;
     xsltTransformContextPtr tctxt = xsltXPathGetTransformContext(ctxt);
     int i, notSet;
@@ -430,11 +431,14 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
     fake = xmlNewDocNode(tctxt->output, NULL,
 			 (const xmlChar *)"fake", NULL);
     oldInsert = tctxt->insert;
+    oldCtxtVar = tctxt->contextVariable;
     tctxt->insert = fake;
+    tctxt->contextVariable = NULL;
     xsltApplyOneTemplate (tctxt, tctxt->node,
 			  func->content, NULL, NULL);
     xsltLocalVariablePop(tctxt, tctxt->varsBase, -2);
     tctxt->insert = oldInsert;
+    tctxt->contextVariable = oldCtxtVar;
     tctxt->varsBase = oldBase;	/* restore original scope */
     if (params != NULL)
 	xsltFreeStackElemList(params);

tests/docs/bug-209.xml

@@ -0,0 +1 @@
+<doc/>

tests/general/bug-209.out

@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<result/>

tests/general/bug-209.xsl

@@ -0,0 +1,21 @@
+<xsl:stylesheet
+    version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:func="http://exslt.org/functions"
+    extension-element-prefixes="func">
+
+    <xsl:template match="/">
+        <xsl:variable name="v" select="func:a()" />
+        <xsl:copy-of select="$v"/>
+    </xsl:template>
+
+    <func:function name="func:a">
+        <func:result select="func:b()" />
+    </func:function>
+
+    <func:function name="func:b">
+        <func:result>
+            <result/>
+        </func:result>
+    </func:function>
+</xsl:stylesheet>