Fix error handling in Saxon extension functions

The old code could lead to a NULL pointer dereference.

- Set XPath error if saxon:expression can't compile an expression.
- Check return value in saxon:eval.

Add first tests for Saxon extension functions.

Found with afl-fuzz and ASan.

configure.in

@@ -716,6 +716,7 @@ tests/exslt/Makefile
 tests/exslt/common/Makefile
 tests/exslt/functions/Makefile
 tests/exslt/math/Makefile
+tests/exslt/saxon/Makefile
 tests/exslt/sets/Makefile
 tests/exslt/strings/Makefile
 tests/exslt/date/Makefile

libexslt/saxon.c

@@ -101,9 +101,7 @@ exsltSaxonExpressionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 	 ret = xmlXPathCompile(arg);
 	 if (ret == NULL) {
 	      xmlFree(arg);
-	      xsltGenericError(xsltGenericErrorContext,
+              xmlXPathSetError(ctxt, XPATH_EXPR_ERROR);
-			"{%s}:%s: argument is not an XPath expression\n",
-			ctxt->context->functionURI, ctxt->context->function);
 	      return;
 	 }
 	 xmlHashAddEntry(hash, arg, (void *) ret);
@@ -147,6 +145,10 @@ exsltSaxonEvalFunction (xmlXPathParserContextPtr ctxt, int nargs) {
      expr = (xmlXPathCompExprPtr) xmlXPathPopExternal(ctxt);
 
      ret = xmlXPathCompiledEval(expr, ctxt->context);
+     if (ret == NULL) {
+	  xmlXPathSetError(ctxt, XPATH_EXPR_ERROR);
+	  return;
+     }
 
      valuePush(ctxt, ret);
 }

tests/exslt/Makefile.am

@@ -1,6 +1,6 @@
 ## Process this file with automake to produce Makefile.in
 
-SUBDIRS=common functions math sets strings dynamic date $(CRYPTO_TESTDIR)
+SUBDIRS=common functions math saxon sets strings dynamic date $(CRYPTO_TESTDIR)
 
 test tests:
 	@(cur=`pwd` ; for dir in $(SUBDIRS) ; do cd $$dir ; $(MAKE) CHECKER='$(CHECKER)' tests ; cd $$cur ; done)

tests/exslt/saxon/Makefile.am

@@ -0,0 +1,48 @@
+## Process this file with automake to produce Makefile.in
+
+$(top_builddir)/xsltproc/xsltproc:
+	@(cd ../../../xsltproc ; $(MAKE) xsltproc)
+
+EXTRA_DIST = 						\
+	eval.1.out	eval.1.xml	eval.1.xsl	\
+	eval.2.out	eval.2.xml	eval.2.xsl	\
+	eval.3.out	eval.3.xml	eval.3.xsl
+
+CLEANFILES = .memdump
+
+valgrind:
+	@echo '## Running the regression tests under Valgrind'
+	$(MAKE) CHECKER='libtool --mode=execute valgrind -q --leak-check=full' tests
+
+test tests: $(top_builddir)/xsltproc/xsltproc
+	@echo '## Running exslt saxon tests'
+	@(echo > .memdump)
+	@(for i in $(srcdir)/*.xsl ; do \
+	  name=`basename $$i .xsl` ; \
+	  if [ ! -f $(srcdir)/$$name.xml ] ; then continue ; fi ; \
+	  log=`$(CHECKER) $(top_builddir)/xsltproc/xsltproc \
+		$(srcdir)/$$name.xsl $(srcdir)/$$name.xml > $$name.res 2>$$name.bad;\
+	  if [ ! -f $(srcdir)/$$name.out ] ; then \
+		cp $$name.res $(srcdir)/$$name.out ; \
+		if [ -s $$name.bad ] ; then \
+			mv $$name.bad $(srcdir)/$$name.err ; \
+		fi ; \
+	  else \
+		if  [ ! -s $$name.res ] ; then \
+			echo "Fatal error, no $$name.res\n" ; \
+	  	else \
+			diff $(srcdir)/$$name.out $$name.res ; \
+			if [ -s $(srcdir)/$$name.err ] ; then \
+	  			diff $(srcdir)/$$name.err $$name.bad; \
+			else \
+				diff /dev/null $$name.bad; \
+			fi ; \
+		fi ; \
+	  fi; \
+	  grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0" || true`;\
+	  if [ -n "$$log" ] ; then \
+	  	echo $$name result ; \
+		echo "$$log" ; \
+	  fi ; \
+	  rm -f $$name.res $$name.bad ; \
+	  done)

tests/exslt/saxon/eval.1.out

@@ -0,0 +1,4 @@
+<?xml version="1.0"?>
+<results>
+  <result>2</result>
+</results>

tests/exslt/saxon/eval.1.xml

@@ -0,0 +1,3 @@
+<expressions>
+    <expression>1+1</expression>
+</expressions>

tests/exslt/saxon/eval.1.xsl

@@ -0,0 +1,22 @@
+<xsl:stylesheet
+    version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:saxon="http://icl.com/saxon"
+    exclude-result-prefixes="saxon">
+
+<xsl:output indent="yes"/>
+
+<xsl:template match="expressions">
+    <results>
+        <xsl:apply-templates select="*"/>
+    </results>
+</xsl:template>
+
+<xsl:template match="expression">
+    <result>
+        <xsl:value-of select="saxon:eval(saxon:expression(.))"/>
+    </result>
+</xsl:template>
+
+</xsl:stylesheet>
+

tests/exslt/saxon/eval.2.err

@@ -0,0 +1,7 @@
+XPath error : Invalid expression
+###
+^
+XPath error : Invalid expression
+xmlXPathCompiledEval: evaluation failed
+runtime error: file ./eval.2.xsl line 11 element value-of
+XPath evaluation returned no result.

tests/exslt/saxon/eval.2.out

@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<results/>

tests/exslt/saxon/eval.2.xml

@@ -0,0 +1 @@
+<doc/>

tests/exslt/saxon/eval.2.xsl

@@ -0,0 +1,16 @@
+<xsl:stylesheet
+    version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:saxon="http://icl.com/saxon"
+    exclude-result-prefixes="saxon">
+
+<xsl:output indent="yes"/>
+
+<xsl:template match="/">
+    <results>
+        <xsl:value-of select="true() and saxon:expression('###')"/>
+    </results>
+</xsl:template>
+
+</xsl:stylesheet>
+

tests/exslt/saxon/eval.3.err

@@ -0,0 +1,6 @@
+XPath error : Undefined namespace prefix
+xmlXPathCompiledEval: evaluation failed
+XPath error : Invalid expression
+xmlXPathCompiledEval: evaluation failed
+runtime error: file ./eval.3.xsl line 11 element value-of
+XPath evaluation returned no result.

tests/exslt/saxon/eval.3.out

@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<results/>

tests/exslt/saxon/eval.3.xml

@@ -0,0 +1 @@
+<doc/>

tests/exslt/saxon/eval.3.xsl

@@ -0,0 +1,16 @@
+<xsl:stylesheet
+    version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:saxon="http://icl.com/saxon"
+    exclude-result-prefixes="saxon">
+
+<xsl:output indent="yes"/>
+
+<xsl:template match="/">
+    <results>
+        <xsl:value-of select="true() and saxon:eval(saxon:expression('ns:foo'))"/>
+    </results>
+</xsl:template>
+
+</xsl:stylesheet>
+

win32/runtests.py

@@ -68,6 +68,9 @@ runtests("tests/exslt/functions")
 print("## Running exslt math tests")
 runtests("tests/exslt/math")
 
+print("## Running exslt saxon tests")
+runtests("tests/exslt/saxon")
+
 print("## Running exslt sets tests")
 runtests("tests/exslt/sets")