authorSelim Gurun <sgurun@google.com>2011-10-31 14:51:50 -0700
committerSelim Gurun <sgurun@google.com>2011-11-01 14:38:19 -0700
commit82fe084c750cb2e6c839ec8b6aad5e2bb87c14dd (patch)
tree15cd8c278f76a550fd669f5dbc5a5decaf42c0cf
parentf2da8ef9b4e7243c19e295fed847fa897e8230d3 (diff)
downloadlibxml2-ics-mr1-release.tar.gz
Bug: 5533654 Applied a patch from Chrome source code to prevent potential multiple freeing and memory corruption in XPath. This patch will become unnecessary once we pull in new libxml2. The Chrome changes are here: http://codereview.chromium.org/5196003 http://codereview.chromium.org/7508039 Change-Id: I0dd573e2f8e3cfbd1290735e68e44ebb13597482 Signed-off-by: Selim Gurun <sgurun@google.com>
-rw-r--r--patches/XPath_freeing_error.patch30
-rw-r--r--xpath.c15
2 files changed, 40 insertions, 5 deletions
diff --git a/patches/XPath_freeing_error.patch b/patches/XPath_freeing_error.patch
new file mode 100644
index 00000000..8c94a188
--- /dev/null
+++ b/patches/XPath_freeing_error.patch
@@ -0,0 +1,30 @@
+This patch fixes security problems described in issue 5533654. Since the original fixes in libxml2 includes multiple amendments and are somewhat larger in scope, we limit the fix to just this particular issue to play it safe.
+The patch does what Chrome does to fix it.
+
+Eventually, when we upgrade libxml2 library, the patch will be unnecessary.
+
+
+--- a/xpath.c 2011-10-31 14:31:20.201049035 -0700
++++ b/xpath.c 2011-11-01 13:50:00.751736494 -0700
+@@ -11736,11 +11736,16 @@
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ xmlXPathObjectPtr tmp;
+- /* pop the result */
+- tmp = valuePop(ctxt);
+- xmlXPathReleaseObject(xpctxt, tmp);
+- /* then pop off contextObj, which will be freed later */
+- valuePop(ctxt);
++ /* pop the result if any */
++ tmp = valuePop(ctxt);
++ while (tmp != contextObj) {
++ /*
++ * Free up the result
++ * then pop off contextObj, which will be freed later
++ */
++ xmlXPathReleaseObject(xpctxt, tmp);
++ tmp = valuePop(ctxt);
++ }
+ goto evaluation_error;
+ }
+
diff --git a/xpath.c b/xpath.c
index 2edf7912..4783c0ef 100644
--- a/xpath.c
+++ b/xpath.c
@@ -11736,11 +11736,16 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
xmlXPathObjectPtr tmp;
- /* pop the result */
- tmp = valuePop(ctxt);
- xmlXPathReleaseObject(xpctxt, tmp);
- /* then pop off contextObj, which will be freed later */
- valuePop(ctxt);
+ /* pop the result if any */
+ tmp = valuePop(ctxt);
+ while (tmp != contextObj) {
+ /*
+ * Free up the result
+ * then pop off contextObj, which will be freed later
+ */
+ xmlXPathReleaseObject(xpctxt, tmp);
+ tmp = valuePop(ctxt);
+ }
goto evaluation_error;
}
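Review bot: The cleanup loop introduced at `while (tmp != contextObj)` has no stop condition for the case where `contextObj` is not (or no longer) on the value stack: once the stack is empty `valuePop` returns NULL (assuming it behaves as libxml2's `valuePop` does on an empty stack — not visible in this hunk), `tmp` then never equals `contextObj`, and the loop spins forever releasing NULL. The form upstream libxml2 settled on for this fix guards both conditions in one place: `while (((tmp = valuePop(ctxt)) != NULL) && (tmp != contextObj)) { xmlXPathReleaseObject(xpctxt, tmp); }`, which also removes the separate pre-loop pop. The same loop is recorded verbatim in patches/XPath_freeing_error.patch and should be kept in sync with whatever lands here. xmlXPathCompOpEvalPositionalPredicate starts and ends outside this hunk, including the `evaluation_error` label it jumps to.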