Custom xpath function segfault #634

Closed
flavorjones opened this issue Mar 16, 2012 · 4 comments
Labels
topic/memory Segfaults, memory leaks, valgrind testing, etc.


@flavorjones
Member

Reported by Andrew Crump on the nokogiri-talk mailing list:

Hi code-crunching robots,

This code using a custom xpath function returns the matching nodes on
1.5.0 but segfaults for me in 1.5.1 and 1.5.2:
https://gist.github.com/2040448

Thanks,

Andrew.

@flavorjones
Member Author

Valgrind sez:

==5529== Memcheck, a memory error detector
==5529== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==5529== Using Valgrind-3.6.1-Debian and LibVEX; rerun with -h for copyright info
==5529== Command: ruby ./foo.rb
==5529== 
==5529== Invalid read of size 8
==5529==    at 0x7FC8726: Nokogiri_wrap_xml_node_set (xml_node_set.c:430)
==5529==    by 0x7FC9450: ruby_funcall (xml_xpath_context.c:94)
==5529==    by 0x86B3E78: ??? (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x86B1545: ??? (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x86B1834: ??? (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x86B26C4: ??? (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x86B3421: ??? (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x86B3D6E: ??? (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x86B55EB: ??? (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x86B5E8C: xmlXPathEvalExpression (in /usr/lib/libxml2.so.2.7.8)
==5529==    by 0x7FC903C: evaluate (xml_xpath_context.c:226)
==5529==    by 0x4E68E0E: rb_call0 (eval.c:5778)
==5529==    by 0x4E6908E: rb_call (eval.c:6176)
==5529==    by 0x4E6E37A: rb_eval (eval.c:3506)
==5529==    by 0x4E66DD1: rb_yield_0 (eval.c:5095)
==5529==    by 0x4E4B3C8: rb_ary_collect (array.c:1838)
==5529==    by 0x4E68DF1: rb_call0 (eval.c:5781)
==5529==    by 0x4E6908E: rb_call (eval.c:6176)
==5529==    by 0x4E6E37A: rb_eval (eval.c:3506)
==5529==    by 0x4E71D3E: rb_eval (eval.c:3236)
==5529==    by 0x4E6FAB0: rb_eval (eval.c:3691)
==5529==    by 0x4E68432: rb_call0 (eval.c:6079)
==5529==    by 0x4E6908E: rb_call (eval.c:6176)
==5529==    by 0x4E6E37A: rb_eval (eval.c:3506)
==5529==    by 0x4E6E44E: rb_eval (eval.c:3516)
==5529==    by 0x4E75008: ruby_exec_internal (eval.c:1654)
==5529==    by 0x4E75054: ruby_exec (eval.c:1674)
==5529==    by 0x4E77C01: ruby_run (eval.c:1684)
==5529==    by 0x400768: main (main.c:48)
==5529==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==5529== 
/home/mike/.rvm/gems/ruby-1.8.7-p357/gems/nokogiri-1.5.2/lib/nokogiri/xml/node.rb:159: [BUG] Segmentation fault
ruby 1.8.7 (2011-12-28 patchlevel 357) [x86_64-linux]

==5529== 
==5529== HEAP SUMMARY:
==5529==     in use at exit: 7,175,174 bytes in 47,450 blocks
==5529==   total heap usage: 145,239 allocs, 97,789 frees, 120,555,116 bytes allocated
==5529== 
==5529== LEAK SUMMARY:
==5529==    definitely lost: 0 bytes in 0 blocks
==5529==    indirectly lost: 0 bytes in 0 blocks
==5529==      possibly lost: 1,656 bytes in 32 blocks
==5529==    still reachable: 7,173,518 bytes in 47,418 blocks
==5529==         suppressed: 0 bytes in 0 blocks
==5529== Rerun with --leak-check=full to see details of leaked memory
==5529== 
==5529== For counts of detected and suppressed errors, rerun with: -v
==5529== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aborted

@flavorjones
Member Author

Testing fix.

@tenderlove
Member

Looks like the node set is null. How about:

diff --git a/ext/nokogiri/xml_node_set.c b/ext/nokogiri/xml_node_set.c
index 155e76e..fe608a8 100644
--- a/ext/nokogiri/xml_node_set.c
+++ b/ext/nokogiri/xml_node_set.c
@@ -425,7 +425,7 @@ VALUE Nokogiri_wrap_xml_node_set(xmlNodeSetPtr node_set, VALUE document)
     rb_funcall(document, decorate, 1, new_set);
   }

-  if (node_set->nodeTab) {
+  if (node_set && node_set->nodeTab) {
     for (i = 0; i < node_set->nodeNr; i++) {
       cur = node_set->nodeTab[i];
       if (cur && cur->type == XML_NAMESPACE_DECL)
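
Review bot: the NULL test at `if (node_set && node_set->nodeTab)` comes after `rb_funcall(document, decorate, 1, new_set);`, so new_set has already been built and decorated by the time node_set is checked, and the function still hands back a set when node_set is NULL. The lines that construct new_set are outside this hunk; if they store node_set inside it, later NodeSet methods would meet the same NULL pointer that the Valgrind trace above reports as the invalid read at address 0x8. Consider handling NULL once at the top of Nokogiri_wrap_xml_node_set (for example by substituting an empty set from xmlXPathNodeSetCreate(NULL)) or in the caller, ruby_funcall, and add a regression test with a custom XPath function that reaches this path.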

@acrmp

acrmp commented Mar 16, 2012

Thanks!

@flavorjones flavorjones added the topic/memory Segfaults, memory leaks, valgrind testing, etc. label Feb 2, 2020