Re: BUG #18943: Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177 without checking for NUL

On Sun, Jun 01, 2025 at 07:05:25PM +0000, PG Bug reporting form wrote:
> Return value of a function 'xmlBufferCreate' is dereferenced at xpath.c:177
> without checking for NULL, but it is usually checked for this function.
> The function 'xmlBufferCreate' may return NULL, and in some cases the code
> xmlStrdup(buf->content) will throw an error.

Hmm. There are quite a few things going on here, because xpath.c
lacks in a couple of code paths a PgXmlErrorContext and we need
TRY/CATCH blocks to be able to free any memory allocated in the
context of libxml. I think that this means a couple of calls to
pg_xml_init() and pg_xml_done() calls painted in the right places.

Another one is pgxml_result_to_text(). As cstring_to_text() does a
palloc(), it could be possible that we miss the allocation done for
xpresstr().

While going through the code, xslt_process() is actually a bit
incorrect with the handling of resstr? If the palloc() used for the
result fails, we would lose the xmlFree() for resstr, meaning that
we'd better call cstring_to_text_with_len() in the try/catch block.

With all that, I get the attached.

Thoughts or comments?
--
Michael