From: Andrey Chernyy <andrey.cherny@tantorlabs.com>
Date: Fri, 5 Jun 2026 02:43:39 +0300
Subject: [PATCH] xml2: Fix stylesheet document leak in xslt_process()

xslt_process() parses the stylesheet text into an xmlDoc before passing it
to xsltParseStylesheetDoc().  On success, the returned stylesheet owns
that document and frees it through xsltFreeStylesheet().

On failure, libxslt leaves the caller responsible for the xmlDoc, as
shown by its own xsltParseStylesheetFile() wrapper.  Keep tracking the
stylesheet document until ownership has been transferred so the error
cleanup path can free it.
---
 contrib/xml2/xslt_proc.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/contrib/xml2/xslt_proc.c b/contrib/xml2/xslt_proc.c
index 8ceb8c46494..b83d28fe579 100644
--- a/contrib/xml2/xslt_proc.c
+++ b/contrib/xml2/xslt_proc.c
@@ -55,6 +55,7 @@ xslt_process(PG_FUNCTION_ARGS)
 	PgXmlErrorContext *xmlerrcxt;
 	volatile xsltStylesheetPtr stylesheet = NULL;
 	volatile xmlDocPtr doctree = NULL;
+	volatile xmlDocPtr ssdoc = NULL;
 	volatile xmlDocPtr restree = NULL;
 	volatile xsltSecurityPrefsPtr xslt_sec_prefs = NULL;
 	volatile xsltTransformContextPtr xslt_ctxt = NULL;
@@ -78,7 +79,6 @@ xslt_process(PG_FUNCTION_ARGS)
 
 	PG_TRY();
 	{
-		xmlDocPtr	ssdoc;
 		bool		xslt_sec_prefs_error;
 		int			reslen = 0;
 
@@ -100,8 +100,13 @@ xslt_process(PG_FUNCTION_ARGS)
 			xml_ereport(xmlerrcxt, ERROR, ERRCODE_INVALID_XML_DOCUMENT,
 						"error parsing stylesheet as XML document");
 
-		/* After this call we need not free ssdoc separately */
+		/*
+		 * On success, the stylesheet owns ssdoc.  On failure, libxslt leaves
+		 * the caller responsible for freeing ssdoc.
+		 */
 		stylesheet = xsltParseStylesheetDoc(ssdoc);
+		if (stylesheet != NULL)
+			ssdoc = NULL;
 
 		if (stylesheet == NULL || pg_xml_error_occurred(xmlerrcxt))
 			xml_ereport(xmlerrcxt, ERROR, ERRCODE_INVALID_ARGUMENT_FOR_XQUERY,
@@ -167,6 +172,8 @@ xslt_process(PG_FUNCTION_ARGS)
 			xsltFreeSecurityPrefs(xslt_sec_prefs);
 		if (stylesheet != NULL)
 			xsltFreeStylesheet(stylesheet);
+		if (ssdoc != NULL)
+			xmlFreeDoc(ssdoc);
 		if (doctree != NULL)
 			xmlFreeDoc(doctree);
 		if (resstr != NULL)
-- 
2.54.0


--MP_/JNWBJ4_fkREZAfM76xZSan6--