Fix harmless memory error in generate-id.

BUG=140368
Review URL: https://chromiumcodereview.appspot.com/10823168

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@149998 0039d316-1c4b-4281-b951-d872f2087c98

third_party/libxml/README.chromium

@@ -30,6 +30,7 @@ Modifications:
 - Add a tweak to limit problems caused by excessive strings and buffers.
 - Change the xmlNs struct a little bit, so it looks like it has no children
 if treated as a generic xmlNode object.
+- Fix pretty harmless use-after-free in generate-id function.
 
 To import a new snapshot of libxml:
 

third_party/libxslt/libxslt/functions.c

@@ -654,6 +654,7 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 void
 xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
     xmlNodePtr cur = NULL;
+    xmlXPathObjectPtr obj = NULL;
     long val;
     xmlChar str[30];
     xmlDocPtr doc;
@@ -661,7 +662,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
     if (nargs == 0) {
 	cur = ctxt->context->node;
     } else if (nargs == 1) {
-	xmlXPathObjectPtr obj;
 	xmlNodeSetPtr nodelist;
 	int i, ret;
 
@@ -684,7 +684,6 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
 	    if (ret == -1)
 	        cur = nodelist->nodeTab[i];
 	}
-	xmlXPathFreeObject(obj);
     } else {
 	xsltTransformError(xsltXPathGetTransformContext(ctxt), NULL, NULL,
 		"generate-id() : invalid number of args %d\n", nargs);
@@ -707,6 +706,9 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
 
     }
 
+    if (obj)
+        xmlXPathFreeObject(obj);
+
     val = (long)((char *)cur - (char *)doc);
     if (val >= 0) {
       sprintf((char *)str, "idp%ld", val);