From 0a1271eb36a11aea2345e9790c55454d573c8257 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Mon, 27 Apr 2026 07:54:30 -0400
Subject: [PATCH] ext/xsl: discard partially-constructed ns on xmlStrdup failure If xmlStrdup fails for either href or prefix in xsl_add_ns_def, the malformed xmlNs (NULL href, or NULL prefix when one was expected) was linked into node->nsDef. Subsequent libxml2 traversal of the namespace chain dereferenced those NULLs. Free the xmlNs via xmlFreeNs and return without linking it.
---
 ext/xsl/xsltprocessor.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
index 71971332a251..2c0b04082029 100644
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@@ -140,6 +140,12 @@ static void xsl_add_ns_def(xmlNodePtr node)
 ns->type = XML_LOCAL_NAMESPACE;
 ns->href = should_free ? attr_value : xmlStrdup(attr_value);
 ns->prefix = attr->ns->prefix ? xmlStrdup(attr->name) : NULL;
+
+ if (UNEXPECTED(ns->href == NULL || (attr->ns->prefix != NULL && ns->prefix == NULL))) {
+ xmlFreeNs(ns);
+ return;
+ }
+
 ns->next = node->nsDef;
 node->nsDef = ns;
 }
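Review bot: The new early `return` in xsl_add_ns_def drops the failed namespace silently, and because the function is `void` the caller cannot tell that the node's nsDef list is incomplete. Under memory pressure the transform would presumably continue with missing namespace declarations rather than fail. The function begins and ends outside the hunk, so whatever work follows these lines is abandoned at that point too; if that is intended it deserves a comment, otherwise consider reporting the failure to the caller so the stylesheet import can be aborted. The cleanup itself looks right, but the ownership is not obvious: a comment such as `/* xmlFreeNs() releases href (which owns attr_value when should_free is set) and prefix */` above the call would show that nothing leaks or is freed twice.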