Highlights
Memory Corruption: 18 prior fixes. Scrutinize any change in this area.
libxslt/transform.c: most-fixed (22 issues). Treat as high-risk during review.
56 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Use After Free: Frequent memory lifetime mismatches occur when temporary node structures, text-node dictionaries, and Result Tree Fragments (RVTs) are freed or detached. Unsynchronized references are retained on the transform context stack, causing severe memory corruption.
Path Traversal: Flaws in security callback checks (such as verifying file reads and writes) often bypassed policies due to lack of scheme separation checks, Windows drive-letter parsing issues, or passing partial/unparsed paths instead of full URLs to validation functions.
Type Confusion: XPath iterator callbacks and formatting routines regularly access nodes (such as namespace nodes or attributes) using incorrect cast structures, causing out-of-bounds pointer reads and memory corruption due to layout mismatches between structs.