
Re: [xml] stack corruption (2.5.4)



On Wed, Apr 30, 2003 at 04:02:27PM +0100, Gary Pennington sun com wrote:
> On Wed, Apr 30, 2003 at 03:55:43PM +0100, Gary Pennington sun com wrote:
> > Ok, we've got a reproducible test case and I have some information.
> > 
> > If we apply the patch you sent out, then the stack corruption problem
> > disappears but we get a core dump when the document is freed.
> > 
> > This problem is caused by the following line in the patch:
> > 
> > 	ret->doc = NULL;
> > 
> > This will set the external subset of the document to have a null pointer.
> > 
> > In xmlUnlinkNode(), the following line causes the SIGSEGV:
> > 
> >     if (cur->type == XML_DTD_NODE) {
> > 	xmlDocPtr doc;
> > 	doc = cur->doc;
> > 	if (doc->intSubset == (xmlDtdPtr) cur)
> >             doc->intSubset = NULL;
> > 	 if (doc->extSubset == (xmlDtdPtr) cur) <== SIGSEGV HERE
> 
> Oops, I of course meant SIGSEGV on the above line.

  Okay, that's a libxml2 bug too. It gets a pointer and dereferences it
without checking it first against NULL; that part should really be:

    if (cur->type == XML_DTD_NODE) {
        xmlDocPtr doc;
        doc = cur->doc;
        if (doc != NULL) {
            if (doc->intSubset == (xmlDtdPtr) cur)
                doc->intSubset = NULL;
            if (doc->extSubset == (xmlDtdPtr) cur)
                doc->extSubset = NULL;
        }
    }

  thanks for spotting this.

Daniel

-- 
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
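A stand-alone C model of the two cases discussed in this thread, written as an added example and not taken from libxml2: the struct layout is a constructed stand-in for xmlDoc/xmlDtd (only the field names quoted above are kept), and `unlink_dtd` and the two `scenario_*` helpers are assumed names.

```c
#include <stddef.h>

/* Constructed minimal model of the structures involved. Field names follow
 * the ones quoted in the thread; the layout is NOT libxml2's real xmlDoc/xmlDtd. */
typedef enum { NODE_ELEMENT, NODE_DTD } node_type;
struct doc;
typedef struct dtd {
    node_type type;
    struct doc *doc;   /* back-pointer; NULL after the earlier "ret->doc = NULL" */
} dtd;
typedef struct doc {
    dtd *intSubset;
    dtd *extSubset;
} doc;

/* Hardened unlink logic from the reply: only touch the document's subset
 * pointers when the DTD actually has an owning document.
 * Returns 1 if a back-pointer was cleared, 0 otherwise. */
int unlink_dtd(dtd *cur)
{
    int cleared = 0;
    if (cur->type == NODE_DTD) {
        doc *d = cur->doc;
        if (d != NULL) {            /* the missing check that caused the SIGSEGV */
            if (d->intSubset == cur) { d->intSubset = NULL; cleared = 1; }
            if (d->extSubset == cur) { d->extSubset = NULL; cleared = 1; }
        }
    }
    return cleared;
}

/* Case from the thread: an external subset whose doc pointer is NULL.
 * The unguarded version dereferences NULL here; the guarded one returns 0. */
int scenario_orphaned_extsubset(void)
{
    dtd ext = { NODE_DTD, NULL };
    return unlink_dtd(&ext);
}

/* Normal case: the DTD is the document's internal subset. After unlinking,
 * the document must no longer point at it, otherwise freeing the document
 * would follow a stale pointer. Returns 1 on success. */
int scenario_attached_intsubset(void)
{
    doc d = { NULL, NULL };
    dtd internal = { NODE_DTD, &d };
    d.intSubset = &internal;
    int cleared = unlink_dtd(&internal);
    return cleared == 1 && d.intSubset == NULL && d.extSubset == NULL;
}
```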


