Re: [xml] Patch for Double Free in xmlNewEntityInputStream(parserInternals.c)
- From: Daniel Veillard <veillard redhat com>
- To: Ashwin <ashwins huawei com>
- Cc: xml gnome org, ranjit huawei com
- Subject: Re: [xml] Patch for Double Free in xmlNewEntityInputStream(parserInternals.c)
- Date: Tue, 29 Apr 2008 02:49:37 -0400
On Tue, Apr 29, 2008 at 09:53:39AM +0800, Ashwin wrote:
>
> > It's surprising because that call is used quite frequently, e.g. in
> > the regression tests, but the entity URI is always NULL which is why this
> > was never raised during any of the existing tests...
> > I applied and committed a version based on your patch,
>
> Hi,
> Yes, it will not be NULL in a very weird case, somewhat similar to the
> one for which there was a fix recently (SVN 3713). Suppose you have an XML
> document with an external subset. In the external subset a parameter
> entity (say E1) is defined whose replacement text is external using SYSTEM.
> Then in the external subset you have another PE (E2) whose replacement text
> is E1; in this case entity->URI will not be NULL and would lead to a double
> free...
>
> An extremely weird scenario!!! I don't think anyone would be twisted enough
> to use PEs that way....
If you could provide a set of data, I think this is weird enough
that this should be added to the test suite to avoid tripping on this
later,
thanks !
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard redhat com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
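
A simplified model of the failure discussed in this thread, added here as an example and not taken from libxml2 or from the patch: it assumes the input stream's filename borrowed the entity's URI pointer, which the thread does not show. The struct and function names are hypothetical; the model shows why a NULL URI hides the problem (releasing NULL is a no-op) and how giving the stream its own copy avoids it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the parser's entity and input-stream objects. */
typedef struct { char *uri; } entity_t;
typedef struct { char *filename; } input_t;

#define MAX_TRACKED 8
static void *released[MAX_TRACKED];
static int n_released, double_frees;

/* free() stand-in: counts a second release of the same pointer instead of
 * performing it. Like free(), it ignores NULL. */
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    if (n_released < MAX_TRACKED)
        released[n_released++] = p;  /* real free() deferred to run_case() */
}

static char *dup_str(const char *s) {
    if (s == NULL) return NULL;
    char *d = malloc(strlen(s) + 1);
    if (d != NULL) strcpy(d, s);
    return d;
}

/* Creates an input stream for an entity, tears both down, and returns the
 * number of double frees observed. copy_uri = 0 models the assumed bug
 * (shared pointer); copy_uri = 1 gives the stream a private copy. */
int run_case(const char *uri, int copy_uri) {
    entity_t ent = { dup_str(uri) };
    input_t in;
    in.filename = copy_uri ? dup_str(ent.uri) : ent.uri;
    n_released = double_frees = 0;
    tracked_free(in.filename);  /* input stream teardown */
    tracked_free(ent.uri);      /* entity teardown */
    for (int i = 0; i < n_released; i++) free(released[i]);
    return double_frees;
}

int main(void) {
    const char *uri = "constructed/e1.ent";  /* constructed sample value */
    printf("NULL URI, shared pointer: %d double free(s)\n", run_case(NULL, 0));
    printf("set URI,  shared pointer: %d double free(s)\n", run_case(uri, 0));
    printf("set URI,  private copy:   %d double free(s)\n", run_case(uri, 1));
    return 0;
}
```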