[libxml2] Set doc on element obtained from freeElems

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Set doc on element obtained from freeElems
Date: Thu, 22 Nov 2018 15:37:05 +0000 (UTC)

commit 1567b55b72b8366ce120ed042e03ed5b50d191d7
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Thu Nov 22 14:28:58 2018 +0100

    Set doc on element obtained from freeElems
    
    In commit 8c9daf79, a call to xmlFreeNode was added in
    xmlSAX2StartElementNs. If a node was obtained from the freeElems list,
    make sure to set the doc, otherwise xmlFreeNode wouldn't realize that
    the node name might be in the dictionary, causing an invalid free.
    
    Note that the issue fixed in commit 8c9daf79 requires commit 0ed6addb
    and this one to work properly.
    
    Found by OSS-Fuzz.

 SAX2.c | 1 +
 1 file changed, 1 insertion(+)
---
diff --git a/SAX2.c b/SAX2.c
index ac3ab19a..7642501a 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -2261,6 +2261,7 @@ xmlSAX2StartElementNs(void *ctx,
        ctxt->freeElems = ret->next;
        ctxt->freeElemsNr--;
        memset(ret, 0, sizeof(xmlNode));
+        ret->doc = ctxt->myDoc;
        ret->type = XML_ELEMENT_NODE;
 
        if (ctxt->dictNames)

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]