[libxml2] Fix use-after-free in xmlTextReaderFreeNodeList
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix use-after-free in xmlTextReaderFreeNodeList
- Date: Thu, 26 Sep 2019 09:30:39 +0000 (UTC)
commit 664f881008f40356c0502c8cc154e17e3c80e353
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Thu Sep 26 11:01:58 2019 +0200
Fix use-after-free in xmlTextReaderFreeNodeList
Recent commit 1fbcf40 caused a use-after-free read because it didn't
account for the fact that xmlTextReaderFreeDoc frees entities before
freeing entity references via xmlTextReaderFreeNodeList.
Found by OSS-Fuzz.
xmlreader.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
---
diff --git a/xmlreader.c b/xmlreader.c
index 9229c18c..b505f16e 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -367,10 +367,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
return;
}
while (1) {
- while ((cur->children != NULL) &&
- (cur->children->parent == cur) &&
- (cur->type != XML_DTD_NODE) &&
- (cur->type != XML_ENTITY_REF_NODE)) {
+ while ((cur->type != XML_DTD_NODE) &&
+ (cur->type != XML_ENTITY_REF_NODE) &&
+ (cur->children != NULL) &&
+ (cur->children->parent == cur)) {
cur = cur->children;
depth += 1;
}
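Review bot: The reordered `while` condition now depends on short-circuit evaluation for memory safety, and nothing in the code says so. The two `cur->type` tests have to run before `cur->children` and `cur->children->parent` are read, because, per the commit message, xmlTextReaderFreeDoc has already freed the entities by the time xmlTextReaderFreeNodeList reaches an entity reference node. A later cleanup that puts the NULL check first again would silently reintroduce the use-after-free read. Suggest a short comment above the loop stating that the type checks must come first and why. The diffstat also shows only xmlreader.c changing, so consider adding the OSS-Fuzz reproducer as a regression test.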