[libxml2] Revert "Fix quadratic runtime in xi:fallback processing"

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Revert "Fix quadratic runtime in xi:fallback processing"
Date: Wed, 19 Aug 2020 12:00:48 +0000 (UTC)

commit 19cae17f5a2acfbd5554d145bb87cd6bf2de244f
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Aug 19 13:07:28 2020 +0200

    Revert "Fix quadratic runtime in xi:fallback processing"
    
    This reverts commit 27119ec33c9f6b9830efa1e0da0acfa353dfa55a.
    
    Not copying fallback children didn't fix up namespaces and could lead
    to use-after-free errors.
    
    Found by OSS-Fuzz.

 xinclude.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
---
diff --git a/xinclude.c b/xinclude.c
index 3c810ca14..90245355e 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -1984,7 +1984,8 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) {
            ret = -1;
        xmlXIncludeFreeContext(newctxt);
 
-       ctxt->incTab[nr]->inc = fallback->children;
+       ctxt->incTab[nr]->inc = xmlDocCopyNodeList(ctxt->doc,
+                                                  fallback->children);
     } else {
         ctxt->incTab[nr]->inc = NULL;
     }
@@ -2240,6 +2241,12 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) {
         if (ctxt->incTab[nr]->fallback)
             xmlUnsetProp(cur, BAD_CAST "href");
        cur->type = XML_XINCLUDE_START;
+        /* Remove fallback children */
+        for (child = cur->children; child != NULL; child = next) {
+            next = child->next;
+            xmlUnlinkNode(child);
+            xmlFreeNode(child);
+        }
        end = xmlNewDocNode(cur->doc, cur->ns, cur->name, NULL);
        if (end == NULL) {
            xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref,
@@ -2255,17 +2262,11 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) {
         * Add the list of nodes
         */
        while (list != NULL) {
-           next = list->next;
-           xmlAddPrevSibling(end, list);
-           list = next;
-       }
+           cur = list;
+           list = list->next;
 
-        /* Remove fallback node */
-        for (child = cur->children; child != NULL; child = next) {
-            next = child->next;
-            xmlUnlinkNode(child);
-            xmlFreeNode(child);
-        }
+           xmlAddPrevSibling(end, cur);
+       }
     }

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]