[libxml2] Fix double free in XML reader with XIncludes

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Fix double free in XML reader with XIncludes
Date: Tue, 25 Aug 2020 22:29:56 +0000 (UTC)

commit ba589adc2f86c6be9ad7e0d771d4c9b09d059b89
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Tue Aug 25 23:50:39 2020 +0200

    Fix double free in XML reader with XIncludes
    
    An XInclude with empty fallback could lead to a double free in
    xmlTextReaderRead.
    
    Found by OSS-Fuzz.

 xmlreader.c | 2 ++
 1 file changed, 2 insertions(+)
---
diff --git a/xmlreader.c b/xmlreader.c
index 6ae6e9229..1ab15ba7a 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -1491,6 +1491,8 @@ get_next_node:
             (reader->node->prev->type != XML_DTD_NODE)) {
            xmlNodePtr tmp = reader->node->prev;
            if ((tmp->extra & NODE_IS_PRESERVED) == 0) {
+                if (oldnode == tmp)
+                    oldnode = NULL;
                xmlUnlinkNode(tmp);
                xmlTextReaderFreeNode(reader, tmp);
            }

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]