[libxml2] Fix use-after-free with `xmllint --xinclude --dropdtd`



commit 1098c30a040e72a4654968547f415be4e4c40fe7
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Thu Apr 22 19:26:28 2021 +0200

    Fix use-after-free with `xmllint --xinclude --dropdtd`
    
    The --dropdtd option can leave dangling pointers in entity reference
    nodes. Make sure to skip these nodes when processing XIncludes.
    
    This also avoids scanning entity declarations and even modifying
    them inadvertently during XInclude processing.
    
    Move from a block list to an allow list approach to avoid descending
    into other node types that can't contain elements.
    
    Fixes #237.

 xinclude.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
---
diff --git a/xinclude.c b/xinclude.c
index 1636caff..b2e6ea13 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -2430,9 +2430,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree,
             ctxt->incTotal++;
             xmlXIncludePreProcessNode(ctxt, cur);
         } else if ((cur->children != NULL) &&
-                   (cur->children->type != XML_ENTITY_DECL) &&
-                   (cur->children->type != XML_XINCLUDE_START) &&
-                   (cur->children->type != XML_XINCLUDE_END)) {
+                   ((cur->type == XML_DOCUMENT_NODE) ||
+                    (cur->type == XML_ELEMENT_NODE))) {
             cur = cur->children;
             continue;
         }
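Review bot: the removed condition reads `cur->children->type` before anything has established what kind of node `cur` is, so for an entity reference node whose `children` pointer dangles after `--dropdtd` the guard itself is the use-after-free; the replacement tests `cur->type` first and only follows `children` for XML_DOCUMENT_NODE and XML_ELEMENT_NODE, which closes that path. Two consequences of the new allow list are worth a comment or a confirmation: a document node of another type that can still hold elements (XML_HTML_DOCUMENT_NODE, for example) is no longer descended into here, and the XML_XINCLUDE_START/XML_XINCLUDE_END checks are gone, so an element whose first child is an already-expanded include is now entered, which is only safe if the rest of the loop tolerates revisiting those marker nodes. A one-line comment above the condition saying that the parent's type is checked precisely so that `cur->children` is never dereferenced for entity references would spare the next reader the same reasoning.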

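The commit message describes the failure mode only in words: after `--dropdtd` an entity reference node still points at an entity declaration that was freed along with the DTD, and a traversal that inspects the child's type before the parent's type reads through that pointer. The following is an added illustration, not code from libxml2 or from this commit: it uses a toy node struct and enum of its own (the names `T_ENTITY_REF`, `T_ENTITY_DECL` and so on are chosen here and do not match libxml2's values), a `freed` flag stands in for memory actually released by `free()`, and the two `walk()` modes reproduce only the shape of the old block-list condition and the new allow-list condition from the hunk. It counts reads through a dropped node instead of performing them, so it runs cleanly under either policy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy node model with the fields the patch touches (type, children,
 * next, parent). Assumption: this is a stand-in for libxml2's xmlNode,
 * not the real struct, and the enum values are invented for this demo. */
enum node_type {
    T_ELEMENT,
    T_TEXT,
    T_ENTITY_REF,
    T_ENTITY_DECL,
    T_DOCUMENT,
    T_XINCLUDE_START,
    T_XINCLUDE_END
};

struct node {
    enum node_type type;
    struct node *children;
    struct node *next;
    struct node *parent;
    int freed;  /* set when the owning DTD is dropped; stands in for free() */
};

/* 1 if the node was dropped with the DTD, i.e. reading it is a use-after-free. */
static int touch(const struct node *n)
{
    return n->freed ? 1 : 0;
}

/* Depth-first walk in the same loop shape as the patched function:
 * decide whether to descend, else move to the next sibling or climb.
 * Returns how many times a dropped node was read. */
static int walk(struct node *tree, int allowlist)
{
    int dangling = 0;
    struct node *cur = tree;

    while (cur != NULL) {
        int descend = 0;

        dangling += touch(cur);

        if (allowlist) {
            /* Patched shape: check the parent's type first, so the children
             * pointer of an entity reference node is never followed. */
            descend = (cur->children != NULL) &&
                      (cur->type == T_DOCUMENT || cur->type == T_ELEMENT);
        } else if (cur->children != NULL) {
            /* Pre-patch shape: the block list is evaluated on the child,
             * which means reading cur->children->type through whatever
             * pointer an entity reference node still holds. */
            dangling += touch(cur->children);
            descend = (cur->children->type != T_ENTITY_DECL) &&
                      (cur->children->type != T_XINCLUDE_START) &&
                      (cur->children->type != T_XINCLUDE_END);
        }

        if (descend) {
            cur = cur->children;
            continue;
        }

        /* Next sibling, or climb parents until a sibling exists. */
        do {
            if (cur == tree) { cur = NULL; break; }
            if (cur->next != NULL) { cur = cur->next; break; }
            cur = cur->parent;
        } while (cur != NULL);
    }
    return dangling;
}

/* Constructed sample tree for <doc><a>text&ent;</a></doc> after the DTD
 * declaring &ent; has been dropped: the reference still points at the
 * declaration, and the declaration is marked as freed. */
static struct node nodes[5];

static struct node *build_tree(void)
{
    struct node *doc = &nodes[0], *a = &nodes[1], *text = &nodes[2],
                *ref = &nodes[3], *decl = &nodes[4];

    memset(nodes, 0, sizeof nodes);
    doc->type = T_DOCUMENT;   doc->children = a;
    a->type = T_ELEMENT;      a->parent = doc;  a->children = text;
    text->type = T_TEXT;      text->parent = a; text->next = ref;
    ref->type = T_ENTITY_REF; ref->parent = a;  ref->children = decl;
    decl->type = T_ENTITY_DECL;                 decl->freed = 1;  /* dangling */
    return doc;
}

int dangling_reads_blocklist(void) { return walk(build_tree(), 0); }
int dangling_reads_allowlist(void) { return walk(build_tree(), 1); }

int main(void)
{
    printf("block list on child type : %d dangling read(s)\n",
           dangling_reads_blocklist());
    printf("allow list on parent type: %d dangling read(s)\n",
           dangling_reads_allowlist());
    return 0;
}
```

The block-list walk reports one dangling read, from the entity reference node, while the allow-list walk reports none, because it never consults `children` of a node whose own type is not a document or element.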