[libxml2] Avoid arithmetic on freed pointers
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Avoid arithmetic on freed pointers
- Date: Sun, 6 Mar 2022 01:53:37 +0000 (UTC)
commit 4951c462eae68562df335ff6d611f4352ea9931d
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Sun Mar 6 02:29:00 2022 +0100
Avoid arithmetic on freed pointers
parserInternals.c | 45 +++++++++------------------------------------
1 file changed, 9 insertions(+), 36 deletions(-)
---
diff --git a/parserInternals.c b/parserInternals.c
index 364ae3d5..9845044e 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -284,7 +284,6 @@ int
xmlParserInputGrow(xmlParserInputPtr in, int len) {
int ret;
size_t indx;
- const xmlChar *content;
if ((in == NULL) || (len < 0)) return(-1);
#ifdef DEBUG_INPUT
@@ -309,22 +308,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
} else
return(0);
- /*
- * NOTE : in->base may be a "dangling" i.e. freed pointer in this
- * block, but we use it really as an integer to do some
- * pointer arithmetic. Insure will raise it as a bug but in
- * that specific case, that's not !
- */
-
- content = xmlBufContent(in->buf->buffer);
- if (in->base != content) {
- /*
- * the buffer has been reallocated
- */
- indx = in->cur - in->base;
- in->base = content;
- in->cur = &content[indx];
- }
+ in->base = xmlBufContent(in->buf->buffer);
+ in->cur = in->base + indx;
in->end = xmlBufEnd(in->buf->buffer);
CHECK_BUFFER(in);
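Review bot: The new `in->base = xmlBufContent(in->buf->buffer);` is fed straight into `in->cur = in->base + indx;` with no NULL check; if xmlBufContent returns NULL for a buffer whose error flag is set (as I recall it does in libxml2's buf.c, which is not shown here), a failed xmlParserInputBufferGrow would leave in->base NULL, make the next line arithmetic on a null pointer, and hand the caller an in->cur that is dereferenced on the next character read. The removed block had the same gap, but since this commit is about making the base/cur bookkeeping sound it is the natural place to close it, e.g. `if (in->base == NULL) { in->cur = in->end = NULL; return(-1); }` between the two assignments so the error is reported before cur and end are derived from base. Whether callers already tolerate a -1 return with the input pointers reset I cannot tell from this hunk. xmlParserInputGrow's body starts and ends outside the hunk; indx is computed earlier in the function.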
@@ -342,8 +327,6 @@ void
xmlParserInputShrink(xmlParserInputPtr in) {
size_t used;
size_t ret;
- size_t indx;
- const xmlChar *content;
#ifdef DEBUG_INPUT
xmlGenericError(xmlGenericErrorContext, "Shrink\n");
@@ -356,7 +339,7 @@ xmlParserInputShrink(xmlParserInputPtr in) {
CHECK_BUFFER(in);
- used = in->cur - xmlBufContent(in->buf->buffer);
+ used = in->cur - in->base;
/*
* Do not shrink on large buffers whose only a tiny fraction
* was consumed
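Review bot: `used = in->cur - in->base;` now silently depends on in->base being equal to the buffer's content pointer, which the replaced expression did not assume; that invariant is what the rest of this commit establishes, but nothing in the function states it, so a future caller that touches in->base without going through Grow/Shrink would make this offset wrong without any local hint. A one-line comment above the assignment would make the dependency explicit, e.g. `/* in->base always tracks xmlBufContent(in->buf->buffer), so this is the offset from the buffer start */`. xmlParserInputShrink's body starts and ends outside this hunk.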
@@ -364,27 +347,17 @@ xmlParserInputShrink(xmlParserInputPtr in) {
if (used > INPUT_CHUNK) {
ret = xmlBufShrink(in->buf->buffer, used - LINE_LEN);
if (ret > 0) {
- in->cur -= ret;
+ used -= ret;
in->consumed += ret;
}
- in->end = xmlBufEnd(in->buf->buffer);
}
- CHECK_BUFFER(in);
-
- if (xmlBufUse(in->buf->buffer) > INPUT_CHUNK) {
- return;
- }
- xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK);
- content = xmlBufContent(in->buf->buffer);
- if (in->base != content) {
- /*
- * the buffer has been reallocated
- */
- indx = in->cur - in->base;
- in->base = content;
- in->cur = &content[indx];
+ if (xmlBufUse(in->buf->buffer) <= INPUT_CHUNK) {
+ xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK);
}
+
+ in->base = xmlBufContent(in->buf->buffer);
+ in->cur = in->base + used;
in->end = xmlBufEnd(in->buf->buffer);
CHECK_BUFFER(in);
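Review bot: The return value of `xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK);` is dropped, and the following `in->base = xmlBufContent(in->buf->buffer);` is used in `in->cur = in->base + used;` without a NULL check, so a read that fails and puts the buffer into its error state (where, if I read buf.c correctly, xmlBufContent returns NULL) leaves in->base NULL and in->cur pointing `used` bytes past a null pointer, which is undefined arithmetic and a likely crash on the next read through in->cur. This was already true of the removed code, but the rewrite now has a single point where it can be guarded: `if (in->base == NULL) { in->cur = in->end = NULL; return; }` right after the xmlBufContent call, since this function returns void and cannot report the failure any other way. Also note that `used -= ret;` relies on xmlBufShrink never returning more than `used - LINE_LEN`, which is presumably its contract but is not visible here. xmlParserInputShrink's closing brace lies outside the hunk.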