[xml] Long patterns with xmlTextReaderPreservePattern make xmlFreeTextReader crash


In my case, code analogous to the one in example 'reader3.c' makes
'xmlFreeTextReader' crash when I use long patterns, e.g. 
(shorter patterns work).

The code stripped to its minimum:

pReader = xmlReaderForMemory(...);
xmlTextReaderPreservePattern(pReader, (xmlChar*)pszXPath, NULL); // returns XML_ERR_OK

Called with the pattern mentioned above, the following values can be
observed after the call to 'xmlTextReaderPreservePattern':

pReader->patternTab[0]->nbStep has the value 11
pReader->patternTab[0]->maxStep has the value 10

On clean-up, xmlFreeTextReader calls xmlFreePattern, which relies upon
the value of nbStep (=11):

   for (i = 0;i < comp->nbStep;i++) {
        op = &comp->steps[i];
        if (op->value != NULL)
            xmlFree((xmlChar *) op->value);
        if (op->value2 != NULL)
            xmlFree((xmlChar *) op->value2);
   }

Accessing comp->steps[10] is not allowed and leads to a crash in

I am still using libxml2 version 2.6.5, but the above mentioned code
doesn't seem to have changed in 2.6.16. Is there a way to check this
condition beforehand? Or to set the limit higher?

Thanks for any help.
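Added illustration, not part of the report and not libxml2 code: a stand-alone C model of the step table described above, with hypothetical names chosen to match the fields the poster observed (steps, nbStep, maxStep, value, value2). It shows the invariant the free loop silently depends on (nbStep <= maxStep), a growth routine that keeps it, and the kind of check the poster asks for before releasing the structure.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a compiled pattern's step table; field names follow the report. */
typedef struct { char *value; char *value2; } Step;
typedef struct {
    Step *steps;
    int nbStep;   /* steps in use: must never exceed maxStep */
    int maxStep;  /* steps allocated */
} Pattern;

/* The "check beforehand" asked for: 1 if nbStep fits the allocation, 0 otherwise. */
int patternIsConsistent(const Pattern *comp) {
    if (comp->steps == NULL) return comp->nbStep == 0;
    return comp->nbStep >= 0 && comp->nbStep <= comp->maxStep;
}

/* Append a step, growing the table before the write so the invariant holds afterwards. */
int patternAddStep(Pattern *comp, const char *v1, const char *v2) {
    if (comp->nbStep >= comp->maxStep) {
        int newMax = comp->maxStep > 0 ? comp->maxStep * 2 : 10;
        Step *tmp = realloc(comp->steps, (size_t)newMax * sizeof(Step));
        if (tmp == NULL) return -1;
        comp->steps = tmp; comp->maxStep = newMax;
    }
    comp->steps[comp->nbStep].value  = v1 ? strdup(v1) : NULL;
    comp->steps[comp->nbStep].value2 = v2 ? strdup(v2) : NULL;
    comp->nbStep++;
    return 0;
}

/* Release loop shaped like the one quoted above; it trusts nbStep, so verify it first. */
void patternFree(Pattern *comp) {
    int i;
    assert(patternIsConsistent(comp));  /* trap the 11/10 state instead of reading past the buffer */
    for (i = 0; i < comp->nbStep; i++) {
        free(comp->steps[i].value);
        free(comp->steps[i].value2);
    }
    free(comp->steps);
    comp->steps = NULL; comp->nbStep = comp->maxStep = 0;
}

/* Build a pattern with n steps (the reported long pattern had 11); returns nbStep or -1. */
int buildPattern(Pattern *comp, int n) {
    int i;
    memset(comp, 0, sizeof *comp);
    for (i = 0; i < n; i++)
        if (patternAddStep(comp, "step", "ns") != 0) { patternFree(comp); return -1; }
    return comp->nbStep;
}
```

With the reported values (nbStep 11, maxStep 10) patternIsConsistent returns 0, so the free routine refuses to walk the table rather than reading one element past it.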
