[xml] Heap use after free in parser.c

We ran into a heap use after free in Chromium http://crbug.com/793715 that I think I tracked down. I have a tentative patch attached to address it.
In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer, the ctxt object could still point to the old deleted buffer.



Attachment: 0001-Fix-heap-use-after-free.patch
Description: Text Data

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]