Re: [xml] Heap use after free in parser.c

On 02/01/2018 20:08, Jay Civelli via xml wrote:
We ran into a heap use after free in Chromium <> that I think I tracked down.

I don't have access to this page.

I have a tentative patch attached to address it.
In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer, the ctxt object could still point to the old deleted buffer.

Maybe it's better to call xmlHaltParser if xmlCharEncInput fails. That's what the other code path in xmlParseChunk does.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]