On 02/01/2018 20:08, Jay Civelli via xml wrote:
We ran into a heap use after free in Chromium http://crbug.com/793715 that I think I tracked down.
I don't have access to this page.
I have a tentative patch attached to address it.
In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer, the ctxt object could still point to the old deleted buffer.
Maybe it's better to call xmlHaltParser if xmlCharEncInput fails. That's what the other code path in xmlParseChunk does.
Nick
Attachment:
0001-Fix-heap-use-after-free.patch
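To make the stale-pointer pattern from the thread concrete, here is an added example in C (mine, not code from libxml2 or from the attached patch): a simplified stand-in for a buffer-growing conversion routine that can fail after it has reallocated, plus a caller that keeps an offset rather than a pointer, halts the parser on failure, and re-derives its cursor from the live buffer on success. Every struct and function name here is a hypothetical model, not libxml2's real definition.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified model of the libxml2 structures the thread talks
 * about; these are NOT libxml2's real definitions. */
typedef struct { char *content; size_t size; size_t use; } buf_t;
typedef struct { buf_t *buf; const char *cur; const char *end; } input_t;
typedef struct { input_t *input; int halted; int err; } parser_ctxt_t;
static const char halt_sentinel[] = "";   /* what a halted input points at */

/* Stand-in for xmlCharEncInput(): realloc may move the buffer and free the
 * old block; with `fail` set it then reports an error, the case in the thread. */
static int enc_input(buf_t *b, size_t extra, int fail) {
    char *n = realloc(b->content, b->size + extra);
    if (n == NULL) return -1;
    b->content = n;                      /* old block is gone from here on */
    b->size += extra;
    return fail ? -1 : 0;
}
/* Stand-in for xmlHaltParser(): detach the input from any buffer. */
static void halt_parser(parser_ctxt_t *ctxt) {
    ctxt->halted = 1;
    ctxt->input->cur = ctxt->input->end = halt_sentinel;
}

/* Hardened caller: keep an offset (survives realloc) instead of a raw pointer,
 * halt on failure, re-derive cur/end from the live buffer on success. */
static int feed_chunk(parser_ctxt_t *ctxt, size_t extra, int fail) {
    input_t *in = ctxt->input;
    size_t off = (size_t)(in->cur - in->buf->content);
    if (enc_input(in->buf, extra, fail) < 0) {
        ctxt->err = 1;
        halt_parser(ctxt);   /* in->cur may point into the freed block: never reuse it */
        return -1;
    }
    in->cur = in->buf->content + off;
    in->end = in->buf->content + in->buf->use;
    return 0;
}
/* One scenario; returns 1 when the input state is consistent afterwards. */
static int scenario(int fail) {
    buf_t b = { malloc(8), 8, 5 };        /* constructed sample input "<a/>" */
    input_t in = { &b, b.content + 2, b.content + b.use };
    parser_ctxt_t ctxt = { &in, 0, 0 };
    memcpy(b.content, "<a/>", 5);
    int rc = feed_chunk(&ctxt, 1 << 20, fail);
    int ok = fail ? (rc == -1 && ctxt.halted && ctxt.err && in.cur == halt_sentinel)
                  : (rc == 0 && in.cur == b.content + 2 && in.end == b.content + 5);
    free(b.content);
    return ok;
}
```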