Re: [xml] Heap use after free in parser.c
Hi Nick,
Did you have a chance to look at my latest patch? (attached in my previous email)

Thanks.

Jay

On Mon, Jan 8, 2018 at 1:43 PM, Jay Civelli <jcivelli google com> wrote:
On Mon, Jan 8, 2018 at 11:27 AM, Nick Wellnhofer <wellnhofer aevum de> wrote:
On 02/01/2018 20:08, Jay Civelli via xml wrote:
We ran into a heap use after free in Chromium http://crbug.com/793715 that I think I tracked down.

I don't have access to this page.
You should have access now.


I have a tentative patch attached to address it.
In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer, the ctxt object could still point to the old deleted buffer.

Maybe it's better to call xmlHaltParser if xmlCharEncInput fails. That's what the other code path in xmlParseChunk does.
Good idea, done in new attached patch. Note that I changed the error from the existing XML_ERR_INVALID_ENCODING to XML_ERR_INVALID_CHAR, which seemed to make more sense.

Jay

Nick
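The failure shape discussed above (a decode step that grows, and so frees, the input buffer and then fails, leaving the context's raw cursor pointing at freed memory), as an added illustration in C that is not part of this thread or of libxml2's code. parser_ctx, decode_chunk, feed_unsafe, feed_safe and cursor_is_live are hypothetical stand-ins for the ctxt / xmlCharEncInput / xmlHaltParser roles the messages describe; feed_safe shows the "halt the parser on failure" fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    char *data;        /* decoded bytes, reallocated when the buffer grows */
    size_t size, use;
    const char *cur;   /* raw cursor into data, like an input's cur pointer */
    int halted;
} parser_ctx;
/* Hypothetical stand-in for the decoder: grows the buffer (freeing the old
 * block), copies the chunk in, then rejects it if any byte is non-ASCII.
 * As in the thread, the grow has already happened when -1 is returned. */
static int decode_chunk(parser_ctx *c, const char *in, size_t len) {
    if (c->use + len + 1 > c->size) {
        size_t nsize = (c->use + len + 1) * 2;
        char *nd = malloc(nsize);
        if (nd == NULL) return -1;
        if (c->data) { memcpy(nd, c->data, c->use); free(c->data); }
        c->data = nd; c->size = nsize;           /* c->cur is now stale */
    }
    memcpy(c->data + c->use, in, len);
    c->use += len;
    c->data[c->use] = '\0';
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)in[i] & 0x80) return -1;   /* "encoding" error */
    return 0;
}
/* Does cur point inside the live buffer? Compared as integers so the check
 * is well-defined even when cur refers to freed memory. */
static int cursor_is_live(const parser_ctx *c) {
    uintptr_t p = (uintptr_t)c->cur, b = (uintptr_t)c->data;
    return c->cur != NULL && p >= b && p <= b + c->use;
}
/* Vulnerable shape: after a failed decode the stale cursor is left in
 * place, and any later use of it reads freed memory. */
static int feed_unsafe(parser_ctx *c, const char *in, size_t len) {
    if (decode_chunk(c, in, len) < 0) return -1;  /* cur never refreshed */
    c->cur = c->data;
    return 0;
}
/* Fixed shape: halt on failure (the xmlHaltParser suggestion) so the
 * dangling cursor can no longer be reached by later parsing. */
static int feed_safe(parser_ctx *c, const char *in, size_t len) {
    if (c->halted) return -1;
    if (decode_chunk(c, in, len) < 0) { c->halted = 1; c->cur = NULL; return -1; }
    c->cur = c->data;
    return 0;
}
```

Under AddressSanitizer, dereferencing the cursor after feed_unsafe has failed is the heap-use-after-free report the thread refers to; feed_safe never reaches that point.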