From 178f65add031108cc13ee8446fb8a5bd5ad9be88 Mon Sep 17 00:00:00 2001
From: Jay Civelli
Date: Thu, 28 Dec 2017 10:27:48 -0800
Subject: [PATCH] Fix heap use after free.

In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer, the ctxt object could still point to the old deleted buffer. Make sure we always update the ctxt.
---
 parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index a30dd18e..3a0b640b 100644
--- a/parser.c
+++ b/parser.c
@@ -12212,13 +12212,13 @@ xmldecl_done:
 size_t current = ctxt->input->cur - ctxt->input->base;
 nbchars = xmlCharEncInput(in, terminate);
+ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 if (nbchars < 0) {
 /* TODO 2.6.0 */
 xmlGenericError(xmlGenericErrorContext,
 "xmlParseChunk: encoder error\n");
 return(XML_ERR_INVALID_ENCODING);
 }
- xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 }
 }
 }
-- 
2.15.1.620.gb9897f4670-goog
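Review bot: The moved xmlBufSetInputBaseCur() call carries no comment explaining why it must run before the `nbchars < 0` check, so a later cleanup could move it back below the error return and silently reintroduce the dangling base/cur pointers this patch fixes; add `/* Rebase input->base/cur before checking for errors: xmlCharEncInput() may have reallocated in->buffer even when it fails. */` above the added line. The error path itself still returns XML_ERR_INVALID_ENCODING without recording the failure on ctxt (no errNo, wellFormed or parser-state update is visible in the hunk), so a caller that ignores the return value can presumably keep pushing chunks into a context whose encoder has already failed — worth confirming against how the other encoder-error returns in this function are handled. The enclosing function (xmlParseChunk, per the error message) begins and ends outside the hunk.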