[libxml2] Fix cleanup of attributes in XML reader

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Fix cleanup of attributes in XML reader
Date: Sun, 13 Sep 2020 10:42:08 +0000 (UTC)

commit b215c270fa3b1436314cc56654718bd12182cfec
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Sun Sep 13 12:19:48 2020 +0200

    Fix cleanup of attributes in XML reader
    
    xml:id creates ID attributes even in documents without a DTD, so the
    check in xmlTextReaderFreeProp must be changed to avoid use after free.
    
    Found by OSS-Fuzz.

 xmlreader.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
---
diff --git a/xmlreader.c b/xmlreader.c
index a9b9ef93e..01adf74f4 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -359,12 +359,12 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
        xmlDeregisterNodeDefaultValue((xmlNodePtr) cur);
 
     /* Check for ID removal -> leading to invalid references ! */
-    if ((cur->parent != NULL) && (cur->parent->doc != NULL) &&
-       ((cur->parent->doc->intSubset != NULL) ||
-        (cur->parent->doc->extSubset != NULL))) {
+    if ((cur->parent != NULL) && (cur->parent->doc != NULL)) {
         if (xmlIsID(cur->parent->doc, cur->parent, cur))
            xmlTextReaderRemoveID(cur->parent->doc, cur);
-        if (xmlIsRef(cur->parent->doc, cur->parent, cur))
+       if (((cur->parent->doc->intSubset != NULL) ||
+            (cur->parent->doc->extSubset != NULL)) &&
+            (xmlIsRef(cur->parent->doc, cur->parent, cur)))
             xmlTextReaderRemoveRef(cur->parent->doc, cur);
     }
     if (cur->children != NULL)

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]