From 110e44ec9c33096e306cdd9251029a4e54e277f9 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 11 Dec 2024 22:43:27 +0100
Subject: [PATCH] SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL

Passing a NULL systemId results in snprintf("%s", NULL) which crashes on
some platforms. Regressed with commit 4ff2dccf.

Note that systemId should never be NULL during normal parsing. It can
only be NULL if API functions are called with a NULL systemId.

Should fix #825.
---
 SAX2.c | 66 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 36 insertions(+), 30 deletions(-)

diff --git a/SAX2.c b/SAX2.c
index 32db6b4c..3d0257c2 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -404,42 +404,48 @@ xmlSAX2ResolveEntity(void *ctx, const xmlChar *publicId, const xmlChar *systemId
 {
     xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
     xmlParserInputPtr ret = NULL;
-    xmlChar *URI;
-    const xmlChar *base = NULL;
-    int res;
+    xmlChar *URI = NULL;
 
     if (ctx == NULL) return(NULL);
-    if (ctxt->input != NULL)
-	base = BAD_CAST ctxt->input->filename;
 
-    /*
-     * We don't really need the 'directory' struct member, but some
-     * users set it manually to a base URI for memory streams.
-     */
-    if (base == NULL)
-        base = BAD_CAST ctxt->directory;
+    if (systemId != NULL) {
+        const xmlChar *base = NULL;
+        int res;
 
-    if ((xmlStrlen(systemId) > XML_MAX_URI_LENGTH) ||
-        (xmlStrlen(base) > XML_MAX_URI_LENGTH)) {
-        xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
-        return(NULL);
-    }
-    res = xmlBuildURISafe(systemId, base, &URI);
-    if (URI == NULL) {
-        if (res < 0)
-            xmlSAX2ErrMemory(ctxt);
-        else
-            xmlWarnMsg(ctxt, XML_ERR_INVALID_URI,
-                       "Can't resolve URI: %s\n", systemId);
-        return(NULL);
-    }
-    if (xmlStrlen(URI) > XML_MAX_URI_LENGTH) {
-        xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
-    } else {
-        ret = xmlLoadExternalEntity((const char *) URI,
-                                    (const char *) publicId, ctxt);
+        if (ctxt->input != NULL)
+            base = BAD_CAST ctxt->input->filename;
+
+        /*
+         * We don't really need the 'directory' struct member, but some
+         * users set it manually to a base URI for memory streams.
+         */
+        if (base == NULL)
+            base = BAD_CAST ctxt->directory;
+
+        if ((xmlStrlen(systemId) > XML_MAX_URI_LENGTH) ||
+            (xmlStrlen(base) > XML_MAX_URI_LENGTH)) {
+            xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
+            return(NULL);
+        }
+        res = xmlBuildURISafe(systemId, base, &URI);
+        if (URI == NULL) {
+            if (res < 0)
+                xmlSAX2ErrMemory(ctxt);
+            else
+                xmlWarnMsg(ctxt, XML_ERR_INVALID_URI,
+                           "Can't resolve URI: %s\n", systemId);
+            return(NULL);
+        }
+        if (xmlStrlen(URI) > XML_MAX_URI_LENGTH) {
+            xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
+            xmlFree(URI);
+            return(NULL);
+        }
     }
 
+    ret = xmlLoadExternalEntity((const char *) URI,
+                                (const char *) publicId, ctxt);
+
     xmlFree(URI);
     return(ret);
 }