c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Set doc on element obtained from freeElems

Browse Source 
In commit 8c9daf79, a call to xmlFreeNode was added in
xmlSAX2StartElementNs. If a node was obtained from the freeElems list,
make sure to set the doc, otherwise xmlFreeNode wouldn't realize that
the node name might be in the dictionary, causing an invalid free.

Note that the issue fixed in commit 8c9daf79 requires commit 0ed6addb
and this one to work properly.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer 2018-11-22 14:28:58 +01:00
parent fc27759d2a
commit 1567b55b72
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
SAX2.c
View File

@ -2261,6 +2261,7 @@ xmlSAX2StartElementNs(void *ctx,
ctxt->freeElems = ret->next;
ctxt->freeElemsNr--;
memset(ret, 0, sizeof(xmlNode));
ret->doc = ctxt->myDoc;
ret->type = XML_ELEMENT_NODE;
if (ctxt->dictNames)