From 19cae17f5a2acfbd5554d145bb87cd6bf2de244f Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Wed, 19 Aug 2020 13:07:28 +0200 Subject: [PATCH] Revert "Fix quadratic runtime in xi:fallback processing" This reverts commit 27119ec33c9f6b9830efa1e0da0acfa353dfa55a. Not copying fallback children didn't fix up namespaces and could lead to use-after-free errors. Found by OSS-Fuzz. --- xinclude.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/xinclude.c b/xinclude.c index 3c810ca1..90245355 100644 --- a/xinclude.c +++ b/xinclude.c @@ -1984,7 +1984,8 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) { ret = -1; xmlXIncludeFreeContext(newctxt); - ctxt->incTab[nr]->inc = fallback->children; + ctxt->incTab[nr]->inc = xmlDocCopyNodeList(ctxt->doc, + fallback->children); } else { ctxt->incTab[nr]->inc = NULL; } @@ -2240,6 +2241,12 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) { if (ctxt->incTab[nr]->fallback) xmlUnsetProp(cur, BAD_CAST "href"); cur->type = XML_XINCLUDE_START; + /* Remove fallback children */ + for (child = cur->children; child != NULL; child = next) { + next = child->next; + xmlUnlinkNode(child); + xmlFreeNode(child); + } end = xmlNewDocNode(cur->doc, cur->ns, cur->name, NULL); if (end == NULL) { xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, @@ -2255,17 +2262,11 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) { * Add the list of nodes */ while (list != NULL) { - next = list->next; - xmlAddPrevSibling(end, list); - list = next; - } + cur = list; + list = list->next; - /* Remove fallback node */ - for (child = cur->children; child != NULL; child = next) { - next = child->next; - xmlUnlinkNode(child); - xmlFreeNode(child); - } + xmlAddPrevSibling(end, cur); + } }