			
		
		
		
	Memory leak in xmlFreeTextReader
In error cases, there might still be elements in the vstate table. Since vstateVPop in valid.c is private, we have to pop the elements with xmlValidatePopElement. This inspects nodes of the document, so the reader doc must be freed after clearing the vstate table. Found by OSS-Fuzz.
		
							
								
								
									
										14
									
								
								xmlreader.c
									
									
									
									
									
								
							
							
						
						
									
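--- a/xmlreader.c
+++ b/xmlreader.c
@@ -2264,17 +2264,19 @@ xmlFreeTextReader(xmlTextReaderPtr reader) {
     if (reader->ctxt != NULL) {
         if (reader->dict == reader->ctxt->dict)
 	    reader->dict = NULL;
+	if ((reader->ctxt->vctxt.vstateTab != NULL) &&
+	    (reader->ctxt->vctxt.vstateMax > 0)){
+            while (reader->ctxt->vctxt.vstateNr > 0)
+                xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL);
+	    xmlFree(reader->ctxt->vctxt.vstateTab);
+	    reader->ctxt->vctxt.vstateTab = NULL;
+	    reader->ctxt->vctxt.vstateMax = 0;
+	}
 	if (reader->ctxt->myDoc != NULL) {
 	    if (reader->preserve == 0)
 		xmlTextReaderFreeDoc(reader, reader->ctxt->myDoc);
 	    reader->ctxt->myDoc = NULL;
 	}
-	if ((reader->ctxt->vctxt.vstateTab != NULL) &&
-	    (reader->ctxt->vctxt.vstateMax > 0)){
-	    xmlFree(reader->ctxt->vctxt.vstateTab);
-	    reader->ctxt->vctxt.vstateTab = NULL;
-	    reader->ctxt->vctxt.vstateMax = 0;
-	}
 	if (reader->allocs & XML_TEXTREADER_CTXT)
 	    xmlFreeParserCtxt(reader->ctxt);
     }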
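Review bot: The relocated vstate block now has to run before `xmlTextReaderFreeDoc`, because per the commit message `xmlValidatePopElement` inspects document nodes, yet nothing in the code records that ordering, so a later reshuffle of this cleanup could turn the leak fix into a use-after-free. I would add above the block: `/* Pop remaining validation states before freeing the doc: xmlValidatePopElement reads nodes owned by myDoc. */`. Separately, the `while (reader->ctxt->vctxt.vstateNr > 0)` loop terminates only if every call decrements `vstateNr`; the callee is not visible here, so it is worth confirming it cannot return without popping, or breaking out of the loop when the count does not drop. The two loop lines are also indented with spaces where the rest of the block uses tabs. xmlFreeTextReader's body begins and ends outside this hunk.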