parser: Fix stack handling in xmlParseTryOrFinish

After commit e0dd330b, this latent bug could cause use-after-free errors in rare circumstances like using the reader API with recovery and XIncludes.
2025-10-24 13:33:01 +03:00 · 2023-10-14 22:43:25 +02:00
parent 7dfcea03c3
commit 86ef190e53
1 changed files with 9 additions and 13 deletions
--- a/parser.c
+++ b/parser.c
@@ -11736,7 +11736,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
 		const xmlChar *prefix = NULL;
 		const xmlChar *URI = NULL;
                int line = ctxt->input->line;
-		int nbNs;
+		int nbNs = 0;

 		if ((!terminate) && (avail < 2))
 		    goto done;
@@ -11807,30 +11807,26 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
 			    ctxt->sax->endElement(ctxt->userData, name);
 #endif /* LIBXML_SAX1_ENABLED */
 		    }
-		    if (ctxt->instate == XML_PARSER_EOF)
-			goto done;
 		    spacePop(ctxt);
-		    if (ctxt->nameNr == 0) {
-			ctxt->instate = XML_PARSER_EPILOG;
-		    } else {
-			ctxt->instate = XML_PARSER_CONTENT;
-		    }
-		    break;
-		}
-		if (RAW == '>') {
+		} else if (RAW == '>') {
 		    NEXT;
+                    nameNsPush(ctxt, name, prefix, URI, line, nbNs);
 		} else {
 		    xmlFatalErrMsgStr(ctxt, XML_ERR_GT_REQUIRED,
 					 "Couldn't find end of Start Tag %s\n",
 					 name);
 		    nodePop(ctxt);
 		    spacePop(ctxt);
+                    if (nbNs > 0)
+                        xmlParserNsPop(ctxt, nbNs);
 		}
-                nameNsPush(ctxt, name, prefix, URI, line, nbNs);

                if (ctxt->instate == XML_PARSER_EOF)
                    goto done;
-		ctxt->instate = XML_PARSER_CONTENT;
+                if (ctxt->nameNr == 0)
+                    ctxt->instate = XML_PARSER_EPILOG;
+                else
+                    ctxt->instate = XML_PARSER_CONTENT;
                break;
 	    }
            case XML_PARSER_CONTENT: {