From 8c82f5deeba9d6ecf85f2a0aa9c967320cc6c13c Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Wed, 7 Jun 2017 18:32:49 +0200
Subject: [PATCH] Fix memory leak in xmlStringLenGetNodeList

Avoid expanding the entity recursively. Use the same prevention mechanism as in xmlStringGetNodeList. xmlStringGetNodeList on the other hand wasn't fixing up the 'last' pointer. I think the memory leak can only be triggered in recovery mode. Found with libFuzzer and ASan.
---
 tree.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tree.c b/tree.c
index 9d330b85..e154ec02 100644
--- a/tree.c
+++ b/tree.c
@@ -1401,6 +1401,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
             else if ((ent != NULL) && (ent->children == NULL)) {
                 xmlNodePtr temp;
 
+                /* Set to non-NULL value to avoid recursion. */
+                ent->children = (xmlNodePtr) -1;
                 ent->children = xmlStringGetNodeList(doc,
                         (const xmlChar*)node->content);
                 ent->owner = 1;
@@ -1593,6 +1595,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
             else if ((ent != NULL) && (ent->children == NULL)) {
                 xmlNodePtr temp;
 
+                /* Set to non-NULL value to avoid recursion. */
                 ent->children = (xmlNodePtr) -1;
                 ent->children = xmlStringGetNodeList(doc,
                         (const xmlChar*)node->content);
@@ -1600,6 +1603,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
                 temp = ent->children;
                 while (temp) {
                     temp->parent = (xmlNodePtr)ent;
+                    ent->last = temp;
                     temp = temp->next;
                 }
             }
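Review bot: The recursion guard in the first hunk stores `(xmlNodePtr) -1` into `ent->children`, a non-NULL but invalid pointer, and the added comment does not say that this value must never be dereferenced or who clears it; any code reached from the nested `xmlStringGetNodeList` call that tests `ent->children` only against NULL and then walks it would follow a wild pointer. I would make the invariant explicit where the sentinel is stored: `/* Mark the entity as being expanded so the nested xmlStringGetNodeList call emits a plain reference instead of recursing; this is NOT a valid node pointer and is overwritten by the real list below. */`. The same literal now appears in both functions, so a single named constant shared by both sites, e.g. `#define XML_ENT_EXPANDING ((xmlNodePtr) -1)`, would keep the two guards from drifting apart. Whether any caller on the nested path dereferences `ent->children` without a sentinel check is not visible here and should be confirmed. The enclosing `else if` body continues past the end of the hunk.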
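Review bot: In the third hunk `ent->last` is only assigned inside the `while (temp)` loop, so when `xmlStringGetNodeList` returns NULL (allocation failure or an empty replacement) the loop never runs and `ent->last` keeps whatever it held before, leaving `children == NULL` with a possibly stale `last`. Since the branch is entered on `ent->children == NULL`, `last` is presumably NULL already, but nothing here enforces that pairing; resetting it before the walk, `ent->last = NULL;` just above `temp = ent->children;`, makes the two fields consistent on every path. A one-line comment on the loop, `/* ent->last ends on the tail of the new list */`, would also record why the store sits inside the loop rather than after it. The start of this function's expansion branch is outside the hunk.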