lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

Fix null deref in legacy SAX1 parser

Browse Source 
Always call nameNsPush instead of namePush. The latter is unused now
and should probably be removed from the public API. I can't see how
it could be used reasonably from client code and the unprefixed name
has always polluted the global namespace.

Fixes a null pointer dereference introduced with de5b624f when parsing
in SAX1 mode.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer
2021-05-09 18:56:57 +02:00
parent ce00c36e65
commit bfd2f4300f
1 changed files with 2 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
parser.c
View File

@@ -10025,12 +10025,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) {
spacePop(ctxt); spacePop(ctxt);
return(-1); return(-1);
} }
if (ctxt->sax2)
nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr); nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr);
#ifdef LIBXML_SAX1_ENABLED
else
namePush(ctxt, name);
#endif /* LIBXML_SAX1_ENABLED */
ret = ctxt->node; ret = ctxt->node;
#ifdef LIBXML_VALID_ENABLED #ifdef LIBXML_VALID_ENABLED
@@ -11496,13 +11491,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
nodePop(ctxt); nodePop(ctxt);
spacePop(ctxt); spacePop(ctxt);
} }
if (ctxt->sax2) nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr);
nameNsPush(ctxt, name, prefix, URI, line,
ctxt->nsNr - nsNr);
#ifdef LIBXML_SAX1_ENABLED
else
namePush(ctxt, name);
#endif /* LIBXML_SAX1_ENABLED */
ctxt->instate = XML_PARSER_CONTENT; ctxt->instate = XML_PARSER_CONTENT;
ctxt->progressive = 1; ctxt->progressive = 1;