parser: Avoid undefined behavior in xmlParseStartTag2

Instead of using arithmetic on dangling pointers, store ptrdiff_t values in void pointers which is at least implementation-defined.
2025-10-26 00:37:43 +03:00 · 2023-09-14 20:52:24 +02:00
parent 90d5b79958
commit d7cfe35650
1 changed files with 18 additions and 22 deletions
--- a/parser.c
+++ b/parser.c
@@ -9144,19 +9144,21 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
            ctxt->attallocs[nratts++] = alloc;
            atts[nbatts++] = attname;
            atts[nbatts++] = aprefix;
-            /*
+            atts[nbatts++] = NULL;
-             * The namespace URI field is used temporarily to point at the
+            if (alloc) {
-             * base of the current input buffer for non-alloced attributes.
+                atts[nbatts++] = attvalue;
-             * When the input buffer is reallocated, all the pointers become
+                attvalue += len;
-             * invalid, but they can be reconstructed later.
+                atts[nbatts++] = attvalue;
-             */
+            } else {
-            if (alloc)
+                /*
-                atts[nbatts++] = NULL;
+                 * attvalue points into the input buffer which can be
-            else
+                 * reallocated. Store differences to input->base instead.
-                atts[nbatts++] = ctxt->input->base;
+                 * The pointers will be reconstructed later.
-            atts[nbatts++] = attvalue;
+                 */
-            attvalue += len;
+                atts[nbatts++] = (void *) (attvalue - BASE_PTR);
-            atts[nbatts++] = attvalue;
+                attvalue += len;
                atts[nbatts++] = (void *) (attvalue - BASE_PTR);
            }
            /*
             * tag if some deallocation is needed
             */
@@ -9192,15 +9194,9 @@ next_attr:
    /* Reconstruct attribute value pointers. */
    for (i = 0, j = 0; j < nratts; i += 5, j++) {
-        if (atts[i+2] != NULL) {
+        if (ctxt->attallocs[j] == 0) {
-            /*
+            atts[i+3] = BASE_PTR + (ptrdiff_t) atts[i+3];  /* value */
-             * Arithmetic on dangling pointers is technically undefined
+            atts[i+4] = BASE_PTR + (ptrdiff_t) atts[i+4];  /* valuend */
             * behavior, but well...
             */
            const xmlChar *old = atts[i+2];
            atts[i+2]  = NULL;    /* Reset repurposed namespace URI */
            atts[i+3] = ctxt->input->base + (atts[i+3] - old);  /* value */
            atts[i+4] = ctxt->input->base + (atts[i+4] - old);  /* valuend */
        }
    }