Fix use-after-free with `xmllint --html --push`
Call htmlCtxtUseOptions to make sure that names aren't stored in dictionaries. Note that this issue only affects xmllint using the HTML push parser. Fixes #230.
mentioned in issue #235 (closed)
@nwellnhof Hi, I recently ran into this issue on a historical version of libxml2 as well and was doing some root cause analysis work. But I don't understand enough about the way HTML is parsed, so I don't really understand the real cause of this vulnerability. Could you please tell me why you patched the vulnerability like this?
Author / Maintainer
@dhbbb I don't remember the exact details. Reading the commit message, it had something to do with storing element names in a dictionary. The XML parser does this by default and has an option `XML_PARSE_NODICT` to disable this behavior. The HTML parser never stores element names in dictionaries and `htmlCtxtUseOptions` sets `ctxt->dictNames` to 0. Anyway, mixing `html*` and `xml*` function calls is obviously wrong.