Commit 28f5e1a2 authored by Daniel Veillard

Fix potential crash on entities errors

Related to https://bugs.launchpad.net/lxml/+bug/502959

Basically the core of the issue is that if an entity references another
entity, then in case we are replacing entities content, we should always
do so by copying the referenced content as long as the reference is
done within the entity. Otherwise, if for some reason there is a later
parsing error that entity content may be freed.

Complex scenario exposed by command:
thinkpad:~/XML/diveintopython-5.4/xml -> valgrind --db-attach=yes
../../xmllint --loaddtd --noout --noent diveintopython.xml

  Document references &a;
  a references &b;
  we reference b content directly by linking it into the a content
  a has an error further down
  we free a, freeing the chunk from b
  Document references &b; after &a;
  we try to copy b content, but it was freed already => segfault

* parser.c: never reference directly entity content without copying if
  we aren't in the document main entity
parent 3b6d7b9a
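The ownership rule the commit message describes, replayed as an added example in C. This is toy code written for this page, not libxml2's parser.c: the node list, the `expand` function, the two policies `LINK_FRESH` (the pre-fix shortcut) and `COPY_IN_ENTITY` (the fix), and the `freed` registry that stands in for valgrind are all assumptions of the model. It runs the steps listed above under both policies: a is parsed and &b; is either linked or copied into it, a is discarded on an error, and the document then references &b; itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the ownership bug in the commit message (added example, not
 * libxml2 code). An entity owns a node list built on its first reference. A
 * reference either LINKS that list into the referring tree or COPIES it; when
 * the referring tree is another entity's content and that entity is discarded
 * on a later parse error, a linked list leaves the inner entity dangling. */

typedef struct node { char *text; struct node *next; } node;

typedef struct entity {
    const char *content;   /* replacement text; the toy "parses" it as one text node */
    node *children;        /* parsed content, NULL until the first reference */
} entity;

/* LINK_FRESH: pre-fix rule, a freshly parsed list is linked in wherever the
 * reference occurs. COPY_IN_ENTITY: the fix, copy whenever the reference is
 * nested inside another entity (depth > 0) or the list already existed. */
enum policy { LINK_FRESH, COPY_IN_ENTITY };
enum result { REF_OK = 0, REF_USE_AFTER_FREE = 2 };

/* Stand-in for valgrind: addresses of freed nodes, checked before dereferencing. */
static node *freed[64];
static int nfreed;

static node *make_node(const char *text) {
    node *n = calloc(1, sizeof *n);
    size_t len = strlen(text) + 1;
    n->text = malloc(len);
    memcpy(n->text, text, len);
    return n;
}

static node *copy_list(const node *src) {
    node *head = NULL, **tail = &head;
    for (; src != NULL; src = src->next) {
        *tail = make_node(src->text);
        tail = &(*tail)->next;
    }
    return head;
}

static void free_list(node *n) {
    while (n != NULL) {
        node *next = n->next;
        if (nfreed < 64) freed[nfreed++] = n;
        free(n->text);
        free(n);
        n = next;
    }
}

/* Expand `ent` at nesting `depth` (0 = the document itself); *out receives the
 * list to attach to the referring tree. `fresh` plays the role of libxml2's
 * `list != NULL`: the content was parsed during this very reference. */
static int expand(entity *ent, int depth, enum policy pol, node **out) {
    int fresh = 0, copy;
    for (int i = 0; i < nfreed; i++)      /* dangling list: the real bug's segfault */
        if (freed[i] == ent->children) return REF_USE_AFTER_FREE;
    if (ent->children == NULL) {
        ent->children = make_node(ent->content);
        fresh = 1;
    }
    copy = (pol == COPY_IN_ENTITY) ? (!fresh || depth > 0) : !fresh;
    *out = copy ? copy_list(ent->children) : ent->children;
    return REF_OK;
}

/* The steps from the commit message. On success `buf` receives the text the
 * document finally gets for its own &b; reference. */
static int scenario(enum policy pol, char *buf, size_t buflen) {
    entity b = { "b-text", NULL };
    node *a_content = NULL, *from_b = NULL;
    int rc;
    nfreed = 0;
    buf[0] = '\0';
    /* 1. Document references &a;; while a is built, &b; is referenced inside
     *    it (depth 1) for the first time. */
    rc = expand(&b, 1, pol, &a_content);
    if (rc != REF_OK) return rc;
    /* 2. a has an error further down: a's content is discarded. Under
     *    LINK_FRESH that content is b's own node list. */
    free_list(a_content);
    /* 3. Document references &b; after &a; (depth 0). */
    rc = expand(&b, 0, pol, &from_b);
    if (rc != REF_OK) return rc;
    snprintf(buf, buflen, "%s", from_b->text);
    free_list(from_b);        /* the document's copy */
    free_list(b.children);    /* the entity's own list, still intact */
    return REF_OK;
}

int main(void) {
    char buf[32];
    printf("pre-fix  (link): %s\n", scenario(LINK_FRESH, buf, sizeof buf) ? "use after free" : buf);
    printf("post-fix (copy): %s\n", scenario(COPY_IN_ENTITY, buf, sizeof buf) ? "error" : buf);
    return 0;
}
```

Under the pre-fix rule the document's own reference to b finds b's node list already freed, because that list had been linked straight into a and went away with it; under the fix, a only ever held a copy, so the later error in a cannot reach b's content. Build with `cc -std=c99 -Wall` and run it to see both outcomes.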
......@@ -7396,7 +7396,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY)
xmlAddEntityReference(ent, firstChild, nw);
#endif /* LIBXML_LEGACY_ENABLED */
} else if (list == NULL) {
} else if ((list == NULL) || (ctxt->inputNr > 0)) {
xmlNodePtr nw = NULL, cur, next, last,
firstChild = NULL;
/*
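Review bot: the new condition `(ctxt->inputNr > 0)` in `} else if ((list == NULL) || (ctxt->inputNr > 0)) {` reads wider than the commit message's "if we aren't in the document main entity": `ctxt->inputNr` counts every input on the parser's stack, the main document's included, so the test also holds while parsing the top-level document, which makes the `list == NULL` half redundant and leaves the direct-reference path the message wants to keep for the main entity apparently unreachable. If the intent really is to copy only when nested inside an entity, `ctxt->inputNr > 1` says that; if the intent is to always copy, the now-dead branch should go and the condition be simplified. Either way a comment on this line stating the ownership rule (the referenced list is copied because the enclosing entity's content may be freed on a later parse error) would save the next reader a trip to the commit log.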