Commit 664f8810 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix use-after-free in xmlTextReaderFreeNodeList

Recent commit 1fbcf409 caused a use-after-free read because it didn't
account for the fact that xmlTextReaderFreeDoc frees entities before
freeing entity references via xmlTextReaderFreeNodeList.

Found by OSS-Fuzz.
parent 99a864a1
......@@ -367,10 +367,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
return;
}
while (1) {
while ((cur->children != NULL) &&
(cur->children->parent == cur) &&
(cur->type != XML_DTD_NODE) &&
(cur->type != XML_ENTITY_REF_NODE)) {
while ((cur->type != XML_DTD_NODE) &&
(cur->type != XML_ENTITY_REF_NODE) &&
(cur->children != NULL) &&
(cur->children->parent == cur)) {
cur = cur->children;
depth += 1;
}
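Review bot: The reordered inner `while` condition is only memory-safe because the two `cur->type` tests short-circuit before `cur->children` is read, and nothing in the code records that, so a later tidy-up could restore the old order and the use-after-free with it. Per the commit message, xmlTextReaderFreeDoc frees entities before the entity references reach this function, so an entity reference's `children` presumably points at already-freed memory at this point. I would add a comment directly above the loop, for example `/* Test the type first: children of an entity reference may already have been freed by xmlTextReaderFreeDoc. */`. It would also help to keep the OSS-Fuzz reproducer as a regression test run under a memory sanitizer, if it is not already in the tree; none is visible in this view. The function starts before and continues past the hunk.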
......