Fix use-after-free in xmlTextReaderFreeNodeList

Recent commit 1fbcf409 caused a use-after-free read because it didn't account for the fact that xmlTextReaderFreeDoc frees entities before freeing entity references via xmlTextReaderFreeNodeList. Found by OSS-Fuzz.

Fix use-after-free in xmlTextReaderFreeNodeList
Recent commit 1fbcf409 caused a use-after-free read because it didn't account for the fact that xmlTextReaderFreeDoc frees entities before freeing entity references via xmlTextReaderFreeNodeList. Found by OSS-Fuzz.
664f8810 · Nick Wellnhofer · 99a864a1 · 664f8810
Commit 664f8810 authored Sep 26, 2019 by Nick Wellnhofer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

xmlreader.c xmlreader.c +4 -4

No files found.
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -367,10 +367,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
 	return;
    }
    while (1) {
-        while ((cur->children != NULL) &&
-               (cur->children->parent == cur) &&
-               (cur->type != XML_DTD_NODE) &&
-               (cur->type != XML_ENTITY_REF_NODE)) {
+        while ((cur->type != XML_DTD_NODE) &&
+               (cur->type != XML_ENTITY_REF_NODE) &&
+               (cur->children != NULL) &&
+               (cur->children->parent == cur)) {
            cur = cur->children;
            depth += 1;
        }