Use after free in python/tests/xpathns.py
While running xpathns.py in a loop I sometimes get a segfault:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000004fb4e5b1de9 in xmlXPathNodeSetFreeNs (ns=0x4fbdbd603a8) at xpath.c:3557
3557 if ((ns->next != NULL) && (ns->next->type != XML_NAMESPACE_DECL)) {
(gdb) bt
#0 0x00000e05b2c48de9 in xmlXPathNodeSetFreeNs (ns=0xe05948c8528)
at xpath.c:3557
#1 0x00000e05db20d118 in capsule_dealloc ()
from /usr/local/lib/libpython3.10.so.0.0
#2 0x00000e05db25b367 in dict_dealloc ()
from /usr/local/lib/libpython3.10.so.0.0
#3 0x00000e05db29d7cf in subtype_dealloc ()
from /usr/local/lib/libpython3.10.so.0.0
#4 0x00000e05db265bfb in _PyDict_DelItem_KnownHash ()
from /usr/local/lib/libpython3.10.so.0.0
#5 0x00000e05db351f78 in _PyEval_EvalFrameDefault ()
from /usr/local/lib/libpython3.10.so.0.0
#6 0x00000e05db34e781 in _PyEval_Vector ()
from /usr/local/lib/libpython3.10.so.0.0
#7 0x00000e05db3d6437 in pyrun_file ()
from /usr/local/lib/libpython3.10.so.0.0
#8 0x00000e05db3d5a61 in _PyRun_SimpleFileObject ()
from /usr/local/lib/libpython3.10.so.0.0
#9 0x00000e05db3d4f14 in _PyRun_AnyFileObject ()
from /usr/local/lib/libpython3.10.so.0.0
#10 0x00000e05db3ff9f5 in pymain_run_file_obj ()
from /usr/local/lib/libpython3.10.so.0.0
#11 0x00000e05db3ff0e2 in pymain_run_file ()
It goes away if I move del n before d.freeDoc().
After trying to understand the python wrapper and xpath.c I think freeDoc frees n->next.
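The crash above only shows up "sometimes" because a read of freed memory is usually harmless until the allocator reuses or unmaps the block. The harness below is an added example, not part of this report or of libxml2: it reruns a command in a loop under allocator settings that make a use-after-free fail deterministically (PYTHONMALLOC=malloc routes Python objects through the system malloc, and glibc's MALLOC_PERTURB_ fills freed chunks with a byte pattern, so ns->next->type reads garbage instead of a stale but plausible value) and tallies exit codes versus terminating signals. The REPRO script embedded in it is a constructed guess at the shape of the failing test (parse, evaluate a namespace XPath, free the document, then drop the result) and is only run when the libxml2 module is importable; the names doc.xpathNewContext, ctxt.xpathEval and doc.freeDoc are the libxml2 Python binding's, everything else is assumed.

```python
import os
import signal
import subprocess
import sys
import tempfile
from collections import Counter

# Constructed reproducer (assumption: xpathns.py does something of this shape).
# Freeing the document while the namespace-node result set is still alive is the
# ordering the report says triggers the fault; moving "del n" first avoids it.
REPRO = r"""
import libxml2
d = libxml2.parseDoc('<a xmlns:p="urn:p"><p:b/></a>')
ctxt = d.xpathNewContext()
n = ctxt.xpathEval("//namespace::*")   # namespace nodes are owned by the node set
d.freeDoc()                             # frees the elements the ns->next pointers reference
del n                                   # node set freed here -> xmlXPathNodeSetFreeNs reads freed memory
ctxt.xpathFreeContext()
"""


def run_until_crash(cmd, runs=50, env_extra=None, timeout=60):
    """Run cmd `runs` times and return a Counter of outcomes.

    Keys are "exit:<code>" for normal termination and "signal:<NAME>" when the
    child was killed by a signal (POSIX subprocess reports that as a negative
    returncode). Allocator-hardening variables are set unless the caller already
    chose values for them.
    """
    env = dict(os.environ)
    env.setdefault("PYTHONMALLOC", "malloc")   # bypass pymalloc's arena reuse
    env.setdefault("MALLOC_PERTURB_", "165")   # glibc: scribble freed memory
    if env_extra:
        env.update(env_extra)
    outcomes = Counter()
    for _ in range(runs):
        proc = subprocess.run(cmd, env=env, capture_output=True, timeout=timeout)
        rc = proc.returncode
        if rc < 0:
            try:
                name = signal.Signals(-rc).name
            except ValueError:
                name = str(-rc)
            outcomes[f"signal:{name}"] += 1
        else:
            outcomes[f"exit:{rc}"] += 1
    return outcomes


def crashed(outcomes):
    """True if any run ended by a signal (SIGSEGV, SIGABRT from malloc checks, ...)."""
    return any(key.startswith("signal:") for key in outcomes)


def run_repro(runs=50):
    """Write the constructed reproducer to a temp file and loop it; None if libxml2 is absent."""
    probe = subprocess.run([sys.executable, "-c", "import libxml2"], capture_output=True)
    if probe.returncode != 0:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as fh:
        fh.write(REPRO)
        path = fh.name
    try:
        return run_until_crash([sys.executable, path], runs=runs)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = run_repro()
    if result is None:
        print("libxml2 Python bindings not importable; nothing to run")
    else:
        print(dict(result), "crashed" if crashed(result) else "no crash")
```

If the loop still passes under these settings, the next step is a build of libxml2 and the Python module with -fsanitize=address, which reports the first read of freed memory with both the free and the use stack; ASan will also name the freeing frame, which is what this report infers (freeDoc freeing the element that ns->next points at) rather than observes.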