Failure when xmlSAXHandler.characters() callback calls xmlStopParser()
xmlCreateMemoryParserCtxt() is called with the XML document <root>abc</root>.
Then xmlParseDocument() is called. In the xmlSAXHandler.characters() callback
xmlStopParser() is called.
Result: In the call to
ctxt->sax->characters(ctxt->userData, ctxt->input->cur, nbchar);
in parser.c lines 4492-4493, xmlStopParser() changes much of ctxt->input.
It changes the memory that the local pointer variable in points at. Further tests of *in, e.g.
if (*in == 0xD) {
at line 4499 give strange results.
This was noticed in a test case in libxml++, https://github.com/libxmlplusplus/libxmlplusplus/blob/master/tests/saxparser_parse_double_free/main.cc
See libxml++ issue https://github.com/libxmlplusplus/libxmlplusplus/issues/62, for instance the valgrind report at https://github.com/libxmlplusplus/libxmlplusplus/issues/62#issuecomment-1802137947.
libxml2 version: 2.11.5
Reverting commit 0e193f0d fixes the libxml++ test case. I suppose that's not an option. The libxml++ test case also works fine if the re-introduced test in parser.c is changed to
if (ctxt->instate == XML_PARSER_EOF)
return;
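The pattern behind the report, as an added self-contained model rather than libxml2's own code (all names are hypothetical): stop_parser() does to the input what xmlStopParser() does to ctxt->input, and parse_char_data() caches a pointer the way parser.c caches in, then applies the proposed instate == XML_PARSER_EOF check before that cached pointer is used again.

```c
/* Added model of the parser.c issue, not libxml2 code; all names are hypothetical. */
#include <stdlib.h>
#include <string.h>
enum { PARSER_CONTENT, PARSER_EOF };
typedef struct ctxt ctxt_t;
typedef void (*characters_cb)(ctxt_t *ctxt, const unsigned char *ch, int len);
struct input { unsigned char *buf; const unsigned char *cur, *end; };
struct ctxt { struct input in; int instate; characters_cb characters; int chunks; };

/* Mirrors what xmlStopParser() does to ctxt->input: the buffer is released and
 * cur/end point at a static empty string, so a pointer cached before the call dangles. */
void stop_parser(ctxt_t *ctxt) {
    free(ctxt->in.buf);
    ctxt->in.buf = NULL;
    ctxt->in.cur = ctxt->in.end = (const unsigned char *)"";
    ctxt->instate = PARSER_EOF;
}

/* Character-data step with the guard the report proposes: after the SAX callback,
 * re-check instate and return before the cached `in` is dereferenced again. */
int parse_char_data(ctxt_t *ctxt) {
    const unsigned char *in = ctxt->in.cur;   /* cached like `in` in parser.c */
    const unsigned char *start = in;
    while (in < ctxt->in.end && *in != '<') in++;
    int nbchar = (int)(in - start);
    if (nbchar > 0 && ctxt->characters) {
        ctxt->characters(ctxt, start, nbchar);
        if (ctxt->instate == PARSER_EOF)      /* callback stopped the parser */
            return -1;                        /* `in` now points into freed memory */
    }
    ctxt->in.cur = in;                        /* safe: input untouched by callback */
    return nbchar;
}

static void count_cb(ctxt_t *c, const unsigned char *ch, int len) { (void)ch; (void)len; c->chunks++; }
static void stop_cb(ctxt_t *c, const unsigned char *ch, int len) { count_cb(c, ch, len); stop_parser(c); }

/* Runs one char-data step on constructed input (the "abc</root>" tail of the
 * report's document); returns nbchar, or -1 when the callback stopped the parser. */
int run_chardata(const char *doc, characters_cb cb, int *halted) {
    ctxt_t c = {0};
    size_t n = strlen(doc);
    c.in.buf = malloc(n + 1);
    memcpy(c.in.buf, doc, n + 1);
    c.in.cur = c.in.buf; c.in.end = c.in.buf + n;
    c.characters = cb;
    int r = parse_char_data(&c);
    *halted = (c.instate == PARSER_EOF);
    free(c.in.buf);                           /* already NULL after stop_parser */
    return r;
}
```

Without the instate check, the stop_cb path would read *in after the buffer was freed, which is the invalid read the valgrind report shows.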