
Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser

When creating an xmlTextReaderPtr using xmlReaderForMemory(), there are two optional API functions that can be used:

  • xmlTextReaderClose() may be called prior to calling xmlFreeTextReader() to free parsing resources and close the xmlTextReaderPtr without freeing it.
  • xmlTextReaderCurrentDoc() may be called to return an xmlDocPtr that's owned by the caller, and must be freed using xmlFreeDoc() after calling xmlFreeTextReader().

The use-after-free issues occur when calling xmlTextReaderClose() before xmlFreeTextReader(), with different issues occurring depending on whether xmlTextReaderCurrentDoc() is also called.

  • xmlreader.c:
    (xmlFreeTextReader): Move code to xmlTextReaderClose(), remove duplicate code, and call xmlTextReaderClose() if it hasn't been called yet.
    (xmlTextReaderClose): Move call to xmlFreeNode(reader->faketext) from xmlFreeTextReader() to fix a use-after-free bug when calling xmlTextReaderClose() before xmlFreeTextReader(), but not when using xmlTextReaderCurrentDoc(). The bug was introduced in 2002 by commit beb70bd3. In 2009 commit f4653dcd fixed the use-after-free that occurred every time xmlFreeTextReader() was called, but not the case where xmlTextReaderClose() was called first.
    Move post-parsing validation code from xmlFreeTextReader() to fix a second use-after-free when calling xmlTextReaderClose() before xmlFreeTextReader(). This regressed in v2.9.10 with commit 57a3af56.
Edited by David Kilzer
