38 lines
1.0 KiB
Diff
38 lines
1.0 KiB
Diff
From 86105c0493f19ef8e1dd21ab5099613159224b4d Mon Sep 17 00:00:00 2001
|
|
From: David Kilzer <ddkilzer@apple.com>
|
|
Date: Sat, 15 Apr 2023 18:04:03 -0700
|
|
Subject: [PATCH] Fix use-after-free in xmlParseContentInternal()
|
|
|
|
* parser.c:
|
|
(xmlParseCharData):
|
|
- Check if the parser has stopped before advancing
|
|
`ctxt->input->cur`. This only occurs if a custom SAX error
|
|
handler calls xmlStopParser() on fatal errors.
|
|
|
|
Fixes #518.
|
|
|
|
Reference:https://github.com/GNOME/libxml2/commit/86105c0493f19ef8e1dd21ab5099613159224b4d
|
|
Conflict:parser.c
|
|
|
|
---
|
|
parser.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/parser.c b/parser.c
|
|
index f9b4012..ccddf07 100644
|
|
--- a/parser.c
|
|
+++ b/parser.c
|
|
@@ -4504,7 +4504,8 @@ get_more:
|
|
if (*in == ']') {
|
|
if ((in[1] == ']') && (in[2] == '>')) {
|
|
xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);
|
|
- ctxt->input->cur = in + 1;
|
|
+ if (ctxt->instate != XML_PARSER_EOF)
|
|
+ ctxt->input->cur = in + 1;
|
|
return;
|
|
}
|
|
in++;
|
|
--
|
|
2.27.0
|
|
|