|
 |
6ce3da |
From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
|
|
|
6ce3da |
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
6ce3da |
Date: Sat, 1 May 2021 16:53:33 +0200
|
|
|
6ce3da |
Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
|
|
|
6ce3da |
|
|
|
6ce3da |
Check return value of recursive calls to
|
|
|
6ce3da |
xmlParseElementChildrenContentDeclPriv and return immediately in case
|
|
|
6ce3da |
of errors. Otherwise, struct xmlElementContent could contain unexpected
|
|
|
6ce3da |
null pointers, leading to a null deref when post-validating documents
|
|
|
6ce3da |
which aren't well-formed and parsed in recovery mode.
|
|
|
6ce3da |
|
|
|
6ce3da |
Fixes #243.
|
|
|
6ce3da |
---
|
|
|
6ce3da |
parser.c | 7 +++++++
|
|
|
6ce3da |
1 file changed, 7 insertions(+)
|
|
|
6ce3da |
|
|
|
6ce3da |
diff --git a/parser.c b/parser.c
|
|
|
6ce3da |
index b42e6043..73c27edd 100644
|
|
|
6ce3da |
--- a/parser.c
|
|
|
6ce3da |
+++ b/parser.c
|
|
|
6ce3da |
@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
|
|
|
6ce3da |
SKIP_BLANKS;
|
|
|
6ce3da |
cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
|
|
|
6ce3da |
depth + 1);
|
|
|
6ce3da |
+ if (cur == NULL)
|
|
|
6ce3da |
+ return(NULL);
|
|
|
6ce3da |
SKIP_BLANKS;
|
|
|
6ce3da |
GROW;
|
|
|
6ce3da |
} else {
|
|
|
6ce3da |
@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
|
|
|
6ce3da |
SKIP_BLANKS;
|
|
|
6ce3da |
last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
|
|
|
6ce3da |
depth + 1);
|
|
|
6ce3da |
+ if (last == NULL) {
|
|
|
6ce3da |
+ if (ret != NULL)
|
|
|
6ce3da |
+ xmlFreeDocElementContent(ctxt->myDoc, ret);
|
|
|
6ce3da |
+ return(NULL);
|
|
|
6ce3da |
+ }
|
|
|
6ce3da |
SKIP_BLANKS;
|
|
|
6ce3da |
} else {
|
|
|
6ce3da |
elem = xmlParseName(ctxt);
|
|
|
6ce3da |
--
|
|
|
6ce3da |
GitLab
|
|
|
6ce3da |
|