153aa9179Sopenharmony_ciFrom 30d7660ba87c8487b26582ccc050f4d2880ccb3c Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Tue, 28 Nov 2023 13:27:25 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] tree: Fix #583 again
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciOnly set doc->intSubset after successful copy to avoid dangling pointers
753aa9179Sopenharmony_ciin error case.
853aa9179Sopenharmony_ci---
953aa9179Sopenharmony_ci tree.c | 7 +++++--
1053aa9179Sopenharmony_ci 1 file changed, 5 insertions(+), 2 deletions(-)
1153aa9179Sopenharmony_ci
1253aa9179Sopenharmony_cidiff --git a/tree.c b/tree.c
1353aa9179Sopenharmony_ciindex 5a9c24d1b..35dabb97c 100644
1453aa9179Sopenharmony_ci--- a/tree.c
1553aa9179Sopenharmony_ci+++ b/tree.c
1653aa9179Sopenharmony_ci@@ -4378,6 +4378,7 @@ xmlNodePtr
1753aa9179Sopenharmony_ci xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
1853aa9179Sopenharmony_ci xmlNodePtr ret = NULL;
1953aa9179Sopenharmony_ci xmlNodePtr p = NULL,q;
2053aa9179Sopenharmony_ci+ xmlDtdPtr newSubset = NULL;
2153aa9179Sopenharmony_ci
2253aa9179Sopenharmony_ci while (node != NULL) {
2353aa9179Sopenharmony_ci #ifdef LIBXML_TREE_ENABLED
2453aa9179Sopenharmony_ci@@ -4385,12 +4386,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
2553aa9179Sopenharmony_ci node = node->next;
2653aa9179Sopenharmony_ci continue;
2753aa9179Sopenharmony_ci }
2853aa9179Sopenharmony_ci- if (doc->intSubset == NULL) {
2953aa9179Sopenharmony_ci+ if ((doc->intSubset == NULL) && (newSubset == NULL)) {
3053aa9179Sopenharmony_ci q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
3153aa9179Sopenharmony_ci if (q == NULL) goto error;
3253aa9179Sopenharmony_ci q->doc = doc;
3353aa9179Sopenharmony_ci q->parent = parent;
3453aa9179Sopenharmony_ci- doc->intSubset = (xmlDtdPtr) q;
3553aa9179Sopenharmony_ci+ newSubset = (xmlDtdPtr) q;
3653aa9179Sopenharmony_ci xmlAddChild(parent, q);
3753aa9179Sopenharmony_ci } else {
3853aa9179Sopenharmony_ci q = (xmlNodePtr) doc->intSubset;
3953aa9179Sopenharmony_ci@@ -4411,6 +4412,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
4053aa9179Sopenharmony_ci }
4153aa9179Sopenharmony_ci node = node->next;
4253aa9179Sopenharmony_ci }
4353aa9179Sopenharmony_ci+ if ((doc != NULL) && (newSubset != NULL))
4453aa9179Sopenharmony_ci+ doc->intSubset = newSubset;
4553aa9179Sopenharmony_ci return(ret);
4653aa9179Sopenharmony_ci error:
4753aa9179Sopenharmony_ci xmlFreeNodeList(ret);
4853aa9179Sopenharmony_ci--
4953aa9179Sopenharmony_ciGitLab
5053aa9179Sopenharmony_ci
51
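Review bot: The `else` branch still takes `q` from `doc->intSubset`, which now stays NULL until the end of the function whenever the copy went into `newSubset`; a second DTD node in the same list would therefore produce `q == NULL` and hand it to `xmlAddChild`. Before this change the second node reused the fresh copy, because the removed line had already stored it in `doc->intSubset`. If that behaviour should be kept, `q = (xmlNodePtr) ((newSubset != NULL) ? newSubset : doc->intSubset);` restores it; otherwise a comment saying that a repeated DTD node is deliberately treated as a failure would help. What happens to a NULL `q` after this branch lies outside the hunk.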
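Review bot: The copied DTD is still linked into `parent` by `xmlAddChild(parent, q)` in the previous hunk before the rest of the list is known to copy cleanly, so the `error:` path here may leave `parent` with the same kind of stale reference that this change removes from `doc->intSubset`. Whether `xmlFreeNodeList(ret)` actually releases that node is not visible in the hunk, so this needs checking against its body and against callers that pass a non-NULL `parent`. Separately, the `doc != NULL` test is implied by `newSubset != NULL`, since `newSubset` is only assigned after `doc->intSubset` has been read. A comment above the assignment such as `/* publish the copy only once the whole list was copied, so a failure never leaves doc->intSubset pointing at a freed node */` would record why it sits here.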