153aa9179Sopenharmony_ciFrom 86105c0493f19ef8e1dd21ab5099613159224b4d Mon Sep 17 00:00:00 2001 253aa9179Sopenharmony_ciFrom: David Kilzer <ddkilzer@apple.com> 353aa9179Sopenharmony_ciDate: Sat, 15 Apr 2023 18:04:03 -0700 453aa9179Sopenharmony_ciSubject: [PATCH] Fix use-after-free in xmlParseContentInternal() 553aa9179Sopenharmony_ci 653aa9179Sopenharmony_ci* parser.c: 753aa9179Sopenharmony_ci(xmlParseCharData): 853aa9179Sopenharmony_ci- Check if the parser has stopped before advancing 953aa9179Sopenharmony_ci `ctxt->input->cur`. This only occurs if a custom SAX error 1053aa9179Sopenharmony_ci handler calls xmlStopParser() on fatal errors. 1153aa9179Sopenharmony_ci 1253aa9179Sopenharmony_ciFixes #518. 1353aa9179Sopenharmony_ci 1453aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/86105c0493f19ef8e1dd21ab5099613159224b4d 1553aa9179Sopenharmony_ciConflict:parser.c 1653aa9179Sopenharmony_ci 1753aa9179Sopenharmony_ci--- 1853aa9179Sopenharmony_ci parser.c | 3 ++- 1953aa9179Sopenharmony_ci 1 file changed, 2 insertions(+), 1 deletion(-) 2053aa9179Sopenharmony_ci 2153aa9179Sopenharmony_cidiff --git a/parser.c b/parser.c 2253aa9179Sopenharmony_ciindex f9b4012..ccddf07 100644 2353aa9179Sopenharmony_ci--- a/parser.c 2453aa9179Sopenharmony_ci+++ b/parser.c 2553aa9179Sopenharmony_ci@@ -4504,7 +4504,8 @@ get_more: 2653aa9179Sopenharmony_ci if (*in == ']') { 2753aa9179Sopenharmony_ci if ((in[1] == ']') && (in[2] == '>')) { 2853aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL); 2953aa9179Sopenharmony_ci- ctxt->input->cur = in + 1; 3053aa9179Sopenharmony_ci+ if (ctxt->instate != XML_PARSER_EOF) 3153aa9179Sopenharmony_ci+ ctxt->input->cur = in + 1; 3253aa9179Sopenharmony_ci return; 3353aa9179Sopenharmony_ci } 3453aa9179Sopenharmony_ci in++; 3553aa9179Sopenharmony_ci-- 3653aa9179Sopenharmony_ci2.27.0 3753aa9179Sopenharmony_ci 38