1From ae6fa0521c34449b54f9cb3257a4df9b79f3212f Mon Sep 17 00:00:00 2001 2From: Nick Wellnhofer <wellnhofer@aevum.de> 3Date: Wed, 2 Nov 2022 16:13:27 +0100 4Subject: [PATCH 11/28] malloc-fail: Fix use-after-free in xmlXIncludeAddNode 5 6Found with libFuzzer, see #344. 7 8Reference: https://github.com/GNOME/libxml2/commit/5a19e21605398cef6a8b1452477a8705cb41562b 9Conflict: xinclude.c:<xmlXIncludeAddNode> 10--- 11 xinclude.c | 3 ++- 12 1 file changed, 2 insertions(+), 1 deletion(-) 13 14diff --git a/xinclude.c b/xinclude.c 15index cd1e1b1..e5e3b16 100644 16--- a/xinclude.c 17+++ b/xinclude.c 18@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { 19 } 20 URL = xmlSaveUri(uri); 21 xmlFreeURI(uri); 22- xmlFree(URI); 23 if (URL == NULL) { 24 xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI, 25 "invalid value URI %s\n", URI); 26 if (fragment != NULL) 27 xmlFree(fragment); 28+ xmlFree(URI); 29 return(-1); 30 } 31+ xmlFree(URI); 32 33 if (xmlStrEqual(URL, ctxt->doc->URL)) 34 local = 1; 35-- 362.27.0 37 38