authorSebastian Pipping <sebastian@pipping.org>2022-10-17 22:37:30 +0200
committerGitHub <noreply@github.com>2022-10-17 22:37:30 +0200
commit15026eb853ff945127b077598985365349f63d59 (patch)
treefc26c330ec9acd4e156d335b49712e0498fb2e08
parent46810602905246e9ab688f173dfd34fe1ad9f775 (diff)
parent8510b2c551535a29a654c997d8af8239cbee7c8c (diff)
downloadlibexpat-git-15026eb853ff945127b077598985365349f63d59.tar.gz
Merge pull request #653 from libexpat/issue-652-stop-leaking-tag-bindings
Stop leaking tag bindings (fixes #652)
-rw-r--r--expat/Changes4
-rw-r--r--expat/lib/xmlparse.c6
-rw-r--r--expat/tests/runtests.c23
3 files changed, 30 insertions, 3 deletions
diff --git a/expat/Changes b/expat/Changes
index e4db7700..9d0dff87 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -5,12 +5,16 @@ NOTE: We are looking for help with a few things:
Release x.x.x xxx xxxxxxxxxxxx xx xxxx
Bug fixes:
#612 #645 Fix curruption from undefined entities
+ #616 #652 #653 Stop leaking opening tag bindings after a closing tag
+ mismatch error where a parser is reset through
+ XML_ParserReset and then reused to parse
Other changes:
#648 Address compiler warnings
Special thanks to:
Jann Horn
+ Mark Brand
Rhodri James
and
Google Project Zero
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index 5e2c16b2..e415068b 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -3011,9 +3011,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
int len;
const char *rawName;
TAG *tag = parser->m_tagStack;
- parser->m_tagStack = tag->parent;
- tag->parent = parser->m_freeTagList;
- parser->m_freeTagList = tag;
rawName = s + enc->minBytesPerChar * 2;
len = XmlNameLength(enc, rawName);
if (len != tag->rawNameLength
@@ -3021,6 +3018,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
*eventPP = rawName;
return XML_ERROR_TAG_MISMATCH;
}
+ parser->m_tagStack = tag->parent;
+ tag->parent = parser->m_freeTagList;
+ parser->m_freeTagList = tag;
--parser->m_tagLevel;
if (parser->m_endElementHandler) {
const XML_Char *localPart;
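Review bot: The three lines that now pop the tag after the name check (`parser->m_tagStack = tag->parent;` onward) carry no comment, yet their position is the whole fix: if a later refactor moves them back above `return XML_ERROR_TAG_MISMATCH;`, the tag and the namespace bindings hanging off it presumably become unreachable from `m_tagStack` again and XML_ParserReset/XML_ParserFree can no longer release them, which is the leak this commit closes. Suggest `/* Pop only once the names match: on XML_ERROR_TAG_MISMATCH the tag must stay on m_tagStack so XML_ParserReset/XML_ParserFree can still release it and its bindings (#652). */` directly above the first of the three lines. The first hunk of this file is the removal half of the same move, so no second note there. doContent begins and ends outside the hunk.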
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index a8cc1f03..7477fa24 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
@@ -7927,6 +7927,28 @@ START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
}
END_TEST
+START_TEST(test_misc_tag_mismatch_reset_leak) {
+#ifdef XML_NS
+ const char *const text = "<open xmlns='https://namespace1.test'></close>";
+ XML_Parser parser = XML_ParserCreateNS(NULL, XCS('\n'));
+
+ if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE) != XML_STATUS_ERROR)
+ fail("Call to parse was expected to fail");
+ if (XML_GetErrorCode(parser) != XML_ERROR_TAG_MISMATCH)
+ fail("Call to parse was expected to fail from a closing tag mismatch");
+
+ XML_ParserReset(parser, NULL);
+
+ if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE) != XML_STATUS_ERROR)
+ fail("Call to parse was expected to fail");
+ if (XML_GetErrorCode(parser) != XML_ERROR_TAG_MISMATCH)
+ fail("Call to parse was expected to fail from a closing tag mismatch");
+
+ XML_ParserFree(parser);
+#endif
+}
+END_TEST
+
static void
alloc_setup(void) {
XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
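Review bot: Nothing in test_misc_tag_mismatch_reset_leak observes the leak itself; both `if` blocks only pin the XML_ERROR_TAG_MISMATCH path before and after XML_ParserReset, so the regression is caught only when the suite runs under a leak detector (ASan/LSan, valgrind) or an allocation-counting memory suite like the duff_allocator fixture set up just below. A comment stating that, e.g. `/* Regression test for #652: the leaked tag bindings are only visible under a leak checker; the asserts pin the error path that used to leak. */`, would stop a reader from assuming the test is self-sufficient. Also consider checking the result of XML_ParserCreateNS before the first XML_Parse, `if (parser == NULL) fail("Parser not created");`, since a NULL parser would otherwise be passed straight into XML_Parse. Note the body is empty without XML_NS while the registration in the next hunk is unconditional, so the test passes vacuously in non-namespace builds; if an `__ifdef_xml_ns` registration helper exists alongside `tcase_add_test__ifdef_xml_dtd`, it would make that explicit.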
@@ -12277,6 +12299,7 @@ make_suite(void) {
tcase_add_test(tc_misc, test_misc_stop_during_end_handler_issue_240_2);
tcase_add_test__ifdef_xml_dtd(
tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+ tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
suite_add_tcase(s, tc_alloc);
tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);