author | Nick Wellnhofer <wellnhofer@aevum.de> | 2021-04-22 19:26:28 +0200 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2021-04-22 19:44:26 +0200 |
commit | 1098c30a040e72a4654968547f415be4e4c40fe7 (patch) | |
tree | 2655a5f002cc161778be10f095e705e6fe144333 | |
parent | 72b3c067cedbb80dbbac755cca79ff502c858ad5 (diff) | |
download | libxml2-1098c30a040e72a4654968547f415be4e4c40fe7.tar.gz |

Fix use-after-free with `xmllint --xinclude --dropdtd`

The --dropdtd option can leave dangling pointers in entity reference
nodes. Make sure to skip these nodes when processing XIncludes.

This also avoids scanning entity declarations and even modifying
them inadvertently during XInclude processing.

Move from a block list to an allow list approach to avoid descending
into other node types that can't contain elements.

Fixes #237.

-rw-r--r-- | xinclude.c | 5 |
1 files changed, 2 insertions, 3 deletions
@@ -2430,9 +2430,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree, ctxt->incTotal++; xmlXIncludePreProcessNode(ctxt, cur); } else if ((cur->children != NULL) && - (cur->children->type != XML_ENTITY_DECL) && - (cur->children->type != XML_XINCLUDE_START) && - (cur->children->type != XML_XINCLUDE_END)) { + ((cur->type == XML_DOCUMENT_NODE) || + (cur->type == XML_ELEMENT_NODE))) { cur = cur->children; continue; } |
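
Review bot: The new `else if` condition (`cur->type == XML_DOCUMENT_NODE` or `cur->type == XML_ELEMENT_NODE`) has no comment saying why descent is limited to these two node types. The reason given in the commit message, that entity reference nodes can hold dangling pointers after `--dropdtd`, should sit next to the check so a later edit does not widen the allow list again. Also note that the removed tests inspected `cur->children->type` while the new one inspects `cur->type`, so a document or element node whose first child is `XML_XINCLUDE_START` or `XML_XINCLUDE_END` is now descended into where it was skipped before; please confirm that is intended. The diffstat lists only `xinclude.c`, so a regression test covering the `xmllint --xinclude --dropdtd` case from #237 would be worth adding with this change.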