authorNick Wellnhofer <wellnhofer@aevum.de>2021-04-22 19:26:28 +0200
committerNick Wellnhofer <wellnhofer@aevum.de>2021-04-22 19:44:26 +0200
commit1098c30a040e72a4654968547f415be4e4c40fe7 (patch)
tree2655a5f002cc161778be10f095e705e6fe144333
parent72b3c067cedbb80dbbac755cca79ff502c858ad5 (diff)
downloadlibxml2-1098c30a040e72a4654968547f415be4e4c40fe7.tar.gz
Fix use-after-free with `xmllint --xinclude --dropdtd`
The --dropdtd option can leave dangling pointers in entity reference nodes. Make sure to skip these nodes when processing XIncludes. This also avoids scanning entity declarations and even modifying them inadvertently during XInclude processing. Move from a block list to an allow list approach to avoid descending into other node types that can't contain elements. Fixes #237.
-rw-r--r--xinclude.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/xinclude.c b/xinclude.c
index 1636caff..b2e6ea13 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -2430,9 +2430,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree,
ctxt->incTotal++;
xmlXIncludePreProcessNode(ctxt, cur);
} else if ((cur->children != NULL) &&
- (cur->children->type != XML_ENTITY_DECL) &&
- (cur->children->type != XML_XINCLUDE_START) &&
- (cur->children->type != XML_XINCLUDE_END)) {
+ ((cur->type == XML_DOCUMENT_NODE) ||
+ (cur->type == XML_ELEMENT_NODE))) {
cur = cur->children;
continue;
}
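Review bot: The new allow list on the `else if` (descend only when `cur->type` is XML_DOCUMENT_NODE or XML_ELEMENT_NODE) leaves no trace in the code of why other node kinds are skipped, and the reason — entity reference nodes may carry dangling `children` pointers after `--dropdtd` — is only in the commit message, so a later reader cannot tell whether an omitted type is deliberate. Consider a comment above the condition such as `/* Only descend into document and element nodes: entity reference nodes may hold dangling children after --dropdtd, and the remaining node types cannot contain elements. */`. One type worth confirming is XML_HTML_DOCUMENT_NODE: the old block list would have descended into such a node when it is passed as `tree`, while the new allow list stops at it; whether that case can reach this code is not visible from the hunk. The body of xmlXIncludeDoProcess starts before and continues past the hunk.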