diff options
author | Nick Wellnhofer <wellnhofer@aevum.de> | 2021-05-01 16:53:33 +0200 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2021-05-01 17:24:49 +0200 |
commit | babe75030c7f64a37826bb3342317134568bef61 (patch) | |
tree | b489828d2bf42fcabb62dc31ae2d132dfafa5f7b | |
parent | 5465a8e57fe620ceb8efa534e1d6790f423d6bba (diff) | |
download | libxml2-babe75030c7f64a37826bb3342317134568bef61.tar.gz |
Propagate error in xmlParseElementChildrenContentDeclPriv
Check return value of recursive calls to
xmlParseElementChildrenContentDeclPriv and return immediately in case
of errors. Otherwise, struct xmlElementContent could contain unexpected
null pointers, leading to a null deref when post-validating documents
which aren't well-formed and parsed in recovery mode.
Fixes #243.
-rw-r--r-- | parser.c | 7 |
1 files changed, 7 insertions, 0 deletions
@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, SKIP_BLANKS; cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, depth + 1); + if (cur == NULL) + return(NULL); SKIP_BLANKS; GROW; } else { @@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, SKIP_BLANKS; last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, depth + 1); + if (last == NULL) { + if (ret != NULL) + xmlFreeDocElementContent(ctxt->myDoc, ret); + return(NULL); + } SKIP_BLANKS; } else { elem = xmlParseName(ctxt); |