author | David Kilzer <ddkilzer@apple.com> | 2023-04-15 18:04:03 -0700 |
---|---|---|
committer | David Kilzer <ddkilzer@apple.com> | 2023-04-16 12:01:05 -0700 |
commit | 86105c0493f19ef8e1dd21ab5099613159224b4d (patch) | |
tree | a912ec9a1acf1e27a8eeeee5469636a96979b087 | |
parent | a19fa11e1d6c2b824f873b5be3786fc92380dd8f (diff) | |
download | libxml2-86105c0493f19ef8e1dd21ab5099613159224b4d.tar.gz |
Fix use-after-free in xmlParseContentInternal()
* parser.c:
(xmlParseCharData):
- Check if the parser has stopped before advancing
`ctxt->input->cur`. This only occurs if a custom SAX error
handler calls xmlStopParser() on fatal errors.
Fixes #518.
-rw-r--r-- | parser.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -4447,7 +4447,8 @@ get_more: if (*in == ']') { if ((in[1] == ']') && (in[2] == '>')) { xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL); - ctxt->input->cur = in + 1; + if (ctxt->instate != XML_PARSER_EOF) + ctxt->input->cur = in + 1; return; } in++; |
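Review bot: The new guard `if (ctxt->instate != XML_PARSER_EOF)` after `xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);` carries no comment, and the reason for it is only in the commit message: a custom SAX error handler can call xmlStopParser() from inside the error call, after which `ctxt->input->cur` must not be advanced from the local `in`. A one-line comment at the guard saying so would keep a later cleanup from removing it as a redundant check. The diffstat shows only parser.c changed, so no regression test accompanies the fix; a test that installs an error handler calling xmlStopParser() and feeds character data containing `]]>` would pin the behaviour for #518. It would also be worth confirming whether other writes to `ctxt->input->cur` that follow an error-reporting call in this function need the same check, since this hunk covers only the misplaced CDATA-end path.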