Fix use-after-free in xmlParseContentInternal()

* parser.c: (xmlParseCharData): - Check if the parser has stopped before advancing `ctxt->input->cur`. This only occurs if a custom SAX error handler calls xmlStopParser() on fatal errors. Fixes #518.
author: David Kilzer <ddkilzer@apple.com> 2023-04-15 18:04:03 -0700
committer: David Kilzer <ddkilzer@apple.com> 2023-04-16 12:01:05 -0700
commit: 86105c0493f19ef8e1dd21ab5099613159224b4d (patch)
tree: a912ec9a1acf1e27a8eeeee5469636a96979b087
parent: a19fa11e1d6c2b824f873b5be3786fc92380dd8f (diff)
download: libxml2-86105c0493f19ef8e1dd21ab5099613159224b4d.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/parser.c b/parser.c
index 933dfb93..523e59de 100644
--- a/parser.c
+++ b/parser.c
@@ -4447,7 +4447,8 @@ get_more:
         if (*in == ']') {
             if ((in[1] == ']') && (in[2] == '>')) {
                 xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);
-                ctxt->input->cur = in + 1;
+                if (ctxt->instate != XML_PARSER_EOF)
+                    ctxt->input->cur = in + 1;
                 return;
             }
             in++;
author	David Kilzer <ddkilzer@apple.com>	2023-04-15 18:04:03 -0700
committer	David Kilzer <ddkilzer@apple.com>	2023-04-16 12:01:05 -0700
commit	86105c0493f19ef8e1dd21ab5099613159224b4d (patch)
tree	a912ec9a1acf1e27a8eeeee5469636a96979b087
parent	a19fa11e1d6c2b824f873b5be3786fc92380dd8f (diff)
download	libxml2-86105c0493f19ef8e1dd21ab5099613159224b4d.tar.gz