Saturday, 5 August 2023

[PATCH 1/1] bindings/xml/libxml_xmlparser.c: handle an empty document

The xml_parser_end_document() function tries to retrieve the XML node
using dom_node_get_user_data() after the parser has finished. It
checks the return value of that function, but not the true result (a
node pointer), which is itself passed in via a pointer. This goes
wrong when the returned pointer is NULL and unusable, because the
return value is always DOM_NO_ERR (meaning everything was OK).

This problem manifests as a segfault (null dereference) if you try to
parse an empty document using the libxml bindings. It is fixed by
adding a NULL check.
---
bindings/xml/libxml_xmlparser.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bindings/xml/libxml_xmlparser.c b/bindings/xml/libxml_xmlparser.c
index 02b8a34..d43c459 100644
--- a/bindings/xml/libxml_xmlparser.c
+++ b/bindings/xml/libxml_xmlparser.c
@@ -346,7 +346,11 @@ void xml_parser_end_document(void *ctx)
/* Get XML node */
err = dom_node_get_user_data((struct dom_node *) parser->doc,
parser->udkey, (void **) (void *) &node);
- if (err != DOM_NO_ERR) {
+
+ /* The return value from dom_node_get_user_data() is always
+ * DOM_NO_ERR, but the returned "node" will be NULL if no user
+ * data is found. */
+ if (err != DOM_NO_ERR || node == NULL) {
parser->msg(DOM_MSG_WARNING, parser->mctx,
"Failed finding XML node");
return;
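Review bot: the added `node == NULL` test in the `if` condition is only reliable if `node` has a defined value when dom_node_get_user_data() leaves it unwritten, and the declaration of `node` is outside this hunk. If it is not already initialised there, set it to NULL at its declaration so the check does not read an indeterminate pointer. The new comment also states that the return value is always DOM_NO_ERR, which makes `err != DOM_NO_ERR` a purely defensive branch; that is fine to keep, but the comment could say so. A smaller point: an empty document now reports "Failed finding XML node" at DOM_MSG_WARNING, so consider a message that names the empty-document case, since that is the condition the commit message describes.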
--
2.39.3
_______________________________________________
netsurf-dev mailing list -- netsurf-dev@netsurf-browser.org
To unsubscribe send an email to netsurf-dev-leave@netsurf-browser.org
