The xml_parser_start_element_ns() function ultimately calls
xml_parser_add_node(parser, parent->_private, ...
when we encounter a new element-open tag, and xml_parser_add_node()
wants its second argument to be non-NULL. Specifically, foo->_private
should be the libdom counterpart to the libxml2 node foo, the
correspondence being maintained with xml_parser_link_nodes(). Yet
there are several error branches throughout the libxml2 bindings where
the call to xml_parser_link_nodes() is skipped; and moreover, the link
function can itself fail.
The libsvgtiny test suite contains several test cases that exhibit
that pathological behavior:
* test/ns-afl-svg/0341.svg
* test/ns-afl-svg/0846.svg
* test/ns-afl-svg/1105.svg
* test/ns-afl-svg/1358.svg
* test/ns-afl-svg/1571.svg
* test/ns-afl-svg/2026.svg
* test/ns-afl-svg/2040.svg
* test/ns-afl-svg/2209.svg
* test/ns-afl-svg/2210.svg
* test/ns-afl-svg/2529.svg
* test/ns-afl-svg/2607.svg
These all currently segfault (fail) the test suite when libdom was
built with WITH_LIBXML_BINDING=yes and WITH_EXPAT_BINDING=no. To
fix it, we look elsewhere in the libxml2 bindings, and see that
xml_parser_end_element_ns() already has a check for an unlinked
element,
/* If node wasn't linked, we can't do anything */
if (node->_private == NULL) {
parser->msg(DOM_MSG_WARNING, parser->mctx,
"Node '%s' not linked", node->name);
return;
}
Borrowing this for xml_parser_start_element_ns() and applying it to
the "parent" pointer avoids the issue, changing each segfault into a
svgtiny_LIBDOM_ERROR.
---
bindings/xml/libxml_xmlparser.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/bindings/xml/libxml_xmlparser.c b/bindings/xml/libxml_xmlparser.c
index d43c459..57f3f47 100644
--- a/bindings/xml/libxml_xmlparser.c
+++ b/bindings/xml/libxml_xmlparser.c
@@ -419,6 +419,13 @@ void xml_parser_start_element_ns(void *ctx, const xmlChar *localname,
parent = (xmlNodePtr) parser->xml_ctx->myDoc;
}
+ /* If parent isn't linked, we can't do anything */
+ if (parent->_private == NULL) {
+ parser->msg(DOM_MSG_WARNING, parser->mctx,
+ "Node '%s' not linked", parent->name);
+ return;
+ }
+
if (parent->type == XML_DOCUMENT_NODE ||
parent->type == XML_ELEMENT_NODE) {
/* Mirror in the DOM all children of the parent node
--
2.41.0
_______________________________________________
netsurf-dev mailing list -- netsurf-dev@netsurf-browser.org
To unsubscribe send an email to netsurf-dev-leave@netsurf-browser.org
No comments:
Post a Comment