Commit c50196c13d348025a4843305902bb37df64bae36
2022-04-10T20:02:47
Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser When creating an xmlTextReaderPtr using xmlReaderForMemory(), there are two optional API functions that can be used: - xmlTextReaderClose() may be called prior to calling xmlFreeTextReader() to free parsing resources and close the xmlTextReaderPtr without freeing it. - xmlTextReaderCurrentDoc() may be called to return an xmlDocPtr that's owned by the caller, and must be free using xmlFreeDoc() after calling xmlFreeTextReader(). The use-after-free issues occur when calling xmlTextReaderClose() before xmlFreeTextReader(), with different issues occurring depending on whether xmlTextReaderCurrentDoc() is also called. * xmlreader.c: (xmlFreeTextReader): - Move code to xmlTextReaderClose(), remove duplicate code, and call xmlTextReaderClose() if it hasn't been called yet. (xmlTextReaderClose): - Move call to xmlFreeNode(reader->faketext) from xmlFreeTextReader() to fix a use-after-free bug when calling xmlTextReaderClose() before xmlFreeTextReader(), but not when using xmlTextReaderCurrentDoc(). The bug was introduced in 2002 by commit beb70bd39. In 2009 commit f4653dcd8 fixed the use-after-free that occurred every time xmlFreeTextReader() was called, but not the case where xmlTextReaderClose() was called first. - Move post-parsing validation code from xmlFreeTextReader() to fix a second use-after-free when calling xmlTextReaderClose() before xmlFreeTextReader(). This regressed in v2.9.10 with commit 57a3af56f.