[PATCH 1/2] bindings/xml/libxml_xmlparser.c: fix segfault due to unlinked parent

Fri, 11 Aug 2023 19:46:31 -0700 

The xml_parser_start_element_ns() function ultimately calls

  xml_parser_add_node(parser, parent->_private, ...

when we encounter a new element-open tag, and xml_parser_add_node()
wants its second argument to be non-NULL. Specifically, foo->_private
should be the libdom counterpart to the libxml2 node foo, the
correspondence being maintained with xml_parser_link_nodes(). Yet
there are several error branches throughout the libxml2 bindings where
the call to xml_parser_link_nodes() is skipped; and moreover, the link
function can itself fail.

The libsvgtiny test suite contains several test cases that exhibit
that pathological behavior:

  * test/ns-afl-svg/0341.svg
  * test/ns-afl-svg/0846.svg
  * test/ns-afl-svg/1105.svg
  * test/ns-afl-svg/1358.svg
  * test/ns-afl-svg/1571.svg
  * test/ns-afl-svg/2026.svg
  * test/ns-afl-svg/2040.svg
  * test/ns-afl-svg/2209.svg
  * test/ns-afl-svg/2210.svg
  * test/ns-afl-svg/2529.svg
  * test/ns-afl-svg/2607.svg

These all currently segfault (fail) the test suite when libdom was
built with WITH_LIBXML_BINDING=yes and WITH_EXPAT_BINDING=no. To
fix it, we look elsewhere in the libxml2 bindings, and see that
xml_parser_end_element_ns() already has a check for an unlinked
element,

  /* If node wasn't linked, we can't do anything */
  if (node->_private == NULL) {
    parser->msg(DOM_MSG_WARNING, parser->mctx,
                "Node '%s' not linked", node->name);
    return;
  }

Borrowing this for xml_parser_start_element_ns() and applying it to
the "parent" pointer avoids the issue, changing each segfault into a
svgtiny_LIBDOM_ERROR.
---
 bindings/xml/libxml_xmlparser.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/bindings/xml/libxml_xmlparser.c b/bindings/xml/libxml_xmlparser.c
index d43c459..57f3f47 100644
--- a/bindings/xml/libxml_xmlparser.c
+++ b/bindings/xml/libxml_xmlparser.c
@@ -419,6 +419,13 @@ void xml_parser_start_element_ns(void *ctx, const xmlChar 
*localname,
                parent = (xmlNodePtr) parser->xml_ctx->myDoc;
        }
 
+       /* If parent isn't linked, we can't do anything */
+       if (parent->_private == NULL) {
+               parser->msg(DOM_MSG_WARNING, parser->mctx,
+                               "Node '%s' not linked", parent->name);
+               return;
+       }
+
        if (parent->type == XML_DOCUMENT_NODE ||
                        parent->type == XML_ELEMENT_NODE) {
                /* Mirror in the DOM all children of the parent node
-- 
2.41.0
_______________________________________________
netsurf-dev mailing list -- netsurf-dev@netsurf-browser.org
To unsubscribe send an email to netsurf-dev-le...@netsurf-browser.org

Reply via email to