Google Git
Sign in
fuchsia/third_party/libxml2/5880a9a6bd97c0f9ac8fc4f30110fe023f484746^!/.
commit
5880a9a6bd97c0f9ac8fc4f30110fe023f484746
[log] [tgz]
author
Nick Wellnhofer <wellnhofer@aevum.de>
Tue Dec 10 16:52:05 2024 +0100
committer
Nick Wellnhofer <wellnhofer@aevum.de>
Tue Feb 18 15:07:44 2025 +0100
tree
5e3464a9b6ad678954a667c29af270f22ad6c2fd
parent
06b3965086a3954da467f88dc8bce937ecd71380 [diff]
[CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd

xmlSchemaItemListAdd can reallocate the items array. Update local
variables after adding item in

- xmlSchemaIDCFillNodeTables
- xmlSchemaBubbleIDCNodeTables

Fixes #828.

diff --git a/xmlschemas.c b/xmlschemas.c
index 1b3c524..95be97c 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c

@@ -23374,6 +23374,7 @@
 			}
 			if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
 			    goto internal_error;
+                        dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
 			/*
 			* Remove the duplicate entry from the IDC node-table.
 			*/
@@ -23590,6 +23591,8 @@
 				goto internal_error;
 			}
 			xmlSchemaItemListAdd(parBind->dupls, parNode);
+		        dupls = (xmlSchemaPSVIIDCNodePtr *)
+                            parBind->dupls->items;
 		    } else {
 			/*
 			* Add the node-table entry (node and key-sequence) of