[RFC] msxml3: Fix crashes due to access to invalid context pointer.

Bernhard Übelacker bernhardu at mailbox.org
Mon Dec 20 02:31:52 CST 2021


On 20.12.21 at 09:08, Nikolay Sivov wrote:
> 
> 
> On 12/18/21 11:42, Bernhard Übelacker wrote:
>> Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52073
>>
>> In function xslt_doc_default_loader a pointer to the stack-based
>> variable "xmlParserInputPtr input" is given to bind_url.
>>
>> Later in function import_loader_onDataAvailable this pointer appears
>> as parameter "void *ctxt" which correctly gets cast to
>> "xmlParserInputPtr *input", but in my opinion is incorrectly given
>> to xmlNewIOInputStream as parameter "xmlParserCtxtPtr ctxt".
>>
>> In the next call to xmlNewInputStream this xmlParserCtxtPtr is
>> used to increment the input_id member.
>>
>> By accident this input_id member contains the pointer which causes
>> the segfault in xmlXPathNodeCollectAndTest.
> ...
>>       inputbuffer = 
>> xmlParserInputBufferCreateIO(import_loader_io_read, 
>> import_loader_io_close, buffer,
>>               XML_CHAR_ENCODING_NONE);
>> -    *input = xmlNewIOInputStream(ctxt, inputbuffer, 
>> XML_CHAR_ENCODING_NONE);
>> +    *input = xmlNewIOInputStream(NULL, inputbuffer, 
>> XML_CHAR_ENCODING_NONE);
>>       if (!*input)
>>           xmlFreeParserInputBuffer(inputbuffer);
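Review bot: replacing `ctxt` with NULL in the xmlNewIOInputStream call is right, because the `void *ctxt` that reaches import_loader_onDataAvailable is the `xmlParserInputPtr *` cookie bound in xslt_doc_default_loader and not a parser context, but the hunk gives a later reader no hint of that; add a one-line comment above the call, e.g. `/* ctxt is the xmlParserInputPtr* cookie from bind_url, not a parser context */`, so the NULL is not "corrected" back to ctxt. With NULL passed, libxml2 has no context to attach errors to, so the `if (!*input)` check that follows is the only failure signal; that check and the xmlFreeParserInputBuffer(inputbuffer) on failure are already in place and must stay.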
> Hi,
> 
> thanks, this looks correct. According to libxml2 code, ctxt won't be 
> useful anyway in this situation, even if we had a correct one.

Hello,
thanks for the review. Then I am going to submit it.

Kind regards,
Bernhard
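The mechanism discussed in this thread, as an added C model that is not Wine's or libxml2's code: an asynchronous loader hands a `void *` cookie (really a pointer to its stack variable `input`) to a bind call, the data-available callback gets the same cookie back, and the pre-patch version also passes it as the parser context, so the `input_id++` inside the stream constructor writes through a bogus context pointer. All type names (`input_stream`, `parser_ctxt`, `stack_slot`), the placement of `input_id` one pointer past the cookie, the `neighbour` stack variable, the `fail_next_stream` injection and the sample buffers are assumptions constructed for the example; the real libxml2 structs are laid out differently, but the write-through-a-wrong-pointer effect is the one the report describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for xmlParserInput: only the fields the example needs. */
typedef struct input_stream {
    int id;
    void *buf;
} input_stream;

/* Stand-in for xmlParserCtxt. Placing input_id one pointer past the start is
 * an assumption chosen so that, when the cookie is mistaken for a context,
 * input_id lands on the cookie's neighbour on the stack. */
typedef struct parser_ctxt {
    unsigned char pad[sizeof(void *)];
    int input_id;
} parser_ctxt;

/* Stand-in for xmlNewIOInputStream: with a context the new stream takes
 * ctxt->input_id++, with NULL it gets id 0. fail_next_stream simulates an
 * allocation failure; on failure the caller still owns buffer. */
static int fail_next_stream;
static input_stream *new_io_input_stream(parser_ctxt *ctxt, void *buffer)
{
    input_stream *in;
    if (fail_next_stream) { fail_next_stream = 0; return NULL; }
    in = calloc(1, sizeof *in);
    if (!in) return NULL;
    in->id = ctxt ? ctxt->input_id++ : 0;
    in->buf = buffer;
    return in;
}

/* Stand-ins for xmlFreeParserInputBuffer / xmlFreeInputStream; the counter
 * lets the failure path be checked. */
static int buffers_freed;
static void free_input_buffer(void *buffer) { free(buffer); buffers_freed++; }
static void free_input_stream(input_stream *in)
{
    if (!in) return;
    free_input_buffer(in->buf);
    free(in);
}

/* The loader's stack frame: the cookie given to the bind call is &f.input and
 * neighbour stands for whatever else lives next to it. The union gives the
 * example a defined way to view those bytes as a parser_ctxt. */
typedef struct frame { input_stream *input; const char *neighbour; } frame;
typedef union { frame f; parser_ctxt c; } stack_slot;

/* Before the patch: the cookie is also passed as the parser context. */
static void on_data_available_buggy(void *ctxt, void *inputbuffer)
{
    input_stream **input = (input_stream **)ctxt;
    *input = new_io_input_stream((parser_ctxt *)ctxt, inputbuffer);
    if (!*input) free_input_buffer(inputbuffer);
}

/* After the patch: no context; the buffer is released if creation fails. */
static void on_data_available_fixed(void *ctxt, void *inputbuffer)
{
    input_stream **input = (input_stream **)ctxt;
    *input = new_io_input_stream(NULL, inputbuffer);
    if (!*input) free_input_buffer(inputbuffer);
}

/* Runs one callback over a constructed frame; returns 1 if the bytes of
 * f.neighbour changed, and reports the created stream's id via *id_out. */
static int run_callback(void (*cb)(void *, void *), int *id_out)
{
    stack_slot s;
    unsigned char before[sizeof(const char *)], after[sizeof(const char *)];
    int clobbered;
    s.f.input = NULL;
    s.f.neighbour = "unrelated pointer living next to the cookie";
    memcpy(before, &s.f.neighbour, sizeof before);
    cb(&s.f.input, malloc(16));
    memcpy(after, &s.f.neighbour, sizeof after);
    clobbered = memcmp(before, after, sizeof before) != 0;
    *id_out = s.f.input ? s.f.input->id : -1;
    free_input_stream(s.f.input);
    return clobbered;
}

/* 1 if the buggy callback wrote over the neighbouring stack variable. */
int demo_buggy_clobbers_neighbour(void)
{
    int id;
    return run_callback(on_data_available_buggy, &id);
}

/* 1 if the fixed callback created a stream with id 0 and touched nothing else. */
int demo_fixed_leaves_neighbour_alone(void)
{
    int id;
    int clobbered = run_callback(on_data_available_fixed, &id);
    return !clobbered && id == 0;
}

/* 1 if a failed stream creation leaves *input NULL and frees the buffer once. */
int demo_failure_releases_buffer(void)
{
    stack_slot s;
    int freed_before = buffers_freed;
    s.f.input = NULL;
    s.f.neighbour = NULL;
    fail_next_stream = 1;
    on_data_available_fixed(&s.f.input, malloc(16));
    return s.f.input == NULL && buffers_freed == freed_before + 1;
}

int main(void)
{
    printf("buggy clobbers neighbour: %d\n", demo_buggy_clobbers_neighbour());
    printf("fixed leaves it alone:    %d\n", demo_fixed_leaves_neighbour_alone());
    printf("failure frees buffer:     %d\n", demo_failure_releases_buffer());
    return 0;
}
```

The buggy path never dereferences the corrupted neighbour, it only compares its bytes before and after, which is enough to show the write the report traces to `input_id++`; in the real crash that write landed on a pointer later used by xmlXPathNodeCollectAndTest. The fixed path matches the patched hunk: NULL context, id 0, and the caller releasing the buffer when the stream could not be created.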


