[PATCH] msxml3: Fix crash when iterating through attributes with namespaces.

Bernhard Übelacker bernhardu at mailbox.org
Fri Jul 2 16:30:01 CDT 2021


Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50475
Signed-off-by: Bernhard Übelacker <bernhardu at mailbox.org>
---
For an xmlns attribute without a :foo prefix, the function domelem_get_item
passes a NULL xmlns->prefix to xmlNewNsProp, which therefore fails,
so domelem_get_item does not return an item.
The crash follows from that.
---
 dlls/msxml3/element.c      |  5 ++-
 dlls/msxml3/tests/domdoc.c | 62 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/dlls/msxml3/element.c b/dlls/msxml3/element.c
index 1a523798328..c11d28b066c 100644
--- a/dlls/msxml3/element.c
+++ b/dlls/msxml3/element.c
@@ -1832,7 +1832,10 @@ static HRESULT domelem_get_item(const xmlNodePtr node, LONG index, IXMLDOMNode *
     if (!xmlns)
         return E_OUTOFMEMORY;
 
-    curr = xmlNewNsProp(NULL, xmlns, ns->prefix, ns->href);
+    if (ns->prefix)
+        curr = xmlNewNsProp(NULL, xmlns, ns->prefix, ns->href);
+    else
+        curr = xmlNewProp(NULL, xmlns->prefix, ns->href);
     if (!curr) {
         xmlFreeNs(xmlns);
         return E_OUTOFMEMORY;
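Review bot: In the new `else` branch the `xmlns` object checked just above is used only to supply the attribute name through `xmlns->prefix`, and `xmlNewProp` does not attach it to `curr`, so nothing visible in this hunk takes ownership of it on the prefix-less path. Unless code after the hunk frees it, that is a leak for every default-namespace attribute fetched from a parsed document; consider creating `xmlns` only when `ns->prefix` is set and writing the name directly, e.g. `curr = xmlNewProp(NULL, BAD_CAST "xmlns", ns->href);`. A short comment such as `/* default namespace declaration has no prefix: build a plain "xmlns" attribute */` would also explain why the two branches differ. The body of domelem_get_item starts before and continues past the hunk, so the allocation and any later release of `xmlns` are not visible here.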
diff --git a/dlls/msxml3/tests/domdoc.c b/dlls/msxml3/tests/domdoc.c
index df30104a156..8faf5b59be5 100644
--- a/dlls/msxml3/tests/domdoc.c
+++ b/dlls/msxml3/tests/domdoc.c
@@ -13628,6 +13628,67 @@ todo_wine
     DeleteFileA(path);
 }
 
+static const char svg[] =
+    "<svg version=\"1.1\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"></svg>";
+
+static void test_prefixless_namespace(void)
+{
+    HRESULT hr;
+    IXMLDOMDocument *doc;
+    VARIANT_BOOL b;
+    BSTR str;
+    IXMLDOMNodeList *node_list;
+    LONG length;
+    IXMLDOMNode *node1;
+    IXMLDOMNode *node2;
+    IXMLDOMNamedNodeMap *node_map;
+    int found;
+
+    doc = create_document(&IID_IXMLDOMDocument);
+    EXPECT_REF(doc, 1);
+
+    hr = IXMLDOMDocument_loadXML(doc, _bstr_(svg), &b);
+    EXPECT_HR(hr, S_OK);
+
+    hr = IXMLDOMDocument_get_childNodes(doc, &node_list);
+    EXPECT_HR(hr, S_OK);
+
+    hr = IXMLDOMNodeList_get_item(node_list, 0, &node1);
+    EXPECT_HR(hr, S_OK);
+
+    node_map = (void *)0xdeadbeef;
+    hr = IXMLDOMNode_get_attributes(node1, &node_map);
+    EXPECT_HR(hr, S_OK);
+
+    length = 0xdeadbeef;
+    hr = IXMLDOMNamedNodeMap_get_length(node_map, &length);
+    EXPECT_HR(hr, S_OK);
+    ok(length == 3, "expected length=%d, got %d\n", 3, length);
+
+    found = 0;
+    for (int i = 0; i < length; i++)
+    {
+        hr = IXMLDOMNamedNodeMap_get_item(node_map, i, &node2);
+        EXPECT_HR(hr, S_OK);
+
+        str = (void *)0xdeadbeef;
+        hr = IXMLDOMNode_get_xml(node2, &str);
+        EXPECT_HR(hr, S_OK);
+        if (lstrcmpW(str, L"version=\"1.1\"") == 0) found++;
+        if (lstrcmpW(str, L"xmlns=\"http://www.w3.org/2000/svg\"") == 0) found++;
+        if (lstrcmpW(str, L"xmlns:xlink=\"http://www.w3.org/1999/xlink\"") == 0) found++;
+        SysFreeString(str);
+
+        IXMLDOMNode_Release(node2);
+    }
+    ok(found == 3, "expected to find %d elements, found %d\n", 3, found);
+
+    IXMLDOMNamedNodeMap_Release(node_map);
+    IXMLDOMNode_Release(node1);
+    IXMLDOMNodeList_Release(node_list);
+    IXMLDOMDocument_Release(doc);
+}
+
 START_TEST(domdoc)
 {
     HRESULT hr;
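Review bot: `b` is filled in by `IXMLDOMDocument_loadXML` in test_prefixless_namespace but never checked, so a parse failure would only show up later as unrelated node errors; add `ok(b == VARIANT_TRUE, "failed to load XML string\n");` after the first `EXPECT_HR`. `node2` is also passed uninitialized to `IXMLDOMNamedNodeMap_get_item`, and as far as this hunk shows `EXPECT_HR` does not stop the test, so a regression in the fixed path would reach `IXMLDOMNode_get_xml` with a garbage pointer; initialising it with `node2 = NULL;` and adding `if (hr != S_OK) continue;` keeps the failure a reported one instead of a crash of the test itself. The `found` counter would also accept the same attribute returned three times, so one flag per expected string would make the check stricter.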
@@ -13723,6 +13784,7 @@ START_TEST(domdoc)
         test_mxnamespacemanager();
         test_mxnamespacemanager_override();
     }
+    test_prefixless_namespace();
 
     CoUninitialize();
 }
-- 
2.30.2



