[PATCH] msxml3: Fix crash when iterating through attributes with namespaces.
Bernhard Übelacker
bernhardu at mailbox.org
Fri Jul 2 16:30:01 CDT 2021
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50475
Signed-off-by: Bernhard Übelacker <bernhardu at mailbox.org>
---
For an attribute xmlns without a :foo prefix, the function domelem_get_item
gives a NULL xmlns->prefix into xmlNewNsProp, which therefore fails
and leaves domelem_get_item without returning an item.
Therefore the crash follows.
---
dlls/msxml3/element.c | 5 ++-
dlls/msxml3/tests/domdoc.c | 62 ++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/dlls/msxml3/element.c b/dlls/msxml3/element.c
index 1a523798328..c11d28b066c 100644
--- a/dlls/msxml3/element.c
+++ b/dlls/msxml3/element.c
@@ -1832,7 +1832,10 @@ static HRESULT domelem_get_item(const xmlNodePtr node, LONG index, IXMLDOMNode *
if (!xmlns)
return E_OUTOFMEMORY;
- curr = xmlNewNsProp(NULL, xmlns, ns->prefix, ns->href);
+ if (ns->prefix)
+ curr = xmlNewNsProp(NULL, xmlns, ns->prefix, ns->href);
+ else
+ curr = xmlNewProp(NULL, xmlns->prefix, ns->href);
if (!curr) {
xmlFreeNs(xmlns);
return E_OUTOFMEMORY;
diff --git a/dlls/msxml3/tests/domdoc.c b/dlls/msxml3/tests/domdoc.c
index df30104a156..8faf5b59be5 100644
--- a/dlls/msxml3/tests/domdoc.c
+++ b/dlls/msxml3/tests/domdoc.c
@@ -13628,6 +13628,67 @@ todo_wine
DeleteFileA(path);
}
+static const char svg[] =
+ "<svg version=\"1.1\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"></svg>";
+
+static void test_prefixless_namespace(void)
+{
+ HRESULT hr;
+ IXMLDOMDocument *doc;
+ VARIANT_BOOL b;
+ BSTR str;
+ IXMLDOMNodeList *node_list;
+ LONG length;
+ IXMLDOMNode *node1;
+ IXMLDOMNode *node2;
+ IXMLDOMNamedNodeMap *node_map;
+ int found;
+
+ doc = create_document(&IID_IXMLDOMDocument);
+ EXPECT_REF(doc, 1);
+
+ hr = IXMLDOMDocument_loadXML(doc, _bstr_(svg), &b);
+ EXPECT_HR(hr, S_OK);
+
+ hr = IXMLDOMDocument_get_childNodes(doc, &node_list);
+ EXPECT_HR(hr, S_OK);
+
+ hr = IXMLDOMNodeList_get_item(node_list, 0, &node1);
+ EXPECT_HR(hr, S_OK);
+
+ node_map = (void *)0xdeadbeef;
+ hr = IXMLDOMNode_get_attributes(node1, &node_map);
+ EXPECT_HR(hr, S_OK);
+
+ length = 0xdeadbeef;
+ hr = IXMLDOMNamedNodeMap_get_length(node_map, &length);
+ EXPECT_HR(hr, S_OK);
+ ok(length == 3, "expected length=%d, got %d\n", 3, length);
+
+ found = 0;
+ for (int i = 0; i < length; i++)
+ {
+ hr = IXMLDOMNamedNodeMap_get_item(node_map, i, &node2);
+ EXPECT_HR(hr, S_OK);
+
+ str = (void *)0xdeadbeef;
+ hr = IXMLDOMNode_get_xml(node2, &str);
+ EXPECT_HR(hr, S_OK);
+ if (lstrcmpW(str, L"version=\"1.1\"") == 0) found++;
+ if (lstrcmpW(str, L"xmlns=\"http://www.w3.org/2000/svg\"") == 0) found++;
+ if (lstrcmpW(str, L"xmlns:xlink=\"http://www.w3.org/1999/xlink\"") == 0) found++;
+ SysFreeString(str);
+
+ IXMLDOMNode_Release(node2);
+ }
+ ok(found == 3, "expected to find %d elements, found %d\n", 3, found);
+
+ IXMLDOMNamedNodeMap_Release(node_map);
+ IXMLDOMNode_Release(node1);
+ IXMLDOMNodeList_Release(node_list);
+ IXMLDOMDocument_Release(doc);
+}
+
START_TEST(domdoc)
{
HRESULT hr;
@@ -13723,6 +13784,7 @@ START_TEST(domdoc)
test_mxnamespacemanager();
test_mxnamespacemanager_override();
}
+ test_prefixless_namespace();
CoUninitialize();
}
--
2.30.2
More information about the wine-devel
mailing list