Author: stsp
Date: Thu Nov 27 16:32:21 2025
New Revision: 1930035
Log:
Fix a NULL pointer crash in libexpat via the new xml_stream API.
The crash was triggered by xml-test 10: test_xml_parse_stream_invalid_xml
This test would crash on my system because b->parser->parser was NULL.
* subversion/libsvn_subr/xml_stream.c
(xml_stream_close): Actually free the parser if an error occurs,
instead of returning immediately by way of SVN_ERR().
(xml_stream_write): Check whether parser has already been freed before
passing it on to svn_xml_parse().
Modified:
subversion/trunk/subversion/libsvn_subr/xml_stream.c
Modified: subversion/trunk/subversion/libsvn_subr/xml_stream.c
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/xml_stream.c Thu Nov 27
15:29:22 2025 (r1930034)
+++ subversion/trunk/subversion/libsvn_subr/xml_stream.c Thu Nov 27
16:32:21 2025 (r1930035)
@@ -45,6 +45,13 @@ xml_stream_write(void *baton, const char
xml_stream_baton_t *b = baton;
svn_error_t *err;
+ /*
+ * Check if the XML parser has already been freed.
+ * This can happen if an error occurs during XML parsing.
+ */
+ if (b->parser == NULL)
+ return NULL;
+
err = svn_xml_parse(b->parser, data, *len, FALSE);
if (err)
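Review bot: The new guard in xml_stream_write reports success for data it never parsed: `return NULL` leaves `*len` untouched, so a caller that keeps writing after a parse failure is told every byte was consumed. If dropping post-error input is intended, the comment should say so and the return should use the project's usual spelling, e.g. `return SVN_NO_ERROR; /* parser freed after an earlier error; input is dropped */`. Otherwise returning an error here would keep truncated or malformed XML from being mistaken for a completed parse. The commit log attributes the crash to `b->parser->parser` being NULL, while this check tests only `b->parser`, so it presumably relies on the `if (err)` path that continues outside the hunk to free the parser and clear `b->parser`.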
@@ -61,15 +68,17 @@ xml_stream_write(void *baton, const char
static svn_error_t *
xml_stream_close(void *baton)
{
+ svn_error_t *err;
xml_stream_baton_t *b = baton;
if (b->parser)
{
/* Dispose the parser with a final push because we are closing
the stream. */
- SVN_ERR(svn_xml_parse(b->parser, NULL, 0, TRUE));
+ err = svn_xml_parse(b->parser, NULL, 0, TRUE);
svn_xml_free_parser(b->parser);
b->parser = NULL;
+ return svn_error_trace(err);
}
else
{
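Review bot: In xml_stream_close, `svn_xml_free_parser(b->parser)` now also runs when the final `svn_xml_parse()` has failed. The commit log says a failed parse can leave `b->parser->parser` NULL, which suggests the parse call may already have released the underlying expat handle. Whether the free is safe to repeat in that state cannot be seen from this hunk, so it is worth confirming and recording above the call, e.g. `/* svn_xml_free_parser() is safe after a failed svn_xml_parse(). */`. The `else` branch continues outside the hunk.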