Re: [xml] Heap use after free in parser.c

2018-01-22 Thread Jay Civelli via xml
On Mon, Jan 22, 2018 at 7:53 AM, Nick Wellnhofer wrote: > On 08/01/2018 22:43, Jay Civelli wrote: >> On Mon, Jan 8, 2018 at 11:27 AM, Nick Wellnhofer wrote: >> On 02/01/2018 20:08, Jay Civelli via xml wrote: >> We ran into a heap use after free

Re: [xml] Heap use after free in parser.c

2018-01-22 Thread Nick Wellnhofer
On 08/01/2018 22:43, Jay Civelli wrote: On Mon, Jan 8, 2018 at 11:27 AM, Nick Wellnhofer wrote: On 02/01/2018 20:08, Jay Civelli via xml wrote: We ran into a heap use after free in Chromium http://crbug.com/793715 that

Re: [xml] Heap use after free in parser.c

2018-01-18 Thread Jay Civelli via xml
Hi Nick, Did you have a chance to look at my latest patch? (attached in my previous email) Thanks. Jay On Mon, Jan 8, 2018 at 1:43 PM, Jay Civelli wrote: > On Mon, Jan 8, 2018 at 11:27 AM, Nick Wellnhofer wrote: >> On 02/01/2018 20:08, Jay Civelli via xml wrote: >>> We ran into a heap

Re: [xml] Heap use after free in parser.c

2018-01-08 Thread Jay Civelli via xml
On Mon, Jan 8, 2018 at 11:27 AM, Nick Wellnhofer wrote: > On 02/01/2018 20:08, Jay Civelli via xml wrote: >> We ran into a heap use after free in Chromium http://crbug.com/793715 that I think I tracked down. > I don't have access to this page. You should have

Re: [xml] Heap use after free in parser.c

2018-01-08 Thread Nick Wellnhofer
On 02/01/2018 20:08, Jay Civelli via xml wrote: We ran into a heap use after free in Chromium http://crbug.com/793715 that I think I tracked down. I don't have access to this page. I have a tentative patch attached to address it. In parser.c, if a call to xmlCharEncI

[xml] Heap use after free in parser.c

2018-01-02 Thread Jay Civelli via xml
Hi, We ran into a heap use after free in Chromium http://crbug.com/793715 that I think I tracked down. I have a tentative patch attached to address it. In parser.c, if a call to xmlCharEncInput() fails and has grown the buffer, the ctxt object could still point to the old deleted buffer. Thanks.