On Wed, Feb 16, 2011 at 02:48:50PM -0500, Rob Richards wrote:
> I hit an issue that causes a crash when using
> xmlParseBalancedChunkMemory with data that contains an entity.
> i.e. <test><data> </data></test>
> The xmlDocPtr passed in to the function does contain the entity
> declarations btw
>
> When the entity is parsed a call to xmlParseBalancedChunkInternal is
> made with the context created from xmlParseBalancedChunkMemory which
> has a temporary myDoc property. The content is cretated as being
> owned by the temporary doc.
>
> The temporary doc from the top level xmlParseBalancedChunkMemory is
> freed leaving the created list from when the entity was parsed with
> an invalid pointer which ultimately causes a crash when the
> structure is freed.
>
> Attached patch just sets the owning doc for the list to the same one
> that owns the parent entity if not so already.
> No issues ever with dict as the dict from the original doc is passed
> along in each of the new contexts.
>
> Rob
> diff --git "a/parser_HEAD.c" "b/parser.c"
> index d1c7888..9ab8641 100644
> --- "a/parser_HEAD.c"
> +++ "b/parser.c"
> @@ -6992,6 +6992,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
> ent->owner = 1;
> while (list != NULL) {
> list->parent = (xmlNodePtr) ent;
> + xmlSetTreeDoc(list, ent->doc);
> if (list->next == NULL)
> ent->last = list;
> list = list->next;
Okay, understood, makes sense to me and that should be safe, ACK
thanks !
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
[email protected] | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
_______________________________________________
xml mailing list, project page http://xmlsoft.org/
[email protected]
http://mail.gnome.org/mailman/listinfo/xml
