libxml2/Fix-cleanup-of-attributes-in-XML-reader.patch

From b215c270fa3b1436314cc56654718bd12182cfec Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 13 Sep 2020 12:19:48 +0200
Subject: [PATCH] Fix cleanup of attributes in XML reader

xml:id creates ID attributes even in documents without a DTD, so the
check in xmlTextReaderFreeProp must be changed to avoid use after free.

Found by OSS-Fuzz.
---
 xmlreader.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/xmlreader.c b/xmlreader.c
index a9b9ef93..01adf74f 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -359,12 +359,12 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
 	xmlDeregisterNodeDefaultValue((xmlNodePtr) cur);
 
     /* Check for ID removal -> leading to invalid references ! */
-    if ((cur->parent != NULL) && (cur->parent->doc != NULL) &&
-	((cur->parent->doc->intSubset != NULL) ||
-	 (cur->parent->doc->extSubset != NULL))) {
+    if ((cur->parent != NULL) && (cur->parent->doc != NULL)) {
         if (xmlIsID(cur->parent->doc, cur->parent, cur))
 	    xmlTextReaderRemoveID(cur->parent->doc, cur);
-        if (xmlIsRef(cur->parent->doc, cur->parent, cur))
+	if (((cur->parent->doc->intSubset != NULL) ||
+	     (cur->parent->doc->extSubset != NULL)) &&
+            (xmlIsRef(cur->parent->doc, cur->parent, cur)))
             xmlTextReaderRemoveRef(cur->parent->doc, cur);
     }
     if (cur->children != NULL)
-- 
2.27.0
fix problems detected by oss-fuzz test 2020-11-12 10:24:05 +08:00			`From b215c270fa3b1436314cc56654718bd12182cfec Mon Sep 17 00:00:00 2001`
			`From: Nick Wellnhofer <wellnhofer@aevum.de>`
			`Date: Sun, 13 Sep 2020 12:19:48 +0200`
			`Subject: [PATCH] Fix cleanup of attributes in XML reader`

			`xml:id creates ID attributes even in documents without a DTD, so the`
			`check in xmlTextReaderFreeProp must be changed to avoid use after free.`

			`Found by OSS-Fuzz.`
			`---`
			`xmlreader.c \| 8 ++++----`
			`1 file changed, 4 insertions(+), 4 deletions(-)`

			`diff --git a/xmlreader.c b/xmlreader.c`
			`index a9b9ef93..01adf74f 100644`
			`--- a/xmlreader.c`
			`+++ b/xmlreader.c`
			`@@ -359,12 +359,12 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {`
			`xmlDeregisterNodeDefaultValue((xmlNodePtr) cur);`

			`/* Check for ID removal -> leading to invalid references ! */`
			`- if ((cur->parent != NULL) && (cur->parent->doc != NULL) &&`
			`- ((cur->parent->doc->intSubset != NULL) \|\|`
			`- (cur->parent->doc->extSubset != NULL))) {`
			`+ if ((cur->parent != NULL) && (cur->parent->doc != NULL)) {`
			`if (xmlIsID(cur->parent->doc, cur->parent, cur))`
			`xmlTextReaderRemoveID(cur->parent->doc, cur);`
			`- if (xmlIsRef(cur->parent->doc, cur->parent, cur))`
			`+ if (((cur->parent->doc->intSubset != NULL) \|\|`
			`+ (cur->parent->doc->extSubset != NULL)) &&`
			`+ (xmlIsRef(cur->parent->doc, cur->parent, cur)))`
			`xmlTextReaderRemoveRef(cur->parent->doc, cur);`
			`}`
			`if (cur->children != NULL)`
			`--`
			`2.27.0`