From 664f881008f40356c0502c8cc154e17e3c80e353 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 26 Sep 2019 11:01:58 +0200
Subject: [PATCH] Fix use-after-free in xmlTextReaderFreeNodeList

Recent commit 1fbcf40 caused a use-after-free read because it didn't
account for the fact that xmlTextReaderFreeDoc frees entities before
freeing entity references via xmlTextReaderFreeNodeList.

Found by OSS-Fuzz.
---
 xmlreader.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/xmlreader.c b/xmlreader.c
index 9229c18..b505f16 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -367,10 +367,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
 	return;
     }
     while (1) {
-        while ((cur->children != NULL) &&
-               (cur->children->parent == cur) &&
-               (cur->type != XML_DTD_NODE) &&
-               (cur->type != XML_ENTITY_REF_NODE)) {
+        while ((cur->type != XML_DTD_NODE) &&
+               (cur->type != XML_ENTITY_REF_NODE) &&
+               (cur->children != NULL) &&
+               (cur->children->parent == cur)) {
             cur = cur->children;
             depth += 1;
         }
-- 
1.7.12.4