From 30d7660ba87c8487b26582ccc050f4d2880ccb3c Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Tue, 28 Nov 2023 13:27:25 +0100
Subject: [PATCH] tree: Fix #583 again

Only set doc->intSubset after successful copy to avoid dangling pointers in error case.
---
 tree.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tree.c b/tree.c
index 5a9c24d1b..35dabb97c 100644
--- a/tree.c
+++ b/tree.c
@@ -4378,6 +4378,7 @@ xmlNodePtr
 xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 xmlNodePtr ret = NULL;
 xmlNodePtr p = NULL,q;
+ xmlDtdPtr newSubset = NULL;

 while (node != NULL) {
 #ifdef LIBXML_TREE_ENABLED
@@ -4385,12 +4386,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 node = node->next;
 continue;
 }
- if (doc->intSubset == NULL) {
+ if ((doc->intSubset == NULL) && (newSubset == NULL)) {
 q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
 if (q == NULL) goto error;
 q->doc = doc;
 q->parent = parent;
- doc->intSubset = (xmlDtdPtr) q;
+ newSubset = (xmlDtdPtr) q;
 xmlAddChild(parent, q);
 } else {
 q = (xmlNodePtr) doc->intSubset;
@@ -4411,6 +4412,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
 }
 node = node->next;
 }
+ if ((doc != NULL) && (newSubset != NULL))
+ doc->intSubset = newSubset;
 return(ret);
 error:
 xmlFreeNodeList(ret);
-- 
GitLab
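Review bot: In the second hunk the `else` branch still reads `q = (xmlNodePtr) doc->intSubset;`, but a second DTD node in the same list now reaches that branch while `doc->intSubset` is still NULL, because the first copy is held only in `newSubset` until the loop ends. `q` is then NULL when it is passed to `xmlAddChild(parent, q)`, and what happens next depends on code below the hunk, which is not visible here. The case should be handled explicitly in the branch, for example with `if (q == NULL) goto error;` before the `xmlAddChild` call, plus a short comment stating what is intended for a list that holds more than one DTD node. The function body starts and ends outside this hunk.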
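Review bot: The `doc != NULL` test in the added `if ((doc != NULL) && (newSubset != NULL))` of the third hunk looks redundant, since the second hunk evaluates `doc->intSubset` before it ever assigns `newSubset`, so a non-NULL `newSubset` already implies a non-NULL `doc`. It is harmless to keep, but the deferred assignment itself is undocumented and easy to move back into the loop in a later cleanup. A comment above it would record the reason, for example `/* Publish the copied DTD only once the whole list was copied, so doc->intSubset never points at a node released on the error path. */`. The `error:` handling continues past the end of this hunk.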