1From 86105c0493f19ef8e1dd21ab5099613159224b4d Mon Sep 17 00:00:00 2001
2From: David Kilzer <ddkilzer@apple.com>
3Date: Sat, 15 Apr 2023 18:04:03 -0700
4Subject: [PATCH] Fix use-after-free in xmlParseContentInternal()
5
6* parser.c:
7(xmlParseCharData):
8- Check if the parser has stopped before advancing
9 `ctxt->input->cur`. This only occurs if a custom SAX error
10 handler calls xmlStopParser() on fatal errors.
11
12Fixes #518.
13
14Reference:https://github.com/GNOME/libxml2/commit/86105c0493f19ef8e1dd21ab5099613159224b4d
15Conflict:parser.c
16
17---
18 parser.c | 3 ++-
19 1 file changed, 2 insertions(+), 1 deletion(-)
20
21diff --git a/parser.c b/parser.c
22index f9b4012..ccddf07 100644
23--- a/parser.c
24+++ b/parser.c
25@@ -4504,7 +4504,8 @@ get_more:
26 if (*in == ']') {
27 if ((in[1] == ']') && (in[2] == '>')) {
28 xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);
29- ctxt->input->cur = in + 1;
30+ if (ctxt->instate != XML_PARSER_EOF)
31+ ctxt->input->cur = in + 1;
32 return;
33 }
34 in++;
35--
362.27.0
37
38
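Review bot: The new `if (ctxt->instate != XML_PARSER_EOF)` guard before `ctxt->input->cur = in + 1;` has no comment, so a reader of parser.c sees an unexplained parser-state check next to a bare return and has to go to the commit message to learn it is a use-after-free fix. The reasoning belongs in the code: `/* xmlFatalErr may run a SAX error handler that calls xmlStopParser(); once the parser is stopped the input it was scanning may have been released, so don't store a pointer derived from in back into ctxt->input->cur */`. xmlParseCharData starts and ends outside this hunk (the `get_more:` label in the hunk header is inside its body); if it has other sites that report a fatal error and then write a pointer derived from `in` into `ctxt->input->cur`, those presumably need the same guard, which is worth confirming rather than assuming this is the only one. Checking `ctxt->instate` also ties the fix to one specific signal of "stopped"; if the error handler can stop the parser without leaving `instate` at `XML_PARSER_EOF`, this check would not catch it, so the assumption should be stated in the comment or verified against xmlStopParser().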