1From 6273df6c6d84b6be8a62a62abf1d9b79cc2035f8 Mon Sep 17 00:00:00 2001 2From: Nick Wellnhofer <wellnhofer@aevum.de> 3Date: Tue, 30 May 2023 12:30:27 +0200 4Subject: [PATCH] xpath: Ignore entity ref nodes when computing node hash 5 6XPath queries only work reliably if entities are substituted. 7Nevertheless, it's possible to query a document with entity reference 8nodes. xmllint even deletes entities when the `--dropdtd` option is 9passed, resulting in dangling pointers, so it's best to skip entity 10reference nodes to avoid a use-after-free. 11 12Fixes #550. 13 14Reference:https://github.com/GNOME/libxml2/commit/6273df6c6d84b6be8a62a62abf1d9b79cc2035f8 15Conflict:NA 16 17--- 18 xpath.c | 11 ++++++----- 19 1 file changed, 6 insertions(+), 5 deletions(-) 20 21diff --git a/xpath.c b/xpath.c 22index 3d1ca71..3128efb 100644 23--- a/xpath.c 24+++ b/xpath.c 25@@ -6396,11 +6396,12 @@ xmlXPathNodeValHash(xmlNodePtr node) { 26 /* 27 * Skip to next node 28 */ 29- if ((tmp->children != NULL) && (tmp->type != XML_DTD_NODE)) { 30- if (tmp->children->type != XML_ENTITY_DECL) { 31- tmp = tmp->children; 32- continue; 33- } 34+ if ((tmp->children != NULL) && 35+ (tmp->type != XML_DTD_NODE) && 36+ (tmp->type != XML_ENTITY_REF_NODE) && 37+ (tmp->children->type != XML_ENTITY_DECL)) { 38+ tmp = tmp->children; 39+ continue; 40 } 41 if (tmp == node) 42 break; 43-- 442.27.0 45 46