1From 30d7660ba87c8487b26582ccc050f4d2880ccb3c Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 28 Nov 2023 13:27:25 +0100
4Subject: [PATCH] tree: Fix #583 again
5
6Only set doc->intSubset after successful copy to avoid dangling pointers
7in error case.
8---
9 tree.c | 7 +++++--
10 1 file changed, 5 insertions(+), 2 deletions(-)
11
12diff --git a/tree.c b/tree.c
13index 5a9c24d1b..35dabb97c 100644
14--- a/tree.c
15+++ b/tree.c
16@@ -4378,6 +4378,7 @@ xmlNodePtr
17 xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
18 xmlNodePtr ret = NULL;
19 xmlNodePtr p = NULL,q;
20+ xmlDtdPtr newSubset = NULL;
21
22 while (node != NULL) {
23 #ifdef LIBXML_TREE_ENABLED
24@@ -4385,12 +4386,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
25 node = node->next;
26 continue;
27 }
28- if (doc->intSubset == NULL) {
29+ if ((doc->intSubset == NULL) && (newSubset == NULL)) {
30 q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
31 if (q == NULL) goto error;
32 q->doc = doc;
33 q->parent = parent;
34- doc->intSubset = (xmlDtdPtr) q;
35+ newSubset = (xmlDtdPtr) q;
36 xmlAddChild(parent, q);
37 } else {
38 q = (xmlNodePtr) doc->intSubset;
39@@ -4411,6 +4412,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
40 }
41 node = node->next;
42 }
43+ if ((doc != NULL) && (newSubset != NULL))
44+ doc->intSubset = newSubset;
45 return(ret);
46 error:
47 xmlFreeNodeList(ret);
48--
49GitLab
50
51
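Review bot: The `else` branch at the end of the second hunk still reads `doc->intSubset`, which this commit now leaves NULL until the loop has finished, so a second DTD node in the same list would take that branch with `q` set to NULL and pass NULL to `xmlAddChild`. Before the change that branch saw the copy made on the earlier pass. If a list holding more than one DTD node can reach this function, the branch should prefer the pending copy, for example `q = (xmlNodePtr) ((newSubset != NULL) ? newSubset : doc->intSubset);`. What is done with `q` after the `else` lies outside the hunk, so whether the NULL ends in the `error` path or elsewhere cannot be confirmed from here.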
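Review bot: The deferred assignment in the last hunk carries no comment saying why `doc->intSubset` is published only after the loop, and that ordering is the whole memory-safety argument of the patch. A short comment above the `if` would keep a later cleanup from moving the assignment back into the loop: `/* Set intSubset only after the whole list was copied; the error path frees ret and must not leave doc->intSubset dangling. */`. The function body continues past the hunk's last line.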