Subject: | removeChild() segfaults when not expanding entities |
# This script segfaults:
use strict;
use XML::LibXML;
my $xml = <<EOF;
<!DOCTYPE bug [
<!ENTITY myent "xyz">
]>
<bug>
<elem>&myent;</elem>
</bug>
EOF
my $dom = XML::LibXML->load_xml (string => $xml,
expand_entities => 0);
my $root = $dom->documentElement;
my @nodes = $root->childNodes;
foreach my $node (@nodes) {
next if $node->nodeType != XML_ELEMENT_NODE;
next if $node->nodeName ne 'elem';
$root->removeChild ($node);
}
__END__
The script doesn't crash if you do one of the following:
- set expand_entities to 1
- do not use the entity &myent;
- instead of &myent; use & (or <, > ...)
In dom.c, at one point the function _domReconileNS() gets called with a
tree argument where tree->ns is not NULL but tree->ns->prefix is either
NULL or points to lala-land.
In the above script, the pointer is NULL. But with a more complicated
XML document, tree->ns->prefix pointed to an address beyond the end of
the virtual RAM. That means that it is not sufficient to extend the
check to
if (tree->ns != NULL && tree->ns->prefix != NULL)
That just fixes the test case but the crash still happens with my "real"
data.
The bug occurred on Gentoo x86_64 with version 1.9000 but also with
version 2.0008.