GNOME Bugzilla – Bug 582913
xmlSaveTree() on a <meta> tag with encoding causes invalid memory access
Last modified: 2009-08-12 21:08:27 UTC
Steps to reproduce:
A C program demonstrating this issue is posted at http://gist.github.com/112897

It occurs in 2.7.3 and 2.7.2, but not in 2.6.31.

Given a document with encoding information in a meta tag, calling xmlSaveTree() on that meta tag node will result in an invalid memory access and will usually segfault.

Stack trace:
Valgrind output indicating the illegal memory access:

==598== Invalid read of size 4
==598==    at 0x408F4BD: htmlNodeDumpFormatOutput (HTMLtree.c:781)
==598==    by 0x411DA79: xmlNodeDumpOutputInternal (xmlsave.c:721)
==598==    by 0x411E208: xmlSaveTree (xmlsave.c:1786)
==598==    by 0x804868B: main (in /home/mike/tmp/nokogiri-55/meta-tag-issue)
==598==  Address 0x42f8eec is 4 bytes inside a block of size 60 free'd
==598==    at 0x402265C: free (vg_replace_malloc.c:323)
==598==    by 0x406F1CE: xmlFreeNode (tree.c:3708)
==598==    by 0x40902A2: htmlSetMetaEncoding (HTMLtree.c:271)
==598==    by 0x411DA14: xmlNodeDumpOutputInternal (xmlsave.c:704)
==598==    by 0x411E208: xmlSaveTree (xmlsave.c:1786)
==598==    by 0x804868B: main (in /home/mike/tmp/nokogiri-55/meta-tag-issue)

This trace indicates that memory freed by htmlSetMetaEncoding() is being accessed by htmlNodeDumpFormatOutput().

Other information:
Okay, I have fixed htmlSetMetaEncoding() to be nicer: it no longer destroys existing meta encoding elements, it just updates the property, and only if needed, which is never the case if you just output part of the current document without asking for encoding changes. Fixed in git (8d7c1b7ab296ea2e8c8d18d7b8f3d24e0963f8ff). Thanks for the report,

Daniel
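The following is an added illustration, not code from libxml2, the reporter's gist or the fix commit. It models the two behaviours the thread describes with a toy HTML tree: a "save tree" routine that first forces the meta charset to the output encoding (as xmlSaveTree() did for HTML documents), an old helper that unlinks and frees the existing <meta> node and inserts a new one (the pattern the Valgrind trace shows, which leaves the caller's node pointer dangling), and a fixed helper that rewrites the content attribute in place and only when the charset actually differs, so pointers into the tree stay valid. The node layout, the `freed_nodes` counter and all function names are assumptions made for the example; they do not mirror libxml2's structures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the <head> of an HTML document: a list of <meta> nodes.
 * Assumed layout for this example only; libxml2's xmlNode looks nothing like it. */
typedef struct meta {
    char http_equiv[32];
    char content[96];
    struct meta *next;
} meta;

typedef struct {
    meta *head;          /* children of <head> */
    int freed_nodes;     /* counts frees so a test can detect a dangling pointer without touching it */
} html_doc;

static meta *meta_new(const char *http_equiv, const char *content) {
    meta *m = calloc(1, sizeof *m);
    if (!m) abort();
    snprintf(m->http_equiv, sizeof m->http_equiv, "%s", http_equiv);
    snprintf(m->content, sizeof m->content, "%s", content);
    return m;
}

static meta *find_content_type(html_doc *doc) {
    for (meta *m = doc->head; m; m = m->next)
        if (strcmp(m->http_equiv, "Content-Type") == 0) return m;
    return NULL;
}

/* Pre-fix pattern (what the trace shows): unlink and free the old <meta>, then
 * insert a fresh one. A caller still holding the old pointer now has a dangling
 * reference, and serializing that pointer afterwards is a use-after-free. */
static void set_meta_encoding_old(html_doc *doc, const char *enc) {
    for (meta **pp = &doc->head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->http_equiv, "Content-Type") == 0) {
            meta *victim = *pp;
            *pp = victim->next;
            free(victim);
            doc->freed_nodes++;
            break;
        }
    }
    char content[96];
    snprintf(content, sizeof content, "text/html; charset=%s", enc);
    meta *m = meta_new("Content-Type", content);
    m->next = doc->head;
    doc->head = m;
}

/* Post-fix pattern: update the attribute in place, and only if the charset
 * differs. No node is freed, so existing pointers remain valid.
 * Returns 1 if the tree was changed, 0 if it was already correct. */
static int set_meta_encoding_fixed(html_doc *doc, const char *enc) {
    meta *m = find_content_type(doc);
    if (m) {
        const char *cs = strstr(m->content, "charset=");
        if (cs && strcmp(cs + strlen("charset="), enc) == 0) return 0;
        snprintf(m->content, sizeof m->content, "text/html; charset=%s", enc);
        return 1;
    }
    char content[96];
    snprintf(content, sizeof content, "text/html; charset=%s", enc);
    m = meta_new("Content-Type", content);
    m->next = doc->head;
    doc->head = m;
    return 1;
}

/* Serialize one node, the way xmlSaveTree() serializes the subtree it is handed,
 * after syncing the meta charset. Uses the fixed helper, so `node` is still
 * alive when it is read; with the old helper this read would hit freed memory. */
static int save_meta(html_doc *doc, meta *node, const char *enc, char *out, size_t outlen) {
    set_meta_encoding_fixed(doc, enc);
    return snprintf(out, outlen, "<meta http-equiv=\"%s\" content=\"%s\">",
                    node->http_equiv, node->content);
}

/* Constructed input matching the report: a meta tag carrying the encoding. */
static html_doc *make_doc(void) {
    html_doc *doc = calloc(1, sizeof *doc);
    if (!doc) abort();
    doc->head = meta_new("Content-Type", "text/html; charset=UTF-8");
    return doc;
}

static void doc_free(html_doc *doc) {
    for (meta *m = doc->head; m;) { meta *n = m->next; free(m); m = n; }
    free(doc);
}

int main(void) {
    html_doc *doc = make_doc();
    meta *m = find_content_type(doc);
    char out[160];
    save_meta(doc, m, "UTF-8", out, sizeof out);   /* same charset: tree untouched */
    puts(out);
    save_meta(doc, m, "ISO-8859-1", out, sizeof out); /* differs: updated in place, m still valid */
    puts(out);
    doc_free(doc);
    return 0;
}
```

The point of the fixed path is the one Daniel describes: when the requested encoding already matches, nothing in the tree moves, which is exactly the situation when a caller serializes part of an existing document without asking for an encoding change.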