Bug 666895 - Crash in xmlParseComment when error handler does xmlStopParser
Status: RESOLVED OBSOLETE
Product: libxml2
Classification: Platform
Component: general
Version: 2.7.8
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2011-12-27 05:24 UTC by Bryan Henderson
Modified: 2021-07-05 13:21 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Bryan Henderson 2011-12-27 05:24:40 UTC
The XML contains a comment which contains "--".  xmlParseComment() recognizes this as an error and calls the SAX error handler.  The error handler calls xmlStopParser().  Upon return, xmlParseComment() continues trying to parse and crashes.  Without the xmlParseComment(), all is well.

The user program actually calls xmlSAXParseFileWithData.  The xmlSAXHandler's 'error' member points to the error handler in question.

See http://mail.gnome.org/archives/xml/2009-December/msg00031.html
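The failure mode described in this report, as an added example that is not libxml2 code and not part of the original report: a miniature comment scanner with a pluggable error callback, modelled on the control flow of xmlParseComment(). The callback may stop the parser (the analogue of xmlStopParser() here tears down the input and marks the context finished), so the scanner re-checks the context state after every callback before touching the input again. All names (`struct ctx`, `stop_parser`, `parse_comment`, `run_case`, `PARSER_EOF`) and the sample documents are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for libxml2's XML_PARSER_EOF state and parser context. */
enum { PARSER_RUNNING = 0, PARSER_EOF = 1 };

struct ctx;
typedef void (*error_fn)(struct ctx *ctxt, const char *msg);

struct ctx {
    const char *input;   /* current read position; NULL once the parser is stopped */
    int instate;         /* stands in for ctxt->instate */
    error_fn error;      /* stands in for xmlSAXHandler.error */
    int errors_seen;     /* how many times the error callback fired */
};

/* Analogue of xmlStopParser(): mark the context finished and release the input.
 * Any code that keeps reading ctxt->input after this dereferences NULL. */
static void stop_parser(struct ctx *ctxt)
{
    ctxt->instate = PARSER_EOF;
    ctxt->input = NULL;
}

/* Error handler in the pattern from the report: it asks the parser to stop. */
static void handler_stop(struct ctx *ctxt, const char *msg)
{
    (void)msg;
    ctxt->errors_seen++;
    stop_parser(ctxt);
}

/* Error handler that only records the problem and lets parsing continue. */
static void handler_continue(struct ctx *ctxt, const char *msg)
{
    (void)msg;
    ctxt->errors_seen++;
}

/* Scan one comment starting at "<!--". On success the body is copied into *out
 * (caller frees) and 0 is returned; -1 means the parser was stopped by a
 * callback, -2 means malformed or unterminated input. */
static int parse_comment(struct ctx *ctxt, char **out)
{
    *out = NULL;
    if (ctxt->input == NULL || strncmp(ctxt->input, "<!--", 4) != 0)
        return -2;
    ctxt->input += 4;

    size_t cap = 16, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL)
        return -2;

    for (;;) {
        const char *in = ctxt->input;
        if (*in == '\0') {                     /* unterminated comment */
            free(buf);
            return -2;
        }
        if (in[0] == '-' && in[1] == '-') {
            if (in[2] == '>') {                /* proper "-->" terminator */
                ctxt->input = in + 3;
                buf[len] = '\0';
                *out = buf;
                return 0;
            }
            ctxt->error(ctxt, "Double hyphen within comment");
            /* The callback may have stopped the parser; the input is gone. Without
             * this check the scanner would keep reading through a NULL pointer. */
            if (ctxt->instate == PARSER_EOF) {
                free(buf);
                return -1;
            }
            /* Not stopped: keep going past the first hyphen, as libxml2 does. */
        }
        if (len + 1 >= cap) {
            cap *= 2;
            char *tmp = realloc(buf, cap);
            if (tmp == NULL) {
                free(buf);
                return -2;
            }
            buf = tmp;
        }
        buf[len++] = *in;
        ctxt->input = in + 1;
    }
}

/* Run the scanner over a constructed document with the given handler. */
static int run_case(const char *doc, error_fn handler, int *errors_seen, char **body)
{
    struct ctx ctxt = { doc, PARSER_RUNNING, handler, 0 };
    int rc = parse_comment(&ctxt, body);
    *errors_seen = ctxt.errors_seen;
    return rc;
}

int main(void)
{
    int errs;
    char *body;
    int rc = run_case("<!-- a -- b -- c -->", handler_continue, &errs, &body);
    printf("continue: rc=%d errors=%d body=\"%s\"\n", rc, errs, body ? body : "");
    free(body);
    rc = run_case("<!-- a -- b -- c -->", handler_stop, &errs, &body);
    printf("stop: rc=%d errors=%d\n", rc, errs);
    free(body);
    return 0;
}
```

With the non-stopping handler both double hyphens are reported and the comment body is still returned; with the stopping handler the scanner returns after the first report instead of reading the released input. The same state check is what the patch in Comment 1 adds to xmlParseComment().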
Comment 1 Mark Rowe 2013-04-17 02:10:49 UTC
This is still an issue as of libxml2 v2.9. A patch like so appears to fix this without altering the behavior for folks that aren't calling xmlStopParser from within their error handler:

diff --git a/parser.c b/parser.c
index 91f8c90..609236a 100644
--- a/parser.c
+++ b/parser.c
@@ -4995,6 +4995,12 @@ get_more:
                } else
                    xmlFatalErrMsgStr(ctxt, XML_ERR_HYPHEN_IN_COMMENT,
                                      "Double hyphen within comment\n", NULL);
+
+               if (ctxt->instate == XML_PARSER_EOF) {
+                   xmlFree(buf);
+                   return;
+               }
+
                in++;
                ctxt->input->col++;
            }
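Review bot: the early return after the XML_ERR_HYPHEN_IN_COMMENT report frees `buf` correctly, but it guards only this one callback site; any other error report inside xmlParseComment() that can reach a user handler needs the same `if (ctxt->instate == XML_PARSER_EOF)` check after it, otherwise the crash just moves. Also consider whether returning silently, without any SAX callback for the partial comment, is the intended contract once the parser has been stopped, and pair the patch with a regression test whose error handler calls xmlStopParser() on a comment containing "--".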
Comment 2 GNOME Infrastructure Team 2021-07-05 13:21:29 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/libxml2/-/issues/

Thank you for your understanding and your help.