Bug 447899 - Double deallocation in xmlFreeTextReader
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: 2.6.27
Hardware: Other
OS: All
Importance: Normal normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2007-06-15 14:21 UTC by valery pryamikov
Modified: 2009-08-21 16:42 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description valery pryamikov 2007-06-15 14:21:06 UTC
Steps to reproduce:
Use xmlTextReader to parse the XML document
"<s:test a='a' b='b' xmlns:s='urn:mytest.ns'>\n"
"	<b>b</b>\n"
"	<s:c>c</s:c>\n"
"	<d/>\n"
"</s:test>";

and call xmlFreeTextReader

Stack trace:


Other information:
Insert the following two lines into xmlreader.c after line 2186 (xmlTextReaderFreeDoc(reader, ...)):

///<bugFix>
if (reader->faketext != NULL && reader->faketext->doc == reader->ctxt->myDoc)
 reader->faketext->doc = NULL;
///</bugFix>
Comment 1 Daniel Veillard 2007-06-15 15:17:22 UTC
I'm unable to understand the bug report. Provide a full standalone
C test case. If you have a suggested patch please include a contextual
diff that would be perfect.

Daniel
Comment 2 valery pryamikov 2007-06-18 07:50:17 UTC
Below is a contextual diff.
Without that fix, reader->faketext->doc will be attempted to be released a few steps later, during the release of reader->faketext->doc. But it has already been released with reader->ctxt.

*** libxml2-2.6.27/libxml2-2.6.27/xmlreader.c   Fri Mar 10 00:31:12 2006
--- Projects/libxml2/xmlreader.c Fri Jun 15 16:18:22 2007
***************
*** 2184,2189 ****
--- 2184,2191 ----
        if (reader->ctxt->myDoc != NULL) {
            if (reader->preserve == 0)
                xmlTextReaderFreeDoc(reader, reader->ctxt->myDoc);
+               if (reader->faketext != NULL && reader->faketext->doc == reader->ctxt->myDoc)
+                       reader->faketext->doc = NULL;
            reader->ctxt->myDoc = NULL;
        }
        if ((reader->ctxt->vctxt.vstateTab != NULL) &&
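Review bot: the two added lines sit after the brace-less body of `if (reader->preserve == 0)`, so they also run when `preserve` is non-zero and `xmlTextReaderFreeDoc()` was never called; in that case a still-valid `reader->faketext->doc` is cleared, and the later `xmlFreeNode(reader->faketext)` loses the document it would consult. Either nest the guard inside the `preserve == 0` branch (adding braces), or, as comment 4 proposes, move the `xmlFreeNode(reader->faketext)` block ahead of the `xmlTextReaderFreeDoc()` call so the back-pointer is never left dangling in the first place. The indentation of the `+` lines also does not match the surrounding context.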
Comment 3 Zygmunt Krynicki 2008-05-29 14:10:06 UTC
Could someone please get this confirmed and applied? It's been nearly a year since the patch (a working patch, might I add) was reported and provided, and still 2.6.30 is affected :/
Comment 4 Daniel Veillard 2009-08-21 16:42:30 UTC
Actually, the correct patch is, I believe, to move the
  xmlFreeNode(reader->faketext);
block before the one calling xmlTextReaderFreeDoc().
Will try to fix it that way, but since no reproducer was given, it's
all guesses.

  I committed my version of the fix to git; hopefully it works for you.

Daniel
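The ownership problem behind this bug, as an added model that is not libxml2 code and not part of the original report: the reader's fake text node keeps a non-owning back-pointer to the parser context's document, and the teardown order decides whether that pointer is still valid when the node is released. The type and function names (doc_t, node_t, reader_t, free_doc, free_node, teardown_*) are assumptions chosen for illustration; libxml2's real types are xmlDoc, xmlNode, xmlParserCtxt and xmlTextReader. The model records a release with a flag instead of calling free() on the document, so a bad teardown is reported as a fault count rather than as the crash a real double free or use-after-free would produce. It compares the original order with the patch from comment 2 (clear the back-pointer) and the approach from comment 4 (free the node before the document).

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not libxml2 code: a model of the teardown-order bug. */
typedef struct {
    int released;        /* set once the document has been released */
    const char *dict;    /* stands in for the document's string dictionary */
} doc_t;

typedef struct {
    doc_t *doc;          /* non-owning back-pointer to the owning document */
    const char *content;
} node_t;

typedef struct {
    doc_t *my_doc;       /* the parser context's document (reader->ctxt->myDoc) */
    node_t *faketext;    /* the reader's own text node (reader->faketext) */
    int preserve;        /* reader->preserve: 0 means the reader frees the doc */
} reader_t;

/* Invalid operations seen during one teardown: releasing a document twice,
 * or dereferencing a document that has already been released. */
static int g_faults;

static void free_doc(doc_t *doc)
{
    if (doc->released)
        g_faults++;              /* double release */
    doc->released = 1;           /* flag only; memory is kept for the model */
}

static void free_node(node_t *node)
{
    /* Like xmlFreeNode, node teardown consults the owning document (its
     * dictionary) to decide how the node's strings were allocated. */
    if (node->doc != NULL) {
        if (node->doc->released)
            g_faults++;          /* use of an already released document */
        (void)node->doc->dict;
    }
    free(node);
}

static reader_t *make_reader(int preserve)
{
    reader_t *r = calloc(1, sizeof *r);
    r->my_doc = calloc(1, sizeof *r->my_doc);
    r->my_doc->dict = "constructed-dict";           /* constructed sample */
    r->faketext = calloc(1, sizeof *r->faketext);
    r->faketext->doc = r->my_doc;                   /* the pointer that goes stale */
    r->faketext->content = "constructed-text";      /* constructed sample */
    r->preserve = preserve;
    return r;
}

/* Order of the reported xmlFreeTextReader: document first, then the fake
 * text node that still points at it. Returns the fault count. */
int teardown_original(int preserve)
{
    reader_t *r = make_reader(preserve);
    doc_t *doc = r->my_doc;
    g_faults = 0;
    if (r->my_doc != NULL) {
        if (r->preserve == 0)
            free_doc(r->my_doc);
        r->my_doc = NULL;
    }
    if (r->faketext != NULL)
        free_node(r->faketext);
    free(doc);
    free(r);
    return g_faults;
}

/* Comment 2's patch: clear the back-pointer once the document is released. */
int teardown_clear_backpointer(int preserve)
{
    reader_t *r = make_reader(preserve);
    doc_t *doc = r->my_doc;
    g_faults = 0;
    if (r->my_doc != NULL) {
        if (r->preserve == 0)
            free_doc(r->my_doc);
        if (r->faketext != NULL && r->faketext->doc == r->my_doc)
            r->faketext->doc = NULL;
        r->my_doc = NULL;
    }
    if (r->faketext != NULL)
        free_node(r->faketext);
    free(doc);
    free(r);
    return g_faults;
}

/* Comment 4's approach: release the fake text node before the document,
 * so its back-pointer is valid whenever it is dereferenced. */
int teardown_reorder(int preserve)
{
    reader_t *r = make_reader(preserve);
    doc_t *doc = r->my_doc;
    g_faults = 0;
    if (r->faketext != NULL) {
        free_node(r->faketext);
        r->faketext = NULL;
    }
    if (r->my_doc != NULL) {
        if (r->preserve == 0)
            free_doc(r->my_doc);
        r->my_doc = NULL;
    }
    free(doc);
    free(r);
    return g_faults;
}

int main(void)
{
    printf("original order:     %d fault(s)\n", teardown_original(0));
    printf("clear back-pointer: %d fault(s)\n", teardown_clear_backpointer(0));
    printf("free node first:    %d fault(s)\n", teardown_reorder(0));
    return 0;
}
```

Both fixes remove the fault when preserve is 0. The difference shows with preserve set: the comment 2 variant still clears the back-pointer even though the document was never released, so the node is torn down without access to the document it belongs to, whereas the reordered teardown leaves every pointer valid for as long as it is used.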