GNOME Bugzilla – Bug 634005
xmlSAX2StartElementNS creates malformed tree (with patch)
Last modified: 2021-07-05 13:20:51 UTC
Under the right circumstances, xmlSAX2StartElementNS will construct a malformed tree, in that the child of a parent will have parent == NULL.

Example code and a patch to SAX2.c (v 2.7.7) are posted at: https://gist.github.com/662758

Summary:

    printf("doc2 %p, doc2->children %p, doc2->children->parent %p\n",
           doc2, doc2->children, doc2->children ? doc2->children->parent : NULL);

will output

    doc2 0x164b390, doc2->children 0x164cd40, doc2->children->parent (nil)

This malformed document can easily be made to segfault during xmlFreeDoc (as the gisted example code demonstrates).

This simple patch fixes the bug:

diff --git a/SAX2.c b/SAX2.c
index 84c1f00..fac870d 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -2264,6 +2264,7 @@ xmlSAX2StartElementNs(void *ctx,
      * Link the child element
      */
     if (parent != NULL) {
+        xmlUnlinkNode(ret);
         if (parent->type == XML_ELEMENT_NODE) {
             xmlAddChild(parent, ret);
         } else {

It appears that xmlSAX2StartElement may have the same issue, though I have not written demonstration code for that function.

This issue was originally discovered via https://github.com/tenderlove/nokogiri/issues/issue/362

Thanks for your time.
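Review bot: the new xmlUnlinkNode(ret) line in the "Link the child element" hunk treats the symptom (ret is already linked somewhere when it reaches this block) without saying where that earlier link comes from, so a reviewer cannot judge whether unlinking here is sufficient or whether the earlier link, which is what leaves a stale pointer in the old list, should be avoided instead; please add a comment above the new line explaining why a node created in this function can already be linked at this point, and check whether the same earlier link can happen when parent is NULL, in which case the unlink would also need to sit outside the `if (parent != NULL)` guard. xmlUnlinkNode does nothing on a node with no parent and no siblings, so the call is harmless on the normal path. Since the report also suspects xmlSAX2StartElement, a patch covering both the SAX1 and SAX2 paths, with the gist's reproducer turned into a regression test, would be easier to accept.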
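To make the failure mode concrete, here is an added example that is not libxml2 code and not the reporter's gist: a self-contained model of a libxml2-style node (parent/children/last/prev/next links) with a naive link routine that, like a routine assuming its argument is unlinked, overwrites the node's own parent pointer but never repairs the list the node was already on. Linking a node twice and then detaching it from the second parent leaves the first parent's children pointer stale while the node's parent is NULL, which is the doc->children->parent == (nil) state the report prints; unlinking before the second link avoids it. The names node, add_child, unlink_node, check_links and run_scenario are this example's own, and the scenario is a model of a double link, not a claim about the exact code path inside xmlSAX2StartElementNs.

```c
/* Added example, not libxml2 code: a minimal model of libxml2-style tree
 * links showing how a node linked twice without an unlink ends up with
 * parent == NULL while still reachable from its first parent. */
#include <stdio.h>
#include <stdlib.h>

typedef struct node {
    const char *name;
    struct node *parent;
    struct node *children;
    struct node *last;
    struct node *prev;
    struct node *next;
} node;

static node *new_node(const char *name) {
    node *n = calloc(1, sizeof *n);
    if (n == NULL) { perror("calloc"); exit(1); }
    n->name = name;
    return n;
}

/* Append cur under parent. Like a naive link routine it assumes cur is not
 * linked anywhere yet: it rewrites cur->parent/prev/next but never touches
 * the list cur may still be on (this is the modelled defect). */
static void add_child(node *parent, node *cur) {
    cur->parent = parent;
    cur->next = NULL;
    if (parent->children == NULL) {
        parent->children = cur;
        parent->last = cur;
        cur->prev = NULL;
    } else {
        cur->prev = parent->last;
        parent->last->next = cur;
        parent->last = cur;
    }
}

/* Detach cur from whichever list it is on, repairing that list's pointers.
 * Safe to call on a node that is not linked at all. */
static void unlink_node(node *cur) {
    if (cur->parent != NULL) {
        if (cur->parent->children == cur) cur->parent->children = cur->next;
        if (cur->parent->last == cur) cur->parent->last = cur->prev;
        cur->parent = NULL;
    }
    if (cur->prev != NULL) cur->prev->next = cur->next;
    if (cur->next != NULL) cur->next->prev = cur->prev;
    cur->prev = cur->next = NULL;
}

/* Count linkage violations under root: every node reached via children/next
 * must point back to the parent it was reached from and the sibling list must
 * be consistently doubly linked. Returns 0 for a sound tree. */
static int check_links(const node *root) {
    int bad = 0;
    const node *prev = NULL;
    for (const node *c = root->children; c != NULL; prev = c, c = c->next) {
        if (c->parent != root) bad++;
        if (c->prev != prev) bad++;
        bad += check_links(c);
    }
    if (root->last != prev) bad++;
    return bad;
}

/* Link ret as the document's first child, link it again under an element
 * parent (optionally unlinking first), then detach it from that parent as a
 * later tree edit might. Returns the number of violations seen from doc. */
static int run_scenario(int unlink_before_relink) {
    node *doc = new_node("doc"), *parent = new_node("parent"), *ret = new_node("ret");
    add_child(doc, ret);                       /* first link: ret is doc's root child */
    if (unlink_before_relink) unlink_node(ret);
    add_child(parent, ret);                    /* second link, under the element */
    unlink_node(ret);                          /* later edit removes ret from parent */
    int bad = check_links(doc);
    if (doc->children != NULL)                 /* stale pointer left by the double link */
        printf("doc->children %p, doc->children->parent %p\n",
               (void *)doc->children, (void *)doc->children->parent);
    free(ret); free(parent); free(doc);        /* each node freed exactly once */
    return bad;
}

int main(void) {
    printf("without unlink: %d violation(s)\n", run_scenario(0));
    printf("with unlink:    %d violation(s)\n", run_scenario(1));
    return 0;
}
```

A check like check_links, run over the real tree before xmlFreeDoc, is the practical takeaway: a recursive free trusts the parent and sibling pointers, so a stale doc->children entry whose parent is NULL turns into a crash at free time rather than at parse time.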
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/libxml2/-/issues/ Thank you for your understanding and your help.