|Subject:||Another double free set of errors|
|Date:||Thu, 19 Apr 2018 08:07:26 -0400|
|To:||bug-XML-LibXML [...] rt.cpan.org|
|From:||Jeff <jeff [...] jefftrout.com>|
This is related toit is another scenario in which that wonderful libxml2 feature which free’s the xmlNodePtr you pass in if both sides are text and it merges. So the problem is if you call addSibling twice both with text nodes. The code in question checks to see if self is a text node, but not self->parent->last which can become a text node - this results in our ol’ double free problem. Sample code: #!/usr/bin/perl # # crash # use XML::LibXML; my $div = new XML::LibXML::Element("div"); $div->addChild(new XML::LibXML::Element("font")); my $font = new XML::LibXML::Element("font"); $div->addChild($font); my $text1 = new XML::LibXML::Text("Ok"); my $text2 = new XML::LibXML::Text("not ok"); # libxml2 will merge this into text1 # and free text2, however we don't # know that text2 got free'd $font->addSibling($text1); $font->addSibling($text2); I also discovered the source of problem on which I left a comment in the source about in the patch - basically what happens is replaceChild is that the owner changes - we pull in owner, then do the replace, then reparent ret and set fixOwner back to owner - but after LibXML_reparent_removed_node(ret) owner->node is null - this causes the crash. I found in testing that removing the fixOwner fixed it but was a bit worried about other side effects (I Now, as for why the workaround mentioned works it is probably reference count related to holding onto parent longer) (I was tracking that one because it seemed that was the problem I was having - a double free after some operations I often do) thanks
Message body is not shown because sender requested not to inline it.
-- Jeff Trout <email@example.com>