From bd41182cf3055dcb5457f709e2531e113736a6cd Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Thu, 8 Mar 2012 14:22:54 +0100
Subject: [PATCH] SF Bug Tracker id 3496993 - Write after free in ixmlNode_insertBefore
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 04:54:40 PST
If ixmlNode_isParent(nodeptr, newChild) returns TRUE,
ixmlNode_removeChild(nodeptr, newChild, NULL) will free newChild before
the modifications of newChild->nextSibling and newChild->prevSibling.
(cherry picked from commit 4f34a12a83101830e88a6e86013a47f57858d996)
---
ChangeLog | 10 ++++++++++
ixml/src/node.c | 4 ++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 58a5028..2c31374 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -318,6 +318,16 @@ Version 1.8.0
 Version 1.6.16
 *******************************************************************************
+2012-03-08 Fabrice Fontaine
+
+ SF Bug Tracker id 3496993 - Write after free in ixmlNode_insertBefore
+
+ Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 04:54:40 PST
+
+ If ixmlNode_isParent(nodeptr, newChild) returns TRUE,
+ ixmlNode_removeChild(nodeptr, newChild, NULL) will free newChild before
+ the modifications of newChild->nextSibling and newChild->prevSibling.
+
 2012-03-08 Fabrice Fontaine
 Remove most of strcpy, sprintf and strcat
diff --git a/ixml/src/node.c b/ixml/src/node.c
index 5d650cb..d59d25e 100644
--- a/ixml/src/node.c
+++ b/ixml/src/node.c
@@ -500,7 +500,7 @@ int ixmlNode_insertBefore(
 if (refChild != NULL) {
 if (ixmlNode_isParent(nodeptr, newChild) == TRUE) {
- ixmlNode_removeChild(nodeptr, newChild, NULL);
+ ixmlNode_removeChild(nodeptr, newChild, &newChild);
 newChild->nextSibling = NULL;
 newChild->prevSibling = NULL;
 }
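Review bot: The status returned by `ixmlNode_removeChild(nodeptr, newChild, &newChild)` is still discarded, so if the removal reports an error the code goes on to clear and relink `newChild` as though it had been detached; the appendChild hunk at @@ -611 has the same shape. Since `ixmlNode_isParent` returned TRUE immediately before, a failure here is presumably unlikely, but propagating it keeps the tree consistent: `int rc = ixmlNode_removeChild(nodeptr, newChild, &newChild);` followed by `if (rc != IXML_SUCCESS) return rc;`. The reason the out-pointer matters also deserves a comment, so a later reader does not "simplify" it back to NULL: `/* hand the node back via &newChild; a NULL out-pointer makes removeChild free it, and the sibling writes below would then touch freed memory */`. ixmlNode_insertBefore begins before this hunk and continues after it.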
@@ -611,7 +611,7 @@ int ixmlNode_appendChild(IXML_Node *nodeptr, IXML_Node *newChild)
 }
 if (ixmlNode_isParent(nodeptr, newChild) == TRUE ) {
- ixmlNode_removeChild(nodeptr, newChild, NULL);
+ ixmlNode_removeChild(nodeptr, newChild, &newChild);
 }
 /* set the parent node pointer */
 newChild->parentNode = nodeptr;