generic-library/libupnp
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SF Bug Tracker id 3496993 - Write after free in ixmlNode_insertBefore

Browse Source 
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 04:54:40 PST

If ixmlNode_isParent(nodeptr, newChild) returns TRUE,
ixmlNode_removeChild(nodeptr, newChild, NULL) will free newChild before
the modifications of newChild->nextSibling and newChild->prevSibling.
(cherry picked from commit 4f34a12a83)
This commit is contained in:
Fabrice Fontaine
2012-03-08 14:22:54 +01:00
committed by Marcelo Roberto Jimenez
parent 0edaf3361d
commit bd41182cf3
2 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@@ -318,6 +318,16 @@ Version 1.8.0
Version 1.6.16 Version 1.6.16
******************************************************************************* *******************************************************************************
2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
SF Bug Tracker id 3496993 - Write after free in ixmlNode_insertBefore
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 04:54:40 PST
If ixmlNode_isParent(nodeptr, newChild) returns TRUE,
ixmlNode_removeChild(nodeptr, newChild, NULL) will free newChild before
the modifications of newChild->nextSibling and newChild->prevSibling.
2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange.com> 2012-03-08 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
Remove most of strcpy, sprintf and strcat Remove most of strcpy, sprintf and strcat

4
ixml/src/node.c
View File

@@ -500,7 +500,7 @@ int ixmlNode_insertBefore(
if (refChild != NULL) { if (refChild != NULL) {
if (ixmlNode_isParent(nodeptr, newChild) == TRUE) { if (ixmlNode_isParent(nodeptr, newChild) == TRUE) {
ixmlNode_removeChild(nodeptr, newChild, NULL); ixmlNode_removeChild(nodeptr, newChild, &newChild);
newChild->nextSibling = NULL; newChild->nextSibling = NULL;
newChild->prevSibling = NULL; newChild->prevSibling = NULL;
} }
@@ -611,7 +611,7 @@ int ixmlNode_appendChild(IXML_Node *nodeptr, IXML_Node *newChild)
} }
if (ixmlNode_isParent(nodeptr, newChild) == TRUE ) { if (ixmlNode_isParent(nodeptr, newChild) == TRUE ) {
ixmlNode_removeChild(nodeptr, newChild, NULL); ixmlNode_removeChild(nodeptr, newChild, &newChild);
} }
/* set the parent node pointer */ /* set the parent node pointer */
newChild->parentNode = nodeptr; newChild->parentNode = nodeptr;