From e6d7eb7767d4e7ce9e1ef810c0ee5197148d9a1c Mon Sep 17 00:00:00 2001
From: Marcelo Roberto Jimenez
Date: Fri, 10 Sep 2010 19:26:10 -0300
Subject: [PATCH] 2010-09-10 Jean Sigwald I discovered a reliable denial-of-service issue on the last stable release of libupnp (1.6.6) remotely triggerable by any unauthenticated user. The issue is related with a bad parsing of malformed XML.
(cherry picked from commit 25a4bd6d253cec60ee11d7a43491e1b1a6be5465)
---
 ChangeLog | 6 ++++++
 ixml/src/ixmlparser.c | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 2e8f78b..ade2789 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,12 @@ Version 1.8.0
 *******************************************************************************
+2010-09-10 Jean Sigwald
+ I discovered a reliable denial-of-service issue on the last stable
+ release of libupnp (1.6.6) remotely triggerable by any
+ unauthenticated user. The issue is related with a bad parsing of
+ malformed XML.
+
 2010-09-10 Chandra Penke
 * SF Patch Tracker [ 2854711 ] Patch for Solaris10 compilation and usage
 Submitted By: zephyrus ( zephyrus00jp )
diff --git a/ixml/src/ixmlparser.c b/ixml/src/ixmlparser.c
index 59b0f50..739a49a 100644
--- a/ixml/src/ixmlparser.c
+++ b/ixml/src/ixmlparser.c
@@ -582,11 +582,14 @@ static int Parser_isValidEndElement(
 IXML_Node *newNode)
 {
 assert(xmlParser);
- assert(xmlParser->pCurElement);
 assert(xmlParser->pCurElement->element);
 assert(newNode);
 assert(newNode->nodeName);
+ if (xmlParser->pCurElement == NULL) {
+ return 0;
+ }
+
 return strcmp(xmlParser->pCurElement->element, newNode->nodeName) == 0;
 }
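Review bot: In the ixml/src/ixmlparser.c hunk the new `pCurElement == NULL` guard sits after `assert(xmlParser->pCurElement->element);`, so a build with assertions enabled still dereferences a NULL `pCurElement` before the guard runs, and the malformed-XML crash the commit describes would stay reachable there. The guard should come first: `if (xmlParser->pCurElement == NULL) { return 0; }` and only then `assert(xmlParser->pCurElement->element);`. The remaining asserts on `->element` and `newNode->nodeName` compile out under NDEBUG, so if either can be NULL for parser-derived input (not visible in this hunk) they would also need run-time checks before the `strcmp`. The function's parameter list begins outside the hunk.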