Fix use-after-free in xmlParseContentInternal()

* parser.c: (xmlParseCharData): - Check if the parser has stopped before advancing `ctxt->input->cur`. This only occurs if a custom SAX error handler calls xmlStopParser() on fatal errors. Fixes #518.
2024-10-26 12:25:09 +03:00 · 2023-04-15 18:04:03 -07:00 · 2023-04-15 18:04:03 -07:00 · 86105c0493
commit 86105c0493
parent a19fa11e1d
1 changed files with 2 additions and 1 deletions
--- a/parser.c
+++ b/parser.c
@ -4447,7 +4447,8 @@ get_more:
        if (*in == ']') {
            if ((in[1] == ']') && (in[2] == '>')) {
                xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL);
-                ctxt->input->cur = in + 1;
+                if (ctxt->instate != XML_PARSER_EOF)
+                    ctxt->input->cur = in + 1;
                return;
            }
            in++;