valid: Fix xmlAddIDSafe in "streaming" mode

Make sure that IDs and attributes never reference each other in streaming (XML reader) mode, even when attributes are copied from an entity. Also update lineno. Fixes a short-lived use-after-free.
2025-03-24 06:50:08 +03:00 · 2024-02-13 10:58:19 +01:00 · 2024-02-13 10:58:19 +01:00 · 9835ec2b97
commit 9835ec2b97
parent e97b4d843f
1 changed files with 7 additions and 6 deletions
--- a/valid.c
+++ b/valid.c
@ -2322,15 +2322,16 @@ xmlAddIDSafe(xmlDocPtr doc, const xmlChar *value, xmlAttrPtr attr,
        ret = xmlHashLookup(table, value);
        if (ret != NULL) {
            /*
-             * Update the attribute to make entities work.
+             * Update the attribute unless we are parsing in streaming
+             * mode. If the attribute is copied from an entity we want
+             * the ID reference the copy.
             */
-            if (!streaming) {
-                if (ret->attr != NULL) {
-                    ret->attr->id = NULL;
-                    ret->attr = attr;
-                }
+            if (ret->attr != NULL) {
+                ret->attr->id = NULL;
+                ret->attr = attr;
                attr->id = ret;
            }
+            ret->lineno = xmlGetLineNo(attr->parent);
 	    attr->atype = XML_ATTRIBUTE_ID;
            return(0);
        }