Correctly relocate internal pointers after realloc()

Adding an offset to a deallocated pointer and assuming that it can be dereferenced is undefined behaviour. When running libxml2 on CHERI-enabled systems such as Arm Morello this results in the creation of an out-of-bounds pointer that cannot be dereferenced and therefore crashes at runtime. The effect of this UB is not just limited to architectures such as CHERI, incorrect relocation of pointers after realloc can in fact cause FORTIFY_SOURCE errors with recent GCC: https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level
2024-12-28 07:21:26 +03:00 · 2022-12-01 12:58:11 +00:00 · 2022-12-01 12:58:11 +00:00 · c62c0d82cc
commit c62c0d82cc
parent c7a9b85cbb
1 changed files with 3 additions and 3 deletions
--- a/parser.c
+++ b/parser.c
@ -9582,10 +9582,10 @@ next_attr:
             * Arithmetic on dangling pointers is technically undefined
             * behavior, but well...
             */
-            ptrdiff_t offset = ctxt->input->base - atts[i+2];
+            const xmlChar *old = atts[i+2];
            atts[i+2]  = NULL;    /* Reset repurposed namespace URI */
-            atts[i+3] += offset;  /* value */
-            atts[i+4] += offset;  /* valuend */
+            atts[i+3] = ctxt->input->base + (atts[i+3] - old);  /* value */
+            atts[i+4] = ctxt->input->base + (atts[i+4] - old);  /* valuend */
        }
    }