Variables pool->ptr and pool->start point to addresses
that may have been freed if realloc moved the block to
a new base address. So we do the math on these pointers
while they are not yet dangling.
For a related article:
http://trust-in-soft.com/dangling-pointer-indeterminate/
int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
size_t bytesToAllocate;
+ // NOTE: Needs to be calculated prior to calling `realloc`
+ // to avoid dangling pointers:
+ const ptrdiff_t offsetInsideBlock = pool->ptr - pool->start;
+
if (blockSize < 0)
return XML_FALSE;
return XML_FALSE;
pool->blocks = temp;
pool->blocks->size = blockSize;
- pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
+ pool->ptr = pool->blocks->s + offsetInsideBlock;
pool->start = pool->blocks->s;
pool->end = pool->start + blockSize;
}
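Review bot: The new comment above `offsetInsideBlock` says only that it avoids dangling pointers; it should name which pointers and why, since the same reasoning also covers the `pool->end - pool->start` subtraction in the `blockSize` line above it. Suggested wording: `// pool->ptr and pool->start point into the block that realloc may free; take the offset now and rebase it onto the new block after the call.` `ptrdiff_t` is the right type for a pointer difference, but it is declared in `<stddef.h>`, so it is worth confirming the file already includes that header (not visible here). The enclosing function starts outside the hunk, and the lines between the `blockSize < 0` check and the `pool->blocks = temp` assignment are not shown on this page.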