From: Sebastian Pipping
Date: Sat, 15 Jul 2017 21:44:48 +0000 (+0200)
Subject: xmlparse.c: Fix dangling pointer caused by use of realloc
X-Git-Tag: R_2_2_3~23^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=786d7abfcd7f901e4f9fb10bea45e5de99691057;p=libexpat

xmlparse.c: Fix dangling pointer caused by use of realloc

Variables pool->ptr and pool->start point to addresses that may have been freed if realloc chose the path of a new base address. So we do the math on these pointers while they are not dangling, yet.

For a related article: http://trust-in-soft.com/dangling-pointer-indeterminate/
---
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index fdd3e529..d26ebd3c 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -6741,6 +6741,10 @@ poolGrow(STRING_POOL *pool)
 int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
 size_t bytesToAllocate;
+ // NOTE: Needs to be calculated prior to calling `realloc`
+ // to avoid dangling pointers:
+ const ptrdiff_t offsetInsideBlock = pool->ptr - pool->start;
+
 if (blockSize < 0)
 return XML_FALSE;
@@ -6754,7 +6758,7 @@ poolGrow(STRING_POOL *pool)
 return XML_FALSE;
 pool->blocks = temp;
 pool->blocks->size = blockSize;
- pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
+ pool->ptr = pool->blocks->s + offsetInsideBlock;
 pool->start = pool->blocks->s;
 pool->end = pool->start + blockSize;
 }
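Review bot: The two added comment lines in the first hunk use `//`, which is C99 syntax; if the rest of xmlparse.c is kept C89/C90-clean and uses `/* */` comments (the hunk itself cannot confirm either), a `/* ... */` form keeps the fix buildable for those configurations. The comment could also state the actual hazard rather than just "dangling pointers", e.g. `/* Computed before realloc(): afterwards pool->ptr and pool->start may refer to freed memory, and even subtracting two such pointers is undefined behaviour. */`. `ptrdiff_t` requires `<stddef.h>`; presumably xmlparse.c already includes it, but the include block is outside the hunk. Since only `poolGrow` is touched, it is worth checking the other `realloc` call sites in this file for the same rebase-after-free subtraction, which the second hunk replaces here. `poolGrow` begins before the first hunk and its body continues between and after the two hunks.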