From f4befc31c3e93593248f9d43e6365f247a7e67b7 Mon Sep 17 00:00:00 2001
From: "Fred L. Drake, Jr."
Date: Tue, 8 Oct 2002 17:04:55 +0000
Subject: [PATCH] SF bug #620343: segfault: bad API/callback interaction

The start-namespace-decl callback can set the start-element callback to NULL, but Expat tried to call it anyway.
---
 expat/lib/xmlparse.c | 5 +++--
 expat/tests/runtests.c | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index 602108d3..b834d1ae 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -2075,8 +2075,9 @@ doContent(XML_Parser parser,
 result = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings));
 if (result) return result;
- startElementHandler(handlerArg, tag->name.str,
- (const XML_Char **)atts);
+ if (startElementHandler)
+ startElementHandler(handlerArg, tag->name.str,
+ (const XML_Char **)atts);
 } else if (defaultHandler) reportDefault(parser, enc, s, next);
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index fcb7e6a7..99a4bfb7 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
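Review bot: The new `if (startElementHandler)` guard in doContent (expat/lib/xmlparse.c) carries no comment saying why the handler has to be re-tested at this point, and when the test is false the start tag appears to be dropped without any report. The `} else if (defaultHandler)` that follows closes a block whose opening lies outside the hunk, so `reportDefault` is presumably not reached once that outer branch has been entered. I would put `/* a callback run from storeAtts() may have cleared the handler */` above the guard and consider giving the inner test its own `else if (defaultHandler) reportDefault(parser, enc, s, next);`. Since the commit message describes the crash as a call through a NULL callback pointer, any other place that calls a handler after user callbacks have run deserves the same re-check; the test comment in runtests.c says the empty-tag syntax takes a different path, which suggests at least one more call site to confirm.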
@@ -790,6 +790,41 @@ START_TEST(test_ns_tagname_overwrite_triplet)
 }
 END_TEST
+
+/* Regression test for SF bug #620343. */
+static void
+start_element_fail(void *userData,
+ const XML_Char *name, const XML_Char **atts)
+{
+ /* We should never get here. */
+ fail("should never reach start_element_fail()");
+}
+
+static void
+start_ns_clearing_start_element(void *userData,
+ const XML_Char *prefix,
+ const XML_Char *uri)
+{
+ XML_SetStartElementHandler((XML_Parser) userData, NULL);
+}
+
+START_TEST(test_start_ns_clears_start_element)
+{
+ /* This needs to use separate start/end tags; using the empty tag
+ syntax doesn't cause the problematic path through Expat to be
+ taken.
+ */
+ char *text = "";
+
+ XML_SetStartElementHandler(parser, start_element_fail);
+ XML_SetStartNamespaceDeclHandler(parser, start_ns_clearing_start_element);
+ XML_UseParserAsHandlerArg(parser);
+ if (XML_Parse(parser, text, strlen(text), 1) == XML_STATUS_ERROR)
+ xml_failure(parser);
+}
+END_TEST
+
+
 static Suite *
 make_basic_suite(void)
 {
@@ -835,6 +870,7 @@ make_basic_suite(void)
 tcase_add_test(tc_namespace, test_return_ns_triplet);
 tcase_add_test(tc_namespace, test_ns_tagname_overwrite);
 tcase_add_test(tc_namespace, test_ns_tagname_overwrite_triplet);
+ tcase_add_test(tc_namespace, test_start_ns_clears_start_element);
 return s;
 }
-- 
2.40.0
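Review bot: `char *text = "";` in test_start_ns_clears_start_element is an empty document as shown here, which contradicts the comment directly above it requiring separate start and end tags. With no element and no namespace declaration in the input, the namespace callback would never run and the regression path would not be exercised. The markup may simply have been lost when this page was rendered, so the literal should be checked against the repository copy. Independently, the pointer should be declared `const char *text` because it refers to a string literal, and `strlen(text)` yields a `size_t` passed where XML_Parse takes an `int` length, so `(int)strlen(text)` would make the conversion explicit.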