27 Feb 2026, 6:28 a.m.
calling IXMLDOMNode_put_text on a text node leads to xmlTextSetContent in libxml2 which duplicates the text (xmlStr[n]dup) and frees the old content before setting the new

calling IXMLDOMElement_put_text on an element node leads to xmlNodeParseContent in libxml2 which sets the text on the xmlNode's child and calls xmlFreeNodeList to free the old content

an IXMLDOMNode reference to that internal text node holds a pointer to that freed content and crashes on IXMLDOMNode_Release

<open>     <-- IXMLDOMElement_put_text -> xmlNodeParseContent frees old 'content' held by IXMLDOMNode below
  sesame   <-- IXMLDOMNode_Release on this node double-frees 'content' freed above
</open>

--
https://gitlab.winehq.org/wine/wine/-/merge_requests/10202
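The ownership problem described above, reduced to a toy model as an added example; this is not code from Wine, libxml2 or the merge request. The `node` type, `wrapper_refs`, the function names and the orphan-on-replace mitigation are assumptions made for illustration, not the fix the merge request applies.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model (constructed); these are not libxml2 or Wine types. */
typedef struct node {
    struct node *parent, *child;   /* one child is enough for this case */
    char *content;
    int wrapper_refs;              /* outstanding COM-style references */
} node;
int content_frees;                 /* times a text buffer was freed */

node *node_new(node *parent, const char *text) {
    node *n = calloc(1, sizeof(*n));
    if (text) n->content = strcpy(malloc(strlen(text) + 1), text);
    if (parent) { n->parent = parent; parent->child = n; }
    return n;
}
void node_free(node *n) {
    if (n->content) { content_frees++; free(n->content); }
    free(n);
}

/* Pattern from the report: frees a child that a wrapper may still hold (unused). */
void element_put_text_unsafe(node *elem, const char *text) {
    if (elem->child) node_free(elem->child);
    node_new(elem, text);
}

/* Hardened variant (assumed mitigation): a held child is only unlinked. */
void element_put_text(node *elem, const char *text) {
    node *old = elem->child;
    if (old && old->wrapper_refs > 0) old->parent = NULL;  /* orphan it */
    else if (old) node_free(old);
    node_new(elem, text);
}
/* The last release of an orphaned node is what finally frees it. */
void wrapper_release(node *n) {
    if (--n->wrapper_refs == 0 && !n->parent) node_free(n);
}

/* <open>sesame</open>: hold the text node, replace the text, then release. */
int demo_frees_on_release(void) {
    node *open = node_new(NULL, NULL), *held = node_new(open, "sesame");
    held->wrapper_refs = 1;
    element_put_text(open, "new");
    int intact = strcmp(held->content, "sesame") == 0;  /* memory still valid */
    content_frees = 0;
    wrapper_release(held);         /* frees "sesame" exactly once */
    int frees = content_frees;
    node_free(open->child); node_free(open);
    return intact ? frees : -1;
}
int main(void) { return demo_frees_on_release() == 1 ? 0 : 1; }
```

Swapping `element_put_text_unsafe` into the demo reproduces the reported pattern: the held node is freed on replace and freed again on release, which a build with AddressSanitizer reports at the `strcmp` line.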