[PATCH 0/1] MR9279: msxml3: Fix use-after-free of dom attributes.
In domelem_removeAttributeNode, we call xmlRemoveProp if attributeNode is NULL. Doing this frees the xmlNodePtr, leaving a dangling pointer, which later causes a use-after-free in domattr_Release. Found by ASan. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9279
From: Yuxuan Shui <yshui(a)codeweavers.com> In domelem_removeAttributeNode, we call xmlRemoveProp if attributeNode is NULL. Doing this frees the xmlNodePtr, leaving a dangling pointer. Which later in domattr_Release causes a use-after-free. Found by ASan. --- dlls/msxml3/element.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/dlls/msxml3/element.c b/dlls/msxml3/element.c index fd9a2973cd8..0859576ded2 100644 --- a/dlls/msxml3/element.c +++ b/dlls/msxml3/element.c @@ -1501,17 +1501,9 @@ static HRESULT WINAPI domelem_removeAttributeNode( if (This->node.node != attr_node->node->parent) return E_INVALIDARG; - if (attributeNode) - { - xmlUnlinkNode(attr_node->node ); - xmldoc_add_orphan(attr_node->node->doc, attr_node->node); - *attributeNode = (IXMLDOMAttribute*)create_node(attr_node->node); - } - else - { - if (xmlRemoveProp((xmlAttrPtr)attr_node->node) == -1) - return E_INVALIDARG; - } + xmlUnlinkNode(attr_node->node); + xmldoc_add_orphan(attr_node->node->doc, attr_node->node); + if (attributeNode) *attributeNode = (IXMLDOMAttribute*)create_node(attr_node->node); return S_OK; } -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/9279
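Review bot: the deleted `else` branch was the only place this function actually freed the libxml2 attribute; the new code unlinks it and hands it to xmldoc_add_orphan in both cases, so the node outlives the call and the caller's IXMLDOMAttribute wrapper (attr_node) no longer holds a dangling pointer at domattr_Release, but the commit message should state that the attribute's lifetime now ends with the document rather than here, since that is a behaviour change for the `attributeNode == NULL` path and not only a crash fix. Dropping the `if (xmlRemoveProp((xmlAttrPtr)attr_node->node) == -1) return E_INVALIDARG;` check is justified only because the `if (This->node.node != attr_node->node->parent) return E_INVALIDARG;` test kept above already rejects an attribute that does not belong to this element, which is the case in which xmlRemoveProp would have failed; a one-line comment there would make that dependency explicit. Minor style point: `if (attributeNode) *attributeNode = (IXMLDOMAttribute*)create_node(attr_node->node);` would read more like the surrounding code with the assignment on its own line.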