In domelem_removeAttributeNode, we call xmlRemoveProp if attributeNode is NULL. Doing this frees the xmlNodePtr, leaving a dangling pointer. Which later in domattr_Release causes a use-after-free.
Found by ASan.
From: Yuxuan Shui yshui@codeweavers.com
In domelem_removeAttributeNode, we call xmlRemoveProp if attributeNode is NULL. Doing this frees the xmlNodePtr while the domattr object still references it, leaving a dangling pointer that later causes a use-after-free in domattr_Release.
Found by ASan. --- dlls/msxml3/element.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/dlls/msxml3/element.c b/dlls/msxml3/element.c
index fd9a2973cd8..0859576ded2 100644
--- a/dlls/msxml3/element.c
+++ b/dlls/msxml3/element.c
@@ -1501,17 +1501,9 @@ static HRESULT WINAPI domelem_removeAttributeNode(
 if (This->node.node != attr_node->node->parent) return E_INVALIDARG;
- if (attributeNode)
- {
- xmlUnlinkNode(attr_node->node );
- xmldoc_add_orphan(attr_node->node->doc, attr_node->node);
- *attributeNode = (IXMLDOMAttribute*)create_node(attr_node->node);
- }
- else
- {
- if (xmlRemoveProp((xmlAttrPtr)attr_node->node) == -1)
- return E_INVALIDARG;
- }
+ xmlUnlinkNode(attr_node->node);
+ xmldoc_add_orphan(attr_node->node->doc, attr_node->node);
+ if (attributeNode) *attributeNode = (IXMLDOMAttribute*)create_node(attr_node->node);
 return S_OK;
 }
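Review bot: The new line `if (attributeNode) *attributeNode = (IXMLDOMAttribute*)create_node(attr_node->node);` does not check create_node's result, so if it returns NULL the caller gets S_OK with a NULL out-parameter after the attribute has already been unlinked and orphaned; create_node's definition is not visible here, but if it can fail on allocation the line should become `if (attributeNode && !(*attributeNode = (IXMLDOMAttribute*)create_node(attr_node->node))) return E_OUTOFMEMORY;`. A short comment explaining why the xmlRemoveProp branch went away would protect the fix, e.g. `/* never xmlRemoveProp here: the domattr wrapper still references the xmlAttr, so keep it alive as a document orphan */`, since a later maintainer may be tempted to re-add the "free it when the caller doesn't want it" shortcut that caused the use-after-free. Putting the assignment on its own line under the `if` would also match the surrounding Wine style. domelem_removeAttributeNode's signature and its earlier argument checks lie outside the hunk.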