From c39ec3033ed40a4df87173ab1e715440942cd204 Mon Sep 17 00:00:00 2001
From: Stephen Checkoway
Date: Thu, 6 Jul 2023 14:00:12 -0400
Subject: [PATCH] fix memsize_node when called on xmlAttrs

The `properties` field of an `xmlNode` element points to an `xmlAttr`. The first few fields of `xmlAttr` are in common with `xmlNode`, but not the `properties` field which doesn't exist in an `xmlAttr`. The `memsize_node` function was passing an `xmlAttr` to a recursive call and then trying to do the same with the properties of that. This led to type confusion and subsequent crashes.

Fixes: #2923

(cherry picked from commit 81762fa0b306a7d25ef22a303ff9dd6e9bd94ffd)
---
 ext/nokogiri/xml_document.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ext/nokogiri/xml_document.c b/ext/nokogiri/xml_document.c
index 442884daae..c6856f979a 100644
--- a/ext/nokogiri/xml_document.c
+++ b/ext/nokogiri/xml_document.c
@@ -103,8 +103,11 @@ memsize_node(const xmlNodePtr node)
   size_t memsize = 0;
 
   memsize += xmlStrlen(node->name);
-  for (child = (xmlNodePtr)node->properties; child; child = child->next) {
-    memsize += sizeof(xmlAttr) + memsize_node(child);
+
+  if (node->type == XML_ELEMENT_NODE) {
+    for (child = (xmlNodePtr)node->properties; child; child = child->next) {
+      memsize += sizeof(xmlAttr) + memsize_node(child);
+    }
   }
   if (node->type == XML_TEXT_NODE) {
     memsize += xmlStrlen(node->content);
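Review bot: The `XML_ELEMENT_NODE` guard stops the recursive call from reading `properties` off an `xmlAttr`, but the `(xmlNodePtr)node->properties` cast still hands an `xmlAttr` to a function typed for `xmlNode`, so the fix is only as durable as the set of fields `memsize_node` dereferences for non-element nodes; that invariant is undocumented in the hunk. A short comment at the cast would make the next maintainer aware of it, e.g. `/* xmlAttr only shares its leading fields with xmlNode: keep every field read below (name, type, ...) inside that common prefix when node is an attribute */`. It would also help to spell out that the guard is what makes `node->properties` a valid access, `/* properties exists only on element nodes; other types alias this storage differently */`. The body of memsize_node starts and ends outside the hunk, so any field it reads after the text-node branch is presumed, not checked here, to lie in the shared prefix.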