From 9daf701ad6e4f2d60a18341ff790b361406d59c3 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Thu, 22 Apr 2021 19:26:28 +0200
Subject: [PATCH] [CVE-2021-3518] Fix user-after-free with `xmllint --xinclude --dropdtd`
The --dropdtd option can leave dangling pointers in entity reference nodes. Make sure to skip these nodes when processing XIncludes. This also avoids scanning entity declarations and even modifying them inadvertently during XInclude processing. Move from a block list to an allow list approach to avoid descending into other node types that can't contain elements. Fixes #237.
Change-Id: Ifd6eee2ade87d55469e234066186921b83fe4dd6
Signed-off-by: DongHun Kwak
---
 xinclude.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/xinclude.c b/xinclude.c
index ba850fa..74443c7 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
 while ((cur != NULL) && (cur != tree->parent)) {
 /* TODO: need to work on entities -> stack */
 if ((cur->children != NULL) &&
- (cur->children->type != XML_ENTITY_DECL) &&
- (cur->children->type != XML_XINCLUDE_START) &&
- (cur->children->type != XML_XINCLUDE_END)) {
+ ((cur->type == XML_DOCUMENT_NODE) ||
+ (cur->type == XML_ELEMENT_NODE))) {
 cur = cur->children;
 if (xmlXIncludeTestNode(ctxt, cur))
 xmlXIncludePreProcessNode(ctxt, cur);
--
2.7.4
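Review bot: The new allow-list condition on `cur->type` carries no comment saying why only document and element nodes are descended, so the reason (entity reference nodes can hold a dangling `children` pointer after `--dropdtd`, and the other node types cannot contain elements) lives only in the commit message and could be undone by a later "cleanup"; I would add above the `if`: `/* Only descend into document and element nodes: entity reference children may be dangling after --dropdtd, and other node types cannot contain elements. */`. The old first-child test for `XML_XINCLUDE_START`/`XML_XINCLUDE_END` is dropped together with the block list, so an element whose first child is an XInclude marker is now entered; presumably the rest of the loop still avoids re-processing already-expanded content, but that code is outside the hunk and worth confirming. The allow list also excludes `XML_HTML_DOCUMENT_NODE` and `XML_DOCUMENT_FRAG_NODE` roots, which is fine if XInclude processing is never started on such a node, but if it can be, the traversal would now silently do nothing for them. xmlXIncludeDoProcess starts and ends outside the hunk.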