The variable cvp is stored on the stack and is uninitialized. So the field ctxt->flags in valid.c xmlIsStreaming() contains random data. The logic of xmlIsStreaming() can do an invalid cast and pointer dereference pctxt->parseMode and may crash there. Use memset() to pass correct zero flags in xmlValidCtxt cvp variable down to xmlValidateDocument().
shlomif
commented
1 year ago
The variable cvp is stored on the stack and is uninitialized. So the field ctxt->flags in valid.c xmlIsStreaming() contains random data. The logic of xmlIsStreaming() can do an invalid cast and pointer dereference pctxt->parseMode and may crash there. Use memset() to pass correct zero flags in xmlValidCtxt cvp variable down to xmlValidateDocument().