fix memsize_node when called on xmlAttrs

The `properties` field of an `xmlNode` element points to an `xmlAttr`. The first few fields of `xmlAttr` are in common with `xmlNode`, but not the `properties` field which doesn't exist in an `xmlAttr`. The `memsize_node` function was passing an `xmlAttr` to a recursive call and then trying to do the same with the properties of that. This led to type confusion and subsequent crashes. Fixes: sparklemotion#2923
stevecheckoway · Jul 6, 2023 · 81762fa · 81762fa
1 parent 2edbbef
commit 81762fa
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/ext/nokogiri/xml_document.c b/ext/nokogiri/xml_document.c
@@ -103,8 +103,11 @@ memsize_node(const xmlNodePtr node)
   size_t memsize = 0;
 
   memsize += xmlStrlen(node->name);
-  for (child = (xmlNodePtr)node->properties; child; child = child->next) {
-    memsize += sizeof(xmlAttr) + memsize_node(child);
+
+  if (node->type == XML_ELEMENT_NODE) {
+    for (child = (xmlNodePtr)node->properties; child; child = child->next) {
+      memsize += sizeof(xmlAttr) + memsize_node(child);
+    }
   }
   if (node->type == XML_TEXT_NODE) {
     memsize += xmlStrlen(node->content);