From b215c270fa3b1436314cc56654718bd12182cfec Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 13 Sep 2020 12:19:48 +0200
Subject: [PATCH] Fix cleanup of attributes in XML reader

xml:id creates ID attributes even in documents without a DTD, so the
check in xmlTextReaderFreeProp must be changed to avoid use after free.

Found by OSS-Fuzz.
---
 xmlreader.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/xmlreader.c b/xmlreader.c
index a9b9ef93..01adf74f 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -359,12 +359,12 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
 	xmlDeregisterNodeDefaultValue((xmlNodePtr) cur);
 
     /* Check for ID removal -> leading to invalid references ! */
-    if ((cur->parent != NULL) && (cur->parent->doc != NULL) &&
-	((cur->parent->doc->intSubset != NULL) ||
-	 (cur->parent->doc->extSubset != NULL))) {
+    if ((cur->parent != NULL) && (cur->parent->doc != NULL)) {
         if (xmlIsID(cur->parent->doc, cur->parent, cur))
 	    xmlTextReaderRemoveID(cur->parent->doc, cur);
-        if (xmlIsRef(cur->parent->doc, cur->parent, cur))
+	if (((cur->parent->doc->intSubset != NULL) ||
+	     (cur->parent->doc->extSubset != NULL)) &&
+            (xmlIsRef(cur->parent->doc, cur->parent, cur)))
             xmlTextReaderRemoveRef(cur->parent->doc, cur);
     }
     if (cur->children != NULL)
-- 
2.27.0