fix memsize_node when called on xmlAttrs

stevecheckoway · flavorjones · commit c39ec3033ed4 · 2023-08-11T11:16:53.000-04:00
The `properties` field of an `xmlNode` element points to an `xmlAttr`. The first few fields of `xmlAttr` are in common with `xmlNode`, but not the `properties` field which doesn't exist in an `xmlAttr`. The `memsize_node` function was passing an `xmlAttr` to a recursive call and then trying to do the same with the properties of that. This led to type confusion and subsequent crashes. Fixes: #2923 (cherry picked from commit 81762fa)
diff --git a/ext/nokogiri/xml_document.c b/ext/nokogiri/xml_document.c
@@ -103,8 +103,11 @@ memsize_node(const xmlNodePtr node)
   size_t memsize = 0;
 
   memsize += xmlStrlen(node->name);
-  for (child = (xmlNodePtr)node->properties; child; child = child->next) {
-    memsize += sizeof(xmlAttr) + memsize_node(child);
+
+  if (node->type == XML_ELEMENT_NODE) {
+    for (child = (xmlNodePtr)node->properties; child; child = child->next) {
+      memsize += sizeof(xmlAttr) + memsize_node(child);
+    }
   }
   if (node->type == XML_TEXT_NODE) {
     memsize += xmlStrlen(node->content);
