From 6a37870125901165d10cc934d139fa259ff98ef5 Mon Sep 17 00:00:00 2001
From: "sgunderson@bigfoot.com" <>
Date: Thu, 22 Sep 2011 23:50:48 +0200
Subject: [PATCH] Fix a possible use-after-free in the C++11 version; substitution could remove an element due to clean, and still want to read out its name.
---
 c++11/xml-template.cpp | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/c++11/xml-template.cpp b/c++11/xml-template.cpp
index 317a561..2e8fb94 100644
--- a/c++11/xml-template.cpp
+++ b/c++11/xml-template.cpp
@@ -168,8 +168,8 @@ void Substitute::process(xmlNode *node, bool clean)
 {
 xmlNode *next_child;
 for (xmlNode *child = node->children; child != NULL; child = next_child) {
- next_child = child->next;
- bool processed = false;
+ next_child = child->next;
+ Directive *next_processor = this;
 if (child->type == XML_ELEMENT_NODE) {
 // Find the ID, if any.
@@ -208,22 +208,16 @@ void Substitute::process(xmlNode *node, bool clean)
 xmlSetProp(child, attr_key, attr_value);
 }
- if (processed) {
- continue;
- }
-
- // Regular substitution.
+ // Regular substitution. (Don't call process() immediately, because
+ // that might delete the element, which would cause problems.)
 if (it.first == tag || (!id.empty() && it.first == ("#" + id))) {
- it.second->process(child, clean);
- processed = true;
+ next_processor = it.second;
 }
 }
 }
- if (!processed) {
- process(child, clean);
- }
+ next_processor->process(child, clean);
 }
 if (clean) {
 clean_node(node);
--
2.39.2
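Review bot: In the second hunk `next_processor = it.second;` is assigned on every matching entry, so the last match in the loop now wins, whereas the removed `processed` flag let only the first matching directive run. When both the tag key and the `#id` key are present with different directives, the one that processes the element changes silently; `if (next_processor == this && (it.first == tag || (!id.empty() && it.first == ("#" + id)))) {` would keep first-match behaviour, otherwise the new precedence deserves a line in the comment. The loop header is outside the hunk, so the iteration order is inferred from the `it.first`/`it.second` uses. The new comment could also name the hazard rather than "problems": going by the commit message, with `clean` set the directive may free `child` while later iterations of this loop still read from it.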