From e42ebbb33f0408d7c69ea12f348151d2c1ba44e9 Mon Sep 17 00:00:00 2001
From: Andrey Volk <andywolk@gmail.com>
Date: Sun, 25 Apr 2021 03:52:33 +0300
Subject: [PATCH] [Core] scan-build: Fix false-positive use-after-free in
 switch_xml_free_attr(). Add unit test.

---
 src/switch_xml.c         | 10 +++++-----
 tests/unit/switch_core.c | 10 ++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/switch_xml.c b/src/switch_xml.c
index 13ac47d8a5..407a81767f 100644
--- a/src/switch_xml.c
+++ b/src/switch_xml.c
@@ -1000,15 +1000,15 @@ static char *switch_xml_str2utf8(char **s, switch_size_t *len)
 /* frees a tag attribute list */
 static void switch_xml_free_attr(char **attr)
 {
-	int i = 0;
+	int i, c = 0;
 	char *m;
 
 	if (!attr || attr == SWITCH_XML_NIL)
 		return;					/* nothing to free */
-	while (attr[i])
-		i += 2;					/* find end of attribute list */
-	m = attr[i + 1];			/* list of which names and values are malloced */
-	for (i = 0; m[i]; i++) {
+	while (attr[c])
+		c += 2;					/* find end of attribute list */
+	m = attr[c + 1];			/* list of which names and values are malloced */
+	for (i = c / 2 - 1; i >= 0 ; i--) {
 		if (m[i] & SWITCH_XML_NAMEM)
 			free(attr[i * 2]);
 		if (m[i] & SWITCH_XML_TXTM)
diff --git a/tests/unit/switch_core.c b/tests/unit/switch_core.c
index 56a700c0fb..0e914fa070 100644
--- a/tests/unit/switch_core.c
+++ b/tests/unit/switch_core.c
@@ -53,6 +53,16 @@ FST_CORE_BEGIN("./conf")
 		}
 		FST_TEARDOWN_END()
 
+		FST_TEST_BEGIN(test_xml_free_attr)
+		{
+			switch_xml_t parent_xml = switch_xml_new("xml");
+			switch_xml_t xml = switch_xml_add_child_d(parent_xml, "test", 1);
+			switch_xml_set_attr(xml, "a1", "v1");
+			switch_xml_set_attr_d(xml, "a2", "v2");
+			switch_xml_free(parent_xml);
+		}
+		FST_TEST_END()
+
 		FST_TEST_BEGIN(test_xml_set_attr)
 		{
 			switch_xml_t parent_xml = switch_xml_new("xml");