From 2355eac59e91e1465696150cf0efc9029ba4f9b2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 22 Jan 2023 14:52:06 +0100
Subject: [PATCH] malloc-fail: Fix null deref if growing input buffer fails

Also add some error checks.

Found with libFuzzer, see #344.

Reference:https://github.com/GNOME/libxml2/commit/2355eac59e91e1465696150cf0efc9029ba4f9b2
Conflict:xmlIO.c
---
 encoding.c        | 3 ++-
 parserInternals.c | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/encoding.c b/encoding.c
index 8ce407f..c073a9c 100644
--- a/encoding.c
+++ b/encoding.c
@@ -2288,7 +2288,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush)
         toconv = 64 * 1024;
     written = xmlBufAvail(out);
     if (toconv * 2 >= written) {
-        xmlBufGrow(out, toconv * 2);
+        if (xmlBufGrow(out, toconv * 2) < 0)
+            return (-1);
         written = xmlBufAvail(out);
     }
     if ((written > 128 * 1024) && (flush == 0))
diff --git a/parserInternals.c b/parserInternals.c
index cee4cd9..dd1dc9c 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -326,6 +326,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
     ret = xmlParserInputBufferGrow(in->buf, len);
 
     in->base = xmlBufContent(in->buf->buffer);
+    if (in->base == NULL) {
+        in->base = BAD_CAST "";
+        in->cur = in->base;
+        in->end = in->base;
+        return(-1);
+    }
     in->cur = in->base + indx;
     in->end = xmlBufEnd(in->buf->buffer);
 
-- 
2.27.0