From 44947afba0ded433c6f4ffc10ee646c4b267f2b7 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Sun, 26 Feb 2023 14:41:35 +0100 Subject: [PATCH] malloc-fail: Fix null deref after xmlPointerListAddSize Found with libFuzzer, see #344. Reference:https://github.com/GNOME/libxml2/commit/44947afba0ded433c6f4ffc10ee646c4b267f2b7 Conflict:NA --- xpath.c | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/xpath.c b/xpath.c index 54d9c58..84b139d 100644 --- a/xpath.c +++ b/xpath.c @@ -812,32 +812,30 @@ xmlPointerListAddSize(xmlPointerListPtr list, void *item, int initialSize) { - if (list->items == NULL) { - if (initialSize <= 0) - initialSize = 1; - list->items = (void **) xmlMalloc(initialSize * sizeof(void *)); - if (list->items == NULL) { - xmlXPathErrMemory(NULL, - "xmlPointerListCreate: allocating item\n"); - return(-1); - } - list->number = 0; - list->size = initialSize; - } else if (list->size <= list->number) { - if (list->size > 50000000) { - xmlXPathErrMemory(NULL, - "xmlPointerListAddSize: re-allocating item\n"); - return(-1); + if (list->size <= list->number) { + void **tmp; + size_t newSize; + + if (list->size == 0) { + if (initialSize <= 0) + initialSize = 1; + newSize = initialSize; + } else { + if (list->size > 50000000) { + xmlXPathErrMemory(NULL, + "xmlPointerListAddSize: re-allocating item\n"); + return(-1); + } + newSize = list->size * 2; } - list->size *= 2; - list->items = (void **) xmlRealloc(list->items, - list->size * sizeof(void *)); - if (list->items == NULL) { + tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *)); + if (tmp == NULL) { xmlXPathErrMemory(NULL, "xmlPointerListAddSize: re-allocating item\n"); - list->size = 0; return(-1); } + list->items = tmp; + list->size = newSize; } list->items[list->number++] = item; return(0); -- 2.27.0