1From c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Mon, 23 Jan 2023 10:19:59 +0100
4Subject: [PATCH] malloc-fail: Don't call xmlErrMemory in xmlstring.c
5
6Functions like xmlStrdup are called in the error handling code
7(__xmlRaiseError) which can cause problems like use-after-free or
8infinite loops when invoked recursively.
9
10Calling xmlErrMemory without a context argument isn't helpful anyway.
11
12Found with libFuzzer, see #344.
13
14Reference: https://github.com/GNOME/libxml2/commit/c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e
15Conflict: xmlstring.c
16---
17 xmlstring.c | 5 -----
18 1 file changed, 5 deletions(-)
19
20diff --git a/xmlstring.c b/xmlstring.c
21index 5a6875f..9709545 100644
22--- a/xmlstring.c
23+++ b/xmlstring.c
24@@ -45,7 +45,6 @@ xmlStrndup(const xmlChar *cur, int len) {
25     if ((cur == NULL) || (len < 0)) return(NULL);
26     ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
27     if (ret == NULL) {
28-        xmlErrMemory(NULL, NULL);
29         return(NULL);
30     }
31     memcpy(ret, cur, len * sizeof(xmlChar));
32@@ -90,7 +89,6 @@ xmlCharStrndup(const char *cur, int len) {
33     if ((cur == NULL) || (len < 0)) return(NULL);
34     ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
35     if (ret == NULL) {
36-        xmlErrMemory(NULL, NULL);
37         return(NULL);
38     }
39     for (i = 0;i < len;i++) {
40@@ -465,7 +463,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
41         return(NULL);
42     ret = (xmlChar *) xmlRealloc(cur, ((size_t) size + len + 1) * sizeof(xmlChar));
43     if (ret == NULL) {
44-        xmlErrMemory(NULL, NULL);
45         return(cur);
46     }
47     memcpy(&ret[size], add, len * sizeof(xmlChar));
48@@ -505,7 +502,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
49         return(NULL);
50     ret = (xmlChar *) xmlMalloc(((size_t) size + len + 1) * sizeof(xmlChar));
51     if (ret == NULL) {
52-        xmlErrMemory(NULL, NULL);
53         return(xmlStrndup(str1, size));
54     }
55     memcpy(ret, str1, size * sizeof(xmlChar));
56@@ -1034,7 +1030,6 @@ xmlEscapeFormatString(xmlChar **msg)
57            out-of-memory situations. */
58         xmlFree(*msg);
59         *msg = NULL;
60-        xmlErrMemory(NULL, NULL);
61         return(NULL);
62     }
63
64--
652.27.0
66
67