1From d08fd8306e224c48dedc1a9b549376ae1d4c7f6c Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Fri, 17 Feb 2023 15:53:07 +0100
4Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/1743c4c3fc58cf38ecce68db9de51d0f3651e033
9Conflict:xmlregexp.c
10
11---
12 xmlregexp.c | 12 ++++++++++++
13 1 file changed, 12 insertions(+)
14
15diff --git a/xmlregexp.c b/xmlregexp.c
16index 360916f..e7c48a4 100644
17--- a/xmlregexp.c
18+++ b/xmlregexp.c
19@@ -1681,6 +1681,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
20                     }
21 		    inter = ctxt->state;
22 		    counter = xmlRegGetCounter(ctxt);
23+                    if (counter < 0)
24+                        return(-1);
25 		    ctxt->counters[counter].min = atom->min - 1;
26 		    ctxt->counters[counter].max = atom->max - 1;
27 		    /* count the number of times we see it again */
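Review bot: The added `if (counter < 0) return(-1);` guard in xmlFAGenerateTransitions, here and at the second xmlRegGetCounter call in the next hunk, has no comment explaining why a counter index can be negative. Going by the commit subject, that is the allocation-failure return of xmlRegGetCounter, so a one-line comment such as `/* xmlRegGetCounter failed (allocation); do not index ctxt->counters */` would keep the check from being removed in a later cleanup. The early return leaves whatever the function built before this point attached to the context, and the function body starts and ends outside the hunk, so it is worth confirming that callers treat -1 as fatal and stop compiling the expression. The added lines are also space-indented while the surrounding context uses tabs.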
28@@ -1699,6 +1701,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
29 		     * epsilon transition.
30 		     */
31 		    counter = xmlRegGetCounter(ctxt);
32+                    if (counter < 0)
33+                        return(-1);
34 		    ctxt->counters[counter].min = atom->min - 1;
35 		    ctxt->counters[counter].max = atom->max - 1;
36 		    /* allow a way out based on the count */
37@@ -6025,6 +6029,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
38      * associate a counter to the transition.
39      */
40     counter = xmlRegGetCounter(am);
41+    if (counter < 0)
42+        goto error;
43     am->counters[counter].min = min;
44     am->counters[counter].max = max;
45
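Review bot: The `goto error` added after xmlRegGetCounter in xmlAutomataNewCountTrans2 jumps to a label outside the hunk, so the cleanup it relies on cannot be checked from here. The same applies to the identical guards in xmlAutomataNewCountTrans, xmlAutomataNewOnceTrans2 and xmlAutomataNewOnceTrans. Anything these functions allocated before reaching the counter has to be released under `error`, otherwise the malloc-failure path swaps the out-of-bounds access for a leak. Because the patch header records a conflict in xmlregexp.c, confirm that the label exists with that cleanup in all four functions of this tree. A short comment above each guard, for example `/* counter allocation failed */`, would document why the index is tested before `am->counters[counter]` is written.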
46@@ -6099,6 +6105,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
47      * associate a counter to the transition.
48      */
49     counter = xmlRegGetCounter(am);
50+    if (counter < 0)
51+        goto error;
52     am->counters[counter].min = min;
53     am->counters[counter].max = max;
54
55@@ -6191,6 +6199,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
56      * associate a counter to the transition.
57      */
58     counter = xmlRegGetCounter(am);
59+    if (counter < 0)
60+        goto error;
61     am->counters[counter].min = 1;
62     am->counters[counter].max = 1;
63
64@@ -6256,6 +6266,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
65      * associate a counter to the transition.
66      */
67     counter = xmlRegGetCounter(am);
68+    if (counter < 0)
69+        goto error;
70     am->counters[counter].min = 1;
71     am->counters[counter].max = 1;
72
73--
742.27.0
75
76