1From 621c222efe87946ad8e53f59e28c782979d340c8 Mon Sep 17 00:00:00 2001 2From: Nick Wellnhofer <wellnhofer@aevum.de> 3Date: Mon, 30 Jan 2023 15:48:11 +0100 4Subject: [PATCH] malloc-fail: Fix error check in xmlXPathCompareValues 5 6Avoid null deref. 7 8Found with libFuzzer, see #344. 9 10Reference:https://github.com/GNOME/libxml2/commit/621c222efe87946ad8e53f59e28c782979d340c8 11Conflict:NA 12--- 13 xpath.c | 12 ++---------- 14 1 file changed, 2 insertions(+), 10 deletions(-) 15 16diff --git a/xpath.c b/xpath.c 17index 77d5434..fcbc7e3 100644 18--- a/xpath.c 19+++ b/xpath.c 20@@ -7367,21 +7367,13 @@ xmlXPathCompareValues(xmlXPathParserContextPtr ctxt, int inf, int strict) { 21 valuePush(ctxt, arg1); 22 xmlXPathNumberFunction(ctxt, 1); 23 arg1 = valuePop(ctxt); 24- } 25- if (arg1->type != XPATH_NUMBER) { 26- xmlXPathFreeObject(arg1); 27- xmlXPathFreeObject(arg2); 28- XP_ERROR0(XPATH_INVALID_OPERAND); 29+ CHECK_ERROR0; 30 } 31 if (arg2->type != XPATH_NUMBER) { 32 valuePush(ctxt, arg2); 33 xmlXPathNumberFunction(ctxt, 1); 34 arg2 = valuePop(ctxt); 35- } 36- if (arg2->type != XPATH_NUMBER) { 37- xmlXPathReleaseObject(ctxt->context, arg1); 38- xmlXPathReleaseObject(ctxt->context, arg2); 39- XP_ERROR0(XPATH_INVALID_OPERAND); 40+ CHECK_ERROR0; 41 } 42 /* 43 * Add tests for infinity and nan 44-- 452.27.0 46 47