1From 04c2955197b53eb106037bc1d422bb80b39abbf6 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Thu, 16 Feb 2023 14:53:29 +0100
4Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseContentInternal
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/04c2955197b53eb106037bc1d422bb80b39abbf6
9Conflict:NA
10---
11 HTMLparser.c | 32 ++++++++++++++++++++++++++++++--
12 1 file changed, 30 insertions(+), 2 deletions(-)
13
14diff --git a/HTMLparser.c b/HTMLparser.c
15index 5272c25..f90053a 100644
16--- a/HTMLparser.c
17+++ b/HTMLparser.c
18@@ -4718,8 +4718,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
19     int depth;
20     const xmlChar *name;
21
22-    currentNode = xmlStrdup(ctxt->name);
23     depth = ctxt->nameNr;
24+    if (depth <= 0) {
25+        currentNode = NULL;
26+    } else {
27+        currentNode = xmlStrdup(ctxt->name);
28+        if (currentNode == NULL) {
29+            htmlErrMemory(ctxt, NULL);
30+            return;
31+        }
32+    }
33     while (1) {
34         GROW;
35
36@@ -4735,8 +4743,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
37 		if (currentNode != NULL)
38 		    xmlFree(currentNode);
39
40-	        currentNode = xmlStrdup(ctxt->name);
41 	        depth = ctxt->nameNr;
42+                if (depth <= 0) {
43+                    currentNode = NULL;
44+                } else {
45+                    currentNode = xmlStrdup(ctxt->name);
46+                    if (currentNode == NULL) {
47+                        htmlErrMemory(ctxt, NULL);
48+                        break;
49+                    }
50+                }
51 	    }
52 	    continue; /* while */
53         }
54@@ -4758,6 +4774,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
55 	            xmlFree(currentNode);
56
57 	        currentNode = xmlStrdup(ctxt->name);
58+                if (currentNode == NULL) {
59+                    htmlErrMemory(ctxt, NULL);
60+                    break;
61+                }
62 	        depth = ctxt->nameNr;
63 	        continue;
64 	    }
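Review bot: The new check after `currentNode = xmlStrdup(ctxt->name);` treats every NULL result as an allocation failure, yet the first two hunks of this same patch show that `ctxt->name` can itself be NULL whenever `ctxt->nameNr <= 0`, and `xmlStrdup(NULL)` returns NULL without allocating anything. On this path (invalid element name with an empty name stack) the parser would report a spurious memory error and `break` out of the content loop instead of carrying on. Either mirror the `depth <= 0` guard used in the first two hunks here, or narrow the test to `if ((currentNode == NULL) && (ctxt->name != NULL)) {` so only a real allocation failure is reported. The enclosing `else if` branch begins outside the hunk, so I cannot see whether an earlier condition already rules out an empty stack at this point.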
65@@ -4781,6 +4801,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
66 	    if (currentNode != NULL) xmlFree(currentNode);
67
68 	    currentNode = xmlStrdup(ctxt->name);
69+            if (currentNode == NULL) {
70+                htmlErrMemory(ctxt, NULL);
71+                break;
72+            }
73 	    depth = ctxt->nameNr;
74 	    continue;
75 	}
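Review bot: This site has the same shape as the previous one: `xmlStrdup(ctxt->name)` followed by an unconditional NULL-means-OOM check, without the `depth <= 0` guard that the first two hunks add for exactly this call. If the condition that opens this block (outside the hunk) already requires `ctxt->nameNr > 0` the check is safe as written, but that invariant is not visible here and a NULL `ctxt->name` would be misreported as a memory error and terminate the loop. Making it explicit with `if ((currentNode == NULL) && (ctxt->name != NULL)) {` keeps all five sites consistent and documents the assumption. The enclosing `if` starts outside the hunk.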
76@@ -4829,6 +4853,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
77 		if (currentNode != NULL) xmlFree(currentNode);
78
79 		currentNode = xmlStrdup(ctxt->name);
80+            if (currentNode == NULL) {
81+                htmlErrMemory(ctxt, NULL);
82+                break;
83+            }
84 		depth = ctxt->nameNr;
85 	    }
86 	    else if (CUR == '<') {
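Review bot: The added `if (currentNode == NULL)` block reports `htmlErrMemory` and breaks the loop for any NULL from `xmlStrdup(ctxt->name)`, but this site appears to run after a sub-element parse (the call itself is outside the hunk), after which the name stack may have been popped back to empty and `ctxt->name` set to NULL; `xmlStrdup(NULL)` then returns NULL without an allocation, so a well-formed document would hit a false out-of-memory error and stop being parsed. Whether the stack can actually be empty here depends on implied-element handling I cannot see, but the first two hunks already guard `depth <= 0` before this same call, so this site should follow that pattern or use `if ((currentNode == NULL) && (ctxt->name != NULL)) {`. Separately, the four added lines are indented with 12 spaces while `xmlFree(currentNode);` and `depth = ctxt->nameNr;` around them use two tabs, so the new block visually reads as belonging to the outer scope; re-indent it to match `depth = ctxt->nameNr;`. The enclosing `else` block and the `while` loop both extend beyond the hunk.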
87--
882.27.0
89
90
91