1From d1b87856931797c5c527cee16d96e482a45b99ed Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 22 Jan 2023 17:42:09 +0100
4Subject: [PATCH] malloc-fail: Fix infinite loop in xmlParseTextDecl
5
6Memory errors can set `instate` to `XML_PARSER_EOF` which results in
7`NEXT` making no progress.
8
9Found with libFuzzer, see #344.
10
11Reference:https://github.com/GNOME/libxml2/commit/d1b87856931797c5c527cee16d96e482a45b99ed
12Conflict:NA
13---
14 parser.c | 2 ++
15 1 file changed, 2 insertions(+)
16
17diff --git a/parser.c b/parser.c
18index 9127deb..fafae15 100644
19--- a/parser.c
20+++ b/parser.c
21@@ -6957,6 +6957,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
22 * We must have the encoding declaration
23 */
24 encoding = xmlParseEncodingDecl(ctxt);
25+ if (ctxt->instate == XML_PARSER_EOF)
26+ return;
27 if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
28 /*
29 * The XML REC instructs us to stop parsing right here
30--
312.27.0
32
33
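Review bot: The added `instate == XML_PARSER_EOF` guard right after the `xmlParseEncodingDecl` call carries no comment, and the reason it is needed (per the commit message, a memory error can leave the parser in EOF state where `NEXT` no longer advances, so the loop further down would spin) is not obvious from the two lines themselves; I would put `/* A malloc failure may have set instate to XML_PARSER_EOF, in which case NEXT makes no progress; stop here instead of looping. */` above the `if`. xmlParseTextDecl starts before and ends after this hunk, so I cannot see whether earlier parse calls in the same function can reach the same state and would need the same guard; worth confirming. Note also that `encoding` has already been assigned when the new `return` fires; if that pointer is owned by the parser context, as libxml2's encoding handling usually arranges, nothing leaks, but the declaration is outside the hunk and deserves a glance.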