1From 85bc313e7996c06d52b6f6f5c6a467ff3a148e75 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Wed, 15 Feb 2023 13:49:28 +0100
4Subject: [PATCH] malloc-fail: Fix memory leak after calling valuePush
5
6Destroy the object in valuePush if the function fails. This is somewhat
7dangerous but matches the expectations of users.
8
9Found with libFuzzer, see #344.
10
11Reference:https://github.com/GNOME/libxml2/commit/85bc313e7996c06d52b6f6f5c6a467ff3a148e75
12Conflict:NA
13---
14 xpath.c | 4 ++++
15 1 file changed, 4 insertions(+)
16
17diff --git a/xpath.c b/xpath.c
18index 7833870..dc99e63 100644
19--- a/xpath.c
20+++ b/xpath.c
21@@ -2881,6 +2881,8 @@ valuePop(xmlXPathParserContextPtr ctxt)
22 * a memory error is recorded in the parser context.
23 *
24 * Returns the number of items on the value stack, or -1 in case of error.
25+ *
26+ * The object is destroyed in case of error.
27 */
28 int
29 valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value)
30@@ -2899,6 +2901,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value)
31
32 if (ctxt->valueMax >= XPATH_MAX_STACK_DEPTH) {
33 xmlXPathPErrMemory(ctxt, "XPath stack depth limit reached\n");
34+ xmlXPathFreeObject(value);
35 return (-1);
36 }
37 tmp = (xmlXPathObjectPtr *) xmlRealloc(ctxt->valueTab,
38@@ -2906,6 +2909,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value)
39 sizeof(ctxt->valueTab[0]));
40 if (tmp == NULL) {
41 xmlXPathPErrMemory(ctxt, "pushing value\n");
42+ xmlXPathFreeObject(value);
43 return (-1);
44 }
45 ctxt->valueMax *= 2;
46--
472.27.0
48
49
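Review bot: The new doc line "The object is destroyed in case of error." in the valuePush header comment states the new behaviour but not its consequence for the caller, which is the part that matters for safety: after a -1 return `value` is a dangling pointer and must be neither freed nor read. Since the commit message itself calls this "somewhat dangerous", the contract should spell out the ownership transfer, e.g. `* valuePush takes ownership of @value on every path: if -1 is returned the object has already been freed, so the caller must not release it or use it afterwards.` The body of valuePush lies outside this hunk, so the comment is the only place the new contract is visible to callers.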
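Review bot: The `xmlXPathFreeObject(value);` added before `return (-1);` on the stack-depth-limit path inverts the ownership rule for every existing caller, and the diffstat shows this patch touches no call site (4 insertions, all in valuePush). Any caller that already releases its object when valuePush returns -1, which is exactly what the old contract required to avoid the leak, now double-frees it; a double free is a worse outcome than the leak being fixed, so the call sites of valuePush in xpath.c and in any other file that uses it need to be audited in the same change, removing the caller-side release and any later use of the local pointer. I cannot see those callers from here, so this is a request for the audit rather than a claim that one is broken. The prologue of valuePush (its parameter checks and the non-growing fast path) is outside this hunk.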