1From d31a0e8e7599bfb691616f7c59ff8d39b982aa55 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Wed, 15 Feb 2023 14:47:29 +0100
4Subject: [PATCH] malloc-fail: Fix memory leak after calling xmlXPathWrapString
5
6Destroy the string in xmlXPathWrapString if the function fails. This is
7somewhat dangerous but matches the expectations of users.
8
9Found with libFuzzer, see #344.
10
11Reference:https://github.com/GNOME/libxml2/commit/d31a0e8e7599bfb691616f7c59ff8d39b982aa55
12Conflict:xpath.c
13---
14 xpath.c | 3 +++
15 1 file changed, 3 insertions(+)
16
17diff --git a/xpath.c b/xpath.c
18index 5a6d762..cf74030 100644
19--- a/xpath.c
20+++ b/xpath.c
21@@ -5289,6 +5289,8 @@ xmlXPathNewString(const xmlChar *val) {
22 * Wraps the @val string into an XPath object.
23 *
24 * Returns the newly created object.
25+ *
26+ * Frees @val in case of error.
27 */
28 xmlXPathObjectPtr
29 xmlXPathWrapString (xmlChar *val) {
30@@ -5297,6 +5299,7 @@ xmlXPathWrapString (xmlChar *val) {
31 ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
32 if (ret == NULL) {
33 xmlXPathErrMemory(NULL, "creating string object\n");
34+ xmlFree(val);
35 return(NULL);
36 }
37 memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
38--
392.27.0
40
41
42
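Review bot: The added `xmlFree(val);` in the `ret == NULL` branch of xmlXPathWrapString moves ownership of @val to the callee on failure, so any caller that still frees or reuses its string after a NULL return now hits a double free or use-after-free where it previously only leaked. No call sites are part of this patch, so in-tree and downstream callers need an audit for that pattern; the commit message itself calls the change "somewhat dangerous". The comment line added in the first hunk states what the function does but not what the caller must stop doing; I would make it `* Frees @val in case of error; callers must not free or reuse @val after a NULL return.` The function body continues past the end of the second hunk, so what happens to @val on the success path is not visible here.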