1From 40bc1c699a7999626d3384be43684f2a68dad6c4 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Fri, 17 Feb 2023 15:40:32 +0100
4Subject: [PATCH] malloc-fail: Fix memory leak in xmlFAParseCharProp
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/40bc1c699a7999626d3384be43684f2a68dad6c4
9Conflict:NA
10---
11 xmlregexp.c | 26 ++++++++++++++++----------
12 1 file changed, 16 insertions(+), 10 deletions(-)
13
14diff --git a/xmlregexp.c b/xmlregexp.c
15index fb2eadc..8c2ea81 100644
16--- a/xmlregexp.c
17+++ b/xmlregexp.c
18@@ -1245,7 +1245,7 @@ xmlRegPrintCtxt(FILE *output, xmlRegParserCtxtPtr ctxt) {
19  *									*
20  ************************************************************************/
21
22-static void
23+static xmlRegRangePtr
24 xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
25 	           int neg, xmlRegAtomType type, int start, int end,
26 		   xmlChar *blockName) {
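Review bot: The new return type on `xmlRegAtomAddRange` creates an ownership contract for `blockName` that is not documented anywhere in the visible hunks. Judging by the later hunks, the range takes `blockName` on success (`range->blockName = blockName`) and every `return(NULL)` path leaves it with the caller, which is what the added `xmlFree(blockName)` in xmlFAParseCharProp depends on. I would add a comment above the signature such as `/* Returns the new range, or NULL on error. On success the range owns blockName; on NULL the caller still owns it and must free it. */`. Other callers are not visible in this diff; any that pass a heap-allocated block name would need the same NULL check. The function body continues outside this hunk.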
27@@ -1253,11 +1253,11 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
28
29     if (atom == NULL) {
30 	ERROR("add range: atom is NULL");
31-	return;
32+	return(NULL);
33     }
34     if (atom->type != XML_REGEXP_RANGES) {
35 	ERROR("add range: atom is not ranges");
36-	return;
37+	return(NULL);
38     }
39     if (atom->maxRanges == 0) {
40 	atom->maxRanges = 4;
41@@ -1266,7 +1266,7 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
42 	if (atom->ranges == NULL) {
43 	    xmlRegexpErrMemory(ctxt, "adding ranges");
44 	    atom->maxRanges = 0;
45-	    return;
46+	    return(NULL);
47 	}
48     } else if (atom->nbRanges >= atom->maxRanges) {
49 	xmlRegRangePtr *tmp;
50@@ -1276,16 +1276,17 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
51 	if (tmp == NULL) {
52 	    xmlRegexpErrMemory(ctxt, "adding ranges");
53 	    atom->maxRanges /= 2;
54-	    return;
55+	    return(NULL);
56 	}
57 	atom->ranges = tmp;
58     }
59     range = xmlRegNewRange(ctxt, neg, type, start, end);
60     if (range == NULL)
61-	return;
62+	return(NULL);
63     range->blockName = blockName;
64     atom->ranges[atom->nbRanges++] = range;
65
66+    return(range);
67 }
68
69 static int
70@@ -4899,11 +4900,16 @@ xmlFAParseCharProp(xmlRegParserCtxtPtr ctxt) {
71     }
72     if (ctxt->atom == NULL) {
73 	ctxt->atom = xmlRegNewAtom(ctxt, type);
74-	if (ctxt->atom != NULL)
75-	    ctxt->atom->valuep = blockName;
76+        if (ctxt->atom == NULL) {
77+            xmlFree(blockName);
78+            return;
79+        }
80+	ctxt->atom->valuep = blockName;
81     } else if (ctxt->atom->type == XML_REGEXP_RANGES) {
82-        xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
83-		           type, 0, 0, blockName);
84+        if (xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
85+                               type, 0, 0, blockName) == NULL) {
86+            xmlFree(blockName);
87+        }
88     }
89 }
90
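Review bot: `blockName` is still neither stored nor freed when `ctxt->atom` is non-NULL and its type is not `XML_REGEXP_RANGES`, because the `if`/`else if` chain at the end of xmlFAParseCharProp has no final branch. Whether that state is reachable cannot be told from the hunk, but a trailing `} else { xmlFree(blockName); }` would close the path cheaply. This assumes `blockName` is heap-allocated or NULL on every route to this point, as the added `xmlFree` calls already do. The added lines are also indented with spaces while the surrounding context uses tabs. The function starts before the hunk.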
91--
922.27.0
93
94