From ed615967dfeba615218826bb4ef0c87877cb53cd Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 17 Feb 2023 15:23:42 +0100
Subject: [PATCH] malloc-fail: Fix memory leak in xmlRegexpCompile

Found with libFuzzer, see #344.

Reference:https://github.com/GNOME/libxml2/commit/ed615967dfeba615218826bb4ef0c87877cb53cd
Conflict:NA
---
 xmlregexp.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/xmlregexp.c b/xmlregexp.c
index 11c684a..360916f 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -5566,7 +5566,7 @@ xmlRegexpPrint(FILE *output, xmlRegexpPtr regexp) {
 */
 xmlRegexpPtr
 xmlRegexpCompile(const xmlChar *regexp) {
- xmlRegexpPtr ret;
+ xmlRegexpPtr ret = NULL;
 xmlRegParserCtxtPtr ctxt;
 
 ctxt = xmlRegNewParserCtxt(regexp);
@@ -5576,7 +5576,7 @@ xmlRegexpCompile(const xmlChar *regexp) {
 /* initialize the parser */
 ctxt->state = xmlRegStatePush(ctxt);
 if (ctxt->state == NULL)
- return(NULL);
+ goto error;
 ctxt->start = ctxt->state;
 ctxt->end = NULL;
 
@@ -5585,10 +5585,8 @@ xmlRegexpCompile(const xmlChar *regexp) {
 if (CUR != 0) {
 ERROR("xmlFAParseRegExp: extra characters");
 }
- if (ctxt->error != 0) {
- xmlRegFreeParserCtxt(ctxt);
- return(NULL);
- }
+ if (ctxt->error != 0)
+ goto error;
 ctxt->end = ctxt->state;
 ctxt->start->type = XML_REGEXP_START_STATE;
 ctxt->end->type = XML_REGEXP_FINAL_STATE;
@@ -5597,11 +5595,11 @@ xmlRegexpCompile(const xmlChar *regexp) {
 xmlFAEliminateEpsilonTransitions(ctxt);
 
 
- if (ctxt->error != 0) {
- xmlRegFreeParserCtxt(ctxt);
- return(NULL);
- }
+ if (ctxt->error != 0)
+ goto error;
 ret = xmlRegEpxFromParse(ctxt);
+
+error:
 xmlRegFreeParserCtxt(ctxt);
 return(ret);
 }
--
2.27.0


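Review bot: The new `error:` label in the last hunk is also reached on the success path, because `ret = xmlRegEpxFromParse(ctxt);` falls straight through into it, so a name that suggests a failure-only exit now marks the function's single cleanup point. A comment on the label would make that explicit, e.g. `error: /* common exit: ctxt is always freed here; ret stays NULL unless xmlRegEpxFromParse succeeded */`, or the label could be renamed to `done:` together with the three `goto error;` sites in the earlier hunks. The fix also relies on xmlRegFreeParserCtxt being safe to call after xmlRegEpxFromParse has transferred the parser's states and atoms into the returned regexp, and equally after xmlRegEpxFromParse fails part-way through; that function is outside this hunk, so it is worth confirming it leaves ctxt in a freeable state in both cases. The enclosing function xmlRegexpCompile begins in the first hunk, before this one.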