1From 961a4f35bfcbe3f2b0ca0932e880ea73cbb2ab2c Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 5 Mar 2023 14:10:41 +0100
4Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaParseUnion
5
6Also report malloc failure from xmlStrndup.
7
8Found with libFuzzer, see #344.
9
10Reference:https://github.com/GNOME/libxml2/commit/961a4f35bfcbe3f2b0ca0932e880ea73cbb2ab2c
11Conflict:NA
12---
13 xmlschemas.c | 6 ++++++
14 1 file changed, 6 insertions(+)
15
16diff --git a/xmlschemas.c b/xmlschemas.c
17index d2f8bf1..4dbee37 100644
18--- a/xmlschemas.c
19+++ b/xmlschemas.c
20@@ -9017,6 +9017,11 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema,
21 if (end == cur)
22 break;
23 tmp = xmlStrndup(cur, end - cur);
24+ if (tmp == NULL) {
25+ xmlSchemaPErrMemory(ctxt, "xmlSchemaParseUnion, "
26+ "duplicating type name", NULL);
27+ return (-1);
28+ }
29 if (xmlSchemaPValAttrNodeQNameValue(ctxt, schema,
30 NULL, attr, BAD_CAST tmp, &nsName, &localName) == 0) {
31 /*
32@@ -9027,6 +9032,7 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema,
33 if (link == NULL) {
34 xmlSchemaPErrMemory(ctxt, "xmlSchemaParseUnion, "
35 "allocating a type link", NULL);
36+ FREE_AND_NULL(tmp)
37 return (-1);
38 }
39 link->type = NULL;
40--
412.27.0
42
43
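Review bot: Ownership of `tmp` is still handled by hand at each exit: the new `tmp == NULL` branch returns from inside the member-type loop, and the second hunk adds `FREE_AND_NULL(tmp)` before the `return (-1);` under `link == NULL`. The loop body starts before the first hunk and continues past the second, so any other early return between the `xmlStrndup` call and the end of the iteration needs the same release, and that cannot be confirmed from the visible lines. A comment next to the allocation would record the rule for later edits, for example `/* tmp is a heap copy owned by this iteration; free it on every exit below */`. If more error exits exist, routing them through one cleanup label that frees `tmp` and returns -1 would remove this class of malloc-failure leak instead of patching the exits one at a time.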