1From 44947afba0ded433c6f4ffc10ee646c4b267f2b7 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 26 Feb 2023 14:41:35 +0100
4Subject: [PATCH] malloc-fail: Fix null deref after xmlPointerListAddSize
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/44947afba0ded433c6f4ffc10ee646c4b267f2b7
9Conflict:NA
10---
11 xpath.c | 40 +++++++++++++++++++---------------------
12 1 file changed, 19 insertions(+), 21 deletions(-)
13
14diff --git a/xpath.c b/xpath.c
15index 54d9c58..84b139d 100644
16--- a/xpath.c
17+++ b/xpath.c
18@@ -812,32 +812,30 @@ xmlPointerListAddSize(xmlPointerListPtr list,
19 void *item,
20 int initialSize)
21 {
22- if (list->items == NULL) {
23- if (initialSize <= 0)
24- initialSize = 1;
25- list->items = (void **) xmlMalloc(initialSize * sizeof(void *));
26- if (list->items == NULL) {
27- xmlXPathErrMemory(NULL,
28- "xmlPointerListCreate: allocating item\n");
29- return(-1);
30- }
31- list->number = 0;
32- list->size = initialSize;
33- } else if (list->size <= list->number) {
34- if (list->size > 50000000) {
35- xmlXPathErrMemory(NULL,
36- "xmlPointerListAddSize: re-allocating item\n");
37- return(-1);
38+ if (list->size <= list->number) {
39+ void **tmp;
40+ size_t newSize;
41+
42+ if (list->size == 0) {
43+ if (initialSize <= 0)
44+ initialSize = 1;
45+ newSize = initialSize;
46+ } else {
47+ if (list->size > 50000000) {
48+ xmlXPathErrMemory(NULL,
49+ "xmlPointerListAddSize: re-allocating item\n");
50+ return(-1);
51+ }
52+ newSize = list->size * 2;
53 }
54- list->size *= 2;
55- list->items = (void **) xmlRealloc(list->items,
56- list->size * sizeof(void *));
57- if (list->items == NULL) {
58+ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
59+ if (tmp == NULL) {
60 xmlXPathErrMemory(NULL,
61 "xmlPointerListAddSize: re-allocating item\n");
62- list->size = 0;
63 return(-1);
64 }
65+ list->items = tmp;
66+ list->size = newSize;
67 }
68 list->items[list->number++] = item;
69 return(0);
70--
712.27.0
72
73
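Review bot: The `list->size == 0` branch now sizes the buffer from `initialSize` alone and no longer resets `list->number` as the removed first-allocation path did, so the write `list->items[list->number++] = item;` at the end of the hunk is only in bounds if every list with `size == 0` also has `number == 0`; that invariant presumably holds for a freshly created list, but it is not enforced here and I cannot see the create/free code from this hunk. A cheap defensive guard would be `if (newSize <= (size_t) list->number) newSize = (size_t) list->number + 1;` after `newSize = initialSize;`, or at least a comment such as `/* size == 0 implies number == 0: the list must be zero-initialized on creation */` so the dependency is explicit. Separately, `list->size = newSize;` narrows `size_t` back to the `int` field; the 50000000 cap keeps the doubled value in range, but declaring `newSize` as `int` (or casting) would make that intent visible and silence `-Wconversion`. The function's opening line is in the `@@` context, outside the hunk body.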