1From 19b197b61646fd2ad7e584b739500876681c4e3d Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 5 Mar 2023 14:10:56 +0100
4Subject: [PATCH] malloc-fail: Fix null deref after xmlSchemaCompareDates
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/19b197b61646fd2ad7e584b739500876681c4e3d
9Conflict:NA
10---
11 xmlschemastypes.c | 28 ++++++++++++++++++++++++++++
12 1 file changed, 28 insertions(+)
13
14diff --git a/xmlschemastypes.c b/xmlschemastypes.c
15index 160777f..d5c7790 100644
16--- a/xmlschemastypes.c
17+++ b/xmlschemastypes.c
18@@ -4146,9 +4146,15 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
19
20 if (!y->value.date.tz_flag) {
21 p1 = xmlSchemaDateNormalize(x, 0);
22+ if (p1 == NULL)
23+ return -2;
24 p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day;
25 /* normalize y + 14:00 */
26 q1 = xmlSchemaDateNormalize(y, (14 * SECS_PER_HOUR));
27+ if (q1 == NULL) {
28+ xmlSchemaFreeValue(p1);
29+ return -2;
30+ }
31
32 q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day;
33 if (p1d < q1d) {
34@@ -4167,6 +4173,11 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
35 int ret = 0;
36 /* normalize y - 14:00 */
37 q2 = xmlSchemaDateNormalize(y, -(14 * SECS_PER_HOUR));
38+ if (q2 == NULL) {
39+ xmlSchemaFreeValue(p1);
40+ xmlSchemaFreeValue(q1);
41+ return -2;
42+ }
43 q2d = _xmlSchemaDateCastYMToDays(q2) + q2->value.date.day;
44 if (p1d > q2d)
45 ret = 1;
46@@ -4190,10 +4201,16 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
47 }
48 } else if (y->value.date.tz_flag) {
49 q1 = xmlSchemaDateNormalize(y, 0);
50+ if (q1 == NULL)
51+ return -2;
52 q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day;
53
54 /* normalize x - 14:00 */
55 p1 = xmlSchemaDateNormalize(x, -(14 * SECS_PER_HOUR));
56+ if (p1 == NULL) {
57+ xmlSchemaFreeValue(q1);
58+ return -2;
59+ }
60 p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day;
61
62 if (p1d < q1d) {
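Review bot: The `return -2` added after `p1 = xmlSchemaDateNormalize(x, 0)` has no comment saying that it signals a failed normalization rather than a comparison result, and the same bare value is returned in the four later hunks. I would add `/* -2: normalization failed (e.g. out of memory), not an ordering */` at this first check and make sure the function's header comment, which lies outside the hunk, lists -2 among the return values. Callers are not visible here, so it is worth confirming that they test for -2 before interpreting the sign; a negative error code is easily read as "x < y", which would turn an allocation failure into a wrong validation verdict.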
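Review bot: The free/free/return sequence at `if (q2 == NULL)` is written out by hand and is repeated at the `p2 == NULL` check, with shorter variants at the `q1`/`p1` checks in the other hunks, so every further allocation in this function needs its own cleanup list kept in sync with what is live at that point. A single exit path would keep that in one place: each block becomes `goto error;`, with an `error:` label at the end of the function that frees `p1`, `q1`, `p2` and `q2` and returns -2. That assumes the four pointers are initialised to NULL where they are declared and that `xmlSchemaFreeValue` accepts NULL, neither of which is visible here because the function starts and ends outside these hunks.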
63@@ -4212,6 +4229,11 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
64 int ret = 0;
65 /* normalize x + 14:00 */
66 p2 = xmlSchemaDateNormalize(x, (14 * SECS_PER_HOUR));
67+ if (p2 == NULL) {
68+ xmlSchemaFreeValue(p1);
69+ xmlSchemaFreeValue(q1);
70+ return -2;
71+ }
72 p2d = _xmlSchemaDateCastYMToDays(p2) + p2->value.date.day;
73
74 if (p2d > q1d) {
75@@ -4241,9 +4263,15 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
76 if (x->type == y->type) {
77 int ret = 0;
78 q1 = xmlSchemaDateNormalize(y, 0);
79+ if (q1 == NULL)
80+ return -2;
81 q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day;
82
83 p1 = xmlSchemaDateNormalize(x, 0);
84+ if (p1 == NULL) {
85+ xmlSchemaFreeValue(q1);
86+ return -2;
87+ }
88 p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day;
89
90 if (p1d < q1d) {
91--
922.27.0
93
94