1From 0c5f40b788410753eb73e3040be4f50b608923e1 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 22 Jan 2023 13:27:41 +0100
4Subject: [PATCH] malloc-fail: Fix null deref in xmlSAX2AttributeInternal
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/0c5f40b788410753eb73e3040be4f50b608923e1
9Conflict:NA
10---
11 SAX2.c | 36 ++++++++++++++++++------------------
12 1 file changed, 18 insertions(+), 18 deletions(-)
13
14diff --git a/SAX2.c b/SAX2.c
15index 3eebd2b..2426e93 100644
16--- a/SAX2.c
17+++ b/SAX2.c
18@@ -1297,25 +1297,25 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
19
20 /* !!!!!! <a toto:arg="" xmlns:toto="http://toto.com"> */
21 ret = xmlNewNsPropEatName(ctxt->node, namespace, name, NULL);
22+ if (ret == NULL)
23+ goto error;
24
25- if (ret != NULL) {
26- if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
27- xmlNodePtr tmp;
28-
29- ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
30- tmp = ret->children;
31- while (tmp != NULL) {
32- tmp->parent = (xmlNodePtr) ret;
33- if (tmp->next == NULL)
34- ret->last = tmp;
35- tmp = tmp->next;
36- }
37- } else if (value != NULL) {
38- ret->children = xmlNewDocText(ctxt->myDoc, value);
39- ret->last = ret->children;
40- if (ret->children != NULL)
41- ret->children->parent = (xmlNodePtr) ret;
42- }
43+ if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
44+ xmlNodePtr tmp;
45+
46+ ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
47+ tmp = ret->children;
48+ while (tmp != NULL) {
49+ tmp->parent = (xmlNodePtr) ret;
50+ if (tmp->next == NULL)
51+ ret->last = tmp;
52+ tmp = tmp->next;
53+ }
54+ } else if (value != NULL) {
55+ ret->children = xmlNewDocText(ctxt->myDoc, value);
56+ ret->last = ret->children;
57+ if (ret->children != NULL)
58+ ret->children->parent = (xmlNodePtr) ret;
59 }
60
61 #ifdef LIBXML_VALID_ENABLED
62--
632.27.0
64
65
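Review bot: The new `if (ret == NULL) goto error;` guards only the property allocation; in the `replaceEntities == 0` branch that follows, a NULL from `xmlStringGetNodeList` is indistinguishable from an empty value, so an allocation failure inside it leaves `ret->children` NULL and the function continues as if the attribute were legitimately empty, and the `else if` branch likewise tolerates a NULL from `xmlNewDocText` without reporting it. If the goal of this commit is to surface malloc failures, those two calls deserve the same treatment once the callee can signal failure distinctly from an empty result. The `error:` label and the rest of `xmlSAX2AttributeInternal` lie outside the hunk, so I cannot confirm from here that the jump releases `name`/`ns` and raises an out-of-memory error rather than returning silently; that is worth checking since the old code fell through to the validation block instead. A one-line comment above the new check, `/* property allocation failed: ret is NULL, do not touch it below */`, would make the reason for replacing the fall-through with a jump clear to the next reader.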