1From 0c5f40b788410753eb73e3040be4f50b608923e1 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 22 Jan 2023 13:27:41 +0100
4Subject: [PATCH] malloc-fail: Fix null deref in xmlSAX2AttributeInternal
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/0c5f40b788410753eb73e3040be4f50b608923e1
9Conflict:NA
10---
11 SAX2.c | 36 ++++++++++++++++++------------------
12 1 file changed, 18 insertions(+), 18 deletions(-)
13
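--- a/SAX2.c
+++ b/SAX2.c
@@ -1297,25 +1297,25 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
 
     /* !!!!!! <a toto:arg="" xmlns:toto="http://toto.com"> */
     ret = xmlNewNsPropEatName(ctxt->node, namespace, name, NULL);
+    if (ret == NULL)
+        goto error;
 
-    if (ret != NULL) {
-        if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
-	    xmlNodePtr tmp;
-
-	    ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
-	    tmp = ret->children;
-	    while (tmp != NULL) {
-		tmp->parent = (xmlNodePtr) ret;
-		if (tmp->next == NULL)
-		    ret->last = tmp;
-		tmp = tmp->next;
-	    }
-	} else if (value != NULL) {
-	    ret->children = xmlNewDocText(ctxt->myDoc, value);
-	    ret->last = ret->children;
-	    if (ret->children != NULL)
-		ret->children->parent = (xmlNodePtr) ret;
-	}
+    if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
+        xmlNodePtr tmp;
+
+        ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
+        tmp = ret->children;
+        while (tmp != NULL) {
+            tmp->parent = (xmlNodePtr) ret;
+            if (tmp->next == NULL)
+                ret->last = tmp;
+            tmp = tmp->next;
+        }
+    } else if (value != NULL) {
+        ret->children = xmlNewDocText(ctxt->myDoc, value);
+        ret->last = ret->children;
+        if (ret->children != NULL)
+            ret->children->parent = (xmlNodePtr) ret;
     }
 
 #ifdef LIBXML_VALID_ENABLED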
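Review bot: In the `else if (value != NULL)` branch, a failed `xmlNewDocText` still leaves `ret` attached to the node with `children == NULL`, so an allocation failure there yields an attribute with no value and no error raised in the visible lines. Since this commit is malloc-failure hardening, I would report that case by adding `else xmlSAX2ErrMemory(ctxt, "xmlSAX2AttributeInternal");` after the `parent` assignment, so consumers that make decisions on attribute values do not treat a truncated tree as complete. The `xmlStringGetNodeList` branch has the same gap, though a NULL return there may be indistinguishable from an empty value. The `error` label is outside the hunk; because `xmlNewNsPropEatName` appears to take ownership of `name`, it is worth confirming that the new `goto error` path does not free it a second time.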
62--
632.27.0
64
65