1From e6d22f925ad65ce93312815aa20c7eeea58640fe Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Mon, 23 Jan 2023 01:48:37 +0100
4Subject: [PATCH] malloc-fail: Fix reallocation in inputPush
5
6Store xmlRealloc result in temporary variable to avoid null deref in
7error handler.
8
9Found with libFuzzer, see #344.
10
11Reference:https://github.com/GNOME/libxml2/commit/e6d22f925ad65ce93312815aa20c7eeea58640fe
12Conflict:NA
13---
14 parser.c | 15 ++++++++-------
15 1 file changed, 8 insertions(+), 7 deletions(-)
16
17diff --git a/parser.c b/parser.c
18index 3c06439..88f04e4 100644
19--- a/parser.c
20+++ b/parser.c
21@@ -1758,16 +1758,17 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value)
22     if ((ctxt == NULL) || (value == NULL))
23         return(-1);
24     if (ctxt->inputNr >= ctxt->inputMax) {
25-        ctxt->inputMax *= 2;
26-        ctxt->inputTab =
27-            (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
28-                                             ctxt->inputMax *
29-                                             sizeof(ctxt->inputTab[0]));
30-        if (ctxt->inputTab == NULL) {
31+        size_t newSize = ctxt->inputMax * 2;
32+        xmlParserInputPtr *tmp;
33+
34+        tmp = (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
35+                                               newSize * sizeof(*tmp));
36+        if (tmp == NULL) {
37             xmlErrMemory(ctxt, NULL);
38-	    ctxt->inputMax /= 2;
39             return (-1);
40         }
41+        ctxt->inputTab = tmp;
42+        ctxt->inputMax = newSize;
43     }
44     ctxt->inputTab[ctxt->inputNr] = value;
45     ctxt->input = value;
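Review bot: `ctxt->inputMax = newSize;` assigns a `size_t` back into the context field, which in libxml2's parser context is, as far as I recall, a plain `int`, so the doubling on the `size_t newSize = ctxt->inputMax * 2;` line is still done in `int` arithmetic before widening and the store back silently narrows (flagged under -Wconversion); keeping the count in the field's own type, `int newSize = ctxt->inputMax * 2;` and `newSize * sizeof(*tmp)` for the byte size (the multiplication by `sizeof` promotes to `size_t`), makes the width explicit rather than hidden. The failure path is now sound in that neither `inputTab` nor `inputMax` is modified when xmlRealloc returns NULL. One residual case worth a guard or a comment: if `inputMax` could ever be 0 on entry (it is initialised elsewhere, not visible here), `newSize` is 0 and `xmlRealloc(ptr, 0)` may free `inputTab` and return NULL, leaving a dangling pointer in the context after the error return. inputPush's body continues past the end of this hunk.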
46--
472.27.0
48
49