1From e6d22f925ad65ce93312815aa20c7eeea58640fe Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Mon, 23 Jan 2023 01:48:37 +0100
4Subject: [PATCH] malloc-fail: Fix reallocation in inputPush
5
6Store xmlRealloc result in temporary variable to avoid null deref in
7error handler.
8
9Found with libFuzzer, see #344.
10
11Reference:https://github.com/GNOME/libxml2/commit/e6d22f925ad65ce93312815aa20c7eeea58640fe
12Conflict:NA
13---
14 parser.c | 15 ++++++++-------
15 1 file changed, 8 insertions(+), 7 deletions(-)
16
17diff --git a/parser.c b/parser.c
18index 3c06439..88f04e4 100644
19--- a/parser.c
20+++ b/parser.c
21@@ -1758,16 +1758,17 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value)
22 if ((ctxt == NULL) || (value == NULL))
23 return(-1);
24 if (ctxt->inputNr >= ctxt->inputMax) {
25- ctxt->inputMax *= 2;
26- ctxt->inputTab =
27- (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
28- ctxt->inputMax *
29- sizeof(ctxt->inputTab[0]));
30- if (ctxt->inputTab == NULL) {
31+ size_t newSize = ctxt->inputMax * 2;
32+ xmlParserInputPtr *tmp;
33+
34+ tmp = (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
35+ newSize * sizeof(*tmp));
36+ if (tmp == NULL) {
37 xmlErrMemory(ctxt, NULL);
38- ctxt->inputMax /= 2;
39 return (-1);
40 }
41+ ctxt->inputTab = tmp;
42+ ctxt->inputMax = newSize;
43 }
44 ctxt->inputTab[ctxt->inputNr] = value;
45 ctxt->input = value;
46--
472.27.0
48
49
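Review bot: The doubling on the `size_t newSize = ctxt->inputMax * 2;` line is still evaluated in the field's own type before the result is widened, and `ctxt->inputMax = newSize;` narrows it back, so if inputMax is an int (the struct is outside the hunk; the old `ctxt->inputMax /= 2;` and the absence of a cast suggest it) neither the multiply nor the size_t-to-int store is checked. The table grows only by doubling from a small initial size and tracks input nesting depth, so the limit is unlikely to be reachable in practice, but a guard before the doubling makes the arithmetic explicit: `if (ctxt->inputMax > INT_MAX / 2) { xmlErrMemory(ctxt, NULL); return(-1); }` followed by `size_t newSize = (size_t) ctxt->inputMax * 2;` (assuming <limits.h> is already included by parser.c). Reporting a depth limit through xmlErrMemory is a judgement call; a dedicated limit error may match the file's other bounds checks better. The temporary-pointer pattern itself is right: on a failed xmlRealloc the old inputTab and inputMax stay consistent, so the error handler can still walk ctxt->input safely. inputPush starts at the @@ header line and its body continues past `ctxt->input = value;`.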