1From a442d16a5fe61626f00f33abe547da9379a37d89 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 26 Feb 2023 14:48:23 +0100
4Subject: [PATCH] malloc-fail: Fix memory leak in xmlGetNsList
5
6Found with libFuzzer, see #344.
7
8Reference:https://github.com/GNOME/libxml2/commit/a442d16a5fe61626f00f33abe547da9379a37d89
9Conflict:NA
10---
11 tree.c | 25 +++++++++----------------
12 1 file changed, 9 insertions(+), 16 deletions(-)
13
14diff --git a/tree.c b/tree.c
15index 35bd948..4a80e28 100644
16--- a/tree.c
17+++ b/tree.c
18@@ -5971,7 +5971,7 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node)
19 xmlNsPtr cur;
20 xmlNsPtr *ret = NULL;
21 int nbns = 0;
22- int maxns = 10;
23+ int maxns = 0;
24 int i;
25
26 if ((node == NULL) || (node->type == XML_NAMESPACE_DECL))
27@@ -5981,16 +5981,6 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node)
28 if (node->type == XML_ELEMENT_NODE) {
29 cur = node->nsDef;
30 while (cur != NULL) {
31- if (ret == NULL) {
32- ret =
33- (xmlNsPtr *) xmlMalloc((maxns + 1) *
34- sizeof(xmlNsPtr));
35- if (ret == NULL) {
36- xmlTreeErrMemory("getting namespace list");
37- return (NULL);
38- }
39- ret[nbns] = NULL;
40- }
41 for (i = 0; i < nbns; i++) {
42 if ((cur->prefix == ret[i]->prefix) ||
43 (xmlStrEqual(cur->prefix, ret[i]->prefix)))
44@@ -5998,15 +5988,18 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node)
45 }
46 if (i >= nbns) {
47 if (nbns >= maxns) {
48- maxns *= 2;
49- ret = (xmlNsPtr *) xmlRealloc(ret,
50- (maxns +
51- 1) *
52+ xmlNsPtr *tmp;
53+
54+ maxns = maxns ? maxns * 2 : 10;
55+ tmp = (xmlNsPtr *) xmlRealloc(ret,
56+ (maxns + 1) *
57 sizeof(xmlNsPtr));
58- if (ret == NULL) {
59+ if (tmp == NULL) {
60 xmlTreeErrMemory("getting namespace list");
61+ xmlFree(ret);
62 return (NULL);
63 }
64+ ret = tmp;
65 }
66 ret[nbns++] = cur;
67 ret[nbns] = NULL;
68--
692.27.0
70
71
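Review bot: The failure branch in the last hunk (`if (tmp == NULL)`) still ends in `return (NULL);`, and because `ret` starts as NULL and is now assigned only inside this growth branch, NULL is presumably also what a node with no namespace declarations yields, so a caller cannot tell an allocation failure from an empty list. The interface cannot change in a backport, so I would at least state it in the function's header comment, e.g. `/* Returns NULL both when no namespace is in scope and on allocation failure. */`. Separately, `maxns = maxns ? maxns * 2 : 10;` doubles a signed `int` with no upper bound; it is probably unreachable given the memory that many namespaces would need, but a guard such as `if (maxns > (INT_MAX - 1) / 2)` ahead of the doubling would rule out the overflow explicitly. The function's final return lies outside the hunk, so the first point should be confirmed against the full body.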