From c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Mon, 23 Jan 2023 10:19:59 +0100 Subject: [PATCH] malloc-fail: Don't call xmlErrMemory in xmlstring.c Functions like xmlStrdup are called in the error handling code (__xmlRaiseError) which can cause problems like use-after-free or infinite loops when invoked recursively. Calling xmlErrMemory without a context argument isn't helpful anyway. Found with libFuzzer, see #344. Reference:https://github.com/GNOME/libxml2/commit/c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Conflict:xmlstring.c --- xmlstring.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/xmlstring.c b/xmlstring.c index 5a6875f..9709545 100644 --- a/xmlstring.c +++ b/xmlstring.c @@ -45,7 +45,6 @@ xmlStrndup(const xmlChar *cur, int len) { if ((cur == NULL) || (len < 0)) return(NULL); ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar)); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(NULL); } memcpy(ret, cur, len * sizeof(xmlChar)); @@ -90,7 +89,6 @@ xmlCharStrndup(const char *cur, int len) { if ((cur == NULL) || (len < 0)) return(NULL); ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar)); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(NULL); } for (i = 0;i < len;i++) { @@ -465,7 +463,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { return(NULL); ret = (xmlChar *) xmlRealloc(cur, ((size_t) size + len + 1) * sizeof(xmlChar)); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(cur); } memcpy(&ret[size], add, len * sizeof(xmlChar)); @@ -505,7 +502,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { return(NULL); ret = (xmlChar *) xmlMalloc(((size_t) size + len + 1) * sizeof(xmlChar)); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(xmlStrndup(str1, size)); } memcpy(ret, str1, size * sizeof(xmlChar)); @@ -1034,7 +1030,6 @@ xmlEscapeFormatString(xmlChar **msg) out-of-memory situations. */ xmlFree(*msg); *msg = NULL; - xmlErrMemory(NULL, NULL); return(NULL); } -- 2.27.0