From e6d22f925ad65ce93312815aa20c7eeea58640fe Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 23 Jan 2023 01:48:37 +0100
Subject: [PATCH] malloc-fail: Fix reallocation in inputPush

Store xmlRealloc result in temporary variable to avoid null deref in
error handler.

Found with libFuzzer, see #344.

Reference:https://github.com/GNOME/libxml2/commit/e6d22f925ad65ce93312815aa20c7eeea58640fe
Conflict:NA
---
 parser.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/parser.c b/parser.c
index 3c06439..88f04e4 100644
--- a/parser.c
+++ b/parser.c
@@ -1758,16 +1758,17 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value)
     if ((ctxt == NULL) || (value == NULL))
         return(-1);
     if (ctxt->inputNr >= ctxt->inputMax) {
-        ctxt->inputMax *= 2;
-        ctxt->inputTab =
-            (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
-                                             ctxt->inputMax *
-                                             sizeof(ctxt->inputTab[0]));
-        if (ctxt->inputTab == NULL) {
+        size_t newSize = ctxt->inputMax * 2;
+        xmlParserInputPtr *tmp;
+
+        tmp = (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
+                                               newSize * sizeof(*tmp));
+        if (tmp == NULL) {
             xmlErrMemory(ctxt, NULL);
-	    ctxt->inputMax /= 2;
             return (-1);
         }
+        ctxt->inputTab = tmp;
+        ctxt->inputMax = newSize;
     }
     ctxt->inputTab[ctxt->inputNr] = value;
     ctxt->input = value;
-- 
2.27.0