153aa9179Sopenharmony_ciFrom 08695683dbd78301aa95bf3042871256479bc6a6 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Mon, 30 Jan 2023 15:52:00 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Add error check in xmlXPathEqualNodeSetFloat
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciAvoid null deref.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciFound with libFuzzer, see #344.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/08695683dbd78301aa95bf3042871256479bc6a6
1153aa9179Sopenharmony_ciConflict:NA
1253aa9179Sopenharmony_ci---
1353aa9179Sopenharmony_ci xpath.c | 1 +
1453aa9179Sopenharmony_ci 1 file changed, 1 insertion(+)
1553aa9179Sopenharmony_ci
1653aa9179Sopenharmony_cidiff --git a/xpath.c b/xpath.c
1753aa9179Sopenharmony_ciindex 6d76e43..77d5434 100644
1853aa9179Sopenharmony_ci--- a/xpath.c
1953aa9179Sopenharmony_ci+++ b/xpath.c
2053aa9179Sopenharmony_ci@@ -6799,6 +6799,7 @@ xmlXPathEqualNodeSetFloat(xmlXPathParserContextPtr ctxt,
2153aa9179Sopenharmony_ci 		xmlFree(str2);
2253aa9179Sopenharmony_ci 		xmlXPathNumberFunction(ctxt, 1);
2353aa9179Sopenharmony_ci 		val = valuePop(ctxt);
2453aa9179Sopenharmony_ci+                CHECK_ERROR0;
2553aa9179Sopenharmony_ci 		v = val->floatval;
2653aa9179Sopenharmony_ci 		xmlXPathReleaseObject(ctxt->context, val);
2753aa9179Sopenharmony_ci 		if (!xmlXPathIsNaN(v)) {
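Review bot: The added `CHECK_ERROR0;` sits after `val = valuePop(ctxt);` and guards the `val->floatval` dereference only indirectly, because it tests the context's error state (the macro is defined outside this hunk) rather than `val` itself. If the macro returns early while `val` is non-NULL, the popped object never reaches `xmlXPathReleaseObject(ctxt->context, val)`, so the malloc-failure path would leak it. Consider placing `CHECK_ERROR0;` before the pop and following the pop with an explicit `if (val == NULL) return(0);`, so the pointer that is dereferenced is the one that is checked. The new line is also indented with spaces where the neighbouring lines use tabs. The loop and the rest of xmlXPathEqualNodeSetFloat lie outside the hunk, so whether callers clean up the value stack after an early return needs confirming there.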
2853aa9179Sopenharmony_ci-- 
2953aa9179Sopenharmony_ci2.27.0
3053aa9179Sopenharmony_ci