1From c81d0d04bfbdbccea0c5199bced95a6af961885a Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Fri, 17 Mar 2023 12:39:35 +0100
4Subject: [PATCH] malloc-fail: Add more error checks when parsing names
5
6xmlParseName and similar functions must return NULL if an error occurs.
7
8Found by OSS-Fuzz, see #344.
9
10Reference:https://github.com/GNOME/libxml2/commit/c81d0d04bfbdbccea0c5199bced95a6af961885a
11Conflict:NA
12
13---
14 parser.c | 8 ++++++++
15 1 file changed, 8 insertions(+)
16
17diff --git a/parser.c b/parser.c
18index 75bd27f..b872d34 100644
19--- a/parser.c
20+++ b/parser.c
21@@ -3355,6 +3355,8 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
22 XML_MAX_NAME_LENGTH;
23
24 GROW;
25+ if (ctxt->instate == XML_PARSER_EOF)
26+ return(NULL);
27
28 #ifdef DEBUG
29 nbParseName++;
30@@ -3410,6 +3412,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
31 * Handler for more complex cases
32 */
33 GROW;
34+ if (ctxt->instate == XML_PARSER_EOF)
35+ return(NULL);
36 startPosition = CUR_PTR - BASE_PTR;
37 c = CUR_CHAR(l);
38 if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
39@@ -3686,6 +3690,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
40 if (count++ > XML_PARSER_CHUNK_SIZE) {
41 count = 0;
42 GROW;
43+ if (ctxt->instate == XML_PARSER_EOF)
44+ return(NULL);
45 }
46 COPY_BUF(l,buf,len,c);
47 NEXTL(l);
48@@ -8791,6 +8797,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) {
49 const xmlChar *l, *p;
50
51 GROW;
52+ if (ctxt->instate == XML_PARSER_EOF)
53+ return(NULL);
54
55 l = xmlParseNCName(ctxt);
56 if (l == NULL) {
57--
582.27.0
59
60
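Review bot: The new `if (ctxt->instate == XML_PARSER_EOF) return(NULL);` after `GROW;` in xmlParseName carries no explanation of why a buffer grow can leave the parser in the EOF state, and the same unexplained pattern is repeated in the other three hunks. Given the subject line ("malloc-fail") the intent appears to be that a failed buffer growth halts the parser; a one-line comment such as `/* GROW halts the parser on allocation failure; don't touch the input buffer after that */` above the check would make that dependency visible to the next reader. The body of xmlParseName continues past the hunk, so any later GROW in it (or in the complex-name path it presumably delegates to) is not covered by this guard and I cannot confirm it is handled. Callers still receive a bare NULL, so they can only distinguish "not a name" from "parser halted" by re-checking `ctxt->instate` themselves.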
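Review bot: In xmlParseNCNameComplex the early return sits before `startPosition = CUR_PTR - BASE_PTR;`, which is the right place if the buffer pointers are no longer meaningful after a halted GROW, but it is only leak-free if nothing has been allocated between function entry and this `GROW;` — the function's start is outside the hunk, so please confirm no local resource is live here. Since this is the slow path behind xmlParseNCName, the caller sees a plain NULL; the function header would benefit from spelling the contract out: `Returns the NCName, or NULL if the input is not an NCName or the parser has been halted (ctxt->instate == XML_PARSER_EOF)`. The scanning loop further down in this function, also outside the hunk, likely contains additional GROW calls that would need the same guard to fully meet the commit's stated goal.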
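Review bot: The added `return(NULL);` inside the `count++ > XML_PARSER_CHUNK_SIZE` branch of xmlParseNmtoken leaves the loop without releasing anything, which is only safe if `buf` (written by `COPY_BUF(l,buf,len,c);` on the next line) is a fixed-size stack array rather than a heap allocation; its declaration is outside the hunk, so please confirm. If xmlParseNmtoken also has a second, dynamically allocated loop for tokens that outgrow the fixed buffer — as the `buf`/`len` pattern suggests — that loop's GROW needs the same `instate` check and must `xmlFree` the heap buffer before returning NULL, otherwise the malloc-failure path this commit targets would leak precisely in the oversized-token case. The function starts and ends outside the hunk.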
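Review bot: The early `return(NULL);` in xmlParseQName leaves `*prefix` unassigned, so a caller that reads `*prefix` after a NULL result gets whatever the variable held before the call. This matches the visible `if (l == NULL) {` path, which also returns without setting it, so the implicit contract seems to be that `*prefix` is only meaningful on a non-NULL return — but nothing states that; a header comment such as `@prefix: receives the prefix (NULL if none); only valid when the return value is non-NULL` would pin it down. Alternatively, `*prefix = NULL;` placed before the `GROW;` costs nothing and removes the hazard on every failure path at once. xmlParseQName's body continues outside the hunk.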