153aa9179Sopenharmony_ciFrom c81d0d04bfbdbccea0c5199bced95a6af961885a Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Fri, 17 Mar 2023 12:39:35 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Add more error checks when parsing names
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_cixmlParseName and similar functions must return NULL if an error occurs.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciFound by OSS-Fuzz, see #344.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/c81d0d04bfbdbccea0c5199bced95a6af961885a
1153aa9179Sopenharmony_ciConflict:NA
1253aa9179Sopenharmony_ci
1353aa9179Sopenharmony_ci---
1453aa9179Sopenharmony_ci parser.c | 8 ++++++++
1553aa9179Sopenharmony_ci 1 file changed, 8 insertions(+)
1653aa9179Sopenharmony_ci
1753aa9179Sopenharmony_cidiff --git a/parser.c b/parser.c
1853aa9179Sopenharmony_ciindex 75bd27f..b872d34 100644
1953aa9179Sopenharmony_ci--- a/parser.c
2053aa9179Sopenharmony_ci+++ b/parser.c
2153aa9179Sopenharmony_ci@@ -3355,6 +3355,8 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
2253aa9179Sopenharmony_ci XML_MAX_NAME_LENGTH;
2353aa9179Sopenharmony_ci
2453aa9179Sopenharmony_ci GROW;
2553aa9179Sopenharmony_ci+ if (ctxt->instate == XML_PARSER_EOF)
2653aa9179Sopenharmony_ci+ return(NULL);
2753aa9179Sopenharmony_ci
2853aa9179Sopenharmony_ci #ifdef DEBUG
2953aa9179Sopenharmony_ci nbParseName++;
3053aa9179Sopenharmony_ci@@ -3410,6 +3412,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
3153aa9179Sopenharmony_ci * Handler for more complex cases
3253aa9179Sopenharmony_ci */
3353aa9179Sopenharmony_ci GROW;
3453aa9179Sopenharmony_ci+ if (ctxt->instate == XML_PARSER_EOF)
3553aa9179Sopenharmony_ci+ return(NULL);
3653aa9179Sopenharmony_ci startPosition = CUR_PTR - BASE_PTR;
3753aa9179Sopenharmony_ci c = CUR_CHAR(l);
3853aa9179Sopenharmony_ci if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
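Review bot: The new `if (ctxt->instate == XML_PARSER_EOF) return(NULL);` placed right after `GROW;` in xmlParseName gives no hint of why an EOF state can appear before a single byte of the name has been read, so a maintainer is likely to mistake it for a plain end-of-input test. A one-line why-comment above the check would settle that: `/* GROW may halt the parser (e.g. on allocation failure); bail out before reading the input. */` — the allocation-failure motivation is the one the commit title gives. Presumably the guard protects the fast-path read of `ctxt->input->cur` that follows, but that code, like the rest of xmlParseName, lies outside this hunk, so that should be confirmed when the comment is written. Returning before the `#ifdef DEBUG` counter is sensible, since a halted call never parses a name.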
3953aa9179Sopenharmony_ci@@ -3686,6 +3690,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
4053aa9179Sopenharmony_ci if (count++ > XML_PARSER_CHUNK_SIZE) {
4153aa9179Sopenharmony_ci count = 0;
4253aa9179Sopenharmony_ci GROW;
4353aa9179Sopenharmony_ci+ if (ctxt->instate == XML_PARSER_EOF)
4453aa9179Sopenharmony_ci+ return(NULL);
4553aa9179Sopenharmony_ci }
4653aa9179Sopenharmony_ci COPY_BUF(l,buf,len,c);
4753aa9179Sopenharmony_ci NEXTL(l);
4853aa9179Sopenharmony_ci@@ -8791,6 +8797,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) {
4953aa9179Sopenharmony_ci const xmlChar *l, *p;
5053aa9179Sopenharmony_ci
5153aa9179Sopenharmony_ci GROW;
5253aa9179Sopenharmony_ci+ if (ctxt->instate == XML_PARSER_EOF)
5353aa9179Sopenharmony_ci+ return(NULL);
5453aa9179Sopenharmony_ci
5553aa9179Sopenharmony_ci l = xmlParseNCName(ctxt);
5653aa9179Sopenharmony_ci if (l == NULL) {
5753aa9179Sopenharmony_ci--
5853aa9179Sopenharmony_ci2.27.0
5953aa9179Sopenharmony_ci
60
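Review bot: The guarded `GROW;` in this xmlParseNmtoken hunk sits in the loop that copies into `buf` (the buffer named in `COPY_BUF(l,buf,len,c)` two lines below), so the bare `return(NULL);` releases nothing it should not; the same cannot be assumed for the rest of the function, which begins and ends outside the hunk. If xmlParseNmtoken later switches to a heap-allocated buffer for long tokens and repeats this periodic GROW there, that loop needs the freeing form of the check, `if (ctxt->instate == XML_PARSER_EOF) { xmlFree(buffer); return(NULL); }`, or the halt path leaks the token buffer. Worth confirming that branch is covered by this or an earlier change rather than inferring it from this hunk alone.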
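Review bot: In the xmlParseQName hunk the guard covers only the initial `GROW;`, yet the very next statement, `l = xmlParseNCName(ctxt);`, can grow the input and halt the parser itself, and its NULL return then lands in the `if (l == NULL) {` branch whose body continues outside the hunk. If that branch retries with `CUR` or xmlParseName, as a "no NCName at this position, maybe a bare colon" fallback would, it should first check `if (ctxt->instate == XML_PARSER_EOF) return(NULL);` so a halted parser is not treated as ordinary input. I cannot see the branch body here, so this is a point to verify rather than a defect I can show; the function's remaining lines are outside the hunk.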