1From 0e4421e793e52e2025297f9252c4dc76b72674c7 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Mon, 30 Jan 2023 15:05:58 +0100
4Subject: [PATCH] malloc-fail: Check return value of xmlXPathNodeSetDupNs
5
6Avoid null deref if allocation fails.
7
8Found with libFuzzer, see #344.
9
10Reference:https://github.com/GNOME/libxml2/commit/0e4421e793e52e2025297f9252c4dc76b72674c7
11Conflict:NA
12---
13 xpath.c | 38 +++++++++++++++++++++++---------------
14 1 file changed, 23 insertions(+), 15 deletions(-)
15
16diff --git a/xpath.c b/xpath.c
17index fe0e1e2..212a4e0 100644
18--- a/xpath.c
19+++ b/xpath.c
20@@ -3588,10 +3588,13 @@ xmlXPathNodeSetCreate(xmlNodePtr val) {
21 ret->nodeMax = XML_NODESET_DEFAULT;
22 if (val->type == XML_NAMESPACE_DECL) {
23 xmlNsPtr ns = (xmlNsPtr) val;
24+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
25
26- /* TODO: Check memory error. */
27- ret->nodeTab[ret->nodeNr++] =
28- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
29+ if (nsNode == NULL) {
30+ xmlXPathFreeNodeSet(ret);
31+ return(NULL);
32+ }
33+ ret->nodeTab[ret->nodeNr++] = nsNode;
34 } else
35 ret->nodeTab[ret->nodeNr++] = val;
36 }
37@@ -3648,7 +3651,7 @@ xmlXPathNodeSetContains (xmlNodeSetPtr cur, xmlNodePtr val) {
38 int
39 xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) {
40 int i;
41-
42+ xmlNodePtr nsNode;
43
44 if ((cur == NULL) || (ns == NULL) || (node == NULL) ||
45 (ns->type != XML_NAMESPACE_DECL) ||
46@@ -3696,8 +3699,10 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) {
47 cur->nodeMax *= 2;
48 cur->nodeTab = temp;
49 }
50- /* TODO: Check memory error. */
51- cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns);
52+ nsNode = xmlXPathNodeSetDupNs(node, ns);
53+ if(nsNode == NULL)
54+ return(-1);
55+ cur->nodeTab[cur->nodeNr++] = nsNode;
56 return(0);
57 }
58
59@@ -3754,10 +3759,11 @@ xmlXPathNodeSetAdd(xmlNodeSetPtr cur, xmlNodePtr val) {
60 }
61 if (val->type == XML_NAMESPACE_DECL) {
62 xmlNsPtr ns = (xmlNsPtr) val;
63+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
64
65- /* TODO: Check memory error. */
66- cur->nodeTab[cur->nodeNr++] =
67- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
68+ if (nsNode == NULL)
69+ return(-1);
70+ cur->nodeTab[cur->nodeNr++] = nsNode;
71 } else
72 cur->nodeTab[cur->nodeNr++] = val;
73 return(0);
74@@ -3809,10 +3815,11 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) {
75 }
76 if (val->type == XML_NAMESPACE_DECL) {
77 xmlNsPtr ns = (xmlNsPtr) val;
78+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
79
80- /* TODO: Check memory error. */
81- cur->nodeTab[cur->nodeNr++] =
82- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
83+ if (nsNode == NULL)
84+ return(-1);
85+ cur->nodeTab[cur->nodeNr++] = nsNode;
86 } else
87 cur->nodeTab[cur->nodeNr++] = val;
88 return(0);
89@@ -3926,10 +3933,11 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) {
90 }
91 if (n2->type == XML_NAMESPACE_DECL) {
92 xmlNsPtr ns = (xmlNsPtr) n2;
93+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
94
95- /* TODO: Check memory error. */
96- val1->nodeTab[val1->nodeNr++] =
97- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
98+ if (nsNode == NULL)
99+ return(NULL);
100+ val1->nodeTab[val1->nodeNr++] = nsNode;
101 } else
102 val1->nodeTab[val1->nodeNr++] = n2;
103 }
104--
1052.27.0
106
107
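Review bot: The new check `if(nsNode == NULL)` in xmlXPathNodeSetAddNs drops the space after `if` that every other new check in this patch (xmlXPathNodeSetCreate, xmlXPathNodeSetAdd, xmlXPathNodeSetAddUnique, xmlXPathNodeSetMerge) and the surrounding code (`if (val->type == XML_NAMESPACE_DECL)`) use; write `if (nsNode == NULL)` so all five sites read alike. The -1 return looks consistent with the growth path just above it, which presumably already returns -1 when the realloc fails, though that branch lies outside the hunk. xmlXPathNodeSetAddNs starts in the previous hunk, where the `xmlNodePtr nsNode;` declaration for this change lives.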
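Review bot: Returning NULL at the new `if (nsNode == NULL)` in xmlXPathNodeSetMerge leaves val1 partially extended but neither freed nor handed back, so a caller that writes the result over its own pointer (`val1 = xmlXPathNodeSetMerge(val1, val2);`) loses its only reference to val1 and to the namespace nodes already duplicated into it. The callers are not visible from this hunk, so whether that pattern exists is inferred; the safe resolution is to state the ownership rule in the function's header comment, e.g. `On allocation failure NULL is returned and val1, still valid and partially extended, remains owned by the caller`, and to audit callers for the assignment pattern. The -1-returning functions in the earlier hunks do not have this problem because cur stays with the caller by interface. The body of xmlXPathNodeSetMerge starts and ends outside the hunk.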