153aa9179Sopenharmony_ciFrom 0e4421e793e52e2025297f9252c4dc76b72674c7 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Mon, 30 Jan 2023 15:05:58 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Check return value of xmlXPathNodeSetDupNs
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciAvoid null deref if allocation fails.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciFound with libFuzzer, see #344.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/0e4421e793e52e2025297f9252c4dc76b72674c7
1153aa9179Sopenharmony_ciConflict:NA
1253aa9179Sopenharmony_ci---
1353aa9179Sopenharmony_ci xpath.c | 38 +++++++++++++++++++++++---------------
1453aa9179Sopenharmony_ci 1 file changed, 23 insertions(+), 15 deletions(-)
1553aa9179Sopenharmony_ci
1653aa9179Sopenharmony_cidiff --git a/xpath.c b/xpath.c
1753aa9179Sopenharmony_ciindex fe0e1e2..212a4e0 100644
1853aa9179Sopenharmony_ci--- a/xpath.c
1953aa9179Sopenharmony_ci+++ b/xpath.c
2053aa9179Sopenharmony_ci@@ -3588,10 +3588,13 @@ xmlXPathNodeSetCreate(xmlNodePtr val) {
2153aa9179Sopenharmony_ci         ret->nodeMax = XML_NODESET_DEFAULT;
2253aa9179Sopenharmony_ci 	if (val->type == XML_NAMESPACE_DECL) {
2353aa9179Sopenharmony_ci 	    xmlNsPtr ns = (xmlNsPtr) val;
2453aa9179Sopenharmony_ci+            xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
2553aa9179Sopenharmony_ci 
2653aa9179Sopenharmony_ci-            /* TODO: Check memory error. */
2753aa9179Sopenharmony_ci-	    ret->nodeTab[ret->nodeNr++] =
2853aa9179Sopenharmony_ci-		xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
2953aa9179Sopenharmony_ci+            if (nsNode == NULL) {
3053aa9179Sopenharmony_ci+                xmlXPathFreeNodeSet(ret);
3153aa9179Sopenharmony_ci+                return(NULL);
3253aa9179Sopenharmony_ci+            }
3353aa9179Sopenharmony_ci+	    ret->nodeTab[ret->nodeNr++] = nsNode;
3453aa9179Sopenharmony_ci 	} else
3553aa9179Sopenharmony_ci 	    ret->nodeTab[ret->nodeNr++] = val;
3653aa9179Sopenharmony_ci     }
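Review bot: The new `return(NULL)` after `xmlXPathFreeNodeSet(ret)` adds allocation failure as a reason for xmlXPathNodeSetCreate to return NULL, and the function's doc comment sits outside this hunk; if it does not already say so, add `Returns the newly created object or NULL on allocation failure.` to it. Freeing `ret` at that point looks correct because `ret->nodeNr` has not been incremented yet, so no duplicated namespace node is left behind in the table. The body of xmlXPathNodeSetCreate begins before this hunk.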
3753aa9179Sopenharmony_ci@@ -3648,7 +3651,7 @@ xmlXPathNodeSetContains (xmlNodeSetPtr cur, xmlNodePtr val) {
3853aa9179Sopenharmony_ci int
3953aa9179Sopenharmony_ci xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) {
4053aa9179Sopenharmony_ci     int i;
4153aa9179Sopenharmony_ci-
4253aa9179Sopenharmony_ci+    xmlNodePtr nsNode;
4353aa9179Sopenharmony_ci 
4453aa9179Sopenharmony_ci     if ((cur == NULL) || (ns == NULL) || (node == NULL) ||
4553aa9179Sopenharmony_ci         (ns->type != XML_NAMESPACE_DECL) ||
4653aa9179Sopenharmony_ci@@ -3696,8 +3699,10 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) {
4753aa9179Sopenharmony_ci         cur->nodeMax *= 2;
4853aa9179Sopenharmony_ci 	cur->nodeTab = temp;
4953aa9179Sopenharmony_ci     }
5053aa9179Sopenharmony_ci-    /* TODO: Check memory error. */
5153aa9179Sopenharmony_ci-    cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns);
5253aa9179Sopenharmony_ci+    nsNode = xmlXPathNodeSetDupNs(node, ns);
5353aa9179Sopenharmony_ci+    if(nsNode == NULL)
5453aa9179Sopenharmony_ci+        return(-1);
5553aa9179Sopenharmony_ci+    cur->nodeTab[cur->nodeNr++] = nsNode;
5653aa9179Sopenharmony_ci     return(0);
5753aa9179Sopenharmony_ci }
5853aa9179Sopenharmony_ci 
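Review bot: `if(nsNode == NULL)` in the new check omits the space after `if` that the rest of this patch and the surrounding code use (`if ((cur == NULL) || ...` a few lines above); write it as `if (nsNode == NULL)`. Returning -1 after the nodeTab growth just above is fine: the grown table stays attached to `cur`, so nothing leaks and the set remains valid for the caller. xmlXPathNodeSetAddNs starts outside this hunk.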
5953aa9179Sopenharmony_ci@@ -3754,10 +3759,11 @@ xmlXPathNodeSetAdd(xmlNodeSetPtr cur, xmlNodePtr val) {
6053aa9179Sopenharmony_ci     }
6153aa9179Sopenharmony_ci     if (val->type == XML_NAMESPACE_DECL) {
6253aa9179Sopenharmony_ci 	xmlNsPtr ns = (xmlNsPtr) val;
6353aa9179Sopenharmony_ci+        xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
6453aa9179Sopenharmony_ci 
6553aa9179Sopenharmony_ci-        /* TODO: Check memory error. */
6653aa9179Sopenharmony_ci-	cur->nodeTab[cur->nodeNr++] =
6753aa9179Sopenharmony_ci-	    xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
6853aa9179Sopenharmony_ci+        if (nsNode == NULL)
6953aa9179Sopenharmony_ci+            return(-1);
7053aa9179Sopenharmony_ci+	cur->nodeTab[cur->nodeNr++] = nsNode;
7153aa9179Sopenharmony_ci     } else
7253aa9179Sopenharmony_ci 	cur->nodeTab[cur->nodeNr++] = val;
7353aa9179Sopenharmony_ci     return(0);
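Review bot: The new `return(-1)` in xmlXPathNodeSetAdd, and the identical one in xmlXPathNodeSetAddUnique in the next hunk, introduce an allocation-failure return, and the doc comments of both functions are outside these hunks; if they do not already list allocation failure among the causes of -1, state it there, e.g. `Returns 0 in case of success and -1 in case of failure (including allocation failure).` Both functions leave `cur` valid on this path, which is worth saying in the same sentence so callers know they still own it. Both function bodies start before their hunks.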
7453aa9179Sopenharmony_ci@@ -3809,10 +3815,11 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) {
7553aa9179Sopenharmony_ci     }
7653aa9179Sopenharmony_ci     if (val->type == XML_NAMESPACE_DECL) {
7753aa9179Sopenharmony_ci 	xmlNsPtr ns = (xmlNsPtr) val;
7853aa9179Sopenharmony_ci+        xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
7953aa9179Sopenharmony_ci 
8053aa9179Sopenharmony_ci-        /* TODO: Check memory error. */
8153aa9179Sopenharmony_ci-	cur->nodeTab[cur->nodeNr++] =
8253aa9179Sopenharmony_ci-	    xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
8353aa9179Sopenharmony_ci+        if (nsNode == NULL)
8453aa9179Sopenharmony_ci+            return(-1);
8553aa9179Sopenharmony_ci+	cur->nodeTab[cur->nodeNr++] = nsNode;
8653aa9179Sopenharmony_ci     } else
8753aa9179Sopenharmony_ci 	cur->nodeTab[cur->nodeNr++] = val;
8853aa9179Sopenharmony_ci     return(0);
8953aa9179Sopenharmony_ci@@ -3926,10 +3933,11 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) {
9053aa9179Sopenharmony_ci 	}
9153aa9179Sopenharmony_ci 	if (n2->type == XML_NAMESPACE_DECL) {
9253aa9179Sopenharmony_ci 	    xmlNsPtr ns = (xmlNsPtr) n2;
9353aa9179Sopenharmony_ci+            xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
9453aa9179Sopenharmony_ci 
9553aa9179Sopenharmony_ci-            /* TODO: Check memory error. */
9653aa9179Sopenharmony_ci-	    val1->nodeTab[val1->nodeNr++] =
9753aa9179Sopenharmony_ci-		xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns);
9853aa9179Sopenharmony_ci+            if (nsNode == NULL)
9953aa9179Sopenharmony_ci+                return(NULL);
10053aa9179Sopenharmony_ci+	    val1->nodeTab[val1->nodeNr++] = nsNode;
10153aa9179Sopenharmony_ci 	} else
10253aa9179Sopenharmony_ci 	    val1->nodeTab[val1->nodeNr++] = n2;
10353aa9179Sopenharmony_ci     }
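Review bot: Returning NULL from inside the merge loop leaves `val1` partially merged with its ownership unclear: a caller that assigns the result back over the variable holding `val1` would leak it, and a caller that keeps `val1` receives a set that already contains some duplicated namespace nodes. Either release it on this path, `if (nsNode == NULL) { xmlXPathFreeNodeSet(val1); return(NULL); }`, mirroring what this patch does in xmlXPathNodeSetCreate, or document on the function that on a NULL return `val1` is still valid and remains the caller's to free; which is right depends on the callers, which are not visible here. The merge loop of xmlXPathNodeSetMerge starts and ends outside this hunk.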
10453aa9179Sopenharmony_ci-- 
10553aa9179Sopenharmony_ci2.27.0
10653aa9179Sopenharmony_ci