153aa9179Sopenharmony_ciFrom c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Mon, 23 Jan 2023 10:19:59 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Don't call xmlErrMemory in xmlstring.c
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFunctions like xmlStrdup are called in the error handling code
753aa9179Sopenharmony_ci(__xmlRaiseError) which can cause problems like use-after-free or
853aa9179Sopenharmony_ciinfinite loops when invoked recursively.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciCalling xmlErrMemory without a context argument isn't helpful anyway.
1153aa9179Sopenharmony_ci
1253aa9179Sopenharmony_ciFound with libFuzzer, see #344.
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e
1553aa9179Sopenharmony_ciConflict:xmlstring.c
1653aa9179Sopenharmony_ci---
1753aa9179Sopenharmony_ci xmlstring.c | 5 -----
1853aa9179Sopenharmony_ci 1 file changed, 5 deletions(-)
1953aa9179Sopenharmony_ci
2053aa9179Sopenharmony_cidiff --git a/xmlstring.c b/xmlstring.c
2153aa9179Sopenharmony_ciindex 5a6875f..9709545 100644
2253aa9179Sopenharmony_ci--- a/xmlstring.c
2353aa9179Sopenharmony_ci+++ b/xmlstring.c
2453aa9179Sopenharmony_ci@@ -45,7 +45,6 @@ xmlStrndup(const xmlChar *cur, int len) {
2553aa9179Sopenharmony_ci if ((cur == NULL) || (len < 0)) return(NULL);
2653aa9179Sopenharmony_ci ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
2753aa9179Sopenharmony_ci if (ret == NULL) {
2853aa9179Sopenharmony_ci- xmlErrMemory(NULL, NULL);
2953aa9179Sopenharmony_ci return(NULL);
3053aa9179Sopenharmony_ci }
3153aa9179Sopenharmony_ci memcpy(ret, cur, len * sizeof(xmlChar));
3253aa9179Sopenharmony_ci@@ -90,7 +89,6 @@ xmlCharStrndup(const char *cur, int len) {
3353aa9179Sopenharmony_ci if ((cur == NULL) || (len < 0)) return(NULL);
3453aa9179Sopenharmony_ci ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
3553aa9179Sopenharmony_ci if (ret == NULL) {
3653aa9179Sopenharmony_ci- xmlErrMemory(NULL, NULL);
3753aa9179Sopenharmony_ci return(NULL);
3853aa9179Sopenharmony_ci }
3953aa9179Sopenharmony_ci for (i = 0;i < len;i++) {
4053aa9179Sopenharmony_ci@@ -465,7 +463,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
4153aa9179Sopenharmony_ci return(NULL);
4253aa9179Sopenharmony_ci ret = (xmlChar *) xmlRealloc(cur, ((size_t) size + len + 1) * sizeof(xmlChar));
4353aa9179Sopenharmony_ci if (ret == NULL) {
4453aa9179Sopenharmony_ci- xmlErrMemory(NULL, NULL);
4553aa9179Sopenharmony_ci return(cur);
4653aa9179Sopenharmony_ci }
4753aa9179Sopenharmony_ci memcpy(&ret[size], add, len * sizeof(xmlChar));
4853aa9179Sopenharmony_ci@@ -505,7 +502,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
4953aa9179Sopenharmony_ci return(NULL);
5053aa9179Sopenharmony_ci ret = (xmlChar *) xmlMalloc(((size_t) size + len + 1) * sizeof(xmlChar));
5153aa9179Sopenharmony_ci if (ret == NULL) {
5253aa9179Sopenharmony_ci- xmlErrMemory(NULL, NULL);
5353aa9179Sopenharmony_ci return(xmlStrndup(str1, size));
5453aa9179Sopenharmony_ci }
5553aa9179Sopenharmony_ci memcpy(ret, str1, size * sizeof(xmlChar));
5653aa9179Sopenharmony_ci@@ -1034,7 +1030,6 @@ xmlEscapeFormatString(xmlChar **msg)
5753aa9179Sopenharmony_ci out-of-memory situations. */
5853aa9179Sopenharmony_ci xmlFree(*msg);
5953aa9179Sopenharmony_ci *msg = NULL;
6053aa9179Sopenharmony_ci- xmlErrMemory(NULL, NULL);
6153aa9179Sopenharmony_ci return(NULL);
6253aa9179Sopenharmony_ci }
6353aa9179Sopenharmony_ci
6453aa9179Sopenharmony_ci--
6553aa9179Sopenharmony_ci2.27.0
6653aa9179Sopenharmony_ci
67
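Review bot: With the xmlErrMemory call gone, the realloc-failure path in the xmlStrncat hunk (`@@ -465`) fails completely silently: it still does `return(cur);`, so a caller that only tests for NULL cannot tell a successful append from one that was dropped, and no error is recorded anywhere. The xmlStrncatNew hunk (`@@ -505`) has the same shape, returning a truncated `xmlStrndup(str1, size)` on failure, and that fallback can itself return NULL on a second allocation failure. Since the commit intentionally removes the report (the error path may recurse into these functions), the remaining contract should at least be stated at the return: `/* OOM: append dropped, cur is returned unchanged and stays owned by the caller; no error is reported here */` above `return(cur);`, and a matching comment above the xmlStrndup fallback noting that the result is a possibly-NULL truncated copy. Both enclosing functions begin and end outside their hunks, so the size/len validation that precedes these lines is not visible here.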