153aa9179Sopenharmony_ciFrom d08fd8306e224c48dedc1a9b549376ae1d4c7f6c Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Fri, 17 Feb 2023 15:53:07 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound with libFuzzer, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/1743c4c3fc58cf38ecce68db9de51d0f3651e033
953aa9179Sopenharmony_ciConflict:xmlregexp.c
1053aa9179Sopenharmony_ci
1153aa9179Sopenharmony_ci---
1253aa9179Sopenharmony_ci xmlregexp.c | 12 ++++++++++++
1353aa9179Sopenharmony_ci 1 file changed, 12 insertions(+)
1453aa9179Sopenharmony_ci
1553aa9179Sopenharmony_cidiff --git a/xmlregexp.c b/xmlregexp.c
1653aa9179Sopenharmony_ciindex 360916f..e7c48a4 100644
1753aa9179Sopenharmony_ci--- a/xmlregexp.c
1853aa9179Sopenharmony_ci+++ b/xmlregexp.c
1953aa9179Sopenharmony_ci@@ -1681,6 +1681,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
2053aa9179Sopenharmony_ci }
2153aa9179Sopenharmony_ci inter = ctxt->state;
2253aa9179Sopenharmony_ci counter = xmlRegGetCounter(ctxt);
2353aa9179Sopenharmony_ci+ if (counter < 0)
2453aa9179Sopenharmony_ci+ return(-1);
2553aa9179Sopenharmony_ci ctxt->counters[counter].min = atom->min - 1;
2653aa9179Sopenharmony_ci ctxt->counters[counter].max = atom->max - 1;
2753aa9179Sopenharmony_ci /* count the number of times we see it again */
2853aa9179Sopenharmony_ci@@ -1699,6 +1701,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
2953aa9179Sopenharmony_ci * epsilon transition.
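Review bot: The added `if (counter < 0) return(-1);` after `xmlRegGetCounter(ctxt)` carries no explanation of why a negative value is possible, and a later maintainer could easily drop it as dead code; a one-line comment would pin the contract, e.g. `/* xmlRegGetCounter() returns -1 when growing the counter table fails; indexing counters[] with it would read out of bounds */`. The same check, and the same missing comment, appears in the second hunk of this function at -1699. The early return leaves the `inter` state already created on `ctxt->state` in place; that looks intended because the parser context owns its states, but it is worth confirming that every caller of xmlFAGenerateTransitions treats -1 as fatal and releases the context rather than continuing to build on it. The body of xmlFAGenerateTransitions starts and ends outside the hunk.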
3053aa9179Sopenharmony_ci */
3153aa9179Sopenharmony_ci counter = xmlRegGetCounter(ctxt);
3253aa9179Sopenharmony_ci+ if (counter < 0)
3353aa9179Sopenharmony_ci+ return(-1);
3453aa9179Sopenharmony_ci ctxt->counters[counter].min = atom->min - 1;
3553aa9179Sopenharmony_ci ctxt->counters[counter].max = atom->max - 1;
3653aa9179Sopenharmony_ci /* allow a way out based on the count */
3753aa9179Sopenharmony_ci@@ -6025,6 +6029,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
3853aa9179Sopenharmony_ci * associate a counter to the transition.
3953aa9179Sopenharmony_ci */
4053aa9179Sopenharmony_ci counter = xmlRegGetCounter(am);
4153aa9179Sopenharmony_ci+ if (counter < 0)
4253aa9179Sopenharmony_ci+ goto error;
4353aa9179Sopenharmony_ci am->counters[counter].min = min;
4453aa9179Sopenharmony_ci am->counters[counter].max = max;
4553aa9179Sopenharmony_ci
4653aa9179Sopenharmony_ci@@ -6099,6 +6105,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
4753aa9179Sopenharmony_ci * associate a counter to the transition.
4853aa9179Sopenharmony_ci */
4953aa9179Sopenharmony_ci counter = xmlRegGetCounter(am);
5053aa9179Sopenharmony_ci+ if (counter < 0)
5153aa9179Sopenharmony_ci+ goto error;
5253aa9179Sopenharmony_ci am->counters[counter].min = min;
5353aa9179Sopenharmony_ci am->counters[counter].max = max;
5453aa9179Sopenharmony_ci
5553aa9179Sopenharmony_ci@@ -6191,6 +6199,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
5653aa9179Sopenharmony_ci * associate a counter to the transition.
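Review bot: The new `goto error` in xmlAutomataNewCountTrans2 jumps to a label that lies outside the hunk, so the hunk alone does not show that the resources built before the counter is requested are released on this new path; if the function has already created an atom (and, for the two-token variant, a concatenated string) by this point, `error` must free it or the fix trades an out-of-bounds read for a leak under memory pressure. Please confirm the `error` block covers everything allocated earlier, and consider a short comment at the jump such as `/* counter table could not be grown; release the unattached atom */`. The hunks for xmlAutomataNewCountTrans at -6099, xmlAutomataNewOnceTrans2 at -6191 and xmlAutomataNewOnceTrans at -6256 add the identical check and need the same confirmation. Each of these function bodies starts and ends outside its hunk.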
5753aa9179Sopenharmony_ci */
5853aa9179Sopenharmony_ci counter = xmlRegGetCounter(am);
5953aa9179Sopenharmony_ci+ if (counter < 0)
6053aa9179Sopenharmony_ci+ goto error;
6153aa9179Sopenharmony_ci am->counters[counter].min = 1;
6253aa9179Sopenharmony_ci am->counters[counter].max = 1;
6353aa9179Sopenharmony_ci
6453aa9179Sopenharmony_ci@@ -6256,6 +6266,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
6553aa9179Sopenharmony_ci * associate a counter to the transition.
6653aa9179Sopenharmony_ci */
6753aa9179Sopenharmony_ci counter = xmlRegGetCounter(am);
6853aa9179Sopenharmony_ci+ if (counter < 0)
6953aa9179Sopenharmony_ci+ goto error;
7053aa9179Sopenharmony_ci am->counters[counter].min = 1;
7153aa9179Sopenharmony_ci am->counters[counter].max = 1;
7253aa9179Sopenharmony_ci
7353aa9179Sopenharmony_ci--
7453aa9179Sopenharmony_ci2.27.0
7553aa9179Sopenharmony_ci
76