153aa9179Sopenharmony_ciFrom 04c2955197b53eb106037bc1d422bb80b39abbf6 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Thu, 16 Feb 2023 14:53:29 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix infinite loop in htmlParseContentInternal
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound with libFuzzer, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/04c2955197b53eb106037bc1d422bb80b39abbf6
953aa9179Sopenharmony_ciConflict:NA
1053aa9179Sopenharmony_ci---
1153aa9179Sopenharmony_ci HTMLparser.c | 32 ++++++++++++++++++++++++++++++--
1253aa9179Sopenharmony_ci 1 file changed, 30 insertions(+), 2 deletions(-)
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_cidiff --git a/HTMLparser.c b/HTMLparser.c
1553aa9179Sopenharmony_ciindex 5272c25..f90053a 100644
1653aa9179Sopenharmony_ci--- a/HTMLparser.c
1753aa9179Sopenharmony_ci+++ b/HTMLparser.c
1853aa9179Sopenharmony_ci@@ -4718,8 +4718,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
1953aa9179Sopenharmony_ci int depth;
2053aa9179Sopenharmony_ci const xmlChar *name;
2153aa9179Sopenharmony_ci
2253aa9179Sopenharmony_ci- currentNode = xmlStrdup(ctxt->name);
2353aa9179Sopenharmony_ci depth = ctxt->nameNr;
2453aa9179Sopenharmony_ci+ if (depth <= 0) {
2553aa9179Sopenharmony_ci+ currentNode = NULL;
2653aa9179Sopenharmony_ci+ } else {
2753aa9179Sopenharmony_ci+ currentNode = xmlStrdup(ctxt->name);
2853aa9179Sopenharmony_ci+ if (currentNode == NULL) {
2953aa9179Sopenharmony_ci+ htmlErrMemory(ctxt, NULL);
3053aa9179Sopenharmony_ci+ return;
3153aa9179Sopenharmony_ci+ }
3253aa9179Sopenharmony_ci+ }
3353aa9179Sopenharmony_ci while (1) {
3453aa9179Sopenharmony_ci GROW;
3553aa9179Sopenharmony_ci
3653aa9179Sopenharmony_ci@@ -4735,8 +4743,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
3753aa9179Sopenharmony_ci if (currentNode != NULL)
3853aa9179Sopenharmony_ci
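Review bot: The depth check, xmlStrdup and htmlErrMemory sequence added at -4718 is repeated verbatim in the next hunk at -4743 and, without the depth guard, three more times later in the same function, so the five sites have already started to diverge; a small static helper that returns a status would keep them aligned and let each call site keep its own early exit (`return` here, `break` inside the loop). Only the exit differs, so a call such as `if (htmlContentDupName(ctxt, &currentNode) < 0) return;` replaces the nine added lines here. The helper name is a suggestion, not an existing symbol. htmlParseContentInternal starts before this hunk and continues past it.
```c
/* Duplicate the current element name into *dst.
 * Returns 0 on success; *dst is NULL when the name stack is empty.
 * Returns -1 after reporting a memory error, with *dst set to NULL. */
static int
htmlContentDupName(htmlParserCtxtPtr ctxt, xmlChar **dst) {
    *dst = NULL;
    if (ctxt->nameNr <= 0)
        return 0;
    *dst = xmlStrdup(ctxt->name);
    if (*dst == NULL) {
        htmlErrMemory(ctxt, NULL);
        return -1;
    }
    return 0;
}
```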
xmlFree(currentNode);
3953aa9179Sopenharmony_ci
4053aa9179Sopenharmony_ci- currentNode = xmlStrdup(ctxt->name);
4153aa9179Sopenharmony_ci depth = ctxt->nameNr;
4253aa9179Sopenharmony_ci+ if (depth <= 0) {
4353aa9179Sopenharmony_ci+ currentNode = NULL;
4453aa9179Sopenharmony_ci+ } else {
4553aa9179Sopenharmony_ci+ currentNode = xmlStrdup(ctxt->name);
4653aa9179Sopenharmony_ci+ if (currentNode == NULL) {
4753aa9179Sopenharmony_ci+ htmlErrMemory(ctxt, NULL);
4853aa9179Sopenharmony_ci+ break;
4953aa9179Sopenharmony_ci+ }
5053aa9179Sopenharmony_ci+ }
5153aa9179Sopenharmony_ci }
5253aa9179Sopenharmony_ci continue; /* while */
5353aa9179Sopenharmony_ci }
5453aa9179Sopenharmony_ci@@ -4758,6 +4774,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
5553aa9179Sopenharmony_ci xmlFree(currentNode);
5653aa9179Sopenharmony_ci
5753aa9179Sopenharmony_ci currentNode = xmlStrdup(ctxt->name);
5853aa9179Sopenharmony_ci+ if (currentNode == NULL) {
5953aa9179Sopenharmony_ci+ htmlErrMemory(ctxt, NULL);
6053aa9179Sopenharmony_ci+ break;
6153aa9179Sopenharmony_ci+ }
6253aa9179Sopenharmony_ci depth = ctxt->nameNr;
6353aa9179Sopenharmony_ci continue;
6453aa9179Sopenharmony_ci }
6553aa9179Sopenharmony_ci@@ -4781,6 +4801,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
6653aa9179Sopenharmony_ci if (currentNode != NULL) xmlFree(currentNode);
6753aa9179Sopenharmony_ci
6853aa9179Sopenharmony_ci currentNode = xmlStrdup(ctxt->name);
6953aa9179Sopenharmony_ci+ if (currentNode == NULL) {
7053aa9179Sopenharmony_ci+ htmlErrMemory(ctxt, NULL);
7153aa9179Sopenharmony_ci+ break;
7253aa9179Sopenharmony_ci+ }
7353aa9179Sopenharmony_ci depth = ctxt->nameNr;
7453aa9179Sopenharmony_ci continue;
7553aa9179Sopenharmony_ci }
7653aa9179Sopenharmony_ci@@ -4829,6 +4853,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
7753aa9179Sopenharmony_ci if (currentNode != NULL) xmlFree(currentNode);
7853aa9179Sopenharmony_ci
7953aa9179Sopenharmony_ci currentNode = xmlStrdup(ctxt->name);
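Review bot: The check added after the unguarded `currentNode = xmlStrdup(ctxt->name);` in the hunk at -4758 treats every NULL result as an allocation failure, whereas the two earlier hunks guard the same call with `if (depth <= 0)`, presumably because ctxt->name is NULL when the name stack is empty and xmlStrdup returns NULL without allocating. If ctxt->nameNr can be 0 at this point (this hunk sits right after an end tag is handled, which may have popped the last element), the new code reports a spurious memory error and `break`s out of the content loop on valid input; whether that state is reachable here is not visible in the hunk and should be confirmed. The hunks at -4781 and -4829 have the same shape. Reusing the guarded form from the first two hunks, or checking `if (ctxt->name != NULL && currentNode == NULL)` before calling htmlErrMemory, keeps the new error path specific to allocation failure. htmlParseContentInternal begins and ends outside these hunks.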
8053aa9179Sopenharmony_ci+ if (currentNode == NULL) {
8153aa9179Sopenharmony_ci+ htmlErrMemory(ctxt, NULL);
8253aa9179Sopenharmony_ci+ break;
8353aa9179Sopenharmony_ci+ }
8453aa9179Sopenharmony_ci depth = ctxt->nameNr;
8553aa9179Sopenharmony_ci }
8653aa9179Sopenharmony_ci else if (CUR == '<') {
8753aa9179Sopenharmony_ci--
8853aa9179Sopenharmony_ci2.27.0
8953aa9179Sopenharmony_ci
9053aa9179Sopenharmony_ci
91