1From f5e1174933c65556b5d1c0b3a8f13a27f37a1638 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Wed, 15 Feb 2023 13:48:18 +0100
4Subject: [PATCH] malloc-fail: Fix memory leak after calling
5 xmlXPathWrapNodeSet
6
7Destroy the node set in xmlXPathWrapNodeSet if the function fails.
8This is somewhat dangerous but matches the expectations of users.
9
10Found with libFuzzer, see #344.
11
12Reference:https://github.com/GNOME/libxml2/commit/f5e1174933c65556b5d1c0b3a8f13a27f37a1638
13Conflict:xpath.c
14---
15 xpath.c | 5 +++++
16 1 file changed, 5 insertions(+)
17
18diff --git a/xpath.c b/xpath.c
19index dc99e63..9ead497 100644
20--- a/xpath.c
21+++ b/xpath.c
22@@ -2319,6 +2319,8 @@ xmlXPathContextSetCache(xmlXPathContextPtr ctxt,
23 * Wrap the Nodeset @val in a new xmlXPathObjectPtr
24 *
25 * Returns the created or reused object.
26+ *
27+ * In case of error the node set is destroyed and NULL is returned.
28 */
29 static xmlXPathObjectPtr
30 xmlXPathCacheWrapNodeSet(xmlXPathContextPtr ctxt, xmlNodeSetPtr val)
31@@ -4398,6 +4400,8 @@ xmlXPathNewNodeSetList(xmlNodeSetPtr val)
32 * Wrap the Nodeset @val in a new xmlXPathObjectPtr
33 *
34 * Returns the newly created object.
35+ *
36+ * In case of error the node set is destroyed and NULL is returned.
37 */
38 xmlXPathObjectPtr
39 xmlXPathWrapNodeSet(xmlNodeSetPtr val) {
40@@ -4406,6 +4410,7 @@ xmlXPathWrapNodeSet(xmlNodeSetPtr val) {
41 ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
42 if (ret == NULL) {
43 xmlXPathErrMemory(NULL, "creating node set object\n");
44+ xmlXPathFreeNodeSet(val);
45 return(NULL);
46 }
47 memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
48--
492.27.0
50
51
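Review bot: The sentence added to the xmlXPathCacheWrapNodeSet comment promises that the node set is destroyed on error, but no code in that function changes in this hunk, and its body lies outside it. The promise presumably holds only because the function falls through to xmlXPathWrapNodeSet when it has no cached object to reuse. Each NULL return in the body should be checked against the new wording, because a caller that trusts the comment will no longer free `val` itself, so any path that returns NULL without freeing it would leak.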
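Review bot: The added `xmlXPathFreeNodeSet(val);` on the allocation-failure path of xmlXPathWrapNodeSet changes who owns the node set after a NULL return, so any caller that still frees `val` when the wrap fails now double-frees it. The commit message itself calls this "somewhat dangerous", and the doc line added in the previous hunk could state the rule in terms a caller can act on, e.g. `* On failure @val has already been freed; the caller must not use or free it.`. Call sites of this public function, in the tree and in dependent code, that pair a NULL check with their own `xmlXPathFreeNodeSet` need auditing alongside this backport. A malloc-failure run under AddressSanitizer would confirm that none remain. The function body continues past the end of the hunk.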