153aa9179Sopenharmony_ciFrom f5e1174933c65556b5d1c0b3a8f13a27f37a1638 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Wed, 15 Feb 2023 13:48:18 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix memory leak after calling
553aa9179Sopenharmony_ci xmlXPathWrapNodeSet
653aa9179Sopenharmony_ci
753aa9179Sopenharmony_ciDestroy the node set in xmlXPathWrapNodeSet if the function fails.
853aa9179Sopenharmony_ciThis is somewhat dangerous but matches the expectations of users.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciFound with libFuzzer, see #344.
1153aa9179Sopenharmony_ci
1253aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/f5e1174933c65556b5d1c0b3a8f13a27f37a1638
1353aa9179Sopenharmony_ciConflict:xpath.c
1453aa9179Sopenharmony_ci---
1553aa9179Sopenharmony_ci xpath.c | 5 +++++
1653aa9179Sopenharmony_ci 1 file changed, 5 insertions(+)
1753aa9179Sopenharmony_ci
1853aa9179Sopenharmony_cidiff --git a/xpath.c b/xpath.c
1953aa9179Sopenharmony_ciindex dc99e63..9ead497 100644
2053aa9179Sopenharmony_ci--- a/xpath.c
2153aa9179Sopenharmony_ci+++ b/xpath.c
2253aa9179Sopenharmony_ci@@ -2319,6 +2319,8 @@ xmlXPathContextSetCache(xmlXPathContextPtr ctxt,
2353aa9179Sopenharmony_ci * Wrap the Nodeset @val in a new xmlXPathObjectPtr
2453aa9179Sopenharmony_ci *
2553aa9179Sopenharmony_ci * Returns the created or reused object.
2653aa9179Sopenharmony_ci+ *
2753aa9179Sopenharmony_ci+ * In case of error the node set is destroyed and NULL is returned.
2853aa9179Sopenharmony_ci */
2953aa9179Sopenharmony_ci static xmlXPathObjectPtr
3053aa9179Sopenharmony_ci xmlXPathCacheWrapNodeSet(xmlXPathContextPtr ctxt, xmlNodeSetPtr val)
3153aa9179Sopenharmony_ci@@ -4398,6 +4400,8 @@ xmlXPathNewNodeSetList(xmlNodeSetPtr val)
3253aa9179Sopenharmony_ci * Wrap the Nodeset @val in a new xmlXPathObjectPtr
3353aa9179Sopenharmony_ci *
3453aa9179Sopenharmony_ci * Returns the newly created object.
3553aa9179Sopenharmony_ci+ *
3653aa9179Sopenharmony_ci+ * In case of error the node set is destroyed and NULL is returned.
3753aa9179Sopenharmony_ci */
3853aa9179Sopenharmony_ci xmlXPathObjectPtr
3953aa9179Sopenharmony_ci xmlXPathWrapNodeSet(xmlNodeSetPtr val) {
4053aa9179Sopenharmony_ci@@ -4406,6 +4410,7 @@ xmlXPathWrapNodeSet(xmlNodeSetPtr val) {
4153aa9179Sopenharmony_ci ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
4253aa9179Sopenharmony_ci if (ret == NULL) {
4353aa9179Sopenharmony_ci xmlXPathErrMemory(NULL, "creating node set object\n");
4453aa9179Sopenharmony_ci+ xmlXPathFreeNodeSet(val);
4553aa9179Sopenharmony_ci return(NULL);
4653aa9179Sopenharmony_ci }
4753aa9179Sopenharmony_ci memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
4853aa9179Sopenharmony_ci--
4953aa9179Sopenharmony_ci2.27.0
5053aa9179Sopenharmony_ci
51
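Review bot: The added `xmlXPathFreeNodeSet(val);` in the xmlMalloc-failure path of xmlXPathWrapNodeSet changes the ownership contract: on a NULL return the callee now owns and frees `val`, so any caller in this tree that still frees the node set itself after checking for NULL becomes a double free. The `Conflict:xpath.c` trailer shows this is a hand-merged backport, so callers of xmlXPathWrapNodeSet and xmlXPathCacheWrapNodeSet should be audited against the upstream commit's companion changes rather than assumed to match. The doc line added to xmlXPathCacheWrapNodeSet in the first hunk promises the same destroy-on-error behaviour, but that hunk changes no code; presumably this holds because its non-cached path delegates to xmlXPathWrapNodeSet, which is worth confirming for the cached path too. The free is only safe for a NULL `val` if xmlXPathFreeNodeSet tolerates NULL, as it does upstream; a short comment on the new line, `/* ownership of val passes to this function; caller must not free it on NULL */`, would make the contract visible at the call site. The body of xmlXPathWrapNodeSet continues outside the hunk.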