153aa9179Sopenharmony_ciFrom 40bc1c699a7999626d3384be43684f2a68dad6c4 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Fri, 17 Feb 2023 15:40:32 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix memory leak in xmlFAParseCharProp
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound with libFuzzer, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/40bc1c699a7999626d3384be43684f2a68dad6c4
953aa9179Sopenharmony_ciConflict:NA
1053aa9179Sopenharmony_ci---
1153aa9179Sopenharmony_ci xmlregexp.c | 26 ++++++++++++++++----------
1253aa9179Sopenharmony_ci 1 file changed, 16 insertions(+), 10 deletions(-)
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_cidiff --git a/xmlregexp.c b/xmlregexp.c
1553aa9179Sopenharmony_ciindex fb2eadc..8c2ea81 100644
1653aa9179Sopenharmony_ci--- a/xmlregexp.c
1753aa9179Sopenharmony_ci+++ b/xmlregexp.c
1853aa9179Sopenharmony_ci@@ -1245,7 +1245,7 @@ xmlRegPrintCtxt(FILE *output, xmlRegParserCtxtPtr ctxt) {
1953aa9179Sopenharmony_ci * *
2053aa9179Sopenharmony_ci ************************************************************************/
2153aa9179Sopenharmony_ci
2253aa9179Sopenharmony_ci-static void
2353aa9179Sopenharmony_ci+static xmlRegRangePtr
2453aa9179Sopenharmony_ci xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
2553aa9179Sopenharmony_ci int neg, xmlRegAtomType type, int start, int end,
2653aa9179Sopenharmony_ci xmlChar *blockName) {
2753aa9179Sopenharmony_ci@@ -1253,11 +1253,11 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
2853aa9179Sopenharmony_ci
2953aa9179Sopenharmony_ci if (atom == NULL) {
3053aa9179Sopenharmony_ci ERROR("add range: atom is NULL");
3153aa9179Sopenharmony_ci- return;
3253aa9179Sopenharmony_ci+ return(NULL);
3353aa9179Sopenharmony_ci }
3453aa9179Sopenharmony_ci if (atom->type != XML_REGEXP_RANGES) {
3553aa9179Sopenharmony_ci ERROR("add range: atom is not ranges");
3653aa9179Sopenharmony_ci- return;
3753aa9179Sopenharmony_ci+ return(NULL);
3853aa9179Sopenharmony_ci }
3953aa9179Sopenharmony_ci if (atom->maxRanges == 0) {
4053aa9179Sopenharmony_ci atom->maxRanges = 4;
4153aa9179Sopenharmony_ci@@ -1266,7 +1266,7 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
4253aa9179Sopenharmony_ci if (atom->ranges == NULL) {
4353aa9179Sopenharmony_ci xmlRegexpErrMemory(ctxt, "adding ranges");
4453aa9179Sopenharmony_ci atom->maxRanges = 0;
4553aa9179Sopenharmony_ci- return;
4653aa9179Sopenharmony_ci+ return(NULL);
4753aa9179Sopenharmony_ci }
4853aa9179Sopenharmony_ci } else if (atom->nbRanges >= atom->maxRanges) {
4953aa9179Sopenharmony_ci xmlRegRangePtr *tmp;
5053aa9179Sopenharmony_ci@@ -1276,16 +1276,17 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom,
5153aa9179Sopenharmony_ci if (tmp == NULL) {
5253aa9179Sopenharmony_ci xmlRegexpErrMemory(ctxt, "adding ranges");
5353aa9179Sopenharmony_ci atom->maxRanges /= 2;
5453aa9179Sopenharmony_ci- return;
5553aa9179Sopenharmony_ci+ return(NULL);
5653aa9179Sopenharmony_ci }
5753aa9179Sopenharmony_ci atom->ranges = tmp;
5853aa9179Sopenharmony_ci }
5953aa9179Sopenharmony_ci range = xmlRegNewRange(ctxt, neg, type, start, end);
6053aa9179Sopenharmony_ci if (range == NULL)
6153aa9179Sopenharmony_ci- return;
6253aa9179Sopenharmony_ci+ return(NULL);
6353aa9179Sopenharmony_ci range->blockName = blockName;
6453aa9179Sopenharmony_ci atom->ranges[atom->nbRanges++] = range;
6553aa9179Sopenharmony_ci
6653aa9179Sopenharmony_ci+ return(range);
6753aa9179Sopenharmony_ci }
6853aa9179Sopenharmony_ci
6953aa9179Sopenharmony_ci static int
7053aa9179Sopenharmony_ci@@ -4899,11 +4900,16 @@ xmlFAParseCharProp(xmlRegParserCtxtPtr ctxt) {
7153aa9179Sopenharmony_ci }
7253aa9179Sopenharmony_ci if (ctxt->atom == NULL) {
7353aa9179Sopenharmony_ci ctxt->atom = xmlRegNewAtom(ctxt, type);
7453aa9179Sopenharmony_ci- if (ctxt->atom != NULL)
7553aa9179Sopenharmony_ci- ctxt->atom->valuep = blockName;
7653aa9179Sopenharmony_ci+ if (ctxt->atom == NULL) {
7753aa9179Sopenharmony_ci+ xmlFree(blockName);
7853aa9179Sopenharmony_ci+ return;
7953aa9179Sopenharmony_ci+ }
8053aa9179Sopenharmony_ci+ ctxt->atom->valuep = blockName;
8153aa9179Sopenharmony_ci } else if (ctxt->atom->type == XML_REGEXP_RANGES) {
8253aa9179Sopenharmony_ci- xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
8353aa9179Sopenharmony_ci- type, 0, 0, blockName);
8453aa9179Sopenharmony_ci+ if (xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
8553aa9179Sopenharmony_ci+ type, 0, 0, blockName) == NULL) {
8653aa9179Sopenharmony_ci+ xmlFree(blockName);
8753aa9179Sopenharmony_ci+ }
8853aa9179Sopenharmony_ci }
8953aa9179Sopenharmony_ci }
9053aa9179Sopenharmony_ci
9153aa9179Sopenharmony_ci--
9253aa9179Sopenharmony_ci2.27.0
9353aa9179Sopenharmony_ci
94
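Review bot: In the xmlFAParseCharProp hunk, `blockName` is still neither stored nor freed when `ctxt->atom` already exists and its type is not `XML_REGEXP_RANGES`; the two new `xmlFree(blockName)` calls cover only the allocation-failure paths. Whether that third case can be reached with a non-NULL `blockName` is not visible here, because the function starts outside the hunk, but if it can, a trailing `else { xmlFree(blockName); }` would close it. The fix also relies on an ownership rule that is not written down anywhere in the patch: xmlRegAtomAddRange takes `blockName` only when it returns non-NULL. I would state that above its definition in the first hunk, e.g. `/* Returns the new range, or NULL on error; on NULL the caller keeps ownership of blockName. */`, so that other callers of the formerly void function know when they must free.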