153aa9179Sopenharmony_ciFrom 9fa1b228a5d60fab92a79c6c01c39e37454da1b3 Mon Sep 17 00:00:00 2001 253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de> 353aa9179Sopenharmony_ciDate: Tue, 14 Feb 2023 16:43:35 +0100 453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix memory leak in xmlGetDtdElementDesc2 553aa9179Sopenharmony_ci 653aa9179Sopenharmony_ciFound with libFuzzer, see #344. 753aa9179Sopenharmony_ci 853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/9fa1b228a5d60fab92a79c6c01c39e37454da1b3 953aa9179Sopenharmony_ciConflict:valid.c 1053aa9179Sopenharmony_ci 1153aa9179Sopenharmony_ci--- 1253aa9179Sopenharmony_ci valid.c | 23 +++++++++++++++-------- 1353aa9179Sopenharmony_ci 1 file changed, 15 insertions(+), 8 deletions(-) 1453aa9179Sopenharmony_ci 1553aa9179Sopenharmony_cidiff --git a/valid.c b/valid.c 1653aa9179Sopenharmony_ciindex ed3c850..b7b92fe 100644 1753aa9179Sopenharmony_ci--- a/valid.c 1853aa9179Sopenharmony_ci+++ b/valid.c 1953aa9179Sopenharmony_ci@@ -26,8 +26,9 @@ 2053aa9179Sopenharmony_ci #include <libxml/list.h> 2153aa9179Sopenharmony_ci #include <libxml/globals.h> 2253aa9179Sopenharmony_ci 2353aa9179Sopenharmony_ci-static xmlElementPtr xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, 2453aa9179Sopenharmony_ci- int create); 2553aa9179Sopenharmony_ci+static xmlElementPtr 2653aa9179Sopenharmony_ci+xmlGetDtdElementDesc2(xmlValidCtxtPtr ctxt, xmlDtdPtr dtd, const xmlChar *name, 2753aa9179Sopenharmony_ci+ int create); 2853aa9179Sopenharmony_ci /* #define DEBUG_VALID_ALGO */ 2953aa9179Sopenharmony_ci /* #define DEBUG_REGEXP_ALGO */ 3053aa9179Sopenharmony_ci 3153aa9179Sopenharmony_ci@@ -2135,7 +2136,7 @@ xmlAddAttributeDecl(xmlValidCtxtPtr ctxt, 3253aa9179Sopenharmony_ci * Validity Check: 3353aa9179Sopenharmony_ci * Multiple ID per element 3453aa9179Sopenharmony_ci */ 3553aa9179Sopenharmony_ci- elemDef = xmlGetDtdElementDesc2(dtd, elem, 1); 3653aa9179Sopenharmony_ci+ elemDef = xmlGetDtdElementDesc2(ctxt, dtd, elem, 1); 3753aa9179Sopenharmony_ci if (elemDef != NULL) { 3853aa9179Sopenharmony_ci 3953aa9179Sopenharmony_ci #ifdef LIBXML_VALID_ENABLED 4053aa9179Sopenharmony_ci@@ -3295,7 +3296,8 @@ xmlGetDtdElementDesc(xmlDtdPtr dtd, const xmlChar *name) { 4153aa9179Sopenharmony_ci */ 4253aa9179Sopenharmony_ci 4353aa9179Sopenharmony_ci static xmlElementPtr 4453aa9179Sopenharmony_ci-xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { 4553aa9179Sopenharmony_ci+xmlGetDtdElementDesc2(xmlValidCtxtPtr ctxt, xmlDtdPtr dtd, const xmlChar *name, 4653aa9179Sopenharmony_ci+ int create) { 4753aa9179Sopenharmony_ci xmlElementTablePtr table; 4853aa9179Sopenharmony_ci xmlElementPtr cur; 4953aa9179Sopenharmony_ci xmlChar *uqname = NULL, *prefix = NULL; 5053aa9179Sopenharmony_ci@@ -3318,7 +3320,7 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { 5153aa9179Sopenharmony_ci dtd->elements = (void *) table; 5253aa9179Sopenharmony_ci } 5353aa9179Sopenharmony_ci if (table == NULL) { 5453aa9179Sopenharmony_ci- xmlVErrMemory(NULL, "element table allocation failed"); 5553aa9179Sopenharmony_ci+ xmlVErrMemory(ctxt, "element table allocation failed"); 5653aa9179Sopenharmony_ci return(NULL); 5753aa9179Sopenharmony_ci } 5853aa9179Sopenharmony_ci } 5953aa9179Sopenharmony_ci@@ -3331,8 +3333,8 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { 6053aa9179Sopenharmony_ci if ((cur == NULL) && (create)) { 6153aa9179Sopenharmony_ci cur = (xmlElementPtr) xmlMalloc(sizeof(xmlElement)); 6253aa9179Sopenharmony_ci if (cur == NULL) { 6353aa9179Sopenharmony_ci- xmlVErrMemory(NULL, "malloc failed"); 6453aa9179Sopenharmony_ci- return(NULL); 6553aa9179Sopenharmony_ci+ xmlVErrMemory(ctxt, "malloc failed"); 6653aa9179Sopenharmony_ci+ goto error; 6753aa9179Sopenharmony_ci } 6853aa9179Sopenharmony_ci memset(cur, 0, sizeof(xmlElement)); 6953aa9179Sopenharmony_ci cur->type = XML_ELEMENT_DECL; 7053aa9179Sopenharmony_ci@@ -3344,8 +3346,13 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { 7153aa9179Sopenharmony_ci cur->prefix = xmlStrdup(prefix); 7253aa9179Sopenharmony_ci cur->etype = XML_ELEMENT_TYPE_UNDEFINED; 7353aa9179Sopenharmony_ci 7453aa9179Sopenharmony_ci- xmlHashAddEntry2(table, name, prefix, cur); 7553aa9179Sopenharmony_ci+ if (xmlHashAddEntry2(table, name, prefix, cur) < 0) { 7653aa9179Sopenharmony_ci+ xmlVErrMemory(ctxt, "adding entry failed"); 7753aa9179Sopenharmony_ci+ xmlFreeElement(cur); 7853aa9179Sopenharmony_ci+ cur = NULL; 7953aa9179Sopenharmony_ci+ } 8053aa9179Sopenharmony_ci } 8153aa9179Sopenharmony_ci+error: 8253aa9179Sopenharmony_ci if (prefix != NULL) xmlFree(prefix); 8353aa9179Sopenharmony_ci if (uqname != NULL) xmlFree(uqname); 8453aa9179Sopenharmony_ci return(cur); 8553aa9179Sopenharmony_ci-- 8653aa9179Sopenharmony_ci2.27.0 8753aa9179Sopenharmony_ci 88