153aa9179Sopenharmony_ciFrom a442d16a5fe61626f00f33abe547da9379a37d89 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Sun, 26 Feb 2023 14:48:23 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix memory leak in xmlGetNsList
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound with libFuzzer, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/a442d16a5fe61626f00f33abe547da9379a37d89
953aa9179Sopenharmony_ciConflict:NA
1053aa9179Sopenharmony_ci---
1153aa9179Sopenharmony_ci tree.c | 25 +++++++++----------------
1253aa9179Sopenharmony_ci 1 file changed, 9 insertions(+), 16 deletions(-)
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_cidiff --git a/tree.c b/tree.c
1553aa9179Sopenharmony_ciindex 35bd948..4a80e28 100644
1653aa9179Sopenharmony_ci--- a/tree.c
1753aa9179Sopenharmony_ci+++ b/tree.c
1853aa9179Sopenharmony_ci@@ -5971,7 +5971,7 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node)
1953aa9179Sopenharmony_ci xmlNsPtr cur;
2053aa9179Sopenharmony_ci xmlNsPtr *ret = NULL;
2153aa9179Sopenharmony_ci int nbns = 0;
2253aa9179Sopenharmony_ci- int maxns = 10;
2353aa9179Sopenharmony_ci+ int maxns = 0;
2453aa9179Sopenharmony_ci int i;
2553aa9179Sopenharmony_ci
2653aa9179Sopenharmony_ci if ((node == NULL) || (node->type == XML_NAMESPACE_DECL))
2753aa9179Sopenharmony_ci@@ -5981,16 +5981,6 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node)
2853aa9179Sopenharmony_ci if (node->type == XML_ELEMENT_NODE) {
2953aa9179Sopenharmony_ci cur = node->nsDef;
3053aa9179Sopenharmony_ci while (cur != NULL) {
3153aa9179Sopenharmony_ci- if (ret == NULL) {
3253aa9179Sopenharmony_ci- ret =
3353aa9179Sopenharmony_ci- (xmlNsPtr *) xmlMalloc((maxns + 1) *
3453aa9179Sopenharmony_ci- sizeof(xmlNsPtr));
3553aa9179Sopenharmony_ci- if (ret == NULL) {
3653aa9179Sopenharmony_ci- xmlTreeErrMemory("getting namespace list");
3753aa9179Sopenharmony_ci- return (NULL);
3853aa9179Sopenharmony_ci- }
3953aa9179Sopenharmony_ci- ret[nbns] = NULL;
4053aa9179Sopenharmony_ci- }
4153aa9179Sopenharmony_ci for (i = 0; i < nbns; i++) {
4253aa9179Sopenharmony_ci if ((cur->prefix == ret[i]->prefix) ||
4353aa9179Sopenharmony_ci (xmlStrEqual(cur->prefix, ret[i]->prefix)))
4453aa9179Sopenharmony_ci@@ -5998,15 +5988,18 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node)
4553aa9179Sopenharmony_ci }
4653aa9179Sopenharmony_ci if (i >= nbns) {
4753aa9179Sopenharmony_ci if (nbns >= maxns) {
4853aa9179Sopenharmony_ci- maxns *= 2;
4953aa9179Sopenharmony_ci- ret = (xmlNsPtr *) xmlRealloc(ret,
5053aa9179Sopenharmony_ci- (maxns +
5153aa9179Sopenharmony_ci- 1) *
5253aa9179Sopenharmony_ci+ xmlNsPtr *tmp;
5353aa9179Sopenharmony_ci+
5453aa9179Sopenharmony_ci+ maxns = maxns ? maxns * 2 : 10;
5553aa9179Sopenharmony_ci+ tmp = (xmlNsPtr *) xmlRealloc(ret,
5653aa9179Sopenharmony_ci+ (maxns + 1) *
5753aa9179Sopenharmony_ci sizeof(xmlNsPtr));
5853aa9179Sopenharmony_ci- if (ret == NULL) {
5953aa9179Sopenharmony_ci+ if (tmp == NULL) {
6053aa9179Sopenharmony_ci xmlTreeErrMemory("getting namespace list");
6153aa9179Sopenharmony_ci+ xmlFree(ret);
6253aa9179Sopenharmony_ci return (NULL);
6353aa9179Sopenharmony_ci }
6453aa9179Sopenharmony_ci+ ret = tmp;
6553aa9179Sopenharmony_ci }
6653aa9179Sopenharmony_ci ret[nbns++] = cur;
6753aa9179Sopenharmony_ci ret[nbns] = NULL;
6853aa9179Sopenharmony_ci--
6953aa9179Sopenharmony_ci2.27.0
7053aa9179Sopenharmony_ci
71
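Review bot: The failure path in the last hunk still ends in `return (NULL);`, and since `ret` starts as NULL and is only assigned once a namespace is stored, NULL also appears to be the result when no namespace is in scope. A caller therefore cannot tell an allocation failure from an empty list and may continue with namespace declarations silently missing. The added `xmlFree(ret)` fixes the leak but not this ambiguity; at minimum I would document it at the return, e.g. `/* NULL is also the "no namespaces" result: callers cannot detect this failure */`, and review the callers that iterate the result. Separately, with `int maxns = 0;` the first growth now calls `xmlRealloc(ret, ...)` with `ret == NULL`, which presumably relies on the configured allocator treating that as a plain allocation, so a one-line comment saying so would help. The body of xmlGetNsList starts and ends outside these hunks.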