153aa9179Sopenharmony_ciFrom ed615967dfeba615218826bb4ef0c87877cb53cd Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Fri, 17 Feb 2023 15:23:42 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix memory leak in xmlRegexpCompile
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound with libFuzzer, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/ed615967dfeba615218826bb4ef0c87877cb53cd
953aa9179Sopenharmony_ciConflict:NA
1053aa9179Sopenharmony_ci---
1153aa9179Sopenharmony_ci xmlregexp.c | 18 ++++++++----------
1253aa9179Sopenharmony_ci 1 file changed, 8 insertions(+), 10 deletions(-)
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_cidiff --git a/xmlregexp.c b/xmlregexp.c
1553aa9179Sopenharmony_ciindex 11c684a..360916f 100644
1653aa9179Sopenharmony_ci--- a/xmlregexp.c
1753aa9179Sopenharmony_ci+++ b/xmlregexp.c
1853aa9179Sopenharmony_ci@@ -5566,7 +5566,7 @@ xmlRegexpPrint(FILE *output, xmlRegexpPtr regexp) {
1953aa9179Sopenharmony_ci */
2053aa9179Sopenharmony_ci xmlRegexpPtr
2153aa9179Sopenharmony_ci xmlRegexpCompile(const xmlChar *regexp) {
2253aa9179Sopenharmony_ci- xmlRegexpPtr ret;
2353aa9179Sopenharmony_ci+ xmlRegexpPtr ret = NULL;
2453aa9179Sopenharmony_ci xmlRegParserCtxtPtr ctxt;
2553aa9179Sopenharmony_ci
2653aa9179Sopenharmony_ci ctxt = xmlRegNewParserCtxt(regexp);
2753aa9179Sopenharmony_ci@@ -5576,7 +5576,7 @@ xmlRegexpCompile(const xmlChar *regexp) {
2853aa9179Sopenharmony_ci /* initialize the parser */
2953aa9179Sopenharmony_ci ctxt->state = xmlRegStatePush(ctxt);
3053aa9179Sopenharmony_ci if (ctxt->state == NULL)
3153aa9179Sopenharmony_ci- return(NULL);
3253aa9179Sopenharmony_ci+ goto error;
3353aa9179Sopenharmony_ci ctxt->start = ctxt->state;
3453aa9179Sopenharmony_ci ctxt->end = NULL;
3553aa9179Sopenharmony_ci
3653aa9179Sopenharmony_ci@@ -5585,10 +5585,8 @@ xmlRegexpCompile(const xmlChar *regexp) {
3753aa9179Sopenharmony_ci if (CUR != 0) {
3853aa9179Sopenharmony_ci ERROR("xmlFAParseRegExp: extra characters");
3953aa9179Sopenharmony_ci }
4053aa9179Sopenharmony_ci- if (ctxt->error != 0) {
4153aa9179Sopenharmony_ci- xmlRegFreeParserCtxt(ctxt);
4253aa9179Sopenharmony_ci- return(NULL);
4353aa9179Sopenharmony_ci- }
4453aa9179Sopenharmony_ci+ if (ctxt->error != 0)
4553aa9179Sopenharmony_ci+ goto error;
4653aa9179Sopenharmony_ci ctxt->end = ctxt->state;
4753aa9179Sopenharmony_ci ctxt->start->type = XML_REGEXP_START_STATE;
4853aa9179Sopenharmony_ci ctxt->end->type = XML_REGEXP_FINAL_STATE;
4953aa9179Sopenharmony_ci@@ -5597,11 +5595,11 @@ xmlRegexpCompile(const xmlChar *regexp) {
5053aa9179Sopenharmony_ci xmlFAEliminateEpsilonTransitions(ctxt);
5153aa9179Sopenharmony_ci
5253aa9179Sopenharmony_ci
5353aa9179Sopenharmony_ci- if (ctxt->error != 0) {
5453aa9179Sopenharmony_ci- xmlRegFreeParserCtxt(ctxt);
5553aa9179Sopenharmony_ci- return(NULL);
5653aa9179Sopenharmony_ci- }
5753aa9179Sopenharmony_ci+ if (ctxt->error != 0)
5853aa9179Sopenharmony_ci+ goto error;
5953aa9179Sopenharmony_ci ret = xmlRegEpxFromParse(ctxt);
6053aa9179Sopenharmony_ci+
6153aa9179Sopenharmony_ci+error:
6253aa9179Sopenharmony_ci xmlRegFreeParserCtxt(ctxt);
6353aa9179Sopenharmony_ci return(ret);
6453aa9179Sopenharmony_ci }
6553aa9179Sopenharmony_ci--
6653aa9179Sopenharmony_ci2.27.0
6753aa9179Sopenharmony_ci
68
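Review bot: The stores `ctxt->start->type = XML_REGEXP_START_STATE;` and `ctxt->end->type = XML_REGEXP_FINAL_STATE;` right after the new `goto error` dereference `ctxt->end`, which was just copied from `ctxt->state` without a NULL test. They are safe only if every allocation failure in the parse step also sets `ctxt->error`, and the parser code is outside this hunk, so that invariant cannot be confirmed from here. Since this commit is about malloc-failure paths, consider making the guard explicit, `if (ctxt->error != 0 || ctxt->state == NULL)`, or add a comment above the check stating that a failed state push during parsing always raises `ctxt->error`.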
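Review bot: The `error:` label is also reached on the success path, because `ret = xmlRegEpxFromParse(ctxt);` falls straight through into it, so the name reads as a failure-only exit when it is really the common cleanup. Either rename it to `done:` (together with the three `goto error;` statements in this hunk and the two before it) or put `/* common exit: ctxt is always freed; ret stays NULL on failure */` above the label. The leak fixed here came from an early `return(NULL)` that bypassed `xmlRegFreeParserCtxt`, so making the single-exit design explicit helps keep a later early return from reintroducing it.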