153aa9179Sopenharmony_ciFrom 767ae50bc9e94a35bfede3af291cf0060893db0f Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Sun, 5 Mar 2023 14:11:24 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix null deref after
553aa9179Sopenharmony_ci xmlSchemaItemList{Add,Insert}
653aa9179Sopenharmony_ci
753aa9179Sopenharmony_ciFound with libFuzzer, see #344.
853aa9179Sopenharmony_ci
953aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/767ae50bc9e94a35bfede3af291cf0060893db0f
1053aa9179Sopenharmony_ciConflict:NA
1153aa9179Sopenharmony_ci---
1253aa9179Sopenharmony_ci xmlschemas.c | 44 ++++++++++++++++----------------------------
1353aa9179Sopenharmony_ci 1 file changed, 16 insertions(+), 28 deletions(-)
1453aa9179Sopenharmony_ci
1553aa9179Sopenharmony_cidiff --git a/xmlschemas.c b/xmlschemas.c
1653aa9179Sopenharmony_ciindex 46cbe0f..d2f8bf1 100644
1753aa9179Sopenharmony_ci--- a/xmlschemas.c
1853aa9179Sopenharmony_ci+++ b/xmlschemas.c
1953aa9179Sopenharmony_ci@@ -3417,23 +3417,17 @@ xmlSchemaItemListClear(xmlSchemaItemListPtr list)
2053aa9179Sopenharmony_ci static int
2153aa9179Sopenharmony_ci xmlSchemaItemListAdd(xmlSchemaItemListPtr list, void *item)
2253aa9179Sopenharmony_ci {
2353aa9179Sopenharmony_ci- if (list->items == NULL) {
2453aa9179Sopenharmony_ci- list->items = (void **) xmlMalloc(
2553aa9179Sopenharmony_ci- 20 * sizeof(void *));
2653aa9179Sopenharmony_ci- if (list->items == NULL) {
2753aa9179Sopenharmony_ci- xmlSchemaPErrMemory(NULL, "allocating new item list", NULL);
2853aa9179Sopenharmony_ci- return(-1);
2953aa9179Sopenharmony_ci- }
3053aa9179Sopenharmony_ci- list->sizeItems = 20;
3153aa9179Sopenharmony_ci- } else if (list->sizeItems <= list->nbItems) {
3253aa9179Sopenharmony_ci- list->sizeItems *= 2;
3353aa9179Sopenharmony_ci- list->items = (void **) xmlRealloc(list->items,
3453aa9179Sopenharmony_ci- list->sizeItems * sizeof(void *));
3553aa9179Sopenharmony_ci- if (list->items == NULL) {
3653aa9179Sopenharmony_ci+ if (list->sizeItems <= list->nbItems) {
3753aa9179Sopenharmony_ci+ void **tmp;
3853aa9179Sopenharmony_ci+ size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2;
3953aa9179Sopenharmony_ci+
4053aa9179Sopenharmony_ci+ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
4153aa9179Sopenharmony_ci+ if (tmp == NULL) {
4253aa9179Sopenharmony_ci xmlSchemaPErrMemory(NULL, "growing item list", NULL);
4353aa9179Sopenharmony_ci- list->sizeItems = 0;
4453aa9179Sopenharmony_ci return(-1);
4553aa9179Sopenharmony_ci }
4653aa9179Sopenharmony_ci+ list->items = tmp;
4753aa9179Sopenharmony_ci+ list->sizeItems = newSize;
4853aa9179Sopenharmony_ci }
4953aa9179Sopenharmony_ci list->items[list->nbItems++] = item;
5053aa9179Sopenharmony_ci return(0);
5153aa9179Sopenharmony_ci@@ -3474,23 +3468,17 @@ xmlSchemaItemListAddSize(xmlSchemaItemListPtr list,
5253aa9179Sopenharmony_ci static int
5353aa9179Sopenharmony_ci xmlSchemaItemListInsert(xmlSchemaItemListPtr list, void *item, int idx)
5453aa9179Sopenharmony_ci {
5553aa9179Sopenharmony_ci- if (list->items == NULL) {
5653aa9179Sopenharmony_ci- list->items = (void **) xmlMalloc(
5753aa9179Sopenharmony_ci- 20 * sizeof(void *));
5853aa9179Sopenharmony_ci- if (list->items == NULL) {
5953aa9179Sopenharmony_ci- xmlSchemaPErrMemory(NULL, "allocating new item list", NULL);
6053aa9179Sopenharmony_ci- return(-1);
6153aa9179Sopenharmony_ci- }
6253aa9179Sopenharmony_ci- list->sizeItems = 20;
6353aa9179Sopenharmony_ci- } else if (list->sizeItems <= list->nbItems) {
6453aa9179Sopenharmony_ci- list->sizeItems *= 2;
6553aa9179Sopenharmony_ci- list->items = (void **) xmlRealloc(list->items,
6653aa9179Sopenharmony_ci- list->sizeItems * sizeof(void *));
6753aa9179Sopenharmony_ci- if (list->items == NULL) {
6853aa9179Sopenharmony_ci+ if (list->sizeItems <= list->nbItems) {
6953aa9179Sopenharmony_ci+ void **tmp;
7053aa9179Sopenharmony_ci+ size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2;
7153aa9179Sopenharmony_ci+
7253aa9179Sopenharmony_ci+ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
7353aa9179Sopenharmony_ci+ if (tmp == NULL) {
7453aa9179Sopenharmony_ci xmlSchemaPErrMemory(NULL, "growing item list", NULL);
7553aa9179Sopenharmony_ci- list->sizeItems = 0;
7653aa9179Sopenharmony_ci return(-1);
7753aa9179Sopenharmony_ci }
7853aa9179Sopenharmony_ci+ list->items = tmp;
7953aa9179Sopenharmony_ci+ list->sizeItems = newSize;
8053aa9179Sopenharmony_ci }
8153aa9179Sopenharmony_ci /*
8253aa9179Sopenharmony_ci * Just append if the index is greater/equal than the item count.
8353aa9179Sopenharmony_ci--
8453aa9179Sopenharmony_ci2.27.0
8553aa9179Sopenharmony_ci
86
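Review bot: `list->sizeItems = newSize;` stores a `size_t` into what the comparison `list->sizeItems <= list->nbItems` suggests is an `int` field (the struct definition is outside the hunk), so the assignment narrows silently while `list->sizeItems * 2` is still evaluated in signed arithmetic before being widened; declaring `newSize` with the field's type and widening only for the byte count keeps the two consistent, e.g. `int newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2;` and `tmp = (void **) xmlRealloc(list->items, (size_t) newSize * sizeof(void *));`. The same growth block is now duplicated verbatim in the xmlSchemaItemListInsert hunk below, so factoring it into a static helper would keep the two in step and give the malloc-failure contract one place to live. Since the whole point of the fix is that a failed realloc must leave `list->items` and `list->sizeItems` untouched, that contract deserves a comment next to the `tmp == NULL` check, e.g. `/* On failure leave the list untouched: items and sizeItems stay valid. */`. The closing brace of xmlSchemaItemListAdd lies outside the hunk.
```c
/*
 * xmlSchemaItemListGrow:
 * Make room for one more item. On allocation failure the list is left
 * untouched (items and sizeItems stay valid) and -1 is returned.
 */
static int
xmlSchemaItemListGrow(xmlSchemaItemListPtr list)
{
    void **tmp;
    int newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2;

    tmp = (void **) xmlRealloc(list->items, (size_t) newSize * sizeof(void *));
    if (tmp == NULL) {
        xmlSchemaPErrMemory(NULL, "growing item list", NULL);
        return(-1);
    }
    list->items = tmp;
    list->sizeItems = newSize;
    return(0);
}

static int
xmlSchemaItemListAdd(xmlSchemaItemListPtr list, void *item)
{
    if ((list->sizeItems <= list->nbItems) &&
        (xmlSchemaItemListGrow(list) < 0))
        return(-1);
    /* … unchanged: append item, return 0 … */
```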