153aa9179Sopenharmony_ciFrom c40cbf07a30c264846ad1135a3670535942441f6 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Mon, 8 May 2023 17:03:00 +0200
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix null deref after xmlXIncludeNewRef
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciSee #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/c40cbf07a30c264846ad1135a3670535942441f6
953aa9179Sopenharmony_ciConflict:xinclude.c
1053aa9179Sopenharmony_ci
1153aa9179Sopenharmony_ci---
1253aa9179Sopenharmony_ci xinclude.c | 14 ++------------
1353aa9179Sopenharmony_ci 1 file changed, 2 insertions(+), 12 deletions(-)
1453aa9179Sopenharmony_ci
1553aa9179Sopenharmony_cidiff --git a/xinclude.c b/xinclude.c
1653aa9179Sopenharmony_ciindex c0b4439..a9da439 100644
1753aa9179Sopenharmony_ci--- a/xinclude.c
1853aa9179Sopenharmony_ci+++ b/xinclude.c
1953aa9179Sopenharmony_ci@@ -246,19 +246,9 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI,
2053aa9179Sopenharmony_ci ret->count = 0;
2153aa9179Sopenharmony_ci ret->xml = 0;
2253aa9179Sopenharmony_ci ret->inc = NULL;
2353aa9179Sopenharmony_ci- if (ctxt->incMax == 0) {
2453aa9179Sopenharmony_ci- ctxt->incMax = 4;
2553aa9179Sopenharmony_ci- ctxt->incTab = (xmlXIncludeRefPtr *) xmlMalloc(ctxt->incMax *
2653aa9179Sopenharmony_ci- sizeof(ctxt->incTab[0]));
2753aa9179Sopenharmony_ci- if (ctxt->incTab == NULL) {
2853aa9179Sopenharmony_ci- xmlXIncludeErrMemory(ctxt, ref, "growing XInclude context");
2953aa9179Sopenharmony_ci- xmlXIncludeFreeRef(ret);
3053aa9179Sopenharmony_ci- return(NULL);
3153aa9179Sopenharmony_ci- }
3253aa9179Sopenharmony_ci- }
3353aa9179Sopenharmony_ci if (ctxt->incNr >= ctxt->incMax) {
3453aa9179Sopenharmony_ci xmlXIncludeRefPtr *tmp;
3553aa9179Sopenharmony_ci- size_t newSize = ctxt->incMax * 2;
3653aa9179Sopenharmony_ci+ size_t newSize = ctxt->incMax ?
ctxt->incMax * 2 : 4;
3753aa9179Sopenharmony_ci
3853aa9179Sopenharmony_ci tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
3953aa9179Sopenharmony_ci newSize * sizeof(ctxt->incTab[0]));
4053aa9179Sopenharmony_ci@@ -268,7 +258,7 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI,
4153aa9179Sopenharmony_ci return(NULL);
4253aa9179Sopenharmony_ci }
4353aa9179Sopenharmony_ci ctxt->incTab = tmp;
4453aa9179Sopenharmony_ci- ctxt->incMax *= 2;
4553aa9179Sopenharmony_ci+ ctxt->incMax = newSize;
4653aa9179Sopenharmony_ci }
4753aa9179Sopenharmony_ci ctxt->incTab[ctxt->incNr++] = ret;
4853aa9179Sopenharmony_ci return(ret);
4953aa9179Sopenharmony_ci--
5053aa9179Sopenharmony_ci2.27.0
5153aa9179Sopenharmony_ci
52
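Review bot: The doubling in `size_t newSize = ctxt->incMax ? ctxt->incMax * 2 : 4;` is evaluated in the type of `incMax`, which this hunk does not show; if that field is a signed `int`, the multiplication can overflow before the result is widened to `size_t`. The second hunk's `ctxt->incMax = newSize;` would then narrow the value back. Neither `newSize` nor `newSize * sizeof(ctxt->incTab[0])` is bounded before the xmlRealloc call, so I would widen first with `size_t newSize = ctxt->incMax ? (size_t) ctxt->incMax * 2 : 4;` and fail, the same way the realloc-error path does, once `newSize` exceeds a fixed cap. A short comment such as `/* incMax changes only after xmlRealloc succeeds, so incTab is non-NULL whenever incMax > 0 */` would also record the invariant this fix relies on. xmlXIncludeNewRef begins and ends outside both hunks, so how callers handle the NULL return is not visible here.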