1From 2355eac59e91e1465696150cf0efc9029ba4f9b2 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Sun, 22 Jan 2023 14:52:06 +0100
4Subject: [PATCH] malloc-fail: Fix null deref if growing input buffer fails
5
6Also add some error checks.
7
8Found with libFuzzer, see #344.
9
10Reference:https://github.com/GNOME/libxml2/commit/2355eac59e91e1465696150cf0efc9029ba4f9b2
11Conflict:xmlIO.c
12---
13 encoding.c | 3 ++-
14 parserInternals.c | 6 ++++++
15 2 files changed, 8 insertions(+), 1 deletion(-)
16
17diff --git a/encoding.c b/encoding.c
18index 8ce407f..c073a9c 100644
19--- a/encoding.c
20+++ b/encoding.c
21@@ -2288,7 +2288,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush)
22 toconv = 64 * 1024;
23 written = xmlBufAvail(out);
24 if (toconv * 2 >= written) {
25- xmlBufGrow(out, toconv * 2);
26+ if (xmlBufGrow(out, toconv * 2) < 0)
27+ return (-1);
28 written = xmlBufAvail(out);
29 }
30 if ((written > 128 * 1024) && (flush == 0))
31diff --git a/parserInternals.c b/parserInternals.c
32index cee4cd9..dd1dc9c 100644
33--- a/parserInternals.c
34+++ b/parserInternals.c
35@@ -326,6 +326,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
36 ret = xmlParserInputBufferGrow(in->buf, len);
37
38 in->base = xmlBufContent(in->buf->buffer);
39+ if (in->base == NULL) {
40+ in->base = BAD_CAST "";
41+ in->cur = in->base;
42+ in->end = in->base;
43+ return(-1);
44+ }
45 in->cur = in->base + indx;
46 in->end = xmlBufEnd(in->buf->buffer);
47
48--
492.27.0
50
51
52
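Review bot: The new `return (-1)` on the xmlBufGrow failure path in encoding.c has no comment saying why the function bails out here while every other statement in the hunk keeps going, and xmlCharEncInput begins and ends outside the hunk, so a reader at this spot cannot tell whether -1 is the function's generic hard error or something the caller is expected to retry. Suggest a one-line comment above the check: `/* Growing the output buffer failed (allocation error): nothing was converted, report it as a hard error. */`. Note that `toconv` is capped at 64 * 1024 two lines earlier, so `toconv * 2` cannot overflow and the check is purely about allocation failure.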
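Review bot: Redirecting `in->base`, `in->cur` and `in->end` at a static empty string when `xmlBufContent` returns NULL in parserInternals.c discards the saved offset `indx`, so a caller that ignores the -1 sees an input that has silently rewound to an empty stream, and that string literal must never be written through; none of this is stated next to the code. Suggest a comment on the branch such as `/* Buffer content is gone after a failed grow: point at a static empty string so an unchecked caller cannot dereference NULL, but the -1 must be honoured. */`. The `ret` from `xmlParserInputBufferGrow` computed just above is discarded on this path, which is acceptable as long as the comment makes the unconditional -1 deliberate. xmlParserInputGrow starts before and ends after the hunk.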