153aa9179Sopenharmony_ciFrom 2355eac59e91e1465696150cf0efc9029ba4f9b2 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Sun, 22 Jan 2023 14:52:06 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix null deref if growing input buffer fails
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciAlso add some error checks.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciFound with libFuzzer, see #344.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/2355eac59e91e1465696150cf0efc9029ba4f9b2
1153aa9179Sopenharmony_ciConflict:xmlIO.c
1253aa9179Sopenharmony_ci---
1353aa9179Sopenharmony_ci encoding.c | 3 ++-
1453aa9179Sopenharmony_ci parserInternals.c | 6 ++++++
1553aa9179Sopenharmony_ci 2 files changed, 8 insertions(+), 1 deletion(-)
1653aa9179Sopenharmony_ci
1753aa9179Sopenharmony_cidiff --git a/encoding.c b/encoding.c
1853aa9179Sopenharmony_ciindex 8ce407f..c073a9c 100644
1953aa9179Sopenharmony_ci--- a/encoding.c
2053aa9179Sopenharmony_ci+++ b/encoding.c
2153aa9179Sopenharmony_ci@@ -2288,7 +2288,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush)
2253aa9179Sopenharmony_ci toconv = 64 * 1024;
2353aa9179Sopenharmony_ci written = xmlBufAvail(out);
2453aa9179Sopenharmony_ci if (toconv * 2 >= written) {
2553aa9179Sopenharmony_ci- xmlBufGrow(out, toconv * 2);
2653aa9179Sopenharmony_ci+ if (xmlBufGrow(out, toconv * 2) < 0)
2753aa9179Sopenharmony_ci+ return (-1);
2853aa9179Sopenharmony_ci written = xmlBufAvail(out);
2953aa9179Sopenharmony_ci }
3053aa9179Sopenharmony_ci if ((written > 128 * 1024) && (flush == 0))
3153aa9179Sopenharmony_cidiff --git a/parserInternals.c b/parserInternals.c
3253aa9179Sopenharmony_ciindex cee4cd9..dd1dc9c 100644
3353aa9179Sopenharmony_ci--- a/parserInternals.c
3453aa9179Sopenharmony_ci+++ b/parserInternals.c
3553aa9179Sopenharmony_ci@@ -326,6 +326,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
3653aa9179Sopenharmony_ci ret = xmlParserInputBufferGrow(in->buf, len);
3753aa9179Sopenharmony_ci
3853aa9179Sopenharmony_ci in->base = xmlBufContent(in->buf->buffer);
3953aa9179Sopenharmony_ci+ if (in->base == NULL) {
4053aa9179Sopenharmony_ci+ in->base = BAD_CAST "";
4153aa9179Sopenharmony_ci+ in->cur = in->base;
4253aa9179Sopenharmony_ci+ in->end = in->base;
4353aa9179Sopenharmony_ci+ return(-1);
4453aa9179Sopenharmony_ci+ }
4553aa9179Sopenharmony_ci in->cur = in->base + indx;
4653aa9179Sopenharmony_ci in->end = xmlBufEnd(in->buf->buffer);
4753aa9179Sopenharmony_ci
4853aa9179Sopenharmony_ci--
4953aa9179Sopenharmony_ci2.27.0
5053aa9179Sopenharmony_ci
5153aa9179Sopenharmony_ci
52
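Review bot: The new early return on a failed `xmlBufGrow` in xmlCharEncInput reuses -1, and if this function follows the usual libxml2 convention (its header comment is outside the hunk) where -1 means "lack of space", an out-of-memory condition becomes indistinguishable from a too-small output buffer; I believe callers such as xmlParserInputBufferGrow map any negative result to an encoder error rather than a memory error, which would misattribute the failure in diagnostics. If a distinct memory-error reporting path exists it should be used before returning; at minimum the overload deserves a comment on the new `return (-1);` line: `/* allocation failure already reported by xmlBufGrow; -1 here is fatal, not "retry with more space" */`. xmlCharEncInput's body starts and ends outside the hunk.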
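Review bot: The NULL-content fallback in xmlParserInputGrow has no comment explaining why `in->base` is parked on a static empty string instead of being left NULL, which is the actual null-dereference fix named in the subject and is easy for a later cleanup to undo. Suggest above the new `if (in->base == NULL) {`: `/* Buffer content is NULL after a failed grow: point base/cur/end at an empty string so callers that read *cur or compare cur with end never dereference NULL; -1 tells them to stop. */`. Note that `ret` from xmlParserInputBufferGrow at the top of the hunk is not consulted on this path, so the NULL check alone detects the failure here; presumably the two agree, but that is inferred, and the current offset `indx` is discarded as well. xmlParserInputGrow's body starts and ends outside the hunk.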