1From 041789d9ec5a0f592e200bcb7313d88ff14707e4 Mon Sep 17 00:00:00 2001 2From: Nick Wellnhofer <wellnhofer@aevum.de> 3Date: Thu, 16 Feb 2023 15:02:08 +0100 4Subject: [PATCH] malloc-fail: Fix null deref in htmlnamePush 5 6Found with libFuzzer, see #344. 7 8Reference:https://github.com/GNOME/libxml2/commit/041789d9ec5a0f592e200bcb7313d88ff14707e4 9Conflict:NA 10--- 11 HTMLparser.c | 18 ++++++++++-------- 12 1 file changed, 10 insertions(+), 8 deletions(-) 13 14diff --git a/HTMLparser.c b/HTMLparser.c 15index ca551d9..e02a142 100644 16--- a/HTMLparser.c 17+++ b/HTMLparser.c 18@@ -161,7 +161,7 @@ htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, 19 * 20 * Pushes a new element name on top of the name stack 21 * 22- * Returns 0 in case of error, the index in the stack otherwise 23+ * Returns -1 in case of error, the index in the stack otherwise 24 */ 25 static int 26 htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value) 27@@ -171,15 +171,17 @@ htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value) 28 if ((ctxt->html < 10) && (xmlStrEqual(value, BAD_CAST "body"))) 29 ctxt->html = 10; 30 if (ctxt->nameNr >= ctxt->nameMax) { 31- ctxt->nameMax *= 2; 32- ctxt->nameTab = (const xmlChar * *) 33- xmlRealloc((xmlChar * *)ctxt->nameTab, 34- ctxt->nameMax * 35- sizeof(ctxt->nameTab[0])); 36- if (ctxt->nameTab == NULL) { 37+ size_t newSize = ctxt->nameMax * 2; 38+ const xmlChar **tmp; 39+ 40+ tmp = xmlRealloc((xmlChar **) ctxt->nameTab, 41+ newSize * sizeof(ctxt->nameTab[0])); 42+ if (tmp == NULL) { 43 htmlErrMemory(ctxt, NULL); 44- return (0); 45+ return (-1); 46 } 47+ ctxt->nameTab = tmp; 48+ ctxt->nameMax = newSize; 49 } 50 ctxt->nameTab[ctxt->nameNr] = value; 51 ctxt->name = value; 52-- 532.27.0 54 55
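Review bot: `size_t newSize = ctxt->nameMax * 2;` doubles in nameMax's own type before widening, and `ctxt->nameMax = newSize;` then narrows the size_t back into that field; if nameMax is a signed int, as the unchecked narrowing assignment suggests, the doubling is signed arithmetic with no overflow guard, and a `-Wconversion` build will flag the store. Widening first, `size_t newSize = (size_t) ctxt->nameMax * 2;`, removes the signed-overflow case, and a bound before the multiply such as `if (ctxt->nameMax > INT_MAX / 2) { htmlErrMemory(ctxt, NULL); return (-1); }` keeps the value representable when it is written back (INT_MAX needs `<limits.h>`, which I cannot confirm is included from here). The new -1 error return is only useful if callers test for it rather than for 0, and that, like the function's tail after `ctxt->name = value;`, lies outside the hunk.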