153aa9179Sopenharmony_ciFrom 0c5f40b788410753eb73e3040be4f50b608923e1 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Sun, 22 Jan 2023 13:27:41 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix null deref in xmlSAX2AttributeInternal
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound with libFuzzer, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/0c5f40b788410753eb73e3040be4f50b608923e1
953aa9179Sopenharmony_ciConflict:NA
1053aa9179Sopenharmony_ci---
1153aa9179Sopenharmony_ci SAX2.c | 36 ++++++++++++++++++------------------
1253aa9179Sopenharmony_ci 1 file changed, 18 insertions(+), 18 deletions(-)
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_cidiff --git a/SAX2.c b/SAX2.c
1553aa9179Sopenharmony_ciindex 3eebd2b..2426e93 100644
1653aa9179Sopenharmony_ci--- a/SAX2.c
1753aa9179Sopenharmony_ci+++ b/SAX2.c
1853aa9179Sopenharmony_ci@@ -1297,25 +1297,25 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
1953aa9179Sopenharmony_ci
2053aa9179Sopenharmony_ci /* !!!!!! <a toto:arg="" xmlns:toto="http://toto.com"> */
2153aa9179Sopenharmony_ci ret = xmlNewNsPropEatName(ctxt->node, namespace, name, NULL);
2253aa9179Sopenharmony_ci+ if (ret == NULL)
2353aa9179Sopenharmony_ci+ goto error;
2453aa9179Sopenharmony_ci
2553aa9179Sopenharmony_ci- if (ret != NULL) {
2653aa9179Sopenharmony_ci- if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
2753aa9179Sopenharmony_ci- xmlNodePtr tmp;
2853aa9179Sopenharmony_ci-
2953aa9179Sopenharmony_ci- ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
3053aa9179Sopenharmony_ci- tmp = ret->children;
3153aa9179Sopenharmony_ci- while (tmp != NULL) {
3253aa9179Sopenharmony_ci- tmp->parent = (xmlNodePtr) ret;
3353aa9179Sopenharmony_ci- if (tmp->next == NULL)
3453aa9179Sopenharmony_ci- ret->last = tmp;
3553aa9179Sopenharmony_ci- tmp = tmp->next;
3653aa9179Sopenharmony_ci- }
3753aa9179Sopenharmony_ci- } else if (value != NULL) {
3853aa9179Sopenharmony_ci- ret->children = xmlNewDocText(ctxt->myDoc, value);
3953aa9179Sopenharmony_ci- ret->last = ret->children;
4053aa9179Sopenharmony_ci- if (ret->children != NULL)
4153aa9179Sopenharmony_ci- ret->children->parent = (xmlNodePtr) ret;
4253aa9179Sopenharmony_ci- }
4353aa9179Sopenharmony_ci+ if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
4453aa9179Sopenharmony_ci+ xmlNodePtr tmp;
4553aa9179Sopenharmony_ci+
4653aa9179Sopenharmony_ci+ ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
4753aa9179Sopenharmony_ci+ tmp = ret->children;
4853aa9179Sopenharmony_ci+ while (tmp != NULL) {
4953aa9179Sopenharmony_ci+ tmp->parent = (xmlNodePtr) ret;
5053aa9179Sopenharmony_ci+ if (tmp->next == NULL)
5153aa9179Sopenharmony_ci+ ret->last = tmp;
5253aa9179Sopenharmony_ci+ tmp = tmp->next;
5353aa9179Sopenharmony_ci+ }
5453aa9179Sopenharmony_ci+ } else if (value != NULL) {
5553aa9179Sopenharmony_ci+ ret->children = xmlNewDocText(ctxt->myDoc, value);
5653aa9179Sopenharmony_ci+ ret->last = ret->children;
5753aa9179Sopenharmony_ci+ if (ret->children != NULL)
5853aa9179Sopenharmony_ci+ ret->children->parent = (xmlNodePtr) ret;
5953aa9179Sopenharmony_ci }
6053aa9179Sopenharmony_ci
6153aa9179Sopenharmony_ci #ifdef LIBXML_VALID_ENABLED
6253aa9179Sopenharmony_ci--
6353aa9179Sopenharmony_ci2.27.0
6453aa9179Sopenharmony_ci
65
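Review bot: In the `else if (value != NULL)` branch a NULL return from `xmlNewDocText` is only guarded against dereference (`if (ret->children != NULL)`), so an allocation failure there leaves the attribute silently without a value; likewise, in the first branch a NULL from `xmlStringGetNodeList` cannot be told apart from an empty value. A consumer that later reads the attribute would likely see a missing value rather than a parser error, so I would report the failure, for example `if (ret->children == NULL) xmlSAX2ErrMemory(ctxt, "xmlSAX2AttributeInternal");` right after the `xmlNewDocText` call. The `error` label targeted by the new `goto error;` lies outside the hunk, as do the start and end of xmlSAX2AttributeInternal. Since `xmlNewNsPropEatName` appears to take ownership of `name`, it is worth confirming that the cleanup path does not free `name` a second time.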