153aa9179Sopenharmony_ciFrom a3749551e65a8caf146ea2bccf610e718d90bde0 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Fri, 3 Feb 2023 14:00:13 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] malloc-fail: Fix reallocation in xmlXIncludeNewRef
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciAvoid null deref.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciFound with libFuzzer, see #344.
953aa9179Sopenharmony_ci
1053aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/a3749551e65a8caf146ea2bccf610e718d90bde0
1153aa9179Sopenharmony_ciConflict:xinclude.c
1253aa9179Sopenharmony_ci---
1353aa9179Sopenharmony_ci xinclude.c | 12 ++++++++----
1453aa9179Sopenharmony_ci 1 file changed, 8 insertions(+), 4 deletions(-)
1553aa9179Sopenharmony_ci
1653aa9179Sopenharmony_cidiff --git a/xinclude.c b/xinclude.c
1753aa9179Sopenharmony_ciindex 60a0d7b..cc486f5 100644
1853aa9179Sopenharmony_ci--- a/xinclude.c
1953aa9179Sopenharmony_ci+++ b/xinclude.c
2053aa9179Sopenharmony_ci@@ -257,14 +257,18 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI,
2153aa9179Sopenharmony_ci }
2253aa9179Sopenharmony_ci }
2353aa9179Sopenharmony_ci if (ctxt->incNr >= ctxt->incMax) {
2453aa9179Sopenharmony_ci- ctxt->incMax *= 2;
2553aa9179Sopenharmony_ci- ctxt->incTab = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
2653aa9179Sopenharmony_ci- ctxt->incMax * sizeof(ctxt->incTab[0]));
2753aa9179Sopenharmony_ci- if (ctxt->incTab == NULL) {
2853aa9179Sopenharmony_ci+ xmlXIncludeRefPtr *tmp;
2953aa9179Sopenharmony_ci+ size_t newSize = ctxt->incMax * 2;
3053aa9179Sopenharmony_ci+
3153aa9179Sopenharmony_ci+ tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
3253aa9179Sopenharmony_ci+ newSize * sizeof(ctxt->incTab[0]));
3353aa9179Sopenharmony_ci+ if (tmp == NULL) {
3453aa9179Sopenharmony_ci xmlXIncludeErrMemory(ctxt, ref, "growing XInclude context");
3553aa9179Sopenharmony_ci xmlXIncludeFreeRef(ret);
3653aa9179Sopenharmony_ci return(NULL);
3753aa9179Sopenharmony_ci }
3853aa9179Sopenharmony_ci+ ctxt->incTab = tmp;
3953aa9179Sopenharmony_ci+ ctxt->incMax *= 2;
4053aa9179Sopenharmony_ci }
4153aa9179Sopenharmony_ci ctxt->incTab[ctxt->incNr++] = ret;
4253aa9179Sopenharmony_ci return(ret);
4353aa9179Sopenharmony_ci--
4453aa9179Sopenharmony_ci2.27.0
4553aa9179Sopenharmony_ci
46
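Review bot: The growth computation in the added `size_t newSize = ctxt->incMax * 2;` is still unchecked: the doubling is evaluated in the type of `incMax` (presumably a signed int; its declaration is outside this hunk) before the result is widened to `size_t`, and `newSize * sizeof(ctxt->incTab[0])` has no upper bound either. The table grows with the number of XInclude references in the parsed document, so a guard ahead of the `xmlRealloc` call that takes the existing `xmlXIncludeErrMemory` / `xmlXIncludeFreeRef(ret)` / `return(NULL)` path once `incMax` exceeds half of its type's maximum would keep both products in range. Separately, the new `ctxt->incMax *= 2;` recomputes the value already held in `newSize`; `ctxt->incMax = newSize;` would keep a single source of truth for the capacity. xmlXIncludeNewRef starts and ends outside this hunk, so whether `incMax` can be 0 on entry to this branch cannot be confirmed from here.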