153aa9179Sopenharmony_ciFrom ae6fa0521c34449b54f9cb3257a4df9b79f3212f Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Wed, 2 Nov 2022 16:13:27 +0100
453aa9179Sopenharmony_ciSubject: [PATCH 11/28] malloc-fail: Fix use-after-free in xmlXIncludeAddNode
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFound with libFuzzer, see #344.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference: https://github.com/GNOME/libxml2/commit/5a19e21605398cef6a8b1452477a8705cb41562b
953aa9179Sopenharmony_ciConflict: xinclude.c:<xmlXIncludeAddNode>
1053aa9179Sopenharmony_ci---
1153aa9179Sopenharmony_ci xinclude.c | 3 ++-
1253aa9179Sopenharmony_ci 1 file changed, 2 insertions(+), 1 deletion(-)
1353aa9179Sopenharmony_ci
1453aa9179Sopenharmony_cidiff --git a/xinclude.c b/xinclude.c
1553aa9179Sopenharmony_ciindex cd1e1b1..e5e3b16 100644
1653aa9179Sopenharmony_ci--- a/xinclude.c
1753aa9179Sopenharmony_ci+++ b/xinclude.c
1853aa9179Sopenharmony_ci@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
1953aa9179Sopenharmony_ci }
2053aa9179Sopenharmony_ci URL = xmlSaveUri(uri);
2153aa9179Sopenharmony_ci xmlFreeURI(uri);
2253aa9179Sopenharmony_ci- xmlFree(URI);
2353aa9179Sopenharmony_ci if (URL == NULL) {
2453aa9179Sopenharmony_ci xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
2553aa9179Sopenharmony_ci "invalid value URI %s\n", URI);
2653aa9179Sopenharmony_ci if (fragment != NULL)
2753aa9179Sopenharmony_ci xmlFree(fragment);
2853aa9179Sopenharmony_ci+ xmlFree(URI);
2953aa9179Sopenharmony_ci return(-1);
3053aa9179Sopenharmony_ci }
3153aa9179Sopenharmony_ci+ xmlFree(URI);
3253aa9179Sopenharmony_ci
3353aa9179Sopenharmony_ci if (xmlStrEqual(URL, ctxt->doc->URL))
3453aa9179Sopenharmony_ci local = 1;
3553aa9179Sopenharmony_ci--
3653aa9179Sopenharmony_ci2.27.0
3753aa9179Sopenharmony_ci
38
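Review bot: Nothing at the two added `xmlFree(URI)` calls records why the free must come after the `URL == NULL` branch, so a later cleanup that merges them back above the `if` would reintroduce the read of freed memory through the `%s` argument of `xmlXIncludeErr`. A short comment on the fall-through free, such as `/* URI is read by the error message above; free it only after reporting */`, would pin the ordering. Setting `URI = NULL;` after that free would also make any later use easier to spot, though the rest of xmlXIncludeAddNode lies outside the hunk and may never touch it again. The error branch looks reachable only when `xmlSaveUri` returns NULL, so a regression test presumably needs allocation-failure injection like the libFuzzer run the commit message mentions.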