1From d7daf9fd967ad7fcd509e6355f12f824327f07a4 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Tue, 14 Mar 2023 13:02:36 +0100
4Subject: [PATCH] xmllint: Fix use-after-free with --maxmem
5
6Fixes #498.
7
8Reference:https://github.com/GNOME/libxml2/commit/d7daf9fd967ad7fcd509e6355f12f824327f07a4
9Conflict:include/libxml/xmlmemory.h
10
11
12---
13 include/libxml/xmlmemory.h |  2 ++
14 xmllint.c                  | 15 ++++++---------
15 xmlmemory.c                | 21 +++++++++++++++++++++
16 3 files changed, 29 insertions(+), 9 deletions(-)
17
18diff --git a/include/libxml/xmlmemory.h b/include/libxml/xmlmemory.h
19index 17e375a..0a5f3eb 100644
20--- a/include/libxml/xmlmemory.h
21+++ b/include/libxml/xmlmemory.h
22@@ -137,6 +137,8 @@ XMLPUBFUN void XMLCALL
23 /*
24  * These are specific to the XML debug memory wrapper.
25  */
26+XMLPUBFUN size_t
27+	xmlMemSize	(void *ptr);
28 XMLPUBFUN int XMLCALL
29 	xmlMemUsed	(void);
30 XMLPUBFUN int XMLCALL
31diff --git a/xmllint.c b/xmllint.c
32index fd43893..a17aa07 100644
33--- a/xmllint.c
34+++ b/xmllint.c
35@@ -358,17 +358,14 @@ myMallocFunc(size_t size)
36 static void *
37 myReallocFunc(void *mem, size_t size)
38 {
39-    void *ret;
40+    size_t oldsize = xmlMemSize(mem);
41 
42-    ret = xmlMemRealloc(mem, size);
43-    if (ret != NULL) {
44-        if (xmlMemUsed() > maxmem) {
45-            OOM();
46-            xmlMemFree(ret);
47-            return (NULL);
48-        }
49+    if (xmlMemUsed() + size - oldsize > (size_t) maxmem) {
50+        OOM();
51+        return (NULL);
52     }
53-    return (ret);
54+
55+    return (xmlMemRealloc(mem, size));
56 }
57 static char *
58 myStrdupFunc(const char *str)
59diff --git a/xmlmemory.c b/xmlmemory.c
60index c51f49a..469fcfb 100644
61--- a/xmlmemory.c
62+++ b/xmlmemory.c
63@@ -573,6 +573,27 @@ xmlMemoryStrdup(const char *str) {
64     return(xmlMemStrdupLoc(str, "none", 0));
65 }
66 
67+/**
68+ * xmlMemSize:
69+ * @ptr:  pointer to the memory allocation
70+ *
71+ * Returns the size of a memory allocation.
72+ */
73+
74+size_t
75+xmlMemSize(void *ptr) {
76+    MEMHDR *p;
77+
78+    if (ptr == NULL)
79+	return(0);
80+
81+    p = CLIENT_2_HDR(ptr);
82+    if (p->mh_tag != MEMTAG)
83+        return(0);
84+
85+    return(p->mh_size);
86+}
87+
88 /**
89  * xmlMemUsed:
90  *
91-- 
922.27.0
93
94