libxml2/backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch

From c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 23 Jan 2023 10:19:59 +0100
Subject: [PATCH] malloc-fail: Don't call xmlErrMemory in xmlstring.c

Functions like xmlStrdup are called in the error handling code
(__xmlRaiseError) which can cause problems like use-after-free or
infinite loops when invoked recursively.

Calling xmlErrMemory without a context argument isn't helpful anyway.

Found with libFuzzer, see #344.

Reference:https://github.com/GNOME/libxml2/commit/c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e
Conflict:xmlstring.c
---
 xmlstring.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/xmlstring.c b/xmlstring.c
index 5a6875f..9709545 100644
--- a/xmlstring.c
+++ b/xmlstring.c
@@ -45,7 +45,6 @@ xmlStrndup(const xmlChar *cur, int len) {
     if ((cur == NULL) || (len < 0)) return(NULL);
     ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
     if (ret == NULL) {
-        xmlErrMemory(NULL, NULL);
         return(NULL);
     }
     memcpy(ret, cur, len * sizeof(xmlChar));
@@ -90,7 +89,6 @@ xmlCharStrndup(const char *cur, int len) {
     if ((cur == NULL) || (len < 0)) return(NULL);
     ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar));
     if (ret == NULL) {
-        xmlErrMemory(NULL, NULL);
         return(NULL);
     }
     for (i = 0;i < len;i++) {
@@ -465,7 +463,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
         return(NULL);
     ret = (xmlChar *) xmlRealloc(cur, ((size_t) size + len + 1) * sizeof(xmlChar));
     if (ret == NULL) {
-        xmlErrMemory(NULL, NULL);
         return(cur);
     }
     memcpy(&ret[size], add, len * sizeof(xmlChar));
@@ -505,7 +502,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
         return(NULL);
     ret = (xmlChar *) xmlMalloc(((size_t) size + len + 1) * sizeof(xmlChar));
     if (ret == NULL) {
-        xmlErrMemory(NULL, NULL);
         return(xmlStrndup(str1, size));
     }
     memcpy(ret, str1, size * sizeof(xmlChar));
@@ -1034,7 +1030,6 @@ xmlEscapeFormatString(xmlChar **msg)
            out-of-memory situations. */
         xmlFree(*msg);
         *msg = NULL;
-        xmlErrMemory(NULL, NULL);
         return(NULL);
     }
 
-- 
2.27.0