55 lines
1.8 KiB
Diff
55 lines
1.8 KiB
Diff
From 041789d9ec5a0f592e200bcb7313d88ff14707e4 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Thu, 16 Feb 2023 15:02:08 +0100
|
|
Subject: [PATCH] malloc-fail: Fix null deref in htmlnamePush
|
|
|
|
Found with libFuzzer, see #344.
|
|
|
|
Reference:https://github.com/GNOME/libxml2/commit/041789d9ec5a0f592e200bcb7313d88ff14707e4
|
|
Conflict:NA
|
|
---
|
|
HTMLparser.c | 18 ++++++++++--------
|
|
1 file changed, 10 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/HTMLparser.c b/HTMLparser.c
|
|
index ca551d9..e02a142 100644
|
|
--- a/HTMLparser.c
|
|
+++ b/HTMLparser.c
|
|
@@ -161,7 +161,7 @@ htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
|
|
*
|
|
* Pushes a new element name on top of the name stack
|
|
*
|
|
- * Returns 0 in case of error, the index in the stack otherwise
|
|
+ * Returns -1 in case of error, the index in the stack otherwise
|
|
*/
|
|
static int
|
|
htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value)
|
|
@@ -171,15 +171,17 @@ htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value)
|
|
if ((ctxt->html < 10) && (xmlStrEqual(value, BAD_CAST "body")))
|
|
ctxt->html = 10;
|
|
if (ctxt->nameNr >= ctxt->nameMax) {
|
|
- ctxt->nameMax *= 2;
|
|
- ctxt->nameTab = (const xmlChar * *)
|
|
- xmlRealloc((xmlChar * *)ctxt->nameTab,
|
|
- ctxt->nameMax *
|
|
- sizeof(ctxt->nameTab[0]));
|
|
- if (ctxt->nameTab == NULL) {
|
|
+ size_t newSize = ctxt->nameMax * 2;
|
|
+ const xmlChar **tmp;
|
|
+
|
|
+ tmp = xmlRealloc((xmlChar **) ctxt->nameTab,
|
|
+ newSize * sizeof(ctxt->nameTab[0]));
|
|
+ if (tmp == NULL) {
|
|
htmlErrMemory(ctxt, NULL);
|
|
- return (0);
|
|
+ return (-1);
|
|
}
|
|
+ ctxt->nameTab = tmp;
|
|
+ ctxt->nameMax = newSize;
|
|
}
|
|
ctxt->nameTab[ctxt->nameNr] = value;
|
|
ctxt->name = value;
|
|
--
|
|
2.27.0
|
|
|