shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-31 06:50:06 +03:00
Code

malloc-fail: Fix OOB read after xmlRegGetCounter

Browse Source 
Found with libFuzzer, see #344.
This commit is contained in:
Nick Wellnhofer 2023-02-17 15:53:07 +01:00
parent 40bc1c699a
commit 1743c4c3fc
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
xmlregexp.c
View File

@ -1665,6 +1665,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
}
inter = ctxt->state;
counter = xmlRegGetCounter(ctxt);
if (counter < 0)
return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* count the number of times we see it again */
@ -1683,6 +1685,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
* epsilon transition.
*/
counter = xmlRegGetCounter(ctxt);
if (counter < 0)
return(-1);
ctxt->counters[counter].min = atom->min - 1;
ctxt->counters[counter].max = atom->max - 1;
/* allow a way out based on the count */
@ -6075,6 +6079,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
if (counter < 0)
goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;
@ -6149,6 +6155,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
if (counter < 0)
goto error;
am->counters[counter].min = min;
am->counters[counter].max = max;
@ -6241,6 +6249,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
if (counter < 0)
goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;
@ -6306,6 +6316,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
* associate a counter to the transition.
*/
counter = xmlRegGetCounter(am);
if (counter < 0)
goto error;
am->counters[counter].min = 1;
am->counters[counter].max = 1;