malloc-fail: Fix null deref if growing input buffer fails

Also add some error checks. Found with libFuzzer, see #344.
2025-03-27 18:50:07 +03:00 · 2023-01-22 14:52:06 +01:00 · 2023-01-22 14:52:06 +01:00 · 2355eac59e
commit 2355eac59e
parent 0c5f40b788
3 changed files with 10 additions and 2 deletions
--- a/encoding.c
+++ b/encoding.c
@ -2332,7 +2332,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush)
        toconv = 64 * 1024;
    written = xmlBufAvail(out);
    if (toconv * 2 >= written) {
-        xmlBufGrow(out, toconv * 2);
+        if (xmlBufGrow(out, toconv * 2) < 0)
+            return (-1);
        written = xmlBufAvail(out);
    }
    if ((written > 128 * 1024) && (flush == 0))
--- a/parserInternals.c
+++ b/parserInternals.c
@ -315,6 +315,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
    ret = xmlParserInputBufferGrow(in->buf, len);

    in->base = xmlBufContent(in->buf->buffer);
+    if (in->base == NULL) {
+        in->base = BAD_CAST "";
+        in->cur = in->base;
+        in->end = in->base;
+        return(-1);
+    }
    in->cur = in->base + indx;
    in->end = xmlBufEnd(in->buf->buffer);

--- a/xmlIO.c
+++ b/xmlIO.c
@ -3218,7 +3218,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
        if (res < 0)
            return(-1);

-        xmlBufAddLen(buf, res);
+        if (xmlBufAddLen(buf, res) < 0)
+            return(-1);
    }

    /*