shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-31 06:50:06 +03:00
Code

malloc-fail: Fix null deref after xmlSchemaItemList{Add,Insert}

Browse Source 
Found with libFuzzer, see #344.
This commit is contained in:
Nick Wellnhofer 2023-03-05 14:11:24 +01:00
parent 19b197b616
commit 767ae50bc9
1 changed files with 16 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
xmlschemas.c
View File

@ -3420,23 +3420,17 @@ xmlSchemaItemListClear(xmlSchemaItemListPtr list)
static int
xmlSchemaItemListAdd(xmlSchemaItemListPtr list, void *item)
{
if (list->items == NULL) {
list->items = (void **) xmlMalloc(
20 * sizeof(void *));
if (list->items == NULL) {
xmlSchemaPErrMemory(NULL, "allocating new item list", NULL);
return(-1);
}
list->sizeItems = 20;
} else if (list->sizeItems <= list->nbItems) {
list->sizeItems *= 2;
list->items = (void **) xmlRealloc(list->items,
list->sizeItems * sizeof(void *));
if (list->items == NULL) {
if (list->sizeItems <= list->nbItems) {
void **tmp;
size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2;
tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
if (tmp == NULL) {
xmlSchemaPErrMemory(NULL, "growing item list", NULL);
list->sizeItems = 0;
return(-1);
}
list->items = tmp;
list->sizeItems = newSize;
}
list->items[list->nbItems++] = item;
return(0);
@ -3477,23 +3471,17 @@ xmlSchemaItemListAddSize(xmlSchemaItemListPtr list,
static int
xmlSchemaItemListInsert(xmlSchemaItemListPtr list, void *item, int idx)
{
if (list->items == NULL) {
list->items = (void **) xmlMalloc(
20 * sizeof(void *));
if (list->items == NULL) {
xmlSchemaPErrMemory(NULL, "allocating new item list", NULL);
return(-1);
}
list->sizeItems = 20;
} else if (list->sizeItems <= list->nbItems) {
list->sizeItems *= 2;
list->items = (void **) xmlRealloc(list->items,
list->sizeItems * sizeof(void *));
if (list->items == NULL) {
if (list->sizeItems <= list->nbItems) {
void **tmp;
size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2;
tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
if (tmp == NULL) {
xmlSchemaPErrMemory(NULL, "growing item list", NULL);
list->sizeItems = 0;
return(-1);
}
list->items = tmp;
list->sizeItems = newSize;
}
/*
* Just append if the index is greater/equal than the item count.