Fix xmlURIEscape memory leaks.

Found by running the fuzz/uri.c fuzzer under asan (internal Android bug 171610679). Always free `ret` when exiting on failure. I've moved the definition of NULLCHK down past where ret is always initialized to make it clear that this is safe. This patch also fixes the indentation of two of the NULLCHK call sites to make it more obvious that NULLCHK isn't `if`-like.
2025-08-29 01:49:22 +03:00 · 2020-10-27 11:29:20 -07:00
parent 31c6ce3b63
commit 7c06d99e1f
1 changed files with 9 additions and 8 deletions
--- a/uri.c
+++ b/uri.c
@ -1754,11 +1754,6 @@ xmlURIEscape(const xmlChar * str)
    xmlURIPtr uri;
    int ret2;

-#define NULLCHK(p) if(!p) { \
-         xmlURIErrMemory("escaping URI value\n"); \
-         xmlFreeURI(uri); \
-         return NULL; } \
-
    if (str == NULL)
        return (NULL);

@ -1780,6 +1775,12 @@ xmlURIEscape(const xmlChar * str)

    ret = NULL;

+#define NULLCHK(p) if(!p) { \
+         xmlURIErrMemory("escaping URI value\n"); \
+         xmlFreeURI(uri); \
+         xmlFree(ret); \
+         return NULL; } \
+
    if (uri->scheme) {
        segment = xmlURIEscapeStr(BAD_CAST uri->scheme, BAD_CAST "+-.");
        NULLCHK(segment)
@ -1800,7 +1801,7 @@ xmlURIEscape(const xmlChar * str)
    if (uri->user) {
        segment = xmlURIEscapeStr(BAD_CAST uri->user, BAD_CAST ";:&=+$,");
        NULLCHK(segment)
-		ret = xmlStrcat(ret,BAD_CAST "//");
+        ret = xmlStrcat(ret,BAD_CAST "//");
        ret = xmlStrcat(ret, segment);
        ret = xmlStrcat(ret, BAD_CAST "@");
        xmlFree(segment);
@ -1809,8 +1810,8 @@ xmlURIEscape(const xmlChar * str)
    if (uri->server) {
        segment = xmlURIEscapeStr(BAD_CAST uri->server, BAD_CAST "/?;:@");
        NULLCHK(segment)
-		if (uri->user == NULL)
-		ret = xmlStrcat(ret, BAD_CAST "//");
+        if (uri->user == NULL)
+            ret = xmlStrcat(ret, BAD_CAST "//");
        ret = xmlStrcat(ret, segment);
        xmlFree(segment);
    }