Fix memory leaks in SAX1 parser

Found by OSS-Fuzz. I could only reproduce this with the (obsolete) SAX1 parser. One leak is caused by duplicate namespaced attribute names and can be reproduced in memory mode (testcase 4556417027538944): $ cat file <d xmlns:a="ns" a:x="v" xmlns:b="ns" b:x="v"/> $ xmllint --sax1 --memory file The other is caused by ATTLISTs with a normalized default for "xmlns" if they're processed after the entity recursion limit was hit (testcase 5580750034305024). $ cat file <!DOCTYPE d [ <!ENTITY a '<d>&a;'> <!ATTLIST d xmlns NMTOKEN 't'> ]> <d>&a; $ xmllint --sax1 --valid file Also see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2461
2024-10-26 12:25:09 +03:00 · 2017-09-05 23:45:04 +02:00 · 2017-09-05 23:45:04 +02:00 · 83fb4119a9
commit 83fb4119a9
parent 2960178fe8
1 changed files with 6 additions and 0 deletions
--- a/SAX2.c
+++ b/SAX2.c
@ -1181,6 +1181,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
 	        xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement");
 		if (name != NULL)
 		    xmlFree(name);
+                if (nval != NULL)
+                    xmlFree(nval);
 		return;
 	    }
 	} else {
@ -1242,6 +1244,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
 	        xmlFree(ns);
 		if (name != NULL)
 		    xmlFree(name);
+                if (nval != NULL)
+                    xmlFree(nval);
 		return;
 	    }
 	} else {
@ -1311,6 +1315,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
                                             name, namespace->href);
                        ctxt->wellFormed = 0;
                        if (ctxt->recovery == 0) ctxt->disableSAX = 1;
+                        if (name != NULL)
+                            xmlFree(name);
                        goto error;
                    }
                }