mirror of
https://gitlab.gnome.org/GNOME/libxml2.git
synced 2024-10-26 12:25:09 +03:00
Fix memory leaks in SAX1 parser
Found by OSS-Fuzz. I could only reproduce this with the (obsolete) SAX1 parser. One leak is caused by duplicate namespaced attribute names and can be reproduced in memory mode (testcase 4556417027538944): $ cat file <d xmlns:a="ns" a:x="v" xmlns:b="ns" b:x="v"/> $ xmllint --sax1 --memory file The other is caused by ATTLISTs with a normalized default for "xmlns" if they're processed after the entity recursion limit was hit (testcase 5580750034305024). $ cat file <!DOCTYPE d [ <!ENTITY a '<d>&a;'> <!ATTLIST d xmlns NMTOKEN 't'> ]> <d>&a; $ xmllint --sax1 --valid file Also see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2461
This commit is contained in:
parent
2960178fe8
commit
83fb4119a9
6
SAX2.c
6
SAX2.c
@ -1181,6 +1181,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
|
||||
xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement");
|
||||
if (name != NULL)
|
||||
xmlFree(name);
|
||||
if (nval != NULL)
|
||||
xmlFree(nval);
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
@ -1242,6 +1244,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
|
||||
xmlFree(ns);
|
||||
if (name != NULL)
|
||||
xmlFree(name);
|
||||
if (nval != NULL)
|
||||
xmlFree(nval);
|
||||
return;
|
||||
}
|
||||
} else {
|
||||
@ -1311,6 +1315,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
|
||||
name, namespace->href);
|
||||
ctxt->wellFormed = 0;
|
||||
if (ctxt->recovery == 0) ctxt->disableSAX = 1;
|
||||
if (name != NULL)
|
||||
xmlFree(name);
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user