shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-01-15 23:24:06 +03:00
Code

Fix memory leak in xmlStringLenGetNodeList

Browse Source 
Avoid expanding the entity recursively. Use the same prevention
mechanism as in xmlStringGetNodeList.

xmlStringGetNodeList on the other hand wasn't fixing up the 'last'
pointer.

I think the memory leak can only be triggered in recovery mode.

Found with libFuzzer and ASan.
This commit is contained in:
Nick Wellnhofer 2017-06-07 18:32:49 +02:00
parent 94691dc884
commit 8c82f5deeb
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
tree.c
View File

@ -1401,6 +1401,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
/* Set to non-NULL value to avoid recursion. */
ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content);
ent->owner = 1;
@ -1593,6 +1595,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
/* Set to non-NULL value to avoid recursion. */
ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content);
@ -1600,6 +1603,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
temp = ent->children;
while (temp) {
temp->parent = (xmlNodePtr)ent;
ent->last = temp;
temp = temp->next;
}
}