shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-19 14:50:07 +03:00
Code

Check return value of nodePush in xmlSAX2StartElement

Browse Source 
If the maximum depth is exceeded, nodePush halts the parser which
results in freeing the input buffer since the previous commit. This
invalidates the attribute pointers, so the error condition must be
checked.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer 2018-09-12 13:42:27 +02:00
parent 123234f2cf
commit 8c9daf790a
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
SAX2.c
View File

@ -1665,7 +1665,10 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts)
#ifdef DEBUG_SAX_TREE
xmlGenericError(xmlGenericErrorContext, "pushing(%s)\n", name);
#endif
nodePush(ctxt, ret);
if (nodePush(ctxt, ret) < 0) {
xmlFreeNode(ret);
return;
}
/*
* Link the child element
@ -2336,7 +2339,10 @@ xmlSAX2StartElementNs(void *ctx,
/*
* We are parsing a new node.
*/
nodePush(ctxt, ret);
if (nodePush(ctxt, ret) < 0) {
xmlFreeNode(ret);
return;
}
/*
* Link the child element