parser: Halt parser when growing buffer results in OOM

Fix short-lived regression from previous commit. It might be safer to make xmlBufSetInputBaseCur use the original buffer even in case of errors. Found by OSS-Fuzz.
2025-03-24 06:50:08 +03:00 · 2023-06-08 21:53:05 +02:00 · 2023-06-08 21:53:05 +02:00 · b236b7a588
commit b236b7a588
parent 20f5c73457
3 changed files with 12 additions and 2 deletions
--- a/buf.c
+++ b/buf.c
@ -1100,6 +1100,10 @@ xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
                      size_t base, size_t cur) {
    if (input == NULL)
        return(-1);
+    /*
+     * TODO: It might be safer to keep using the buffer content if there
+     * was an error.
+     */
    if ((buf == NULL) || (buf->error)) {
        input->base = input->cur = input->end = BAD_CAST "";
        return(-1);
--- a/encoding.c
+++ b/encoding.c
@ -2143,8 +2143,10 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush)
        toconv = 64 * 1024;
    written = xmlBufAvail(out);
    if (toconv * 2 >= written) {
-        if (xmlBufGrow(out, toconv * 2) < 0)
+        if (xmlBufGrow(out, toconv * 2) < 0) {
+            input->error = XML_ERR_NO_MEMORY;
            return(XML_ENC_ERR_MEMORY);
+        }
        written = xmlBufAvail(out);
    }
    if ((written > 128 * 1024) && (flush == 0))
--- a/parserInternals.c
+++ b/parserInternals.c
@ -566,8 +566,12 @@ xmlParserGrow(xmlParserCtxtPtr ctxt) {
    ret = xmlParserInputBufferGrow(buf, INPUT_CHUNK);
    xmlBufSetInputBaseCur(buf->buffer, in, 0, curBase);

-    if (ret < 0)
+    if (ret < 0) {
        xmlFatalErr(ctxt, buf->error, NULL);
+        /* Buffer contents may be lost in case of memory errors. */
+        if (buf->error == XML_ERR_NO_MEMORY)
+            xmlHaltParser(ctxt);
+    }

    return(ret);
 }