malloc-fail: Report malloc failure in xmlRegEpxFromParse

Also check whether malloc failures are reported when fuzzing.

fuzz/fuzz.c

@@ -44,6 +44,7 @@ static struct {
 
 size_t fuzzNumAllocs;
 size_t fuzzMaxAllocs;
+int fuzzAllocFailed;
 
 /**
  * xmlFuzzErrorFunc:
@@ -71,12 +72,13 @@ xmlFuzzErrorFunc(void *ctx ATTRIBUTE_UNUSED, const char *msg ATTRIBUTE_UNUSED,
 static void *
 xmlFuzzMalloc(size_t size) {
     if (fuzzMaxAllocs > 0) {
-        if (fuzzNumAllocs >= fuzzMaxAllocs - 1)
+        if (fuzzNumAllocs >= fuzzMaxAllocs - 1) {
 #if XML_FUZZ_MALLOC_ABORT
             abort();
-#else
-            return(NULL);
 #endif
+            fuzzAllocFailed = 1;
+            return(NULL);
+        }
         fuzzNumAllocs += 1;
     }
     return malloc(size);
@@ -85,12 +87,13 @@ xmlFuzzMalloc(size_t size) {
 static void *
 xmlFuzzRealloc(void *ptr, size_t size) {
     if (fuzzMaxAllocs > 0) {
-        if (fuzzNumAllocs >= fuzzMaxAllocs - 1)
+        if (fuzzNumAllocs >= fuzzMaxAllocs - 1) {
 #if XML_FUZZ_MALLOC_ABORT
             abort();
-#else
-            return(NULL);
 #endif
+            fuzzAllocFailed = 1;
+            return(NULL);
+        }
         fuzzNumAllocs += 1;
     }
     return realloc(ptr, size);
@@ -105,6 +108,12 @@ void
 xmlFuzzMemSetLimit(size_t limit) {
     fuzzNumAllocs = 0;
     fuzzMaxAllocs = limit ? limit + XML_FUZZ_MALLOC_OFFSET : 0;
+    fuzzAllocFailed = 0;
+}
+
+int
+xmlFuzzMallocFailed(void) {
+    return fuzzAllocFailed;
 }
 
 /**

fuzz/fuzz.h

@@ -56,6 +56,9 @@ xmlFuzzMemSetup(void);
 void
 xmlFuzzMemSetLimit(size_t limit);
 
+int
+xmlFuzzMallocFailed(void);
+
 void
 xmlFuzzDataInit(const char *data, size_t size);
 

fuzz/regexp.c

@@ -4,6 +4,8 @@
  * See Copyright for the status of this software.
  */
 
+#include <stdio.h>
+#include <stdlib.h>
 #include <libxml/xmlregexp.h>
 #include "fuzz.h"
 
@@ -31,6 +33,10 @@ LLVMFuzzerTestOneInput(const char *data, size_t size) {
 
     xmlFuzzMemSetLimit(maxAlloc);
     regexp = xmlRegexpCompile(BAD_CAST str1);
+    if (xmlFuzzMallocFailed() && regexp != NULL) {
+        fprintf(stderr, "malloc failure not reported\n");
+        abort();
+    }
     /* xmlRegexpExec has pathological performance in too many cases. */
 #if 0
     xmlRegexpExec(regexp, BAD_CAST str2);

xmlregexp.c

@@ -476,7 +476,11 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
     ret->determinist = ctxt->determinist;
     ret->flags = ctxt->flags;
     if (ret->determinist == -1) {
-        xmlRegexpIsDeterminist(ret);
+        if (xmlRegexpIsDeterminist(ret) < 0) {
+            xmlRegexpErrMemory(ctxt, "checking determinism");
+            xmlFree(ret);
+            return(NULL);
+        }
     }
 
     if ((ret->determinist != 0) &&