malloc-fail: Fix erroneous report in xmlStringGetNodeList

The parser can produce invalid attribute content in recovery mode. Unless this is fixed, xmlStringGetNodeList should ignore such errors silently.
2024-12-25 23:21:26 +03:00 · 2023-12-23 15:03:22 +01:00 · 2023-12-23 15:03:22 +01:00 · c49572e57d
commit c49572e57d
parent c8f1f4a280
1 changed files with 22 additions and 13 deletions
--- a/tree.c
+++ b/tree.c
@ -1210,6 +1210,16 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
    xmlEntityPtr ent;
    xmlBufPtr buf;

+    /*
+     * This function should only receive valid attribute values that
+     * were checked by the parser, typically by xmlParseAttValueComplex
+     * calling xmlStringDecodeEntities.
+     *
+     * In recovery mode, the parser can produce invalid attribute
+     * values. For now, we ignore any errors silently. If this is fixed,
+     * we could add assertions here to catch parser issues.
+     */
+
    if (value == NULL) return(NULL);
    cur = value;
    end = cur + len;
@ -1239,16 +1249,6 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
 		else
 		    tmp = 0;
 		while (tmp != ';') { /* Non input consuming loop */
-                    /*
-                     * If you find an integer overflow here when fuzzing,
-                     * the bug is probably elsewhere. This function should
-                     * only receive entities that were already validated by
-                     * the parser, typically by xmlParseAttValueComplex
-                     * calling xmlStringDecodeEntities.
-                     *
-                     * So it's better *not* to check for overflow to
-                     * potentially discover new bugs.
-                     */
 		    if ((tmp >= '0') && (tmp <= '9'))
 			charval = charval * 16 + (tmp - '0');
 		    else if ((tmp >= 'a') && (tmp <= 'f'))
@ -1299,7 +1299,7 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
 		q = cur;
 		while ((cur < end) && (*cur != 0) && (*cur != ';')) cur++;
 		if ((cur >= end) || (*cur == 0))
-		    goto out;
+		    break;
 		if (cur != q) {
 		    /*
 		     * Predefined entities don't generate nodes
@ -1443,6 +1443,16 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
    xmlEntityPtr ent;
    xmlBufPtr buf;

+    /*
+     * This function should only receive valid attribute values that
+     * were checked by the parser, typically by xmlParseAttValueComplex
+     * calling xmlStringDecodeEntities.
+     *
+     * In recovery mode, the parser can produce invalid attribute
+     * values. For now, we ignore any errors silently. If this is fixed,
+     * we could add assertions here to catch parser issues.
+     */
+
    if (value == NULL) return(NULL);

    buf = xmlBufCreateSize(0);
@ -1467,7 +1477,6 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
 		cur += 3;
 		tmp = *cur;
 		while (tmp != ';') { /* Non input consuming loop */
-                    /* Don't check for integer overflow, see above. */
 		    if ((tmp >= '0') && (tmp <= '9'))
 			charval = charval * 16 + (tmp - '0');
 		    else if ((tmp >= 'a') && (tmp <= 'f'))
@ -1509,7 +1518,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
 		q = cur;
 		while ((*cur != 0) && (*cur != ';')) cur++;
 		if (*cur == 0)
-		    goto out;
+		    break;
 		if (cur != q) {
 		    /*
 		     * Predefined entities don't generate nodes