shaba/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-01-13 13:17:36 +03:00
Code

malloc-fail: Fix erroneous report in xmlStringGetNodeList

Browse Source 
The parser can produce invalid attribute content in recovery mode.
Unless this is fixed, xmlStringGetNodeList should ignore such errors
silently.
This commit is contained in:
Nick Wellnhofer 2023-12-23 15:03:22 +01:00
parent c8f1f4a280
commit c49572e57d
1 changed files with 22 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
tree.c
View File

@ -1210,6 +1210,16 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
xmlEntityPtr ent; xmlEntityPtr ent;
xmlBufPtr buf; xmlBufPtr buf;
/*
* This function should only receive valid attribute values that
* were checked by the parser, typically by xmlParseAttValueComplex
* calling xmlStringDecodeEntities.
*
* In recovery mode, the parser can produce invalid attribute
* values. For now, we ignore any errors silently. If this is fixed,
* we could add assertions here to catch parser issues.
*/
if (value == NULL) return(NULL); if (value == NULL) return(NULL);
cur = value; cur = value;
end = cur + len; end = cur + len;
@ -1239,16 +1249,6 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
else else
tmp = 0; tmp = 0;
while (tmp != ';') { /* Non input consuming loop */ while (tmp != ';') { /* Non input consuming loop */
/*
* If you find an integer overflow here when fuzzing,
* the bug is probably elsewhere. This function should
* only receive entities that were already validated by
* the parser, typically by xmlParseAttValueComplex
* calling xmlStringDecodeEntities.
*
* So it's better *not* to check for overflow to
* potentially discover new bugs.
*/
if ((tmp >= '0') && (tmp <= '9')) if ((tmp >= '0') && (tmp <= '9'))
charval = charval * 16 + (tmp - '0'); charval = charval * 16 + (tmp - '0');
else if ((tmp >= 'a') && (tmp <= 'f')) else if ((tmp >= 'a') && (tmp <= 'f'))
@ -1299,7 +1299,7 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
q = cur; q = cur;
while ((cur < end) && (*cur != 0) && (*cur != ';')) cur++; while ((cur < end) && (*cur != 0) && (*cur != ';')) cur++;
if ((cur >= end) || (*cur == 0)) if ((cur >= end) || (*cur == 0))
goto out; break;
if (cur != q) { if (cur != q) {
/* /*
* Predefined entities don't generate nodes * Predefined entities don't generate nodes
@ -1443,6 +1443,16 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
xmlEntityPtr ent; xmlEntityPtr ent;
xmlBufPtr buf; xmlBufPtr buf;
/*
* This function should only receive valid attribute values that
* were checked by the parser, typically by xmlParseAttValueComplex
* calling xmlStringDecodeEntities.
*
* In recovery mode, the parser can produce invalid attribute
* values. For now, we ignore any errors silently. If this is fixed,
* we could add assertions here to catch parser issues.
*/
if (value == NULL) return(NULL); if (value == NULL) return(NULL);
buf = xmlBufCreateSize(0); buf = xmlBufCreateSize(0);
@ -1467,7 +1477,6 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
cur += 3; cur += 3;
tmp = *cur; tmp = *cur;
while (tmp != ';') { /* Non input consuming loop */ while (tmp != ';') { /* Non input consuming loop */
/* Don't check for integer overflow, see above. */
if ((tmp >= '0') && (tmp <= '9')) if ((tmp >= '0') && (tmp <= '9'))
charval = charval * 16 + (tmp - '0'); charval = charval * 16 + (tmp - '0');
else if ((tmp >= 'a') && (tmp <= 'f')) else if ((tmp >= 'a') && (tmp <= 'f'))
@ -1509,7 +1518,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
q = cur; q = cur;
while ((*cur != 0) && (*cur != ';')) cur++; while ((*cur != 0) && (*cur != ';')) cur++;
if (*cur == 0) if (*cur == 0)
goto out; break;
if (cur != q) { if (cur != q) {
/* /*
* Predefined entities don't generate nodes * Predefined entities don't generate nodes