1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2024-12-27 03:21:26 +03:00

malloc-fail: Fix erroneous report in xmlStringGetNodeList

The parser can produce invalid attribute content in recovery mode.
Unless this is fixed, xmlStringGetNodeList should ignore such errors
silently.
This commit is contained in:
Nick Wellnhofer 2023-12-23 15:03:22 +01:00
parent c8f1f4a280
commit c49572e57d

35
tree.c
View File

@ -1210,6 +1210,16 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
xmlEntityPtr ent;
xmlBufPtr buf;
/*
* This function should only receive valid attribute values that
* were checked by the parser, typically by xmlParseAttValueComplex
* calling xmlStringDecodeEntities.
*
* In recovery mode, the parser can produce invalid attribute
* values. For now, we ignore any errors silently. If this is fixed,
* we could add assertions here to catch parser issues.
*/
if (value == NULL) return(NULL);
cur = value;
end = cur + len;
@ -1239,16 +1249,6 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
else
tmp = 0;
while (tmp != ';') { /* Non input consuming loop */
/*
* If you find an integer overflow here when fuzzing,
* the bug is probably elsewhere. This function should
* only receive entities that were already validated by
* the parser, typically by xmlParseAttValueComplex
* calling xmlStringDecodeEntities.
*
* So it's better *not* to check for overflow to
* potentially discover new bugs.
*/
if ((tmp >= '0') && (tmp <= '9'))
charval = charval * 16 + (tmp - '0');
else if ((tmp >= 'a') && (tmp <= 'f'))
@ -1299,7 +1299,7 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
q = cur;
while ((cur < end) && (*cur != 0) && (*cur != ';')) cur++;
if ((cur >= end) || (*cur == 0))
goto out;
break;
if (cur != q) {
/*
* Predefined entities don't generate nodes
@ -1443,6 +1443,16 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
xmlEntityPtr ent;
xmlBufPtr buf;
/*
* This function should only receive valid attribute values that
* were checked by the parser, typically by xmlParseAttValueComplex
* calling xmlStringDecodeEntities.
*
* In recovery mode, the parser can produce invalid attribute
* values. For now, we ignore any errors silently. If this is fixed,
* we could add assertions here to catch parser issues.
*/
if (value == NULL) return(NULL);
buf = xmlBufCreateSize(0);
@ -1467,7 +1477,6 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
cur += 3;
tmp = *cur;
while (tmp != ';') { /* Non input consuming loop */
/* Don't check for integer overflow, see above. */
if ((tmp >= '0') && (tmp <= '9'))
charval = charval * 16 + (tmp - '0');
else if ((tmp >= 'a') && (tmp <= 'f'))
@ -1509,7 +1518,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
q = cur;
while ((*cur != 0) && (*cur != ';')) cur++;
if (*cur == 0)
goto out;
break;
if (cur != q) {
/*
* Predefined entities don't generate nodes