xmllint: Fix use-after-free with --maxmem

Fixes #498.
2025-03-20 18:50:08 +03:00 · 2023-03-14 13:02:36 +01:00 · 2023-03-14 13:02:36 +01:00 · d7daf9fd96
commit d7daf9fd96
parent e7c3a4ca1b
3 changed files with 29 additions and 9 deletions
--- a/include/libxml/xmlmemory.h
+++ b/include/libxml/xmlmemory.h
@ -139,6 +139,8 @@ XMLPUBFUN void
 /*
 * These are specific to the XML debug memory wrapper.
 */
+XMLPUBFUN size_t
+	xmlMemSize	(void *ptr);
 XMLPUBFUN int
 	xmlMemUsed	(void);
 XMLPUBFUN int
--- a/xmllint.c
+++ b/xmllint.c
@ -352,17 +352,14 @@ myMallocFunc(size_t size)
 static void *
 myReallocFunc(void *mem, size_t size)
 {
-    void *ret;
+    size_t oldsize = xmlMemSize(mem);

-    ret = xmlMemRealloc(mem, size);
-    if (ret != NULL) {
-        if (xmlMemUsed() > maxmem) {
-            OOM();
-            xmlMemFree(ret);
-            return (NULL);
-        }
+    if (xmlMemUsed() + size - oldsize > (size_t) maxmem) {
+        OOM();
+        return (NULL);
    }
-    return (ret);
+
+    return (xmlMemRealloc(mem, size));
 }
 static char *
 myStrdupFunc(const char *str)
--- a/xmlmemory.c
+++ b/xmlmemory.c
@ -558,6 +558,27 @@ xmlMemoryStrdup(const char *str) {
    return(xmlMemStrdupLoc(str, "none", 0));
 }

+/**
+ * xmlMemSize:
+ * @ptr:  pointer to the memory allocation
+ *
+ * Returns the size of a memory allocation.
+ */
+
+size_t
+xmlMemSize(void *ptr) {
+    MEMHDR *p;
+
+    if (ptr == NULL)
+	return(0);
+
+    p = CLIENT_2_HDR(ptr);
+    if (p->mh_tag != MEMTAG)
+        return(0);
+
+    return(p->mh_size);
+}
+
 /**
 * xmlMemUsed:
 *