mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-02-06 05:57:39 +03:00

malloc-fail: Fix reallocation in inputPush

Store xmlRealloc result in temporary variable to avoid null deref in
error handler.

Found with libFuzzer, see #344.
Nick Wellnhofer 2023-01-23 01:48:37 +01:00
parent 6fd8904108
commit e6d22f925a


@ -1694,16 +1694,17 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value)
if ((ctxt == NULL) || (value == NULL))
return(-1);
if (ctxt->inputNr >= ctxt->inputMax) {
ctxt->inputMax *= 2;
ctxt->inputTab =
(xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
ctxt->inputMax *
sizeof(ctxt->inputTab[0]));
if (ctxt->inputTab == NULL) {
size_t newSize = ctxt->inputMax * 2;
xmlParserInputPtr *tmp;
tmp = (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab,
newSize * sizeof(*tmp));
if (tmp == NULL) {
xmlErrMemory(ctxt, NULL);
ctxt->inputMax /= 2;
return (-1);
}
ctxt->inputTab = tmp;
ctxt->inputMax = newSize;
}
ctxt->inputTab[ctxt->inputNr] = value;
ctxt->input = value;
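Review bot: The growth step `size_t newSize = ctxt->inputMax * 2;` still has no upper bound: the doubling is evaluated in the type of `inputMax` (an `int` in libxml2's parser context, which this page does not show) before it is widened, and `newSize * sizeof(*tmp)` reaches xmlRealloc unchecked. Unless callers already cap the input stack depth, a guard ahead of the doubling such as `if (ctxt->inputMax > INT_MAX / 2 / (int) sizeof(*tmp)) { xmlErrMemory(ctxt, NULL); return (-1); }` keeps the multiplication, the byte count and the later `ctxt->inputMax = newSize;` narrowing in range. The rendered page has lost its +/- markers, so it is not visible whether `ctxt->inputMax /= 2;` in the failure branch survives on the new side; if it does, it should be dropped, because inputMax is no longer doubled before the call and halving it would understate the capacity of the still-valid table. inputPush begins before and continues past this hunk.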