1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-16 02:50:07 +03:00

Fix more NULL pointer derefs in xpointer.c

Found with afl-fuzz.
This commit is contained in:
Nick Wellnhofer 2016-06-26 12:38:28 +02:00
parent 229d1f93ce
commit e905f08123

View File

@ -542,7 +542,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
/*
* Empty set ...
*/
if (end->nodesetval->nodeNr <= 0)
if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0))
return(NULL);
endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
endIndex = -1;
@ -1361,7 +1361,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) {
*/
xmlNodeSetPtr set;
set = tmp->nodesetval;
if ((set->nodeNr != 1) ||
if ((set == NULL) || (set->nodeNr != 1) ||
(set->nodeTab[0] != (xmlNodePtr) ctx->doc))
stack++;
} else
@ -2034,9 +2034,11 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
xmlXPathFreeObject(set);
XP_ERROR(XPATH_MEMORY_ERROR);
}
for (i = 0;i < oldset->locNr;i++) {
xmlXPtrLocationSetAdd(newset,
xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
if (oldset != NULL) {
for (i = 0;i < oldset->locNr;i++) {
xmlXPtrLocationSetAdd(newset,
xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
}
}
/*