From 1e5375c1b45aae973ae2c0a0f8147bf5f76da945 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sat, 6 Jul 2024 15:15:57 +0200
Subject: [PATCH] SAX2: Check return value of xmlPushInput

Fix null deref in case of malloc failure.
---
 SAX2.c | 14 +++++---------
 parser.c | 3 ++-
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/SAX2.c b/SAX2.c
index 7e56c250..4c3c7329 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -320,18 +320,13 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name,
 xmlMalloc(5 * sizeof(xmlParserInputPtr));
 if (ctxt->inputTab == NULL) {
 xmlSAX2ErrMemory(ctxt);
- xmlFreeInputStream(input);
- ctxt->input = oldinput;
- ctxt->inputNr = oldinputNr;
- ctxt->inputMax = oldinputMax;
- ctxt->inputTab = oldinputTab;
- ctxt->encoding = oldencoding;
- return;
+ goto error;
 }
 ctxt->inputNr = 0;
 ctxt->inputMax = 5;
 ctxt->input = NULL;
- xmlPushInput(ctxt, input);
+ if (xmlPushInput(ctxt, input) < 0)
+ goto error;
 if (input->filename == NULL) input->filename = (char *) xmlCanonicPath(SystemID);
@@ -364,7 +359,8 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name,
 else ctxt->sizeentities += consumed;
- xmlFreeInputStream(ctxt->input);
+error:
+ xmlFreeInputStream(input);
 xmlFree(ctxt->inputTab);
 /*
diff --git a/parser.c b/parser.c
index a0bd8225..2443c393 100644
--- a/parser.c
+++ b/parser.c
@@ -2564,7 +2564,8 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
 return(-1);
 }
 ret = inputPush(ctxt, input);
- GROW;
+ if (ret >= 0)
+ GROW;
 return(ret);
 }
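Review bot: The second `goto error` in the SAX2.c hunk at `@@ -320,18 +320,13 @@` frees `input` at the label, which is only safe if `xmlPushInput` leaves ownership with the caller when it returns a negative value. The `return(-1)` path visible in the parser.c hunk does not free it, but `inputPush` is outside the diff, so this should be confirmed and written down; if the push helper ever frees on failure, this path becomes a double free. I would add a comment at the call, for example `/* on failure xmlPushInput does not take ownership; input is freed at error: */`, and state the same contract in the header comment of xmlPushInput. The body of xmlSAX2ExternalSubset starts and ends outside this hunk, so the state restore that the removed lines performed is assumed to follow the label.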
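Review bot: At the new `error:` label in the SAX2.c hunk at `@@ -364,7 +359,8 @@`, only `input` is released before `xmlFree(ctxt->inputTab)`, where the old line released `ctxt->input`. If parsing the external subset can stop with further inputs still stacked above `input` (not visible here), those entries are dropped with the table and leak. I would either confirm the invariant and record it, e.g. `/* the temporary stack holds at most input here */`, or drain the stack before the free. A drain must not run on the allocation-failure path, where `ctxt->inputNr` still holds the old count and `ctxt->inputTab` is NULL. That path also hands NULL to `xmlFree`, which assumes the configured deallocator accepts it; the function continues past the hunk.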
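Review bot: In the parser.c hunk, the new `if (ret >= 0)` guards a macro invocation without braces, and the reason for the guard is not recorded. GROW's expansion is not visible in this diff; if it expands to an `if` statement, an `else` added here later would bind to the macro's condition, so `if (ret >= 0) { GROW; }` is the safer form. The SAX2.c hunk sets `ctxt->input = NULL` just before the call, so a failed push presumably leaves no current input for GROW to read. A comment such as `/* push failed: ctxt->input may be NULL, skip GROW */` would keep the guard from being removed as redundant. The start of xmlPushInput lies outside the hunk.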