c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

malloc-fail: Fix null deref after xmlPointerListAddSize

Browse Source 
Found with libFuzzer, see #344.
This commit is contained in:
Nick Wellnhofer 2023-02-26 14:41:35 +01:00
parent 70b21c9f2a
commit 44947afba0
1 changed files with 19 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
xpath.c
View File

@ -823,32 +823,30 @@ xmlPointerListAddSize(xmlPointerListPtr list,
void *item,
int initialSize)
{
if (list->items == NULL) {
if (initialSize <= 0)
initialSize = 1;
list->items = (void **) xmlMalloc(initialSize * sizeof(void *));
if (list->items == NULL) {
xmlXPathErrMemory(NULL,
"xmlPointerListCreate: allocating item\n");
return(-1);
}
list->number = 0;
list->size = initialSize;
} else if (list->size <= list->number) {
if (list->size > 50000000) {
xmlXPathErrMemory(NULL,
"xmlPointerListAddSize: re-allocating item\n");
return(-1);
if (list->size <= list->number) {
void **tmp;
size_t newSize;
if (list->size == 0) {
if (initialSize <= 0)
initialSize = 1;
newSize = initialSize;
} else {
if (list->size > 50000000) {
xmlXPathErrMemory(NULL,
"xmlPointerListAddSize: re-allocating item\n");
return(-1);
}
newSize = list->size * 2;
}
list->size *= 2;
list->items = (void **) xmlRealloc(list->items,
list->size * sizeof(void *));
if (list->items == NULL) {
tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
if (tmp == NULL) {
xmlXPathErrMemory(NULL,
"xmlPointerListAddSize: re-allocating item\n");
list->size = 0;
return(-1);
}
list->items = tmp;
list->size = newSize;
}
list->items[list->number++] = item;
return(0);