mirror of
https://gitlab.gnome.org/GNOME/libxml2
synced 2025-03-28 21:33:13 +00:00
malloc-fail: Fix null deref after xmlPointerListAddSize
Found with libFuzzer, see #344.
parent
70b21c9f2a
commit
44947afba0
40
xpath.c
40
xpath.c
@ -823,32 +823,30 @@ xmlPointerListAddSize(xmlPointerListPtr list,
|
||||
void *item,
|
||||
int initialSize)
|
||||
{
|
||||
if (list->items == NULL) {
|
||||
if (initialSize <= 0)
|
||||
initialSize = 1;
|
||||
list->items = (void **) xmlMalloc(initialSize * sizeof(void *));
|
||||
if (list->items == NULL) {
|
||||
xmlXPathErrMemory(NULL,
|
||||
"xmlPointerListCreate: allocating item\n");
|
||||
return(-1);
|
||||
}
|
||||
list->number = 0;
|
||||
list->size = initialSize;
|
||||
} else if (list->size <= list->number) {
|
||||
if (list->size > 50000000) {
|
||||
xmlXPathErrMemory(NULL,
|
||||
"xmlPointerListAddSize: re-allocating item\n");
|
||||
return(-1);
|
||||
if (list->size <= list->number) {
|
||||
void **tmp;
|
||||
size_t newSize;
|
||||
|
||||
if (list->size == 0) {
|
||||
if (initialSize <= 0)
|
||||
initialSize = 1;
|
||||
newSize = initialSize;
|
||||
} else {
|
||||
if (list->size > 50000000) {
|
||||
xmlXPathErrMemory(NULL,
|
||||
"xmlPointerListAddSize: re-allocating item\n");
|
||||
return(-1);
|
||||
}
|
||||
newSize = list->size * 2;
|
||||
}
|
||||
list->size *= 2;
|
||||
list->items = (void **) xmlRealloc(list->items,
|
||||
list->size * sizeof(void *));
|
||||
if (list->items == NULL) {
|
||||
tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
|
||||
if (tmp == NULL) {
|
||||
xmlXPathErrMemory(NULL,
|
||||
"xmlPointerListAddSize: re-allocating item\n");
|
||||
list->size = 0;
|
||||
return(-1);
|
||||
}
|
||||
list->items = tmp;
|
||||
list->size = newSize;
|
||||
}
|
||||
list->items[list->number++] = item;
|
||||
return(0);
|
||||
|
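Review bot: The first-allocation branch (`list->size == 0`) gives `initialSize` only a lower bound, while the grow branch refuses to go past 50000000 entries. Callers are not visible here, but if `initialSize` can ever be large, `newSize * sizeof(void *)` could wrap where `size_t` is 32 bits and leave `list->size` larger than the buffer that was actually allocated. Applying the same limit in that branch would close the gap, e.g. `if (initialSize > 50000000) initialSize = 50000000;` before `newSize = initialSize;`. The rewrite also drops the old `list->items == NULL` test and the `list->number = 0` reset, so it now relies on the list being zero-initialised and on `xmlRealloc` treating a NULL pointer as a fresh allocation; a comment such as `/* size == 0 implies items == NULL and number == 0 */` above the branch would record that. The start of the signature and the function's closing brace are outside the hunk.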