xinclude: Check reallocations for overflow

Nick Wellnhofer 2024-12-15 23:05:06 +01:00
parent 178b11219c
commit ae41cf9af5


@ -28,6 +28,7 @@
#include "private/buf.h" #include "private/buf.h"
#include "private/error.h" #include "private/error.h"
#include "private/memory.h"
#include "private/parser.h" #include "private/parser.h"
#include "private/tree.h" #include "private/tree.h"
#include "private/xinclude.h" #include "private/xinclude.h"
@ -562,14 +563,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
if (ctxt->incNr >= ctxt->incMax) { if (ctxt->incNr >= ctxt->incMax) {
xmlXIncludeRefPtr *table; xmlXIncludeRefPtr *table;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION int newSize;
size_t newSize = ctxt->incMax ? ctxt->incMax * 2 : 1;
#else
size_t newSize = ctxt->incMax ? ctxt->incMax * 2 : 4;
#endif
table = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab, newSize = xmlGrowCapacity(ctxt->incMax, sizeof(table[0]),
newSize * sizeof(ctxt->incTab[0])); 4, XML_MAX_ITEMS);
if (newSize < 0) {
xmlXIncludeErrMemory(ctxt);
goto error;
}
table = xmlRealloc(ctxt->incTab, newSize * sizeof(table[0]));
if (table == NULL) { if (table == NULL) {
xmlXIncludeErrMemory(ctxt); xmlXIncludeErrMemory(ctxt);
goto error; goto error;
@ -1133,13 +1135,16 @@ xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, xmlXIncludeRefPtr ref) {
/* Also cache NULL docs */ /* Also cache NULL docs */
if (ctxt->urlNr >= ctxt->urlMax) { if (ctxt->urlNr >= ctxt->urlMax) {
xmlXIncludeDoc *tmp; xmlXIncludeDoc *tmp;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION int newSize;
size_t newSize = ctxt->urlMax ? ctxt->urlMax * 2 : 1;
#else
size_t newSize = ctxt->urlMax ? ctxt->urlMax * 2 : 8;
#endif
tmp = xmlRealloc(ctxt->urlTab, sizeof(xmlXIncludeDoc) * newSize); newSize = xmlGrowCapacity(ctxt->urlMax, sizeof(tmp[0]),
8, XML_MAX_ITEMS);
if (newSize < 0) {
xmlXIncludeErrMemory(ctxt);
xmlFreeDoc(doc);
goto error;
}
tmp = xmlRealloc(ctxt->urlTab, newSize * sizeof(tmp[0]));
if (tmp == NULL) { if (tmp == NULL) {
xmlXIncludeErrMemory(ctxt); xmlXIncludeErrMemory(ctxt);
xmlFreeDoc(doc); xmlFreeDoc(doc);
@ -1484,13 +1489,15 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, xmlXIncludeRefPtr ref) {
if (ctxt->txtNr >= ctxt->txtMax) { if (ctxt->txtNr >= ctxt->txtMax) {
xmlXIncludeTxt *tmp; xmlXIncludeTxt *tmp;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION int newSize;
size_t newSize = ctxt->txtMax ? ctxt->txtMax * 2 : 1;
#else
size_t newSize = ctxt->txtMax ? ctxt->txtMax * 2 : 8;
#endif
tmp = xmlRealloc(ctxt->txtTab, sizeof(xmlXIncludeTxt) * newSize); newSize = xmlGrowCapacity(ctxt->txtMax, sizeof(tmp[0]),
8, XML_MAX_ITEMS);
if (newSize < 0) {
xmlXIncludeErrMemory(ctxt);
goto error;
}
tmp = xmlRealloc(ctxt->txtTab, newSize * sizeof(tmp[0]));
if (tmp == NULL) { if (tmp == NULL) {
xmlXIncludeErrMemory(ctxt); xmlXIncludeErrMemory(ctxt);
goto error; goto error;
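Review bot: At all three growth sites (xmlXIncludeAddNode, xmlXIncludeLoadDoc, xmlXIncludeLoadTxt) a negative return from `xmlGrowCapacity` is reported through `xmlXIncludeErrMemory`, so hitting the `XML_MAX_ITEMS` cap is indistinguishable from a failed allocation when triaging an error. If that is intended, a comment at the first check would make it explicit, e.g. `/* capacity limit reached or byte size would overflow: reported as out of memory */`. The multiplication `newSize * sizeof(tmp[0])` is only safe if `xmlGrowCapacity` bounds its result by the element size it is given; its definition is not shown on this page, so that contract should be confirmed and kept in sync with the `sizeof` used in the `xmlRealloc` call. The removed lines started the tables at capacity 1 under `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`; presumably the helper now covers that case, but nothing visible here shows it. The enclosing functions start and end outside the hunks.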