From c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Mon, 23 Jan 2023 10:19:59 +0100 Subject: [PATCH] malloc-fail: Don't call xmlErrMemory in xmlstring.c Functions like xmlStrdup are called in the error handling code (__xmlRaiseError) which can cause problems like use-after-free or infinite loops when invoked recursively. Calling xmlErrMemory without a context argument isn't helpful anyway. Found with libFuzzer, see #344. --- xmlstring.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/xmlstring.c b/xmlstring.c index 54af2121..54734724 100644 --- a/xmlstring.c +++ b/xmlstring.c @@ -48,7 +48,6 @@ xmlStrndup(const xmlChar *cur, int len) { if ((cur == NULL) || (len < 0)) return(NULL); ret = (xmlChar *) xmlMallocAtomic((size_t) len + 1); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(NULL); } memcpy(ret, cur, len); @@ -93,7 +92,6 @@ xmlCharStrndup(const char *cur, int len) { if ((cur == NULL) || (len < 0)) return(NULL); ret = (xmlChar *) xmlMallocAtomic((size_t) len + 1); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(NULL); } for (i = 0;i < len;i++) { @@ -463,7 +461,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { return(NULL); ret = (xmlChar *) xmlRealloc(cur, (size_t) size + len + 1); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(cur); } memcpy(&ret[size], add, len); @@ -503,7 +500,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { return(NULL); ret = (xmlChar *) xmlMalloc((size_t) size + len + 1); if (ret == NULL) { - xmlErrMemory(NULL, NULL); return(xmlStrndup(str1, size)); } memcpy(ret, str1, size); @@ -1032,7 +1028,6 @@ xmlEscapeFormatString(xmlChar **msg) out-of-memory situations. */ xmlFree(*msg); *msg = NULL; - xmlErrMemory(NULL, NULL); return(NULL); }