c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

malloc-fail: Don't call xmlErrMemory in xmlstring.c

Browse Source 
Functions like xmlStrdup are called in the error handling code
(__xmlRaiseError) which can cause problems like use-after-free or
infinite loops when invoked recursively.

Calling xmlErrMemory without a context argument isn't helpful anyway.

Found with libFuzzer, see #344.
This commit is contained in:
Nick Wellnhofer 2023-01-23 10:19:59 +01:00
parent e6d22f925a
commit c7260a47f1
1 changed files with 0 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
xmlstring.c
View File

@ -48,7 +48,6 @@ xmlStrndup(const xmlChar *cur, int len) {
if ((cur == NULL) || (len < 0)) return(NULL); if ((cur == NULL) || (len < 0)) return(NULL);
ret = (xmlChar *) xmlMallocAtomic((size_t) len + 1); ret = (xmlChar *) xmlMallocAtomic((size_t) len + 1);
if (ret == NULL) { if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(NULL); return(NULL);
} }
memcpy(ret, cur, len); memcpy(ret, cur, len);
@ -93,7 +92,6 @@ xmlCharStrndup(const char *cur, int len) {
if ((cur == NULL) || (len < 0)) return(NULL); if ((cur == NULL) || (len < 0)) return(NULL);
ret = (xmlChar *) xmlMallocAtomic((size_t) len + 1); ret = (xmlChar *) xmlMallocAtomic((size_t) len + 1);
if (ret == NULL) { if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(NULL); return(NULL);
} }
for (i = 0;i < len;i++) { for (i = 0;i < len;i++) {
@ -463,7 +461,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
return(NULL); return(NULL);
ret = (xmlChar *) xmlRealloc(cur, (size_t) size + len + 1); ret = (xmlChar *) xmlRealloc(cur, (size_t) size + len + 1);
if (ret == NULL) { if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(cur); return(cur);
} }
memcpy(&ret[size], add, len); memcpy(&ret[size], add, len);
@ -503,7 +500,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
return(NULL); return(NULL);
ret = (xmlChar *) xmlMalloc((size_t) size + len + 1); ret = (xmlChar *) xmlMalloc((size_t) size + len + 1);
if (ret == NULL) { if (ret == NULL) {
xmlErrMemory(NULL, NULL);
return(xmlStrndup(str1, size)); return(xmlStrndup(str1, size));
} }
memcpy(ret, str1, size); memcpy(ret, str1, size);
@ -1032,7 +1028,6 @@ xmlEscapeFormatString(xmlChar **msg)
out-of-memory situations. */ out-of-memory situations. */
xmlFree(*msg); xmlFree(*msg);
*msg = NULL; *msg = NULL;
xmlErrMemory(NULL, NULL);
return(NULL); return(NULL);
} }