packages/libxml2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libxml2/Fix-memory-leak-in-error-path-of-XPath-expr-parser.patch
wangchen2020 e77c487eb2 Sync some patches from community
2020-07-03 16:56:41 +08:00

68 lines
2.0 KiB
Diff
Raw Blame History

From d5f2f74d0f0e7906eabb32c57e09a13ac3e578a2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 11 Nov 2019 11:27:40 +0100
Subject: [PATCH] Fix memory leak in error path of XPath expr parser
Also propagate memory errors.
Found by OSS-Fuzz.
---
xpath.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/xpath.c b/xpath.c
index 9f64ab9..ff1137f 100644
--- a/xpath.c
+++ b/xpath.c
@@ -10088,6 +10088,7 @@ xmlXPathCompNumber(xmlXPathParserContextPtr ctxt)
int ok = 0;
int exponent = 0;
int is_exponent_negative = 0;
+ xmlXPathObjectPtr num;
#ifdef __GNUC__
unsigned long tmp = 0;
double temp;
@@ -10160,8 +10161,13 @@ xmlXPathCompNumber(xmlXPathParserContextPtr ctxt)
exponent = -exponent;
ret *= pow(10.0, (double) exponent);
}
- PUSH_LONG_EXPR(XPATH_OP_VALUE, XPATH_NUMBER, 0, 0,
- xmlXPathCacheNewFloat(ctxt->context, ret), NULL);
+ num = xmlXPathCacheNewFloat(ctxt->context, ret);
+ if (num == NULL) {
+ ctxt->error = XPATH_MEMORY_ERROR;
+ } else if (PUSH_LONG_EXPR(XPATH_OP_VALUE, XPATH_NUMBER, 0, 0, num,
+ NULL) == -1) {
+ xmlXPathReleaseObject(ctxt->context, num);
+ }
}
/**
@@ -10223,6 +10229,7 @@ static void
xmlXPathCompLiteral(xmlXPathParserContextPtr ctxt) {
const xmlChar *q;
xmlChar *ret = NULL;
+ xmlXPathObjectPtr lit;
if (CUR == '"') {
NEXT;
@@ -10250,8 +10257,13 @@ xmlXPathCompLiteral(xmlXPathParserContextPtr ctxt) {
XP_ERROR(XPATH_START_LITERAL_ERROR);
}
if (ret == NULL) return;
- PUSH_LONG_EXPR(XPATH_OP_VALUE, XPATH_STRING, 0, 0,
- xmlXPathCacheNewString(ctxt->context, ret), NULL);
+ lit = xmlXPathCacheNewString(ctxt->context, ret);
+ if (lit == NULL) {
+ ctxt->error = XPATH_MEMORY_ERROR;
+ } else if (PUSH_LONG_EXPR(XPATH_OP_VALUE, XPATH_STRING, 0, 0, lit,
+ NULL) == -1) {
+ xmlXPathReleaseObject(ctxt->context, lit);
+ }
xmlFree(ret);
}
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink