77 lines
2.5 KiB
Diff
77 lines
2.5 KiB
Diff
From 2c80fc911678adc9dcf252b3bc71cce101c8728e Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Mon, 2 Dec 2019 11:30:30 +0100
|
|
Subject: [PATCH] Fix more memory leaks in error paths of XPath parser
|
|
|
|
Found by OSS-Fuzz.
|
|
---
|
|
xpath.c | 24 +++++++++++++++---------
|
|
1 file changed, 15 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/xpath.c b/xpath.c
|
|
index ff1137f..030bab3 100644
|
|
--- a/xpath.c
|
|
+++ b/xpath.c
|
|
@@ -10300,8 +10300,10 @@ xmlXPathCompVariableReference(xmlXPathParserContextPtr ctxt) {
|
|
XP_ERROR(XPATH_VARIABLE_REF_ERROR);
|
|
}
|
|
ctxt->comp->last = -1;
|
|
- PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0,
|
|
- name, prefix);
|
|
+ if (PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0, name, prefix) == -1) {
|
|
+ xmlFree(prefix);
|
|
+ xmlFree(name);
|
|
+ }
|
|
SKIP_BLANKS;
|
|
if ((ctxt->context != NULL) && (ctxt->context->flags & XML_XPATH_NOVAR)) {
|
|
XP_ERROR(XPATH_FORBID_VARIABLE_ERROR);
|
|
@@ -10408,8 +10410,10 @@ xmlXPathCompFunctionCall(xmlXPathParserContextPtr ctxt) {
|
|
SKIP_BLANKS;
|
|
}
|
|
}
|
|
- PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0,
|
|
- name, prefix);
|
|
+ if (PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0, name, prefix) == -1) {
|
|
+ xmlFree(prefix);
|
|
+ xmlFree(name);
|
|
+ }
|
|
NEXT;
|
|
SKIP_BLANKS;
|
|
}
|
|
@@ -11050,7 +11054,7 @@ xmlXPathCompPredicate(xmlXPathParserContextPtr ctxt, int filter) {
|
|
*/
|
|
static xmlChar *
|
|
xmlXPathCompNodeTest(xmlXPathParserContextPtr ctxt, xmlXPathTestVal *test,
|
|
- xmlXPathTypeVal *type, const xmlChar **prefix,
|
|
+ xmlXPathTypeVal *type, xmlChar **prefix,
|
|
xmlChar *name) {
|
|
int blanks;
|
|
|
|
@@ -11281,7 +11285,7 @@ xmlXPathCompStep(xmlXPathParserContextPtr ctxt) {
|
|
SKIP_BLANKS;
|
|
} else {
|
|
xmlChar *name = NULL;
|
|
- const xmlChar *prefix = NULL;
|
|
+ xmlChar *prefix = NULL;
|
|
xmlXPathTestVal test = (xmlXPathTestVal) 0;
|
|
xmlXPathAxisVal axis = (xmlXPathAxisVal) 0;
|
|
xmlXPathTypeVal type = (xmlXPathTypeVal) 0;
|
|
@@ -11391,9 +11395,11 @@ eval_predicates:
|
|
PUSH_BINARY_EXPR(XPATH_OP_RANGETO, op2, op1, 0, 0);
|
|
} else
|
|
#endif
|
|
- PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
|
|
- test, type, (void *)prefix, (void *)name);
|
|
-
|
|
+ if (PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
|
|
+ test, type, (void *)prefix, (void *)name) == -1) {
|
|
+ xmlFree(prefix);
|
|
+ xmlFree(name);
|
|
+ }
|
|
}
|
|
#ifdef DEBUG_STEP
|
|
xmlGenericError(xmlGenericErrorContext, "Step : ");
|
|
--
|
|
1.8.3.1
|
|
|