author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-01-22 14:52:06 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-01-24 11:32:15 +0100 |
commit | 2355eac59e91e1465696150cf0efc9029ba4f9b2 (patch) | |
tree | 186ede1a8c4ccdcdcb2ec0193113f35de59f4593 | |
parent | 0c5f40b788410753eb73e3040be4f50b608923e1 (diff) | |
download | libxml2-2355eac59e91e1465696150cf0efc9029ba4f9b2.tar.gz |
malloc-fail: Fix null deref if growing input buffer fails
Also add some error checks.
Found with libFuzzer, see #344.
-rw-r--r-- | encoding.c | 3 | ||||
-rw-r--r-- | parserInternals.c | 6 | ||||
-rw-r--r-- | xmlIO.c | 3 |
3 files changed, 10 insertions, 2 deletions
@@ -2332,7 +2332,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush)
         toconv = 64 * 1024;
     written = xmlBufAvail(out);
     if (toconv * 2 >= written) {
-        xmlBufGrow(out, toconv * 2);
+        if (xmlBufGrow(out, toconv * 2) < 0)
+            return (-1);
         written = xmlBufAvail(out);
     }
     if ((written > 128 * 1024) && (flush == 0))
diff --git a/parserInternals.c b/parserInternals.c
index 70664c36..f55700e5 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -315,6 +315,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
     ret = xmlParserInputBufferGrow(in->buf, len);
     in->base = xmlBufContent(in->buf->buffer);
+    if (in->base == NULL) {
+        in->base = BAD_CAST "";
+        in->cur = in->base;
+        in->end = in->base;
+        return(-1);
+    }
     in->cur = in->base + indx;
     in->end = xmlBufEnd(in->buf->buffer);
@@ -3218,7 +3218,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
         if (res < 0)
             return(-1);
-        xmlBufAddLen(buf, res);
+        if (xmlBufAddLen(buf, res) < 0)
+            return(-1);
     }
    /*
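Review bot: The new early exit in xmlCharEncInput is spelled `return (-1);` while the two other returns added by this same commit are spelled `return(-1);`; the file-local form should be used consistently. More importantly, a failed xmlBufGrow is reported with a bare -1, the same code this function appears to use for conversion failures, so a caller cannot tell an out-of-memory condition from a bad byte sequence and may emit a misleading encoder diagnostic; unless xmlBufGrow already records the memory error on `out` (not visible here), raise it at this site before returning, or at least document the overload with `/* xmlBufGrow failed (OOM): reported to the caller as a generic -1 */`. The enclosing function starts and ends outside this hunk.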
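Review bot: The recovery path in xmlParserInputGrow rewires `in->base`, `in->cur` and `in->end` to a static empty string without saying why, and a future reader is likely to "simplify" it back to NULL, which is exactly the deref this commit fixes; a comment such as `/* OOM: keep the input pointers valid and readable (*cur == 0) so callers that ignore -1 see end-of-input instead of dereferencing NULL */` belongs on the `if`. Note that this function has no parser context, so nothing on this path records a memory error; if any caller of xmlParserInputGrow drops the return value, the parser will presumably report a premature end of document rather than an allocation failure, so the callers are where the XML_ERR_NO_MEMORY should be raised. The function continues past the end of the hunk.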
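Review bot: When xmlBufAddLen fails, the `res` bytes just obtained from the read callback have already been consumed from the stream but are never accounted for, and the function returns -1 without marking the buffer as failed, so a caller that retries the grow would continue from an already-advanced stream with those bytes lost. If this buffer has the `error` field that other failure paths in this file set, making the failure sticky before the new `return(-1);` (e.g. `in->error = XML_ERR_NO_MEMORY;`) would close that gap and distinguish it from a read error; at minimum the new check deserves `/* res bytes were read but could not be appended (OOM): treat as fatal */`. The diffstat attributes this 3-line change to xmlIO.c although its `diff --git` header is missing from this page, and the enclosing function starts and ends outside the hunk.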