authorNick Wellnhofer <wellnhofer@aevum.de>2023-01-22 14:52:06 +0100
committerNick Wellnhofer <wellnhofer@aevum.de>2023-01-24 11:32:15 +0100
commit2355eac59e91e1465696150cf0efc9029ba4f9b2 (patch)
tree186ede1a8c4ccdcdcb2ec0193113f35de59f4593
parent0c5f40b788410753eb73e3040be4f50b608923e1 (diff)
downloadlibxml2-2355eac59e91e1465696150cf0efc9029ba4f9b2.tar.gz
malloc-fail: Fix null deref if growing input buffer fails
Also add some error checks. Found with libFuzzer, see #344.
-rw-r--r--encoding.c3
-rw-r--r--parserInternals.c6
-rw-r--r--xmlIO.c3
3 files changed, 10 insertions, 2 deletions
diff --git a/encoding.c b/encoding.c
index 634349a0..3f8dab4b 100644
--- a/encoding.c
+++ b/encoding.c
@@ -2332,7 +2332,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush)
toconv = 64 * 1024;
written = xmlBufAvail(out);
if (toconv * 2 >= written) {
- xmlBufGrow(out, toconv * 2);
+ if (xmlBufGrow(out, toconv * 2) < 0)
+ return (-1);
written = xmlBufAvail(out);
}
if ((written > 128 * 1024) && (flush == 0))
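Review bot: The `return (-1)` added after a failed `xmlBufGrow` gives callers no way to tell an out-of-memory condition from the other negative results this function already returns; if a caller folds every negative value into an encoding error, as the I/O layer in this code base has done, a memory failure would surface to the user as a transcoding failure. Consider recording the memory error at this site before returning, through whatever memory-error reporting path the file already uses, or returning a code callers can distinguish. A short comment on the new check, such as `/* out of memory: caller must stop consuming input */`, would also make the intent clear to the next reader. xmlCharEncInput starts before and continues past this hunk.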
diff --git a/parserInternals.c b/parserInternals.c
index 70664c36..f55700e5 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -315,6 +315,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) {
ret = xmlParserInputBufferGrow(in->buf, len);
in->base = xmlBufContent(in->buf->buffer);
+ if (in->base == NULL) {
+ in->base = BAD_CAST "";
+ in->cur = in->base;
+ in->end = in->base;
+ return(-1);
+ }
in->cur = in->base + indx;
in->end = xmlBufEnd(in->buf->buffer);
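Review bot: The new NULL branch repoints `in->base`, `in->cur` and `in->end` at a static empty string with no explanation, so a reader has to reconstruct why the parser's position is discarded rather than left alone; I would add `/* Buffer growth failed: park the input on an empty string so cur/end stay valid and the parser sees end of input instead of dereferencing NULL. */` above the `if`. On this path the `ret` value from `xmlParserInputBufferGrow` is dropped, so the caller receives -1 whether the grow itself failed or `xmlBufContent` returned NULL for some other reason; if those cases are meant to be reported differently, the distinction is lost here. Callers that ignore the return value will observe an abrupt end of input rather than a memory error, which is worth stating in the function's documentation (outside this hunk). xmlParserInputGrow begins before and continues past this hunk.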
diff --git a/xmlIO.c b/xmlIO.c
index 05800185..d26ddc41 100644
--- a/xmlIO.c
+++ b/xmlIO.c
@@ -3218,7 +3218,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
if (res < 0)
return(-1);
- xmlBufAddLen(buf, res);
+ if (xmlBufAddLen(buf, res) < 0)
+ return(-1);
}
/*