diff options
author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-16 14:53:29 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-17 17:18:34 +0100 |
commit | 04c2955197b53eb106037bc1d422bb80b39abbf6 (patch) | |
tree | 6355381c16a2c1c7ef6e71b9dced1bbe6cf81dec /HTMLparser.c | |
parent | f3e62035d8b80a6dba92639f2470f02258822a0a (diff) | |
download | libxml2-04c2955197b53eb106037bc1d422bb80b39abbf6.tar.gz |
malloc-fail: Fix infinite loop in htmlParseContentInternal
Found with libFuzzer, see #344.
Diffstat (limited to 'HTMLparser.c')
-rw-r--r-- | HTMLparser.c | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/HTMLparser.c b/HTMLparser.c index 43f34a86..a9fc70a0 100644 --- a/HTMLparser.c +++ b/HTMLparser.c @@ -4733,8 +4733,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { int depth; const xmlChar *name; - currentNode = xmlStrdup(ctxt->name); depth = ctxt->nameNr; + if (depth <= 0) { + currentNode = NULL; + } else { + currentNode = xmlStrdup(ctxt->name); + if (currentNode == NULL) { + htmlErrMemory(ctxt, NULL); + return; + } + } while (1) { GROW; @@ -4750,8 +4758,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { if (currentNode != NULL) xmlFree(currentNode); - currentNode = xmlStrdup(ctxt->name); depth = ctxt->nameNr; + if (depth <= 0) { + currentNode = NULL; + } else { + currentNode = xmlStrdup(ctxt->name); + if (currentNode == NULL) { + htmlErrMemory(ctxt, NULL); + break; + } + } } continue; /* while */ } @@ -4773,6 +4789,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { xmlFree(currentNode); currentNode = xmlStrdup(ctxt->name); + if (currentNode == NULL) { + htmlErrMemory(ctxt, NULL); + break; + } depth = ctxt->nameNr; continue; } @@ -4796,6 +4816,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { if (currentNode != NULL) xmlFree(currentNode); currentNode = xmlStrdup(ctxt->name); + if (currentNode == NULL) { + htmlErrMemory(ctxt, NULL); + break; + } depth = ctxt->nameNr; continue; } @@ -4847,6 +4871,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { if (currentNode != NULL) xmlFree(currentNode); currentNode = xmlStrdup(ctxt->name); + if (currentNode == NULL) { + htmlErrMemory(ctxt, NULL); + break; + } depth = ctxt->nameNr; } else if (CUR == '<') { |