malloc-fail: Fix infinite loop in htmlParseContentInternal

Found with libFuzzer, see #344.
author: Nick Wellnhofer <wellnhofer@aevum.de> 2023-02-16 14:53:29 +0100
committer: Nick Wellnhofer <wellnhofer@aevum.de> 2023-02-17 17:18:34 +0100
commit: 04c2955197b53eb106037bc1d422bb80b39abbf6 (patch)
tree: 6355381c16a2c1c7ef6e71b9dced1bbe6cf81dec /HTMLparser.c
parent: f3e62035d8b80a6dba92639f2470f02258822a0a (diff)
download: libxml2-04c2955197b53eb106037bc1d422bb80b39abbf6.tar.gz
1 files changed, 30 insertions, 2 deletions
diff --git a/HTMLparser.c b/HTMLparser.c
index 43f34a86..a9fc70a0 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -4733,8 +4733,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
     int depth;
     const xmlChar *name;
 
-    currentNode = xmlStrdup(ctxt->name);
     depth = ctxt->nameNr;
+    if (depth <= 0) {
+        currentNode = NULL;
+    } else {
+        currentNode = xmlStrdup(ctxt->name);
+        if (currentNode == NULL) {
+            htmlErrMemory(ctxt, NULL);
+            return;
+        }
+    }
     while (1) {
         GROW;
 
@@ -4750,8 +4758,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 		if (currentNode != NULL)
 		    xmlFree(currentNode);
 
-	        currentNode = xmlStrdup(ctxt->name);
 	        depth = ctxt->nameNr;
+                if (depth <= 0) {
+                    currentNode = NULL;
+                } else {
+                    currentNode = xmlStrdup(ctxt->name);
+                    if (currentNode == NULL) {
+                        htmlErrMemory(ctxt, NULL);
+                        break;
+                    }
+                }
 	    }
 	    continue; /* while */
         }
@@ -4773,6 +4789,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 	            xmlFree(currentNode);
 
 	        currentNode = xmlStrdup(ctxt->name);
+                if (currentNode == NULL) {
+                    htmlErrMemory(ctxt, NULL);
+                    break;
+                }
 	        depth = ctxt->nameNr;
 	        continue;
 	    }
@@ -4796,6 +4816,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
 	    if (currentNode != NULL) xmlFree(currentNode);
 
 	    currentNode = xmlStrdup(ctxt->name);
+            if (currentNode == NULL) {
+                htmlErrMemory(ctxt, NULL);
+                break;
+            }
 	    depth = ctxt->nameNr;
 	    continue;
 	}
@@ -4847,6 +4871,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
             if (currentNode != NULL) xmlFree(currentNode);
 
             currentNode = xmlStrdup(ctxt->name);
+            if (currentNode == NULL) {
+                htmlErrMemory(ctxt, NULL);
+                break;
+            }
             depth = ctxt->nameNr;
         }
         else if (CUR == '<') {
author	Nick Wellnhofer <wellnhofer@aevum.de>	2023-02-16 14:53:29 +0100
committer	Nick Wellnhofer <wellnhofer@aevum.de>	2023-02-17 17:18:34 +0100
commit	04c2955197b53eb106037bc1d422bb80b39abbf6 (patch)
tree	6355381c16a2c1c7ef6e71b9dced1bbe6cf81dec /HTMLparser.c
parent	f3e62035d8b80a6dba92639f2470f02258822a0a (diff)
download	libxml2-04c2955197b53eb106037bc1d422bb80b39abbf6.tar.gz