diff options
author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-15 13:48:18 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-17 17:16:51 +0100 |
commit | f5e1174933c65556b5d1c0b3a8f13a27f37a1638 (patch) | |
tree | fd73922fd6faa46d199b99b2643de9a6aa135c82 /xpath.c | |
parent | 3b59fdf001f030e1b2180d3303347119e05d8dcb (diff) | |
download | libxml2-f5e1174933c65556b5d1c0b3a8f13a27f37a1638.tar.gz |
malloc-fail: Fix memory leak after calling xmlXPathWrapNodeSet
Destroy the node set in xmlXPathWrapNodeSet if the function fails.
This is somewhat dangerous but matches the expectations of users.
Found with libFuzzer, see #344.
Diffstat (limited to 'xpath.c')
-rw-r--r-- | xpath.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -2338,6 +2338,8 @@ xmlXPathContextSetCache(xmlXPathContextPtr ctxt, * Wrap the Nodeset @val in a new xmlXPathObjectPtr * * Returns the created or reused object. + * + * In case of error the node set is destroyed and NULL is returned. */ static xmlXPathObjectPtr xmlXPathCacheWrapNodeSet(xmlXPathContextPtr ctxt, xmlNodeSetPtr val) @@ -4423,6 +4425,8 @@ xmlXPathNewNodeSetList(xmlNodeSetPtr val) * Wrap the Nodeset @val in a new xmlXPathObjectPtr * * Returns the newly created object. + * + * In case of error the node set is destroyed and NULL is returned. */ xmlXPathObjectPtr xmlXPathWrapNodeSet(xmlNodeSetPtr val) { @@ -4431,6 +4435,7 @@ xmlXPathWrapNodeSet(xmlNodeSetPtr val) { ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); if (ret == NULL) { xmlXPathErrMemory(NULL, "creating node set object\n"); + xmlXPathFreeNodeSet(val); return(NULL); } memset(ret, 0 , sizeof(xmlXPathObject)); |