malloc-fail: Fix memory leak after calling xmlXPathWrapNodeSet

Destroy the node set in xmlXPathWrapNodeSet if the function fails.
This is somewhat dangerous but matches the expectations of users.

Found with libFuzzer, see #344.

1 files changed, 5 insertions, 0 deletions

diff --git a/xpath.c b/xpath.c
index 8ec445e6..33cf8576 100644
--- a/xpath.c
+++ b/xpath.c
@@ -2338,6 +2338,8 @@ xmlXPathContextSetCache(xmlXPathContextPtr ctxt,
  * Wrap the Nodeset @val in a new xmlXPathObjectPtr
  *
  * Returns the created or reused object.
+ *
+ * In case of error the node set is destroyed and NULL is returned.
  */
 static xmlXPathObjectPtr
 xmlXPathCacheWrapNodeSet(xmlXPathContextPtr ctxt, xmlNodeSetPtr val)
@@ -4423,6 +4425,8 @@ xmlXPathNewNodeSetList(xmlNodeSetPtr val)
  * Wrap the Nodeset @val in a new xmlXPathObjectPtr
  *
  * Returns the newly created object.
+ *
+ * In case of error the node set is destroyed and NULL is returned.
  */
 xmlXPathObjectPtr
 xmlXPathWrapNodeSet(xmlNodeSetPtr val) {
@@ -4431,6 +4435,7 @@ xmlXPathWrapNodeSet(xmlNodeSetPtr val) {
     ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
     if (ret == NULL) {
         xmlXPathErrMemory(NULL, "creating node set object\n");
+        xmlXPathFreeNodeSet(val);
 	return(NULL);
     }
     memset(ret, 0 , sizeof(xmlXPathObject));