From 04c2955197b53eb106037bc1d422bb80b39abbf6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Thu, 16 Feb 2023 14:53:29 +0100
Subject: malloc-fail: Fix infinite loop in htmlParseContentInternal

Found with libFuzzer, see #344.
---
 HTMLparser.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

(limited to 'HTMLparser.c')

diff --git a/HTMLparser.c b/HTMLparser.c
index 43f34a86..a9fc70a0 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -4733,8 +4733,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
     int depth;
     const xmlChar *name;
-    currentNode = xmlStrdup(ctxt->name);
     depth = ctxt->nameNr;
+    if (depth <= 0) {
+        currentNode = NULL;
+    } else {
+        currentNode = xmlStrdup(ctxt->name);
+        if (currentNode == NULL) {
+            htmlErrMemory(ctxt, NULL);
+            return;
+        }
+    }
     while (1) {
         GROW;
@@ -4750,8 +4758,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
                 if (currentNode != NULL) xmlFree(currentNode);
-                currentNode = xmlStrdup(ctxt->name);
                 depth = ctxt->nameNr;
+                if (depth <= 0) {
+                    currentNode = NULL;
+                } else {
+                    currentNode = xmlStrdup(ctxt->name);
+                    if (currentNode == NULL) {
+                        htmlErrMemory(ctxt, NULL);
+                        break;
+                    }
+                }
             }
             continue; /* while */
         }
@@ -4773,6 +4789,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
                 xmlFree(currentNode);
             currentNode = xmlStrdup(ctxt->name);
+            if (currentNode == NULL) {
+                htmlErrMemory(ctxt, NULL);
+                break;
+            }
             depth = ctxt->nameNr;
             continue;
         }
@@ -4796,6 +4816,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
             if (currentNode != NULL) xmlFree(currentNode);
             currentNode = xmlStrdup(ctxt->name);
+            if (currentNode == NULL) {
+                htmlErrMemory(ctxt, NULL);
+                break;
+            }
             depth = ctxt->nameNr;
             continue;
         }
@@ -4847,6 +4871,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
             if (currentNode != NULL) xmlFree(currentNode);
             currentNode = xmlStrdup(ctxt->name);
+            if (currentNode == NULL) {
+                htmlErrMemory(ctxt, NULL);
+                break;
+            }
             depth = ctxt->nameNr;
         } else if (CUR == '<') {
--
cgit v1.2.1
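Review bot: The new `if (depth <= 0)` branch in the first hunk (-4733) carries the whole reasoning of this fix and deserves a comment, because a reader will otherwise wonder why an empty name stack is special-cased instead of testing the `xmlStrdup` result directly. Presumably `ctxt->name` is NULL when `ctxt->nameNr` is 0, so `xmlStrdup` returning NULL there is the normal case and must not be reported as an allocation failure; mistaking the two is what allowed the loop to spin before. Suggest `/* empty name stack: ctxt->name is NULL, so a NULL copy is not an OOM condition */` above the `if`, and the same line above the identical block in the second hunk (-4750). The `return` on allocation failure is safe here since nothing has been allocated yet; htmlParseContentInternal's body continues past the hunk.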
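Review bot: `currentNode = xmlStrdup(ctxt->name)` in the third hunk (-4773), and the identical sites in the -4796 and -4847 hunks, get the OOM check but not the `depth <= 0` guard that the first two hunks add, so the five update sites no longer agree on what a NULL result means. If the name stack can be empty on any of these paths — `ctxt->nameNr` 0 and `ctxt->name` presumably NULL — `xmlStrdup` legitimately returns NULL, which this code now reports as a memory error and turns into a `break` that silently stops content parsing; whether that state is reachable depends on `htmlParserFinishElementParsing` and the surrounding branches, which lie outside the hunk. Moving the free/refresh/check sequence into one static helper would make all five sites behave the same and remove the triplicated guard; the prologue site would `return` instead of `break` on a negative result.
```c
/* Refresh currentNode/depth from the parser's name stack.  An empty
 * stack is not an error: ctxt->name is NULL then and currentNode
 * becomes NULL.  Returns 0 on success, -1 after reporting OOM. */
static int
htmlRefreshCurrentNode(htmlParserCtxtPtr ctxt, xmlChar **currentNode, int *depth) {
    if (*currentNode != NULL)
        xmlFree(*currentNode);
    *depth = ctxt->nameNr;
    if (*depth <= 0) {
        *currentNode = NULL;
        return 0;
    }
    *currentNode = xmlStrdup(ctxt->name);
    if (*currentNode == NULL) {
        htmlErrMemory(ctxt, NULL);
        return -1;
    }
    return 0;
}

/* … unchanged: htmlParseContentInternal up to the invalid-element-name branch … */
            if (htmlRefreshCurrentNode(ctxt, &currentNode, &depth) < 0)
                break;
            continue;
```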