malloc-fail: Fix memory leak in xsltGetInheritedNsList

Found with libFuzzer, see #84.
author: Nick Wellnhofer <wellnhofer@aevum.de> 2023-02-26 16:53:47 +0100
committer: Nick Wellnhofer <wellnhofer@aevum.de> 2023-02-26 16:55:37 +0100
commit: 80a37629f2117cd39065d6e6005a4dc14c1258fb (patch)
tree: ab1a0ecf0b2f15e25d23fd89e8006b167b68ca38
parent: 7a7c50352e8cdb40201074895f0124d7a06d4ab3 (diff)
download: libxslt-80a37629f2117cd39065d6e6005a4dc14c1258fb.tar.gz
1 files changed, 8 insertions, 19 deletions
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 8c7f27b1..12489640 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -1111,9 +1111,9 @@ xsltGetInheritedNsList(xsltStylesheetPtr style,
 	               xmlNodePtr node)
 {
     xmlNsPtr cur;
-    xmlNsPtr *ret = NULL;
+    xmlNsPtr *ret = NULL, *tmp;
     int nbns = 0;
-    int maxns = 10;
+    int maxns = 0;
     int i;
 
     if ((style == NULL) || (template == NULL) || (node == NULL) ||
@@ -1138,17 +1138,6 @@ xsltGetInheritedNsList(xsltStylesheetPtr style,
 		    if (xmlStrEqual(cur->href, style->exclPrefixTab[i]))
 			goto skip_ns;
 		}
-                if (ret == NULL) {
-                    ret =
-                        (xmlNsPtr *) xmlMalloc((maxns + 1) *
-                                               sizeof(xmlNsPtr));
-                    if (ret == NULL) {
-                        xmlGenericError(xmlGenericErrorContext,
-                                        "xsltGetInheritedNsList : out of memory!\n");
-                        return(0);
-                    }
-                    ret[nbns] = NULL;
-                }
 		/*
 		* Skip shadowed namespace bindings.
 		*/
@@ -1159,16 +1148,16 @@ xsltGetInheritedNsList(xsltStylesheetPtr style,
                 }
                 if (i >= nbns) {
                     if (nbns >= maxns) {
-                        maxns *= 2;
-                        ret = (xmlNsPtr *) xmlRealloc(ret,
-                                                      (maxns +
-                                                       1) *
-                                                      sizeof(xmlNsPtr));
-                        if (ret == NULL) {
+                        maxns = (maxns == 0) ? 10 : 2 * maxns;
+                        tmp = (xmlNsPtr *) xmlRealloc(ret,
+                                (maxns + 1) * sizeof(xmlNsPtr));
+                        if (tmp == NULL) {
                             xmlGenericError(xmlGenericErrorContext,
                                             "xsltGetInheritedNsList : realloc failed!\n");
+                            xmlFree(ret);
                             return(0);
                         }
+                        ret = tmp;
                     }
                     ret[nbns++] = cur;
                     ret[nbns] = NULL;
author	Nick Wellnhofer <wellnhofer@aevum.de>	2023-02-26 16:53:47 +0100
committer	Nick Wellnhofer <wellnhofer@aevum.de>	2023-02-26 16:55:37 +0100
commit	80a37629f2117cd39065d6e6005a4dc14c1258fb (patch)
tree	ab1a0ecf0b2f15e25d23fd89e8006b167b68ca38
parent	7a7c50352e8cdb40201074895f0124d7a06d4ab3 (diff)
download	libxslt-80a37629f2117cd39065d6e6005a4dc14c1258fb.tar.gz