diff options
| author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:53:08 +0100 |
|---|---|---|
| committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:55:37 +0100 |
| commit | 5917d2dc2fc180aa77738790d616b5d75e93f54a (patch) | |
| tree | 09f1611c0cfd992a97d83d9265bc0361f1c1fbe9 /libxslt | |
| parent | 55296fd260e50b93eee1c6472fc8b8c495c47b4e (diff) | |
| download | libxslt-5917d2dc2fc180aa77738790d616b5d75e93f54a.tar.gz | |
malloc-fail: Fix null deref in xsltDocumentFunction
Found with libFuzzer, see #84.
Diffstat (limited to 'libxslt')
| -rw-r--r-- | libxslt/functions.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/libxslt/functions.c b/libxslt/functions.c index 7ab139eb..2452722e 100644 --- a/libxslt/functions.c +++ b/libxslt/functions.c @@ -249,7 +249,7 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs) obj = valuePop(ctxt); ret = xmlXPathNewNodeSet(NULL); - if ((obj != NULL) && obj->nodesetval) { + if ((obj != NULL) && (obj->nodesetval != NULL) && (ret != NULL)) { for (i = 0; i < obj->nodesetval->nodeNr; i++) { valuePush(ctxt, xmlXPathNewNodeSet(obj->nodesetval->nodeTab[i])); @@ -263,9 +263,11 @@ xsltDocumentFunction(xmlXPathParserContextPtr ctxt, int nargs) } xsltDocumentFunction(ctxt, 2); newobj = valuePop(ctxt); - ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval, - newobj->nodesetval); - xmlXPathFreeObject(newobj); + if (newobj != NULL) { + ret->nodesetval = xmlXPathNodeSetMerge(ret->nodesetval, + newobj->nodesetval); + xmlXPathFreeObject(newobj); + } } } |