authorNick Wellnhofer <wellnhofer@aevum.de>2023-01-22 13:27:41 +0100
committerNick Wellnhofer <wellnhofer@aevum.de>2023-01-24 11:32:15 +0100
commit0c5f40b788410753eb73e3040be4f50b608923e1 (patch)
treef422bf5023a751e8b488754a9892762231ba6fdf
parent1aabc9db40dc5ec1f8f22c09e74c63dda53f7ed6 (diff)
downloadlibxml2-0c5f40b788410753eb73e3040be4f50b608923e1.tar.gz
malloc-fail: Fix null deref in xmlSAX2AttributeInternal
Found with libFuzzer, see #344.
-rw-r--r--SAX2.c36
1 files changed, 18 insertions, 18 deletions
diff --git a/SAX2.c b/SAX2.c
index b253ea70..2de99ff0 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -1335,25 +1335,25 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
/* !!!!!! <a toto:arg="" xmlns:toto="http://toto.com"> */
ret = xmlNewNsPropEatName(ctxt->node, namespace, name, NULL);
+ if (ret == NULL)
+ goto error;
- if (ret != NULL) {
- if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
- xmlNodePtr tmp;
-
- ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
- tmp = ret->children;
- while (tmp != NULL) {
- tmp->parent = (xmlNodePtr) ret;
- if (tmp->next == NULL)
- ret->last = tmp;
- tmp = tmp->next;
- }
- } else if (value != NULL) {
- ret->children = xmlNewDocText(ctxt->myDoc, value);
- ret->last = ret->children;
- if (ret->children != NULL)
- ret->children->parent = (xmlNodePtr) ret;
- }
+ if ((ctxt->replaceEntities == 0) && (!ctxt->html)) {
+ xmlNodePtr tmp;
+
+ ret->children = xmlStringGetNodeList(ctxt->myDoc, value);
+ tmp = ret->children;
+ while (tmp != NULL) {
+ tmp->parent = (xmlNodePtr) ret;
+ if (tmp->next == NULL)
+ ret->last = tmp;
+ tmp = tmp->next;
+ }
+ } else if (value != NULL) {
+ ret->children = xmlNewDocText(ctxt->myDoc, value);
+ ret->last = ret->children;
+ if (ret->children != NULL)
+ ret->children->parent = (xmlNodePtr) ret;
}
#ifdef LIBXML_VALID_ENABLED
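Review bot: The two child-building branches that follow the new `goto error` still treat an allocation failure as success. In the `else if (value != NULL)` branch, a NULL return from `xmlNewDocText` leaves `ret->children` and `ret->last` NULL, so the attribute is kept with no value and nothing is reported; a NULL from `xmlStringGetNodeList` is likewise not distinguished from an empty value. Since the commit is about malloc-failure handling, consider reporting that case, for example `if (ret->children == NULL) xmlSAX2ErrMemory(ctxt, "xmlSAX2AttributeInternal");`, so that callers relying on attribute content do not see a silently truncated document. The `error` label and the validation code after `#ifdef LIBXML_VALID_ENABLED` lie outside this hunk, so what the cleanup path releases when `ret` is NULL cannot be confirmed from here.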