malloc-fail: Fix null deref after xmlXIncludeNewRef

See #344.
author: Nick Wellnhofer <wellnhofer@aevum.de> 2023-05-08 17:03:00 +0200
committer: Nick Wellnhofer <wellnhofer@aevum.de> 2023-05-11 13:27:52 +0200
commit: c40cbf07a30c264846ad1135a3670535942441f6 (patch)
tree: e6e6529c14d23bec05b25f291ce0d1683ffc4e2e
parent: 105ce73da0b8d5ce317c1cb96e6ea0c6cd52c230 (diff)
download: libxml2-c40cbf07a30c264846ad1135a3670535942441f6.tar.gz
1 files changed, 2 insertions, 12 deletions
diff --git a/xinclude.c b/xinclude.c
index 09c1eef4..949c768a 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -264,19 +264,9 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI,
     ret->elem = elem;
     ret->xml = 0;
     ret->inc = NULL;
-    if (ctxt->incMax == 0) {
-	ctxt->incMax = 4;
-        ctxt->incTab = (xmlXIncludeRefPtr *) xmlMalloc(ctxt->incMax *
-					      sizeof(ctxt->incTab[0]));
-        if (ctxt->incTab == NULL) {
-	    xmlXIncludeErrMemory(ctxt, elem, "growing XInclude context");
-	    xmlXIncludeFreeRef(ret);
-	    return(NULL);
-	}
-    }
     if (ctxt->incNr >= ctxt->incMax) {
         xmlXIncludeRefPtr *tmp;
-        size_t newSize = ctxt->incMax * 2;
+        size_t newSize = ctxt->incMax ? ctxt->incMax * 2 : 4;
 
         tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
 	             newSize * sizeof(ctxt->incTab[0]));
@@ -286,7 +276,7 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI,
 	    return(NULL);
 	}
         ctxt->incTab = tmp;
-        ctxt->incMax *= 2;
+        ctxt->incMax = newSize;
     }
     ctxt->incTab[ctxt->incNr++] = ret;
     return(ret);
author	Nick Wellnhofer <wellnhofer@aevum.de>	2023-05-08 17:03:00 +0200
committer	Nick Wellnhofer <wellnhofer@aevum.de>	2023-05-11 13:27:52 +0200
commit	c40cbf07a30c264846ad1135a3670535942441f6 (patch)
tree	e6e6529c14d23bec05b25f291ce0d1683ffc4e2e
parent	105ce73da0b8d5ce317c1cb96e6ea0c6cd52c230 (diff)
download	libxml2-c40cbf07a30c264846ad1135a3670535942441f6.tar.gz