author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-03-17 12:39:35 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-03-17 12:39:35 +0100 |
commit | c81d0d04bfbdbccea0c5199bced95a6af961885a (patch) | |
tree | c0ef5096ac7122146572b3000a865b5f831d028b | |
parent | 8090e5856465c0b8e26e2a080f4b498f37fa83ab (diff) | |
download | libxml2-c81d0d04bfbdbccea0c5199bced95a6af961885a.tar.gz |
malloc-fail: Add more error checks when parsing names
xmlParseName and similar functions must return NULL if an error occurs.
Found by OSS-Fuzz, see #344.
-rw-r--r-- | parser.c | 8 |
1 files changed, 8 insertions, 0 deletions
@@ -3350,6 +3350,8 @@ xmlParseName(xmlParserCtxtPtr ctxt) { XML_MAX_NAME_LENGTH; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); #ifdef DEBUG nbParseName++; @@ -3405,6 +3407,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { * Handler for more complex cases */ GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); startPosition = CUR_PTR - BASE_PTR; c = CUR_CHAR(l); if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ @@ -3682,6 +3686,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { if (count++ > XML_PARSER_CHUNK_SIZE) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); } COPY_BUF(l,buf,len,c); NEXTL(l); @@ -8861,6 +8867,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) { const xmlChar *l, *p; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); l = xmlParseNCName(ctxt); if (l == NULL) { |
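Review bot: The check added after `GROW;` in xmlParseName has no comment, and the same bare two lines are repeated in xmlParseNCNameComplex, xmlParseNmtoken and xmlParseQName, so nothing on the page tells a reader that `GROW` can apparently leave `ctxt->instate` at `XML_PARSER_EOF`. Going by the commit message, the case handled is an allocation failure while growing the input, so I would put `/* GROW can fail (e.g. out of memory) and stop the parser; do not read input after that */` above the first check. The comment should also say that the test must stay directly after `GROW`, ahead of any read through the current input pointer, since that ordering is what makes the early return effective. xmlParseName's body starts and ends outside the hunk.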
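Review bot: In xmlParseNmtoken the new `return(NULL);` sits inside the copy loop that fills `buf`, and the hunk does not show whether `buf` is a local array or an allocation at that point. If it is a fixed stack array the early return is fine, and a short comment such as `/* buf is on the stack, nothing to free */` would record that for the next reader. If a later part of the function switches to a heap buffer, any `GROW` check there has to free it before returning. The loop and the function continue outside the hunk, so this needs confirming against the full body.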
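Review bot: The early return added at the top of xmlParseQName leaves the out-parameter `*prefix` unwritten. Whether any caller reads `*prefix` after a NULL result is not visible here, so either set it with `*prefix = NULL;` before `return(NULL);` (bracing the two statements) or state in the function comment that `*prefix` is undefined when NULL is returned. The remainder of the function, including its other NULL returns, is outside the hunk.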