authorNick Wellnhofer <wellnhofer@aevum.de>2023-03-17 12:39:35 +0100
committerNick Wellnhofer <wellnhofer@aevum.de>2023-03-17 12:39:35 +0100
commitc81d0d04bfbdbccea0c5199bced95a6af961885a (patch)
treec0ef5096ac7122146572b3000a865b5f831d028b
parent8090e5856465c0b8e26e2a080f4b498f37fa83ab (diff)
downloadlibxml2-c81d0d04bfbdbccea0c5199bced95a6af961885a.tar.gz
malloc-fail: Add more error checks when parsing names
xmlParseName and similar functions must return NULL if an error occurs. Found by OSS-Fuzz, see #344.
-rw-r--r--parser.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/parser.c b/parser.c
index 4006246e..98fb87cc 100644
--- a/parser.c
+++ b/parser.c
@@ -3350,6 +3350,8 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
XML_MAX_NAME_LENGTH;
GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
#ifdef DEBUG
nbParseName++;
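Review bot: The new `ctxt->instate == XML_PARSER_EOF` test after `GROW` carries no comment explaining why a buffer-refill macro can end parsing, and the same bare pair is repeated in the xmlParseNCNameComplex, xmlParseNmtoken and xmlParseQName hunks. Going by the commit title, GROW can presumably fail on allocation and stop the parser, so I would put one line above each check, e.g. `/* GROW may halt the parser (e.g. on malloc failure); return NULL before reading more input */`. Only the first GROW of xmlParseName is visible here and the function continues outside the hunk, so any later GROW calls in it should be confirmed to carry the same check.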
@@ -3405,6 +3407,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
* Handler for more complex cases
*/
GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
startPosition = CUR_PTR - BASE_PTR;
c = CUR_CHAR(l);
if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
@@ -3682,6 +3686,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
if (count++ > XML_PARSER_CHUNK_SIZE) {
count = 0;
GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
}
COPY_BUF(l,buf,len,c);
NEXTL(l);
@@ -8861,6 +8867,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) {
const xmlChar *l, *p;
GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
l = xmlParseNCName(ctxt);
if (l == NULL) {
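Review bot: The early `return(NULL)` added after `GROW` leaves `*prefix` unwritten, so a caller that reads its prefix variable without first testing the return value would see an indeterminate pointer. The callers are not visible in this hunk, so this may already be safe in practice. Writing the guard as `if (ctxt->instate == XML_PARSER_EOF) { *prefix = NULL; return(NULL); }`, or stating in the function comment that `*prefix` is undefined when NULL is returned, would make the contract explicit. The function body continues past the hunk, and the existing `l == NULL` path may have the same property.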