authorNick Wellnhofer <wellnhofer@aevum.de>2018-09-12 13:42:27 +0200
committerNick Wellnhofer <wellnhofer@aevum.de>2018-09-12 13:52:47 +0200
commit8c9daf790abfc06e8ca3a44652542c577bb67d49 (patch)
tree1215a48b17399db9ab5b93184a1784071199d952 /SAX2.c
parent123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 (diff)
Check return value of nodePush in xmlSAX2StartElement
If the maximum depth is exceeded, nodePush halts the parser, which since the previous commit also frees the input buffer. This invalidates the attribute pointers, so the error condition must be checked. Found by OSS-Fuzz.
Diffstat (limited to 'SAX2.c')
-rw-r--r--SAX2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/SAX2.c b/SAX2.c
index 0f261b7b..49ce566c 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -1665,7 +1665,10 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts)
#ifdef DEBUG_SAX_TREE
xmlGenericError(xmlGenericErrorContext, "pushing(%s)\n", name);
#endif
- nodePush(ctxt, ret);
+ if (nodePush(ctxt, ret) < 0) {
+ xmlFreeNode(ret);
+ return;
+ }
/*
* Link the child element
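Review bot: The new error path frees `ret` without unlinking it first, which leaves a dangling pointer if the node is already attached to the tree at this point; as far as I can tell, earlier in this function (above the hunk, please confirm) the element is attached to `ctxt->myDoc` as the document root when the document has no children yet, so `xmlFreeNode(ret)` would leave `ctxt->myDoc->children` pointing at freed memory and a later walk or free of the document would be a use-after-free. Unlinking is harmless when the node is not attached, so the safe form is `xmlUnlinkNode(ret);` immediately before `xmlFreeNode(ret);`. The same applies to the identical hunk in xmlSAX2StartElementNs. Both enclosing functions start and end outside their hunks.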
@@ -2336,7 +2339,10 @@ xmlSAX2StartElementNs(void *ctx,
/*
* We are parsing a new node.
*/
- nodePush(ctxt, ret);
+ if (nodePush(ctxt, ret) < 0) {
+ xmlFreeNode(ret);
+ return;
+ }
/*
* Link the child element