author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 14:41:35 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-27 17:17:50 +0100 |
commit | 44947afba0ded433c6f4ffc10ee646c4b267f2b7 (patch) | |
tree | 5e448440812f7c45e79b1d6d26ea817e743307d0 /xpath.c | |
parent | 70b21c9f2a31b3ecfe8aa624c01da3ebba9e06c8 (diff) | |
malloc-fail: Fix null deref after xmlPointerListAddSize
Found with libFuzzer, see #344.
Diffstat (limited to 'xpath.c')
-rw-r--r-- | xpath.c | 40 |
1 files changed, 19 insertions, 21 deletions
@@ -823,32 +823,30 @@ xmlPointerListAddSize(xmlPointerListPtr list,
 void *item,
 int initialSize)
 {
- if (list->items == NULL) {
- if (initialSize <= 0)
- initialSize = 1;
- list->items = (void **) xmlMalloc(initialSize * sizeof(void *));
- if (list->items == NULL) {
- xmlXPathErrMemory(NULL,
- "xmlPointerListCreate: allocating item\n");
- return(-1);
- }
- list->number = 0;
- list->size = initialSize;
- } else if (list->size <= list->number) {
- if (list->size > 50000000) {
- xmlXPathErrMemory(NULL,
- "xmlPointerListAddSize: re-allocating item\n");
- return(-1);
+ if (list->size <= list->number) {
+ void **tmp;
+ size_t newSize;
+
+ if (list->size == 0) {
+ if (initialSize <= 0)
+ initialSize = 1;
+ newSize = initialSize;
+ } else {
+ if (list->size > 50000000) {
+ xmlXPathErrMemory(NULL,
+ "xmlPointerListAddSize: re-allocating item\n");
+ return(-1);
+ }
+ newSize = list->size * 2;
 }
- list->size *= 2;
- list->items = (void **) xmlRealloc(list->items,
- list->size * sizeof(void *));
- if (list->items == NULL) {
+ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *));
+ if (tmp == NULL) {
 xmlXPathErrMemory(NULL,
 "xmlPointerListAddSize: re-allocating item\n");
- list->size = 0;
 return(-1);
 }
+ list->items = tmp;
+ list->size = newSize;
 }
 list->items[list->number++] = item;
 return(0); |
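Review bot: The rewritten growth branch keys only on `list->size`, and the first-allocation path no longer sets `list->number = 0`. The closing `list->items[list->number++] = item;` is therefore in bounds only if every list arrives here with `items == NULL` exactly when `size == 0`, and with `number <= size`. The code that creates and frees the list is outside this hunk, so this is presumably guaranteed by zero-initialisation there. It deserves a comment at the top of the `if`, for example `/* Invariant: items == NULL iff size == 0, and number <= size. */`. Keeping the old buffer and size when `xmlRealloc` fails does preserve that invariant. The old code broke it by overwriting `list->items` with NULL while leaving `number` unchanged. Separately, `list->size = newSize;` narrows a `size_t` into what appears to be an `int` field; the 50000000 cap keeps it in range, but an explicit `(int) newSize` would make that intent visible and silence `-Wconversion`.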