malloc-fail: Fix memory leak in exclPrefixPush

Found by OSS-Fuzz, see #84.

1 files changed, 8 insertions, 16 deletions

diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 3a45b62d..c17faa61 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -151,31 +151,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
 {
     int i;
 
-    if (style->exclPrefixMax == 0) {
-        style->exclPrefixMax = 4;
-        style->exclPrefixTab =
-            (xmlChar * *)xmlMalloc(style->exclPrefixMax *
-                                   sizeof(style->exclPrefixTab[0]));
-        if (style->exclPrefixTab == NULL) {
-            xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
-            return (-1);
-        }
-    }
     /* do not push duplicates */
     for (i = 0;i < style->exclPrefixNr;i++) {
         if (xmlStrEqual(style->exclPrefixTab[i], value))
 	    return(-1);
     }
     if (style->exclPrefixNr >= style->exclPrefixMax) {
-        style->exclPrefixMax *= 2;
-        style->exclPrefixTab =
-            (xmlChar * *)xmlRealloc(style->exclPrefixTab,
-                                    style->exclPrefixMax *
-                                    sizeof(style->exclPrefixTab[0]));
-        if (style->exclPrefixTab == NULL) {
+        xmlChar **tmp;
+        size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;
+
+        tmp = xmlRealloc(style->exclPrefixTab,
+                         max * sizeof(style->exclPrefixTab[0]));
+        if (tmp == NULL) {
             xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
             return (-1);
         }
+        style->exclPrefixTab = tmp;
+        style->exclPrefixMax = max;
     }
     style->exclPrefixTab[style->exclPrefixNr] = value;
     style->exclPrefix = value;