author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:53:47 +0100 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-26 16:55:37 +0100 |
commit | 80a37629f2117cd39065d6e6005a4dc14c1258fb (patch) | |
tree | ab1a0ecf0b2f15e25d23fd89e8006b167b68ca38 | |
parent | 7a7c50352e8cdb40201074895f0124d7a06d4ab3 (diff) | |
download | libxslt-80a37629f2117cd39065d6e6005a4dc14c1258fb.tar.gz |
malloc-fail: Fix memory leak in xsltGetInheritedNsList
Found with libFuzzer, see #84.
-rw-r--r-- | libxslt/xslt.c | 27 |
1 files changed, 8 insertions, 19 deletions
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 8c7f27b1..12489640 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -1111,9 +1111,9 @@ xsltGetInheritedNsList(xsltStylesheetPtr style,
 xmlNodePtr node)
 {
 xmlNsPtr cur;
- xmlNsPtr *ret = NULL;
+ xmlNsPtr *ret = NULL, *tmp;
 int nbns = 0;
- int maxns = 10;
+ int maxns = 0;
 int i;

 if ((style == NULL) || (template == NULL) || (node == NULL) ||
@@ -1138,17 +1138,6 @@ xsltGetInheritedNsList(xsltStylesheetPtr style,
 if (xmlStrEqual(cur->href, style->exclPrefixTab[i]))
 goto skip_ns;
 }
- if (ret == NULL) {
- ret =
- (xmlNsPtr *) xmlMalloc((maxns + 1) *
- sizeof(xmlNsPtr));
- if (ret == NULL) {
- xmlGenericError(xmlGenericErrorContext,
- "xsltGetInheritedNsList : out of memory!\n");
- return(0);
- }
- ret[nbns] = NULL;
- }
 /*
 * Skip shadowed namespace bindings.
 */
@@ -1159,16 +1148,16 @@ xsltGetInheritedNsList(xsltStylesheetPtr style,
 }
 if (i >= nbns) {
 if (nbns >= maxns) {
- maxns *= 2;
- ret = (xmlNsPtr *) xmlRealloc(ret,
- (maxns +
- 1) *
- sizeof(xmlNsPtr));
- if (ret == NULL) {
+ maxns = (maxns == 0) ? 10 : 2 * maxns;
+ tmp = (xmlNsPtr *) xmlRealloc(ret,
+ (maxns + 1) * sizeof(xmlNsPtr));
+ if (tmp == NULL) {
 xmlGenericError(xmlGenericErrorContext,
 "xsltGetInheritedNsList : realloc failed!\n");
+ xmlFree(ret);
 return(0);
 }
+ ret = tmp;
 }
 ret[nbns++] = cur;
 ret[nbns] = NULL;
|
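Review bot: The `return(0);` on the failed-realloc path in the last hunk is the same value the function would give for a node with no namespaces to inherit, so an allocation failure is reported only through `xmlGenericError` and the caller cannot tell it apart from an empty list. The caller is outside the hunk, but if it carries on, the template would presumably be compiled without its inherited namespace bindings rather than the compile being marked as failed. `style` is already checked for NULL at the top of the function, so the branch could record the failure with `style->errors++;` before `xmlFree(ret);`. Separately, `maxns = (maxns == 0) ? 10 : 2 * maxns;` doubles a signed `int` with no upper bound, and a cap checked before the doubling would keep `(maxns + 1) * sizeof(xmlNsPtr)` well defined. The function body starts and ends outside the hunk.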