author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-17 15:53:07 +0100 |
---|---|---|
committer | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2023-05-09 03:13:14 +0000 |
commit | 254f18430b00f0b9ad78e469c861f58b3c1662a7 (patch) | |
tree | adfdeca58ec3e4352abdad3fa3741fcb28aa9512 | |
parent | 56b3eced67b513bf3186451d88fa8e3d5309294c (diff) | |
download | libxml2-254f18430b00f0b9ad78e469c861f58b3c1662a7.tar.gz |
malloc-fail: Fix OOB read after xmlRegGetCounter
Found with libFuzzer, see #344.
(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033)
I also copied the error label from
e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure.
Bug: http://b/274231102
Test: TreeHugger
Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
-rw-r--r-- | xmlregexp.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/xmlregexp.c b/xmlregexp.c index 984c7ac6..ce09b221 100644 --- a/xmlregexp.c +++ b/xmlregexp.c @@ -1673,6 +1673,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, return(-1); inter = ctxt->state; counter = xmlRegGetCounter(ctxt); + if (counter < 0) + return(-1); ctxt->counters[counter].min = atom->min - 1; ctxt->counters[counter].max = atom->max - 1; /* count the number of times we see it again */ @@ -1691,6 +1693,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, * epsilon transition. */ counter = xmlRegGetCounter(ctxt); + if (counter < 0) + return(-1); ctxt->counters[counter].min = atom->min - 1; ctxt->counters[counter].max = atom->max - 1; /* count the number of times we see it again */ @@ -6015,6 +6019,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = min; am->counters[counter].max = max; @@ -6034,6 +6040,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, if (min == 0) xmlFAGenerateEpsilonTransition(am, from, to); return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } /** @@ -6081,6 +6091,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = min; am->counters[counter].max = max; @@ -6100,6 +6112,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, if (min == 0) xmlFAGenerateEpsilonTransition(am, from, to); return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } /** 
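Review bot: The guard `if (counter < 0) return(-1);` after `counter = xmlRegGetCounter(ctxt);` in xmlFAGenerateTransitions carries no comment saying why a counter index can be negative, and the same bare check is repeated in the second hunk of this function (@@ -1691) and in the four xmlAutomataNew*Trans guards below. Judging from the commit title, xmlRegGetCounter reports an allocation failure with a negative value that was previously used directly as an index into `ctxt->counters[]`; a one-line comment such as `/* xmlRegGetCounter returns a negative value on allocation failure; never use it as an index */` would keep a later refactor from dropping the check. The guarded statements are assignments (`.min = ...`, `.max = ...`), so the unchecked path writes through the bad index as well as reading it. The function body starts and ends outside both hunks, so whether `return(-1)` leaves earlier state consistent cannot be confirmed from here.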
@@ -6167,6 +6183,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = 1; am->counters[counter].max = 1; @@ -6179,6 +6197,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, xmlRegAtomPush(am, atom); am->state = to; return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } @@ -6226,6 +6248,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = 1; am->counters[counter].max = 1; @@ -6238,6 +6262,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, xmlRegAtomPush(am, atom); am->state = to; return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } /** |
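Review bot: The call `xmlRegAtomPush(am, atom);` in the context lines just above the new `error:` label in xmlAutomataNewOnceTrans2 still discards its result, and the same holds in xmlAutomataNewOnceTrans (@@ -6238). If xmlRegAtomPush can fail under the allocation-failure conditions this commit targets, the function would return `to` as success although `atom` was never registered with `am`, which presumably leaks the atom. A check along the lines of `if (xmlRegAtomPush(am, atom) < 0) goto error;` would reuse the new label, but only after confirming that freeing `atom` is safe once the transition created earlier in the function (outside the hunk) may already reference it.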