diff options
| author | Nick Wellnhofer <wellnhofer@aevum.de> | 2023-02-17 15:53:07 +0100 |
|---|---|---|
| committer | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2023-05-08 20:58:07 +0000 |
| commit | 381160fc2a293d50a627c9e35bb34485bf97b6e7 (patch) | |
| tree | f40b5f3d4e3018f154894d53f17a4715e888c9d1 | |
| parent | 8cc8f38db65c01f2489f67f10248cc4c6d05cb26 (diff) | |
| download | libxml2-381160fc2a293d50a627c9e35bb34485bf97b6e7.tar.gz | |
malloc-fail: Fix OOB read after xmlRegGetCounter
Found with libFuzzer, see #344.
(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033)
I also copied the error label from
e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure.
Bug: http://b/274231102
Test: TreeHugger
Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
| -rw-r--r-- | xmlregexp.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/xmlregexp.c b/xmlregexp.c index d255fbf0..6234a879 100644 --- a/xmlregexp.c +++ b/xmlregexp.c @@ -1641,6 +1641,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, return(-1); inter = ctxt->state; counter = xmlRegGetCounter(ctxt); + if (counter < 0) + return(-1); ctxt->counters[counter].min = atom->min - 1; ctxt->counters[counter].max = atom->max - 1; /* count the number of times we see it again */ @@ -1659,6 +1661,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, * epsilon transition. */ counter = xmlRegGetCounter(ctxt); + if (counter < 0) + return(-1); ctxt->counters[counter].min = atom->min - 1; ctxt->counters[counter].max = atom->max - 1; /* count the number of times we see it again */ @@ -5924,6 +5928,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = min; am->counters[counter].max = max; @@ -5943,6 +5949,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, if (min == 0) xmlFAGenerateEpsilonTransition(am, from, to); return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } /** @@ -5990,6 +6000,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = min; am->counters[counter].max = max; @@ -6009,6 +6021,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, if (min == 0) xmlFAGenerateEpsilonTransition(am, from, to); return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } /** @@ -6076,6 +6092,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = 1; am->counters[counter].max = 1; @@ -6088,6 +6106,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, xmlRegAtomPush(am, atom); am->state = to; return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } @@ -6135,6 +6157,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, * associate a counter to the transition. */ counter = xmlRegGetCounter(am); + if (counter < 0) + goto error; am->counters[counter].min = 1; am->counters[counter].max = 1; @@ -6147,6 +6171,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, xmlRegAtomPush(am, atom); am->state = to; return(to); + +error: + xmlRegFreeAtom(atom); + return(NULL); } /** |