[libxml2] Fix memory leaks in SAX1 parser
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix memory leaks in SAX1 parser
- Date: Wed, 6 Sep 2017 00:23:15 +0000 (UTC)
commit 83fb4119a9e8b5f029f6b876ecc497be4e6702e7
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Tue Sep 5 23:45:04 2017 +0200
Fix memory leaks in SAX1 parser
Found by OSS-Fuzz. I could only reproduce this with the (obsolete)
SAX1 parser.
One leak is caused by duplicate namespaced attribute names and can be
reproduced in memory mode (testcase 4556417027538944):
$ cat file
<d xmlns:a="ns" a:x="v" xmlns:b="ns" b:x="v"/>
$ xmllint --sax1 --memory file
The other is caused by ATTLISTs with a normalized default for "xmlns"
if they're processed after the entity recursion limit was hit
(testcase 5580750034305024).
$ cat file
<!DOCTYPE d [
<!ENTITY a '<d>&a;'>
<!ATTLIST d xmlns NMTOKEN 't'>
]>
<d>&a;
$ xmllint --sax1 --valid file
Also see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2461
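The shape of both leaks, an attribute handler that owns several heap strings (`ns`, `name`, `nval`) and frees only some of them on an early exit, is modelled below as an added example. This is not libxml2 code and not part of the commit; the function and variable names (`add_attribute_leaky`, `add_attribute_fixed`, `t_malloc`, `live_allocations`) are hypothetical, the duplicate check compares local names only rather than namespace plus local name, and a counting allocator stands in for the leak detector OSS-Fuzz runs, so a unit test can assert that every error path releases everything the handler allocated.

```c
/* Added example (not libxml2 code). Models the ownership bug behind the
 * SAX1 attribute leaks: several owned allocations, several early exits,
 * and a cleanup list maintained by hand on each exit. All names here are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static long live_blocks = 0;            /* allocations not yet freed */

static void *t_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void t_free(void *p) { if (p) { live_blocks--; free(p); } }
long live_allocations(void) { return live_blocks; }

static char *t_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = t_malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Split "prefix:local" into two owned strings; *ns stays NULL without a prefix.
 * On failure *ns may already be allocated: the caller owns whatever is set. */
static int split_qname(const char *fullname, char **ns, char **name) {
    const char *colon = strchr(fullname, ':');
    *ns = NULL;
    if (colon) {
        size_t plen = (size_t)(colon - fullname);
        *ns = t_malloc(plen + 1);
        if (!*ns) { *name = NULL; return -1; }
        memcpy(*ns, fullname, plen);
        (*ns)[plen] = '\0';
        fullname = colon + 1;
    }
    *name = t_strdup(fullname);
    return *name ? 0 : -1;
}

/* Attribute-value normalization: collapse whitespace runs, trim the ends. */
static char *normalize(const char *v) {
    char *out = t_malloc(strlen(v) + 1), *w = out;
    if (!out) return NULL;
    for (; *v; v++) {
        if (*v == ' ' || *v == '\t' || *v == '\n') {
            if (w > out && w[-1] != ' ') *w++ = ' ';
        } else {
            *w++ = *v;
        }
    }
    if (w > out && w[-1] == ' ') w--;
    *w = '\0';
    return out;
}

/* seen[] holds attribute local names already on the element (constructed input). */
static int is_duplicate(const char *name, const char **seen) {
    for (; *seen; seen++) if (strcmp(*seen, name) == 0) return 1;
    return 0;
}

/* Pre-fix shape: every exit frees by hand; the duplicate path forgets nval
 * and a failure inside split_qname drops ns. Returns 0 on success, -1 on error. */
int add_attribute_leaky(const char *fullname, const char *value, const char **seen) {
    char *ns, *name, *nval;
    if (split_qname(fullname, &ns, &name) < 0) return -1;    /* ns may leak */
    nval = normalize(value);
    if (!nval) { t_free(ns); t_free(name); return -1; }
    if (is_duplicate(name, seen)) {
        t_free(ns);
        t_free(name);                 /* nval is never released: the leak */
        return -1;
    }
    t_free(ns); t_free(name); t_free(nval);   /* a real tree would take ownership */
    return 0;
}

/* Fixed shape: owned pointers start as NULL and are released exactly once at a
 * single exit label, so a new early exit cannot skip a free. */
int add_attribute_fixed(const char *fullname, const char *value, const char **seen) {
    char *ns = NULL, *name = NULL, *nval = NULL;
    int rc = -1;
    if (split_qname(fullname, &ns, &name) < 0) goto error;
    if ((nval = normalize(value)) == NULL) goto error;
    if (is_duplicate(name, seen)) goto error;
    rc = 0;                           /* a real tree would take ownership here */
error:
    t_free(ns); t_free(name); t_free(nval);
    return rc;
}

int main(void) {
    const char *seen[] = { "x", NULL };   /* a:x="v" already on the element */
    add_attribute_fixed("b:x", "v", seen);
    printf("fixed handler, duplicate attribute: %ld live blocks\n", live_allocations());
    add_attribute_leaky("b:x", "v", seen);
    printf("leaky handler, duplicate attribute: %ld live blocks\n", live_allocations());
    return 0;
}
```

The counting allocator is the part worth keeping in a real test suite: running each error path once and asserting that the live count returns to zero catches exactly the class of bug this commit fixes, without waiting for a fuzzer to hit the path.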
SAX2.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
---
diff --git a/SAX2.c b/SAX2.c
index af2dd14..1508c77 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -1181,6 +1181,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement");
if (name != NULL)
xmlFree(name);
+ if (nval != NULL)
+ xmlFree(nval);
return;
}
} else {
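Review bot: the `nval` free added here before the early `return` is one of three hand-maintained cleanup lists in xmlSAX2AttributeInternal (the 1242 path also frees `ns`, the 1311 path ends in `goto error`); a single exit label that releases every owned pointer, with the pointers initialised to NULL, would stop the next early return from reintroducing this leak and would make it obvious whether `ns` is already live at this point and needs releasing too. Minor: the `xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement")` message names the caller rather than this function, which makes a leak report harder to attribute.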
@@ -1242,6 +1244,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
xmlFree(ns);
if (name != NULL)
xmlFree(name);
+ if (nval != NULL)
+ xmlFree(nval);
return;
}
} else {
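Review bot: `xmlFree(ns)` at the top of this cleanup is unguarded while the `name` and `nval` frees each carry an `!= NULL` check; either `ns` is known non-NULL on this path, in which case a one-line comment saying so would help, or it should get the same guard, since the existing checks suggest the code does not assume xmlFree tolerates NULL. As on the 1181 path, routing this exit through the function's existing `error` label would put all three frees in one place.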
@@ -1311,6 +1315,8 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
name, namespace->href);
ctxt->wellFormed = 0;
if (ctxt->recovery == 0) ctxt->disableSAX = 1;
+ if (name != NULL)
+ xmlFree(name);
goto error;
}
}
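Review bot: adding `xmlFree(name)` immediately before `goto error` implies the `error` label does not release `name`, so please confirm what it does release: both earlier exits in this function free `nval` (and the 1242 one frees `ns`), and if those are still owned at this point and the label does not free them, this duplicate-attribute path still leaks them. If the label does not cover them, the cleaner fix is to have `error:` release all of `ns`, `name` and `nval` and drop the per-path frees entirely.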