[totem-pl-parser/gnome-2-28] Fix crasher parsing hacker medley RSS feed



commit db9d1835d55adfcabac03bfa274463ce8b7abe1b
Author: Bastien Nocera <hadess hadess net>
Date:   Wed Apr 28 16:10:13 2010 +0100

    Fix crasher parsing hacker medley RSS feed
    
    From:
    https://bugzilla.redhat.com/show_bug.cgi?id=582850
    
    Parsing the RSS at http://feeds.feedburner.com/HackerMedley
    caused a crash because we weren't zeroing the newly re-allocated
    buffer used for token parsing.

 plparse/xmllexer.c  |   13 +++++++++----
 plparse/xmlparser.c |    9 ++++++++-
 2 files changed, 17 insertions(+), 5 deletions(-)
---
diff --git a/plparse/xmllexer.c b/plparse/xmllexer.c
index bc564b3..36a8466 100644
--- a/plparse/xmllexer.c
+++ b/plparse/xmllexer.c
@@ -535,13 +535,18 @@ int lexer_get_token_d_r(struct lexer * lexer, char ** _tok, int * _tok_size, int
 
     /* pb */
     if (tok_pos >= tok_size) {
+      char *tmp_tok;
+      int new_size;
       if (fixed)
         return T_ERROR;
-      *_tok_size *= 2;
-      *_tok = realloc (*_tok, *_tok_size);
-      lprintf("token buffer is too small\n");
+      new_size = *_tok_size * 2;
+      tmp_tok = realloc (*_tok, new_size);
+      lprintf("token buffer is too small (need %d)\n", tok_pos);
       lprintf("increasing buffer size to %d bytes\n", *_tok_size);
-      if (*_tok) {
+      if (tmp_tok) {
+	  *_tok = tmp_tok;
+	  memset (*_tok + tok_size, 0, new_size - tok_size);
+	  *_tok_size = new_size;
           return lexer_get_token_d_r (lexer, _tok, _tok_size, 0);
       } else {
           return T_ERROR;
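Review bot: The second lprintf in the new growth path still prints `*_tok_size`, which is only updated on the line after the memset once realloc has succeeded, so the "increasing buffer size to %d bytes" message reports the old size; it should read `lprintf("increasing buffer size to %d bytes\n", new_size);`. Going through `tmp_tok` is the right shape, since a failed realloc now leaves `*_tok` and `*_tok_size` consistent instead of leaking the old buffer. Because `new_size` is an `int` doubled from `*_tok_size` while lexing feed content the parser does not control, a guard such as `if (*_tok_size > INT_MAX / 2) return T_ERROR;` before the multiply would stop a pathological token from wrapping the size rather than growing the buffer. The memset starts at `tok_size`, which I take to be a local copy of `*_tok_size` made outside the hunk; if the two can ever differ the zeroed range should be derived from the same variable that fed `new_size`. The rest of lexer_get_token_d_r lies outside the hunk.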
diff --git a/plparse/xmlparser.c b/plparse/xmlparser.c
index b278260..2f2005e 100644
--- a/plparse/xmlparser.c
+++ b/plparse/xmlparser.c
@@ -364,6 +364,7 @@ static int xml_parser_get_node_internal (xml_parser_t *xml_parser,
 						    pname_buffer, pname_buffer_size,
 						    nname_buffer, nname_buffer_size,
 						    subtree, root_names, rec + 1, flags);
+	  tok = *token_buffer;
 	  free (root_names[rec + 1]);
 	  if (parse_res == -1 || parse_res > 0) {
 	    return parse_res;
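Review bot: The added `tok = *token_buffer;` needs a comment saying why it is there, because nothing nearby shows that the recursive call can reallocate the token buffer and leave the local alias pointing at freed memory; I would write `/* the recursive call may have grown *token_buffer; refresh the stale alias before it is used again */`. Without that, the line reads as redundant and is likely to be dropped in a cleanup, reintroducing the dangling read this commit fixes. Any other local pointer into `*token_buffer` held across the recursive call would need the same refresh, but only `tok` is visible in this hunk. xml_parser_get_node_internal starts and ends outside the hunk.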
@@ -412,8 +413,14 @@ static int xml_parser_get_node_internal (xml_parser_t *xml_parser,
 	  }
 	  /* make sure the buffer for the property name is big enough */
 	  if (*token_buffer_size > *pname_buffer_size) {
+	    char *tmp_prop;
 	    *pname_buffer_size = *token_buffer_size;
-	    *pname_buffer = realloc (*pname_buffer, *pname_buffer_size);
+	    tmp_prop = realloc (*pname_buffer, *pname_buffer_size);
+	    if (!tmp_prop)
+	      return -1;
+	    *pname_buffer = tmp_prop;
+	    property_name = tmp_prop;
+	  } else {
 	    property_name = *pname_buffer;
 	  }
 	  strcpy(property_name, tok);
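Review bot: `*pname_buffer_size` is assigned from `*token_buffer_size` before the realloc, so when realloc fails and the function returns -1 the caller is left with a size that overstates the still-valid old buffer; any later copy bounded by that size could write past the end of `*pname_buffer`. Move the assignment below the success check: `tmp_prop = realloc (*pname_buffer, *token_buffer_size);`, then after `*pname_buffer = tmp_prop;` add `*pname_buffer_size = *token_buffer_size;`. Whether the caller reuses these buffers after a -1 return is not visible here, which is exactly why the size should never get ahead of the allocation. The final `strcpy` is bounded only by the invariant that `tok` fits within `*token_buffer_size`, which holds as long as the lexer always NUL-terminates inside that size. The enclosing function starts and ends outside the hunk.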


