[libxml2] Fix more memory leaks in error paths of XPath parser

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Fix more memory leaks in error paths of XPath parser
Date: Mon, 2 Dec 2019 10:42:07 +0000 (UTC)

commit 2c80fc911678adc9dcf252b3bc71cce101c8728e
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon Dec 2 11:30:30 2019 +0100

    Fix more memory leaks in error paths of XPath parser
    
    Found by OSS-Fuzz.

 xpath.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
---
diff --git a/xpath.c b/xpath.c
index ff1137f0..030bab35 100644
--- a/xpath.c
+++ b/xpath.c
@@ -10300,8 +10300,10 @@ xmlXPathCompVariableReference(xmlXPathParserContextPtr ctxt) {
        XP_ERROR(XPATH_VARIABLE_REF_ERROR);
     }
     ctxt->comp->last = -1;
-    PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0,
-                  name, prefix);
+    if (PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0, name, prefix) == -1) {
+        xmlFree(prefix);
+        xmlFree(name);
+    }
     SKIP_BLANKS;
     if ((ctxt->context != NULL) && (ctxt->context->flags & XML_XPATH_NOVAR)) {
        XP_ERROR(XPATH_FORBID_VARIABLE_ERROR);
@@ -10408,8 +10410,10 @@ xmlXPathCompFunctionCall(xmlXPathParserContextPtr ctxt) {
            SKIP_BLANKS;
        }
     }
-    PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0,
-                  name, prefix);
+    if (PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0, name, prefix) == -1) {
+        xmlFree(prefix);
+        xmlFree(name);
+    }
     NEXT;
     SKIP_BLANKS;
 }
@@ -11050,7 +11054,7 @@ xmlXPathCompPredicate(xmlXPathParserContextPtr ctxt, int filter) {
  */
 static xmlChar *
 xmlXPathCompNodeTest(xmlXPathParserContextPtr ctxt, xmlXPathTestVal *test,
-                    xmlXPathTypeVal *type, const xmlChar **prefix,
+                    xmlXPathTypeVal *type, xmlChar **prefix,
                     xmlChar *name) {
     int blanks;
 
@@ -11281,7 +11285,7 @@ xmlXPathCompStep(xmlXPathParserContextPtr ctxt) {
        SKIP_BLANKS;
     } else {
        xmlChar *name = NULL;
-       const xmlChar *prefix = NULL;
+       xmlChar *prefix = NULL;
        xmlXPathTestVal test = (xmlXPathTestVal) 0;
        xmlXPathAxisVal axis = (xmlXPathAxisVal) 0;
        xmlXPathTypeVal type = (xmlXPathTypeVal) 0;
@@ -11391,9 +11395,11 @@ eval_predicates:
            PUSH_BINARY_EXPR(XPATH_OP_RANGETO, op2, op1, 0, 0);
        } else
 #endif
-           PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
-                          test, type, (void *)prefix, (void *)name);
-
+        if (PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
+                           test, type, (void *)prefix, (void *)name) == -1) {
+            xmlFree(prefix);
+            xmlFree(name);
+        }
     }
 #ifdef DEBUG_STEP
     xmlGenericError(xmlGenericErrorContext, "Step : ");

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]