malloc-fail: Avoid use-after-free after unsuccessful valuePush

In xpath.c there's a lot of code like: valuePush(ctxt, xmlCacheNewX()); ... valuePop(ctxt); If xmlCacheNewX fails, no value will be pushed on the stack. If there's no error check in between, valuePop will pop an unrelated value which can lead to use-after-free errors. Instead of trying to fix all call sites, we simply stop popping values if an error was signaled. This requires to change the CHECK_TYPE macro which is often used to determine whether a value can be safely popped. Found with libFuzzer, see #344.
2025-10-26 00:37:43 +03:00 · 2023-01-31 12:46:30 +01:00
parent 7ec314efcd
commit 6a12be77c6
2 changed files with 11 additions and 2 deletions
--- a/include/libxml/xpathInternals.h
+++ b/include/libxml/xpathInternals.h
@@ -273,7 +273,8 @@ XMLPUBFUN void *
 * type.
 */
 #define CHECK_TYPE(typeval)						\
-    if ((ctxt->value == NULL) || (ctxt->value->type != typeval))	\
+    if ((ctxt->error != 0) ||						\
+        (ctxt->value == NULL) || (ctxt->value->type != typeval))	\
        XP_ERROR(XPATH_INVALID_TYPE)

 /**