
Fix memory leak in xmlStringLenGetNodeList

Avoid expanding the entity recursively. Use the same prevention
mechanism as in xmlStringGetNodeList.

xmlStringGetNodeList on the other hand wasn't fixing up the 'last'
pointer.

I think the memory leak can only be triggered in recovery mode.

Found with libFuzzer and ASan.
Nick Wellnhofer
2017-06-07 18:32:49 +02:00
parent 94691dc884
commit 8c82f5deeb

4
tree.c

@@ -1401,6 +1401,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
else if ((ent != NULL) && (ent->children == NULL)) { else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp; xmlNodePtr temp;
/* Set to non-NULL value to avoid recursion. */
ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc, ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content); (const xmlChar*)node->content);
ent->owner = 1; ent->owner = 1;
@@ -1593,6 +1595,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
else if ((ent != NULL) && (ent->children == NULL)) { else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp; xmlNodePtr temp;
/* Set to non-NULL value to avoid recursion. */
ent->children = (xmlNodePtr) -1; ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc, ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content); (const xmlChar*)node->content);
@@ -1600,6 +1603,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
temp = ent->children; temp = ent->children;
while (temp) { while (temp) {
temp->parent = (xmlNodePtr)ent; temp->parent = (xmlNodePtr)ent;
ent->last = temp;
temp = temp->next; temp = temp->next;
} }
} }
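Review bot: The recursion guard `ent->children = (xmlNodePtr) -1;` (added in the xmlStringLenGetNodeList hunk, already present in the xmlStringGetNodeList hunk) stores a non-dereferenceable address in a field the rest of tree.c treats as a real node pointer, so it is safe only while nothing reached from the nested `xmlStringGetNodeList` call reads `ent->children` before the assignment on the following line replaces it, and that invariant is not written down. I would extend the comment to `/* Set to a non-NULL sentinel to avoid recursion; it must not be dereferenced until xmlStringGetNodeList returns and overwrites it. */`. When the nested call returns NULL the sentinel is replaced by NULL while `ent->owner = 1` is still set, so the next reference to the same entity repeats the expansion attempt; this still terminates, but a one-line comment stating that it is intended would help the next reader. The guard and the parent/last fix-up loop are now duplicated between xmlStringLenGetNodeList and xmlStringGetNodeList, and both function bodies extend outside the hunks shown.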