malloc-fail: Fix reallocation in xmlXIncludeNewRef

Avoid null deref. Found with libFuzzer, see #344.
2025-10-28 23:14:57 +03:00 · 2023-02-03 14:00:13 +01:00
parent d1272c2ed6
commit a3749551e6
1 changed files with 8 additions and 4 deletions
--- a/xinclude.c
+++ b/xinclude.c
@@ -272,14 +272,18 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI,
 	}
    }
    if (ctxt->incNr >= ctxt->incMax) {
-	ctxt->incMax *= 2;
-        ctxt->incTab = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
-	             ctxt->incMax * sizeof(ctxt->incTab[0]));
-        if (ctxt->incTab == NULL) {
+        xmlXIncludeRefPtr *tmp;
+        size_t newSize = ctxt->incMax * 2;
+
+        tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
+	             newSize * sizeof(ctxt->incTab[0]));
+        if (tmp == NULL) {
 	    xmlXIncludeErrMemory(ctxt, elem, "growing XInclude context");
 	    xmlXIncludeFreeRef(ret);
 	    return(NULL);
 	}
+        ctxt->incTab = tmp;
+        ctxt->incMax *= 2;
    }
    ctxt->incTab[ctxt->incNr++] = ret;
    return(ret);