From fef12ed81619c79729bf66a906701308a02d6b2b Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 11 Oct 2023 13:32:54 +0200
Subject: [PATCH] buf: Also reset input in error case
Avoid dangling pointers if memory allocation failed. This could cause
a use-after-free after recent changes.
Found by OSS-Fuzz.
Reference:https://github.com/GNOME/libxml2/commit/fef12ed81619c79729bf66a906701308a02d6b2b
Conflict:NA
---
buf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/buf.c b/buf.c
index e0afd798c..266395f48 100644
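--- a/buf.c
+++ b/buf.c
@@ -1017,8 +1017,12 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) {
 */
 int
 xmlBufResetInput(xmlBufPtr buf, xmlParserInputPtr input) {
- if ((input == NULL) || (buf == NULL) || (buf->error))
+ if (input == NULL)
 return(-1);
+ if ((buf == NULL) || (buf->error)) {
+ input->base = input->cur = input->end = BAD_CAST "";
+ return(-1);
+ }
 CHECK_COMPAT(buf)
 input->base = input->cur = buf->content;
 input->end = &buf->content[buf->use];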
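Review bot: The new `(buf == NULL) || (buf->error)` branch in xmlBufResetInput changes what a -1 return means: it now also overwrites `input->base`, `input->cur` and `input->end`, and the function comment that ends at the `*/` context line is outside the hunk and does not appear to be updated. I would add a comment above the assignment such as `/* Buffer is unusable: point the input at a static empty string so no stale pointer into freed content survives. */` and mention the side effect in the return-value description. Because the three pointers now reference a string literal through `BAD_CAST`, it is also worth noting that nothing may write through them afterwards. Any other helper in buf.c that returns early on `buf->error` without touching the input (xmlBufUpdateInput may be one, though it is not visible here) would leave the same dangling pointers and should be checked for the same treatment. The body of xmlBufResetInput continues past the end of the hunk.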