[libxml2] Fix memory leak in xmlStringLenGetNodeList
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Fix memory leak in xmlStringLenGetNodeList
- Date: Wed, 7 Jun 2017 18:07:26 +0000 (UTC)
commit 8c82f5deeba9d6ecf85f2a0aa9c967320cc6c13c
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Wed Jun 7 18:32:49 2017 +0200

Fix memory leak in xmlStringLenGetNodeList

Avoid expanding the entity recursively. Use the same prevention
mechanism as in xmlStringGetNodeList.

xmlStringGetNodeList on the other hand wasn't fixing up the 'last'
pointer.

I think the memory leak can only be triggered in recovery mode.

Found with libFuzzer and ASan.

tree.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/tree.c b/tree.c
index 9d330b8..e154ec0 100644
--- a/tree.c
+++ b/tree.c
@@ -1401,6 +1401,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
+ /* Set to non-NULL value to avoid recursion. */
+ ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content);
ent->owner = 1;
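Review bot: the sentinel stored by the added line `ent->children = (xmlNodePtr) -1;` is an invalid pointer, so it is only safe as long as every reader compares it against NULL and never dereferences it before the next statement overwrites it. The same magic value now appears in both xmlStringLenGetNodeList and xmlStringGetNodeList; a named constant shared by the two functions (or a dedicated "being expanded" flag on the entity) would make the intent explicit, and the comment should state that the value must not be dereferenced and is replaced by the result of xmlStringGetNodeList immediately afterwards.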
@@ -1593,6 +1595,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
+ /* Set to non-NULL value to avoid recursion. */
ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content);
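Review bot: the new comment above `ent->children = (xmlNodePtr) -1;` does not say which check the value is meant to defeat. Two consecutive stores to ent->children read like a dead store, so it is worth spelling out that the nested xmlStringGetNodeList call would re-enter the `(ent != NULL) && (ent->children == NULL)` branch for the same entity unless children is non-NULL at that point. Otherwise a later cleanup could remove the first assignment as redundant.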
@@ -1600,6 +1603,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
temp = ent->children;
while (temp) {
temp->parent = (xmlNodePtr)ent;
+ ent->last = temp;
temp = temp->next;
}
}
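Review bot: in the `while (temp)` loop, `ent->last = temp;` only runs when ent->children is non-NULL, so if the preceding xmlStringGetNodeList call returned NULL, ent->last keeps whatever value it had before. Setting `ent->last = NULL;` ahead of `temp = ent->children;` would keep children and last consistent in that case as well.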