35 lines
899 B
Diff
35 lines
899 B
Diff
From 6bb146a3ea24a9bacfad6fe67268f0404af37d9c Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Wed, 2 Nov 2022 16:13:27 +0100
|
|
Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode
|
|
|
|
Found with libFuzzer, see #344.
|
|
---
|
|
xinclude.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/xinclude.c b/xinclude.c
|
|
index 2a0614d7..e32b3419 100644
|
|
--- a/xinclude.c
|
|
+++ b/xinclude.c
|
|
@@ -614,14 +614,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
|
|
}
|
|
URL = xmlSaveUri(uri);
|
|
xmlFreeURI(uri);
|
|
- xmlFree(URI);
|
|
if (URL == NULL) {
|
|
xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI,
|
|
"invalid value URI %s\n", URI);
|
|
if (fragment != NULL)
|
|
xmlFree(fragment);
|
|
+ xmlFree(URI);
|
|
return(-1);
|
|
}
|
|
+ xmlFree(URI);
|
|
|
|
/*
|
|
* If local and xml then we need a fragment
|
|
--
|
|
2.48.1
|
|
|