Fix a number of potential memory leaks around REALLOC(). More are lurking.
parent
5b5c48d4a3
commit
3edce7a7ca
@ -1147,8 +1147,13 @@ int XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
|
|||||||
if (nLeftOver) {
|
if (nLeftOver) {
|
||||||
if (buffer == 0 || nLeftOver > bufferLim - buffer) {
|
if (buffer == 0 || nLeftOver > bufferLim - buffer) {
|
||||||
/* FIXME avoid integer overflow */
|
/* FIXME avoid integer overflow */
|
||||||
buffer = buffer == 0 ? MALLOC(len * 2) : REALLOC(buffer, len * 2);
|
char *temp;
|
||||||
/* FIXME storage leak if realloc fails */
|
temp = buffer == 0 ? MALLOC(len * 2) : REALLOC(buffer, len * 2);
|
||||||
|
if (temp == NULL) {
|
||||||
|
errorCode = XML_ERROR_NO_MEMORY;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
buffer = temp;
|
||||||
if (!buffer) {
|
if (!buffer) {
|
||||||
errorCode = XML_ERROR_NO_MEMORY;
|
errorCode = XML_ERROR_NO_MEMORY;
|
||||||
eventPtr = eventEndPtr = 0;
|
eventPtr = eventEndPtr = 0;
|
||||||
@ -1665,12 +1670,16 @@ doContent(XML_Parser parser,
|
|||||||
/* Need to guarantee that:
|
/* Need to guarantee that:
|
||||||
tag->buf + ROUND_UP(tag->rawNameLength, sizeof(XML_Char))
|
tag->buf + ROUND_UP(tag->rawNameLength, sizeof(XML_Char))
|
||||||
<= tag->bufEnd - sizeof(XML_Char) */
|
<= tag->bufEnd - sizeof(XML_Char) */
|
||||||
if (tag->rawNameLength + (int)(sizeof(XML_Char) - 1) + (int)sizeof(XML_Char) > tag->bufEnd - tag->buf) {
|
if (tag->rawNameLength + (int)(sizeof(XML_Char) - 1)
|
||||||
|
+ (int)sizeof(XML_Char) > tag->bufEnd - tag->buf) {
|
||||||
int bufSize = tag->rawNameLength * 4;
|
int bufSize = tag->rawNameLength * 4;
|
||||||
bufSize = ROUND_UP(bufSize, sizeof(XML_Char));
|
bufSize = ROUND_UP(bufSize, sizeof(XML_Char));
|
||||||
tag->buf = REALLOC(tag->buf, bufSize);
|
{
|
||||||
if (!tag->buf)
|
char *temp = REALLOC(tag->buf, bufSize);
|
||||||
return XML_ERROR_NO_MEMORY;
|
if (temp == NULL)
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
tag->buf = temp;
|
||||||
|
}
|
||||||
tag->bufEnd = tag->buf + bufSize;
|
tag->bufEnd = tag->buf + bufSize;
|
||||||
}
|
}
|
||||||
memcpy(tag->buf, tag->rawName, tag->rawNameLength);
|
memcpy(tag->buf, tag->rawName, tag->rawNameLength);
|
||||||
@ -1696,9 +1705,12 @@ doContent(XML_Parser parser,
|
|||||||
if (fromPtr == rawNameEnd)
|
if (fromPtr == rawNameEnd)
|
||||||
break;
|
break;
|
||||||
bufSize = (tag->bufEnd - tag->buf) << 1;
|
bufSize = (tag->bufEnd - tag->buf) << 1;
|
||||||
tag->buf = REALLOC(tag->buf, bufSize);
|
{
|
||||||
if (!tag->buf)
|
char *temp = REALLOC(tag->buf, bufSize);
|
||||||
return XML_ERROR_NO_MEMORY;
|
if (temp == NULL)
|
||||||
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
tag->buf = temp;
|
||||||
|
}
|
||||||
tag->bufEnd = tag->buf + bufSize;
|
tag->bufEnd = tag->buf + bufSize;
|
||||||
if (nextPtr)
|
if (nextPtr)
|
||||||
tag->rawName = tag->buf;
|
tag->rawName = tag->buf;
|
||||||
@ -1959,10 +1971,12 @@ static enum XML_Error storeAtts(XML_Parser parser, const ENCODING *enc,
|
|||||||
n = XmlGetAttributes(enc, attStr, attsSize, atts);
|
n = XmlGetAttributes(enc, attStr, attsSize, atts);
|
||||||
if (n + nDefaultAtts > attsSize) {
|
if (n + nDefaultAtts > attsSize) {
|
||||||
int oldAttsSize = attsSize;
|
int oldAttsSize = attsSize;
|
||||||
|
ATTRIBUTE *temp;
|
||||||
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
|
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
|
||||||
atts = REALLOC((void *)atts, attsSize * sizeof(ATTRIBUTE));
|
temp = REALLOC((void *)atts, attsSize * sizeof(ATTRIBUTE));
|
||||||
if (!atts)
|
if (temp == NULL)
|
||||||
return XML_ERROR_NO_MEMORY;
|
return XML_ERROR_NO_MEMORY;
|
||||||
|
atts = temp;
|
||||||
if (n > oldAttsSize)
|
if (n > oldAttsSize)
|
||||||
XmlGetAttributes(enc, attStr, n, atts);
|
XmlGetAttributes(enc, attStr, n, atts);
|
||||||
}
|
}
|
||||||
|
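Review bot: In the storeAtts hunk, `attsSize` is raised to `n + nDefaultAtts + INIT_ATTS_SIZE` before the REALLOC, and the new failure path returns without putting it back. Because `atts` now keeps pointing at the old, smaller array, the stale enlarged `attsSize` would let a later `XmlGetAttributes(enc, attStr, attsSize, atts)` write past the allocation if the parser is used again after the error. This assumes `attsSize` is parser state rather than a local, which it looks like, but its declaration is outside the hunk. Restore the size on failure: `if (temp == NULL) { attsSize = oldAttsSize; return XML_ERROR_NO_MEMORY; }`. storeAtts starts and ends outside the hunk.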