author | Boris Kolpackov <boris@codesynthesis.com> | 2023-07-11 15:36:07 +0200 |
---|---|---|
committer | Boris Kolpackov <boris@codesynthesis.com> | 2023-07-11 15:36:07 +0200 |
commit | 3583f71f90bbe65f71bfc59545778ce99a8b9306 (patch) | |
tree | b54527e3406758b954f5f6eec1bbbdde8562dca0 | |
parent | 972f062b0118d530cb4e6986c2ea51df5bce52b1 (diff) |
Packport commit b3a467e (Fix potential null pointer dereference).
-rw-r--r-- | libxsde/xsde/c/expat/xmlparse.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/libxsde/xsde/c/expat/xmlparse.c b/libxsde/xsde/c/expat/xmlparse.c
index f4ddeb6..5e37f73 100644
--- a/libxsde/xsde/c/expat/xmlparse.c
+++ b/libxsde/xsde/c/expat/xmlparse.c
@@ -2970,6 +2970,22 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
 size_t uriHash = parser->m_hash_secret_salt;
 ((XML_Char *)s)[-1] = 0; /* clear flag */
 id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
+ if (!id || !id->prefix) {
+ /* This code is walking through the appAtts array, dealing
+ * with (in this case) a prefixed attribute name. To be in
+ * the array, the attribute must have already been bound, so
+ * has to have passed through the hash table lookup once
+ * already. That implies that an entry for it already
+ * exists, so the lookup above will return a pointer to
+ * already allocated memory. There is no opportunaity for
+ * the allocator to fail, so the condition above cannot be
+ * fulfilled.
+ *
+ * Since it is difficult to be certain that the above
+ * analysis is complete, we retain the test.
+ */
+ return XML_ERROR_NO_MEMORY;
+ }
 b = id->prefix->binding;
 if (!b)
 return XML_ERROR_UNBOUND_PREFIX;
@@ -5785,6 +5801,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
 return NULL;
 id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
 sizeof(PREFIX));
+ if (!id->prefix)
+ return NULL;
 if (id->prefix->name == poolStart(&dtd->pool))
 poolFinish(&dtd->pool);
 else |
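Review bot: The new guard in storeAtts reports `XML_ERROR_NO_MEMORY` for a condition its own comment calls unreachable, and the `lookup(..., s, 0)` call above it appears to be a find-only lookup (its last argument is `0`, where the getAttributeId hunk passes `sizeof(PREFIX)`). If the branch is ever taken, the caller will be told about memory exhaustion when the likelier cause is a broken invariant in attribute handling. Keeping the upstream code unchanged is reasonable for a backport, but the comment should say the code is a stand-in, for example `/* Reported as NO_MEMORY for lack of a closer error code; reaching this means the attribute table is inconsistent. */`. The added comment also misspells `opportunity` as `opportunaity`. storeAtts starts and ends outside the hunk.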
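Review bot: The early `return NULL` in getAttributeId skips the `poolFinish(&dtd->pool)` / `else` step that follows it. Because `id` was obtained before the hunk begins, the entry may remain reachable with `prefix == NULL` after this failure. That looks like exactly the state the `!id->prefix` test in the storeAtts hunk defends against, so the two checks should be tied together in a comment such as `/* PREFIX allocation failed; id may be left with prefix == NULL, which storeAtts tests for */`. It is also worth confirming that every caller treats the NULL return as fatal for the parse and does not reuse the pool string left pending; neither can be verified from the lines shown. The function body starts and ends outside the hunk.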