-rw-r--r--libxsde/xsde/c/expat/xmlparse.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/libxsde/xsde/c/expat/xmlparse.c b/libxsde/xsde/c/expat/xmlparse.c
index f4ddeb6..5e37f73 100644
--- a/libxsde/xsde/c/expat/xmlparse.c
+++ b/libxsde/xsde/c/expat/xmlparse.c
@@ -2970,6 +2970,22 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
size_t uriHash = parser->m_hash_secret_salt;
((XML_Char *)s)[-1] = 0; /* clear flag */
id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
+ if (!id || !id->prefix) {
+ /* This code is walking through the appAtts array, dealing
+ * with (in this case) a prefixed attribute name. To be in
+ * the array, the attribute must have already been bound, so
+ * has to have passed through the hash table lookup once
+ * already. That implies that an entry for it already
+ * exists, so the lookup above will return a pointer to
+ * already allocated memory. There is no opportunaity for
+ * the allocator to fail, so the condition above cannot be
+ * fulfilled.
+ *
+ * Since it is difficult to be certain that the above
+ * analysis is complete, we retain the test.
+ */
+ return XML_ERROR_NO_MEMORY;
+ }
b = id->prefix->binding;
if (!b)
return XML_ERROR_UNBOUND_PREFIX;
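Review bot: The comment on the new `if (!id || !id->prefix)` guard argues that the branch is unreachable but never says what it protects, and it carries the typo "opportunaity". The line right after the guard reads `id->prefix->binding`, so a NULL in either pointer would be dereferenced while handling attribute names taken from the parsed document. I would add a sentence such as `Without this test a NULL id or prefix would be dereferenced just below.` and fix the spelling. Returning `XML_ERROR_NO_MEMORY` means a broken invariant would be reported to the application as an allocation failure; the comment should say whether that is deliberate. storeAtts begins and ends outside this hunk.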
@@ -5785,6 +5801,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
return NULL;
id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
sizeof(PREFIX));
+ if (!id->prefix)
+ return NULL;
if (id->prefix->name == poolStart(&dtd->pool))
poolFinish(&dtd->pool);
else
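Review bot: The added `if (!id->prefix) return NULL;` has no comment, unlike the guard added in storeAtts, even though it presumably covers a failure that can really occur. Here `lookup` is called with `sizeof(PREFIX)` rather than 0, which by the reasoning in the storeAtts comment is the form that may have to allocate. A one-line comment such as `/* lookup() could not allocate the PREFIX entry */` would make that explicit and explain why the following line may safely read `id->prefix->name`. On this path the string started in `dtd->pool` is neither finished nor discarded; that appears to match the `return NULL` just above, but it should be confirmed against the part of getAttributeId outside this hunk.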