From 3583f71f90bbe65f71bfc59545778ce99a8b9306 Mon Sep 17 00:00:00 2001
From: Boris Kolpackov
Date: Tue, 11 Jul 2023 15:36:07 +0200
Subject: Import potentially missing NULL pointer checks in Expat

Packport commit b3a467e (Fix potential null pointer dereference).
---
 libxsde/xsde/c/expat/xmlparse.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/libxsde/xsde/c/expat/xmlparse.c b/libxsde/xsde/c/expat/xmlparse.c
index f4ddeb6..5e37f73 100644
--- a/libxsde/xsde/c/expat/xmlparse.c
+++ b/libxsde/xsde/c/expat/xmlparse.c
@@ -2970,6 +2970,22 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
 size_t uriHash = parser->m_hash_secret_salt;
 ((XML_Char *)s)[-1] = 0; /* clear flag */
 id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
+ if (!id || !id->prefix) {
+ /* This code is walking through the appAtts array, dealing
+ * with (in this case) a prefixed attribute name. To be in
+ * the array, the attribute must have already been bound, so
+ * has to have passed through the hash table lookup once
+ * already. That implies that an entry for it already
+ * exists, so the lookup above will return a pointer to
+ * already allocated memory. There is no opportunaity for
+ * the allocator to fail, so the condition above cannot be
+ * fulfilled.
+ *
+ * Since it is difficult to be certain that the above
+ * analysis is complete, we retain the test.
+ */
+ return XML_ERROR_NO_MEMORY;
+ }
 b = id->prefix->binding;
 if (!b)
 return XML_ERROR_UNBOUND_PREFIX;
@@ -5785,6 +5801,8 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
 return NULL;
 id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes,
 poolStart(&dtd->pool), sizeof(PREFIX));
+ if (!id->prefix)
+ return NULL;
 if (id->prefix->name == poolStart(&dtd->pool))
 poolFinish(&dtd->pool);
 else
-- 
cgit v1.1
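Review bot: The block comment added above `return XML_ERROR_NO_MEMORY;` in storeAtts misspells "opportunity" as `opportunaity`; since this comment is the only record of why the test is kept, the line should read `* already allocated memory. There is no opportunity for`. The comment's argument is that `lookup(parser, &dtd->attributeIds, s, 0)` is a pure find of an entry storeAtts has already created, so the branch is defensive rather than a real allocation failure; if that reading is right, tagging the return with `/* defensive: not expected to be reachable */` would stop a reader auditing out-of-memory paths from counting it as one. storeAtts begins and ends outside the hunk.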
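Review bot: The new `if (!id->prefix) return NULL;` in getAttributeId returns before the `poolFinish`/`poolDiscard` pair that follows, so the prefix string appended to `dtd->pool` is left neither finished nor discarded; this mirrors the existing `return NULL;` at the top of the hunk and is presumably acceptable only because callers treat NULL from getAttributeId as fatal, which is worth confirming against them. The `id` entry in `dtd->attributeIds` also appears to have been created before this point and is left behind with `prefix == NULL`; the `!id->prefix` test added to storeAtts in the first hunk is what protects a later lookup of that entry, so a comment tying the two together, e.g. `/* id remains in attributeIds with prefix == NULL; storeAtts re-checks this */`, would help the next maintainer see why both checks exist. getAttributeId begins and ends outside the hunk.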