mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-22 13:21:08 -05:00
af360bc9ea
wgetc873988898.patch -O telecomm-01.patch wget0fb5786dbf.patch -O mediaprovider-01.patch wget1a4b9ef510.patch -O wifi-01.patch wget364a1d9962.patch -O bluetooth-01.patch wget87a06448b9.patch -O settings-01.patch wgetaaba724a68.patch -O settings-02.patch wget507304e1f5.patch -O native-01.patch wget89489ff5dd.patch -O base-01.patch wgetd1765c4715.patch -O base-02.patch wgetcbb1a0ecd6.patch -O base-03.patch wget4725772c0b.patch -O base-04.patch wget19747f6923.patch -O base-05.patch wgete7a1aa9ed0.patch -O base-06.patch wget922a7860b1.patch -O base-07.patch wgeted183ed912.patch -O base-08.patch wgetc6fbe1330a.patch -O base-09.patch wget9141cac175.patch -O base-10.patch wget41235bcc67.patch -O av-01.patch wgeta89f704701.patch -O av-02.patch wget6d7cd80d77.patch -O av-03.patch wget75fc175a08.patch -O av-04.patch wgetb023ec300f.patch -O av-05.patch wgetc8117d1539.patch -O av-06.patch wgetf06d23d824.patch -O av-07.patch wget9c7408ab07.patch -O av-08.patch wgetcfbfcefb3c.patch -O launcher-01.patch wget4a27a7f162.patch -O libxml-01.patch Signed-off-by: Tad <tad@spotco.us>
124 lines
3.8 KiB
Diff
124 lines
3.8 KiB
Diff
From 4a27a7f162907facfbeddf2d4ae4c6ab7c6eb15a Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Fri, 17 Feb 2023 15:53:07 +0100
|
|
Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter
|
|
|
|
Found with libFuzzer, see #344.
|
|
|
|
(cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033)
|
|
|
|
I also copied the error label from
|
|
e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure.
|
|
|
|
Bug: http://b/274231102
|
|
Test: TreeHugger
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0e6ed17dfe8e36e5618a592a600720bd61e015cc)
|
|
Merged-In: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
|
|
Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4
|
|
---
|
|
xmlregexp.c | 28 ++++++++++++++++++++++++++++
|
|
1 file changed, 28 insertions(+)
|
|
|
|
diff --git a/xmlregexp.c b/xmlregexp.c
|
|
index 984c7ac6e..ce09b2216 100644
|
|
--- a/xmlregexp.c
|
|
+++ b/xmlregexp.c
|
|
@@ -1673,6 +1673,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
|
|
return(-1);
|
|
inter = ctxt->state;
|
|
counter = xmlRegGetCounter(ctxt);
|
|
+ if (counter < 0)
|
|
+ return(-1);
|
|
ctxt->counters[counter].min = atom->min - 1;
|
|
ctxt->counters[counter].max = atom->max - 1;
|
|
/* count the number of times we see it again */
|
|
@@ -1691,6 +1693,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
|
|
* epsilon transition.
|
|
*/
|
|
counter = xmlRegGetCounter(ctxt);
|
|
+ if (counter < 0)
|
|
+ return(-1);
|
|
ctxt->counters[counter].min = atom->min - 1;
|
|
ctxt->counters[counter].max = atom->max - 1;
|
|
/* count the number of times we see it again */
|
|
@@ -6015,6 +6019,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
* associate a counter to the transition.
|
|
*/
|
|
counter = xmlRegGetCounter(am);
|
|
+ if (counter < 0)
|
|
+ goto error;
|
|
am->counters[counter].min = min;
|
|
am->counters[counter].max = max;
|
|
|
|
@@ -6034,6 +6040,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
if (min == 0)
|
|
xmlFAGenerateEpsilonTransition(am, from, to);
|
|
return(to);
|
|
+
|
|
+error:
|
|
+ xmlRegFreeAtom(atom);
|
|
+ return(NULL);
|
|
}
|
|
|
|
/**
|
|
@@ -6081,6 +6091,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
* associate a counter to the transition.
|
|
*/
|
|
counter = xmlRegGetCounter(am);
|
|
+ if (counter < 0)
|
|
+ goto error;
|
|
am->counters[counter].min = min;
|
|
am->counters[counter].max = max;
|
|
|
|
@@ -6100,6 +6112,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
if (min == 0)
|
|
xmlFAGenerateEpsilonTransition(am, from, to);
|
|
return(to);
|
|
+
|
|
+error:
|
|
+ xmlRegFreeAtom(atom);
|
|
+ return(NULL);
|
|
}
|
|
|
|
/**
|
|
@@ -6167,6 +6183,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
* associate a counter to the transition.
|
|
*/
|
|
counter = xmlRegGetCounter(am);
|
|
+ if (counter < 0)
|
|
+ goto error;
|
|
am->counters[counter].min = 1;
|
|
am->counters[counter].max = 1;
|
|
|
|
@@ -6179,6 +6197,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
xmlRegAtomPush(am, atom);
|
|
am->state = to;
|
|
return(to);
|
|
+
|
|
+error:
|
|
+ xmlRegFreeAtom(atom);
|
|
+ return(NULL);
|
|
}
|
|
|
|
|
|
@@ -6226,6 +6248,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
* associate a counter to the transition.
|
|
*/
|
|
counter = xmlRegGetCounter(am);
|
|
+ if (counter < 0)
|
|
+ goto error;
|
|
am->counters[counter].min = 1;
|
|
am->counters[counter].max = 1;
|
|
|
|
@@ -6238,6 +6262,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from,
|
|
xmlRegAtomPush(am, atom);
|
|
am->state = to;
|
|
return(to);
|
|
+
|
|
+error:
|
|
+ xmlRegFreeAtom(atom);
|
|
+ return(NULL);
|
|
}
|
|
|
|
/**
|