From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Sat, 1 May 2021 16:53:33 +0200 Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv Check return value of recursive calls to xmlParseElementChildrenContentDeclPriv and return immediately in case of errors. Otherwise, struct xmlElementContent could contain unexpected null pointers, leading to a null deref when post-validating documents which aren't well-formed and parsed in recovery mode. Fixes #243. Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61] CVE: CVE-2021-3537 Signed-off-by: Chee Yang Lee --- parser.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/parser.c b/parser.c index b42e6043..73c27edd 100644 --- a/parser.c +++ b/parser.c @@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, SKIP_BLANKS; cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, depth + 1); + if (cur == NULL) + return(NULL); SKIP_BLANKS; GROW; } else { @@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk, SKIP_BLANKS; last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, depth + 1); + if (last == NULL) { + if (ret != NULL) + xmlFreeDocElementContent(ctxt->myDoc, ret); + return(NULL); + } SKIP_BLANKS; } else { elem = xmlParseName(ctxt); -- GitLab