Merge branch 'dev/11/fp3/security-aosp-rvc-release' into int/11/fp3 * dev/11/fp3/security-aosp-rvc-release: malloc-fail: Fix OOB read after xmlRegGetCounter Change-Id: Ie698381da426266ca3daccd03f3776dd9169a21e

commit: 92a400b8b864c2d78a14e2429eac892bf08d19db [log] [tgz]
author: Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners> Tue Oct 10 15:11:12 2023 +0530
committer: Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners> Wed Oct 11 13:12:28 2023 +0200
tree: f40b5f3d4e3018f154894d53f17a4715e888c9d1
parent: 3f90fef4b07abfbf6d7a652a8bed1e47a8faafca [diff]
parent: dc858b313343c56ac6184595ae552fb060d3789b [diff]
diff --git a/xmlregexp.c b/xmlregexp.c
index d255fbf..6234a87 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c

@@ -1641,6 +1641,8 @@
 			return(-1);
 		    inter = ctxt->state;
 		    counter = xmlRegGetCounter(ctxt);
+                    if (counter < 0)
+                        return(-1);
 		    ctxt->counters[counter].min = atom->min - 1;
 		    ctxt->counters[counter].max = atom->max - 1;
 		    /* count the number of times we see it again */
@@ -1659,6 +1661,8 @@
 		     * epsilon transition.
 		     */
 		    counter = xmlRegGetCounter(ctxt);
+                    if (counter < 0)
+                        return(-1);
 		    ctxt->counters[counter].min = atom->min - 1;
 		    ctxt->counters[counter].max = atom->max - 1;
 		    /* count the number of times we see it again */
@@ -5924,6 +5928,8 @@
      * associate a counter to the transition.
      */
     counter = xmlRegGetCounter(am);
+    if (counter < 0)
+        goto error;
     am->counters[counter].min = min;
     am->counters[counter].max = max;
 
@@ -5943,6 +5949,10 @@
     if (min == 0)
 	xmlFAGenerateEpsilonTransition(am, from, to);
     return(to);
+
+error:
+    xmlRegFreeAtom(atom);
+    return(NULL);
 }
 
 /**
@@ -5990,6 +6000,8 @@
      * associate a counter to the transition.
      */
     counter = xmlRegGetCounter(am);
+    if (counter < 0)
+        goto error;
     am->counters[counter].min = min;
     am->counters[counter].max = max;
 
@@ -6009,6 +6021,10 @@
     if (min == 0)
 	xmlFAGenerateEpsilonTransition(am, from, to);
     return(to);
+
+error:
+    xmlRegFreeAtom(atom);
+    return(NULL);
 }
 
 /**
@@ -6076,6 +6092,8 @@
      * associate a counter to the transition.
      */
     counter = xmlRegGetCounter(am);
+    if (counter < 0)
+        goto error;
     am->counters[counter].min = 1;
     am->counters[counter].max = 1;
 
@@ -6088,6 +6106,10 @@
     xmlRegAtomPush(am, atom);
     am->state = to;
     return(to);
+
+error:
+    xmlRegFreeAtom(atom);
+    return(NULL);
 }
 
 
@@ -6135,6 +6157,8 @@
      * associate a counter to the transition.
      */
     counter = xmlRegGetCounter(am);
+    if (counter < 0)
+        goto error;
     am->counters[counter].min = 1;
     am->counters[counter].max = 1;
 
@@ -6147,6 +6171,10 @@
     xmlRegAtomPush(am, atom);
     am->state = to;
     return(to);
+
+error:
+    xmlRegFreeAtom(atom);
+    return(NULL);
 }
 
 /**
commit	92a400b8b864c2d78a14e2429eac892bf08d19db	[log] [tgz]
author	Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners>	Tue Oct 10 15:11:12 2023 +0530
committer	Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners>	Wed Oct 11 13:12:28 2023 +0200
tree	f40b5f3d4e3018f154894d53f17a4715e888c9d1
parent	3f90fef4b07abfbf6d7a652a8bed1e47a8faafca [diff]
parent	dc858b313343c56ac6184595ae552fb060d3789b [diff]