Fix xmlURIEscape memory leaks.
Found by running the fuzz/uri.c fuzzer under asan (internal Android bug
171610679).
Always free `ret` when exiting on failure. I've moved the definition of
NULLCHK down past where ret is always initialized to make it clear that
this is safe.
This patch also fixes the indentation of two of the NULLCHK call sites
to make it more obvious that NULLCHK isn't `if`-like.
diff --git a/uri.c b/uri.c
index 7e9a9f4..8204825 100644
--- a/uri.c
+++ b/uri.c
@@ -1754,11 +1754,6 @@
xmlURIPtr uri;
int ret2;
-#define NULLCHK(p) if(!p) { \
- xmlURIErrMemory("escaping URI value\n"); \
- xmlFreeURI(uri); \
- return NULL; } \
-
if (str == NULL)
return (NULL);
@@ -1780,6 +1775,12 @@
ret = NULL;
+#define NULLCHK(p) if(!p) { \
+ xmlURIErrMemory("escaping URI value\n"); \
+ xmlFreeURI(uri); \
+ xmlFree(ret); \
+ return NULL; } \
+
if (uri->scheme) {
segment = xmlURIEscapeStr(BAD_CAST uri->scheme, BAD_CAST "+-.");
NULLCHK(segment)
@@ -1800,7 +1801,7 @@
if (uri->user) {
segment = xmlURIEscapeStr(BAD_CAST uri->user, BAD_CAST ";:&=+$,");
NULLCHK(segment)
- ret = xmlStrcat(ret,BAD_CAST "//");
+ ret = xmlStrcat(ret,BAD_CAST "//");
ret = xmlStrcat(ret, segment);
ret = xmlStrcat(ret, BAD_CAST "@");
xmlFree(segment);
@@ -1809,8 +1810,8 @@
if (uri->server) {
segment = xmlURIEscapeStr(BAD_CAST uri->server, BAD_CAST "/?;:@");
NULLCHK(segment)
- if (uri->user == NULL)
- ret = xmlStrcat(ret, BAD_CAST "//");
+ if (uri->user == NULL)
+ ret = xmlStrcat(ret, BAD_CAST "//");
ret = xmlStrcat(ret, segment);
xmlFree(segment);
}
