Commit 5ccac8ce authored by Nick Wellnhofer's avatar Nick Wellnhofer
Browse files

Make sure that xmlParseQName returns NULL in error case

If there's an error growing the input buffer when recovering from
invalid QNames, make sure to return NULL. Otherwise, callers could be
confused. In xmlParseStartTag2, for example, `tlen` could become

Found by OSS-Fuzz.
parent f209e551
......@@ -8723,6 +8723,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) {
if (l == NULL) {
xmlChar *tmp;
if (ctxt->instate == XML_PARSER_EOF)
xmlNsErr(ctxt, XML_NS_ERR_QNAME,
"Failed to parse QName '%s:'\n", p, NULL, NULL);
l = xmlParseNmtoken(ctxt);
......@@ -8751,6 +8753,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) {
*prefix = p;
if (ctxt->instate == XML_PARSER_EOF)
tmp = xmlBuildQName(BAD_CAST "", l, NULL, 0);
l = xmlDictLookup(ctxt->dict, tmp, -1);
if (tmp != NULL) xmlFree(tmp);
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment