
fix: xmlXPathParserContext could be double-deleted in OOM case.

It could be double-deleted in xmlXPathEval of libxml2 under an OOM situation.

```
xmlXPathObjectPtr
xmlXPathEval(const xmlChar *str, xmlXPathContextPtr ctx) {
    xmlXPathParserContextPtr ctxt;
    //....
    ctxt = xmlXPathNewParserContext(str, ctx);   // alloc: xmlXPathEval owns ctxt
    //...
    xmlXPathEvalExpr(ctxt);
    //....
    xmlXPathFreeParserContext(ctxt);             // free: the owner's single release
    return(res);
}

void
xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
    //....
    xmlXPathRunEval(ctxt, 0);
}


// https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.12/xpath.c#L13888
static int
xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
{
  //....
  ctxt->valueTab = (xmlXPathObjectPtr *)
       xmlMalloc(10 * sizeof(xmlXPathObjectPtr));
  if (ctxt->valueTab == NULL) {
      xmlXPathPErrMemory(ctxt, "creating evaluation context\n");
      xmlFree(ctxt);  // <<==== ctxt is deleted here, so xmlXPathEval could delete it again.
  }
  //...
}
```

I think it should return here instead of calling xmlFree(..).
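A stand-alone C reproduction of the ownership problem described above, written as an added example rather than taken from libxml2: `demo_eval` stands in for xmlXPathEval (it allocates and frees the parser context), `demo_run_eval_buggy` mirrors the xmlXPathRunEval pattern of freeing the context on the OOM path, and `demo_run_eval_fixed` records the error and returns instead. A small instrumented allocator quarantines freed blocks and counts a second free of the same block, so the double free is observed rather than left as undefined behaviour. All `demo_*` names, the struct and the allocator are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not libxml2 code. The caller (demo_eval, standing in for
 * xmlXPathEval) allocates and frees the parser context; the callee (standing
 * in for xmlXPathRunEval) may only report failure, never free what it was
 * handed. All demo_* names are hypothetical. */

typedef struct {
    const char *expr;   /* expression text, unused by the stand-in */
    void **valueTab;    /* value stack, NULL until the callee allocates it */
    int error;          /* set by the callee on failure (like xmlXPathPErrMemory) */
} demo_parser_ctx;

/* Instrumented allocator: freed blocks are quarantined, so a second free of
 * the same block is counted instead of being undefined behaviour, and one
 * allocation can be forced to fail to simulate OOM. */
#define DEMO_MAX_BLOCKS 16
static struct { void *p; int live; } demo_heap[DEMO_MAX_BLOCKS];
static int demo_heap_n, demo_double_frees, demo_fail_next_alloc;

static void demo_heap_reset(void) {
    int i;
    for (i = 0; i < demo_heap_n; i++) free(demo_heap[i].p);
    demo_heap_n = demo_double_frees = demo_fail_next_alloc = 0;
}

static void *demo_malloc(size_t n) {
    void *p;
    if (demo_fail_next_alloc) { demo_fail_next_alloc = 0; return NULL; } /* injected OOM */
    if (demo_heap_n == DEMO_MAX_BLOCKS || (p = calloc(1, n)) == NULL) return NULL;
    demo_heap[demo_heap_n].p = p;
    demo_heap[demo_heap_n].live = 1;
    demo_heap_n++;
    return p;
}

static void demo_free(void *p) {
    int i;
    if (p == NULL) return;
    for (i = 0; i < demo_heap_n; i++) {
        if (demo_heap[i].p == p) {
            if (!demo_heap[i].live) demo_double_frees++; /* already freed once */
            demo_heap[i].live = 0;                       /* memory kept until reset */
            return;
        }
    }
}

/* Stand-in for xmlXPathFreeParserContext: the caller's single release. */
static void demo_free_ctx(demo_parser_ctx *ctxt) {
    if (ctxt == NULL) return;
    demo_free(ctxt->valueTab);
    demo_free(ctxt);
}

/* Pattern from the report: on OOM the callee frees a context it does not own. */
static int demo_run_eval_buggy(demo_parser_ctx *ctxt) {
    ctxt->valueTab = demo_malloc(10 * sizeof(void *));
    if (ctxt->valueTab == NULL) {
        ctxt->error = 1;
        demo_free(ctxt);   /* wrong owner: demo_eval will free ctxt again */
        return -1;
    }
    return 0;
}

/* Corrected pattern: record the error and return; ownership stays with the caller. */
static int demo_run_eval_fixed(demo_parser_ctx *ctxt) {
    ctxt->valueTab = demo_malloc(10 * sizeof(void *));
    if (ctxt->valueTab == NULL) {
        ctxt->error = 1;
        return -1;
    }
    return 0;
}

/* Stand-in for xmlXPathEval. Returns how many double frees the run produced
 * (0 means the OOM path was handled safely), or -1 if setup itself failed. */
static int demo_eval(const char *expr, int use_fixed, int inject_oom) {
    demo_parser_ctx *ctxt;
    demo_heap_reset();
    ctxt = demo_malloc(sizeof(*ctxt));   /* stand-in for xmlXPathNewParserContext; calloc zeroes it */
    if (ctxt == NULL) return -1;
    ctxt->expr = expr;
    demo_fail_next_alloc = inject_oom;   /* the next allocation is valueTab */
    if (use_fixed) demo_run_eval_fixed(ctxt); else demo_run_eval_buggy(ctxt);
    demo_free_ctx(ctxt);                 /* the caller's own free, exactly once */
    return demo_double_frees;
}

int main(void) {
    printf("buggy, OOM injected: %d double free(s)\n", demo_eval("/a/b", 0, 1));
    printf("fixed, OOM injected: %d double free(s)\n", demo_eval("/a/b", 1, 1));
    demo_heap_reset();   /* release the quarantined blocks */
    return 0;
}
```

The quarantine is what makes the buggy run observable: the caller's `demo_free_ctx` still reads `ctxt->valueTab` from a block the callee already released, which the real allocator would treat as a use-after-free, and the second `demo_free(ctxt)` is then counted as a double free. With the fixed callee the error is carried in `ctxt->error` and the block is released exactly once, which is the behaviour the merge request argues xmlXPathRunEval should have.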
