GNOME Bugzilla – Bug 794373
xmlBufBackToBuffer leaks memory when buf->error is set
Last modified: 2019-09-13 15:57:50 UTC
My application code uses the xmlNodeDump API, which internally uses xmlBufPtr as a wrapper, as below:

    xmlBufferCreate
    xmlNodeDump
        xmlBufFromBuffer
        xmlBufNodeDump
        xmlBufBackToBuffer
    ....
    xmlBufferFree    (-> application crashing here)

I am tracing a crash in the application when run under low-memory scenarios. On code inspection I found that xmlBufNodeDump can realloc xmlBufPtr->content for large XML. In case of realloc, the older 'content' pointer is freed. If xmlBufNodeDump errors later due to 'no memory', it sets buf->error = XML_ERR_NO_MEMORY, and when that happens xmlBufBackToBuffer returns NULL:

    xmlBufferPtr
    xmlBufBackToBuffer(xmlBufPtr buf) {
        xmlBufferPtr ret;

        if ((buf == NULL) || (buf->error))
            return(NULL);
        ....
        ....
        .....
        ret->use = (int) buf->use;
        ret->size = (int) buf->size;
        ret->alloc = buf->alloc;
        ret->content = buf->content;
        ret->contentIO = buf->contentIO;
        xmlFree(buf);
        return(ret);
    }

When buf->error is set, it leaks the xmlBufPtr and skips the copy of xmlBufPtr to xmlBufferPtr. This can lead to xmlBufferPtr->content holding an already freed pointer. When the application later calls xmlBufferFree, it crashes. Returning NULL in the case when buf->error is set leads to a memory leak and may leave xmlBufferPtr->content with an old pointer.
Should be fixed here: https://gitlab.gnome.org/GNOME/libxml2/commit/5f1f455c2f659eb6c82adf2b1d3ae00466367873
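As an added illustration (not libxml2's code, and not the change in the linked commit), the model below reproduces the ownership pattern the report describes: a wrapper borrows the owner's content pointer, grows it (freeing the old block), then reports an error. `back_buggy` mirrors the quoted early return; `back_fixed` shows one way to leave the owner safe to free. All type and function names here are invented for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Models xmlBuffer (the owner the application frees) and xmlBuf (wrapper). */
typedef struct { char *content; size_t use, size; } Owner;
typedef struct { char *content; size_t use, size; int error; Owner *owner; } Wrap;
static Wrap *wrap_from_owner(Owner *o) {           /* like xmlBufFromBuffer */
    Wrap *w = calloc(1, sizeof *w);
    if (w == NULL) return NULL;
    w->content = o->content; w->use = o->use; w->size = o->size; w->owner = o;
    return w;
}
/* Grow by moving (the old block is always freed), then optionally fail:
 * the "realloc, later XML_ERR_NO_MEMORY" sequence described in the report. */
static void wrap_grow(Wrap *w, size_t need, int then_fail) {
    char *n = malloc(need);
    if (n == NULL) { w->error = 1; return; }
    memcpy(n, w->content, w->use);
    free(w->content); w->content = n; w->size = need;  /* owner->content is now stale */
    if (then_fail) w->error = 1;                       /* simulated allocation failure */
}
static Owner *hand_back(Wrap *w) {    /* copy fields back to the owner, free the wrapper */
    Owner *o = w->owner; o->content = w->content; o->use = w->use; o->size = w->size;
    free(w); return o;
}
/* As quoted in the report: on error the wrapper leaks and the owner keeps the freed pointer. */
static Owner *back_buggy(Wrap *w) {
    return (w == NULL || w->error) ? NULL : hand_back(w);
}
/* Error path handled: release what the wrapper owns, reset the owner so its later free is safe. */
static Owner *back_fixed(Wrap *w) {
    if (w == NULL) return NULL;
    if (!w->error) return hand_back(w);
    Owner *o = w->owner; free(w->content); free(w);
    o->content = NULL; o->use = o->size = 0; return NULL;
}
/* Run a failing dump through one hand-back. Returns 1 if the owner is left
 * safe to free (content NULL or live), 0 if it still holds a stale pointer. */
static int owner_safe_after_failure(int use_fixed) {
    Owner o = { malloc(8), 0, 8 };
    if (o.content == NULL) return -1;
    Wrap *w = wrap_from_owner(&o);
    if (w == NULL) { free(o.content); return -1; }
    wrap_grow(w, 64, 1);
    int safe = (use_fixed ? back_fixed(w) : back_buggy(w)) != NULL || o.content == NULL;
    if (safe) free(o.content);               /* what the application does */
    else { free(w->content); free(w); }      /* reclaim the buggy path's leak */
    return safe;
}
```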