GNOME Bugzilla – Bug 692813
Suspect algorithm in several of libxml2's allocation paths
Last modified: 2021-07-05 13:22:50 UTC
We can see in xinclude.c, xmlreader.c, nanohttp.c and maybe others similar constructions like this (libxml2-2.9.0/xinclude.c, xmlXIncludeNewRef()):

    if (ctxt->incNr >= ctxt->incMax) {
        ctxt->incMax *= 2;
        ctxt->incTab = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
                           ctxt->incMax * sizeof(ctxt->incTab[0]));
        if (ctxt->incTab == NULL) {
            xmlXIncludeErrMemory(ctxt, ref, "growing XInclude context");
            xmlXIncludeFreeRef(ret);
            return(NULL);
        }
    }

incMax is doubled (ctxt->incMax *= 2) and it remains doubled even if the allocation fails. Can't this cause any problem?
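The pattern the report quotes, reduced to a small self-contained C program (an added illustration, not libxml2 code): a hypothetical growable pointer table with a constructed allocator hook that can be told to fail once. push_flawed mirrors the quoted code, doubling the capacity before the realloc and leaving it doubled when the realloc returns NULL; push_fixed computes the new size and buffer into locals and commits both only on success. grow_under_failure fills a table, forces the growth realloc to fail and reports whether the table's bookkeeping still describes a live buffer afterwards.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical table shaped like the incTab/incNr/incMax trio in the report. */
typedef struct {
    void **tab;
    int nr;
    int max;
} ptr_table;

/* Constructed allocator hook: set to 1 to make the next realloc fail once.
   A failing realloc leaves the old block untouched, which is what we model. */
static int fail_next_realloc = 0;

static void *hook_realloc(void *p, size_t n) {
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

static int table_init(ptr_table *t, int initial) {
    t->tab = (void **) malloc((size_t) initial * sizeof(t->tab[0]));
    if (t->tab == NULL) return -1;
    t->nr = 0;
    t->max = initial;
    return 0;
}

/* Same shape as the quoted code: max is doubled first and stays doubled,
   and the old pointer is overwritten with NULL, when realloc fails. */
static int push_flawed(ptr_table *t, void *item) {
    if (t->nr >= t->max) {
        t->max *= 2;
        t->tab = (void **) hook_realloc(t->tab, (size_t) t->max * sizeof(t->tab[0]));
        if (t->tab == NULL)
            return -1;
    }
    t->tab[t->nr++] = item;
    return 0;
}

/* Hardened form: nothing in *t changes until the new buffer exists. */
static int push_fixed(ptr_table *t, void *item) {
    if (t->nr >= t->max) {
        int new_max = t->max * 2;
        void **new_tab = (void **) hook_realloc(t->tab, (size_t) new_max * sizeof(t->tab[0]));
        if (new_tab == NULL)
            return -1;          /* t->tab and t->max still match a live buffer */
        t->tab = new_tab;
        t->max = new_max;
    }
    t->tab[t->nr++] = item;
    return 0;
}

/* Fill a capacity-2 table, force the growth realloc to fail, and report the
   max/nr the caller is left with. Returns 1 if the table is still usable
   (and can grow once the allocator recovers), 0 if its state is inconsistent. */
static int grow_under_failure(int (*push)(ptr_table *, void *), int *max_out, int *nr_out) {
    ptr_table t;
    static int items[3];        /* constructed payload; only addresses matter */
    if (table_init(&t, 2) != 0) return -1;
    push(&t, &items[0]);
    push(&t, &items[1]);
    void **before = t.tab;
    fail_next_realloc = 1;
    int rc = push(&t, &items[2]);   /* third push must grow; realloc fails */
    *max_out = t.max;
    *nr_out = t.nr;
    int consistent = (rc == -1 && t.tab == before && t.max == 2);
    if (consistent) {
        /* allocator works again: the same table keeps growing normally */
        consistent = (push(&t, &items[2]) == 0 && t.nr == 3 && t.max == 4);
        free(t.tab);
    } else {
        free(before);           /* flawed path dropped the old pointer */
    }
    return consistent;
}

int main(void) {
    int max, nr;
    int ok = grow_under_failure(push_flawed, &max, &nr);
    printf("flawed: consistent=%d max=%d nr=%d\n", ok, max, nr);
    ok = grow_under_failure(push_fixed, &max, &nr);
    printf("fixed:  consistent=%d max=%d nr=%d\n", ok, max, nr);
    return 0;
}
```

In the flawed path the caller is left with max=4 while no 4-slot buffer exists (and the pointer to the 2-slot buffer is gone), so any code that trusts max as the buffer's size afterwards is working from a lie; the fixed path leaves max=2 and the original buffer intact, so the failure is a clean, recoverable error.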
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/libxml2/-/issues/ Thank you for your understanding and your help.