This is an automated email from the ASF dual-hosted git repository.

rleigh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/xerces-c.git


The following commit(s) were added to refs/heads/master by this push:
     new 79f61cb  DFAContentModel::checkUniqueParticleAttribution(): fix memory 
leak
     new 60fd4e2  Merge pull request #35 from 
rouault/fix_memleak_checkUniqueParticleAttribution
79f61cb is described below

commit 79f61cb45672546187b2bc6863858ee410267d00
Author: Even Rouault <even.roua...@spatialys.com>
AuthorDate: Sat Sep 11 23:31:37 2021 +0200

    DFAContentModel::checkUniqueParticleAttribution(): fix memory leak
    
    If a memory allocation for conflictTable[] fails, or a failure occurs
    later in the function, the array is not freed.
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38533
---
 src/xercesc/validators/common/DFAContentModel.cpp | 30 ++++++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/xercesc/validators/common/DFAContentModel.cpp 
b/src/xercesc/validators/common/DFAContentModel.cpp
index 615eba9..2f590fe 100644
--- a/src/xercesc/validators/common/DFAContentModel.cpp
+++ b/src/xercesc/validators/common/DFAContentModel.cpp
@@ -1603,6 +1603,32 @@ void DFAContentModel::checkUniqueParticleAttribution 
(SchemaGrammar*    const pG
     (
         fElemMapSize * sizeof(signed char*)
     );
+    memset(conflictTable, 0, fElemMapSize * sizeof(signed char*));
+
+    struct ConflictTableKeeper
+    {
+        MemoryManager* fMemoryManager;
+        signed char**  fConflictTable;
+        unsigned int   fElemMapSize;
+
+        ConflictTableKeeper(MemoryManager* memoryManager,
+                            signed char** conflictTable,
+                            unsigned int elemMapSize):
+            fMemoryManager(memoryManager),
+            fConflictTable(conflictTable),
+            fElemMapSize(elemMapSize)
+        {
+        }
+
+        ~ConflictTableKeeper()
+        {
+            for (int i = 0; i < fElemMapSize; i++)
+                fMemoryManager->deallocate(fConflictTable[i]);
+            fMemoryManager->deallocate(fConflictTable);
+        }
+    };
+
+    ConflictTableKeeper keeper(fMemoryManager, conflictTable, fElemMapSize);
 
     // initialize the conflict table
     for (j = 0; j < fElemMapSize; j++) {
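Review bot: The destructor loop `for (int i = 0; i < fElemMapSize; i++)` compares a signed `int` against the `unsigned int fElemMapSize` member, which raises sign-compare warnings on the new code; `for (unsigned int i = 0; i < fElemMapSize; i++)` keeps the index type consistent with the member it is bounded by. The cleanup also depends on the preceding `memset` leaving null entries for rows never allocated and on `MemoryManager::deallocate` tolerating a null pointer, which I infer rather than see here; a comment on the destructor such as `// rows never allocated are null (memset above); deallocate() must accept null` would pin that invariant for later edits. Since ConflictTableKeeper has an implicit copy constructor, a copy would double-free; it is only used as a local here, but a short comment stating it must not be copied would make that intent explicit. checkUniqueParticleAttribution starts and ends outside the hunk.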
@@ -1676,10 +1702,6 @@ void DFAContentModel::checkUniqueParticleAttribution 
(SchemaGrammar*    const pG
             }
         }
     }
-
-    for (i = 0; i < fElemMapSize; i++)
-        fMemoryManager->deallocate(conflictTable[i]);
-    fMemoryManager->deallocate(conflictTable);
 }
 
 }
