This is an automated email from the ASF dual-hosted git repository.
scantor pushed a commit to branch xerces-3.2
in repository https://gitbox.apache.org/repos/asf/xerces-c.git
The following commit(s) were added to refs/heads/xerces-3.2 by this push:
new 583943826 DFAContentModel::checkUniqueParticleAttribution(): fix
memory leak
583943826 is described below
commit 5839438265cc5983132f6101644d32ddebaddd74
Author: Even Rouault <[email protected]>
AuthorDate: Sat Sep 11 23:31:37 2021 +0200
DFAContentModel::checkUniqueParticleAttribution(): fix memory leak
If a memory allocation of conflictTable[] fails, or later in the
function, the array is not freed.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38533
---
src/xercesc/validators/common/DFAContentModel.cpp | 30 ++++++++++++++++++++---
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/xercesc/validators/common/DFAContentModel.cpp
b/src/xercesc/validators/common/DFAContentModel.cpp
index 589efeaca..a6187ca59 100644
--- a/src/xercesc/validators/common/DFAContentModel.cpp
+++ b/src/xercesc/validators/common/DFAContentModel.cpp
@@ -1603,6 +1603,32 @@ void DFAContentModel::checkUniqueParticleAttribution
(SchemaGrammar* const pG
(
fElemMapSize * sizeof(signed char*)
);
+ memset(conflictTable, 0, fElemMapSize * sizeof(signed char*));
+
+ struct ConflictTableKeeper
+ {
+ MemoryManager* fMemoryManager;
+ signed char** fConflictTable;
+ unsigned int fElemMapSize;
+
+ ConflictTableKeeper(MemoryManager* memoryManager,
+ signed char** conflictTable,
+ unsigned int elemMapSize):
+ fMemoryManager(memoryManager),
+ fConflictTable(conflictTable),
+ fElemMapSize(elemMapSize)
+ {
+ }
+
+ ~ConflictTableKeeper()
+ {
+ for (int i = 0; i < fElemMapSize; i++)
+ fMemoryManager->deallocate(fConflictTable[i]);
+ fMemoryManager->deallocate(fConflictTable);
+ }
+ };
+
+ ConflictTableKeeper keeper(fMemoryManager, conflictTable, fElemMapSize);
// initialize the conflict table
for (j = 0; j < fElemMapSize; j++) {
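Review bot: The `~ConflictTableKeeper()` destructor now calls `fMemoryManager->deallocate(fConflictTable[i])` on every slot, including slots the `memset` left null when a later allocation failed, so the error path depends on every `MemoryManager` implementation accepting a null pointer. That contract is not visible in this hunk and an application-supplied manager may not honour it. A guard makes the cleanup independent of it: `if (fConflictTable[i]) fMemoryManager->deallocate(fConflictTable[i]);`. The same loop compares a signed `int i` against the `unsigned int fElemMapSize` member, so `for (unsigned int i = 0; i < fElemMapSize; i++)` would avoid the sign-compare warning and match the member's type. A short comment above the struct would help, for example `// Frees conflictTable and its rows on every exit path, including exceptions`, since the body of `checkUniqueParticleAttribution` starts and ends outside this hunk.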
@@ -1676,10 +1702,6 @@ void DFAContentModel::checkUniqueParticleAttribution
(SchemaGrammar* const pG
}
}
}
-
- for (i = 0; i < fElemMapSize; i++)
- fMemoryManager->deallocate(conflictTable[i]);
- fMemoryManager->deallocate(conflictTable);
}
XERCES_CPP_NAMESPACE_END