- fix for entities recursion problem

- Resolve: rhbz#459714 daniel

libxml2-2.6.32.entities.patch

@@ -0,0 +1,216 @@
+Index: include/libxml/parser.h
+===================================================================
+--- include/libxml/parser.h	(revision 3771)
++++ include/libxml/parser.h	(working copy)
+@@ -297,6 +297,7 @@ struct _xmlParserCtxt {
+      */
+     xmlError          lastError;
+     xmlParserMode     parseMode;    /* the parser mode */
++    unsigned long    nbentities;    /* number of entities references */
+ };
+ 
+ /**
+Index: parserInternals.c
+===================================================================
+--- parserInternals.c	(revision 3771)
++++ parserInternals.c	(working copy)
+@@ -1670,6 +1670,7 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+     ctxt->depth = 0;
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+     ctxt->catalogs = NULL;
++    ctxt->nbentities = 0;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+     return(0);
+ }
+Index: SAX2.c
+===================================================================
+--- SAX2.c	(revision 3772)
++++ SAX2.c	(working copy)
+@@ -580,7 +580,8 @@ xmlSAX2GetEntity(void *ctx, const xmlCha
+ 	    return(NULL);
+ 	}
+ 	ret->owner = 1;
+-	ret->checked = 1;
++	if (ret->checked == 0)
++	    ret->checked = 1;
+     }
+     return(ret);
+ }
+--- parser.c.orig	2008-04-08 16:47:58.000000000 +0200
++++ parser.c	2008-08-25 17:55:30.000000000 +0200
+@@ -2344,7 +2344,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ 	return(NULL);
+     last = str + len;
+ 
+-    if (ctxt->depth > 40) {
++    if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
+ 	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ 	return(NULL);
+     }
+@@ -2382,6 +2382,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ 			"String decoding Entity Reference: %.30s\n",
+ 			str);
+ 	    ent = xmlParseStringEntityRef(ctxt, &str);
++	    if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
++	        goto int_error;
++	    ctxt->nbentities++;
++	    if (ent != NULL)
++	        ctxt->nbentities += ent->checked;
+ 	    if ((ent != NULL) &&
+ 		(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+ 		if (ent->content != NULL) {
+@@ -2427,6 +2432,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ 		xmlGenericError(xmlGenericErrorContext,
+ 			"String decoding PE Reference: %.30s\n", str);
+ 	    ent = xmlParseStringPEReference(ctxt, &str);
++	    if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
++	        goto int_error;
++	    ctxt->nbentities++;
++	    if (ent != NULL)
++	        ctxt->nbentities += ent->checked;
+ 	    if (ent != NULL) {
+                 if (ent->content == NULL) {
+ 		    if (xmlLoadEntityContent(ctxt, ent) < 0) {
+@@ -2466,6 +2476,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ 
+ mem_error:
+     xmlErrMemory(ctxt, NULL);
++int_error:
+     if (rep != NULL)
+         xmlFree(rep);
+     if (buffer != NULL)
+@@ -3280,6 +3291,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ 		}
+ 	    } else {
+ 		ent = xmlParseEntityRef(ctxt);
++		ctxt->nbentities++;
++		if (ent != NULL)
++		    ctxt->nbentities += ent->checked;
+ 		if ((ent != NULL) &&
+ 		    (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+ 		    if (len > buf_size - 10) {
+@@ -4566,6 +4580,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
+     int isParameter = 0;
+     xmlChar *orig = NULL;
+     int skipped;
++    unsigned long oldnbent = ctxt->nbentities;
+     
+     /* GROW; done in the caller */
+     if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
+@@ -4783,6 +4798,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
+ 		}
+ 	    }
+             if (cur != NULL) {
++	        cur->checked = ctxt->nbentities - oldnbent;
+ 	        if (cur->orig != NULL)
+ 		    xmlFree(orig);
+ 		else
+@@ -6189,6 +6205,11 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ 	if (ent == NULL) return;
+ 	if (!ctxt->wellFormed)
+ 	    return;
++	ctxt->nbentities++;
++	if (ctxt->nbentities >= 500000) {
++	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++	    return;
++	}
+ 	was_checked = ent->checked;
+ 	if ((ent->name != NULL) && 
+ 	    (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
+@@ -6249,6 +6270,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ 			xmlFreeNodeList(list);
+ 		    }
+ 		} else {
++		    unsigned long oldnbent = ctxt->nbentities;
+ 		    /*
+ 		     * 4.3.2: An internal general parsed entity is well-formed
+ 		     * if its replacement text matches the production labeled
+@@ -6271,6 +6293,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ 			ret = xmlParseBalancedChunkMemoryInternal(ctxt,
+ 					   value, user_data, &list);
+ 			ctxt->depth--;
++
+ 		    } else if (ent->etype ==
+ 			       XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
+ 			ctxt->depth++;
+@@ -6283,6 +6306,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ 			xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
+ 				     "invalid entity type found\n", NULL);
+ 		    }
++		    ent->checked = ctxt->nbentities - oldnbent;
+ 		    if (ret == XML_ERR_ENTITY_LOOP) {
+ 			xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ 			return;
+@@ -6339,8 +6363,10 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ 			list = NULL;
+ 		    }
+ 		}
+-		ent->checked = 1;
++		if (ent->checked == 0)
++		    ent->checked = 1;
+ 	    }
++	    ctxt->nbentities += ent->checked;
+ 
+             if (ent->children == NULL) {
+ 		/*
+@@ -6349,7 +6375,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ 		 * though parsing for first checking go though the entity
+ 		 * content to generate callbacks associated to the entity
+ 		 */
+-		if (was_checked == 1) {
++		if (was_checked != 0) {
+ 		    void *user_data;
+ 		    /*
+ 		     * This is a bit hackish but this seems the best
+@@ -11480,7 +11506,7 @@ xmlParseCtxtExternalEntity(xmlParserCtxt
+ 
+     if (ctx == NULL) return(-1);
+ 
+-    if (ctx->depth > 40) {
++    if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
+ 	return(XML_ERR_ENTITY_LOOP);
+     }
+ 
+@@ -11681,7 +11707,8 @@ xmlParseExternalEntityPrivate(xmlDocPtr 
+     xmlChar start[4];
+     xmlCharEncoding enc;
+ 
+-    if (depth > 40) {
++    if ((depth > 40) ||
++        ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
+ 	return(XML_ERR_ENTITY_LOOP);
+     }
+ 
+@@ -11824,6 +11851,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr 
+     oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
+     oldctxt->node_seq.length = ctxt->node_seq.length;
+     oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
++    oldctxt->nbentities += ctxt->nbentities;
+     ctxt->node_seq.maximum = 0;
+     ctxt->node_seq.length = 0;
+     ctxt->node_seq.buffer = NULL;
+@@ -11924,7 +11952,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
+     int size;
+     xmlParserErrors ret = XML_ERR_OK;
+ 
+-    if (oldctxt->depth > 40) {
++    if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
+ 	return(XML_ERR_ENTITY_LOOP);
+     }
+ 
+@@ -12048,6 +12076,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
+         ctxt->myDoc->last = last;
+     }
+ 	
++    oldctxt->nbentities += ctxt->nbentities;
+     ctxt->sax = oldsax;
+     ctxt->dict = NULL;
+     ctxt->attsDefault = NULL;
+@@ -13363,6 +13392,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+     ctxt->depth = 0;
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+     ctxt->catalogs = NULL;
++    ctxt->nbentities = 0;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+ 
+     if (ctxt->attsDefault != NULL) {

libxml2.spec

@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.6.32
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2-%{version}.tar.gz
@@ -9,6 +9,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python python-devel zlib-devel
 URL: http://xmlsoft.org/
 Patch0: libxml2-multilib.patch
+Patch1: libxml2-2.6.32.entities.patch
 
 %description
 This library allows to manipulate XML files. It includes support 
@@ -67,6 +68,7 @@ at parse time or later once the document has been modified.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p0
 
 %build
 %configure
@@ -141,14 +143,18 @@ rm -fr %{buildroot}
 %doc doc/python.html
 
 %changelog
-* Fri May 30 2008 Daniel Veillard <veillard@redhat.com> 2.6.31-3.fc10
+* Mon Aug 25 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-4.fc10
+- fix for entities recursion problem
+- Resolve: rhbz#459714
+
+* Fri May 30 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-3.fc10
 - cleanup based on Fedora packaging guidelines, should fix #226079
 - separate a -static package
 
-* Thu May 15 2008 Daniel Veillard <veillard@redhat.com> 2.6.31-2.fc10
+* Thu May 15 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-2.fc10
 - try to fix multiarch problems like #440206
 
-* Tue Apr  8 2008 Daniel Veillard <veillard@redhat.com> 2.6.31-1.fc9
+* Tue Apr  8 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-1.fc9
 - upstream release 2.6.32 see http://xmlsoft.org/news.html
 - many bug fixed upstream