Index: include/libxml/parser.h
===================================================================
--- include/libxml/parser.h (revision 3771)
+++ include/libxml/parser.h (working copy)
@@ -297,6 +297,7 @@ struct _xmlParserCtxt {
 */
 xmlError lastError;
 xmlParserMode parseMode; /* the parser mode */
+ unsigned long nbentities; /* number of entities references */
 };
 
 /**
Index: parserInternals.c
===================================================================
--- parserInternals.c (revision 3771)
+++ parserInternals.c (working copy)
@@ -1670,6 +1670,7 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
 ctxt->depth = 0;
 ctxt->charset = XML_CHAR_ENCODING_UTF8;
 ctxt->catalogs = NULL;
+ ctxt->nbentities = 0;
 xmlInitNodeInfoSeq(&ctxt->node_seq);
 return(0);
 }
Index: SAX2.c
===================================================================
--- SAX2.c (revision 3772)
+++ SAX2.c (working copy)
@@ -580,7 +580,8 @@ xmlSAX2GetEntity(void *ctx, const xmlCha
 return(NULL);
 }
 ret->owner = 1;
- ret->checked = 1;
+ if (ret->checked == 0)
+ ret->checked = 1;
 }
 return(ret);
 }
--- parser.c.orig 2008-04-08 16:47:58.000000000 +0200
+++ parser.c 2008-08-25 17:55:30.000000000 +0200
@@ -2344,7 +2344,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 return(NULL);
 last = str + len;
 
- if (ctxt->depth > 40) {
+ if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
 xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
 return(NULL);
 }
@@ -2382,6 +2382,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 "String decoding Entity Reference: %.30s\n",
 str);
 ent = xmlParseStringEntityRef(ctxt, &str);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ goto int_error;
+ ctxt->nbentities++;
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked;
 if ((ent != NULL) &&
 (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
 if (ent->content != NULL) {
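Review bot: The comment on the new `nbentities` field in the `_xmlParserCtxt` hunk, `/* number of entities references */`, does not say what the count is for or how it is bounded, while the parser.c hunks compare it against 500000 and abort with XML_ERR_ENTITY_LOOP. Since the struct is in a public header, suggest `/* running count of entity references expanded in this context; parsing stops with XML_ERR_ENTITY_LOOP once it reaches the expansion limit */`. The same patch also gives the entity struct's `checked` field a second meaning (0 = not yet parsed, otherwise the number of references counted while it was first parsed), and that field's declaration is not in this diff, so it should get a matching comment where it is declared. The counter is zeroed in xmlInitParserCtxt and xmlCtxtReset by the parserInternals.c and +13392 hunks, which the comment could point to.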
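Review bot: The limit 500000 is written as a bare literal in the new condition of the +2344 hunk and again in the +6205, +11506, +11707 and +11952 hunks, so the five checks can drift apart and nothing names what the number means. Suggest one definition next to the existing depth limit, e.g. `#define XML_PARSER_MAX_ENTITY_REFS 500000 /* entity expansion limit; name is a suggestion */`, and here `if ((ctxt->depth > 40) || (ctxt->nbentities >= XML_PARSER_MAX_ENTITY_REFS)) {`. The hard-coded depth limit of 40 predates this patch and could be named in the same place.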
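Review bot: The two increments added after `xmlParseStringEntityRef` in the +2382 hunk (and the identical ones after `xmlParseStringPEReference` in the +2432 hunk and after `xmlParseEntityRef` in the +3291 hunk) grow `ctxt->nbentities` but never compare it with the limit; the only comparison in this function is at its entry, in the +2344 hunk. Within one call, a string that references many entities can carry the counter well past 500000 before any nested decode trips the entry check; the loop may be bounded anyway by each entity's stored `checked` cost, but that cannot be confirmed from the hunk alone since the loop body starts and ends outside it. Suggest re-checking right after the cost is added: `if (ctxt->nbentities >= 500000) { xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); goto int_error; }`, which reuses the `int_error` label introduced by the +2476 hunk. Note that `ent->checked` is only added when an entity was returned, so an undeclared reference still costs 1, which looks intended.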
@@ -2427,6 +2432,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 xmlGenericError(xmlGenericErrorContext, "String decoding PE Reference: %.30s\n", str);
 ent = xmlParseStringPEReference(ctxt, &str);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ goto int_error;
+ ctxt->nbentities++;
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked;
 if (ent != NULL) {
 if (ent->content == NULL) {
 if (xmlLoadEntityContent(ctxt, ent) < 0) {
@@ -2466,6 +2476,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 
 mem_error:
 xmlErrMemory(ctxt, NULL);
+int_error:
 if (rep != NULL)
 xmlFree(rep);
 if (buffer != NULL)
@@ -3280,6 +3291,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 }
 } else {
 ent = xmlParseEntityRef(ctxt);
+ ctxt->nbentities++;
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked;
 if ((ent != NULL) &&
 (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
 if (len > buf_size - 10) {
@@ -4566,6 +4580,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
 int isParameter = 0;
 xmlChar *orig = NULL;
 int skipped;
+ unsigned long oldnbent = ctxt->nbentities;
 /* GROW; done in the caller */
 if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
@@ -4783,6 +4798,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
 }
 }
 if (cur != NULL) {
+ cur->checked = ctxt->nbentities - oldnbent;
 if (cur->orig != NULL)
 xmlFree(orig);
 else
@@ -6189,6 +6205,11 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 if (ent == NULL) return;
 if (!ctxt->wellFormed) return;
+ ctxt->nbentities++;
+ if (ctxt->nbentities >= 500000) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return;
+ }
 was_checked = ent->checked;
 if ((ent->name != NULL) &&
 (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
@@ -6249,6 +6270,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 xmlFreeNodeList(list);
 }
 } else {
+ unsigned long oldnbent = ctxt->nbentities;
 /*
 * 4.3.2: An internal general parsed entity is well-formed
 * if its replacement text matches the production labeled
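Review bot: `cur->checked = ctxt->nbentities - oldnbent;` in the +4798 hunk stores a non-zero value into `checked` for any entity whose declared value referenced other entities, before the entity has ever been referenced. Elsewhere this patch treats `checked == 0` as "not yet parsed" (the SAX2.c hunk, the +6363 hunk and the `was_checked != 0` test in the +6375 hunk), so such an entity will look already checked at its first reference; if the first-reference branch of xmlParseReference, which starts outside the +6270 hunk, is keyed on `checked == 0`, its children would never be built and the `was_checked != 0` fallback would re-parse the content on every reference. That is hedged because the guarding condition is not visible here, but overloading one field as both a "parsed" flag and a cost is fragile, and a separate cost field (or keeping the flag in the low bit) would keep the two meanings apart. Also, if `checked` is declared `int` in the public entity struct, the assignment narrows from `unsigned long` and will warn under -Wconversion.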
@@ -6271,6 +6293,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 ret = xmlParseBalancedChunkMemoryInternal(ctxt, value, user_data, &list);
 ctxt->depth--;
+
 } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
 ctxt->depth++;
@@ -6283,6 +6306,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, "invalid entity type found\n", NULL);
 }
+ ent->checked = ctxt->nbentities - oldnbent;
 if (ret == XML_ERR_ENTITY_LOOP) {
 xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
 return;
@@ -6339,8 +6363,10 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 list = NULL;
 }
 }
- ent->checked = 1;
+ if (ent->checked == 0)
+ ent->checked = 1;
 }
+ ctxt->nbentities += ent->checked;
 if (ent->children == NULL) {
 /*
@@ -6349,7 +6375,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 * though parsing for first checking go though the entity
 * content to generate callbacks associated to the entity
 */
- if (was_checked == 1) {
+ if (was_checked != 0) {
 void *user_data;
 /*
 * This is a bit hackish but this seems the best
@@ -11480,7 +11506,7 @@ xmlParseCtxtExternalEntity(xmlParserCtxt
 if (ctx == NULL) return(-1);
- if (ctx->depth > 40) {
+ if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
 return(XML_ERR_ENTITY_LOOP);
 }
 
@@ -11681,7 +11707,8 @@ xmlParseExternalEntityPrivate(xmlDocPtr
 xmlChar start[4];
 xmlCharEncoding enc;
 
- if (depth > 40) {
+ if ((depth > 40)
+ ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
 return(XML_ERR_ENTITY_LOOP);
 }
 
@@ -11824,6 +11851,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr
 oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
 oldctxt->node_seq.length = ctxt->node_seq.length;
 oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
+ oldctxt->nbentities += ctxt->nbentities;
 ctxt->node_seq.maximum = 0;
 ctxt->node_seq.length = 0;
 ctxt->node_seq.buffer = NULL;
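Review bot: `ctxt->nbentities += ent->checked;` added at the end of the +6363 hunk runs on every path, including the first reference, where the +6306 hunk has just set `ent->checked = ctxt->nbentities - oldnbent;` from a counter that already includes that expansion, so the first reference is charged twice. That only makes the limit stricter, but the addition also comes after the only comparison in this function (the +6205 hunk), so a single reference to an entity with a large stored cost is never itself rejected and only the next reference is. Suggest repeating the comparison after the addition, `if (ctxt->nbentities >= 500000) { xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return; }`, and charging the stored cost only on repeat references, `if (was_checked != 0) ctxt->nbentities += ent->checked;`. xmlParseReference's body continues outside the hunk, so whether predefined entities, which skip the enclosing `if`, carry a meaningful `checked` value cannot be seen here.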
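Review bot: The +11851 hunk folds the child context's count into `oldctxt->nbentities` only after the external entity has been fully parsed, and the +11707 hunk checks `oldctxt->nbentities` only on entry; while the child parses, its own `ctxt->nbentities` starts from the zero set in xmlInitParserCtxt (hedged, the child's creation is outside the hunk), so every comparison inside it measures this one entity rather than the document. Nested external entities therefore each get a fresh 500000 budget per level, and the parent only learns the total afterwards. Suggest seeding the child right after it is created, `if (oldctxt != NULL) ctxt->nbentities = oldctxt->nbentities;`, and storing the result back with `oldctxt->nbentities = ctxt->nbentities;` instead of `+=`; the +12076 hunk in xmlParseBalancedChunkMemoryInternal has the same shape. As shown here, the first added line of the +11707 hunk ends at `(depth > 40)` with no `||` before the second line; that is probably lost in rendering, but worth confirming the patch applies as intended.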
@@ -11924,7 +11952,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
 int size;
 xmlParserErrors ret = XML_ERR_OK;
 
- if (oldctxt->depth > 40) {
+ if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
 return(XML_ERR_ENTITY_LOOP);
 }
 
@@ -12048,6 +12076,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
 ctxt->myDoc->last = last;
 }
 
+ oldctxt->nbentities += ctxt->nbentities;
 ctxt->sax = oldsax;
 ctxt->dict = NULL;
 ctxt->attsDefault = NULL;
@@ -13363,6 +13392,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
 ctxt->depth = 0;
 ctxt->charset = XML_CHAR_ENCODING_UTF8;
 ctxt->catalogs = NULL;
+ ctxt->nbentities = 0;
 xmlInitNodeInfoSeq(&ctxt->node_seq);
 
 if (ctxt->attsDefault != NULL) {