1a9ffb4d7f
- Resolve: rhbz#459714 daniel
217 lines
6.9 KiB
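--- a/include/libxml/parser.h
+++ b/include/libxml/parser.h
@@ -297,6 +297,7 @@ struct _xmlParserCtxt {
 */
 xmlError lastError;
 xmlParserMode parseMode; /* the parser mode */
+ unsigned long nbentities; /* number of entities references */
 };
 
 /**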
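Review bot: The comment on the new `nbentities` field undersells what the counter holds. The parser.c part of this patch bumps it by one per reference and also adds `ent->checked`, so it is a cumulative expansion cost rather than a plain count of references. I would document it as `/* cumulative count of entity references expanded, used to cap entity expansion */`. The field is appended as the last member of a struct in a public header, presumably to keep existing member offsets stable; a short remark saying so would discourage a later reorder. The struct definition starts outside the hunk.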
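--- a/parserInternals.c
+++ b/parserInternals.c
@@ -1670,6 +1670,7 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
 ctxt->depth = 0;
 ctxt->charset = XML_CHAR_ENCODING_UTF8;
 ctxt->catalogs = NULL;
+ ctxt->nbentities = 0;
 xmlInitNodeInfoSeq(&ctxt->node_seq);
 return(0);
 }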
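--- a/SAX2.c
+++ b/SAX2.c
@@ -580,7 +580,8 @@ xmlSAX2GetEntity(void *ctx, const xmlCha
 return(NULL);
 }
 ret->owner = 1;
- ret->checked = 1;
+ if (ret->checked == 0)
+ ret->checked = 1;
 }
 return(ret);
 }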
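Review bot: The new guard `if (ret->checked == 0)` reads oddly without a comment, because nothing in this function shows why `checked` could hold anything other than 0 or 1. The parser.c part of the patch stores a reference count in that field (`cur->checked = ctxt->nbentities - oldnbent;`), so the guard exists to avoid overwriting a recorded count. A one-line comment such as `/* checked may already hold the entity's reference count; do not clobber it */` would make that explicit. xmlSAX2GetEntity begins outside the hunk.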
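--- a/parser.c
+++ b/parser.c
@@ -2344,7 +2344,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 return(NULL);
 last = str + len;
 
- if (ctxt->depth > 40) {
+ if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
 xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
 return(NULL);
 }
@@ -2382,6 +2382,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 "String decoding Entity Reference: %.30s\n",
 str);
 ent = xmlParseStringEntityRef(ctxt, &str);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ goto int_error;
+ ctxt->nbentities++;
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked;
 if ((ent != NULL) &&
 (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
 if (ent->content != NULL) {
@@ -2427,6 +2432,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 xmlGenericError(xmlGenericErrorContext,
 "String decoding PE Reference: %.30s\n", str);
 ent = xmlParseStringPEReference(ctxt, &str);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ goto int_error;
+ ctxt->nbentities++;
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked;
 if (ent != NULL) {
 if (ent->content == NULL) {
 if (xmlLoadEntityContent(ctxt, ent) < 0) {
@@ -2466,6 +2476,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 
 mem_error:
 xmlErrMemory(ctxt, NULL);
+int_error:
 if (rep != NULL)
 xmlFree(rep);
 if (buffer != NULL)
@@ -3280,6 +3291,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 }
 } else {
 ent = xmlParseEntityRef(ctxt);
+ ctxt->nbentities++;
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked;
 if ((ent != NULL) &&
 (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
 if (len > buf_size - 10) {
@@ -4566,6 +4580,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
 int isParameter = 0;
 xmlChar *orig = NULL;
 int skipped;
+ unsigned long oldnbent = ctxt->nbentities;
 
 /* GROW; done in the caller */
 if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
@@ -4783,6 +4798,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
 }
 }
 if (cur != NULL) {
+ cur->checked = ctxt->nbentities - oldnbent;
 if (cur->orig != NULL)
 xmlFree(orig);
 else
@@ -6189,6 +6205,11 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 if (ent == NULL) return;
 if (!ctxt->wellFormed)
 return;
+ ctxt->nbentities++;
+ if (ctxt->nbentities >= 500000) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return;
+ }
 was_checked = ent->checked;
 if ((ent->name != NULL) &&
 (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
@@ -6249,6 +6270,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 xmlFreeNodeList(list);
 }
 } else {
+ unsigned long oldnbent = ctxt->nbentities;
 /*
 * 4.3.2: An internal general parsed entity is well-formed
 * if its replacement text matches the production labeled
@@ -6271,6 +6293,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 ret = xmlParseBalancedChunkMemoryInternal(ctxt,
 value, user_data, &list);
 ctxt->depth--;
+
 } else if (ent->etype ==
 XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
 ctxt->depth++;
@@ -6283,6 +6306,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
 "invalid entity type found\n", NULL);
 }
+ ent->checked = ctxt->nbentities - oldnbent;
 if (ret == XML_ERR_ENTITY_LOOP) {
 xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
 return;
@@ -6339,8 +6363,10 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 list = NULL;
 }
 }
- ent->checked = 1;
+ if (ent->checked == 0)
+ ent->checked = 1;
 }
+ ctxt->nbentities += ent->checked;
 
 if (ent->children == NULL) {
 /*
@@ -6349,7 +6375,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 * though parsing for first checking go though the entity
 * content to generate callbacks associated to the entity
 */
- if (was_checked == 1) {
+ if (was_checked != 0) {
 void *user_data;
 /*
 * This is a bit hackish but this seems the best
@@ -11480,7 +11506,7 @@ xmlParseCtxtExternalEntity(xmlParserCtxt
 
 if (ctx == NULL) return(-1);
 
- if (ctx->depth > 40) {
+ if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
 return(XML_ERR_ENTITY_LOOP);
 }
 
@@ -11681,7 +11707,8 @@ xmlParseExternalEntityPrivate(xmlDocPtr
 xmlChar start[4];
 xmlCharEncoding enc;
 
- if (depth > 40) {
+ if ((depth > 40) ||
+ ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
 return(XML_ERR_ENTITY_LOOP);
 }
 
@@ -11824,6 +11851,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr
 oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
 oldctxt->node_seq.length = ctxt->node_seq.length;
 oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
+ oldctxt->nbentities += ctxt->nbentities;
 ctxt->node_seq.maximum = 0;
 ctxt->node_seq.length = 0;
 ctxt->node_seq.buffer = NULL;
@@ -11924,7 +11952,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
 int size;
 xmlParserErrors ret = XML_ERR_OK;
 
- if (oldctxt->depth > 40) {
+ if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
 return(XML_ERR_ENTITY_LOOP);
 }
 
@@ -12048,6 +12076,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
 ctxt->myDoc->last = last;
 }
 
+ oldctxt->nbentities += ctxt->nbentities;
 ctxt->sax = oldsax;
 ctxt->dict = NULL;
 ctxt->attsDefault = NULL;
@@ -13363,6 +13392,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
 ctxt->depth = 0;
 ctxt->charset = XML_CHAR_ENCODING_UTF8;
 ctxt->catalogs = NULL;
+ ctxt->nbentities = 0;
 xmlInitNodeInfoSeq(&ctxt->node_seq);
 
 if (ctxt->attsDefault != NULL) {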
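Review bot: The expansion cap `500000` is written out as a bare literal in five separate checks (xmlStringLenDecodeEntities, xmlParseReference, xmlParseCtxtExternalEntity, xmlParseExternalEntityPrivate and xmlParseBalancedChunkMemoryInternal), next to the existing literal depth limit of 40. These checks are the guard against runaway entity expansion, so they should share one named constant that cannot drift between call sites, e.g. `#define XML_PARSER_MAX_ENTITY_REFS 500000` (name is only a suggestion) used as `(ctxt->nbentities >= XML_PARSER_MAX_ENTITY_REFS)`. Separately, the xmlParseAttValueComplex hunk increments the counter but does not test it; from the visible lines the limit appears to be enforced only when one of the other functions is next entered, which is worth confirming and noting in a comment. `ent->checked` is also assigned from an `unsigned long` difference and added back into the counter; its declaration is not part of this patch, so if it is a plain `int` the narrowing deserves an explicit cast or comment. All of these functions continue outside their hunks.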