[libxml2] Avoid building recursive entities

From: Daniel Veillard <veillard src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Avoid building recursive entities
Date: Mon, 23 May 2016 08:06:55 +0000 (UTC)

commit bdd66182ef53fe1f7209ab6535fda56366bd7ac9
Author: Daniel Veillard <veillard redhat com>
Date:   Mon May 23 12:27:58 2016 +0800

    Avoid building recursive entities
    
    For https://bugzilla.gnome.org/show_bug.cgi?id=762100
    
    When we detect a recusive entity we should really not
    build the associated data, moreover if someone bypass
    libxml2 fatal errors and still tries to serialize a broken
    entity make sure we don't risk to get ito a recursion
    
    * parser.c: xmlParserEntityCheck() don't build if entity loop
      were found and remove the associated text content
    * tree.c: xmlStringGetNodeList() avoid a potential recursion

 parser.c |    6 +++++-
 tree.c   |    1 +
 2 files changed, 6 insertions(+), 1 deletions(-)
---
diff --git a/parser.c b/parser.c
index ea0e89e..53a6b7f 100644
--- a/parser.c
+++ b/parser.c
@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
      * entities problems
      */
     if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
-       (ent->content != NULL) && (ent->checked == 0)) {
+       (ent->content != NULL) && (ent->checked == 0) &&
+       (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
        unsigned long oldnbent = ctxt->nbentities;
        xmlChar *rep;
 
@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
        rep = xmlStringDecodeEntities(ctxt, ent->content,
                                  XML_SUBSTITUTE_REF, 0, 0, 0);
         --ctxt->depth;
+       if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
+           ent->content[0] = 0;
+       }
 
        ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
        if (rep != NULL) {
diff --git a/tree.c b/tree.c
index 7fbca6e..9d330b8 100644
--- a/tree.c
+++ b/tree.c
@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
                        else if ((ent != NULL) && (ent->children == NULL)) {
                            xmlNodePtr temp;
 
+                           ent->children = (xmlNodePtr) -1;
                            ent->children = xmlStringGetNodeList(doc,
                                    (const xmlChar*)node->content);
                            ent->owner = 1;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]