[xml] [PATCH] Fix attribute decoding during XML schema validation



For https://bugzilla.gnome.org/show_bug.cgi?id=766834

vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
so this function can't call xmlStringLenDecodeEntities to decode the
entities.
---
 xmlschemas.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/xmlschemas.c b/xmlschemas.c
index e1b3a4f..59535e5 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
     * attributes yet.
     */
     if (nb_attributes != 0) {
+       int valueLen, k, l;
        xmlChar *value;
 
         for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {
@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
            * libxml2 differs from normal SAX here in that it escapes all ampersands
            * as &#38; instead of delivering the raw converted string. Changing the
            * behavior at this point would break applications that use this API, so
-           * we are forced to work around it. There is no danger of accidentally
-           * decoding some entity other than &#38; in this step because without
-           * unescaped ampersands there can be no other entities in the string.
+           * we are forced to work around it.
            */
-           value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],
-               attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);
+           valueLen = attributes[j+4] - attributes[j+3];
+           value = xmlMallocAtomic(valueLen + 1);
+           if (value == NULL) {
+               xmlSchemaVErrMemory(vctxt,
+                   "allocating string for decoded attribute",
+                   NULL);
+               goto internal_error;
+           }
+           for (k = 0, l = 0; k < valueLen; l++) {
+               if (k < valueLen - 4 &&
+                   attributes[j+3][k+0] == '&' &&
+                   attributes[j+3][k+1] == '#' &&
+                   attributes[j+3][k+2] == '3' &&
+                   attributes[j+3][k+3] == '8' &&
+                   attributes[j+3][k+4] == ';') {
+                   value[l] = '&';
+                   k += 5;
+               } else {
+                   value[l] = attributes[j+3][k];
+                   k++;
+               }
+           }
+           value[l] = '\0';
            /*
            * TODO: Set the node line.
            */
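Review bot: `valueLen = attributes[j+4] - attributes[j+3];` narrows a pointer difference to `int`, and the result is used unchecked as the allocation size (`valueLen + 1`) and as the bound of the copy loop. The parser presumably caps attribute lengths, so this may be unreachable in practice, but this handler runs on untrusted documents and a guard such as `if (valueLen < 0) goto internal_error;` before the `xmlMallocAtomic` call would make the bound explicit. The shortened comment also drops the reason why decoding only `&#38;` is sufficient. I would keep a line above the loop such as `/* Only &#38; is unescaped: without raw ampersands no other entity can appear, so every other byte is copied verbatim. */`. The enclosing function starts and ends outside the hunk, so the ownership of `value` on the later error paths cannot be checked from here.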
-- 
2.8.3


