Attachment #2869 for bug #16963

View | Details | Raw Unified | Return to bug 16963
Collapse All | Expand All

Line Link Here

(-)file_not_specified_in_diff (-13 / +56 lines)
0	-- libxml2-2.6.32.dfsg.orig/entities.c	0	++ libxml2-2.6.32.dfsg/entities.c
Lines 102-108 Link Here
102	dict = entity->doc->dict;	102	dict = entity->doc->dict;
103		103
104		104
105	if ((entity->children) && (entity->owner == 1) &&	105	if ((entity->children) && (entity->owner != 0) &&
106	(entity == (xmlEntityPtr) entity->children->parent))	106	(entity == (xmlEntityPtr) entity->children->parent))
107	xmlFreeNodeList(entity->children);	107	xmlFreeNodeList(entity->children);
108	if (dict != NULL) {	108	if (dict != NULL) {
109	-- libxml2-2.6.32.dfsg.orig/parser.c	109	++ libxml2-2.6.32.dfsg/parser.c
Lines 2344-2350 Link Here
2344	return(NULL);	2344	return(NULL);
2345	last = str + len;	2345	last = str + len;
2346		2346
2347	if (ctxt->depth > 40) {	2347	if ((ctxt->depth > 40) \|\| (ctxt->nbentities >= 500000)) {
2348	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);	2348	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
2349	return(NULL);	2349	return(NULL);
2350	}	2350	}
Lines 2382-2387 Link Here
2382	"String decoding Entity Reference: %.30s\n",	2382	"String decoding Entity Reference: %.30s\n",
2383	str);	2383	str);
2384	ent = xmlParseStringEntityRef(ctxt, &str);	2384	ent = xmlParseStringEntityRef(ctxt, &str);
		2385	if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
		2386	goto int_error;
		2387	ctxt->nbentities++;
		2388	if (ent != NULL)
		2389	ctxt->nbentities += ent->owner;
2385	if ((ent != NULL) &&	2390	if ((ent != NULL) &&
2386	(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {	2391	(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
2387	if (ent->content != NULL) {	2392	if (ent->content != NULL) {
Lines 2427-2432 Link Here
2427	xmlGenericError(xmlGenericErrorContext,	2432	xmlGenericError(xmlGenericErrorContext,
2428	"String decoding PE Reference: %.30s\n", str);	2433	"String decoding PE Reference: %.30s\n", str);
2429	ent = xmlParseStringPEReference(ctxt, &str);	2434	ent = xmlParseStringPEReference(ctxt, &str);
		2435	if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
		2436	goto int_error;
		2437	ctxt->nbentities++;
		2438	if (ent != NULL)
		2439	ctxt->nbentities += ent->owner;
2430	if (ent != NULL) {	2440	if (ent != NULL) {
2431	if (ent->content == NULL) {	2441	if (ent->content == NULL) {
2432	if (xmlLoadEntityContent(ctxt, ent) < 0) {	2442	if (xmlLoadEntityContent(ctxt, ent) < 0) {
Lines 2468-2473 Link Here
2468	xmlErrMemory(ctxt, NULL);	2478	xmlErrMemory(ctxt, NULL);
2469	if (rep != NULL)	2479	if (rep != NULL)
2470	xmlFree(rep);	2480	xmlFree(rep);
		2481	int_error:
2471	if (buffer != NULL)	2482	if (buffer != NULL)
2472	xmlFree(buffer);	2483	xmlFree(buffer);
2473	return(NULL);	2484	return(NULL);
Lines 3280-3285 Link Here
3280	}	3291	}
3281	} else {	3292	} else {
3282	ent = xmlParseEntityRef(ctxt);	3293	ent = xmlParseEntityRef(ctxt);
		3294	ctxt->nbentities++;
		3295	if (ent != NULL)
		3296	ctxt->nbentities += ent->owner;
3283	if ((ent != NULL) &&	3297	if ((ent != NULL) &&
3284	(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {	3298	(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
3285	if (len > buf_size - 10) {	3299	if (len > buf_size - 10) {
Lines 4566-4571 Link Here
4566	int isParameter = 0;	4580	int isParameter = 0;
4567	xmlChar *orig = NULL;	4581	xmlChar *orig = NULL;
4568	int skipped;	4582	int skipped;
		4583	unsigned long oldnbent = ctxt->nbentities;
4569		4584
4570	/* GROW; done in the caller */	4585	/* GROW; done in the caller */
4571	if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {	4586	if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
Lines 4783-4788 Link Here
4783	}	4798	}
4784	}	4799	}
4785	if (cur != NULL) {	4800	if (cur != NULL) {
		4801	if ((cur->owner != 0) \|\| (cur->children == NULL)) {
		4802	cur->owner = ctxt->nbentities - oldnbent;
		4803	if (cur->owner == 0)
		4804	cur->owner = 1;
		4805	}
4786	if (cur->orig != NULL)	4806	if (cur->orig != NULL)
4787	xmlFree(orig);	4807	xmlFree(orig);
4788	else	4808	else
Lines 6189-6194 Link Here
6189	if (ent == NULL) return;	6209	if (ent == NULL) return;
6190	if (!ctxt->wellFormed)	6210	if (!ctxt->wellFormed)
6191	return;	6211	return;
		6212	ctxt->nbentities++;
		6213	if (ctxt->nbentities >= 500000) {
		6214	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
		6215	return;
		6216	}
6192	was_checked = ent->checked;	6217	was_checked = ent->checked;
6193	if ((ent->name != NULL) &&	6218	if ((ent->name != NULL) &&
6194	(ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {	6219	(ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
Lines 6240-6246 Link Here
6240	(ent->children == NULL)) {	6265	(ent->children == NULL)) {
6241	ent->children = list;	6266	ent->children = list;
6242	ent->last = list;	6267	ent->last = list;
6243	ent->owner = 1;	6268	if (ent->owner == 0)
		6269	ent->owner = 1;
6244	list->parent = (xmlNodePtr) ent;	6270	list->parent = (xmlNodePtr) ent;
6245	} else {	6271	} else {
6246	xmlFreeNodeList(list);	6272	xmlFreeNodeList(list);
Lines 6249-6254 Link Here
6249	xmlFreeNodeList(list);	6275	xmlFreeNodeList(list);
6250	}	6276	}
6251	} else {	6277	} else {
		6278	unsigned long oldnbent = ctxt->nbentities;
6252	/*	6279	/*
6253	* 4.3.2: An internal general parsed entity is well-formed	6280	* 4.3.2: An internal general parsed entity is well-formed
6254	* if its replacement text matches the production labeled	6281	* if its replacement text matches the production labeled
Lines 6271-6276 Link Here
6271	ret = xmlParseBalancedChunkMemoryInternal(ctxt,	6298	ret = xmlParseBalancedChunkMemoryInternal(ctxt,
6272	value, user_data, &list);	6299	value, user_data, &list);
6273	ctxt->depth--;	6300	ctxt->depth--;
		6301
6274	} else if (ent->etype ==	6302	} else if (ent->etype ==
6275	XML_EXTERNAL_GENERAL_PARSED_ENTITY) {	6303	XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
6276	ctxt->depth++;	6304	ctxt->depth++;
Lines 6283-6288 Link Here
6283	xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,	6311	xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
6284	"invalid entity type found\n", NULL);	6312	"invalid entity type found\n", NULL);
6285	}	6313	}
		6314	if ((ent->owner != 0) \|\| (ent->children == NULL)) {
		6315	ent->owner = ctxt->nbentities - oldnbent;
		6316	if (ent->owner == 0)
		6317	ent->owner = 1;
		6318	}
6286	if (ret == XML_ERR_ENTITY_LOOP) {	6319	if (ret == XML_ERR_ENTITY_LOOP) {
6287	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);	6320	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
6288	return;	6321	return;
Lines 6301-6307 Link Here
6301	(ctxt->parseMode == XML_PARSE_READER)) {	6334	(ctxt->parseMode == XML_PARSE_READER)) {
6302	list->parent = (xmlNodePtr) ent;	6335	list->parent = (xmlNodePtr) ent;
6303	list = NULL;	6336	list = NULL;
6304	ent->owner = 1;	6337	if (ent->owner == 0)
		6338	ent->owner = 1;
6305	} else {	6339	} else {
6306	ent->owner = 0;	6340	ent->owner = 0;
6307	while (list != NULL) {	6341	while (list != NULL) {
Lines 6318-6324 Link Here
6318	#endif /* LIBXML_LEGACY_ENABLED */	6352	#endif /* LIBXML_LEGACY_ENABLED */
6319	}	6353	}
6320	} else {	6354	} else {
6321	ent->owner = 1;	6355	if (ent->owner == 0)
		6356	ent->owner = 1;
6322	while (list != NULL) {	6357	while (list != NULL) {
6323	list->parent = (xmlNodePtr) ent;	6358	list->parent = (xmlNodePtr) ent;
6324	if (list->next == NULL)	6359	if (list->next == NULL)
Lines 6393-6398 Link Here
6393	}	6428	}
6394	return;	6429	return;
6395	}	6430	}
		6431	ctxt->nbentities += ent->owner;
6396	if ((ctxt->sax != NULL) && (ctxt->sax->reference != NULL) &&	6432	if ((ctxt->sax != NULL) && (ctxt->sax->reference != NULL) &&
6397	(ctxt->replaceEntities == 0) && (!ctxt->disableSAX)) {	6433	(ctxt->replaceEntities == 0) && (!ctxt->disableSAX)) {
6398	/*	6434	/*
Lines 6495-6501 Link Here
6495	break;	6531	break;
6496	cur = next;	6532	cur = next;
6497	}	6533	}
6498	ent->owner = 1;	6534	if (ent->owner == 0)
		6535	ent->owner = 1;
6499	#ifdef LIBXML_LEGACY_ENABLED	6536	#ifdef LIBXML_LEGACY_ENABLED
6500	if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY)	6537	if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY)
6501	xmlAddEntityReference(ent, firstChild, nw);	6538	xmlAddEntityReference(ent, firstChild, nw);
Lines 11480-11486 Link Here
11480		11517
11481	if (ctx == NULL) return(-1);	11518	if (ctx == NULL) return(-1);
11482		11519
11483	if (ctx->depth > 40) {	11520	if ((ctx->depth > 40) \|\| (ctx->nbentities >= 500000)) {
11484	return(XML_ERR_ENTITY_LOOP);	11521	return(XML_ERR_ENTITY_LOOP);
11485	}	11522	}
11486		11523
Lines 11681-11687 Link Here
11681	xmlChar start[4];	11718	xmlChar start[4];
11682	xmlCharEncoding enc;	11719	xmlCharEncoding enc;
11683		11720
11684	if (depth > 40) {	11721	if ((depth > 40) \|\|
		11722	((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
11685	return(XML_ERR_ENTITY_LOOP);	11723	return(XML_ERR_ENTITY_LOOP);
11686	}	11724	}
11687		11725
Lines 11824-11829 Link Here
11824	oldctxt->node_seq.maximum = ctxt->node_seq.maximum;	11862	oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
11825	oldctxt->node_seq.length = ctxt->node_seq.length;	11863	oldctxt->node_seq.length = ctxt->node_seq.length;
11826	oldctxt->node_seq.buffer = ctxt->node_seq.buffer;	11864	oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
		11865	oldctxt->nbentities += ctxt->nbentities;
11827	ctxt->node_seq.maximum = 0;	11866	ctxt->node_seq.maximum = 0;
11828	ctxt->node_seq.length = 0;	11867	ctxt->node_seq.length = 0;
11829	ctxt->node_seq.buffer = NULL;	11868	ctxt->node_seq.buffer = NULL;
Lines 11924-11930 Link Here
11924	int size;	11963	int size;
11925	xmlParserErrors ret = XML_ERR_OK;	11964	xmlParserErrors ret = XML_ERR_OK;
11926		11965
11927	if (oldctxt->depth > 40) {	11966	if ((oldctxt->depth > 40) \|\| (oldctxt->nbentities >= 500000)) {
11928	return(XML_ERR_ENTITY_LOOP);	11967	return(XML_ERR_ENTITY_LOOP);
11929	}	11968	}
11930		11969
Lines 12048-12053 Link Here
12048	ctxt->myDoc->last = last;	12087	ctxt->myDoc->last = last;
12049	}	12088	}
12050		12089
		12090	oldctxt->nbentities += ctxt->nbentities;
12051	ctxt->sax = oldsax;	12091	ctxt->sax = oldsax;
12052	ctxt->dict = NULL;	12092	ctxt->dict = NULL;
12053	ctxt->attsDefault = NULL;	12093	ctxt->attsDefault = NULL;
Lines 13363-13368 Link Here
13363	ctxt->depth = 0;	13403	ctxt->depth = 0;
13364	ctxt->charset = XML_CHAR_ENCODING_UTF8;	13404	ctxt->charset = XML_CHAR_ENCODING_UTF8;
13365	ctxt->catalogs = NULL;	13405	ctxt->catalogs = NULL;
		13406	ctxt->nbentities = 0;
13366	xmlInitNodeInfoSeq(&ctxt->node_seq);	13407	xmlInitNodeInfoSeq(&ctxt->node_seq);
13367		13408
13368	if (ctxt->attsDefault != NULL) {	13409	if (ctxt->attsDefault != NULL) {
13369	-- libxml2-2.6.32.dfsg.orig/include/libxml/parser.h	13410	++ libxml2-2.6.32.dfsg/include/libxml/parser.h
Lines 297-302 Link Here
297	*/	297	*/
298	xmlError lastError;	298	xmlError lastError;
299	xmlParserMode parseMode; /* the parser mode */	299	xmlParserMode parseMode; /* the parser mode */
		300	unsigned long nbentities; /* number of entities references */
300	};	301	};
301		302
302	/**	303	/**
303	-- libxml2-2.6.32.dfsg.orig/parserInternals.c	304	++ libxml2-2.6.32.dfsg/parserInternals.c
Lines 1669-1674 Link Here
1669	ctxt->depth = 0;	1669	ctxt->depth = 0;
1670	ctxt->charset = XML_CHAR_ENCODING_UTF8;	1670	ctxt->charset = XML_CHAR_ENCODING_UTF8;
1671	ctxt->catalogs = NULL;	1671	ctxt->catalogs = NULL;
		1672	ctxt->nbentities = 0;
1672	xmlInitNodeInfoSeq(&ctxt->node_seq);	1673	xmlInitNodeInfoSeq(&ctxt->node_seq);
1673	return(0);	1674	return(0);
1674	}	1675	}

Return to bug 16963