From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Wed, 28 Aug 2019 00:24:59 +0200 Subject: [PATCH 189/286] xmlparse.c: Deny internal entities closing the doctype --- expat/lib/xmlparse.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/lib/xmlparse.c b/lib/xmlparse.c index f4506b0..3df4347 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c @@ -412,9 +412,10 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, static enum XML_Error initializeEncoding(XML_Parser parser); static enum XML_Error -doProlog(XML_Parser parser, const ENCODING *enc, const char *s, - const char *end, int tok, const char *next, const char **nextPtr, - XML_Bool haveMore); +doProlog(XML_Parser parser, const ENCODING *enc, + const char *s, const char *end, int tok, + const char *next, const char **nextPtr, + XML_Bool haveMore, XML_Bool allowClosingDoctype); static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl); @@ -4240,8 +4241,8 @@ externalParEntProcessor(XML_Parser parser, } parser->m_processor = prologProcessor; - return doProlog(parser, parser->m_encoding, s, end, tok, next, - nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, + (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); } static enum XML_Error PTRCALL @@ -4290,20 +4291,14 @@ prologProcessor(XML_Parser parser, { const char *next = s; int tok = XmlPrologTok(parser->m_encoding, s, end, &next); - return doProlog(parser, parser->m_encoding, s, end, tok, next, - nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); + return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, + (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); } static enum XML_Error -doProlog(XML_Parser parser, - const ENCODING *enc, - const char *s, - const char *end, - int tok, - const char *next, - const char **nextPtr, - XML_Bool haveMore) -{ +doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + int tok, const char *next, const char **nextPtr, XML_Bool haveMore, + XML_Bool allowClosingDoctype) { #ifdef XML_DTD static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; #endif /* XML_DTD */ @@ -4481,6 +4476,11 @@ doProlog(XML_Parser parser, } break; case XML_ROLE_DOCTYPE_CLOSE: + if (allowClosingDoctype != XML_TRUE) { + /* Must not close doctype from within expanded parameter entities */ + return XML_ERROR_INVALID_TOKEN; + } + if (parser->m_doctypeName) { parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, parser->m_doctypeSysid, parser->m_doctypePubid, 0); @@ -5417,8 +5417,8 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, #ifdef XML_DTD if (entity->is_param) { int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); - result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, - next, &next, XML_FALSE); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, + tok, next, &next, XML_FALSE, XML_FALSE); } else #endif /* XML_DTD */ @@ -5464,8 +5464,8 @@ internalEntityProcessor(XML_Parser parser, #ifdef XML_DTD if (entity->is_param) { int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); - result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, - next, &next, XML_FALSE); + result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, + tok, next, &next, XML_FALSE, XML_TRUE); } else #endif /* XML_DTD */ @@ -5492,7 +5492,7 @@ internalEntityProcessor(XML_Parser parser, parser->m_processor = prologProcessor; tok = XmlPrologTok(parser->m_encoding, s, end, &next); return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, - (XML_Bool)!parser->m_parsingStatus.finalBuffer); + (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); } else #endif /* XML_DTD */ --- 2.19.1