49 lines
1.6 KiB
Diff
49 lines
1.6 KiB
Diff
From c3fd8c429591e06eb847c11bc9273d13b3450d53 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Sat, 13 Mar 2021 17:19:32 +0100
|
|
Subject: [PATCH] Fix exponential behavior with recursive entities
|
|
|
|
Fix another case where only recursion depth was limited, but entities
|
|
would still be expanded over and over again.
|
|
|
|
The test case discovered by fuzzing only affected parsing in recovery
|
|
mode with XML_PARSE_RECOVER.
|
|
|
|
Found by OSS-Fuzz.
|
|
---
|
|
parser.c | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/parser.c b/parser.c
|
|
index efde672..b42e604 100644
|
|
--- a/parser.c
|
|
+++ b/parser.c
|
|
@@ -2684,8 +2684,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
|
|
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
|
|
0, 0, 0);
|
|
ctxt->depth--;
|
|
- if (rep == NULL)
|
|
+ if (rep == NULL) {
|
|
+ ent->content[0] = 0;
|
|
goto int_error;
|
|
+ }
|
|
|
|
current = rep;
|
|
while (*current != 0) { /* non input consuming loop */
|
|
@@ -2740,8 +2742,11 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
|
|
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
|
|
0, 0, 0);
|
|
ctxt->depth--;
|
|
- if (rep == NULL)
|
|
+ if (rep == NULL) {
|
|
+ if (ent->content != NULL)
|
|
+ ent->content[0] = 0;
|
|
goto int_error;
|
|
+ }
|
|
current = rep;
|
|
while (*current != 0) { /* non input consuming loop */
|
|
buffer[nbchars++] = *current++;
|
|
--
|
|
1.8.3.1
|
|
|