mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00

Impose a reasonable limit on PI size

Unless the XML_PARSE_HUGE option is given to the parser,
the value is XML_MAX_TEXT_LENGTH, i.e. the same as for a
text node within content.
Also clean up some unsigned int used for memory size.
Daniel Veillard
2012-07-19 20:34:26 +08:00
parent 0de1f3114a
commit 5130481646


@@ -4966,8 +4966,8 @@ error:
void void
xmlParsePI(xmlParserCtxtPtr ctxt) { xmlParsePI(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL; xmlChar *buf = NULL;
int len = 0; size_t len = 0;
int size = XML_PARSER_BUFFER_SIZE; size_t size = XML_PARSER_BUFFER_SIZE;
int cur, l; int cur, l;
const xmlChar *target; const xmlChar *target;
xmlParserInputState state; xmlParserInputState state;
@@ -5024,9 +5024,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
((cur != '?') || (NXT(1) != '>'))) { ((cur != '?') || (NXT(1) != '>'))) {
if (len + 5 >= size) { if (len + 5 >= size) {
xmlChar *tmp; xmlChar *tmp;
size_t new_size = size * 2;
size *= 2; tmp = (xmlChar *) xmlRealloc(buf, new_size);
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
if (tmp == NULL) { if (tmp == NULL) {
xmlErrMemory(ctxt, NULL); xmlErrMemory(ctxt, NULL);
xmlFree(buf); xmlFree(buf);
@@ -5034,11 +5033,20 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
return; return;
} }
buf = tmp; buf = tmp;
size = new_size;
} }
count++; count++;
if (count > 50) { if (count > 50) {
GROW; GROW;
count = 0; count = 0;
if ((len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
"PI %s too big found", target);
xmlFree(buf);
ctxt->instate = state;
return;
}
} }
COPY_BUF(l,buf,len,cur); COPY_BUF(l,buf,len,cur);
NEXTL(l); NEXTL(l);
@@ -5049,6 +5057,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
cur = CUR_CHAR(l); cur = CUR_CHAR(l);
} }
} }
if ((len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
"PI %s too big found", target);
xmlFree(buf);
ctxt->instate = state;
return;
}
buf[len] = 0; buf[len] = 0;
if (cur != '?') { if (cur != '?') {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
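Review bot: Both new size-limit exits (the one inside the `count > 50` branch and the one after the loop) report with `XML_ERR_PI_NOT_FINISHED`, the same code the unterminated-PI path just below uses, so a caller or log filter keyed on the error code cannot tell a resource-limit rejection from malformed input; only the message text differs. A distinct error code for limit violations, if the project has or adds one, would make these rejections easy to count when parsing untrusted documents. The in-loop check is reached only about once every 50 characters, so `len` can pass XML_MAX_TEXT_LENGTH by a small bounded amount before the parse stops; a comment such as `/* sampled check: bounds buffer growth; the test after the loop is the exact one */` would record that this is intended. With XML_PARSE_HUGE set neither check applies and `size * 2` has no wrap guard, so that option should stay off for untrusted input. xmlParsePI begins and ends outside the visible hunks.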