From 6dc2fdb2bdce02b758801a33da0a15e3446b732d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 7 Jan 2024 14:30:57 +0100
Subject: [PATCH] parser: Account for full size of non-well-formed entities

Account for the full size of the entity if parsing stops because of errors. In our cost model, we have to assume that the entity loader processes the whole entity regardless of its content.
---
 parser.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/parser.c b/parser.c
index 470486cb..1038d71b 100644
--- a/parser.c
+++ b/parser.c
@@ -2395,9 +2395,21 @@ xmlPopPE(xmlParserCtxtPtr ctxt) {
 ent->flags &= ~XML_ENT_EXPANDING;
 if ((ent->flags & XML_ENT_CHECKED) == 0) {
+ int result;
+
+ /*
+ * Read the rest of the stream in case of errors. We want
+ * to account for the whole entity size.
+ */
+ do {
+ ctxt->input->cur = ctxt->input->end;
+ xmlParserShrink(ctxt);
+ result = xmlParserGrow(ctxt);
+ } while (result > 0);
+
 consumed = ctxt->input->consumed;
 xmlSaturatedAddSizeT(&consumed,
- ctxt->input->cur - ctxt->input->base);
+ ctxt->input->end - ctxt->input->base);
 xmlSaturatedAdd(&ent->expandedSize, consumed);
@@ -11976,6 +11988,7 @@ xmlCtxtParseContent(xmlParserCtxtPtr ctxt, xmlParserInputPtr input,
 xmlNodePtr root = NULL;
 xmlNodePtr list = NULL;
 xmlChar *rootName = BAD_CAST "#root";
+ int result;
 if (buildTree) {
 root = xmlNewDocNode(ctxt->myDoc, NULL, rootName, NULL);
@@ -12040,6 +12053,16 @@ xmlCtxtParseContent(xmlParserCtxtPtr ctxt, xmlParserInputPtr input,
 }
 }
+ /*
+ * Read the rest of the stream in case of errors. We want
+ * to account for the whole entity size.
+ */
+ do {
+ ctxt->input->cur = ctxt->input->end;
+ xmlParserShrink(ctxt);
+ result = xmlParserGrow(ctxt);
+ } while (result > 0);
+
 if (buildTree) nodePop(ctxt);
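Review bot: The drain loop added to xmlPopPE has no bound of its own; it keeps calling xmlParserGrow and stops only on `result <= 0`, so after an I/O failure or a resource-limit hit its termination depends entirely on xmlParserGrow reporting that as a negative return rather than as 0 with a flag set elsewhere, a contract that is not visible in this hunk. That reliance should be stated next to the loop, e.g. `/* xmlParserGrow returns <= 0 at EOF or once it has halted the parser on error */`, so that a later change to xmlParserGrow's return convention cannot silently turn this into an endless read. The comment "in case of errors" is also misleading: the loop runs on every first pop of the entity (it is guarded only by `XML_ENT_CHECKED`), and on the well-formed path it is presumably a single grow returning 0, which is worth saying so readers do not hunt for the error condition. xmlPopPE begins before this hunk and continues after it.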
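Review bot: The do/while added near the end of xmlCtxtParseContent is a byte-for-byte copy of the loop added to xmlPopPE earlier in this patch; a `static` helper taking `ctxt`, called from both sites, would keep the termination condition and the shrink/grow order in step when one of them changes. The loop also runs unconditionally rather than "in case of errors" as its comment says, so the comment would read better as `/* Drain the rest of the input (a no-op if parsing consumed it all) so input->consumed covers the whole entity even after an error. */`. It operates on `ctxt->input` while the function was handed an explicit `input` parameter; the two are presumably the same object by this point, but if any error path above can leave a different input on top of the stack the wrong stream would be drained, which is worth confirming. xmlCtxtParseContent begins before this hunk and ends after it.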
@@ -12129,7 +12152,7 @@ xmlCtxtParseEntity(xmlParserCtxtPtr ctxt, xmlEntityPtr ent) {
 * Entity size accounting */
 consumed = input->consumed;
- xmlSaturatedAddSizeT(&consumed, input->cur - input->base);
+ xmlSaturatedAddSizeT(&consumed, input->end - input->base);
 if ((ent->flags & XML_ENT_CHECKED) == 0) xmlSaturatedAdd(&ent->expandedSize, consumed);
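Review bot: Switching the accounting to `input->end - input->base` only yields the full entity size if the input was already read to EOF before this line, and nothing in this hunk does that; presumably it relies on the drain loop this patch adds to xmlCtxtParseContent, so a future early return in that function before its loop, or a caller that parses `input` another way, would silently under-count `ent->expandedSize`. Record the dependency at the accounting site, e.g. `/* input must have been drained to EOF (xmlCtxtParseContent does this), so end - base is the whole entity */`, or move the drain here next to the code that needs it. Note the pointer difference is still passed to xmlSaturatedAddSizeT as before, so the saturation behaviour is unchanged. xmlCtxtParseEntity begins before this hunk and continues after it.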