From 80a0580f234cdfe656af8fdec04a3e4188439c20 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sat, 30 Sep 2023 15:47:46 +0200
Subject: [PATCH] xinclude: Expand comment about fuzz timeouts
---
 xinclude.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/xinclude.c b/xinclude.c
index 9c144a1e..b6581558 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -1841,6 +1841,20 @@ xmlXIncludeExpandNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node) {
 * The XInclude engine offers no protection against exponential
 * expansion attacks similar to "billion laughs". Avoid timeouts by
 * limiting the total number of replacements when fuzzing.
+ *
+ * Unfortuately, a single XInclude can already result in quadratic
+ * behavior:
+ *
+ *
+ *
+ *
+ *
+ *
+ *
+ *
+ *
+ *
+ *
 */
 if (ctxt->incTotal >= 20)
 return(NULL);
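Review bot: The expanded comment still does not say what a non-fuzzing build gets. It states that the engine has no protection against exponential expansion and that the cap exists to avoid timeouts "when fuzzing", so presumably the `if (ctxt->incTotal >= 20)` check is compiled only into fuzzing builds; the guard around it is outside the hunk and should be confirmed. If that holds, a closing line such as `* This limit is not active in regular builds; callers processing untrusted documents must bound XInclude expansion themselves.` would state it outright, and a word on why the bare `20` was chosen would help whoever tunes it later. The first added sentence also has a typo: `Unfortuately` should read `Unfortunately`. The example lines after `behavior:` are empty on this page, so the quadratic case they illustrate could not be checked here.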