mirror of
				https://gitlab.gnome.org/GNOME/libxml2.git
				synced 2025-10-24 13:33:01 +03:00 
			
		
		
		
	Add missing increments of recursion depth counter to XML parser.
For https://bugzilla.gnome.org/show_bug.cgi?id=765207 CVE-2016-3705 The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call xmlStringDecodeEntities() in a recursive context without incrementing the 'depth' counter in the parser context. Because of that omission, the parser failed to detect attribute recursions in certain documents before running out of stack space.
		
				
					committed by
					
						 Daniel Veillard
						Daniel Veillard
					
				
			
			
				
	
			
			
			
						parent
						
							846cf015a7
						
					
				
				
					commit
					8f30bdff69
				
			
							
								
								
									
										8
									
								
								parser.c
									
									
									
									
									
								
							
							
						
						
									
										8
									
								
								parser.c
									
									
									
									
									
								
							| @@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, | ||||
|  | ||||
| 	ent->checked = 1; | ||||
|  | ||||
|         ++ctxt->depth; | ||||
| 	rep = xmlStringDecodeEntities(ctxt, ent->content, | ||||
| 				  XML_SUBSTITUTE_REF, 0, 0, 0); | ||||
|         --ctxt->depth; | ||||
|  | ||||
| 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; | ||||
| 	if (rep != NULL) { | ||||
| @@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { | ||||
| 	 * an entity declaration, it is bypassed and left as is. | ||||
| 	 * so XML_SUBSTITUTE_REF is not set here. | ||||
| 	 */ | ||||
|         ++ctxt->depth; | ||||
| 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, | ||||
| 				      0, 0, 0); | ||||
|         --ctxt->depth; | ||||
| 	if (orig != NULL) | ||||
| 	    *orig = buf; | ||||
| 	else | ||||
| @@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { | ||||
| 		} else if ((ent != NULL) && | ||||
| 		           (ctxt->replaceEntities != 0)) { | ||||
| 		    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { | ||||
| 			++ctxt->depth; | ||||
| 			rep = xmlStringDecodeEntities(ctxt, ent->content, | ||||
| 						      XML_SUBSTITUTE_REF, | ||||
| 						      0, 0, 0); | ||||
| 			--ctxt->depth; | ||||
| 			if (rep != NULL) { | ||||
| 			    current = rep; | ||||
| 			    while (*current != 0) { /* non input consuming */ | ||||
| @@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { | ||||
| 			(ent->content != NULL) && (ent->checked == 0)) { | ||||
| 			unsigned long oldnbent = ctxt->nbentities; | ||||
|  | ||||
| 			++ctxt->depth; | ||||
| 			rep = xmlStringDecodeEntities(ctxt, ent->content, | ||||
| 						  XML_SUBSTITUTE_REF, 0, 0, 0); | ||||
| 			--ctxt->depth; | ||||
|  | ||||
| 			ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; | ||||
| 			if (rep != NULL) { | ||||
|   | ||||
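Review bot: The `++ctxt->depth; ... --ctxt->depth;` bracket is written out by hand at all four call sites (xmlParserEntityCheck, xmlParseEntityValue, and twice in xmlParseAttValueComplex), so the recursion guard still depends on every future caller remembering it, which is exactly the omission this commit fixes. A small static wrapper that does the increment, the call with the `0, 0, 0` terminators and the decrement would make the bracket hard to skip; the depth limit itself is presumably enforced inside xmlStringDecodeEntities, which is not visible here. The description names only two functions although xmlParseEntityValue is patched as well, and the diffstat lists only parser.c, so a regression test covering the recursive-entity case from the bug report would be worth adding. All four enclosing functions start and end outside the hunks shown.

```c
/* Proposed helper (the name is a suggestion): keeps ctxt->depth balanced
 * around every nested entity expansion so callers cannot omit it. */
static xmlChar *
xmlDecodeEntitiesNested(xmlParserCtxtPtr ctxt, const xmlChar *str, int what)
{
    xmlChar *ret;

    ++ctxt->depth;
    ret = xmlStringDecodeEntities(ctxt, str, what, 0, 0, 0);
    --ctxt->depth;
    return ret;
}

/* ... unchanged: xmlParserEntityCheck up to ent->checked = 1 ... */
	rep = xmlDecodeEntitiesNested(ctxt, ent->content, XML_SUBSTITUTE_REF);
```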