From a28f7d8789e63f5e2ac63b42083754cba58f1a0e Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Wed, 10 Jun 2020 13:41:13 +0200 Subject: [PATCH] Never expand parameter entities in text declaration When parsing the text declaration of external DTDs or entities, make sure that parameter entities are not expanded. This also fixes a memory leak in certain error cases. The change to xmlSkipBlankChars assumes that the parser state is maintained correctly when parsing external DTDs or parameter entities, and might expose bugs in the code that were hidden previously. Found by OSS-Fuzz. --- parser.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index 046f1cec..3559aaae 100644 --- a/parser.c +++ b/parser.c @@ -2156,7 +2156,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) { * It's Okay to use CUR/NEXT here since all the blanks are on * the ASCII range. */ - if ((ctxt->inputNr == 1) && (ctxt->instate != XML_PARSER_DTD)) { + if (ctxt->instate != XML_PARSER_DTD) { const xmlChar *cur; /* * if we are in the document content, go really fast @@ -6852,6 +6852,7 @@ void xmlParseTextDecl(xmlParserCtxtPtr ctxt) { xmlChar *version; const xmlChar *encoding; + int oldstate; /* * We know that 'instate; + ctxt->instate = XML_PARSER_START; + if (SKIP_BLANKS == 0) { xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Space needed after 'instate = oldstate; return; } if ((encoding == NULL) && (ctxt->errNo == XML_ERR_OK)) { @@ -6909,6 +6915,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) { MOVETO_ENDTAG(CUR_PTR); NEXT; } + + ctxt->instate = oldstate; } /**