lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-26 00:37:43 +03:00
Code Activity

Fix exponential behavior with recursive entities

Browse Source 
Fix another case where only recursion depth was limited, but entities
would still be expanded over and over again.

The test case discovered by fuzzing only affected parsing in recovery
mode with XML_PARSE_RECOVER.

Found by OSS-Fuzz.
This commit is contained in:
Nick Wellnhofer
2021-03-13 17:19:32 +01:00
parent 683de7efe4
commit c3fd8c4295
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
parser.c
View File

@@ -2684,8 +2684,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
0, 0, 0);
ctxt->depth--;
if (rep == NULL)
if (rep == NULL) {
ent->content[0] = 0;
goto int_error;
}
current = rep;
while (*current != 0) { /* non input consuming loop */
@@ -2740,8 +2742,11 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
0, 0, 0);
ctxt->depth--;
if (rep == NULL)
if (rep == NULL) {
if (ent->content != NULL)
ent->content[0] = 0;
goto int_error;
}
current = rep;
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;