lib/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Code Activity

Impose a reasonable limit on attribute size

Browse Source 
Unless the XML_PARSE_HUGE option is given to the parser,
the value is XML_MAX_TEXT_LENGTH, i.e. the same than for a
text node within content.
This commit is contained in:
Daniel Veillard
2012-07-19 11:25:16 +08:00
parent b60e612e87
commit e17db9946c
1 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
parser.c
View File

@@ -3800,6 +3800,16 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
c = CUR_CHAR(l); c = CUR_CHAR(l);
while ((NXT(0) != limit) && /* checked */ while ((NXT(0) != limit) && /* checked */
(IS_CHAR(c)) && (c != '<')) { (IS_CHAR(c)) && (c != '<')) {
/*
* Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
* special option is given
*/
if ((len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue lenght too long\n");
goto mem_error;
}
if (c == 0) break; if (c == 0) break;
if (c == '&') { if (c == '&') {
in_space = 0; in_space = 0;
@@ -8663,6 +8673,12 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
in = in + delta; in = in + delta;
} }
end = ctxt->input->end; end = ctxt->input->end;
if (((in - start) > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue lenght too long\n");
return(NULL);
}
} }
} }
while ((in < end) && (*in != limit) && (*in >= 0x20) && while ((in < end) && (*in != limit) && (*in >= 0x20) &&
@@ -8677,6 +8693,12 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
in = in + delta; in = in + delta;
} }
end = ctxt->input->end; end = ctxt->input->end;
if (((in - start) > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue lenght too long\n");
return(NULL);
}
} }
} }
last = in; last = in;
@@ -8698,8 +8720,20 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
last = last + delta; last = last + delta;
} }
end = ctxt->input->end; end = ctxt->input->end;
if (((in - start) > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue lenght too long\n");
return(NULL);
} }
} }
}
if (((in - start) > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue lenght too long\n");
return(NULL);
}
if (*in != limit) goto need_complex; if (*in != limit) goto need_complex;
} else { } else {
while ((in < end) && (*in != limit) && (*in >= 0x20) && while ((in < end) && (*in != limit) && (*in >= 0x20) &&
@@ -8714,9 +8748,21 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
in = in + delta; in = in + delta;
} }
end = ctxt->input->end; end = ctxt->input->end;
if (((in - start) > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue lenght too long\n");
return(NULL);
}
} }
} }
last = in; last = in;
if (((in - start) > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue lenght too long\n");
return(NULL);
}
if (*in != limit) goto need_complex; if (*in != limit) goto need_complex;
} }
in++; in++;