fix: Prevent infinite recursion in xmlCatalogListXMLResolve

2026-01-26 21:41:34 +03:00 · 2025-09-10 18:11:50 +03:00
parent 9827e6e446
commit eae9291aa7
4 changed files with 23 additions and 8 deletions
--- a/catalog.c
+++ b/catalog.c
@@ -65,7 +65,7 @@
 #endif

 static xmlChar *xmlCatalogNormalizePublic(const xmlChar *pubID);
-static int xmlExpandCatalog(xmlCatalogPtr catal, const char *filename);
+static int xmlExpandCatalog(xmlCatalogPtr catal, const char *filename, int depth);

 /************************************************************************
 *									*
@@ -2249,17 +2249,24 @@ xmlGetSGMLCatalogEntryType(const xmlChar *name) {
 * @param file  the filepath for the catalog
 * @param super  should this be handled as a Super Catalog in which case
 *          parsing is not recursive
+ * @param depth  the current depth of the catalog
 * @returns 0 in case of success, -1 in case of error.
 */
 static int
 xmlParseSGMLCatalog(xmlCatalogPtr catal, const xmlChar *value,
-	            const char *file, int super) {
+	            const char *file, int super, int depth) {
    const xmlChar *cur = value;
    xmlChar *base = NULL;
    int res;

    if ((cur == NULL) || (file == NULL))
        return(-1);
+
+    /* Check recursion depth */
+    if (depth > MAX_CATAL_DEPTH) {
+        return(-1);
+    }
+
    base = xmlStrdup((const xmlChar *) file);

    while ((cur != NULL) && (cur[0] != 0)) {
@@ -2437,7 +2444,7 @@ xmlParseSGMLCatalog(xmlCatalogPtr catal, const xmlChar *value,

 		    filename = xmlBuildURI(sysid, base);
 		    if (filename != NULL) {
-			xmlExpandCatalog(catal, (const char *)filename);
+			xmlExpandCatalog(catal, (const char *)filename, depth);
 			xmlFree(filename);
 		    }
 		}
@@ -2584,7 +2591,7 @@ xmlLoadSGMLSuperCatalog(const char *filename)
 	return(NULL);
    }

-    ret = xmlParseSGMLCatalog(catal, content, filename, 1);
+    ret = xmlParseSGMLCatalog(catal, content, filename, 1, 0);
    xmlFree(content);
    if (ret < 0) {
 	xmlFreeCatalog(catal);
@@ -2633,7 +2640,7 @@ xmlLoadACatalog(const char *filename)
 	    xmlFree(content);
 	    return(NULL);
 	}
-        ret = xmlParseSGMLCatalog(catal, content, filename, 0);
+        ret = xmlParseSGMLCatalog(catal, content, filename, 0, 0);
 	if (ret < 0) {
 	    xmlFreeCatalog(catal);
 	    xmlFree(content);
@@ -2660,14 +2667,20 @@ xmlLoadACatalog(const char *filename)
 *
 * @param catal  a catalog
 * @param filename  a file path
+ * @param depth  the current depth of the catalog
 * @returns 0 in case of success, -1 in case of error
 */
 static int
-xmlExpandCatalog(xmlCatalogPtr catal, const char *filename)
+xmlExpandCatalog(xmlCatalogPtr catal, const char *filename, int depth)
 {
    if ((catal == NULL) || (filename == NULL))
 	return(-1);

+    /* Check recursion depth */
+    if (depth > MAX_CATAL_DEPTH) {
+	return(-1);
+    }
+
 #ifdef LIBXML_SGML_CATALOG_ENABLED
    if (catal->type == XML_SGML_CATALOG_TYPE) {
 	xmlChar *content;
@@ -2677,7 +2690,7 @@ xmlExpandCatalog(xmlCatalogPtr catal, const char *filename)
 	if (content == NULL)
 	    return(-1);

-        ret = xmlParseSGMLCatalog(catal, content, filename, 0);
+        ret = xmlParseSGMLCatalog(catal, content, filename, 0, depth + 1);
 	if (ret < 0) {
 	    xmlFree(content);
 	    return(-1);
@@ -3138,7 +3151,7 @@ xmlLoadCatalog(const char *filename)
 	return(0);
    }

-    ret = xmlExpandCatalog(xmlDefaultCatalog, filename);
+    ret = xmlExpandCatalog(xmlDefaultCatalog, filename, 0);
    xmlRMutexUnlock(&xmlCatalogMutex);
    return(ret);
 }
--- a/result/catalogs/recursive
+++ b/result/catalogs/recursive
@@ -0,0 +1 @@
+> 
--- a/test/catalogs/recursive.script
+++ b/test/catalogs/recursive.script
--- a/test/catalogs/recursive.sgml
+++ b/test/catalogs/recursive.sgml
@@ -0,0 +1 @@
+CATALOG recursive.sgml