From fd801845c860dbdc3be91ed55e464abfd0a0f04e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 7 Jan 2024 15:19:58 +0100
Subject: [PATCH] fuzz: Cap URL size

Cap URL size to avoid quadratic behavior when generating error messages.
---
 fuzz/fuzz.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/fuzz/fuzz.c b/fuzz/fuzz.c
index 8a939197..f202ca3a 100644
--- a/fuzz/fuzz.c
+++ b/fuzz/fuzz.c
@@ -304,16 +304,21 @@ xmlFuzzReadEntities(void) {
 while (1) {
 const char *url, *entity;
- size_t entitySize;
+ size_t urlSize, entitySize;
 xmlFuzzEntityInfo *entityInfo;
 
- url = xmlFuzzReadString(NULL);
+ url = xmlFuzzReadString(&urlSize);
 if (url == NULL)
 break;
 entity = xmlFuzzReadString(&entitySize);
 if (entity == NULL)
 break;
 
- if (xmlHashLookup(fuzzData.entities, (xmlChar *)url) == NULL) {
+ /*
+ * Cap URL size to avoid quadratic behavior when generating
+ * error messages or looking up entities.
+ */
+ if (urlSize < 50 &&
+ xmlHashLookup(fuzzData.entities, (xmlChar *)url) == NULL) {
 entityInfo = xmlMalloc(sizeof(xmlFuzzEntityInfo));
 if (entityInfo == NULL)
 break;
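Review bot: The cap in `if (urlSize < 50 &&` is a bare magic number; hoisting it to a file-scope constant such as `enum { FUZZ_MAX_URL_SIZE = 50 };` (constructed name) and testing `if (urlSize < FUZZ_MAX_URL_SIZE &&` would make the limit discoverable and keep it in one place if other readers of the fuzz input need the same bound. The new comment could also state the consequence of the check: an entity whose URL reaches the cap is still consumed from the fuzz input by the two xmlFuzzReadString calls but is never registered, so later lookups of it fail silently rather than being treated as corrupt input. Whether `urlSize` counts the terminating NUL depends on xmlFuzzReadString, which is outside the hunk, so the `<` boundary is worth confirming against that helper. xmlFuzzReadEntities begins before the hunk and its loop body continues past it.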