Commit 1abf2967 authored by Nick Wellnhofer's avatar Nick Wellnhofer
Browse files

Fix exponential runtime and memory in xi:fallback processing

When creating XML_XINCLUDE_START nodes, the children of the original
xi:include node must be freed, otherwise fallback content is copied
twice, doubling runtime and memory consumption for each nested
xi:fallback/xi:include pair.

Found with libFuzzer.
parent 11b57459
<?xml version="1.0"?>
<a>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
</a>
0 1 a 0 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
0 15 a 0 0
<a>
<xi:include href="a01.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:fallback>
<elem/>
<xi:include href="a02.xml">
<xi:fallback>
<elem/>
<xi:include href="a03.xml">
<xi:fallback>
<elem/>
<xi:include href="a04.xml">
<xi:fallback>
<elem/>
<xi:include href="a05.xml">
<xi:fallback>
<elem/>
<xi:include href="a06.xml">
<xi:fallback>
<elem/>
<xi:include href="a07.xml">
<xi:fallback>
<elem/>
<xi:include href="a08.xml">
<xi:fallback>
<elem/>
<xi:include href="a09.xml">
<xi:fallback>
<elem/>
<xi:include href="a10.xml">
<xi:fallback>
<elem/>
<xi:include href="a11.xml">
<xi:fallback>
<elem/>
<xi:include href="a12.xml">
<xi:fallback>
<elem/>
<xi:include href="a13.xml">
<xi:fallback>
<elem/>
<xi:include href="a14.xml">
<xi:fallback>
<elem/>
<xi:include href="a15.xml">
<xi:fallback>
<elem/>
<xi:include href="a16.xml">
<xi:fallback>
<elem/>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</a>
......@@ -2260,11 +2260,19 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) {
xmlUnlinkNode(cur);
xmlFreeNode(cur);
} else {
xmlNodePtr child, next;
/*
* Change the current node as an XInclude start one, and add an
* XInclude end one
*/
cur->type = XML_XINCLUDE_START;
/* Remove fallback children */
for (child = cur->children; child != NULL; child = next) {
next = child->next;
xmlUnlinkNode(child);
xmlFreeNode(child);
}
end = xmlNewDocNode(cur->doc, cur->ns, cur->name, NULL);
if (end == NULL) {
xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref,
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment