Commit 60dded12 authored by Nick Wellnhofer

Clear entity content in case of errors

This only affects recovery mode and avoids integer overflow in
xmlStringGetNodeList and possibly other nasty surprises.

See bug 783052 and

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
https://bugs.chromium.org/p/chromium/issues/detail?id=796804
parent 6e6ae5da
......@@ -149,7 +149,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
--ctxt->depth;
if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
if (rep == NULL) {
ent->content[0] = 0;
}
......@@ -7189,6 +7189,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
(ret != XML_WAR_UNDECLARED_ENTITY)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
"Entity '%s' failed to parse\n", ent->name);
if (ent->content != NULL)
ent->content[0] = 0;
xmlParserEntityCheck(ctxt, 0, ent, 0);
} else if (list != NULL) {
xmlFreeNodeList(list);
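Review bot: The new `ent->content[0] = 0;` in xmlParseReference is guarded by `if (ent->content != NULL)`, but the matching truncation in the xmlParserEntityCheck hunk (`if (rep == NULL) { ent->content[0] = 0; }`) has no such guard; unless an earlier check outside that hunk already rejects a NULL content before the xmlStringDecodeEntities call, a NULL content would make that decode return NULL and the branch would then write through a null pointer, so both sites should use the same guard. Nothing at either site records why the content is being emptied, which matters because this is a deliberate defensive change for recovery mode; a comment at the xmlParseReference site such as `/* Empty the content so recovery mode never re-expands an entity that failed to parse (see xmlStringGetNodeList overflow). */` would keep a later cleanup from removing it. Writing a NUL at offset 0 also leaves any separately stored length for the entity (xmlEntity carries a length field) describing the old content, so code that pairs content with that length should be checked. Both enclosing functions start and end outside the hunks shown.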