Commit 899a5d9f authored by Nick Wellnhofer's avatar Nick Wellnhofer

Detect infinite recursion in parameter entities

When expanding a parameter entity in a DTD, infinite recursion could
lead to an infinite loop or memory exhaustion.

Thanks to Wei Lei for the first of many reports.

Fixes bug 759579.
parent fb56f80e
......@@ -2250,6 +2250,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
xmlGenericError(xmlGenericErrorContext,
"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
}
if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
(ctxt->inputNr > 1024)) {
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
while (ctxt->inputNr > 1)
xmlFreeInputStream(inputPop(ctxt));
return(-1);
}
ret = inputPush(ctxt, input);
if (ctxt->instate == XML_PARSER_EOF)
return(-1);
......@@ -7916,8 +7923,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
return;
input = xmlNewEntityInputStream(ctxt, entity);
if (xmlPushInput(ctxt, input) < 0)
if (xmlPushInput(ctxt, input) < 0) {
xmlFreeInputStream(input);
return;
}
if (entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) {
/*
......
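Review bot: The new `xmlFreeInputStream(input);` in xmlParsePEReference runs on every negative return from xmlPushInput, but xmlPushInput has two `return(-1)` paths with different ownership: the added depth check returns before `inputPush(ctxt, input)`, while the `ctxt->instate == XML_PARSER_EOF` check returns after it. On that second path the input is presumably already on the context's input stack (inputPush is not visible here), so freeing it at the call site could leave a dangling entry that is used or freed again when the context is torn down. Consider making xmlPushInput own the input on failure, i.e. add `xmlFreeInputStream(input);` before the `return(-1);` in the depth-check branch and drop the free in the caller, and state in the function's header comment who releases `input` on error. Both functions continue outside the visible hunks, and any other callers of xmlPushInput would need the same audit.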
Entity: line 2: parser error : Detected an entity reference loop
%z; %z; %z; %z; %z;
^
Entity: line 2:
%z; %z; %z; %z; %z;
^
Entity: line 2: parser error : Detected an entity reference loop
%z; %z; %z; %z; %z;
^
Entity: line 2:
%z; %z; %z; %z; %z;
^
./test/errors/759579.xml : failed to parse
<!DOCTYPE doc [
<!ENTITY % z '
&#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
&#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
&#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
&#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
&#37;z; &#37;z; &#37;z; &#37;z; &#37;z;
'>
%z;
]>
<doc/>