Getting colder with our second freeze... it's 3.31.91 release day and string freeze, upload a tarball and lock those strings 🏂

Commit b1d34de4 authored by Daniel Veillard's avatar Daniel Veillard

Fix inappropriate fetch of entities content


libfuzzer regression testing exposed another case where the parser would
fetch content of an external entity while not in validating mode.
Plug that hole
parent 45752d2c
......@@ -2861,7 +2861,21 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
ctxt->nbentities += ent->checked / 2;
if (ent != NULL) {
if (ent->content == NULL) {
xmlLoadEntityContent(ctxt, ent);
* Note: external parsed entities will not be loaded,
* it is not required for a non-validating parser to
* complete external PEreferences coming from the
* internal subset
if (((ctxt->options & XML_PARSE_NOENT) != 0) ||
((ctxt->options & XML_PARSE_DTDVALID) != 0) ||
(ctxt->validate != 0)) {
xmlLoadEntityContent(ctxt, ent);
} else {
"not validating will not read content for PE entity %s\n",
ent->name, NULL);
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment