
(-)file_not_specified_in_diff (-13 / +56 lines)
0
-- libxml2-2.6.32.dfsg.orig/entities.c
0
++ libxml2-2.6.32.dfsg/entities.c
Lines 102-108 Link Here
102
        dict = entity->doc->dict;
102
        dict = entity->doc->dict;
103
103
104
104
105
    if ((entity->children) && (entity->owner == 1) &&
105
    if ((entity->children) && (entity->owner != 0) &&
106
        (entity == (xmlEntityPtr) entity->children->parent))
106
        (entity == (xmlEntityPtr) entity->children->parent))
107
        xmlFreeNodeList(entity->children);
107
        xmlFreeNodeList(entity->children);
108
    if (dict != NULL) {
108
    if (dict != NULL) {
109
-- libxml2-2.6.32.dfsg.orig/parser.c
109
++ libxml2-2.6.32.dfsg/parser.c
Lines 2344-2350 Link Here
2344
	return(NULL);
2344
	return(NULL);
2345
    last = str + len;
2345
    last = str + len;
2346
2346
2347
    if (ctxt->depth > 40) {
2347
    if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
2348
	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
2348
	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
2349
	return(NULL);
2349
	return(NULL);
2350
    }
2350
    }
Lines 2382-2387 Link Here
2382
			"String decoding Entity Reference: %.30s\n",
2382
			"String decoding Entity Reference: %.30s\n",
2383
			str);
2383
			str);
2384
	    ent = xmlParseStringEntityRef(ctxt, &str);
2384
	    ent = xmlParseStringEntityRef(ctxt, &str);
2385
	    if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
2386
	        goto int_error;
2387
	    ctxt->nbentities++;
2388
	    if (ent != NULL)
2389
	        ctxt->nbentities += ent->owner;
2385
	    if ((ent != NULL) &&
2390
	    if ((ent != NULL) &&
2386
		(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
2391
		(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
2387
		if (ent->content != NULL) {
2392
		if (ent->content != NULL) {
Lines 2427-2432 Link Here
2427
		xmlGenericError(xmlGenericErrorContext,
2432
		xmlGenericError(xmlGenericErrorContext,
2428
			"String decoding PE Reference: %.30s\n", str);
2433
			"String decoding PE Reference: %.30s\n", str);
2429
	    ent = xmlParseStringPEReference(ctxt, &str);
2434
	    ent = xmlParseStringPEReference(ctxt, &str);
2435
	    if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
2436
	        goto int_error;
2437
	    ctxt->nbentities++;
2438
	    if (ent != NULL)
2439
	        ctxt->nbentities += ent->owner;
2430
	    if (ent != NULL) {
2440
	    if (ent != NULL) {
2431
                if (ent->content == NULL) {
2441
                if (ent->content == NULL) {
2432
		    if (xmlLoadEntityContent(ctxt, ent) < 0) {
2442
		    if (xmlLoadEntityContent(ctxt, ent) < 0) {
Lines 2468-2473 Link Here
2468
    xmlErrMemory(ctxt, NULL);
2478
    xmlErrMemory(ctxt, NULL);
2469
    if (rep != NULL)
2479
    if (rep != NULL)
2470
        xmlFree(rep);
2480
        xmlFree(rep);
2481
int_error:
2471
    if (buffer != NULL)
2482
    if (buffer != NULL)
2472
        xmlFree(buffer);
2483
        xmlFree(buffer);
2473
    return(NULL);
2484
    return(NULL);
Lines 3280-3285 Link Here
3280
		}
3291
		}
3281
	    } else {
3292
	    } else {
3282
		ent = xmlParseEntityRef(ctxt);
3293
		ent = xmlParseEntityRef(ctxt);
3294
		ctxt->nbentities++;
3295
		if (ent != NULL)
3296
		    ctxt->nbentities += ent->owner;
3283
		if ((ent != NULL) &&
3297
		if ((ent != NULL) &&
3284
		    (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
3298
		    (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
3285
		    if (len > buf_size - 10) {
3299
		    if (len > buf_size - 10) {
Lines 4566-4571 Link Here
4566
    int isParameter = 0;
4580
    int isParameter = 0;
4567
    xmlChar *orig = NULL;
4581
    xmlChar *orig = NULL;
4568
    int skipped;
4582
    int skipped;
4583
    unsigned long oldnbent = ctxt->nbentities;
4569
    
4584
    
4570
    /* GROW; done in the caller */
4585
    /* GROW; done in the caller */
4571
    if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
4586
    if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
Lines 4783-4788 Link Here
4783
		}
4798
		}
4784
	    }
4799
	    }
4785
            if (cur != NULL) {
4800
            if (cur != NULL) {
4801
	        if ((cur->owner != 0) || (cur->children == NULL)) {
4802
		    cur->owner = ctxt->nbentities - oldnbent;
4803
		    if (cur->owner ==  0)
4804
		        cur->owner = 1;
4805
		}
4786
	        if (cur->orig != NULL)
4806
	        if (cur->orig != NULL)
4787
		    xmlFree(orig);
4807
		    xmlFree(orig);
4788
		else
4808
		else
Lines 6189-6194 Link Here
6189
	if (ent == NULL) return;
6209
	if (ent == NULL) return;
6190
	if (!ctxt->wellFormed)
6210
	if (!ctxt->wellFormed)
6191
	    return;
6211
	    return;
6212
	ctxt->nbentities++;
6213
	if (ctxt->nbentities >= 500000) {
6214
	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
6215
	    return;
6216
	}
6192
	was_checked = ent->checked;
6217
	was_checked = ent->checked;
6193
	if ((ent->name != NULL) && 
6218
	if ((ent->name != NULL) && 
6194
	    (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
6219
	    (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
Lines 6240-6246 Link Here
6240
			    (ent->children == NULL)) {
6265
			    (ent->children == NULL)) {
6241
			    ent->children = list;
6266
			    ent->children = list;
6242
			    ent->last = list;
6267
			    ent->last = list;
6243
			    ent->owner = 1;
6268
			    if (ent->owner == 0)
6269
				ent->owner = 1;
6244
			    list->parent = (xmlNodePtr) ent;
6270
			    list->parent = (xmlNodePtr) ent;
6245
			} else {
6271
			} else {
6246
			    xmlFreeNodeList(list);
6272
			    xmlFreeNodeList(list);
Lines 6249-6254 Link Here
6249
			xmlFreeNodeList(list);
6275
			xmlFreeNodeList(list);
6250
		    }
6276
		    }
6251
		} else {
6277
		} else {
6278
		    unsigned long oldnbent = ctxt->nbentities;
6252
		    /*
6279
		    /*
6253
		     * 4.3.2: An internal general parsed entity is well-formed
6280
		     * 4.3.2: An internal general parsed entity is well-formed
6254
		     * if its replacement text matches the production labeled
6281
		     * if its replacement text matches the production labeled
Lines 6271-6276 Link Here
6271
			ret = xmlParseBalancedChunkMemoryInternal(ctxt,
6298
			ret = xmlParseBalancedChunkMemoryInternal(ctxt,
6272
					   value, user_data, &list);
6299
					   value, user_data, &list);
6273
			ctxt->depth--;
6300
			ctxt->depth--;
6301
6274
		    } else if (ent->etype ==
6302
		    } else if (ent->etype ==
6275
			       XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
6303
			       XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
6276
			ctxt->depth++;
6304
			ctxt->depth++;
Lines 6283-6288 Link Here
6283
			xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
6311
			xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
6284
				     "invalid entity type found\n", NULL);
6312
				     "invalid entity type found\n", NULL);
6285
		    }
6313
		    }
6314
		    if ((ent->owner != 0) || (ent->children == NULL)) {
6315
			ent->owner = ctxt->nbentities - oldnbent;
6316
			if (ent->owner == 0)
6317
			    ent->owner = 1;
6318
		    }
6286
		    if (ret == XML_ERR_ENTITY_LOOP) {
6319
		    if (ret == XML_ERR_ENTITY_LOOP) {
6287
			xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
6320
			xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
6288
			return;
6321
			return;
Lines 6301-6307 Link Here
6301
				    (ctxt->parseMode == XML_PARSE_READER)) {
6334
				    (ctxt->parseMode == XML_PARSE_READER)) {
6302
				    list->parent = (xmlNodePtr) ent;
6335
				    list->parent = (xmlNodePtr) ent;
6303
				    list = NULL;
6336
				    list = NULL;
6304
				    ent->owner = 1;
6337
				    if (ent->owner == 0)
6338
					ent->owner = 1;
6305
				} else {
6339
				} else {
6306
				    ent->owner = 0;
6340
				    ent->owner = 0;
6307
				    while (list != NULL) {
6341
				    while (list != NULL) {
Lines 6318-6324 Link Here
6318
#endif /* LIBXML_LEGACY_ENABLED */
6352
#endif /* LIBXML_LEGACY_ENABLED */
6319
				}
6353
				}
6320
			    } else {
6354
			    } else {
6321
				ent->owner = 1;
6355
			        if (ent->owner == 0)
6356
				    ent->owner = 1;
6322
				while (list != NULL) {
6357
				while (list != NULL) {
6323
				    list->parent = (xmlNodePtr) ent;
6358
				    list->parent = (xmlNodePtr) ent;
6324
				    if (list->next == NULL)
6359
				    if (list->next == NULL)
Lines 6393-6398 Link Here
6393
		}
6428
		}
6394
		return;
6429
		return;
6395
	    }
6430
	    }
6431
	    ctxt->nbentities += ent->owner;
6396
	    if ((ctxt->sax != NULL) && (ctxt->sax->reference != NULL) &&
6432
	    if ((ctxt->sax != NULL) && (ctxt->sax->reference != NULL) &&
6397
	        (ctxt->replaceEntities == 0) && (!ctxt->disableSAX)) {
6433
	        (ctxt->replaceEntities == 0) && (!ctxt->disableSAX)) {
6398
		/*
6434
		/*
Lines 6495-6501 Link Here
6495
				break;
6531
				break;
6496
			    cur = next;
6532
			    cur = next;
6497
			}
6533
			}
6498
			ent->owner = 1;
6534
			if (ent->owner == 0)
6535
			    ent->owner = 1;
6499
#ifdef LIBXML_LEGACY_ENABLED
6536
#ifdef LIBXML_LEGACY_ENABLED
6500
			if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY)			      
6537
			if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY)			      
6501
			  xmlAddEntityReference(ent, firstChild, nw);
6538
			  xmlAddEntityReference(ent, firstChild, nw);
Lines 11480-11486 Link Here
11480
11517
11481
    if (ctx == NULL) return(-1);
11518
    if (ctx == NULL) return(-1);
11482
11519
11483
    if (ctx->depth > 40) {
11520
    if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
11484
	return(XML_ERR_ENTITY_LOOP);
11521
	return(XML_ERR_ENTITY_LOOP);
11485
    }
11522
    }
11486
11523
Lines 11681-11687 Link Here
11681
    xmlChar start[4];
11718
    xmlChar start[4];
11682
    xmlCharEncoding enc;
11719
    xmlCharEncoding enc;
11683
11720
11684
    if (depth > 40) {
11721
    if ((depth > 40) ||
11722
        ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
11685
	return(XML_ERR_ENTITY_LOOP);
11723
	return(XML_ERR_ENTITY_LOOP);
11686
    }
11724
    }
11687
11725
Lines 11824-11829 Link Here
11824
    oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
11862
    oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
11825
    oldctxt->node_seq.length = ctxt->node_seq.length;
11863
    oldctxt->node_seq.length = ctxt->node_seq.length;
11826
    oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
11864
    oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
11865
    oldctxt->nbentities += ctxt->nbentities;
11827
    ctxt->node_seq.maximum = 0;
11866
    ctxt->node_seq.maximum = 0;
11828
    ctxt->node_seq.length = 0;
11867
    ctxt->node_seq.length = 0;
11829
    ctxt->node_seq.buffer = NULL;
11868
    ctxt->node_seq.buffer = NULL;
Lines 11924-11930 Link Here
11924
    int size;
11963
    int size;
11925
    xmlParserErrors ret = XML_ERR_OK;
11964
    xmlParserErrors ret = XML_ERR_OK;
11926
11965
11927
    if (oldctxt->depth > 40) {
11966
    if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
11928
	return(XML_ERR_ENTITY_LOOP);
11967
	return(XML_ERR_ENTITY_LOOP);
11929
    }
11968
    }
11930
11969
Lines 12048-12053 Link Here
12048
        ctxt->myDoc->last = last;
12087
        ctxt->myDoc->last = last;
12049
    }
12088
    }
12050
	
12089
	
12090
    oldctxt->nbentities += ctxt->nbentities;
12051
    ctxt->sax = oldsax;
12091
    ctxt->sax = oldsax;
12052
    ctxt->dict = NULL;
12092
    ctxt->dict = NULL;
12053
    ctxt->attsDefault = NULL;
12093
    ctxt->attsDefault = NULL;
Lines 13363-13368 Link Here
13363
    ctxt->depth = 0;
13403
    ctxt->depth = 0;
13364
    ctxt->charset = XML_CHAR_ENCODING_UTF8;
13404
    ctxt->charset = XML_CHAR_ENCODING_UTF8;
13365
    ctxt->catalogs = NULL;
13405
    ctxt->catalogs = NULL;
13406
    ctxt->nbentities = 0;
13366
    xmlInitNodeInfoSeq(&ctxt->node_seq);
13407
    xmlInitNodeInfoSeq(&ctxt->node_seq);
13367
13408
13368
    if (ctxt->attsDefault != NULL) {
13409
    if (ctxt->attsDefault != NULL) {
13369
-- libxml2-2.6.32.dfsg.orig/include/libxml/parser.h
13410
++ libxml2-2.6.32.dfsg/include/libxml/parser.h
Lines 297-302 Link Here
297
     */
297
     */
298
    xmlError          lastError;
298
    xmlError          lastError;
299
    xmlParserMode     parseMode;    /* the parser mode */
299
    xmlParserMode     parseMode;    /* the parser mode */
300
    unsigned long    nbentities;    /* number of entities references */
300
};
301
};
301
302
302
/**
303
/**
303
-- libxml2-2.6.32.dfsg.orig/parserInternals.c
304
++ libxml2-2.6.32.dfsg/parserInternals.c
Lines 1669-1674 Link Here
1669
    ctxt->depth = 0;
1669
    ctxt->depth = 0;
1670
    ctxt->charset = XML_CHAR_ENCODING_UTF8;
1670
    ctxt->charset = XML_CHAR_ENCODING_UTF8;
1671
    ctxt->catalogs = NULL;
1671
    ctxt->catalogs = NULL;
1672
    ctxt->nbentities = 0;
1672
    xmlInitNodeInfoSeq(&ctxt->node_seq);
1673
    xmlInitNodeInfoSeq(&ctxt->node_seq);
1673
    return(0);
1674
    return(0);
1674
}
1675
}
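Review bot: The expansion cap 500000 is written as a bare literal at five new parser.c lines (2347, 6213, 11520, 11722, 11966), so nothing names what it bounds and a later edit can change one copy and not the others; one `#define XML_PARSER_MAX_ENTITY_REFS 500000 /* cap on entity references expanded per parser context */` used at all five sites would fix that. The cap also looks per-context rather than global: the check at 11721-11722 tests `oldctxt->nbentities` on entry, but the child context used for the nested parse starts from the 0 set by the context initialiser in parserInternals.c (new 1672) and is only folded back at 11865, so the checks at 2347 and 6213 inside the child count from zero and a nested entity can spend the full cap again before the parent sees it — if the child context is created in the part of the function outside the hunk, seeding it with `ctxt->nbentities = oldctxt->nbentities;` and replacing the merge with `oldctxt->nbentities = ctxt->nbentities;` would keep a single running total (the same pair is at 11966/12090). The five-line owner update at 4801-4805 is repeated verbatim at 6314-6318 and gives `owner` a second meaning: the entities.c test at 105 now reads it as an ownership flag, which holds only because 6268-6269, 6337-6338, 6355-6356 and 6534-6535 force it to at least 1, so a comment at the two assignment sites such as `/* owner doubles as the entity's expansion cost; non-zero also means the children list is owned */` would make that coupling explicit. All enclosing functions begin and end outside these hunks.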
