From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Mon, 23 May 2016 12:27:58 +0800 Subject: [PATCH] Avoid building recursive entities For https://bugzilla.gnome.org/show_bug.cgi?id=762100 When we detect a recusive entity we should really not build the associated data, moreover if someone bypass libxml2 fatal errors and still tries to serialize a broken entity make sure we don't risk to get ito a recursion * parser.c: xmlParserEntityCheck() don't build if entity loop were found and remove the associated text content * tree.c: xmlStringGetNodeList() avoid a potential recursion Upstream-Status: Backport CVE: CVE-2016-3627 Signed-off-by: Armin Kuster etype != XML_INTERNAL_PREDEFINED_ENTITY) && - (ent->content != NULL) && (ent->checked == 0)) { + (ent->content != NULL) && (ent->checked == 0) && + (ctxt->errNo != XML_ERR_ENTITY_LOOP)) { unsigned long oldnbent = ctxt->nbentities; xmlChar *rep; @@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); --ctxt->depth; + if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { + ent->content[0] = 0; + } ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; if (rep != NULL) { diff --git a/tree.c b/tree.c index 7fbca6e..9d330b8 100644 --- a/tree.c +++ b/tree.c @@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { else if ((ent != NULL) && (ent->children == NULL)) { xmlNodePtr temp; + ent->children = (xmlNodePtr) -1; ent->children = xmlStringGetNodeList(doc, (const xmlChar*)node->content); ent->owner = 1; -- 2.3.5