Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-05-24 22:31:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

[LIBXML2] Update to version 2.10.3. CORE-17766

Browse source
This commit is contained in:
Thomas Faber 2022-11-20 10:45:09 -05:00
parent 19da1718e5
commit c0027d117c
No known key found for this signature in database
GPG key ID: 076E7C3D44720826
7 changed files with 172 additions and 169 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
media/doc/3rd Party Files.txt
View file

@ -239,7 +239,7 @@ URL: https://github.com/win-iconv/win-iconv
Title: LibXML Title: LibXML
Path: sdk/lib/3rdparty/libxml2 Path: sdk/lib/3rdparty/libxml2
Used Version: 2.10.2 Used Version: 2.10.3
License: MIT (https://spdx.org/licenses/MIT.htmlf) License: MIT (https://spdx.org/licenses/MIT.htmlf)
URL: http://xmlsoft.org, ftp://xmlsoft.org/libxml2/ URL: http://xmlsoft.org, ftp://xmlsoft.org/libxml2/

17
sdk/lib/3rdparty/libxml2/NEWS vendored
View file

@ -1,5 +1,22 @@
NEWS file for libxml2 NEWS file for libxml2
v2.10.3: Oct 14 2022
### Security
- [CVE-2022-40304] Fix dict corruption caused by entity reference cycles
- [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
- Fix overflow check in SAX2.c
### Portability
- win32: Fix build with VS2013
### Build system
- cmake: Set SOVERSION
v2.10.2: Aug 29 2022 v2.10.2: Aug 29 2022
### Improvements ### Improvements

24
sdk/lib/3rdparty/libxml2/SAX2.c vendored
View file

@ -28,11 +28,6 @@
#include <libxml/HTMLtree.h> #include <libxml/HTMLtree.h>
#include <libxml/globals.h> #include <libxml/globals.h>
/* Define SIZE_T_MAX unless defined through <limits.h>. */
#ifndef SIZE_T_MAX
# define SIZE_T_MAX ((size_t)-1)
#endif /* !SIZE_T_MAX */
/* #define DEBUG_SAX2 */ /* #define DEBUG_SAX2 */
/* #define DEBUG_SAX2_TREE */ /* #define DEBUG_SAX2_TREE */
@ -2596,22 +2591,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len,
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL"); xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
return; return;
} }
if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) && if (ctxt->nodelen > INT_MAX - len) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
return;
}
if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) { ((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node"); xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
return; return;
} }
if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
(size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
return;
}
if (ctxt->nodelen + len >= ctxt->nodemem) { if (ctxt->nodelen + len >= ctxt->nodemem) {
xmlChar *newbuf; xmlChar *newbuf;
size_t size; int size;
size = ctxt->nodemem + len; size = ctxt->nodemem > INT_MAX - len ?
size *= 2; INT_MAX :
ctxt->nodemem + len;
size = size > INT_MAX / 2 ? INT_MAX : size * 2;
newbuf = (xmlChar *) xmlRealloc(lastChild->content,size); newbuf = (xmlChar *) xmlRealloc(lastChild->content,size);
if (newbuf == NULL) { if (newbuf == NULL) {
xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters"); xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters");

2
sdk/lib/3rdparty/libxml2/config.h vendored
View file

@ -186,7 +186,7 @@
/* #undef VA_LIST_IS_ARRAY */ /* #undef VA_LIST_IS_ARRAY */
/* Version number of package */ /* Version number of package */
#define VERSION "2.10.2" #define VERSION "2.10.3"
/* Determine what socket length (socklen_t) data type is */ /* Determine what socket length (socklen_t) data type is */
#define XML_SOCKLEN_T int #define XML_SOCKLEN_T int

55
sdk/lib/3rdparty/libxml2/entities.c vendored
View file

@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity)
if ((entity->children) && (entity->owner == 1) && if ((entity->children) && (entity->owner == 1) &&
(entity == (xmlEntityPtr) entity->children->parent)) (entity == (xmlEntityPtr) entity->children->parent))
xmlFreeNodeList(entity->children); xmlFreeNodeList(entity->children);
if (dict != NULL) { if ((entity->name != NULL) &&
if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
xmlFree((char *) entity->name); xmlFree((char *) entity->name);
if ((entity->ExternalID != NULL) && if (entity->ExternalID != NULL)
(!xmlDictOwns(dict, entity->ExternalID))) xmlFree((char *) entity->ExternalID);
xmlFree((char *) entity->ExternalID); if (entity->SystemID != NULL)
if ((entity->SystemID != NULL) && xmlFree((char *) entity->SystemID);
(!xmlDictOwns(dict, entity->SystemID))) if (entity->URI != NULL)
xmlFree((char *) entity->SystemID); xmlFree((char *) entity->URI);
if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) if (entity->content != NULL)
xmlFree((char *) entity->URI); xmlFree((char *) entity->content);
if ((entity->content != NULL) if (entity->orig != NULL)
&& (!xmlDictOwns(dict, entity->content))) xmlFree((char *) entity->orig);
xmlFree((char *) entity->content);
if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
xmlFree((char *) entity->orig);
} else {
if (entity->name != NULL)
xmlFree((char *) entity->name);
if (entity->ExternalID != NULL)
xmlFree((char *) entity->ExternalID);
if (entity->SystemID != NULL)
xmlFree((char *) entity->SystemID);
if (entity->URI != NULL)
xmlFree((char *) entity->URI);
if (entity->content != NULL)
xmlFree((char *) entity->content);
if (entity->orig != NULL)
xmlFree((char *) entity->orig);
}
xmlFree(entity); xmlFree(entity);
} }
@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
ret->SystemID = xmlStrdup(SystemID); ret->SystemID = xmlStrdup(SystemID);
} else { } else {
ret->name = xmlDictLookup(dict, name, -1); ret->name = xmlDictLookup(dict, name, -1);
if (ExternalID != NULL) ret->ExternalID = xmlStrdup(ExternalID);
ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); ret->SystemID = xmlStrdup(SystemID);
if (SystemID != NULL)
ret->SystemID = xmlDictLookup(dict, SystemID, -1);
} }
if (content != NULL) { if (content != NULL) {
ret->length = xmlStrlen(content); ret->length = xmlStrlen(content);
if ((dict != NULL) && (ret->length < 5)) ret->content = xmlStrndup(content, ret->length);
ret->content = (xmlChar *)
xmlDictLookup(dict, content, ret->length);
else
ret->content = xmlStrndup(content, ret->length);
} else { } else {
ret->length = 0; ret->length = 0;
ret->content = NULL; ret->content = NULL;

8
sdk/lib/3rdparty/libxml2/include/win32config.h vendored
View file

@ -12,9 +12,13 @@
#define HAVE_STDINT_H #define HAVE_STDINT_H
#endif #endif
#if defined(_MSC_VER) && _MSC_VER < 1900 #if defined(_MSC_VER)
#if _MSC_VER < 1900
#define snprintf _snprintf #define snprintf _snprintf
#define vsnprintf _vsnprintf #endif
#if _MSC_VER < 1500
#define vsnprintf(b,c,f,a) _vsnprintf(b,c,f,a)
#endif
#endif #endif
#endif /* __LIBXML_WIN32_CONFIG__ */ #endif /* __LIBXML_WIN32_CONFIG__ */

233
sdk/lib/3rdparty/libxml2/parser.c vendored
View file

@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
* * * *
************************************************************************/ ************************************************************************/
#define XML_MAX_HUGE_LENGTH 1000000000
#define XML_PARSER_BIG_ENTITY 1000 #define XML_PARSER_BIG_ENTITY 1000
#define XML_PARSER_LOT_ENTITY 5000 #define XML_PARSER_LOT_ENTITY 5000
@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
errmsg = "Malformed declaration expecting version"; errmsg = "Malformed declaration expecting version";
break; break;
case XML_ERR_NAME_TOO_LONG: case XML_ERR_NAME_TOO_LONG:
errmsg = "Name too long use XML_PARSE_HUGE option"; errmsg = "Name too long";
break; break;
#if 0 #if 0
case: case:
@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l; int len = 0, l;
int c; int c;
int count = 0; int count = 0;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
#ifdef DEBUG #ifdef DEBUG
nbParseNameComplex++; nbParseNameComplex++;
@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
if (ctxt->instate == XML_PARSER_EOF) if (ctxt->instate == XML_PARSER_EOF)
return(NULL); return(NULL);
} }
len += l; if (len <= INT_MAX - l)
len += l;
NEXTL(l); NEXTL(l);
c = CUR_CHAR(l); c = CUR_CHAR(l);
} }
@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
if (ctxt->instate == XML_PARSER_EOF) if (ctxt->instate == XML_PARSER_EOF)
return(NULL); return(NULL);
} }
len += l; if (len <= INT_MAX - l)
len += l;
NEXTL(l); NEXTL(l);
c = CUR_CHAR(l); c = CUR_CHAR(l);
} }
} }
if ((len > XML_MAX_NAME_LENGTH) && if (len > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL); return(NULL);
} }
@ -3338,7 +3344,10 @@ const xmlChar *
xmlParseName(xmlParserCtxtPtr ctxt) { xmlParseName(xmlParserCtxtPtr ctxt) {
const xmlChar *in; const xmlChar *in;
const xmlChar *ret; const xmlChar *ret;
int count = 0; size_t count = 0;
size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
GROW; GROW;
@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
in++; in++;
if ((*in > 0) && (*in < 0x80)) { if ((*in > 0) && (*in < 0x80)) {
count = in - ctxt->input->cur; count = in - ctxt->input->cur;
if ((count > XML_MAX_NAME_LENGTH) && if (count > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
return(NULL); return(NULL);
} }
@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l; int len = 0, l;
int c; int c;
int count = 0; int count = 0;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
size_t startPosition = 0; size_t startPosition = 0;
#ifdef DEBUG #ifdef DEBUG
@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
(xmlIsNameChar(ctxt, c) && (c != ':'))) { (xmlIsNameChar(ctxt, c) && (c != ':'))) {
if (count++ > XML_PARSER_CHUNK_SIZE) { if (count++ > XML_PARSER_CHUNK_SIZE) {
if ((len > XML_MAX_NAME_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL);
}
count = 0; count = 0;
GROW; GROW;
if (ctxt->instate == XML_PARSER_EOF) if (ctxt->instate == XML_PARSER_EOF)
return(NULL); return(NULL);
} }
len += l; if (len <= INT_MAX - l)
len += l;
NEXTL(l); NEXTL(l);
c = CUR_CHAR(l); c = CUR_CHAR(l);
if (c == 0) { if (c == 0) {
@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
c = CUR_CHAR(l); c = CUR_CHAR(l);
} }
} }
if ((len > XML_MAX_NAME_LENGTH) && if (len > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL); return(NULL);
} }
@ -3459,7 +3465,10 @@ static const xmlChar *
xmlParseNCName(xmlParserCtxtPtr ctxt) { xmlParseNCName(xmlParserCtxtPtr ctxt) {
const xmlChar *in, *e; const xmlChar *in, *e;
const xmlChar *ret; const xmlChar *ret;
int count = 0; size_t count = 0;
size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
#ifdef DEBUG #ifdef DEBUG
nbParseNCName++; nbParseNCName++;
@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
goto complex; goto complex;
if ((*in > 0) && (*in < 0x80)) { if ((*in > 0) && (*in < 0x80)) {
count = in - ctxt->input->cur; count = in - ctxt->input->cur;
if ((count > XML_MAX_NAME_LENGTH) && if (count > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL); return(NULL);
} }
@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
const xmlChar *cur = *str; const xmlChar *cur = *str;
int len = 0, l; int len = 0, l;
int c; int c;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
#ifdef DEBUG #ifdef DEBUG
nbParseStringName++; nbParseStringName++;
@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
if (len + 10 > max) { if (len + 10 > max) {
xmlChar *tmp; xmlChar *tmp;
if ((len > XML_MAX_NAME_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
xmlFree(buffer);
return(NULL);
}
max *= 2; max *= 2;
tmp = (xmlChar *) xmlRealloc(buffer, tmp = (xmlChar *) xmlRealloc(buffer,
max * sizeof(xmlChar)); max * sizeof(xmlChar));
@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
COPY_BUF(l,buffer,len,c); COPY_BUF(l,buffer,len,c);
cur += l; cur += l;
c = CUR_SCHAR(cur, l); c = CUR_SCHAR(cur, l);
if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
xmlFree(buffer);
return(NULL);
}
} }
buffer[len] = 0; buffer[len] = 0;
*str = cur; *str = cur;
return(buffer); return(buffer);
} }
} }
if ((len > XML_MAX_NAME_LENGTH) && if (len > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
return(NULL); return(NULL);
} }
@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
int len = 0, l; int len = 0, l;
int c; int c;
int count = 0; int count = 0;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
#ifdef DEBUG #ifdef DEBUG
nbParseNmToken++; nbParseNmToken++;
@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
if (len + 10 > max) { if (len + 10 > max) {
xmlChar *tmp; xmlChar *tmp;
if ((max > XML_MAX_NAME_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
xmlFree(buffer);
return(NULL);
}
max *= 2; max *= 2;
tmp = (xmlChar *) xmlRealloc(buffer, tmp = (xmlChar *) xmlRealloc(buffer,
max * sizeof(xmlChar)); max * sizeof(xmlChar));
@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
COPY_BUF(l,buffer,len,c); COPY_BUF(l,buffer,len,c);
NEXTL(l); NEXTL(l);
c = CUR_CHAR(l); c = CUR_CHAR(l);
if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
xmlFree(buffer);
return(NULL);
}
} }
buffer[len] = 0; buffer[len] = 0;
return(buffer); return(buffer);
@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
} }
if (len == 0) if (len == 0)
return(NULL); return(NULL);
if ((len > XML_MAX_NAME_LENGTH) && if (len > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
return(NULL); return(NULL);
} }
@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
int len = 0; int len = 0;
int size = XML_PARSER_BUFFER_SIZE; int size = XML_PARSER_BUFFER_SIZE;
int c, l; int c, l;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_HUGE_LENGTH :
XML_MAX_TEXT_LENGTH;
xmlChar stop; xmlChar stop;
xmlChar *ret = NULL; xmlChar *ret = NULL;
const xmlChar *cur = NULL; const xmlChar *cur = NULL;
@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
GROW; GROW;
c = CUR_CHAR(l); c = CUR_CHAR(l);
} }
if (len > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
"entity value too long\n");
goto error;
}
} }
buf[len] = 0; buf[len] = 0;
if (ctxt->instate == XML_PARSER_EOF) if (ctxt->instate == XML_PARSER_EOF)
@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
xmlChar *rep = NULL; xmlChar *rep = NULL;
size_t len = 0; size_t len = 0;
size_t buf_size = 0; size_t buf_size = 0;
size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_HUGE_LENGTH :
XML_MAX_TEXT_LENGTH;
int c, l, in_space = 0; int c, l, in_space = 0;
xmlChar *current = NULL; xmlChar *current = NULL;
xmlEntityPtr ent; xmlEntityPtr ent;
@ -3936,16 +3958,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
while (((NXT(0) != limit) && /* checked */ while (((NXT(0) != limit) && /* checked */
(IS_CHAR(c)) && (c != '<')) && (IS_CHAR(c)) && (c != '<')) &&
(ctxt->instate != XML_PARSER_EOF)) { (ctxt->instate != XML_PARSER_EOF)) {
/*
* Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
* special option is given
*/
if ((len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
goto mem_error;
}
if (c == '&') { if (c == '&') {
in_space = 0; in_space = 0;
if (NXT(1) == '#') { if (NXT(1) == '#') {
@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
} }
GROW; GROW;
c = CUR_CHAR(l); c = CUR_CHAR(l);
if (len > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
goto mem_error;
}
} }
if (ctxt->instate == XML_PARSER_EOF) if (ctxt->instate == XML_PARSER_EOF)
goto error; goto error;
@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
} else } else
NEXT; NEXT;
/*
* There we potentially risk an overflow, don't allow attribute value of
* length more than INT_MAX it is a very reasonable assumption !
*/
if (len >= INT_MAX) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n");
goto mem_error;
}
if (attlen != NULL) *attlen = (int) len; if (attlen != NULL) *attlen = (int) len;
return(buf); return(buf);
@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
int len = 0; int len = 0;
int size = XML_PARSER_BUFFER_SIZE; int size = XML_PARSER_BUFFER_SIZE;
int cur, l; int cur, l;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
xmlChar stop; xmlChar stop;
int state = ctxt->instate; int state = ctxt->instate;
int count = 0; int count = 0;
@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
if (len + 5 >= size) { if (len + 5 >= size) {
xmlChar *tmp; xmlChar *tmp;
if ((size > XML_MAX_NAME_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
xmlFree(buf);
ctxt->instate = (xmlParserInputState) state;
return(NULL);
}
size *= 2; size *= 2;
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
if (tmp == NULL) { if (tmp == NULL) {
@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
SHRINK; SHRINK;
cur = CUR_CHAR(l); cur = CUR_CHAR(l);
} }
if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
xmlFree(buf);
ctxt->instate = (xmlParserInputState) state;
return(NULL);
}
} }
buf[len] = 0; buf[len] = 0;
ctxt->instate = (xmlParserInputState) state; ctxt->instate = (xmlParserInputState) state;
@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL; xmlChar *buf = NULL;
int len = 0; int len = 0;
int size = XML_PARSER_BUFFER_SIZE; int size = XML_PARSER_BUFFER_SIZE;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_TEXT_LENGTH :
XML_MAX_NAME_LENGTH;
xmlChar cur; xmlChar cur;
xmlChar stop; xmlChar stop;
int count = 0; int count = 0;
@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
if (len + 1 >= size) { if (len + 1 >= size) {
xmlChar *tmp; xmlChar *tmp;
if ((size > XML_MAX_NAME_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
xmlFree(buf);
return(NULL);
}
size *= 2; size *= 2;
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
if (tmp == NULL) { if (tmp == NULL) {
@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
SHRINK; SHRINK;
cur = CUR; cur = CUR;
} }
if (len > maxLength) {
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
xmlFree(buf);
return(NULL);
}
} }
buf[len] = 0; buf[len] = 0;
if (cur != stop) { if (cur != stop) {
@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
int r, rl; int r, rl;
int cur, l; int cur, l;
size_t count = 0; size_t count = 0;
size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_HUGE_LENGTH :
XML_MAX_TEXT_LENGTH;
int inputid; int inputid;
inputid = ctxt->input->id; inputid = ctxt->input->id;
@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
if ((r == '-') && (q == '-')) { if ((r == '-') && (q == '-')) {
xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
} }
if ((len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
"Comment too big found", NULL);
xmlFree (buf);
return;
}
if (len + 5 >= size) { if (len + 5 >= size) {
xmlChar *new_buf; xmlChar *new_buf;
size_t new_size; size_t new_size;
@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
GROW; GROW;
cur = CUR_CHAR(l); cur = CUR_CHAR(l);
} }
if (len > maxLength) {
xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
"Comment too big found", NULL);
xmlFree (buf);
return;
}
} }
buf[len] = 0; buf[len] = 0;
if (cur == 0) { if (cur == 0) {
@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL; xmlChar *buf = NULL;
size_t size = XML_PARSER_BUFFER_SIZE; size_t size = XML_PARSER_BUFFER_SIZE;
size_t len = 0; size_t len = 0;
size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_HUGE_LENGTH :
XML_MAX_TEXT_LENGTH;
xmlParserInputState state; xmlParserInputState state;
const xmlChar *in; const xmlChar *in;
size_t nbchar = 0; size_t nbchar = 0;
@ -4958,8 +4975,7 @@ get_more:
buf[len] = 0; buf[len] = 0;
} }
} }
if ((len > XML_MAX_TEXT_LENGTH) && if (len > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
"Comment too big found", NULL); "Comment too big found", NULL);
xmlFree (buf); xmlFree (buf);
@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL; xmlChar *buf = NULL;
size_t len = 0; size_t len = 0;
size_t size = XML_PARSER_BUFFER_SIZE; size_t size = XML_PARSER_BUFFER_SIZE;
size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_HUGE_LENGTH :
XML_MAX_TEXT_LENGTH;
int cur, l; int cur, l;
const xmlChar *target; const xmlChar *target;
xmlParserInputState state; xmlParserInputState state;
@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
return; return;
} }
count = 0; count = 0;
if ((len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
"PI %s too big found", target);
xmlFree(buf);
ctxt->instate = state;
return;
}
} }
COPY_BUF(l,buf,len,cur); COPY_BUF(l,buf,len,cur);
NEXTL(l); NEXTL(l);
@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
GROW; GROW;
cur = CUR_CHAR(l); cur = CUR_CHAR(l);
} }
if (len > maxLength) {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
"PI %s too big found", target);
xmlFree(buf);
ctxt->instate = state;
return;
}
} }
if ((len > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
"PI %s too big found", target);
xmlFree(buf);
ctxt->instate = state;
return;
}
buf[len] = 0; buf[len] = 0;
if (cur != '?') { if (cur != '?') {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
const xmlChar *in = NULL, *start, *end, *last; const xmlChar *in = NULL, *start, *end, *last;
xmlChar *ret = NULL; xmlChar *ret = NULL;
int line, col; int line, col;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_HUGE_LENGTH :
XML_MAX_TEXT_LENGTH;
GROW; GROW;
in = (xmlChar *) CUR_PTR; in = (xmlChar *) CUR_PTR;
@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
start = in; start = in;
if (in >= end) { if (in >= end) {
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
if (((in - start) > XML_MAX_TEXT_LENGTH) && if ((in - start) > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n"); "AttValue length too long\n");
return(NULL); return(NULL);
@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
if ((*in++ == 0x20) && (*in == 0x20)) break; if ((*in++ == 0x20) && (*in == 0x20)) break;
if (in >= end) { if (in >= end) {
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
if (((in - start) > XML_MAX_TEXT_LENGTH) && if ((in - start) > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n"); "AttValue length too long\n");
return(NULL); return(NULL);
@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
last = last + delta; last = last + delta;
} }
end = ctxt->input->end; end = ctxt->input->end;
if (((in - start) > XML_MAX_TEXT_LENGTH) && if ((in - start) > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n"); "AttValue length too long\n");
return(NULL); return(NULL);
} }
} }
} }
if (((in - start) > XML_MAX_TEXT_LENGTH) && if ((in - start) > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n"); "AttValue length too long\n");
return(NULL); return(NULL);
@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
col++; col++;
if (in >= end) { if (in >= end) {
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
if (((in - start) > XML_MAX_TEXT_LENGTH) && if ((in - start) > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n"); "AttValue length too long\n");
return(NULL); return(NULL);
@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
} }
} }
last = in; last = in;
if (((in - start) > XML_MAX_TEXT_LENGTH) && if ((in - start) > maxLength) {
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
"AttValue length too long\n"); "AttValue length too long\n");
return(NULL); return(NULL);
@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
int s, sl; int s, sl;
int cur, l; int cur, l;
int count = 0; int count = 0;
int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
XML_MAX_HUGE_LENGTH :
XML_MAX_TEXT_LENGTH;
/* Check 2.6.0 was NXT(0) not RAW */ /* Check 2.6.0 was NXT(0) not RAW */
if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
if (len + 5 >= size) { if (len + 5 >= size) {
xmlChar *tmp; xmlChar *tmp;
if ((size > XML_MAX_TEXT_LENGTH) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
"CData section too big found", NULL);
xmlFree (buf);
return;
}
tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
if (tmp == NULL) { if (tmp == NULL) {
xmlFree(buf); xmlFree(buf);
@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
} }
NEXTL(l); NEXTL(l);
cur = CUR_CHAR(l); cur = CUR_CHAR(l);
if (len > maxLength) {
xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
"CData section too big found\n");
xmlFree(buf);
return;
}
} }
buf[len] = 0; buf[len] = 0;
ctxt->instate = XML_PARSER_CONTENT; ctxt->instate = XML_PARSER_CONTENT;