|
 |
92a3a1 |
From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
|
|
|
92a3a1 |
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
92a3a1 |
Date: Thu, 25 Aug 2022 17:43:08 +0200
|
|
|
92a3a1 |
Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
|
|
|
92a3a1 |
|
|
|
92a3a1 |
Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
|
|
|
92a3a1 |
to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
|
|
|
92a3a1 |
XML_MAX_HUGE_LENGTH (1 billion bytes).
|
|
|
92a3a1 |
|
|
|
92a3a1 |
Move some the length checks to the end of the respective loop to make
|
|
|
92a3a1 |
them strict.
|
|
|
92a3a1 |
|
|
|
92a3a1 |
xmlParseEntityValue didn't have a length limitation at all. But without
|
|
|
92a3a1 |
XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
|
|
|
92a3a1 |
|
|
|
92a3a1 |
Thanks to Maddie Stone working with Google Project Zero for the report!
|
|
|
92a3a1 |
---
|
|
|
92a3a1 |
parser.c | 233 +++++++++++++++++++++++++++++--------------------------
|
|
|
92a3a1 |
1 file changed, 121 insertions(+), 112 deletions(-)
|
|
|
92a3a1 |
|
|
|
92a3a1 |
diff --git a/parser.c b/parser.c
|
|
|
92a3a1 |
index 93f031be..79479979 100644
|
|
|
92a3a1 |
--- a/parser.c
|
|
|
92a3a1 |
+++ b/parser.c
|
|
|
92a3a1 |
@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
|
|
|
92a3a1 |
* *
|
|
|
92a3a1 |
************************************************************************/
|
|
|
92a3a1 |
|
|
|
92a3a1 |
+#define XML_MAX_HUGE_LENGTH 1000000000
|
|
|
92a3a1 |
+
|
|
|
92a3a1 |
#define XML_PARSER_BIG_ENTITY 1000
|
|
|
92a3a1 |
#define XML_PARSER_LOT_ENTITY 5000
|
|
|
92a3a1 |
|
|
|
92a3a1 |
@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
|
|
|
92a3a1 |
errmsg = "Malformed declaration expecting version";
|
|
|
92a3a1 |
break;
|
|
|
92a3a1 |
case XML_ERR_NAME_TOO_LONG:
|
|
|
92a3a1 |
- errmsg = "Name too long use XML_PARSE_HUGE option";
|
|
|
92a3a1 |
+ errmsg = "Name too long";
|
|
|
92a3a1 |
break;
|
|
|
92a3a1 |
#if 0
|
|
|
92a3a1 |
case:
|
|
|
92a3a1 |
@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
int len = 0, l;
|
|
|
92a3a1 |
int c;
|
|
|
92a3a1 |
int count = 0;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
#ifdef DEBUG
|
|
|
92a3a1 |
nbParseNameComplex++;
|
|
|
92a3a1 |
@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
if (ctxt->instate == XML_PARSER_EOF)
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- len += l;
|
|
|
92a3a1 |
+ if (len <= INT_MAX - l)
|
|
|
92a3a1 |
+ len += l;
|
|
|
92a3a1 |
NEXTL(l);
|
|
|
92a3a1 |
c = CUR_CHAR(l);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
if (ctxt->instate == XML_PARSER_EOF)
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- len += l;
|
|
|
92a3a1 |
+ if (len <= INT_MAX - l)
|
|
|
92a3a1 |
+ len += l;
|
|
|
92a3a1 |
NEXTL(l);
|
|
|
92a3a1 |
c = CUR_CHAR(l);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- if ((len > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
@@ -3338,7 +3344,10 @@ const xmlChar *
|
|
|
92a3a1 |
xmlParseName(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
const xmlChar *in;
|
|
|
92a3a1 |
const xmlChar *ret;
|
|
|
92a3a1 |
- int count = 0;
|
|
|
92a3a1 |
+ size_t count = 0;
|
|
|
92a3a1 |
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
GROW;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
in++;
|
|
|
92a3a1 |
if ((*in > 0) && (*in < 0x80)) {
|
|
|
92a3a1 |
count = in - ctxt->input->cur;
|
|
|
92a3a1 |
- if ((count > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if (count > maxLength) {
|
|
|
92a3a1 |
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
int len = 0, l;
|
|
|
92a3a1 |
int c;
|
|
|
92a3a1 |
int count = 0;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
size_t startPosition = 0;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
#ifdef DEBUG
|
|
|
92a3a1 |
@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
|
|
|
92a3a1 |
(xmlIsNameChar(ctxt, c) && (c != ':'))) {
|
|
|
92a3a1 |
if (count++ > XML_PARSER_CHUNK_SIZE) {
|
|
|
92a3a1 |
- if ((len > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
|
|
92a3a1 |
- return(NULL);
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
count = 0;
|
|
|
92a3a1 |
GROW;
|
|
|
92a3a1 |
if (ctxt->instate == XML_PARSER_EOF)
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- len += l;
|
|
|
92a3a1 |
+ if (len <= INT_MAX - l)
|
|
|
92a3a1 |
+ len += l;
|
|
|
92a3a1 |
NEXTL(l);
|
|
|
92a3a1 |
c = CUR_CHAR(l);
|
|
|
92a3a1 |
if (c == 0) {
|
|
|
92a3a1 |
@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
c = CUR_CHAR(l);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- if ((len > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
@@ -3459,7 +3465,10 @@ static const xmlChar *
|
|
|
92a3a1 |
xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
const xmlChar *in, *e;
|
|
|
92a3a1 |
const xmlChar *ret;
|
|
|
92a3a1 |
- int count = 0;
|
|
|
92a3a1 |
+ size_t count = 0;
|
|
|
92a3a1 |
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
#ifdef DEBUG
|
|
|
92a3a1 |
nbParseNCName++;
|
|
|
92a3a1 |
@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
goto complex;
|
|
|
92a3a1 |
if ((*in > 0) && (*in < 0x80)) {
|
|
|
92a3a1 |
count = in - ctxt->input->cur;
|
|
|
92a3a1 |
- if ((count > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if (count > maxLength) {
|
|
|
92a3a1 |
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
|
|
92a3a1 |
const xmlChar *cur = *str;
|
|
|
92a3a1 |
int len = 0, l;
|
|
|
92a3a1 |
int c;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
#ifdef DEBUG
|
|
|
92a3a1 |
nbParseStringName++;
|
|
|
92a3a1 |
@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
|
|
92a3a1 |
if (len + 10 > max) {
|
|
|
92a3a1 |
xmlChar *tmp;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
- if ((len > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
|
|
92a3a1 |
- xmlFree(buffer);
|
|
|
92a3a1 |
- return(NULL);
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
max *= 2;
|
|
|
92a3a1 |
tmp = (xmlChar *) xmlRealloc(buffer,
|
|
|
92a3a1 |
max * sizeof(xmlChar));
|
|
|
92a3a1 |
@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
|
|
|
92a3a1 |
COPY_BUF(l,buffer,len,c);
|
|
|
92a3a1 |
cur += l;
|
|
|
92a3a1 |
c = CUR_SCHAR(cur, l);
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
|
|
92a3a1 |
+ xmlFree(buffer);
|
|
|
92a3a1 |
+ return(NULL);
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
buffer[len] = 0;
|
|
|
92a3a1 |
*str = cur;
|
|
|
92a3a1 |
return(buffer);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- if ((len > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
int len = 0, l;
|
|
|
92a3a1 |
int c;
|
|
|
92a3a1 |
int count = 0;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
#ifdef DEBUG
|
|
|
92a3a1 |
nbParseNmToken++;
|
|
|
92a3a1 |
@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
if (len + 10 > max) {
|
|
|
92a3a1 |
xmlChar *tmp;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
- if ((max > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
|
|
|
92a3a1 |
- xmlFree(buffer);
|
|
|
92a3a1 |
- return(NULL);
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
max *= 2;
|
|
|
92a3a1 |
tmp = (xmlChar *) xmlRealloc(buffer,
|
|
|
92a3a1 |
max * sizeof(xmlChar));
|
|
|
92a3a1 |
@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
COPY_BUF(l,buffer,len,c);
|
|
|
92a3a1 |
NEXTL(l);
|
|
|
92a3a1 |
c = CUR_CHAR(l);
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
|
|
|
92a3a1 |
+ xmlFree(buffer);
|
|
|
92a3a1 |
+ return(NULL);
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
buffer[len] = 0;
|
|
|
92a3a1 |
return(buffer);
|
|
|
92a3a1 |
@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
if (len == 0)
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
- if ((len > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
|
|
92a3a1 |
int len = 0;
|
|
|
92a3a1 |
int size = XML_PARSER_BUFFER_SIZE;
|
|
|
92a3a1 |
int c, l;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_HUGE_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH;
|
|
|
92a3a1 |
xmlChar stop;
|
|
|
92a3a1 |
xmlChar *ret = NULL;
|
|
|
92a3a1 |
const xmlChar *cur = NULL;
|
|
|
92a3a1 |
@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
|
|
|
92a3a1 |
GROW;
|
|
|
92a3a1 |
c = CUR_CHAR(l);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
+
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
|
|
|
92a3a1 |
+ "entity value too long\n");
|
|
|
92a3a1 |
+ goto error;
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
buf[len] = 0;
|
|
|
92a3a1 |
if (ctxt->instate == XML_PARSER_EOF)
|
|
|
92a3a1 |
@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
|
|
92a3a1 |
xmlChar *rep = NULL;
|
|
|
92a3a1 |
size_t len = 0;
|
|
|
92a3a1 |
size_t buf_size = 0;
|
|
|
92a3a1 |
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_HUGE_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH;
|
|
|
92a3a1 |
int c, l, in_space = 0;
|
|
|
92a3a1 |
xmlChar *current = NULL;
|
|
|
92a3a1 |
xmlEntityPtr ent;
|
|
|
92a3a1 |
@@ -3936,16 +3958,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
|
|
92a3a1 |
while (((NXT(0) != limit) && /* checked */
|
|
|
92a3a1 |
(IS_CHAR(c)) && (c != '<')) &&
|
|
|
92a3a1 |
(ctxt->instate != XML_PARSER_EOF)) {
|
|
|
92a3a1 |
- /*
|
|
|
92a3a1 |
- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
|
|
|
92a3a1 |
- * special option is given
|
|
|
92a3a1 |
- */
|
|
|
92a3a1 |
- if ((len > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
- "AttValue length too long\n");
|
|
|
92a3a1 |
- goto mem_error;
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
if (c == '&') {
|
|
|
92a3a1 |
in_space = 0;
|
|
|
92a3a1 |
if (NXT(1) == '#') {
|
|
|
92a3a1 |
@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
GROW;
|
|
|
92a3a1 |
c = CUR_CHAR(l);
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
+ "AttValue length too long\n");
|
|
|
92a3a1 |
+ goto mem_error;
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
if (ctxt->instate == XML_PARSER_EOF)
|
|
|
92a3a1 |
goto error;
|
|
|
92a3a1 |
@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
|
|
|
92a3a1 |
} else
|
|
|
92a3a1 |
NEXT;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
- /*
|
|
|
92a3a1 |
- * There we potentially risk an overflow, don't allow attribute value of
|
|
|
92a3a1 |
- * length more than INT_MAX it is a very reasonable assumption !
|
|
|
92a3a1 |
- */
|
|
|
92a3a1 |
- if (len >= INT_MAX) {
|
|
|
92a3a1 |
- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
- "AttValue length too long\n");
|
|
|
92a3a1 |
- goto mem_error;
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
-
|
|
|
92a3a1 |
if (attlen != NULL) *attlen = (int) len;
|
|
|
92a3a1 |
return(buf);
|
|
|
92a3a1 |
|
|
|
92a3a1 |
@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
int len = 0;
|
|
|
92a3a1 |
int size = XML_PARSER_BUFFER_SIZE;
|
|
|
92a3a1 |
int cur, l;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
xmlChar stop;
|
|
|
92a3a1 |
int state = ctxt->instate;
|
|
|
92a3a1 |
int count = 0;
|
|
|
92a3a1 |
@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
if (len + 5 >= size) {
|
|
|
92a3a1 |
xmlChar *tmp;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
- if ((size > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
|
|
|
92a3a1 |
- xmlFree(buf);
|
|
|
92a3a1 |
- ctxt->instate = (xmlParserInputState) state;
|
|
|
92a3a1 |
- return(NULL);
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
size *= 2;
|
|
|
92a3a1 |
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
|
|
|
92a3a1 |
if (tmp == NULL) {
|
|
|
92a3a1 |
@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
SHRINK;
|
|
|
92a3a1 |
cur = CUR_CHAR(l);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
|
|
|
92a3a1 |
+ xmlFree(buf);
|
|
|
92a3a1 |
+ ctxt->instate = (xmlParserInputState) state;
|
|
|
92a3a1 |
+ return(NULL);
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
buf[len] = 0;
|
|
|
92a3a1 |
ctxt->instate = (xmlParserInputState) state;
|
|
|
92a3a1 |
@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
xmlChar *buf = NULL;
|
|
|
92a3a1 |
int len = 0;
|
|
|
92a3a1 |
int size = XML_PARSER_BUFFER_SIZE;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_NAME_LENGTH;
|
|
|
92a3a1 |
xmlChar cur;
|
|
|
92a3a1 |
xmlChar stop;
|
|
|
92a3a1 |
int count = 0;
|
|
|
92a3a1 |
@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
if (len + 1 >= size) {
|
|
|
92a3a1 |
xmlChar *tmp;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
- if ((size > XML_MAX_NAME_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
|
|
|
92a3a1 |
- xmlFree(buf);
|
|
|
92a3a1 |
- return(NULL);
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
size *= 2;
|
|
|
92a3a1 |
tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
|
|
|
92a3a1 |
if (tmp == NULL) {
|
|
|
92a3a1 |
@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
SHRINK;
|
|
|
92a3a1 |
cur = CUR;
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
|
|
|
92a3a1 |
+ xmlFree(buf);
|
|
|
92a3a1 |
+ return(NULL);
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
buf[len] = 0;
|
|
|
92a3a1 |
if (cur != stop) {
|
|
|
92a3a1 |
@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
|
|
92a3a1 |
int r, rl;
|
|
|
92a3a1 |
int cur, l;
|
|
|
92a3a1 |
size_t count = 0;
|
|
|
92a3a1 |
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_HUGE_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH;
|
|
|
92a3a1 |
int inputid;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
inputid = ctxt->input->id;
|
|
|
92a3a1 |
@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
|
|
92a3a1 |
if ((r == '-') && (q == '-')) {
|
|
|
92a3a1 |
xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- if ((len > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
|
|
|
92a3a1 |
- "Comment too big found", NULL);
|
|
|
92a3a1 |
- xmlFree (buf);
|
|
|
92a3a1 |
- return;
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
if (len + 5 >= size) {
|
|
|
92a3a1 |
xmlChar *new_buf;
|
|
|
92a3a1 |
size_t new_size;
|
|
|
92a3a1 |
@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
|
|
|
92a3a1 |
GROW;
|
|
|
92a3a1 |
cur = CUR_CHAR(l);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
+
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
|
|
|
92a3a1 |
+ "Comment too big found", NULL);
|
|
|
92a3a1 |
+ xmlFree (buf);
|
|
|
92a3a1 |
+ return;
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
buf[len] = 0;
|
|
|
92a3a1 |
if (cur == 0) {
|
|
|
92a3a1 |
@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
xmlChar *buf = NULL;
|
|
|
92a3a1 |
size_t size = XML_PARSER_BUFFER_SIZE;
|
|
|
92a3a1 |
size_t len = 0;
|
|
|
92a3a1 |
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_HUGE_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH;
|
|
|
92a3a1 |
xmlParserInputState state;
|
|
|
92a3a1 |
const xmlChar *in;
|
|
|
92a3a1 |
size_t nbchar = 0;
|
|
|
92a3a1 |
@@ -4958,8 +4975,7 @@ get_more:
|
|
|
92a3a1 |
buf[len] = 0;
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- if ((len > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
|
|
|
92a3a1 |
"Comment too big found", NULL);
|
|
|
92a3a1 |
xmlFree (buf);
|
|
|
92a3a1 |
@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
xmlChar *buf = NULL;
|
|
|
92a3a1 |
size_t len = 0;
|
|
|
92a3a1 |
size_t size = XML_PARSER_BUFFER_SIZE;
|
|
|
92a3a1 |
+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_HUGE_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH;
|
|
|
92a3a1 |
int cur, l;
|
|
|
92a3a1 |
const xmlChar *target;
|
|
|
92a3a1 |
xmlParserInputState state;
|
|
|
92a3a1 |
@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
return;
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
count = 0;
|
|
|
92a3a1 |
- if ((len > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
|
|
|
92a3a1 |
- "PI %s too big found", target);
|
|
|
92a3a1 |
- xmlFree(buf);
|
|
|
92a3a1 |
- ctxt->instate = state;
|
|
|
92a3a1 |
- return;
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
COPY_BUF(l,buf,len,cur);
|
|
|
92a3a1 |
NEXTL(l);
|
|
|
92a3a1 |
@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
GROW;
|
|
|
92a3a1 |
cur = CUR_CHAR(l);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
|
|
|
92a3a1 |
+ "PI %s too big found", target);
|
|
|
92a3a1 |
+ xmlFree(buf);
|
|
|
92a3a1 |
+ ctxt->instate = state;
|
|
|
92a3a1 |
+ return;
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- if ((len > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
|
|
|
92a3a1 |
- "PI %s too big found", target);
|
|
|
92a3a1 |
- xmlFree(buf);
|
|
|
92a3a1 |
- ctxt->instate = state;
|
|
|
92a3a1 |
- return;
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
buf[len] = 0;
|
|
|
92a3a1 |
if (cur != '?') {
|
|
|
92a3a1 |
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
|
|
|
92a3a1 |
@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
|
|
92a3a1 |
const xmlChar *in = NULL, *start, *end, *last;
|
|
|
92a3a1 |
xmlChar *ret = NULL;
|
|
|
92a3a1 |
int line, col;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_HUGE_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
GROW;
|
|
|
92a3a1 |
in = (xmlChar *) CUR_PTR;
|
|
|
92a3a1 |
@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
|
|
92a3a1 |
start = in;
|
|
|
92a3a1 |
if (in >= end) {
|
|
|
92a3a1 |
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
|
|
|
92a3a1 |
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if ((in - start) > maxLength) {
|
|
|
92a3a1 |
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
"AttValue length too long\n");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
|
|
92a3a1 |
if ((*in++ == 0x20) && (*in == 0x20)) break;
|
|
|
92a3a1 |
if (in >= end) {
|
|
|
92a3a1 |
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
|
|
|
92a3a1 |
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if ((in - start) > maxLength) {
|
|
|
92a3a1 |
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
"AttValue length too long\n");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
|
|
92a3a1 |
last = last + delta;
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
end = ctxt->input->end;
|
|
|
92a3a1 |
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if ((in - start) > maxLength) {
|
|
|
92a3a1 |
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
"AttValue length too long\n");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if ((in - start) > maxLength) {
|
|
|
92a3a1 |
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
"AttValue length too long\n");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
|
|
92a3a1 |
col++;
|
|
|
92a3a1 |
if (in >= end) {
|
|
|
92a3a1 |
GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
|
|
|
92a3a1 |
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if ((in - start) > maxLength) {
|
|
|
92a3a1 |
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
"AttValue length too long\n");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
last = in;
|
|
|
92a3a1 |
- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
+ if ((in - start) > maxLength) {
|
|
|
92a3a1 |
xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
|
|
|
92a3a1 |
"AttValue length too long\n");
|
|
|
92a3a1 |
return(NULL);
|
|
|
92a3a1 |
@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
int s, sl;
|
|
|
92a3a1 |
int cur, l;
|
|
|
92a3a1 |
int count = 0;
|
|
|
92a3a1 |
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
|
|
|
92a3a1 |
+ XML_MAX_HUGE_LENGTH :
|
|
|
92a3a1 |
+ XML_MAX_TEXT_LENGTH;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
/* Check 2.6.0 was NXT(0) not RAW */
|
|
|
92a3a1 |
if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
|
|
|
92a3a1 |
@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
if (len + 5 >= size) {
|
|
|
92a3a1 |
xmlChar *tmp;
|
|
|
92a3a1 |
|
|
|
92a3a1 |
- if ((size > XML_MAX_TEXT_LENGTH) &&
|
|
|
92a3a1 |
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
|
|
|
92a3a1 |
- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
|
|
|
92a3a1 |
- "CData section too big found", NULL);
|
|
|
92a3a1 |
- xmlFree (buf);
|
|
|
92a3a1 |
- return;
|
|
|
92a3a1 |
- }
|
|
|
92a3a1 |
tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
|
|
|
92a3a1 |
if (tmp == NULL) {
|
|
|
92a3a1 |
xmlFree(buf);
|
|
|
92a3a1 |
@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
NEXTL(l);
|
|
|
92a3a1 |
cur = CUR_CHAR(l);
|
|
|
92a3a1 |
+ if (len > maxLength) {
|
|
|
92a3a1 |
+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
|
|
|
92a3a1 |
+ "CData section too big found\n");
|
|
|
92a3a1 |
+ xmlFree(buf);
|
|
|
92a3a1 |
+ return;
|
|
|
92a3a1 |
+ }
|
|
|
92a3a1 |
}
|
|
|
92a3a1 |
buf[len] = 0;
|
|
|
92a3a1 |
ctxt->instate = XML_PARSER_CONTENT;
|
|
|
92a3a1 |
--
|
|
|
92a3a1 |
GitLab
|
|
|
92a3a1 |
|