Index: ChangeLog
===================================================================
--- ChangeLog	(revision 48161)
+++ ChangeLog	(revision 48162)
@@ -1,3 +1,9 @@
+Mon Oct 27 20:21:05 2014  NAKAMURA Usaku  <usa@ruby-lang.org>
+
+	* lib/rexml/entity.rb: keep the entity size within the limitation.
+	  reported by Willis Vandevanter <will@silentrobots.com> and
+	  patched by nahi.
+
 Mon Sep 22 12:10:29 2014  Tanaka Akira  <akr@fsij.org>
 
 	* test/ruby/test_time_tz.rb: Fix test error with tzdata-2014g.
Index: lib/rexml/entity.rb
===================================================================
--- lib/rexml/entity.rb	(revision 48161)
+++ lib/rexml/entity.rb	(revision 48162)
@@ -138,8 +138,14 @@
         matches = @value.scan(PEREFERENCE_RE)
         rv = @value.clone
         if @parent
+          sum = 0
           matches.each do |entity_reference|
             entity_value = @parent.entity( entity_reference[0] )
+            if sum + entity_value.bytesize > Document.entity_expansion_text_limit
+              raise "entity expansion has grown too large"
+            else
+              sum += entity_value.bytesize
+            end
             rv.gsub!( /%#{entity_reference.join};/um, entity_value )
           end
         end
Index: test/rexml/test_document.rb
===================================================================
--- test/rexml/test_document.rb	(revision 48161)
+++ test/rexml/test_document.rb	(revision 48162)
@@ -47,6 +47,20 @@
 </member>
 EOF
 
+    XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+  <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
+  <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+  <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+  <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+  <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+  <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+  <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+  <!ENTITY test "test %g;">
+]>
+<cd></cd>
+EOF
+
   XML_WITH_4_ENTITY_EXPANSION = <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE member [
@@ -85,6 +99,19 @@
     REXML::Document.entity_expansion_limit = 10000
   end
 
+  def test_entity_expansion_limit_for_parameter_entity
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+  ensure
+    REXML::Document.entity_expansion_limit = 10000
+  end
+
   def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source
     tag = "<b>...</b>"
     message = "こんにちは、世界！" # Hello world! in Japanese
Index: test/rexml/test_entity.rb
===================================================================
--- test/rexml/test_entity.rb	(revision 48161)
+++ test/rexml/test_entity.rb	(revision 48162)
@@ -122,6 +122,22 @@
     end
   end
 
+  def test_entity_string_limit_for_parameter_entity
+    template = '<!DOCTYPE bomb [ <!ENTITY % a "^" > <!ENTITY bomb "$" > ]><root/>'
+    len      = 5120 # 5k per entity
+    template.sub!(/\^/, "B" * len)
+
+    # 10k is OK
+    entities = '%a;' * 2 # 5k entity * 2 = 10k
+    REXML::Document.new(template.sub(/\$/, entities))
+
+    # above 10k explodes
+    entities = '%a;' * 3 # 5k entity * 2 = 15k
+    assert_raises(REXML::ParseException) do
+      REXML::Document.new(template.sub(/\$/, entities))
+    end
+  end
+
   def test_raw
     source = '<!DOCTYPE foo [
 <!ENTITY ent "replace">
Index: .
===================================================================
--- .	(revision 48161)
+++ .	(revision 48162)

Property changes on: .
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /trunk:r48161