|
|
95d693 |
--- xerces-c-3.1.1-patched/src/xercesc/validators/DTD/DTDScanner.cpp 2016/06/10 01:28:38 1747618
|
|
|
95d693 |
+++ xerces-c-3.1.1-patched-modified/src/xercesc/validators/DTD/DTDScanner.cpp 2016/06/10 01:38:34 1747619
|
|
|
95d693 |
@@ -44,6 +44,8 @@
|
|
|
95d693 |
|
|
|
95d693 |
XERCES_CPP_NAMESPACE_BEGIN
|
|
|
95d693 |
|
|
|
95d693 |
+#define CONTENTSPEC_DEPTH_LIMIT 1000
|
|
|
95d693 |
+
|
|
|
95d693 |
// ---------------------------------------------------------------------------
|
|
|
95d693 |
// Local methods
|
|
|
95d693 |
// ---------------------------------------------------------------------------
|
|
|
95d693 |
@@ -1038,8 +1040,13 @@
|
|
|
95d693 |
|
|
|
95d693 |
|
|
|
95d693 |
ContentSpecNode*
|
|
|
95d693 |
-DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse)
|
|
|
95d693 |
+DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth)
|
|
|
95d693 |
{
|
|
|
95d693 |
+ if (depth++ > CONTENTSPEC_DEPTH_LIMIT) {
|
|
|
95d693 |
+ fScanner->emitError(XMLErrs::UnterminatedDOCTYPE);
|
|
|
95d693 |
+ return 0;
|
|
|
95d693 |
+ }
|
|
|
95d693 |
+
|
|
|
95d693 |
// Check for a PE ref here, but don't require spaces
|
|
|
95d693 |
checkForPERef(false, true);
|
|
|
95d693 |
|
|
|
95d693 |
@@ -1240,7 +1247,7 @@
|
|
|
95d693 |
// Recurse to handle this new guy
|
|
|
95d693 |
ContentSpecNode* subNode;
|
|
|
95d693 |
try {
|
|
|
95d693 |
- subNode = scanChildren(elemDecl, bufToUse);
|
|
|
95d693 |
+ subNode = scanChildren(elemDecl, bufToUse, depth);
|
|
|
95d693 |
}
|
|
|
95d693 |
catch (const XMLErrs::Codes)
|
|
|
95d693 |
{
|
|
|
95d693 |
@@ -1577,7 +1584,8 @@
|
|
|
95d693 |
//
|
|
|
95d693 |
toFill.setModelType(DTDElementDecl::Children);
|
|
|
95d693 |
XMLBufBid bbTmp(fBufMgr);
|
|
|
95d693 |
- ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer());
|
|
|
95d693 |
+ unsigned int depth = 0;
|
|
|
95d693 |
+ ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth);
|
|
|
95d693 |
status = (resNode != 0);
|
|
|
95d693 |
if (status)
|
|
|
95d693 |
toFill.setContentSpec(resNode);
|
|
|
95d693 |
@@ -2509,7 +2517,15 @@
|
|
|
95d693 |
{
|
|
|
95d693 |
while (true)
|
|
|
95d693 |
{
|
|
|
95d693 |
- const XMLCh nextCh = fReaderMgr->peekNextChar();
|
|
|
95d693 |
+ XMLCh nextCh;
|
|
|
95d693 |
+
|
|
|
95d693 |
+ try {
|
|
|
95d693 |
+ nextCh = fReaderMgr->peekNextChar();
|
|
|
95d693 |
+ }
|
|
|
95d693 |
+ catch (XMLException& ex) {
|
|
|
95d693 |
+ fScanner->emitError(XMLErrs::XMLException_Fatal, ex.getCode(), ex.getMessage(), NULL, NULL);
|
|
|
95d693 |
+ nextCh = chNull;
|
|
|
95d693 |
+ }
|
|
|
95d693 |
|
|
|
95d693 |
if (!nextCh)
|
|
|
95d693 |
{
|
|
|
95d693 |
--- xerces-c-3.1.1-patched/src/xercesc/validators/DTD/DTDScanner.hpp 2016/06/10 01:28:38 1747618
|
|
|
95d693 |
+++ xerces-c-3.1.1-patched-modified/src/xercesc/validators/DTD/DTDScanner.hpp 2016/06/10 01:38:34 1747619
|
|
|
95d693 |
@@ -143,6 +143,7 @@
|
|
|
95d693 |
(
|
|
|
95d693 |
const DTDElementDecl& elemDecl
|
|
|
95d693 |
, XMLBuffer& bufToUse
|
|
|
95d693 |
+ , unsigned int& depth
|
|
|
95d693 |
);
|
|
|
95d693 |
bool scanCharRef(XMLCh& toFill, XMLCh& second);
|
|
|
95d693 |
void scanComment();
|