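--- a/libxml2-2.6.32/include/libxml/parser.h
+++ b/libxml2-2.6.32/include/libxml/parser.h
@@ -297,6 +297,7 @@ struct _xmlParserCtxt {
      */
     xmlError          lastError;
     xmlParserMode     parseMode;    /* the parser mode */
+    unsigned long    nbentities;    /* number of entities references */
 };
 
 /**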
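Review bot: The new `nbentities` member changes the size of `struct _xmlParserCtxt` in what looks like an installed public header, and `struct _xmlEntity` in entities.h gets the same treatment. Appending it as the last member keeps every existing offset, so the layout risk is limited to code built against the old headers that allocates, copies or statically defines these structs itself; it is worth confirming that dependents only obtain them from the library. The comment could also say what the counter is for, e.g. `/* entity references seen so far, checked against the expansion limit */`, since "number of entities references" does not tell a reader that exceeding it is a fatal parse error.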
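--- a/libxml2-2.6.32/include/libxml/entities.h
+++ b/libxml2-2.6.32/include/libxml/entities.h
@@ -57,6 +57,7 @@ struct _xmlEntity {
     const xmlChar           *URI;	/* the full URI as computed */
     int                    owner;	/* does the entity own the childrens */
     int			 checked;	/* was the entity content checked */
+    unsigned long     nbentities;	/* the number of entities references */
 };
 
 /*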
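--- a/libxml2-2.6.32/entities.c
+++ b/libxml2-2.6.32/entities.c
@@ -31,35 +31,35 @@ static xmlEntity xmlEntityLt = {
     NULL, NULL, NULL, NULL, NULL, NULL, 
     BAD_CAST "<", BAD_CAST "<", 1,
     XML_INTERNAL_PREDEFINED_ENTITY,
-    NULL, NULL, NULL, NULL, 0, 1
+    NULL, NULL, NULL, NULL, 0, 1, 0
 };
 static xmlEntity xmlEntityGt = {
     NULL, XML_ENTITY_DECL, BAD_CAST "gt",
     NULL, NULL, NULL, NULL, NULL, NULL, 
     BAD_CAST ">", BAD_CAST ">", 1,
     XML_INTERNAL_PREDEFINED_ENTITY,
-    NULL, NULL, NULL, NULL, 0, 1
+    NULL, NULL, NULL, NULL, 0, 1, 0
 };
 static xmlEntity xmlEntityAmp = {
     NULL, XML_ENTITY_DECL, BAD_CAST "amp",
     NULL, NULL, NULL, NULL, NULL, NULL, 
     BAD_CAST "&", BAD_CAST "&", 1,
     XML_INTERNAL_PREDEFINED_ENTITY,
-    NULL, NULL, NULL, NULL, 0, 1
+    NULL, NULL, NULL, NULL, 0, 1, 0
 };
 static xmlEntity xmlEntityQuot = {
     NULL, XML_ENTITY_DECL, BAD_CAST "quot",
     NULL, NULL, NULL, NULL, NULL, NULL, 
     BAD_CAST "\"", BAD_CAST "\"", 1,
     XML_INTERNAL_PREDEFINED_ENTITY,
-    NULL, NULL, NULL, NULL, 0, 1
+    NULL, NULL, NULL, NULL, 0, 1, 0
 };
 static xmlEntity xmlEntityApos = {
     NULL, XML_ENTITY_DECL, BAD_CAST "apos",
     NULL, NULL, NULL, NULL, NULL, NULL, 
     BAD_CAST "'", BAD_CAST "'", 1,
     XML_INTERNAL_PREDEFINED_ENTITY,
-    NULL, NULL, NULL, NULL, 0, 1
+    NULL, NULL, NULL, NULL, 0, 1, 0
 };
 
 /**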
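--- a/libxml2-2.6.32/parserInternals.c
+++ b/libxml2-2.6.32/parserInternals.c
@@ -1669,6 +1669,7 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
     ctxt->depth = 0;
     ctxt->charset = XML_CHAR_ENCODING_UTF8;
     ctxt->catalogs = NULL;
+    ctxt->nbentities = 0;
     xmlInitNodeInfoSeq(&ctxt->node_seq);
     return(0);
 }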
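--- a/libxml2-2.6.32/parser.c
+++ b/libxml2-2.6.32/parser.c
@@ -2344,7 +2344,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 	return(NULL);
     last = str + len;
 
-    if (ctxt->depth > 40) {
+    if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
 	xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
 	return(NULL);
     }
@@ -2382,6 +2382,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 			"String decoding Entity Reference: %.30s\n",
 			str);
 	    ent = xmlParseStringEntityRef(ctxt, &str);
+	    if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+	        goto int_error;
+	    ctxt->nbentities++;
+	    if (ent != NULL)
+	        ctxt->nbentities += ent->nbentities;
 	    if ((ent != NULL) &&
 		(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
 		if (ent->content != NULL) {
@@ -2427,6 +2432,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 		xmlGenericError(xmlGenericErrorContext,
 			"String decoding PE Reference: %.30s\n", str);
 	    ent = xmlParseStringPEReference(ctxt, &str);
+	    if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+	        goto int_error;
+	    ctxt->nbentities++;
+	    if (ent != NULL)
+	        ctxt->nbentities += ent->nbentities;
 	    if (ent != NULL) {
                 if (ent->content == NULL) {
 		    if (xmlLoadEntityContent(ctxt, ent) < 0) {
@@ -2466,6 +2476,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 
 mem_error:
     xmlErrMemory(ctxt, NULL);
+int_error:
     if (rep != NULL)
         xmlFree(rep);
     if (buffer != NULL)
@@ -3280,6 +3291,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 		}
 	    } else {
 		ent = xmlParseEntityRef(ctxt);
+		ctxt->nbentities++;
+		if (ent != NULL)
+		    ctxt->nbentities += ent->nbentities;
 		if ((ent != NULL) &&
 		    (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
 		    if (len > buf_size - 10) {
@@ -4566,6 +4580,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
     int isParameter = 0;
     xmlChar *orig = NULL;
     int skipped;
+    unsigned long oldnbent = ctxt->nbentities;
     
     /* GROW; done in the caller */
     if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
@@ -4783,6 +4798,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
 		}
 	    }
             if (cur != NULL) {
+	        cur->nbentities = ctxt->nbentities - oldnbent;
 	        if (cur->orig != NULL)
 		    xmlFree(orig);
 		else
@@ -6189,6 +6205,11 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 	if (ent == NULL) return;
 	if (!ctxt->wellFormed)
 	    return;
+	ctxt->nbentities++;
+	if (ctxt->nbentities >= 500000) {
+	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+	    return;
+	}
 	was_checked = ent->checked;
 	if ((ent->name != NULL) && 
 	    (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
@@ -6249,6 +6270,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 			xmlFreeNodeList(list);
 		    }
 		} else {
+		    unsigned long oldnbent = ctxt->nbentities;
 		    /*
 		     * 4.3.2: An internal general parsed entity is well-formed
 		     * if its replacement text matches the production labeled
@@ -6271,6 +6293,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 			ret = xmlParseBalancedChunkMemoryInternal(ctxt,
 					   value, user_data, &list);
 			ctxt->depth--;
+
 		    } else if (ent->etype ==
 			       XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
 			ctxt->depth++;
@@ -6283,6 +6306,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 			xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
 				     "invalid entity type found\n", NULL);
 		    }
+		    ent->nbentities = ctxt->nbentities - oldnbent;
 		    if (ret == XML_ERR_ENTITY_LOOP) {
 			xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
 			return;
@@ -6341,6 +6365,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
 		}
 		ent->checked = 1;
 	    }
+	    ctxt->nbentities += ent->nbentities;
 
             if (ent->children == NULL) {
 		/*
@@ -11480,7 +11505,7 @@ xmlParseCtxtExternalEntity(xmlParserCtxt
 
     if (ctx == NULL) return(-1);
 
-    if (ctx->depth > 40) {
+    if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
 	return(XML_ERR_ENTITY_LOOP);
     }
 
@@ -11681,7 +11706,8 @@ xmlParseExternalEntityPrivate(xmlDocPtr
     xmlChar start[4];
     xmlCharEncoding enc;
 
-    if (depth > 40) {
+    if ((depth > 40) ||
+        ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
 	return(XML_ERR_ENTITY_LOOP);
     }
 
@@ -11824,6 +11850,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr
     oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
     oldctxt->node_seq.length = ctxt->node_seq.length;
     oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
+    oldctxt->nbentities += ctxt->nbentities;
     ctxt->node_seq.maximum = 0;
     ctxt->node_seq.length = 0;
     ctxt->node_seq.buffer = NULL;
@@ -11924,7 +11951,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
     int size;
     xmlParserErrors ret = XML_ERR_OK;
 
-    if (oldctxt->depth > 40) {
+    if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
 	return(XML_ERR_ENTITY_LOOP);
     }
 
@@ -12048,6 +12075,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
         ctxt->myDoc->last = last;
     }
 	
+    oldctxt->nbentities += ctxt->nbentities;
     ctxt->sax = oldsax;
     ctxt->dict = NULL;
     ctxt->attsDefault = NULL;
@@ -13363,6 +13391,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
     ctxt->depth = 0;
     ctxt->charset = XML_CHAR_ENCODING_UTF8;
     ctxt->catalogs = NULL;
+    ctxt->nbentities = 0;
     xmlInitNodeInfoSeq(&ctxt->node_seq);
 
     if (ctxt->attsDefault != NULL) {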
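Review bot: The budget `500000` is repeated as a bare literal in five conditions (xmlStringLenDecodeEntities at new line 2347, xmlParseReference at 6209, xmlParseCtxtExternalEntity at 11508, xmlParseExternalEntityPrivate at 11710, xmlParseBalancedChunkMemoryInternal at 11954), so a later change to the limit can easily miss one site. Define it once near the top of parser.c, e.g. `#define XML_PARSER_MAX_NBENTITIES 500000` (the name is only a suggestion), with a comment stating that it caps the number of entity references counted on a parser context. That comment should also record what the cap does not cover: it counts references rather than bytes of replacement text, so as far as these hunks show, a small number of references to very large entities is not bounded by this check. Overruns are reported as `XML_ERR_ENTITY_LOOP`, which will read as a recursion error to whoever triages the message; all of the touched functions continue outside the visible hunks.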
