--- parser.c.orig 2009-08-03 15:33:12.000000000 +0200 +++ parser.c 2009-08-03 15:36:26.000000000 +0200 @@ -4778,10 +4779,14 @@ xmlParseNotationType(xmlParserCtxtPtr ct if (name == NULL) { xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED, "Name expected in NOTATION declaration\n"); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } cur = xmlCreateEnumeration(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -4791,9 +4796,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct } while (RAW == '|'); if (RAW != ')') { xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL); - if ((last != NULL) && (last != ret)) - xmlFreeEnumeration(last); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } NEXT; return(ret); @@ -4834,7 +4838,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr } cur = xmlCreateEnumeration(name); xmlFree(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -5232,6 +5239,12 @@ xmlParseElementChildrenContentDecl (xmlP const xmlChar *elem; xmlChar type = 0; + if (ctxt->depth > 128) { + xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, + "xmlParseElementChildrenContentDecl : depth %d too deep\n", + ctxt->depth); + return(NULL); + } SKIP_BLANKS; GROW; if (RAW == '(') { @@ -5240,7 +5253,9 @@ xmlParseElementChildrenContentDecl (xmlP /* Recurse on first child */ NEXT; SKIP_BLANKS; + ctxt->depth++; cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid); + ctxt->depth--; SKIP_BLANKS; GROW; } else { @@ -5370,7 +5385,9 @@ xmlParseElementChildrenContentDecl (xmlP /* Recurse on second child */ NEXT; SKIP_BLANKS; + ctxt->depth++; last = xmlParseElementChildrenContentDecl(ctxt, inputid); + ctxt->depth--; SKIP_BLANKS; } else { elem = xmlParseName(ctxt);