[libxml2] Never expand parameter entities in text declaration



commit a28f7d8789e63f5e2ac63b42083754cba58f1a0e
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Jun 10 13:41:13 2020 +0200

    Never expand parameter entities in text declaration
    
    When parsing the text declaration of external DTDs or entities, make
    sure that parameter entities are not expanded. This also fixes a memory
    leak in certain error cases.
    
    The change to xmlSkipBlankChars assumes that the parser state is
    maintained correctly when parsing external DTDs or parameter entities,
    and might expose bugs in the code that were hidden previously.
    
    Found by OSS-Fuzz.

 parser.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
---
diff --git a/parser.c b/parser.c
index 046f1cec..3559aaae 100644
--- a/parser.c
+++ b/parser.c
@@ -2156,7 +2156,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
      * It's Okay to use CUR/NEXT here since all the blanks are on
      * the ASCII range.
      */
-    if ((ctxt->inputNr == 1) && (ctxt->instate != XML_PARSER_DTD)) {
+    if (ctxt->instate != XML_PARSER_DTD) {
        const xmlChar *cur;
        /*
         * if we are in the document content, go really fast
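Review bot: Dropping `ctxt->inputNr == 1` from the condition means the fast path now also runs while nested entity inputs are on the stack, and the code itself does not record the invariant the commit message relies on — that `instate` is `XML_PARSER_DTD` wherever parameter-entity references must be recognised. A comment above the condition, such as `/* Taken for nested inputs (inputNr > 1) too; relies on instate being XML_PARSER_DTD wherever PE references may occur. */`, would keep that assumption visible to the next maintainer. If the fast path does not handle reaching the end of a nested input, that case was presumably what the inputNr test excluded before, which is worth confirming against the rest of the loop. xmlSkipBlankChars begins before this hunk and continues past it.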
@@ -6852,6 +6852,7 @@ void
 xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
     xmlChar *version;
     const xmlChar *encoding;
+    int oldstate;
 
     /*
      * We know that '<?xml' is here.
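Review bot: `int oldstate;` stores a value of the enum type `xmlParserInputState` (the type of `ctxt->instate`), so the save and the later restore both go through implicit int/enum conversions. Declaring it as `xmlParserInputState oldstate;` keeps the round-trip type-exact and makes the purpose of the variable clear at the declaration. xmlParseTextDecl continues past this hunk.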
@@ -6863,6 +6864,10 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
        return;
     }
 
+    /* Avoid expansion of parameter entities when skipping blanks. */
+    oldstate = ctxt->instate;
+    ctxt->instate = XML_PARSER_START;
+
     if (SKIP_BLANKS == 0) {
        xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
                       "Space needed after '<?xml'\n");
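Review bot: The comment on the new lines states the intent but not the mechanism: XML_PARSER_START appears to be chosen only because it differs from XML_PARSER_DTD, the state xmlSkipBlankChars tests before it would expand parameter entities, and nothing here says so. A slightly fuller comment, `/* Avoid expansion of parameter entities when skipping blanks: any state other than XML_PARSER_DTD makes xmlSkipBlankChars take the non-expanding path. */`, would tie the chosen value to the check it depends on. The early return before the save does not need a restore, which the placement already gets right.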
@@ -6890,6 +6895,7 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
        /*
         * The XML REC instructs us to stop parsing right here
         */
+        ctxt->instate = oldstate;
         return;
     }
     if ((encoding == NULL) && (ctxt->errNo == XML_ERR_OK)) {
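Review bot: The restore `ctxt->instate = oldstate;` is unconditional, so if a callee in the stretch between the save and this point halted the parser by setting `instate` to XML_PARSER_EOF (as xmlHaltParser does), the restore would revert that and parsing could continue on a halted context; the restore at the end of the function in the next hunk has the same issue. A guarded restore, `if (ctxt->instate != XML_PARSER_EOF) ctxt->instate = oldstate;`, at both sites keeps a halt sticky. Whether any of the callees in the elided lines can halt, or whether those lines contain another early return that would bypass the restore altogether, is not visible here and is inferred. xmlParseTextDecl continues outside this hunk.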
@@ -6909,6 +6915,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
        MOVETO_ENDTAG(CUR_PTR);
        NEXT;
     }
+
+    ctxt->instate = oldstate;
 }
 
 /**

