From c6610e3eeba085e8d98eb717450d5a7e485d6ef7 Mon Sep 17 00:00:00 2001
From: fangyunzhong
Date: Tue, 15 Nov 2022 14:20:01 +0800
Subject: [PATCH] =?UTF-8?q?fixed=20e118e72=20from=20https://gitee.com/fang?=
 =?UTF-8?q?-yunzhong/third=5Fparty=5Flibxml2/pulls/30=20fixed=209e04470=20?=
 =?UTF-8?q?from=20https://gitee.com/fang-yunzhong/third=5Fparty=5Flibxml2/?=
 =?UTF-8?q?pulls/29=20=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9E=E4=BF=AE?=
 =?UTF-8?q?=E5=A4=8D=EF=BC=9ACVE-2022-40303,CVE-2022-40304?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: fangyunzhong
---
 entities.c | 55 ++++---------
 parser.c | 233 ++++++++++++++++++++++++++++-------------------------
 2 files changed, 137 insertions(+), 151 deletions(-)

diff --git a/entities.c b/entities.c
index 1a8f86f..ec1b9a7 100644
--- a/entities.c
+++ b/entities.c
@@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity) if ((entity->children) && (entity->owner == 1) && (entity == (xmlEntityPtr) entity->children->parent)) xmlFreeNodeList(entity->children); - if (dict != NULL) { - if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) - xmlFree((char *) entity->name); - if ((entity->ExternalID != NULL) && - (!xmlDictOwns(dict, entity->ExternalID))) - xmlFree((char *) entity->ExternalID); - if ((entity->SystemID != NULL) && - (!xmlDictOwns(dict, entity->SystemID))) - xmlFree((char *) entity->SystemID); - if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) - xmlFree((char *) entity->URI); - if ((entity->content != NULL) - && (!xmlDictOwns(dict, entity->content))) - xmlFree((char *) entity->content); - if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) - xmlFree((char *) entity->orig); - } else { - if (entity->name != NULL) - xmlFree((char *) entity->name); - if (entity->ExternalID != NULL) - xmlFree((char *) entity->ExternalID); - if (entity->SystemID != NULL) - xmlFree((char *) entity->SystemID); - if (entity->URI != NULL) - xmlFree((char *) entity->URI); - if (entity->content != NULL) - xmlFree((char *) entity->content); - if (entity->orig != NULL) - xmlFree((char *) entity->orig); - } + if ((entity->name != NULL) && + ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) + xmlFree((char *) entity->name); + if (entity->ExternalID != NULL) + xmlFree((char *) entity->ExternalID); + if (entity->SystemID != NULL) + xmlFree((char *) entity->SystemID); + if (entity->URI != NULL) + xmlFree((char *) entity->URI); + if (entity->content != NULL) + xmlFree((char *) entity->content); + if (entity->orig != NULL) + xmlFree((char *) entity->orig); xmlFree(entity); } 
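Review bot: The unconditional `xmlFree` of ExternalID, SystemID, URI, content and orig is only safe if no entity ever carries a dict-owned pointer in those fields; the xmlCreateEntity hunk of this patch (`@@ -177,18 +160,12 @@`) guarantees that for entities it creates, but any other code that fills these fields (a copy routine or SAX entity-declaration handlers, if this tree has them) is not touched here and should be checked before merging. Since the title names CVE-2022-40304, this is the dict-corruption fix and the ownership rule is now load-bearing, so state it at the top of this block: `/* Only name may live in the dict; every other string field is always heap-allocated (see xmlCreateEntity) and must be freed here. */`. The xmlStrdup/xmlStrndup calls in the xmlCreateEntity hunk deserve the mirror comment, `/* never dict-intern these: xmlFreeEntity frees them unconditionally */`. The rest of xmlFreeEntity, including where `dict` is obtained, is outside the hunk.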
@@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, ret->SystemID = xmlStrdup(SystemID); } else { ret->name = xmlDictLookup(dict, name, -1); - if (ExternalID != NULL) - ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); - if (SystemID != NULL) - ret->SystemID = xmlDictLookup(dict, SystemID, -1); + ret->ExternalID = xmlStrdup(ExternalID); + ret->SystemID = xmlStrdup(SystemID); } if (content != NULL) { ret->length = xmlStrlen(content); - if ((dict != NULL) && (ret->length < 5)) - ret->content = (xmlChar *) - xmlDictLookup(dict, content, ret->length); - else - ret->content = xmlStrndup(content, ret->length); + ret->content = xmlStrndup(content, ret->length); } else { ret->length = 0; ret->content = NULL; diff --git a/parser.c b/parser.c index c9312fa..aa8ec02 100644 --- a/parser.c +++ b/parser.c @@ -115,6 +115,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); * * ************************************************************************/ +#define XML_MAX_HUGE_LENGTH 1000000000 + #define XML_PARSER_BIG_ENTITY 1000 #define XML_PARSER_LOT_ENTITY 5000 @@ -565,7 +567,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) errmsg = "Malformed declaration expecting version"; break; case XML_ERR_NAME_TOO_LONG: - errmsg = "Name too long use XML_PARSE_HUGE option"; + errmsg = "Name too long"; break; #if 0 case: @@ -3207,6 +3209,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { int len = 0, l; int c; int count = 0; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; #ifdef DEBUG nbParseNameComplex++; @@ -3272,7 +3277,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { if (ctxt->instate == XML_PARSER_EOF) return(NULL); } - len += l; + if (len <= INT_MAX - l) + len += l; NEXTL(l); c = CUR_CHAR(l); } 
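Review bot: `XML_MAX_HUGE_LENGTH` is introduced without any comment, although it changes what XML_PARSE_HUGE means (a fixed cap instead of no cap) and its value is deliberately below INT_MAX. Document both at the definition: `/* Cap on entity values, attribute values, comments, PIs and CDATA when XML_PARSE_HUGE is set; must stay below INT_MAX because callers store these lengths in int (e.g. *attlen in xmlParseAttValueComplex). */`. The public description of the XML_PARSE_HUGE option lives outside this patch and presumably still says the limits are removed; it should be updated to match.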
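Review bot: `if (len <= INT_MAX - l) len += l;` silently saturates the name length instead of reporting an error, which reads like a bug until one notices the `len > maxLength` check after the loop; a saturated len is still above either maxLength value (both are far below INT_MAX), so the error is raised, but that dependency should be written down: `/* Saturate instead of overflowing; the len > maxLength check after the loop still rejects the name. */`. The same construct appears in the second loop of xmlParseNameComplex (`@@ -3298,13 +3304,13 @@`) and in xmlParseNCNameComplex (`@@ -3409,17 +3420,13 @@`) and wants the same comment. The loop head is outside this hunk.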
@@ -3298,13 +3304,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { if (ctxt->instate == XML_PARSER_EOF) return(NULL); } - len += l; + if (len <= INT_MAX - l) + len += l; NEXTL(l); c = CUR_CHAR(l); } } - if ((len > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if (len > maxLength) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); return(NULL); } @@ -3343,7 +3349,10 @@ const xmlChar * xmlParseName(xmlParserCtxtPtr ctxt) { const xmlChar *in; const xmlChar *ret; - int count = 0; + size_t count = 0; + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; GROW; @@ -3367,8 +3376,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { in++; if ((*in > 0) && (*in < 0x80)) { count = in - ctxt->input->cur; - if ((count > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if (count > maxLength) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); return(NULL); } @@ -3389,6 +3397,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { int len = 0, l; int c; int count = 0; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; size_t startPosition = 0; #ifdef DEBUG @@ -3409,17 +3420,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ (xmlIsNameChar(ctxt, c) && (c != ':'))) { if (count++ > XML_PARSER_CHUNK_SIZE) { - if ((len > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - return(NULL); - } count = 0; GROW; if (ctxt->instate == XML_PARSER_EOF) return(NULL); } - len += l; + if (len <= INT_MAX - l) + len += l; NEXTL(l); c = CUR_CHAR(l); if (c == 0) { @@ -3437,8 +3444,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { c = CUR_CHAR(l); } } - if ((len > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if (len > maxLength) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); return(NULL); } 
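Review bot: Dropping the in-loop length check in xmlParseNCNameComplex leaves only the post-loop `len > maxLength` test (`@@ -3437,8 +3444,7 @@`), so an oversized NCName is now scanned to its end before being rejected; the chunk block shows a GROW but no SHRINK, and `startPosition` (`@@ -3389,6 +3397,9 @@`) suggests the whole name is kept in the input buffer until the lookup after the loop, in which case the limit no longer bounds the memory or time spent before the error. Keeping a check in the per-chunk block costs nothing: after `count = 0;` add `if (len > maxLength) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); return(NULL); }`. The post-loop check stays for names shorter than a chunk multiple. The loop head and the lookup are outside this hunk.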
@@ -3464,7 +3470,10 @@ static const xmlChar * xmlParseNCName(xmlParserCtxtPtr ctxt) { const xmlChar *in, *e; const xmlChar *ret; - int count = 0; + size_t count = 0; + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; #ifdef DEBUG nbParseNCName++; @@ -3489,8 +3498,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { goto complex; if ((*in > 0) && (*in < 0x80)) { count = in - ctxt->input->cur; - if ((count > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if (count > maxLength) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); return(NULL); } @@ -3572,6 +3580,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { const xmlChar *cur = *str; int len = 0, l; int c; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; #ifdef DEBUG nbParseStringName++; @@ -3607,12 +3618,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { if (len + 10 > max) { xmlChar *tmp; - if ((len > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - xmlFree(buffer); - return(NULL); - } max *= 2; tmp = (xmlChar *) xmlRealloc(buffer, max * sizeof(xmlChar)); @@ -3626,14 +3631,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { COPY_BUF(l,buffer,len,c); cur += l; c = CUR_SCHAR(cur, l); + if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + xmlFree(buffer); + return(NULL); + } } buffer[len] = 0; *str = cur; return(buffer); } } - if ((len > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if (len > maxLength) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); return(NULL); } @@ -3660,6 +3669,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { int len = 0, l; int c; int count = 0; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; #ifdef DEBUG nbParseNmToken++; 
@@ -3711,12 +3723,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { if (len + 10 > max) { xmlChar *tmp; - if ((max > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); - xmlFree(buffer); - return(NULL); - } max *= 2; tmp = (xmlChar *) xmlRealloc(buffer, max * sizeof(xmlChar)); @@ -3730,6 +3736,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { COPY_BUF(l,buffer,len,c); NEXTL(l); c = CUR_CHAR(l); + if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); + xmlFree(buffer); + return(NULL); + } } buffer[len] = 0; return(buffer); @@ -3737,8 +3748,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { } if (len == 0) return(NULL); - if ((len > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if (len > maxLength) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); return(NULL); } @@ -3764,6 +3774,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { int len = 0; int size = XML_PARSER_BUFFER_SIZE; int c, l; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_HUGE_LENGTH : + XML_MAX_TEXT_LENGTH; xmlChar stop; xmlChar *ret = NULL; const xmlChar *cur = NULL; @@ -3823,6 +3836,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { GROW; c = CUR_CHAR(l); } + + if (len > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "entity value too long\n"); + goto error; + } } buf[len] = 0; if (ctxt->instate == XML_PARSER_EOF) @@ -3910,6 +3929,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { xmlChar *rep = NULL; size_t len = 0; size_t buf_size = 0; + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_HUGE_LENGTH : + XML_MAX_TEXT_LENGTH; int c, l, in_space = 0; xmlChar *current = NULL; xmlEntityPtr ent; 
@@ -3941,16 +3963,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { while (((NXT(0) != limit) && /* checked */ (IS_CHAR(c)) && (c != '<')) && (ctxt->instate != XML_PARSER_EOF)) { - /* - * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE - * special option is given - */ - if ((len > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - goto mem_error; - } if (c == '&') { in_space = 0; if (NXT(1) == '#') { @@ -4098,6 +4110,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { } GROW; c = CUR_CHAR(l); + if (len > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + goto mem_error; + } } if (ctxt->instate == XML_PARSER_EOF) goto error; @@ -4119,16 +4136,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { } else NEXT; - /* - * There we potentially risk an overflow, don't allow attribute value of - * length more than INT_MAX it is a very reasonable assumption ! - */ - if (len >= INT_MAX) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - goto mem_error; - } - if (attlen != NULL) *attlen = (int) len; return(buf); @@ -4199,6 +4206,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { int len = 0; int size = XML_PARSER_BUFFER_SIZE; int cur, l; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; xmlChar stop; int state = ctxt->instate; int count = 0; 
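Review bot: Removing the `len >= INT_MAX` guard makes the `*attlen = (int) len;` cast two lines below depend on an invariant that is only implicit: every iteration of the value loop must end by passing the `len > maxLength` check added in `@@ -4098,6 +4110,11 @@`, and maxLength must stay below INT_MAX. The loop body is largely outside these hunks, so any `continue` or early exit that skips the end-of-body check would reintroduce the truncation; a comment at the cast keeps the next editor honest: `/* len <= maxLength < INT_MAX here: every loop iteration ends with the maxLength check */`. Note also that an iteration which appends an expanded entity may push len above maxLength before that check fires; that is harmless for the cast but is the reason the check belongs at the end of the body rather than the top.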
@@ -4226,13 +4236,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { if (len + 5 >= size) { xmlChar *tmp; - if ((size > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); - xmlFree(buf); - ctxt->instate = (xmlParserInputState) state; - return(NULL); - } size *= 2; tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); if (tmp == NULL) { @@ -4261,6 +4264,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { SHRINK; cur = CUR_CHAR(l); } + if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); + xmlFree(buf); + ctxt->instate = (xmlParserInputState) state; + return(NULL); + } } buf[len] = 0; ctxt->instate = (xmlParserInputState) state; @@ -4288,6 +4297,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { xmlChar *buf = NULL; int len = 0; int size = XML_PARSER_BUFFER_SIZE; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_TEXT_LENGTH : + XML_MAX_NAME_LENGTH; xmlChar cur; xmlChar stop; int count = 0; @@ -4315,12 +4327,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { if (len + 1 >= size) { xmlChar *tmp; - if ((size > XML_MAX_NAME_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); - xmlFree(buf); - return(NULL); - } size *= 2; tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); if (tmp == NULL) { @@ -4348,6 +4354,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { SHRINK; cur = CUR; } + if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); + xmlFree(buf); + return(NULL); + } } buf[len] = 0; if (cur != stop) { @@ -4746,6 +4757,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, int r, rl; int cur, l; size_t count = 0; + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_HUGE_LENGTH : + XML_MAX_TEXT_LENGTH; int inputid; inputid = ctxt->input->id; 
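Review bot: The new error path in xmlParsePubidLiteral (`@@ -4348,6 +4354,11 @@`) returns after `xmlFree(buf)` without restoring `ctxt->instate`, whereas the parallel path added to xmlParseSystemLiteral in `@@ -4261,6 +4264,12 @@` does `ctxt->instate = (xmlParserInputState) state;` first. The removed check behaved the same way, so this is not a regression, but if this function also saves and switches the input state (that part is outside the hunk), a parser in recovery mode continues with a stale state after a too-long public ID; restore the saved state before returning, as the system-literal path does. The loop head and the function's state handling are outside the hunk.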
@@ -4791,13 +4805,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, if ((r == '-') && (q == '-')) { xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); } - if ((len > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, - "Comment too big found", NULL); - xmlFree (buf); - return; - } if (len + 5 >= size) { xmlChar *new_buf; size_t new_size; @@ -4835,6 +4842,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, GROW; cur = CUR_CHAR(l); } + + if (len > maxLength) { + xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, + "Comment too big found", NULL); + xmlFree (buf); + return; + } } buf[len] = 0; if (cur == 0) { @@ -4879,6 +4893,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { xmlChar *buf = NULL; size_t size = XML_PARSER_BUFFER_SIZE; size_t len = 0; + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_HUGE_LENGTH : + XML_MAX_TEXT_LENGTH; xmlParserInputState state; const xmlChar *in; size_t nbchar = 0; @@ -4962,8 +4979,7 @@ get_more: buf[len] = 0; } } - if ((len > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if (len > maxLength) { xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, "Comment too big found", NULL); xmlFree (buf); @@ -5163,6 +5179,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { xmlChar *buf = NULL; size_t len = 0; size_t size = XML_PARSER_BUFFER_SIZE; + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_HUGE_LENGTH : + XML_MAX_TEXT_LENGTH; int cur, l; const xmlChar *target; xmlParserInputState state; @@ -5238,14 +5257,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { return; } count = 0; - if ((len > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, - "PI %s too big found", target); - xmlFree(buf); - ctxt->instate = state; - return; - } } COPY_BUF(l,buf,len,cur); NEXTL(l); 
@@ -5255,15 +5266,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { GROW; cur = CUR_CHAR(l); } + if (len > maxLength) { + xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, + "PI %s too big found", target); + xmlFree(buf); + ctxt->instate = state; + return; + } } - if ((len > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, - "PI %s too big found", target); - xmlFree(buf); - ctxt->instate = state; - return; - } buf[len] = 0; if (cur != '?') { xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, @@ -8955,6 +8965,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, const xmlChar *in = NULL, *start, *end, *last; xmlChar *ret = NULL; int line, col; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_HUGE_LENGTH : + XML_MAX_TEXT_LENGTH; GROW; in = (xmlChar *) CUR_PTR; @@ -8994,8 +9007,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, start = in; if (in >= end) { GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) - if (((in - start) > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if ((in - start) > maxLength) { xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, "AttValue length too long\n"); return(NULL); @@ -9008,8 +9020,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, if ((*in++ == 0x20) && (*in == 0x20)) break; if (in >= end) { GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) - if (((in - start) > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if ((in - start) > maxLength) { xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, "AttValue length too long\n"); return(NULL); 
@@ -9042,16 +9053,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, last = last + delta; } end = ctxt->input->end; - if (((in - start) > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if ((in - start) > maxLength) { xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, "AttValue length too long\n"); return(NULL); } } } - if (((in - start) > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if ((in - start) > maxLength) { xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, "AttValue length too long\n"); return(NULL); @@ -9064,8 +9073,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, col++; if (in >= end) { GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) - if (((in - start) > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if ((in - start) > maxLength) { xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, "AttValue length too long\n"); return(NULL); @@ -9073,8 +9081,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, } } last = in; - if (((in - start) > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { + if ((in - start) > maxLength) { xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, "AttValue length too long\n"); return(NULL); @@ -9764,6 +9771,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { int s, sl; int cur, l; int count = 0; + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? + XML_MAX_HUGE_LENGTH : + XML_MAX_TEXT_LENGTH; /* Check 2.6.0 was NXT(0) not RAW */ if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { 
@@ -9797,13 +9807,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { if (len + 5 >= size) { xmlChar *tmp; - if ((size > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, - "CData section too big found", NULL); - xmlFree (buf); - return; - } tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); if (tmp == NULL) { xmlFree(buf); @@ -9830,6 +9833,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { } NEXTL(l); cur = CUR_CHAR(l); + if (len > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, + "CData section too big found\n"); + xmlFree(buf); + return; + } } buf[len] = 0; ctxt->instate = XML_PARSER_CONTENT; -- Gitee