Never expand parameter entities in text declaration
When parsing the text declaration of external DTDs or entities, make sure that parameter entities are not expanded. This also fixes a memory leak in certain error cases. The change to xmlSkipBlankChars assumes that the parser state is maintained correctly when parsing external DTDs or parameter entities, and might expose bugs in the code that were hidden previously. Found by OSS-Fuzz.
This commit is contained in:
parent
487871b0e3
commit
a28f7d8789
10
parser.c
10
parser.c
@ -2156,7 +2156,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
|
||||
* It's Okay to use CUR/NEXT here since all the blanks are on
|
||||
* the ASCII range.
|
||||
*/
|
||||
if ((ctxt->inputNr == 1) && (ctxt->instate != XML_PARSER_DTD)) {
|
||||
if (ctxt->instate != XML_PARSER_DTD) {
|
||||
const xmlChar *cur;
|
||||
/*
|
||||
* if we are in the document content, go really fast
|
||||
@ -6852,6 +6852,7 @@ void
|
||||
xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
|
||||
xmlChar *version;
|
||||
const xmlChar *encoding;
|
||||
int oldstate;
|
||||
|
||||
/*
|
||||
* We know that '<?xml' is here.
|
||||
@ -6863,6 +6864,10 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
|
||||
return;
|
||||
}
|
||||
|
||||
/* Avoid expansion of parameter entities when skipping blanks. */
|
||||
oldstate = ctxt->instate;
|
||||
ctxt->instate = XML_PARSER_START;
|
||||
|
||||
if (SKIP_BLANKS == 0) {
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
|
||||
"Space needed after '<?xml'\n");
|
||||
@ -6890,6 +6895,7 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
|
||||
/*
|
||||
* The XML REC instructs us to stop parsing right here
|
||||
*/
|
||||
ctxt->instate = oldstate;
|
||||
return;
|
||||
}
|
||||
if ((encoding == NULL) && (ctxt->errNo == XML_ERR_OK)) {
|
||||
@ -6909,6 +6915,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
|
||||
MOVETO_ENDTAG(CUR_PTR);
|
||||
NEXT;
|
||||
}
|
||||
|
||||
ctxt->instate = oldstate;
|
||||
}
|
||||
|
||||
/**
|
||||
|
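Review bot: The save/restore of `ctxt->instate` in xmlParseTextDecl is only as safe as the set of exits between the `ctxt->instate = XML_PARSER_START;` at the top and the two restores shown (the unsupported-encoding `return` and the function end); the version/encoding parsing that sits between the third and fourth hunks is not visible here, and if it contains any other early `return` (an allocation failure path, for instance), the parser would carry on with `instate == XML_PARSER_START`, so xmlSkipBlankChars would keep suppressing parameter-entity expansion for the rest of the external subset and any later `instate` check would see a bogus state. A single exit point would make this robust against future edits, e.g. replacing each `ctxt->instate = oldstate; return;` with `goto done;` and ending the function with `done:\n    ctxt->instate = oldstate;`. The coupling is also implicit: xmlParseTextDecl relies on xmlSkipBlankChars treating any state other than `XML_PARSER_DTD` as "no PE expansion", so the first hunk deserves a comment such as `/* Callers (e.g. xmlParseTextDecl) temporarily set instate to a non-DTD state to suppress PE expansion; keep that contract if this check changes. */`. Both xmlSkipBlankChars and xmlParseTextDecl start and end outside the hunks shown.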