mirror of https://gitlab.gnome.org/GNOME/libxml2.git (synced 2024-12-25 23:21:26 +03:00)
01411e7c5e
Implement section "4.6 Predefined Entities" of the XML 1.0 spec and check
whether redeclarations of predefined entities match the original
definitions.

Note that some test cases declared

    <!ENTITY lt "<">

But the XML spec clearly states that this is illegal:

> If the entities lt or amp are declared, they MUST be declared as
> internal entities whose replacement text is a character reference to
> the respective character (less-than sign or ampersand) being escaped;
> the double escaping is REQUIRED for these entities so that references
> to them produce a well-formed result.

Also fixes #217 but the connection is only tangential. The integer
overflow discovered by fuzzing was more related to the fact that various
parts of the parser disagreed on whether to prefer predefined entities
over their redeclarations. The whole situation is a mess and even depends
on legacy parser options. But now that redeclarations are validated, it
shouldn't make a difference.

As noted in the added comment, this is also one of the cases where overly
defensive checks can hide interesting logic bugs from fuzzers.
18 lines
528 B
Plaintext
SAX.setDocumentLocator()
SAX.startDocument()
SAX.internalSubset(doc, , )
SAX.entityDecl(lt, 1, (null), (null), <)
SAX.getEntity(lt)
SAX.entityDecl(gt, 1, (null), (null), >)
SAX.getEntity(gt)
SAX.entityDecl(amp, 1, (null), (null), &)
SAX.getEntity(amp)
SAX.entityDecl(apos, 1, (null), (null), ')
SAX.getEntity(apos)
SAX.entityDecl(quot, 1, (null), (null), ")
SAX.getEntity(quot)
SAX.externalSubset(doc, , )
SAX.startElementNs(doc, NULL, NULL, 0, 0, 0)
SAX.endElementNs(doc, NULL, NULL)
SAX.endDocument()
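The rule quoted in the commit message, together with the rule the same spec section gives for gt, apos and quot (their replacement text may be either the bare character or a character reference to it), turned into a standalone check. This is an added example written for this page; it is not libxml2's code and does not claim to mirror how libxml2 performs the check. The function names, the 64-byte buffer and the choice to treat non-ASCII character references as unsupported are this example's own assumptions. The program first derives the replacement text from the EntityValue literal by substituting one level of character references, as XML 1.0 section 4.5 prescribes for internal entities (so the literal "&#38;#60;" yields the replacement text "&#60;", which passes for lt, while the literal "&#60;" collapses to a bare "<", which fails), and then applies the section 4.6 test. The character-reference parser caps the accumulated value so an overlong digit string cannot overflow.

```c
#include <stdio.h>
#include <string.h>

/* The five entities of XML 1.0 section 4.6 and the characters they escape. */
static const struct { const char *name; char ch; } predefined[] = {
    { "lt", '<' }, { "gt", '>' }, { "amp", '&' }, { "apos", '\'' }, { "quot", '"' },
};

/* Escaped character for a predefined entity name, or 0 for any other name. */
static char predefined_char(const char *name) {
    for (size_t i = 0; i < sizeof predefined / sizeof predefined[0]; i++)
        if (strcmp(predefined[i].name, name) == 0)
            return predefined[i].ch;
    return 0;
}

/* Parse one character reference ("&#60;" or "&#x3C;") starting at p.
 * Stores the code point and returns the position after ';', or NULL if p
 * does not start with a well-formed reference. The value is checked while
 * accumulating, so a long digit string cannot overflow the accumulator. */
static const char *parse_charref(const char *p, long *out) {
    if (p[0] != '&' || p[1] != '#')
        return NULL;
    p += 2;
    int base = 10;
    if (*p == 'x') { base = 16; p++; }          /* XML allows lowercase x only */
    long v = 0;
    int ndigits = 0;
    for (;; p++, ndigits++) {
        int d;
        if (*p >= '0' && *p <= '9')                    d = *p - '0';
        else if (base == 16 && *p >= 'a' && *p <= 'f') d = *p - 'a' + 10;
        else if (base == 16 && *p >= 'A' && *p <= 'F') d = *p - 'A' + 10;
        else break;
        v = v * base + d;
        if (v > 0x10FFFF)
            return NULL;                            /* beyond the Unicode range */
    }
    if (ndigits == 0 || *p != ';' || v == 0)
        return NULL;
    *out = v;
    return p + 1;
}

/* Build an internal entity's replacement text from its EntityValue literal by
 * substituting one level of character references: "&#38;#60;" yields "&#60;",
 * "&#60;" yields "<". Other bytes are copied through. Only ASCII code points
 * are handled (an assumption of this example, sufficient for the five
 * predefined entities). Returns 0 if the literal cannot be decoded. */
static int replacement_text(const char *literal, char *out, size_t outlen) {
    size_t n = 0;
    while (*literal != '\0') {
        long cp;
        const char *next = parse_charref(literal, &cp);
        if (next != NULL) {
            if (cp >= 128 || n + 1 >= outlen) return 0;   /* non-ASCII: unsupported here */
            out[n++] = (char)cp;
            literal = next;
        } else if (literal[0] == '&' && literal[1] == '#') {
            return 0;                                     /* malformed reference */
        } else {
            if (n + 1 >= outlen) return 0;
            out[n++] = *literal++;
        }
    }
    out[n] = '\0';
    return 1;
}

/* Section 4.6 applied to the replacement text: for lt and amp it must be a
 * character reference to the escaped character (double escaping); for gt,
 * apos and quot it may be the bare character or such a reference.
 * Returns 1 if the redeclaration is allowed, 0 if it must be rejected.
 * Names that are not predefined pass unchecked. */
static int predefined_redeclaration_ok(const char *name, const char *replacement) {
    char c = predefined_char(name);
    if (c == 0)
        return 1;
    if (replacement[0] == c && replacement[1] == '\0')
        return c == '>' || c == '\'' || c == '"';   /* bare form: never for lt, amp */
    long cp;
    const char *end = parse_charref(replacement, &cp);
    return end != NULL && *end == '\0' && cp == (unsigned char)c;
}

/* Decide straight from the literal as it is written in the DTD. */
static int declaration_ok(const char *name, const char *literal) {
    char repl[64];
    if (predefined_char(name) == 0)
        return 1;
    if (!replacement_text(literal, repl, sizeof repl))
        return 0;
    return predefined_redeclaration_ok(name, repl);
}

int main(void) {
    /* Constructed sample declarations; not taken from libxml2's test suite. */
    static const struct { const char *name, *literal; } decls[] = {
        { "lt",   "&#38;#60;" },   /* the spec's double-escaped form */
        { "amp",  "&#38;#38;" },
        { "lt",   "&#60;"     },   /* replacement text is "<": not a reference */
        { "lt",   "<"         },   /* the form the commit message calls illegal */
        { "gt",   ">"         },   /* bare character is fine for gt, apos, quot */
        { "quot", "&#x22;"    },
        { "apos", "&#38;#39;" },   /* double escaping optional but harmless */
        { "gt",   "&#60;"     },   /* wrong character */
    };
    for (size_t i = 0; i < sizeof decls / sizeof decls[0]; i++)
        printf("<!ENTITY %-4s \"%s\"> -> %s\n", decls[i].name, decls[i].literal,
               declaration_ok(decls[i].name, decls[i].literal) ? "allowed" : "rejected");
    return 0;
}
```

Compile it with any C99 compiler and run it; each constructed declaration is printed with "allowed" or "rejected". What a parser then does with a rejected redeclaration (warn, fail the document, or keep the built-in definition) is a policy decision the check itself does not make.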