From 310b309fbdbc85fc7498235b62d911fe90dce942 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 30 Jul 2012 16:16:04 +0800
Subject: [PATCH] Enforce XML_PARSER_EOF state handling through the parser
To: libvir-list@redhat.com

That condition is raised when the parser should positively stop
processing further, even to report errors. It is best to test it after
most GROW calls, especially within loops.

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 parser.c | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 110 insertions(+), 21 deletions(-)

diff --git a/parser.c b/parser.c
index 2e633d5..78ae09b 100644
--- a/parser.c
+++ b/parser.c
@@ -2145,6 +2145,8 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
 		"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
     }
     ret = inputPush(ctxt, input);
+    if (ctxt->instate == XML_PARSER_EOF)
+        return(-1);
     GROW;
     return(ret);
 }
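Review bot: The added EOF test in xmlPushInput runs before `GROW`, not after it, so a stop state raised by that `GROW` call would still fall through to `return(ret)` and be reported as success. If GROW can put the parser into XML_PARSER_EOF, as the commit message implies, repeat the test after it: `GROW; if (ctxt->instate == XML_PARSER_EOF) return(-1);`. Note also that -1 is returned after `inputPush` has already run, so a caller that frees `input` on a negative result would need checking; the callers and the start of the function are outside this hunk.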
@@ -2181,6 +2183,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
 	    if (count++ > 20) {
 		count = 0;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(0);
 	    }
 	    if ((RAW >= '0') && (RAW <= '9')) 
 	        val = val * 16 + (CUR - '0');
@@ -2212,6 +2216,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
 	    if (count++ > 20) {
 		count = 0;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(0);
 	    }
 	    if ((RAW >= '0') && (RAW <= '9')) 
 	        val = val * 10 + (CUR - '0');
@@ -2560,6 +2566,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
 		     * the amount of data in the buffer.
 		     */
 		    GROW
+                    if (ctxt->instate == XML_PARSER_EOF)
+                        return;
 		    if ((ctxt->input->end - ctxt->input->cur)>=4) {
 			start[0] = RAW;
 			start[1] = NXT(1);
@@ -3178,6 +3186,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
      * Handler for more complex cases
      */
     GROW;
+    if (ctxt->instate == XML_PARSER_EOF)
+        return(NULL);
     c = CUR_CHAR(l);
     if ((ctxt->options & XML_PARSE_OLD10) == 0) {
         /*
@@ -3229,6 +3239,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 	    if (count++ > 100) {
 		count = 0;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(NULL);
 	    }
 	    len += l;
 	    NEXTL(l);
@@ -3253,6 +3265,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 	    if (count++ > 100) {
 		count = 0;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(NULL);
 	    }
 	    len += l;
 	    NEXTL(l);
@@ -3361,6 +3375,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
             }
 	    count = 0;
 	    GROW;
+            if (ctxt->instate == XML_PARSER_EOF)
+                return(NULL);
 	}
 	len += l;
 	NEXTL(l);
@@ -3451,6 +3467,8 @@ xmlParseNameAndCompare(xmlParserCtxtPtr ctxt, xmlChar const *other) {
     const xmlChar *ret;
 
     GROW;
+    if (ctxt->instate == XML_PARSER_EOF)
+        return(NULL);
 
     in = ctxt->input->cur;
     while (*in != 0 && *in == *cmp) {
@@ -3590,6 +3608,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
 #endif
 
     GROW;
+    if (ctxt->instate == XML_PARSER_EOF)
+        return(NULL);
     c = CUR_CHAR(l);
 
     while (xmlIsNameChar(ctxt, c)) {
@@ -3618,6 +3638,10 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
 		if (count++ > 100) {
 		    count = 0;
 		    GROW;
+                    if (ctxt->instate == XML_PARSER_EOF) {
+                        xmlFree(buffer);
+                        return(NULL);
+                    }
 		}
 		if (len + 10 > max) {
 		    xmlChar *tmp;
@@ -3699,6 +3723,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
     ctxt->instate = XML_PARSER_ENTITY_VALUE;
     input = ctxt->input;
     GROW;
+    if (ctxt->instate == XML_PARSER_EOF) {
+        xmlFree(buf);
+        return(NULL);
+    }
     NEXT;
     c = CUR_CHAR(l);
     /*
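Review bot: `ctxt->instate = XML_PARSER_ENTITY_VALUE;` directly above the added check overwrites whatever state the parser was in, so the new test can only see an EOF raised by the `GROW` between the two; a stop state set earlier would be silently cleared and parsing would continue. The xmlParseConditionalSections hunk has the same shape, where `ctxt->instate = XML_PARSER_IGNORE;` precedes the newly guarded loop. Whether EOF can already be set at these points is not visible in the hunks. If it can, test before the assignment as well, e.g. `if (ctxt->instate == XML_PARSER_EOF) { xmlFree(buf); return(NULL); }` placed ahead of the state change. The function body starts and ends outside this hunk.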
@@ -3710,8 +3738,8 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
      * In practice it means we stop the loop only when back at parsing
      * the initial entity and the quote is found
      */
-    while ((IS_CHAR(c)) && ((c != stop) || /* checked */
-	   (ctxt->input != input))) {
+    while (((IS_CHAR(c)) && ((c != stop) || /* checked */
+	    (ctxt->input != input))) && (ctxt->instate != XML_PARSER_EOF)) {
 	if (len + 5 >= size) {
 	    xmlChar *tmp;
 
@@ -3740,6 +3768,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
 	}
     }
     buf[len] = 0;
+    if (ctxt->instate == XML_PARSER_EOF) {
+        xmlFree(buf);
+        return(NULL);
+    }
 
     /*
      * Raise problem w.r.t. '&' and '%' being used in non-entities
@@ -3787,12 +3819,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
 	 */
 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
 				      0, 0, 0);
-	if (orig != NULL) 
+	if (orig != NULL)
 	    *orig = buf;
 	else
 	    xmlFree(buf);
     }
-    
+
     return(ret);
 }
 
@@ -3843,8 +3875,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
      * OK loop until we reach one of the ending char or a size limit.
      */
     c = CUR_CHAR(l);
-    while ((NXT(0) != limit) && /* checked */
-           (IS_CHAR(c)) && (c != '<')) {
+    while (((NXT(0) != limit) && /* checked */
+            (IS_CHAR(c)) && (c != '<')) &&
+            (ctxt->instate != XML_PARSER_EOF)) {
         /*
          * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
          * special option is given
@@ -3989,6 +4022,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
 	GROW;
 	c = CUR_CHAR(l);
     }
+    if (ctxt->instate == XML_PARSER_EOF)
+        goto error;
+
     if ((in_space) && (normalize)) {
         while (buf[len - 1] == 0x20) len--;
     }
@@ -4021,6 +4057,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
 
 mem_error:
     xmlErrMemory(ctxt, NULL);
+error:
     if (buf != NULL)
         xmlFree(buf);
     if (rep != NULL)
@@ -4133,6 +4170,10 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
 	if (count > 50) {
 	    GROW;
 	    count = 0;
+            if (ctxt->instate == XML_PARSER_EOF) {
+	        xmlFree(buf);
+		return(NULL);
+            }
 	}
 	COPY_BUF(l,buf,len,cur);
 	NEXTL(l);
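Review bot: The three added lines inside the `if (count > 50)` block are indented three different ways (spaces only, tab plus spaces, tabs only), while the surrounding context uses tabs. The same mix of spaces against tab-indented context appears in most of the other added EOF checks in this patch (xmlParsePubidLiteral, xmlParseCommentComplex, xmlParseCDSect and others). In a function with nested early returns that free `buf`, uneven indentation makes it harder to see which block a `return` belongs to. I would indent the new lines with tabs to match the file.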
@@ -4216,6 +4257,10 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
 	if (count > 50) {
 	    GROW;
 	    count = 0;
+            if (ctxt->instate == XML_PARSER_EOF) {
+		xmlFree(buf);
+		return(NULL);
+            }
 	}
 	NEXT;
 	cur = CUR;
@@ -4422,6 +4467,8 @@ get_more:
 	    }
 	    SHRINK;
 	    GROW;
+            if (ctxt->instate == XML_PARSER_EOF)
+		return;
 	    in = ctxt->input->cur;
 	} while (((*in >= 0x20) && (*in <= 0x7F)) || (*in == 0x09));
 	nbchar = 0;
@@ -4490,6 +4537,8 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) {
 	if (count > 50) {
 	    GROW;
 	    count = 0;
+            if (ctxt->instate == XML_PARSER_EOF)
+		return;
 	}
 	NEXTL(l);
 	cur = CUR_CHAR(l);
@@ -4701,6 +4750,10 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
 	if (count > 50) {
 	    GROW;
 	    count = 0;
+            if (ctxt->instate == XML_PARSER_EOF) {
+		xmlFree(buf);
+		return;
+            }
 	}
 	NEXTL(l);
 	cur = CUR_CHAR(l);
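Review bot: The added early return frees `buf`, which xmlParseCommentComplex receives as a parameter (see the hunk header), so on the EOF path the caller must neither use nor free that pointer after the call. The other exits of the function are outside this hunk. If they also release the buffer, the function comment should say so, for example `* @buf: the already allocated buffer; this function takes ownership and frees it on every return path`. If any exit leaves `buf` to the caller, the call sites need checking for a double free on this new path.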
@@ -4859,6 +4912,10 @@ get_more:
 	}
 	SHRINK;
 	GROW;
+        if (ctxt->instate == XML_PARSER_EOF) {
+            xmlFree(buf);
+            return;
+        }
 	in = ctxt->input->cur;
 	if (*in == '-') {
 	    if (in[1] == '-') {
@@ -5095,6 +5152,10 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
 		count++;
 		if (count > 50) {
 		    GROW;
+                    if (ctxt->instate == XML_PARSER_EOF) {
+                        xmlFree(buf);
+                        return;
+                    }
 		    count = 0;
                     if ((len > XML_MAX_TEXT_LENGTH) &&
                         ((ctxt->options & XML_PARSE_HUGE) == 0)) {
@@ -5851,7 +5912,7 @@ xmlParseAttributeListDecl(xmlParserCtxtPtr ctxt) {
 	}
 	SKIP_BLANKS;
 	GROW;
-	while (RAW != '>') {
+	while ((RAW != '>') && (ctxt->instate != XML_PARSER_EOF)) {
 	    const xmlChar *check = CUR_PTR;
 	    int type;
 	    int def;
@@ -6000,7 +6061,7 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
 	    ret = cur = xmlNewDocElementContent(ctxt->myDoc, NULL, XML_ELEMENT_CONTENT_PCDATA);
 	    if (ret == NULL) return(NULL);
 	}
-	while (RAW == '|') {
+	while ((RAW == '|') && (ctxt->instate != XML_PARSER_EOF)) {
 	    NEXT;
 	    if (elem == NULL) {
 	        ret = xmlNewDocElementContent(ctxt->myDoc, NULL, XML_ELEMENT_CONTENT_OR);
@@ -6144,7 +6205,7 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
     }
     SKIP_BLANKS;
     SHRINK;
-    while (RAW != ')') {
+    while ((RAW != ')') && (ctxt->instate != XML_PARSER_EOF)) {
         /*
 	 * Each loop we parse one separator and one element.
 	 */
@@ -6423,6 +6484,8 @@ xmlParseElementContentDecl(xmlParserCtxtPtr ctxt, const xmlChar *name,
     }
     NEXT;
     GROW;
+    if (ctxt->instate == XML_PARSER_EOF)
+        return(-1);
     SKIP_BLANKS;
     if (CMP7(CUR_PTR, '#', 'P', 'C', 'D', 'A', 'T', 'A')) {
         tree = xmlParseElementMixedContentDecl(ctxt, inputid);
@@ -6590,8 +6653,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 		    "Entering INCLUDE Conditional Section\n");
 	}
 
-	while ((RAW != 0) && ((RAW != ']') || (NXT(1) != ']') ||
-	       (NXT(2) != '>'))) {
+	while (((RAW != 0) && ((RAW != ']') || (NXT(1) != ']') ||
+	        (NXT(2) != '>'))) && (ctxt->instate != XML_PARSER_EOF)) {
 	    const xmlChar *check = CUR_PTR;
 	    unsigned int cons = ctxt->input->consumed;
 
@@ -6659,7 +6722,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
 	if (ctxt->recovery == 0) ctxt->disableSAX = 1;
 	ctxt->instate = XML_PARSER_IGNORE;
 
-	while ((depth >= 0) && (RAW != 0)) {
+	while (((depth >= 0) && (RAW != 0)) &&
+               (ctxt->instate != XML_PARSER_EOF)) {
 	  if ((RAW == '<') && (NXT(1) == '!') && (NXT(2) == '[')) {
 	    depth++;
 	    SKIP(3);
@@ -6930,7 +6994,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
 	    break;
 	}
     }
-    
+
     if (RAW != 0) {
 	xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
     }
@@ -7383,6 +7447,8 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
     xmlEntityPtr ent = NULL;
 
     GROW;
+    if (ctxt->instate == XML_PARSER_EOF)
+        return(NULL);
 
     if (RAW != '&')
         return(NULL);
@@ -7913,6 +7979,10 @@ xmlLoadEntityContent(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) {
 	if (count++ > 100) {
 	    count = 0;
 	    GROW;
+            if (ctxt->instate == XML_PARSER_EOF) {
+                xmlBufferFree(buf);
+                return(-1);
+            }
 	}
 	NEXTL(l);
 	c = CUR_CHAR(l);
@@ -8146,7 +8216,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
 	 * PEReferences.
 	 * Subsequence (markupdecl | PEReference | S)*
 	 */
-	while (RAW != ']') {
+	while ((RAW != ']') && (ctxt->instate != XML_PARSER_EOF)) {
 	    const xmlChar *check = CUR_PTR;
 	    unsigned int cons = ctxt->input->consumed;
 
@@ -8332,9 +8402,9 @@ xmlParseStartTag(xmlParserCtxtPtr ctxt) {
     SKIP_BLANKS;
     GROW;
 
-    while ((RAW != '>') && 
+    while (((RAW != '>') && 
 	   ((RAW != '/') || (NXT(1) != '>')) &&
-	   (IS_BYTE_CHAR(RAW))) {
+	   (IS_BYTE_CHAR(RAW))) && (ctxt->instate != XML_PARSER_EOF)) {
 	const xmlChar *q = CUR_PTR;
 	unsigned int cons = ctxt->input->consumed;
 
@@ -8758,6 +8828,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
 	    if (in >= end) {
 		const xmlChar *oldbase = ctxt->input->base;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(NULL);
 		if (oldbase != ctxt->input->base) {
 		    long delta = ctxt->input->base - oldbase;
 		    start = start + delta;
@@ -8778,6 +8850,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
 	    if (in >= end) {
 		const xmlChar *oldbase = ctxt->input->base;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(NULL);
 		if (oldbase != ctxt->input->base) {
 		    long delta = ctxt->input->base - oldbase;
 		    start = start + delta;
@@ -8804,6 +8878,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
 	    if (in >= end) {
 		const xmlChar *oldbase = ctxt->input->base;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(NULL);
 		if (oldbase != ctxt->input->base) {
 		    long delta = ctxt->input->base - oldbase;
 		    start = start + delta;
@@ -8833,6 +8909,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
 	    if (in >= end) {
 		const xmlChar *oldbase = ctxt->input->base;
 		GROW;
+                if (ctxt->instate == XML_PARSER_EOF)
+                    return(NULL);
 		if (oldbase != ctxt->input->base) {
 		    long delta = ctxt->input->base - oldbase;
 		    start = start + delta;
@@ -9076,9 +9154,9 @@ reparse:
     GROW;
     if (ctxt->input->base != base) goto base_changed;
 
-    while ((RAW != '>') && 
+    while (((RAW != '>') &&
 	   ((RAW != '/') || (NXT(1) != '>')) &&
-	   (IS_BYTE_CHAR(RAW))) {
+	   (IS_BYTE_CHAR(RAW))) && (ctxt->instate != XML_PARSER_EOF)) {
 	const xmlChar *q = CUR_PTR;
 	unsigned int cons = ctxt->input->consumed;
 	int len = -1, alloc = 0;
@@ -9249,6 +9327,8 @@ skip_ns:
 failed:
 
 	GROW
+        if (ctxt->instate == XML_PARSER_EOF)
+            break;
 	if (ctxt->input->base != base) goto base_changed;
 	if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
 	    break;
@@ -9486,6 +9566,8 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
      * We should definitely be at the ending "S? '>'" part
      */
     GROW;
+    if (ctxt->instate == XML_PARSER_EOF)
+        return;
     SKIP_BLANKS;
     if ((!IS_BYTE_CHAR(RAW)) || (RAW != '>')) {
 	xmlFatalErr(ctxt, XML_ERR_GT_REQUIRED, NULL);
@@ -9601,6 +9683,10 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
 	count++;
 	if (count > 50) {
 	    GROW;
+            if (ctxt->instate == XML_PARSER_EOF) {
+		xmlFree(buf);
+		return;
+            }
 	    count = 0;
 	}
 	NEXTL(l);
@@ -10364,9 +10450,10 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
 
 void
 xmlParseMisc(xmlParserCtxtPtr ctxt) {
-    while (((RAW == '<') && (NXT(1) == '?')) ||
-           (CMP4(CUR_PTR, '<', '!', '-', '-')) ||
-           IS_BLANK_CH(CUR)) {
+    while ((ctxt->instate != XML_PARSER_EOF) &&
+           (((RAW == '<') && (NXT(1) == '?')) ||
+            (CMP4(CUR_PTR, '<', '!', '-', '-')) ||
+            IS_BLANK_CH(CUR))) {
         if ((RAW == '<') && (NXT(1) == '?')) {
 	    xmlParsePI(ctxt);
 	} else if (IS_BLANK_CH(CUR)) {
@@ -11836,6 +11923,8 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
         return(XML_ERR_INTERNAL_ERROR);
     if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
         return(ctxt->errNo);
+    if (ctxt->instate == XML_PARSER_EOF)
+        return(-1);
     if (ctxt->instate == XML_PARSER_START)
         xmlDetectSAX2(ctxt);
     if ((size > 0) && (chunk != NULL) && (!terminate) &&
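Review bot: The new `return(-1)` does not match the two returns directly above it, which hand back `XML_ERR_INTERNAL_ERROR` and `ctxt->errNo`, so xmlParseChunk now mixes a bare -1 with parser error codes. A caller that logs the result or compares it against the error enum gets a value outside that set and cannot tell why the parser stopped. Consider returning `ctxt->errNo` when it is not `XML_ERR_OK` and a named error code otherwise, or at least document -1 in the function comment as "parser already stopped". This path may also be reached by a call made after a document has been fully parsed, if a normal finish leaves the context in XML_PARSER_EOF; that is not visible here and should be confirmed. The rest of the function is outside the hunk.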
-- 
1.7.11.4