From 145a79c9427d526758ef45caa6daa9ddb229af7d Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 19 Jul 2012 20:34:26 +0800
Subject: [PATCH] Impose a reasonable limit on PI size
To: libvir-list@redhat.com
Unless the XML_PARSE_HUGE option is given to the parser,
the value is XML_MAX_TEXT_LENGTH, i.e. the same as for a
text node within content.
Also cleanup some unsigned int used for memory size.
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/parser.c b/parser.c
index 7e5cef7..a78b0b1 100644
--- a/parser.c
+++ b/parser.c
@@ -4953,8 +4953,8 @@ error:
void
xmlParsePI(xmlParserCtxtPtr ctxt) {
xmlChar *buf = NULL;
- int len = 0;
- int size = XML_PARSER_BUFFER_SIZE;
+ size_t len = 0;
+ size_t size = XML_PARSER_BUFFER_SIZE;
int cur, l;
const xmlChar *target;
xmlParserInputState state;
@@ -5011,9 +5011,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
((cur != '?') || (NXT(1) != '>'))) {
if (len + 5 >= size) {
xmlChar *tmp;
-
- size *= 2;
- tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+ size_t new_size = size * 2;
+ tmp = (xmlChar *) xmlRealloc(buf, new_size);
if (tmp == NULL) {
xmlErrMemory(ctxt, NULL);
xmlFree(buf);
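Review bot: The new `size_t new_size = size * 2;` still has no overflow guard, and the length cap this patch introduces is explicitly disabled under XML_PARSE_HUGE, so in that mode the doubling is unbounded; on a 32-bit size_t a buffer that reaches 2 GiB would wrap `new_size` to 0, and a non-NULL realloc result of that size would leave `buf` too small for the `COPY_BUF` that follows. Taking the existing xmlErrMemory path before the multiply closes it: `if (size > SIZE_MAX / 2) { xmlErrMemory(ctxt, NULL); xmlFree(buf); ctxt->instate = state; return; }` ahead of `size_t new_size = size * 2;`. Reaching that size is only plausible on 32-bit builds with huge inputs, but the guard is one line and the surrounding loop is the place the patch is already hardening. The loop body continues past the end of this hunk.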
@@ -5021,11 +5020,20 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
return;
}
buf = tmp;
+ size = new_size;
}
count++;
if (count > 50) {
GROW;
count = 0;
+ if ((len > XML_MAX_TEXT_LENGTH) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+ "PI %s too big found", target);
+ xmlFree(buf);
+ ctxt->instate = state;
+ return;
+ }
}
COPY_BUF(l,buf,len,cur);
NEXTL(l);
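Review bot: The size-limit rejection at the added `xmlFatalErrMsgStr` call reports XML_ERR_PI_NOT_FINISHED, which is the same code the function already uses for a genuinely unterminated PI (visible in the last hunk), so callers and log consumers that dispatch on the error code cannot distinguish a malformed document from one rejected by the new resource limit — only the message text differs. If the public error enum cannot gain a dedicated "limit exceeded" code here, at least the message should name the limit and the override, e.g. `"PI %s too big (XML_MAX_TEXT_LENGTH exceeded; use XML_PARSE_HUGE to lift the limit)"`. Note also that the check runs only when `count > 50`, i.e. after the buffer has already been grown by the preceding realloc, so a rejected PI may have allocated somewhat past XML_MAX_TEXT_LENGTH before it is caught; a comment stating that overshoot is bounded and accepted would save the next reader from wondering whether the cap is exact. The enclosing loop and function continue outside this hunk.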
@@ -5036,6 +5044,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
cur = CUR_CHAR(l);
}
}
+ if ((len > XML_MAX_TEXT_LENGTH) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+ "PI %s too big found", target);
+ xmlFree(buf);
+ ctxt->instate = state;
+ return;
+ }
buf[len] = 0;
if (cur != '?') {
xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
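Review bot: The post-loop `len > XML_MAX_TEXT_LENGTH` block is a byte-for-byte copy of the one inside the loop from the previous hunk (same condition, same error, same cleanup), and the two will drift apart the next time the error path changes; a single `too_big:` label or a small `static` helper that emits the error, frees `buf` and restores `ctxt->instate` would keep one copy. The message string `"PI %s too big found"` also reads awkwardly; `"PI %s too big"` says the same thing. Keeping this second check is still necessary, since the in-loop one only fires every 50 characters, so the note is about deduplication, not removal. xmlParsePI's body continues past the end of this hunk.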
--
1.7.11.4