diff --git a/libxml2-2.6.32.entities.patch b/libxml2-2.6.32.entities.patch
new file mode 100644
index 0000000..e9b4828
--- /dev/null
+++ b/libxml2-2.6.32.entities.patch
@@ -0,0 +1,216 @@
+Index: include/libxml/parser.h
+===================================================================
+--- include/libxml/parser.h (revision 3771)
++++ include/libxml/parser.h (working copy)
+@@ -297,6 +297,7 @@ struct _xmlParserCtxt {
+ */
+ xmlError lastError;
+ xmlParserMode parseMode; /* the parser mode */
++ unsigned long nbentities; /* number of entities references */
+ };
+
+ /**
+Index: parserInternals.c
+===================================================================
+--- parserInternals.c (revision 3771)
++++ parserInternals.c (working copy)
+@@ -1670,6 +1670,7 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+ ctxt->depth = 0;
+ ctxt->charset = XML_CHAR_ENCODING_UTF8;
+ ctxt->catalogs = NULL;
++ ctxt->nbentities = 0;
+ xmlInitNodeInfoSeq(&ctxt->node_seq);
+ return(0);
+ }
+Index: SAX2.c
+===================================================================
+--- SAX2.c (revision 3772)
++++ SAX2.c (working copy)
+@@ -580,7 +580,8 @@ xmlSAX2GetEntity(void *ctx, const xmlCha
+ return(NULL);
+ }
+ ret->owner = 1;
+- ret->checked = 1;
++ if (ret->checked == 0)
++ ret->checked = 1;
+ }
+ return(ret);
+ }
+--- parser.c.orig 2008-04-08 16:47:58.000000000 +0200
++++ parser.c 2008-08-25 17:55:30.000000000 +0200
+@@ -2344,7 +2344,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ return(NULL);
+ last = str + len;
+
+- if (ctxt->depth > 40) {
++ if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return(NULL);
+ }
+@@ -2382,6 +2382,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ "String decoding Entity Reference: %.30s\n",
+ str);
+ ent = xmlParseStringEntityRef(ctxt, &str);
++ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
++ goto int_error;
++ ctxt->nbentities++;
++ if (ent != NULL)
++ ctxt->nbentities += ent->checked;
+ if ((ent != NULL) &&
+ (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+ if (ent->content != NULL) {
+@@ -2427,6 +2432,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+ xmlGenericError(xmlGenericErrorContext,
+ "String decoding PE Reference: %.30s\n", str);
+ ent = xmlParseStringPEReference(ctxt, &str);
++ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
++ goto int_error;
++ ctxt->nbentities++;
++ if (ent != NULL)
++ ctxt->nbentities += ent->checked;
+ if (ent != NULL) {
+ if (ent->content == NULL) {
+ if (xmlLoadEntityContent(ctxt, ent) < 0) {
+@@ -2466,6 +2476,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+
+ mem_error:
+ xmlErrMemory(ctxt, NULL);
++int_error:
+ if (rep != NULL)
+ xmlFree(rep);
+ if (buffer != NULL)
+@@ -3280,6 +3291,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
+ }
+ } else {
+ ent = xmlParseEntityRef(ctxt);
++ ctxt->nbentities++;
++ if (ent != NULL)
++ ctxt->nbentities += ent->checked;
+ if ((ent != NULL) &&
+ (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+ if (len > buf_size - 10) {
+@@ -4566,6 +4580,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
+ int isParameter = 0;
+ xmlChar *orig = NULL;
+ int skipped;
++ unsigned long oldnbent = ctxt->nbentities;
+
+ /* GROW; done in the caller */
+ if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
+@@ -4783,6 +4798,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
+ }
+ }
+ if (cur != NULL) {
++ cur->checked = ctxt->nbentities - oldnbent;
+ if (cur->orig != NULL)
+ xmlFree(orig);
+ else
+@@ -6189,6 +6205,11 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ if (ent == NULL) return;
+ if (!ctxt->wellFormed)
+ return;
++ ctxt->nbentities++;
++ if (ctxt->nbentities >= 500000) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ return;
++ }
+ was_checked = ent->checked;
+ if ((ent->name != NULL) &&
+ (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
+@@ -6249,6 +6270,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ xmlFreeNodeList(list);
+ }
+ } else {
++ unsigned long oldnbent = ctxt->nbentities;
+ /*
+ * 4.3.2: An internal general parsed entity is well-formed
+ * if its replacement text matches the production labeled
+@@ -6271,6 +6293,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ ret = xmlParseBalancedChunkMemoryInternal(ctxt,
+ value, user_data, &list);
+ ctxt->depth--;
++
+ } else if (ent->etype ==
+ XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
+ ctxt->depth++;
+@@ -6283,6 +6306,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "invalid entity type found\n", NULL);
+ }
++ ent->checked = ctxt->nbentities - oldnbent;
+ if (ret == XML_ERR_ENTITY_LOOP) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return;
+@@ -6339,8 +6363,10 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ list = NULL;
+ }
+ }
+- ent->checked = 1;
++ if (ent->checked == 0)
++ ent->checked = 1;
+ }
++ ctxt->nbentities += ent->checked;
+
+ if (ent->children == NULL) {
+ /*
+@@ -6349,7 +6375,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+ * though parsing for first checking go though the entity
+ * content to generate callbacks associated to the entity
+ */
+- if (was_checked == 1) {
++ if (was_checked != 0) {
+ void *user_data;
+ /*
+ * This is a bit hackish but this seems the best
+@@ -11480,7 +11506,7 @@ xmlParseCtxtExternalEntity(xmlParserCtxt
+
+ if (ctx == NULL) return(-1);
+
+- if (ctx->depth > 40) {
++ if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
+ return(XML_ERR_ENTITY_LOOP);
+ }
+
+@@ -11681,7 +11707,8 @@ xmlParseExternalEntityPrivate(xmlDocPtr
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
+- if (depth > 40) {
++ if ((depth > 40) ||
++ ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
+ return(XML_ERR_ENTITY_LOOP);
+ }
+
+@@ -11824,6 +11851,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr
+ oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
+ oldctxt->node_seq.length = ctxt->node_seq.length;
+ oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
++ oldctxt->nbentities += ctxt->nbentities;
+ ctxt->node_seq.maximum = 0;
+ ctxt->node_seq.length = 0;
+ ctxt->node_seq.buffer = NULL;
+@@ -11924,7 +11952,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
+ int size;
+ xmlParserErrors ret = XML_ERR_OK;
+
+- if (oldctxt->depth > 40) {
++ if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
+ return(XML_ERR_ENTITY_LOOP);
+ }
+
+@@ -12048,6 +12076,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
+ ctxt->myDoc->last = last;
+ }
+
++ oldctxt->nbentities += ctxt->nbentities;
+ ctxt->sax = oldsax;
+ ctxt->dict = NULL;
+ ctxt->attsDefault = NULL;
+@@ -13363,6 +13392,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+ ctxt->depth = 0;
+ ctxt->charset = XML_CHAR_ENCODING_UTF8;
+ ctxt->catalogs = NULL;
++ ctxt->nbentities = 0;
+ xmlInitNodeInfoSeq(&ctxt->node_seq);
+
+ if (ctxt->attsDefault != NULL) {
diff --git a/libxml2.spec b/libxml2.spec
index 243a8e6..c1bd018 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.6.32
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2-%{version}.tar.gz
@@ -9,6 +9,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python python-devel zlib-devel
 URL: http://xmlsoft.org/
 Patch0: libxml2-multilib.patch
+Patch1: libxml2-2.6.32.entities.patch
 %description
 This library allows to manipulate XML files. It includes support
@@ -67,6 +68,7 @@ at parse time or later once the document has been modified.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p0
 %build
 %configure
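Review bot: In the parser.c part of libxml2-2.6.32.entities.patch the entity budget is the bare literal `500000`, repeated in xmlStringLenDecodeEntities, xmlParseReference, xmlParseCtxtExternalEntity, xmlParseExternalEntityPrivate and xmlParseBalancedChunkMemoryInternal with nothing saying what it bounds (each of those bodies continues outside the hunk shown). One named constant would keep the five checks in step, for example `#define XML_PARSER_MAX_ENTITY_REFS 500000 /* entity references allowed per parser context */` (the name is only a suggestion), with each test written as `ctxt->nbentities >= XML_PARSER_MAX_ENTITY_REFS`. In xmlParseReference the counter is incremented before the `etype != XML_INTERNAL_PREDEFINED_ENTITY` test, so references to predefined entities such as amp and lt appear to count as well, and a large but legitimate document can end in a fatal XML_ERR_ENTITY_LOOP; that trade-off belongs in the comment. The limit also caps how many references are processed, not how much text they expand to, so callers handling untrusted XML still need their own input and output size limits. Separately, the `ctxt->lastError.code == XML_ERR_ENTITY_LOOP` test in xmlStringLenDecodeEntities only works while lastError still holds that code, which is worth confirming since any later error would presumably overwrite it.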
@@ -141,14 +143,18 @@ rm -fr %{buildroot}
 %doc doc/python.html
 %changelog
-* Fri May 30 2008 Daniel Veillard 2.6.31-3.fc10
+* Mon Aug 25 2008 Daniel Veillard 2.6.32-4.fc10
+- fix for entities recursion problem
+- Resolve: rhbz#459714
+
+* Fri May 30 2008 Daniel Veillard 2.6.32-3.fc10
 - cleanup based on Fedora packaging guidelines, should fix #226079
 - separate a -static package
-* Thu May 15 2008 Daniel Veillard 2.6.31-2.fc10
+* Thu May 15 2008 Daniel Veillard 2.6.32-2.fc10
 - try to fix multiarch problems like #440206
-* Tue Apr 8 2008 Daniel Veillard 2.6.31-1.fc9
+* Tue Apr 8 2008 Daniel Veillard 2.6.32-1.fc9
 - upstream release 2.6.32 see http://xmlsoft.org/news.html
 - many bug fixed upstream