Changeset 16778 in vbox for trunk/src/libs

Timestamp:

Feb 16, 2009 10:04:16 AM (16 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

42849

Message:

libxml2: some fixes from upstream

Location:

trunk/src/libs/libxml2-2.6.30

Files:

• SAX2.c (modified) (4 diffs)
• include/libxml/parser.h (modified) (1 diff)
• parser.c (modified) (20 diffs)
• parserInternals.c (modified) (1 diff)
• tree.c (modified) (2 diffs)

trunk/src/libs/libxml2-2.6.30/SAX2.c

@@ -12 +12 @@
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <libxml/xmlmemory.h>
 #include <libxml/tree.h>
@@ -26 +27 @@
 #include <libxml/HTMLtree.h>
 #include <libxml/globals.h>
+
+/* Define SIZE_T_MAX unless defined through <limits.h>. */
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX     ((size_t)-1)
+#endif /* !SIZE_T_MAX */
 
 /* #define DEBUG_SAX2 */
@@ -581 +587 @@
         }
         ret->owner = 1;
-        ret->checked = 1;
+        if (ret->checked == 0)
+            ret->checked = 1;
     }
     return(ret);
@@ -2444 +2451 @@
                 lastChild->content = xmlStrdup(lastChild->content);
             }
+            if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
+                (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
+                xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+                return;
+            }
             if (ctxt->nodelen + len >= ctxt->nodemem) {
                 xmlChar *newbuf;
-                int size;
+                size_t size;
 
                 size = ctxt->nodemem + len;

trunk/src/libs/libxml2-2.6.30/include/libxml/parser.h

@@ -298 +298 @@
     xmlError          lastError;
     xmlParserMode     parseMode;    /* the parser mode */
+    unsigned long     nbentities;    /* number of entities references */
 };
 

trunk/src/libs/libxml2-2.6.30/parser.c

@@ -2181 +2181 @@
     last = str + len;
 
-    if (ctxt->depth > 40) {
+    if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
         xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
         return(NULL);
@@ -2219 +2219 @@
                         str);
             ent = xmlParseStringEntityRef(ctxt, &str);
+            if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+                goto int_error;
+            ctxt->nbentities++;
+            if (ent != NULL)
+                ctxt->nbentities += ent->checked;
             if ((ent != NULL) &&
                 (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
@@ -2265 +2270 @@
                         "String decoding PE Reference: %.30s\n", str);
             ent = xmlParseStringPEReference(ctxt, &str);
+            if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+                goto int_error;
+            ctxt->nbentities++;
+            if (ent != NULL)
+                ctxt->nbentities += ent->checked;
             if (ent != NULL) {
                 xmlChar *rep;
@@ -2301 +2311 @@
 mem_error:
     xmlErrMemory(ctxt, NULL);
+int_error:
+    if (buffer != NULL)
+        xmlFree(buffer);
     return(NULL);
 }
@@ -3110 +3123 @@
             } else {
                 ent = xmlParseEntityRef(ctxt);
+                ctxt->nbentities++;
+                if (ent != NULL)
+                    ctxt->nbentities += ent->checked;
                 if ((ent != NULL) &&
                     (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
@@ -3584 +3600 @@
                     col = ctxt->input->col;
                 }
+                /* something really bad happened in the SAX callback */
+                if (ctxt->instate != XML_PARSER_CONTENT)
+                    return;
             }
             ctxt->input->cur = in;
@@ -3664 +3683 @@
             }
             nbchar = 0;
+            /* something really bad happened in the SAX callback */
+            if (ctxt->instate != XML_PARSER_CONTENT)
+                return;
         }
         count++;
@@ -4392 +4414 @@
     xmlChar *orig = NULL;
     int skipped;
+    unsigned long oldnbent = ctxt->nbentities;
     
     /* GROW; done in the caller */
@@ -4601 +4624 @@
             }
             if (cur != NULL) {
+                cur->checked = ctxt->nbentities - oldnbent;
                 if (cur->orig != NULL)
                     xmlFree(orig);
@@ -5979 +6003 @@
         if (!ctxt->wellFormed)
             return;
+        ctxt->nbentities++;
+        if (ctxt->nbentities >= 500000) {
+            xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+            return;
+        }
         was_checked = ent->checked;
         if ((ent->name != NULL) && 
@@ -6039 +6068 @@
                     }
                 } else {
+                    unsigned long oldnbent = ctxt->nbentities;
                     /*
                      * 4.3.2: An internal general parsed entity is well-formed
@@ -6073 +6103 @@
                                      "invalid entity type found\n", NULL);
                     }
+                    ent->checked = ctxt->nbentities - oldnbent;
                     if (ret == XML_ERR_ENTITY_LOOP) {
                         xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
@@ -6129 +6160 @@
                     }
                 }
-                ent->checked = 1;
+                if (ent->checked == 0)
+                    ent->checked = 1;
             }
+            ctxt->nbentities += ent->checked;
 
             if (ent->children == NULL) {
@@ -6139 +6172 @@
                  * content to generate callbacks associated to the entity
                  */
-                if (was_checked == 1) {
+                if (was_checked != 0) {
                     void *user_data;
                     /*
@@ -11154 +11187 @@
     if (ctx == NULL) return(-1);
 
-    if (ctx->depth > 40) {
+    if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
         return(XML_ERR_ENTITY_LOOP);
     }
@@ -11355 +11388 @@
     xmlCharEncoding enc;
 
-    if (depth > 40) {
+    if ((depth > 40) ||
+        ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
         return(XML_ERR_ENTITY_LOOP);
     }
@@ -11498 +11532 @@
     oldctxt->node_seq.length = ctxt->node_seq.length;
     oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
+    oldctxt->nbentities += ctxt->nbentities;
     ctxt->node_seq.maximum = 0;
     ctxt->node_seq.length = 0;
@@ -11598 +11633 @@
     xmlParserErrors ret = XML_ERR_OK;
 
-    if (oldctxt->depth > 40) {
+    if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
         return(XML_ERR_ENTITY_LOOP);
     }
@@ -11721 +11756 @@
         ctxt->myDoc->last = last;
     }
-        
+
+    oldctxt->nbentities += ctxt->nbentities;    
     ctxt->sax = oldsax;
     ctxt->dict = NULL;
@@ -13033 +13069 @@
     ctxt->charset = XML_CHAR_ENCODING_UTF8;
     ctxt->catalogs = NULL;
+    ctxt->nbentities = 0;
     xmlInitNodeInfoSeq(&ctxt->node_seq);
 

trunk/src/libs/libxml2-2.6.30/parserInternals.c

@@ -1658 +1658 @@
     ctxt->charset = XML_CHAR_ENCODING_UTF8;
     ctxt->catalogs = NULL;
+    ctxt->nbentities = 0;
     xmlInitNodeInfoSeq(&ctxt->node_seq);
     return(0);

trunk/src/libs/libxml2-2.6.30/tree.c

@@ -15 +15 @@
 
 #include <string.h> /* for memset() only ! */
-
+#include <limits.h>
 #ifdef HAVE_CTYPE_H
 #include <ctype.h>
@@ -6899 +6899 @@
         /*take care of empty case*/
         newSize = (buf->size ? buf->size*2 : size + 10);
-        while (size > newSize) newSize *= 2;
+        while (size > newSize) {
+            if (newSize > UINT_MAX / 2) {
+                xmlTreeErrMemory("growing buffer");
+                return 0;
+            }
+            newSize *= 2;
+        }
         break;
     case XML_BUFFER_ALLOC_EXACT: