1From 15050f59d2a62b97b34e9cab8b8076a68ef003bd Mon Sep 17 00:00:00 2001 2From: Nick Wellnhofer <wellnhofer@aevum.de> 3Date: Thu, 25 Aug 2022 17:43:08 +0200 4Subject: [PATCH] CVE-2022-40303 5 6Fix integer overflows with XML_PARSE_HUGE 7 8Also impose size limits when XML_PARSE_HUGE is set. Limit size of names 9to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to 10XML_MAX_HUGE_LENGTH (1 billion bytes). 11 12Move some the length checks to the end of the respective loop to make 13them strict. 14 15xmlParseEntityValue didn't have a length limitation at all. But without 16XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. 17 18Thanks to Maddie Stone working with Google Project Zero for the report! 19 20Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0] 21CVE: CVE-2022-40303 22Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> 23--- 24 parser.c | 233 +++++++++++++++++++++++++++++-------------------------- 25 1 file changed, 121 insertions(+), 112 deletions(-) 26 27diff --git a/parser.c b/parser.c 28index 1bc3713..0f76577 100644 29--- a/parser.c 30+++ b/parser.c 31@@ -115,6 +115,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); 32 * * 33 ************************************************************************/ 34 35+#define XML_MAX_HUGE_LENGTH 1000000000 36+ 37 #define XML_PARSER_BIG_ENTITY 1000 38 #define XML_PARSER_LOT_ENTITY 5000 39 40@@ -565,7 +567,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) 41 errmsg = "Malformed declaration expecting version"; 42 break; 43 case XML_ERR_NAME_TOO_LONG: 44- errmsg = "Name too long use XML_PARSE_HUGE option"; 45+ errmsg = "Name too long"; 46 break; 47 #if 0 48 case: 49@@ -3210,6 +3212,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { 50 int len = 0, l; 51 int c; 52 int count = 0; 53+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 54+ XML_MAX_TEXT_LENGTH : 55+ XML_MAX_NAME_LENGTH; 56 57 #ifdef DEBUG 58 nbParseNameComplex++; 59@@ -3275,7 +3280,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { 60 if (ctxt->instate == XML_PARSER_EOF) 61 return(NULL); 62 } 63- len += l; 64+ if (len <= INT_MAX - l) 65+ len += l; 66 NEXTL(l); 67 c = CUR_CHAR(l); 68 } 69@@ -3301,13 +3307,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { 70 if (ctxt->instate == XML_PARSER_EOF) 71 return(NULL); 72 } 73- len += l; 74+ if (len <= INT_MAX - l) 75+ len += l; 76 NEXTL(l); 77 c = CUR_CHAR(l); 78 } 79 } 80- if ((len > XML_MAX_NAME_LENGTH) && 81- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 82+ if (len > maxLength) { 83 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); 84 return(NULL); 85 } 86@@ -3346,7 +3352,10 @@ const xmlChar * 87 xmlParseName(xmlParserCtxtPtr ctxt) { 88 const xmlChar *in; 89 const xmlChar *ret; 90- int count = 0; 91+ size_t count = 0; 92+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 93+ XML_MAX_TEXT_LENGTH : 94+ XML_MAX_NAME_LENGTH; 95 96 GROW; 97 98@@ -3370,8 +3379,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { 99 in++; 100 if ((*in > 0) && (*in < 0x80)) { 101 count = in - ctxt->input->cur; 102- if ((count > XML_MAX_NAME_LENGTH) && 103- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 104+ if (count > maxLength) { 105 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); 106 return(NULL); 107 } 108@@ -3392,6 +3400,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { 109 int len = 0, l; 110 int c; 111 int count = 0; 112+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 113+ XML_MAX_TEXT_LENGTH : 114+ XML_MAX_NAME_LENGTH; 115 size_t startPosition = 0; 116 117 #ifdef DEBUG 118@@ -3412,17 +3423,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { 119 while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ 120 (xmlIsNameChar(ctxt, c) && (c != ':'))) { 121 if (count++ > XML_PARSER_CHUNK_SIZE) { 122- if ((len > XML_MAX_NAME_LENGTH) && 123- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 124- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 125- return(NULL); 126- } 127 count = 0; 128 GROW; 129 if (ctxt->instate == XML_PARSER_EOF) 130 return(NULL); 131 } 132- len += l; 133+ if (len <= INT_MAX - l) 134+ len += l; 135 NEXTL(l); 136 c = CUR_CHAR(l); 137 if (c == 0) { 138@@ -3440,8 +3447,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { 139 c = CUR_CHAR(l); 140 } 141 } 142- if ((len > XML_MAX_NAME_LENGTH) && 143- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 144+ if (len > maxLength) { 145 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 146 return(NULL); 147 } 148@@ -3467,7 +3473,10 @@ static const xmlChar * 149 xmlParseNCName(xmlParserCtxtPtr ctxt) { 150 const xmlChar *in, *e; 151 const xmlChar *ret; 152- int count = 0; 153+ size_t count = 0; 154+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 155+ XML_MAX_TEXT_LENGTH : 156+ XML_MAX_NAME_LENGTH; 157 158 #ifdef DEBUG 159 nbParseNCName++; 160@@ -3492,8 +3501,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { 161 goto complex; 162 if ((*in > 0) && (*in < 0x80)) { 163 count = in - ctxt->input->cur; 164- if ((count > XML_MAX_NAME_LENGTH) && 165- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 166+ if (count > maxLength) { 167 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 168 return(NULL); 169 } 170@@ -3575,6 +3583,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { 171 const xmlChar *cur = *str; 172 int len = 0, l; 173 int c; 174+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 175+ XML_MAX_TEXT_LENGTH : 176+ XML_MAX_NAME_LENGTH; 177 178 #ifdef DEBUG 179 nbParseStringName++; 180@@ -3610,12 +3621,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { 181 if (len + 10 > max) { 182 xmlChar *tmp; 183 184- if ((len > XML_MAX_NAME_LENGTH) && 185- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 186- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 187- xmlFree(buffer); 188- return(NULL); 189- } 190 max *= 2; 191 tmp = (xmlChar *) xmlRealloc(buffer, 192 max * sizeof(xmlChar)); 193@@ -3629,14 +3634,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { 194 COPY_BUF(l,buffer,len,c); 195 cur += l; 196 c = CUR_SCHAR(cur, l); 197+ if (len > maxLength) { 198+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 199+ xmlFree(buffer); 200+ return(NULL); 201+ } 202 } 203 buffer[len] = 0; 204 *str = cur; 205 return(buffer); 206 } 207 } 208- if ((len > XML_MAX_NAME_LENGTH) && 209- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 210+ if (len > maxLength) { 211 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 212 return(NULL); 213 } 214@@ -3663,6 +3672,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 215 int len = 0, l; 216 int c; 217 int count = 0; 218+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 219+ XML_MAX_TEXT_LENGTH : 220+ XML_MAX_NAME_LENGTH; 221 222 #ifdef DEBUG 223 nbParseNmToken++; 224@@ -3714,12 +3726,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 225 if (len + 10 > max) { 226 xmlChar *tmp; 227 228- if ((max > XML_MAX_NAME_LENGTH) && 229- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 230- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); 231- xmlFree(buffer); 232- return(NULL); 233- } 234 max *= 2; 235 tmp = (xmlChar *) xmlRealloc(buffer, 236 max * sizeof(xmlChar)); 237@@ -3733,6 +3739,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 238 COPY_BUF(l,buffer,len,c); 239 NEXTL(l); 240 c = CUR_CHAR(l); 241+ if (len > maxLength) { 242+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); 243+ xmlFree(buffer); 244+ return(NULL); 245+ } 246 } 247 buffer[len] = 0; 248 return(buffer); 249@@ -3740,8 +3751,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 250 } 251 if (len == 0) 252 return(NULL); 253- if ((len > XML_MAX_NAME_LENGTH) && 254- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 255+ if (len > maxLength) { 256 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); 257 return(NULL); 258 } 259@@ -3767,6 +3777,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { 260 int len = 0; 261 int size = XML_PARSER_BUFFER_SIZE; 262 int c, l; 263+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 264+ XML_MAX_HUGE_LENGTH : 265+ XML_MAX_TEXT_LENGTH; 266 xmlChar stop; 267 xmlChar *ret = NULL; 268 const xmlChar *cur = NULL; 269@@ -3826,6 +3839,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { 270 GROW; 271 c = CUR_CHAR(l); 272 } 273+ 274+ if (len > maxLength) { 275+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, 276+ "entity value too long\n"); 277+ goto error; 278+ } 279 } 280 buf[len] = 0; 281 if (ctxt->instate == XML_PARSER_EOF) 282@@ -3913,6 +3932,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 283 xmlChar *rep = NULL; 284 size_t len = 0; 285 size_t buf_size = 0; 286+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 287+ XML_MAX_HUGE_LENGTH : 288+ XML_MAX_TEXT_LENGTH; 289 int c, l, in_space = 0; 290 xmlChar *current = NULL; 291 xmlEntityPtr ent; 292@@ -3944,16 +3966,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 293 while (((NXT(0) != limit) && /* checked */ 294 (IS_CHAR(c)) && (c != '<')) && 295 (ctxt->instate != XML_PARSER_EOF)) { 296- /* 297- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE 298- * special option is given 299- */ 300- if ((len > XML_MAX_TEXT_LENGTH) && 301- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 302- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 303- "AttValue length too long\n"); 304- goto mem_error; 305- } 306 if (c == '&') { 307 in_space = 0; 308 if (NXT(1) == '#') { 309@@ -4101,6 +4113,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 310 } 311 GROW; 312 c = CUR_CHAR(l); 313+ if (len > maxLength) { 314+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 315+ "AttValue length too long\n"); 316+ goto mem_error; 317+ } 318 } 319 if (ctxt->instate == XML_PARSER_EOF) 320 goto error; 321@@ -4122,16 +4139,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 322 } else 323 NEXT; 324 325- /* 326- * There we potentially risk an overflow, don't allow attribute value of 327- * length more than INT_MAX it is a very reasonable assumption ! 328- */ 329- if (len >= INT_MAX) { 330- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 331- "AttValue length too long\n"); 332- goto mem_error; 333- } 334- 335 if (attlen != NULL) *attlen = (int) len; 336 return(buf); 337 338@@ -4202,6 +4209,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { 339 int len = 0; 340 int size = XML_PARSER_BUFFER_SIZE; 341 int cur, l; 342+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 343+ XML_MAX_TEXT_LENGTH : 344+ XML_MAX_NAME_LENGTH; 345 xmlChar stop; 346 int state = ctxt->instate; 347 int count = 0; 348@@ -4229,13 +4239,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { 349 if (len + 5 >= size) { 350 xmlChar *tmp; 351 352- if ((size > XML_MAX_NAME_LENGTH) && 353- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 354- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); 355- xmlFree(buf); 356- ctxt->instate = (xmlParserInputState) state; 357- return(NULL); 358- } 359 size *= 2; 360 tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); 361 if (tmp == NULL) { 362@@ -4264,6 +4267,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { 363 SHRINK; 364 cur = CUR_CHAR(l); 365 } 366+ if (len > maxLength) { 367+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); 368+ xmlFree(buf); 369+ ctxt->instate = (xmlParserInputState) state; 370+ return(NULL); 371+ } 372 } 373 buf[len] = 0; 374 ctxt->instate = (xmlParserInputState) state; 375@@ -4291,6 +4300,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { 376 xmlChar *buf = NULL; 377 int len = 0; 378 int size = XML_PARSER_BUFFER_SIZE; 379+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 380+ XML_MAX_TEXT_LENGTH : 381+ XML_MAX_NAME_LENGTH; 382 xmlChar cur; 383 xmlChar stop; 384 int count = 0; 385@@ -4318,12 +4330,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { 386 if (len + 1 >= size) { 387 xmlChar *tmp; 388 389- if ((size > XML_MAX_NAME_LENGTH) && 390- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 391- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); 392- xmlFree(buf); 393- return(NULL); 394- } 395 size *= 2; 396 tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); 397 if (tmp == NULL) { 398@@ -4351,6 +4357,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { 399 SHRINK; 400 cur = CUR; 401 } 402+ if (len > maxLength) { 403+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); 404+ xmlFree(buf); 405+ return(NULL); 406+ } 407 } 408 buf[len] = 0; 409 if (cur != stop) { 410@@ -4750,6 +4761,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, 411 int r, rl; 412 int cur, l; 413 size_t count = 0; 414+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 415+ XML_MAX_HUGE_LENGTH : 416+ XML_MAX_TEXT_LENGTH; 417 int inputid; 418 419 inputid = ctxt->input->id; 420@@ -4795,13 +4809,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, 421 if ((r == '-') && (q == '-')) { 422 xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); 423 } 424- if ((len > XML_MAX_TEXT_LENGTH) && 425- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 426- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, 427- "Comment too big found", NULL); 428- xmlFree (buf); 429- return; 430- } 431 if (len + 5 >= size) { 432 xmlChar *new_buf; 433 size_t new_size; 434@@ -4839,6 +4846,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, 435 GROW; 436 cur = CUR_CHAR(l); 437 } 438+ 439+ if (len > maxLength) { 440+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, 441+ "Comment too big found", NULL); 442+ xmlFree (buf); 443+ return; 444+ } 445 } 446 buf[len] = 0; 447 if (cur == 0) { 448@@ -4883,6 +4897,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { 449 xmlChar *buf = NULL; 450 size_t size = XML_PARSER_BUFFER_SIZE; 451 size_t len = 0; 452+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 453+ XML_MAX_HUGE_LENGTH : 454+ XML_MAX_TEXT_LENGTH; 455 xmlParserInputState state; 456 const xmlChar *in; 457 size_t nbchar = 0; 458@@ -4966,8 +4983,7 @@ get_more: 459 buf[len] = 0; 460 } 461 } 462- if ((len > XML_MAX_TEXT_LENGTH) && 463- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 464+ if (len > maxLength) { 465 xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, 466 "Comment too big found", NULL); 467 xmlFree (buf); 468@@ -5167,6 +5183,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { 469 xmlChar *buf = NULL; 470 size_t len = 0; 471 size_t size = XML_PARSER_BUFFER_SIZE; 472+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 473+ XML_MAX_HUGE_LENGTH : 474+ XML_MAX_TEXT_LENGTH; 475 int cur, l; 476 const xmlChar *target; 477 xmlParserInputState state; 478@@ -5242,14 +5261,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { 479 return; 480 } 481 count = 0; 482- if ((len > XML_MAX_TEXT_LENGTH) && 483- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 484- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 485- "PI %s too big found", target); 486- xmlFree(buf); 487- ctxt->instate = state; 488- return; 489- } 490 } 491 COPY_BUF(l,buf,len,cur); 492 NEXTL(l); 493@@ -5259,15 +5270,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { 494 GROW; 495 cur = CUR_CHAR(l); 496 } 497+ if (len > maxLength) { 498+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 499+ "PI %s too big found", target); 500+ xmlFree(buf); 501+ ctxt->instate = state; 502+ return; 503+ } 504 } 505- if ((len > XML_MAX_TEXT_LENGTH) && 506- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 507- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 508- "PI %s too big found", target); 509- xmlFree(buf); 510- ctxt->instate = state; 511- return; 512- } 513 buf[len] = 0; 514 if (cur != '?') { 515 xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 516@@ -8959,6 +8969,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 517 const xmlChar *in = NULL, *start, *end, *last; 518 xmlChar *ret = NULL; 519 int line, col; 520+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 521+ XML_MAX_HUGE_LENGTH : 522+ XML_MAX_TEXT_LENGTH; 523 524 GROW; 525 in = (xmlChar *) CUR_PTR; 526@@ -8998,8 +9011,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 527 start = in; 528 if (in >= end) { 529 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) 530- if (((in - start) > XML_MAX_TEXT_LENGTH) && 531- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 532+ if ((in - start) > maxLength) { 533 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 534 "AttValue length too long\n"); 535 return(NULL); 536@@ -9012,8 +9024,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 537 if ((*in++ == 0x20) && (*in == 0x20)) break; 538 if (in >= end) { 539 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) 540- if (((in - start) > XML_MAX_TEXT_LENGTH) && 541- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 542+ if ((in - start) > maxLength) { 543 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 544 "AttValue length too long\n"); 545 return(NULL); 546@@ -9046,16 +9057,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 547 last = last + delta; 548 } 549 end = ctxt->input->end; 550- if (((in - start) > XML_MAX_TEXT_LENGTH) && 551- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 552+ if ((in - start) > maxLength) { 553 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 554 "AttValue length too long\n"); 555 return(NULL); 556 } 557 } 558 } 559- if (((in - start) > XML_MAX_TEXT_LENGTH) && 560- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 561+ if ((in - start) > maxLength) { 562 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 563 "AttValue length too long\n"); 564 return(NULL); 565@@ -9068,8 +9077,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 566 col++; 567 if (in >= end) { 568 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) 569- if (((in - start) > XML_MAX_TEXT_LENGTH) && 570- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 571+ if ((in - start) > maxLength) { 572 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 573 "AttValue length too long\n"); 574 return(NULL); 575@@ -9077,8 +9085,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 576 } 577 } 578 last = in; 579- if (((in - start) > XML_MAX_TEXT_LENGTH) && 580- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 581+ if ((in - start) > maxLength) { 582 xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 583 "AttValue length too long\n"); 584 return(NULL); 585@@ -9768,6 +9775,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { 586 int s, sl; 587 int cur, l; 588 int count = 0; 589+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 590+ XML_MAX_HUGE_LENGTH : 591+ XML_MAX_TEXT_LENGTH; 592 593 /* Check 2.6.0 was NXT(0) not RAW */ 594 if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { 595@@ -9801,13 +9811,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { 596 if (len + 5 >= size) { 597 xmlChar *tmp; 598 599- if ((size > XML_MAX_TEXT_LENGTH) && 600- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 601- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, 602- "CData section too big found", NULL); 603- xmlFree (buf); 604- return; 605- } 606 tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); 607 if (tmp == NULL) { 608 xmlFree(buf); 609@@ -9834,6 +9837,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { 610 } 611 NEXTL(l); 612 cur = CUR_CHAR(l); 613+ if (len > maxLength) { 614+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, 615+ "CData section too big found\n"); 616+ xmlFree(buf); 617+ return; 618+ } 619 } 620 buf[len] = 0; 621 ctxt->instate = XML_PARSER_CONTENT; 622-- 6232.25.1 624 625