153aa9179Sopenharmony_ciFrom c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001 253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de> 353aa9179Sopenharmony_ciDate: Thu, 25 Aug 2022 17:43:08 +0200 453aa9179Sopenharmony_ciSubject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE 553aa9179Sopenharmony_ci 653aa9179Sopenharmony_ciAlso impose size limits when XML_PARSE_HUGE is set. Limit size of names 753aa9179Sopenharmony_cito XML_MAX_TEXT_LENGTH (10 million bytes) and other content to 853aa9179Sopenharmony_ciXML_MAX_HUGE_LENGTH (1 billion bytes). 953aa9179Sopenharmony_ci 1053aa9179Sopenharmony_ciMove some the length checks to the end of the respective loop to make 1153aa9179Sopenharmony_cithem strict. 1253aa9179Sopenharmony_ci 1353aa9179Sopenharmony_cixmlParseEntityValue didn't have a length limitation at all. But without 1453aa9179Sopenharmony_ciXML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. 1553aa9179Sopenharmony_ci 1653aa9179Sopenharmony_ciThanks to Maddie Stone working with Google Project Zero for the report! 1753aa9179Sopenharmony_ci--- 1853aa9179Sopenharmony_ci parser.c | 233 +++++++++++++++++++++++++++++-------------------------- 1953aa9179Sopenharmony_ci 1 file changed, 121 insertions(+), 112 deletions(-) 2053aa9179Sopenharmony_ci 2153aa9179Sopenharmony_cidiff --git a/parser.c b/parser.c 2253aa9179Sopenharmony_ciindex 93f031be..79479979 100644 2353aa9179Sopenharmony_ci--- a/parser.c 2453aa9179Sopenharmony_ci+++ b/parser.c 2553aa9179Sopenharmony_ci@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); 2653aa9179Sopenharmony_ci * * 2753aa9179Sopenharmony_ci ************************************************************************/ 2853aa9179Sopenharmony_ci 2953aa9179Sopenharmony_ci+#define XML_MAX_HUGE_LENGTH 1000000000 3053aa9179Sopenharmony_ci+ 3153aa9179Sopenharmony_ci #define XML_PARSER_BIG_ENTITY 1000 3253aa9179Sopenharmony_ci #define XML_PARSER_LOT_ENTITY 5000 3353aa9179Sopenharmony_ci 3453aa9179Sopenharmony_ci@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) 3553aa9179Sopenharmony_ci errmsg = "Malformed declaration expecting version"; 3653aa9179Sopenharmony_ci break; 3753aa9179Sopenharmony_ci case XML_ERR_NAME_TOO_LONG: 3853aa9179Sopenharmony_ci- errmsg = "Name too long use XML_PARSE_HUGE option"; 3953aa9179Sopenharmony_ci+ errmsg = "Name too long"; 4053aa9179Sopenharmony_ci break; 4153aa9179Sopenharmony_ci #if 0 4253aa9179Sopenharmony_ci case: 4353aa9179Sopenharmony_ci@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { 4453aa9179Sopenharmony_ci int len = 0, l; 4553aa9179Sopenharmony_ci int c; 4653aa9179Sopenharmony_ci int count = 0; 4753aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 4853aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 4953aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 5053aa9179Sopenharmony_ci 5153aa9179Sopenharmony_ci #ifdef DEBUG 5253aa9179Sopenharmony_ci nbParseNameComplex++; 5353aa9179Sopenharmony_ci@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { 5453aa9179Sopenharmony_ci if (ctxt->instate == XML_PARSER_EOF) 5553aa9179Sopenharmony_ci return(NULL); 5653aa9179Sopenharmony_ci } 5753aa9179Sopenharmony_ci- len += l; 5853aa9179Sopenharmony_ci+ if (len <= INT_MAX - l) 5953aa9179Sopenharmony_ci+ len += l; 6053aa9179Sopenharmony_ci NEXTL(l); 6153aa9179Sopenharmony_ci c = CUR_CHAR(l); 6253aa9179Sopenharmony_ci } 6353aa9179Sopenharmony_ci@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { 6453aa9179Sopenharmony_ci if (ctxt->instate == XML_PARSER_EOF) 6553aa9179Sopenharmony_ci return(NULL); 6653aa9179Sopenharmony_ci } 6753aa9179Sopenharmony_ci- len += l; 6853aa9179Sopenharmony_ci+ if (len <= INT_MAX - l) 6953aa9179Sopenharmony_ci+ len += l; 7053aa9179Sopenharmony_ci NEXTL(l); 7153aa9179Sopenharmony_ci c = CUR_CHAR(l); 7253aa9179Sopenharmony_ci } 7353aa9179Sopenharmony_ci } 7453aa9179Sopenharmony_ci- if ((len > XML_MAX_NAME_LENGTH) && 7553aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 7653aa9179Sopenharmony_ci+ if (len > maxLength) { 7753aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); 7853aa9179Sopenharmony_ci return(NULL); 7953aa9179Sopenharmony_ci } 8053aa9179Sopenharmony_ci@@ -3338,7 +3344,10 @@ const xmlChar * 8153aa9179Sopenharmony_ci xmlParseName(xmlParserCtxtPtr ctxt) { 8253aa9179Sopenharmony_ci const xmlChar *in; 8353aa9179Sopenharmony_ci const xmlChar *ret; 8453aa9179Sopenharmony_ci- int count = 0; 8553aa9179Sopenharmony_ci+ size_t count = 0; 8653aa9179Sopenharmony_ci+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 8753aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 8853aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 8953aa9179Sopenharmony_ci 9053aa9179Sopenharmony_ci GROW; 9153aa9179Sopenharmony_ci 9253aa9179Sopenharmony_ci@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { 9353aa9179Sopenharmony_ci in++; 9453aa9179Sopenharmony_ci if ((*in > 0) && (*in < 0x80)) { 9553aa9179Sopenharmony_ci count = in - ctxt->input->cur; 9653aa9179Sopenharmony_ci- if ((count > XML_MAX_NAME_LENGTH) && 9753aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 9853aa9179Sopenharmony_ci+ if (count > maxLength) { 9953aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); 10053aa9179Sopenharmony_ci return(NULL); 10153aa9179Sopenharmony_ci } 10253aa9179Sopenharmony_ci@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { 10353aa9179Sopenharmony_ci int len = 0, l; 10453aa9179Sopenharmony_ci int c; 10553aa9179Sopenharmony_ci int count = 0; 10653aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 10753aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 10853aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 10953aa9179Sopenharmony_ci size_t startPosition = 0; 11053aa9179Sopenharmony_ci 11153aa9179Sopenharmony_ci #ifdef DEBUG 11253aa9179Sopenharmony_ci@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { 11353aa9179Sopenharmony_ci while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ 11453aa9179Sopenharmony_ci (xmlIsNameChar(ctxt, c) && (c != ':'))) { 11553aa9179Sopenharmony_ci if (count++ > XML_PARSER_CHUNK_SIZE) { 11653aa9179Sopenharmony_ci- if ((len > XML_MAX_NAME_LENGTH) && 11753aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 11853aa9179Sopenharmony_ci- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 11953aa9179Sopenharmony_ci- return(NULL); 12053aa9179Sopenharmony_ci- } 12153aa9179Sopenharmony_ci count = 0; 12253aa9179Sopenharmony_ci GROW; 12353aa9179Sopenharmony_ci if (ctxt->instate == XML_PARSER_EOF) 12453aa9179Sopenharmony_ci return(NULL); 12553aa9179Sopenharmony_ci } 12653aa9179Sopenharmony_ci- len += l; 12753aa9179Sopenharmony_ci+ if (len <= INT_MAX - l) 12853aa9179Sopenharmony_ci+ len += l; 12953aa9179Sopenharmony_ci NEXTL(l); 13053aa9179Sopenharmony_ci c = CUR_CHAR(l); 13153aa9179Sopenharmony_ci if (c == 0) { 13253aa9179Sopenharmony_ci@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { 13353aa9179Sopenharmony_ci c = CUR_CHAR(l); 13453aa9179Sopenharmony_ci } 13553aa9179Sopenharmony_ci } 13653aa9179Sopenharmony_ci- if ((len > XML_MAX_NAME_LENGTH) && 13753aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 13853aa9179Sopenharmony_ci+ if (len > maxLength) { 13953aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 14053aa9179Sopenharmony_ci return(NULL); 14153aa9179Sopenharmony_ci } 14253aa9179Sopenharmony_ci@@ -3459,7 +3465,10 @@ static const xmlChar * 14353aa9179Sopenharmony_ci xmlParseNCName(xmlParserCtxtPtr ctxt) { 14453aa9179Sopenharmony_ci const xmlChar *in, *e; 14553aa9179Sopenharmony_ci const xmlChar *ret; 14653aa9179Sopenharmony_ci- int count = 0; 14753aa9179Sopenharmony_ci+ size_t count = 0; 14853aa9179Sopenharmony_ci+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 14953aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 15053aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 15153aa9179Sopenharmony_ci 15253aa9179Sopenharmony_ci #ifdef DEBUG 15353aa9179Sopenharmony_ci nbParseNCName++; 15453aa9179Sopenharmony_ci@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { 15553aa9179Sopenharmony_ci goto complex; 15653aa9179Sopenharmony_ci if ((*in > 0) && (*in < 0x80)) { 15753aa9179Sopenharmony_ci count = in - ctxt->input->cur; 15853aa9179Sopenharmony_ci- if ((count > XML_MAX_NAME_LENGTH) && 15953aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 16053aa9179Sopenharmony_ci+ if (count > maxLength) { 16153aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 16253aa9179Sopenharmony_ci return(NULL); 16353aa9179Sopenharmony_ci } 16453aa9179Sopenharmony_ci@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { 16553aa9179Sopenharmony_ci const xmlChar *cur = *str; 16653aa9179Sopenharmony_ci int len = 0, l; 16753aa9179Sopenharmony_ci int c; 16853aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 16953aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 17053aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 17153aa9179Sopenharmony_ci 17253aa9179Sopenharmony_ci #ifdef DEBUG 17353aa9179Sopenharmony_ci nbParseStringName++; 17453aa9179Sopenharmony_ci@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { 17553aa9179Sopenharmony_ci if (len + 10 > max) { 17653aa9179Sopenharmony_ci xmlChar *tmp; 17753aa9179Sopenharmony_ci 17853aa9179Sopenharmony_ci- if ((len > XML_MAX_NAME_LENGTH) && 17953aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 18053aa9179Sopenharmony_ci- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 18153aa9179Sopenharmony_ci- xmlFree(buffer); 18253aa9179Sopenharmony_ci- return(NULL); 18353aa9179Sopenharmony_ci- } 18453aa9179Sopenharmony_ci max *= 2; 18553aa9179Sopenharmony_ci tmp = (xmlChar *) xmlRealloc(buffer, 18653aa9179Sopenharmony_ci max * sizeof(xmlChar)); 18753aa9179Sopenharmony_ci@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { 18853aa9179Sopenharmony_ci COPY_BUF(l,buffer,len,c); 18953aa9179Sopenharmony_ci cur += l; 19053aa9179Sopenharmony_ci c = CUR_SCHAR(cur, l); 19153aa9179Sopenharmony_ci+ if (len > maxLength) { 19253aa9179Sopenharmony_ci+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 19353aa9179Sopenharmony_ci+ xmlFree(buffer); 19453aa9179Sopenharmony_ci+ return(NULL); 19553aa9179Sopenharmony_ci+ } 19653aa9179Sopenharmony_ci } 19753aa9179Sopenharmony_ci buffer[len] = 0; 19853aa9179Sopenharmony_ci *str = cur; 19953aa9179Sopenharmony_ci return(buffer); 20053aa9179Sopenharmony_ci } 20153aa9179Sopenharmony_ci } 20253aa9179Sopenharmony_ci- if ((len > XML_MAX_NAME_LENGTH) && 20353aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 20453aa9179Sopenharmony_ci+ if (len > maxLength) { 20553aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); 20653aa9179Sopenharmony_ci return(NULL); 20753aa9179Sopenharmony_ci } 20853aa9179Sopenharmony_ci@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 20953aa9179Sopenharmony_ci int len = 0, l; 21053aa9179Sopenharmony_ci int c; 21153aa9179Sopenharmony_ci int count = 0; 21253aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 21353aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 21453aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 21553aa9179Sopenharmony_ci 21653aa9179Sopenharmony_ci #ifdef DEBUG 21753aa9179Sopenharmony_ci nbParseNmToken++; 21853aa9179Sopenharmony_ci@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 21953aa9179Sopenharmony_ci if (len + 10 > max) { 22053aa9179Sopenharmony_ci xmlChar *tmp; 22153aa9179Sopenharmony_ci 22253aa9179Sopenharmony_ci- if ((max > XML_MAX_NAME_LENGTH) && 22353aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 22453aa9179Sopenharmony_ci- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); 22553aa9179Sopenharmony_ci- xmlFree(buffer); 22653aa9179Sopenharmony_ci- return(NULL); 22753aa9179Sopenharmony_ci- } 22853aa9179Sopenharmony_ci max *= 2; 22953aa9179Sopenharmony_ci tmp = (xmlChar *) xmlRealloc(buffer, 23053aa9179Sopenharmony_ci max * sizeof(xmlChar)); 23153aa9179Sopenharmony_ci@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 23253aa9179Sopenharmony_ci COPY_BUF(l,buffer,len,c); 23353aa9179Sopenharmony_ci NEXTL(l); 23453aa9179Sopenharmony_ci c = CUR_CHAR(l); 23553aa9179Sopenharmony_ci+ if (len > maxLength) { 23653aa9179Sopenharmony_ci+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); 23753aa9179Sopenharmony_ci+ xmlFree(buffer); 23853aa9179Sopenharmony_ci+ return(NULL); 23953aa9179Sopenharmony_ci+ } 24053aa9179Sopenharmony_ci } 24153aa9179Sopenharmony_ci buffer[len] = 0; 24253aa9179Sopenharmony_ci return(buffer); 24353aa9179Sopenharmony_ci@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { 24453aa9179Sopenharmony_ci } 24553aa9179Sopenharmony_ci if (len == 0) 24653aa9179Sopenharmony_ci return(NULL); 24753aa9179Sopenharmony_ci- if ((len > XML_MAX_NAME_LENGTH) && 24853aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 24953aa9179Sopenharmony_ci+ if (len > maxLength) { 25053aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); 25153aa9179Sopenharmony_ci return(NULL); 25253aa9179Sopenharmony_ci } 25353aa9179Sopenharmony_ci@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { 25453aa9179Sopenharmony_ci int len = 0; 25553aa9179Sopenharmony_ci int size = XML_PARSER_BUFFER_SIZE; 25653aa9179Sopenharmony_ci int c, l; 25753aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 25853aa9179Sopenharmony_ci+ XML_MAX_HUGE_LENGTH : 25953aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH; 26053aa9179Sopenharmony_ci xmlChar stop; 26153aa9179Sopenharmony_ci xmlChar *ret = NULL; 26253aa9179Sopenharmony_ci const xmlChar *cur = NULL; 26353aa9179Sopenharmony_ci@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { 26453aa9179Sopenharmony_ci GROW; 26553aa9179Sopenharmony_ci c = CUR_CHAR(l); 26653aa9179Sopenharmony_ci } 26753aa9179Sopenharmony_ci+ 26853aa9179Sopenharmony_ci+ if (len > maxLength) { 26953aa9179Sopenharmony_ci+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, 27053aa9179Sopenharmony_ci+ "entity value too long\n"); 27153aa9179Sopenharmony_ci+ goto error; 27253aa9179Sopenharmony_ci+ } 27353aa9179Sopenharmony_ci } 27453aa9179Sopenharmony_ci buf[len] = 0; 27553aa9179Sopenharmony_ci if (ctxt->instate == XML_PARSER_EOF) 27653aa9179Sopenharmony_ci@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 27753aa9179Sopenharmony_ci xmlChar *rep = NULL; 27853aa9179Sopenharmony_ci size_t len = 0; 27953aa9179Sopenharmony_ci size_t buf_size = 0; 28053aa9179Sopenharmony_ci+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 28153aa9179Sopenharmony_ci+ XML_MAX_HUGE_LENGTH : 28253aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH; 28353aa9179Sopenharmony_ci int c, l, in_space = 0; 28453aa9179Sopenharmony_ci xmlChar *current = NULL; 28553aa9179Sopenharmony_ci xmlEntityPtr ent; 28653aa9179Sopenharmony_ci@@ -3936,16 +3958,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 28753aa9179Sopenharmony_ci while (((NXT(0) != limit) && /* checked */ 28853aa9179Sopenharmony_ci (IS_CHAR(c)) && (c != '<')) && 28953aa9179Sopenharmony_ci (ctxt->instate != XML_PARSER_EOF)) { 29053aa9179Sopenharmony_ci- /* 29153aa9179Sopenharmony_ci- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE 29253aa9179Sopenharmony_ci- * special option is given 29353aa9179Sopenharmony_ci- */ 29453aa9179Sopenharmony_ci- if ((len > XML_MAX_TEXT_LENGTH) && 29553aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 29653aa9179Sopenharmony_ci- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 29753aa9179Sopenharmony_ci- "AttValue length too long\n"); 29853aa9179Sopenharmony_ci- goto mem_error; 29953aa9179Sopenharmony_ci- } 30053aa9179Sopenharmony_ci if (c == '&') { 30153aa9179Sopenharmony_ci in_space = 0; 30253aa9179Sopenharmony_ci if (NXT(1) == '#') { 30353aa9179Sopenharmony_ci@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 30453aa9179Sopenharmony_ci } 30553aa9179Sopenharmony_ci GROW; 30653aa9179Sopenharmony_ci c = CUR_CHAR(l); 30753aa9179Sopenharmony_ci+ if (len > maxLength) { 30853aa9179Sopenharmony_ci+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 30953aa9179Sopenharmony_ci+ "AttValue length too long\n"); 31053aa9179Sopenharmony_ci+ goto mem_error; 31153aa9179Sopenharmony_ci+ } 31253aa9179Sopenharmony_ci } 31353aa9179Sopenharmony_ci if (ctxt->instate == XML_PARSER_EOF) 31453aa9179Sopenharmony_ci goto error; 31553aa9179Sopenharmony_ci@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 31653aa9179Sopenharmony_ci } else 31753aa9179Sopenharmony_ci NEXT; 31853aa9179Sopenharmony_ci 31953aa9179Sopenharmony_ci- /* 32053aa9179Sopenharmony_ci- * There we potentially risk an overflow, don't allow attribute value of 32153aa9179Sopenharmony_ci- * length more than INT_MAX it is a very reasonable assumption ! 32253aa9179Sopenharmony_ci- */ 32353aa9179Sopenharmony_ci- if (len >= INT_MAX) { 32453aa9179Sopenharmony_ci- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 32553aa9179Sopenharmony_ci- "AttValue length too long\n"); 32653aa9179Sopenharmony_ci- goto mem_error; 32753aa9179Sopenharmony_ci- } 32853aa9179Sopenharmony_ci- 32953aa9179Sopenharmony_ci if (attlen != NULL) *attlen = (int) len; 33053aa9179Sopenharmony_ci return(buf); 33153aa9179Sopenharmony_ci 33253aa9179Sopenharmony_ci@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { 33353aa9179Sopenharmony_ci int len = 0; 33453aa9179Sopenharmony_ci int size = XML_PARSER_BUFFER_SIZE; 33553aa9179Sopenharmony_ci int cur, l; 33653aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 33753aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 33853aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 33953aa9179Sopenharmony_ci xmlChar stop; 34053aa9179Sopenharmony_ci int state = ctxt->instate; 34153aa9179Sopenharmony_ci int count = 0; 34253aa9179Sopenharmony_ci@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { 34353aa9179Sopenharmony_ci if (len + 5 >= size) { 34453aa9179Sopenharmony_ci xmlChar *tmp; 34553aa9179Sopenharmony_ci 34653aa9179Sopenharmony_ci- if ((size > XML_MAX_NAME_LENGTH) && 34753aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 34853aa9179Sopenharmony_ci- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); 34953aa9179Sopenharmony_ci- xmlFree(buf); 35053aa9179Sopenharmony_ci- ctxt->instate = (xmlParserInputState) state; 35153aa9179Sopenharmony_ci- return(NULL); 35253aa9179Sopenharmony_ci- } 35353aa9179Sopenharmony_ci size *= 2; 35453aa9179Sopenharmony_ci tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); 35553aa9179Sopenharmony_ci if (tmp == NULL) { 35653aa9179Sopenharmony_ci@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { 35753aa9179Sopenharmony_ci SHRINK; 35853aa9179Sopenharmony_ci cur = CUR_CHAR(l); 35953aa9179Sopenharmony_ci } 36053aa9179Sopenharmony_ci+ if (len > maxLength) { 36153aa9179Sopenharmony_ci+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); 36253aa9179Sopenharmony_ci+ xmlFree(buf); 36353aa9179Sopenharmony_ci+ ctxt->instate = (xmlParserInputState) state; 36453aa9179Sopenharmony_ci+ return(NULL); 36553aa9179Sopenharmony_ci+ } 36653aa9179Sopenharmony_ci } 36753aa9179Sopenharmony_ci buf[len] = 0; 36853aa9179Sopenharmony_ci ctxt->instate = (xmlParserInputState) state; 36953aa9179Sopenharmony_ci@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { 37053aa9179Sopenharmony_ci xmlChar *buf = NULL; 37153aa9179Sopenharmony_ci int len = 0; 37253aa9179Sopenharmony_ci int size = XML_PARSER_BUFFER_SIZE; 37353aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 37453aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH : 37553aa9179Sopenharmony_ci+ XML_MAX_NAME_LENGTH; 37653aa9179Sopenharmony_ci xmlChar cur; 37753aa9179Sopenharmony_ci xmlChar stop; 37853aa9179Sopenharmony_ci int count = 0; 37953aa9179Sopenharmony_ci@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { 38053aa9179Sopenharmony_ci if (len + 1 >= size) { 38153aa9179Sopenharmony_ci xmlChar *tmp; 38253aa9179Sopenharmony_ci 38353aa9179Sopenharmony_ci- if ((size > XML_MAX_NAME_LENGTH) && 38453aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 38553aa9179Sopenharmony_ci- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); 38653aa9179Sopenharmony_ci- xmlFree(buf); 38753aa9179Sopenharmony_ci- return(NULL); 38853aa9179Sopenharmony_ci- } 38953aa9179Sopenharmony_ci size *= 2; 39053aa9179Sopenharmony_ci tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); 39153aa9179Sopenharmony_ci if (tmp == NULL) { 39253aa9179Sopenharmony_ci@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { 39353aa9179Sopenharmony_ci SHRINK; 39453aa9179Sopenharmony_ci cur = CUR; 39553aa9179Sopenharmony_ci } 39653aa9179Sopenharmony_ci+ if (len > maxLength) { 39753aa9179Sopenharmony_ci+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); 39853aa9179Sopenharmony_ci+ xmlFree(buf); 39953aa9179Sopenharmony_ci+ return(NULL); 40053aa9179Sopenharmony_ci+ } 40153aa9179Sopenharmony_ci } 40253aa9179Sopenharmony_ci buf[len] = 0; 40353aa9179Sopenharmony_ci if (cur != stop) { 40453aa9179Sopenharmony_ci@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, 40553aa9179Sopenharmony_ci int r, rl; 40653aa9179Sopenharmony_ci int cur, l; 40753aa9179Sopenharmony_ci size_t count = 0; 40853aa9179Sopenharmony_ci+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 40953aa9179Sopenharmony_ci+ XML_MAX_HUGE_LENGTH : 41053aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH; 41153aa9179Sopenharmony_ci int inputid; 41253aa9179Sopenharmony_ci 41353aa9179Sopenharmony_ci inputid = ctxt->input->id; 41453aa9179Sopenharmony_ci@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, 41553aa9179Sopenharmony_ci if ((r == '-') && (q == '-')) { 41653aa9179Sopenharmony_ci xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); 41753aa9179Sopenharmony_ci } 41853aa9179Sopenharmony_ci- if ((len > XML_MAX_TEXT_LENGTH) && 41953aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 42053aa9179Sopenharmony_ci- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, 42153aa9179Sopenharmony_ci- "Comment too big found", NULL); 42253aa9179Sopenharmony_ci- xmlFree (buf); 42353aa9179Sopenharmony_ci- return; 42453aa9179Sopenharmony_ci- } 42553aa9179Sopenharmony_ci if (len + 5 >= size) { 42653aa9179Sopenharmony_ci xmlChar *new_buf; 42753aa9179Sopenharmony_ci size_t new_size; 42853aa9179Sopenharmony_ci@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, 42953aa9179Sopenharmony_ci GROW; 43053aa9179Sopenharmony_ci cur = CUR_CHAR(l); 43153aa9179Sopenharmony_ci } 43253aa9179Sopenharmony_ci+ 43353aa9179Sopenharmony_ci+ if (len > maxLength) { 43453aa9179Sopenharmony_ci+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, 43553aa9179Sopenharmony_ci+ "Comment too big found", NULL); 43653aa9179Sopenharmony_ci+ xmlFree (buf); 43753aa9179Sopenharmony_ci+ return; 43853aa9179Sopenharmony_ci+ } 43953aa9179Sopenharmony_ci } 44053aa9179Sopenharmony_ci buf[len] = 0; 44153aa9179Sopenharmony_ci if (cur == 0) { 44253aa9179Sopenharmony_ci@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { 44353aa9179Sopenharmony_ci xmlChar *buf = NULL; 44453aa9179Sopenharmony_ci size_t size = XML_PARSER_BUFFER_SIZE; 44553aa9179Sopenharmony_ci size_t len = 0; 44653aa9179Sopenharmony_ci+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 44753aa9179Sopenharmony_ci+ XML_MAX_HUGE_LENGTH : 44853aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH; 44953aa9179Sopenharmony_ci xmlParserInputState state; 45053aa9179Sopenharmony_ci const xmlChar *in; 45153aa9179Sopenharmony_ci size_t nbchar = 0; 45253aa9179Sopenharmony_ci@@ -4958,8 +4975,7 @@ get_more: 45353aa9179Sopenharmony_ci buf[len] = 0; 45453aa9179Sopenharmony_ci } 45553aa9179Sopenharmony_ci } 45653aa9179Sopenharmony_ci- if ((len > XML_MAX_TEXT_LENGTH) && 45753aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 45853aa9179Sopenharmony_ci+ if (len > maxLength) { 45953aa9179Sopenharmony_ci xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, 46053aa9179Sopenharmony_ci "Comment too big found", NULL); 46153aa9179Sopenharmony_ci xmlFree (buf); 46253aa9179Sopenharmony_ci@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { 46353aa9179Sopenharmony_ci xmlChar *buf = NULL; 46453aa9179Sopenharmony_ci size_t len = 0; 46553aa9179Sopenharmony_ci size_t size = XML_PARSER_BUFFER_SIZE; 46653aa9179Sopenharmony_ci+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? 46753aa9179Sopenharmony_ci+ XML_MAX_HUGE_LENGTH : 46853aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH; 46953aa9179Sopenharmony_ci int cur, l; 47053aa9179Sopenharmony_ci const xmlChar *target; 47153aa9179Sopenharmony_ci xmlParserInputState state; 47253aa9179Sopenharmony_ci@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { 47353aa9179Sopenharmony_ci return; 47453aa9179Sopenharmony_ci } 47553aa9179Sopenharmony_ci count = 0; 47653aa9179Sopenharmony_ci- if ((len > XML_MAX_TEXT_LENGTH) && 47753aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 47853aa9179Sopenharmony_ci- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 47953aa9179Sopenharmony_ci- "PI %s too big found", target); 48053aa9179Sopenharmony_ci- xmlFree(buf); 48153aa9179Sopenharmony_ci- ctxt->instate = state; 48253aa9179Sopenharmony_ci- return; 48353aa9179Sopenharmony_ci- } 48453aa9179Sopenharmony_ci } 48553aa9179Sopenharmony_ci COPY_BUF(l,buf,len,cur); 48653aa9179Sopenharmony_ci NEXTL(l); 48753aa9179Sopenharmony_ci@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { 48853aa9179Sopenharmony_ci GROW; 48953aa9179Sopenharmony_ci cur = CUR_CHAR(l); 49053aa9179Sopenharmony_ci } 49153aa9179Sopenharmony_ci+ if (len > maxLength) { 49253aa9179Sopenharmony_ci+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 49353aa9179Sopenharmony_ci+ "PI %s too big found", target); 49453aa9179Sopenharmony_ci+ xmlFree(buf); 49553aa9179Sopenharmony_ci+ ctxt->instate = state; 49653aa9179Sopenharmony_ci+ return; 49753aa9179Sopenharmony_ci+ } 49853aa9179Sopenharmony_ci } 49953aa9179Sopenharmony_ci- if ((len > XML_MAX_TEXT_LENGTH) && 50053aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 50153aa9179Sopenharmony_ci- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 50253aa9179Sopenharmony_ci- "PI %s too big found", target); 50353aa9179Sopenharmony_ci- xmlFree(buf); 50453aa9179Sopenharmony_ci- ctxt->instate = state; 50553aa9179Sopenharmony_ci- return; 50653aa9179Sopenharmony_ci- } 50753aa9179Sopenharmony_ci buf[len] = 0; 50853aa9179Sopenharmony_ci if (cur != '?') { 50953aa9179Sopenharmony_ci xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, 51053aa9179Sopenharmony_ci@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 51153aa9179Sopenharmony_ci const xmlChar *in = NULL, *start, *end, *last; 51253aa9179Sopenharmony_ci xmlChar *ret = NULL; 51353aa9179Sopenharmony_ci int line, col; 51453aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 51553aa9179Sopenharmony_ci+ XML_MAX_HUGE_LENGTH : 51653aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH; 51753aa9179Sopenharmony_ci 51853aa9179Sopenharmony_ci GROW; 51953aa9179Sopenharmony_ci in = (xmlChar *) CUR_PTR; 52053aa9179Sopenharmony_ci@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 52153aa9179Sopenharmony_ci start = in; 52253aa9179Sopenharmony_ci if (in >= end) { 52353aa9179Sopenharmony_ci GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) 52453aa9179Sopenharmony_ci- if (((in - start) > XML_MAX_TEXT_LENGTH) && 52553aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 52653aa9179Sopenharmony_ci+ if ((in - start) > maxLength) { 52753aa9179Sopenharmony_ci xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 52853aa9179Sopenharmony_ci "AttValue length too long\n"); 52953aa9179Sopenharmony_ci return(NULL); 53053aa9179Sopenharmony_ci@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 53153aa9179Sopenharmony_ci if ((*in++ == 0x20) && (*in == 0x20)) break; 53253aa9179Sopenharmony_ci if (in >= end) { 53353aa9179Sopenharmony_ci GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) 53453aa9179Sopenharmony_ci- if (((in - start) > XML_MAX_TEXT_LENGTH) && 53553aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 53653aa9179Sopenharmony_ci+ if ((in - start) > maxLength) { 53753aa9179Sopenharmony_ci xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 53853aa9179Sopenharmony_ci "AttValue length too long\n"); 53953aa9179Sopenharmony_ci return(NULL); 54053aa9179Sopenharmony_ci@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 54153aa9179Sopenharmony_ci last = last + delta; 54253aa9179Sopenharmony_ci } 54353aa9179Sopenharmony_ci end = ctxt->input->end; 54453aa9179Sopenharmony_ci- if (((in - start) > XML_MAX_TEXT_LENGTH) && 54553aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 54653aa9179Sopenharmony_ci+ if ((in - start) > maxLength) { 54753aa9179Sopenharmony_ci xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 54853aa9179Sopenharmony_ci "AttValue length too long\n"); 54953aa9179Sopenharmony_ci return(NULL); 55053aa9179Sopenharmony_ci } 55153aa9179Sopenharmony_ci } 55253aa9179Sopenharmony_ci } 55353aa9179Sopenharmony_ci- if (((in - start) > XML_MAX_TEXT_LENGTH) && 55453aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 55553aa9179Sopenharmony_ci+ if ((in - start) > maxLength) { 55653aa9179Sopenharmony_ci xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 55753aa9179Sopenharmony_ci "AttValue length too long\n"); 55853aa9179Sopenharmony_ci return(NULL); 55953aa9179Sopenharmony_ci@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 56053aa9179Sopenharmony_ci col++; 56153aa9179Sopenharmony_ci if (in >= end) { 56253aa9179Sopenharmony_ci GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) 56353aa9179Sopenharmony_ci- if (((in - start) > XML_MAX_TEXT_LENGTH) && 56453aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 56553aa9179Sopenharmony_ci+ if ((in - start) > maxLength) { 56653aa9179Sopenharmony_ci xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 56753aa9179Sopenharmony_ci "AttValue length too long\n"); 56853aa9179Sopenharmony_ci return(NULL); 56953aa9179Sopenharmony_ci@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, 57053aa9179Sopenharmony_ci } 57153aa9179Sopenharmony_ci } 57253aa9179Sopenharmony_ci last = in; 57353aa9179Sopenharmony_ci- if (((in - start) > XML_MAX_TEXT_LENGTH) && 57453aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 57553aa9179Sopenharmony_ci+ if ((in - start) > maxLength) { 57653aa9179Sopenharmony_ci xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, 57753aa9179Sopenharmony_ci "AttValue length too long\n"); 57853aa9179Sopenharmony_ci return(NULL); 57953aa9179Sopenharmony_ci@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { 58053aa9179Sopenharmony_ci int s, sl; 58153aa9179Sopenharmony_ci int cur, l; 58253aa9179Sopenharmony_ci int count = 0; 58353aa9179Sopenharmony_ci+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 58453aa9179Sopenharmony_ci+ XML_MAX_HUGE_LENGTH : 58553aa9179Sopenharmony_ci+ XML_MAX_TEXT_LENGTH; 58653aa9179Sopenharmony_ci 58753aa9179Sopenharmony_ci /* Check 2.6.0 was NXT(0) not RAW */ 58853aa9179Sopenharmony_ci if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { 58953aa9179Sopenharmony_ci@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { 59053aa9179Sopenharmony_ci if (len + 5 >= size) { 59153aa9179Sopenharmony_ci xmlChar *tmp; 59253aa9179Sopenharmony_ci 59353aa9179Sopenharmony_ci- if ((size > XML_MAX_TEXT_LENGTH) && 59453aa9179Sopenharmony_ci- ((ctxt->options & XML_PARSE_HUGE) == 0)) { 59553aa9179Sopenharmony_ci- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, 59653aa9179Sopenharmony_ci- "CData section too big found", NULL); 59753aa9179Sopenharmony_ci- xmlFree (buf); 59853aa9179Sopenharmony_ci- return; 59953aa9179Sopenharmony_ci- } 60053aa9179Sopenharmony_ci tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); 60153aa9179Sopenharmony_ci if (tmp == NULL) { 60253aa9179Sopenharmony_ci xmlFree(buf); 60353aa9179Sopenharmony_ci@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { 60453aa9179Sopenharmony_ci } 60553aa9179Sopenharmony_ci NEXTL(l); 60653aa9179Sopenharmony_ci cur = CUR_CHAR(l); 60753aa9179Sopenharmony_ci+ if (len > maxLength) { 60853aa9179Sopenharmony_ci+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, 60953aa9179Sopenharmony_ci+ "CData section too big found\n"); 61053aa9179Sopenharmony_ci+ xmlFree(buf); 61153aa9179Sopenharmony_ci+ return; 61253aa9179Sopenharmony_ci+ } 61353aa9179Sopenharmony_ci } 61453aa9179Sopenharmony_ci buf[len] = 0; 61553aa9179Sopenharmony_ci ctxt->instate = XML_PARSER_CONTENT; 61653aa9179Sopenharmony_ci-- 61753aa9179Sopenharmony_ci2.27.0 61853aa9179Sopenharmony_ci 619