1From 077df27eb1bdc2a3268f7596415fd91db76d29d4 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Thu, 22 Dec 2022 15:22:01 +0100
4Subject: [PATCH] parser: Fix integer overflow of input ID
5
6Applies a patch from Chromium. Also stop incrementing input ID of
7subcontexts. This isn't necessary.
8
9Fixes #465.
10
11Reference:https://github.com/GNOME/libxml2/commit/077df27eb1bdc2a3268f7596415fd91db76d29d4
12Conflict:NA
13---
14 parser.c          | 8 ++------
15 parserInternals.c | 7 ++++++-
16 2 files changed, 8 insertions(+), 7 deletions(-)
17
18diff --git a/parser.c b/parser.c
19index 2207404..431851f 100644
20--- a/parser.c
21+++ b/parser.c
22@@ -13337,7 +13337,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt,
23 	ctxt->userData = ctxt;
24     if (ctxt->dict != NULL) xmlDictFree(ctxt->dict);
25     ctxt->dict = oldctxt->dict;
26-    ctxt->input_id = oldctxt->input_id + 1;
27+    ctxt->input_id = oldctxt->input_id;
28     ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3);
29     ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5);
30     ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36);
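Review bot: The line `ctxt->input_id = oldctxt->input_id;` now seeds the sub-context with the parent's counter, and nothing in the code says why that is safe. The matching hunk in xmlCreateEntityParserCtxtInternal also deletes the only comment that explained the relationship. Because the child increments its own copy, IDs it hands out can presumably repeat values the parent or a sibling sub-context issues later. A short comment on both assignments would record the intent, for example `/* Sub-context continues from the parent's input ID; a separate offset is not needed. */`. Both functions extend beyond their hunks, so how input IDs are compared elsewhere should be checked before settling the wording.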
31@@ -13968,11 +13968,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
32     if (pctx != NULL) {
33         ctxt->options = pctx->options;
34         ctxt->_private = pctx->_private;
35-	/*
36-	 * this is a subparser of pctx, so the input_id should be
37-	 * incremented to distinguish from main entity
38-	 */
39-	ctxt->input_id = pctx->input_id + 1;
40+	ctxt->input_id = pctx->input_id;
41     }
42 
43     /* Don't read from stdin. */
44diff --git a/parserInternals.c b/parserInternals.c
45index ef18ccf..cee4cd9 100644
46--- a/parserInternals.c
47+++ b/parserInternals.c
48@@ -1352,8 +1352,13 @@ xmlNewInputStream(xmlParserCtxtPtr ctxt) {
49      * should not happen while parsing which is the situation where
50      * the id is actually needed.
51      */
52-    if (ctxt != NULL)
53+    if (ctxt != NULL) {
54+        if (input->id >= INT_MAX) {
55+            xmlErrMemory(ctxt, "Input ID overflow\n");
56+            return(NULL);
57+        }
58         input->id = ctxt->input_id++;
59+    }
60 
61     return(input);
62 }
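Review bot: The new guard tests `input->id`, but the value that is incremented and can reach INT_MAX is `ctxt->input_id`. The next line overwrites `input->id` from that counter, so as written the check looks unable to fire (presumably `input` was freshly initialised above the hunk). The condition should read `if (ctxt->input_id >= INT_MAX) {`. The early `return(NULL);` also does not release `input`, which appears to be allocated earlier in xmlNewInputStream; adding `xmlFree(input);` before the return would avoid a leak on the error path. The function starts above the hunk, so both points should be confirmed against its allocation code.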
63-- 
642.27.0
65
66