1From 3eb9f5ca4e6b0933ac1dc7fbcce38669ac002b7f Mon Sep 17 00:00:00 2001 2From: Nick Wellnhofer <wellnhofer@aevum.de> 3Date: Tue, 21 Mar 2023 13:19:31 +0100 4Subject: [PATCH] parser: Limit name length in xmlParseEncName 5 6 7Reference:https://github.com/GNOME/libxml2/commit/3eb9f5ca4e6b0933ac1dc7fbcce38669ac002b7f 8Conflict:NA 9 10--- 11 parser.c | 13 ++++++++----- 12 1 file changed, 8 insertions(+), 5 deletions(-) 13 14diff --git a/parser.c b/parser.c 15index b872d34..a4c9fb2 100644 16--- a/parser.c 17+++ b/parser.c 18@@ -10301,6 +10301,9 @@ xmlParseEncName(xmlParserCtxtPtr ctxt) { 19 xmlChar *buf = NULL; 20 int len = 0; 21 int size = 10; 22+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? 23+ XML_MAX_TEXT_LENGTH : 24+ XML_MAX_NAME_LENGTH; 25 xmlChar cur; 26 27 cur = CUR; 28@@ -10333,13 +10336,13 @@ xmlParseEncName(xmlParserCtxtPtr ctxt) { 29 buf = tmp; 30 } 31 buf[len++] = cur; 32+ if (len > maxLength) { 33+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "EncName"); 34+ xmlFree(buf); 35+ return(NULL); 36+ } 37 NEXT; 38 cur = CUR; 39- if (cur == 0) { 40- SHRINK; 41- GROW; 42- cur = CUR; 43- } 44 } 45 buf[len] = 0; 46 } else { 47-- 482.27.0 49 50