1From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
2From: Rhodri James <rhodri@wildebeest.org.uk>
3Date: Wed, 17 Aug 2022 18:26:18 +0100
4Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
5
6It is possible to concoct a situation in which parsing is
7suspended while substituting in an internal entity, so that
8XML_ResumeParser directly uses internalEntityProcessor as
9its processor. If the subsequent parse includes some unclosed
10tags, this will return without calling storeRawNames to ensure
11that the raw versions of the tag names are stored in memory other
12than the parse buffer itself. If the parse buffer is then changed
13or reallocated (for example if processing a file line by line),
14badness will ensue.
15
16This patch ensures storeRawNames is always called when needed
17after calling doContent. The earlier call do doContent does
18not need the same protection; it only deals with entity
19substitution, which cannot leave unbalanced tags, and in any
20case the raw names will be pointing into the stored entity
21value not the parse buffer.
22---
23 lib/xmlparse.c | 13 +++++++++----
24 1 file changed, 9 insertions(+), 4 deletions(-)
25
26diff --git a/lib/xmlparse.c b/lib/xmlparse.c
27index 7bcabf7f..d73f419c 100644
28--- a/lib/xmlparse.c
29+++ b/lib/xmlparse.c
30@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
31 {
32 parser->m_processor = contentProcessor;
33 /* see externalEntityContentProcessor vs contentProcessor */
34- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
35- s, end, nextPtr,
36- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
37- XML_ACCOUNT_DIRECT);
38+ result = doContent(parser, parser->m_parentParser ? 1 : 0,
39+ parser->m_encoding, s, end, nextPtr,
40+ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
41+ XML_ACCOUNT_DIRECT);
42+ if (result == XML_ERROR_NONE) {
43+ if (! storeRawNames(parser))
44+ return XML_ERROR_NO_MEMORY;
45+ }
46+ return result;
47 }
48 }
49
50--
512.27.0
52
53
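Review bot: The new `if (result == XML_ERROR_NONE)` block after the `doContent` call has no comment explaining why `storeRawNames` must run on this path, so the lifetime rule it enforces is recorded only in the commit message. A short comment above it, for example `/* Copy raw tag names out of the parse buffer; open tags may outlive it (same as contentProcessor) */`, would make it harder for a later refactor to drop the call and leave tag-name pointers dangling once the caller changes or reallocates the buffer. The diffstat lists only lib/xmlparse.c, so the change appears to ship without a regression test for the suspend-inside-internal-entity, resume-with-unclosed-tags case; one run under a memory sanitizer would pin the fix. The function body begins outside the hunk, so the declaration of `result` is assumed to exist above the visible lines.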