textproc/libxml/patches/patch-parser.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

$NetBSD: patch-parser.c,v 1.2 2011/09/01 14:42:09 obache Exp $

* fixes CVE-2009-2414 and CVE-2009-2416.

--- parser.c.orig	2001-09-14 14:09:41.000000000 +0000
+++ parser.c
@@ -5164,11 +5164,15 @@ xmlParseNotationType(xmlParserCtxtPtr ct
 		                 "Name expected in NOTATION declaration\n");
 	    ctxt->wellFormed = 0;
 	    ctxt->disableSAX = 1;
-	    return(ret);
+	    xmlFreeEnumeration(ret);
+	    return(NULL);
 	}
 	cur = xmlCreateEnumeration(name);
 	xmlFree(name);
-	if (cur == NULL) return(ret);
+	if (cur == NULL) {
+	    xmlFreeEnumeration(ret);
+	    return(NULL);
+	}
 	if (last == NULL) ret = last = cur;
 	else {
 	    last->next = cur;
@@ -5183,9 +5187,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct
 	                     "')' required to finish NOTATION declaration\n");
 	ctxt->wellFormed = 0;
 	ctxt->disableSAX = 1;
-	if ((last != NULL) && (last != ret))
-	    xmlFreeEnumeration(last);
-	return(ret);
+	xmlFreeEnumeration(ret);
+	return(NULL);
     }
     NEXT;
     return(ret);
@@ -5236,7 +5239,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr
 	}
 	cur = xmlCreateEnumeration(name);
 	xmlFree(name);
-	if (cur == NULL) return(ret);
+	if (cur == NULL) {
+	    xmlFreeEnumeration(ret);
+	    return(NULL);
+	}
 	if (last == NULL) ret = last = cur;
 	else {
 	    last->next = cur;
@@ -5715,13 +5721,22 @@ xmlParseElementChildrenContentDecl
     xmlChar *elem;
     xmlChar type = 0;
 
+    if (ctxt->depth > 128) {
+	ctxt->sax->error(ctxt->userData,
+		"xmlParseElementChildrenContentDecl : depth %d too deep\n",
+		ctxt->depth);
+	return(NULL);
+    }
+
     SKIP_BLANKS;
     GROW;
     if (RAW == '(') {
         /* Recurse on first child */
 	NEXT;
 	SKIP_BLANKS;
+	ctxt->depth++;
         cur = ret = xmlParseElementChildrenContentDecl(ctxt);
+	ctxt->depth--;
 	SKIP_BLANKS;
 	GROW;
     } else {
@@ -5865,7 +5880,9 @@ xmlParseElementChildrenContentDecl
 	    /* Recurse on second child */
 	    NEXT;
 	    SKIP_BLANKS;
+	    ctxt->depth++;
 	    last = xmlParseElementChildrenContentDecl(ctxt);
+	    ctxt->depth--;
 	    SKIP_BLANKS;
 	} else {
 	    elem = xmlParseNameComplex(ctxt);