File libxml2-2.7.1-CVE-2009-2414_CVE-2009-2616.patch of Package libxml2
--- parser.c.orig 2009-08-06 15:56:53.000000000 +0200
+++ parser.c 2009-08-06 16:21:05.000000000 +0200
@@ -5300,7 +5300,8 @@
if (name == NULL) {
xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
"Name expected in NOTATION declaration\n");
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
tmp = ret;
while (tmp != NULL) {
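Review bot: The error exits patched in this function (the `name == NULL` branch here, the `cur == NULL` branch in the next hunk and the `RAW != ')'` branch in the hunk after it) now free the whole list and return NULL, but nothing in the visible lines records that contract for callers. I would add a line to the function's header comment, for example `Returns the notation list built, or NULL on error (a partially built list is freed).`, and confirm that the caller treats NULL as a parse failure rather than an empty list. On the first loop iteration `ret` is still NULL when this branch runs, so the fix relies on `xmlFreeEnumeration` accepting NULL; a short comment saying so would help. The function starts and ends outside the hunk.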
@@ -5316,7 +5317,10 @@
}
if (tmp == NULL) {
cur = xmlCreateEnumeration(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
@@ -5327,9 +5331,8 @@
} while (RAW == '|');
if (RAW != ')') {
xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
- if ((last != NULL) && (last != ret))
- xmlFreeEnumeration(last);
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
NEXT;
return(ret);
@@ -5384,7 +5387,10 @@
cur = xmlCreateEnumeration(name);
if (!xmlDictOwns(ctxt->dict, name))
xmlFree(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
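Review bot: Only the allocation-failure exit at `if (cur == NULL)` is converted to free-and-return-NULL here, and the function's other error returns are outside the hunk. If any of them still does `return(ret);`, the function hands back a partial list on some errors and NULL on others, which callers cannot tell apart from success. I would either give those exits the same `xmlFreeEnumeration(ret); return(NULL);` treatment or state in the header comment which errors still return the partial list. The new branch correctly leaves `name` alone, since it may already have been freed two lines above.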
@@ -5788,6 +5794,13 @@
const xmlChar *elem;
xmlChar type = 0;
+ if (ctxt->depth > 128) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
+ "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+ ctxt->depth);
+ return(NULL);
+ }
+
SKIP_BLANKS;
GROW;
if (RAW == '(') {
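Review bot: The limit `128` is a bare literal, and the check reads `ctxt->depth`, a field of the shared parser context rather than a counter private to this recursion. If other parsing paths also change that field (it looks like the parser's general nesting counter, to be confirmed), the number of nested groups allowed in a content model depends on where the declaration is parsed. I would give the limit a name, e.g. `#define XML_ELEMCONTENT_MAX_DEPTH 128` (name suggested here, not taken from the file), and consider passing the depth as an explicit argument through a private helper. Reusing `XML_ERR_ELEMCONTENT_NOT_FINISHED` also makes a depth rejection indistinguishable from a truncated declaration for any handler that switches on the error code.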
@@ -5796,7 +5808,9 @@
/* Recurse on first child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
GROW;
} else {
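Review bot: Both recursion sites (`cur = ret = ...` here and `last = ...` in the next hunk) can now receive NULL from the new depth check, and the code that consumes that NULL is outside both hunks. At the second-child site in particular, the already-built `ret` tree has to be freed, and a NULL `last` has to be guarded before it is linked or dereferenced; please confirm the code after the branch does both. A comment at the increment such as `/* bound recursion on nested '(' groups, see depth check at function entry */` would also explain why the counter is touched here.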
@@ -5928,7 +5942,9 @@
/* Recurse on second child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
last = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
} else {
elem = xmlParseName(ctxt);