File xerces-c-CVE-2016-4463-part1.patch of Package xerces-c
From 6f2844bb141953f9cb5ddde78238d9dda548fc24 Mon Sep 17 00:00:00 2001
From: Scott Cantor <scantor@apache.org>
Date: Fri, 10 Jun 2016 01:38:34 +0000
Subject: [PATCH] https://issues.apache.org/jira/browse/XERCESC-2066
https://issues.apache.org/jira/browse/XERCESC-2069
git-svn-id: https://svn.apache.org/repos/asf/xerces/c/branches/xerces-3.1@1747619 13f79535-47bb-0310-9956-ffa450edef68
---
src/xercesc/validators/DTD/DTDScanner.cpp | 24 ++++++++++++++++++++----
src/xercesc/validators/DTD/DTDScanner.hpp | 1 +
2 files changed, 21 insertions(+), 4 deletions(-)
Index: xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.cpp
===================================================================
--- xerces-c-3.1.1.orig/src/xercesc/validators/DTD/DTDScanner.cpp
+++ xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.cpp
@@ -44,6 +44,8 @@
XERCES_CPP_NAMESPACE_BEGIN
+#define CONTENTSPEC_DEPTH_LIMIT 1000
+
// ---------------------------------------------------------------------------
// Local methods
// ---------------------------------------------------------------------------
@@ -1038,8 +1040,13 @@ bool DTDScanner::scanCharRef(XMLCh& firs
ContentSpecNode*
-DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse)
+DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth)
{
+ if (depth++ > CONTENTSPEC_DEPTH_LIMIT) {
+ fScanner->emitError(XMLErrs::UnterminatedDOCTYPE);
+ return 0;
+ }
+
// Check for a PE ref here, but don't require spaces
checkForPERef(false, true);
@@ -1240,7 +1247,7 @@ DTDScanner::scanChildren(const DTDElemen
// Recurse to handle this new guy
ContentSpecNode* subNode;
try {
- subNode = scanChildren(elemDecl, bufToUse);
+ subNode = scanChildren(elemDecl, bufToUse, depth);
}
catch (const XMLErrs::Codes)
{
@@ -1577,7 +1584,8 @@ bool DTDScanner::scanContentSpec(DTDElem
//
toFill.setModelType(DTDElementDecl::Children);
XMLBufBid bbTmp(fBufMgr);
- ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer());
+ unsigned int depth = 0;
+ ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth);
status = (resNode != 0);
if (status)
toFill.setContentSpec(resNode);
Index: xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.hpp
===================================================================
--- xerces-c-3.1.1.orig/src/xercesc/validators/DTD/DTDScanner.hpp
+++ xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.hpp
@@ -143,6 +143,7 @@ private:
(
const DTDElementDecl& elemDecl
, XMLBuffer& bufToUse
+ , unsigned int& depth
);
bool scanCharRef(XMLCh& toFill, XMLCh& second);
void scanComment();