File xerces-c-CVE-2016-4463-part1.patch of Package xerces-c

From 6f2844bb141953f9cb5ddde78238d9dda548fc24 Mon Sep 17 00:00:00 2001
From: Scott Cantor <scantor@apache.org>
Date: Fri, 10 Jun 2016 01:38:34 +0000
Subject: [PATCH] https://issues.apache.org/jira/browse/XERCESC-2066
 https://issues.apache.org/jira/browse/XERCESC-2069

git-svn-id: https://svn.apache.org/repos/asf/xerces/c/branches/xerces-3.1@1747619 13f79535-47bb-0310-9956-ffa450edef68
---
 src/xercesc/validators/DTD/DTDScanner.cpp | 24 ++++++++++++++++++++----
 src/xercesc/validators/DTD/DTDScanner.hpp |  1 +
 2 files changed, 21 insertions(+), 4 deletions(-)

Index: xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.cpp
===================================================================
--- xerces-c-3.1.1.orig/src/xercesc/validators/DTD/DTDScanner.cpp
+++ xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.cpp
@@ -44,6 +44,8 @@
 
 XERCES_CPP_NAMESPACE_BEGIN
 
+#define CONTENTSPEC_DEPTH_LIMIT 1000
+
 // ---------------------------------------------------------------------------
 //  Local methods
 // ---------------------------------------------------------------------------
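Review bot: `CONTENTSPEC_DEPTH_LIMIT` is added as an undocumented preprocessor macro just after `XERCES_CPP_NAMESPACE_BEGIN`, so the namespace does not scope it and nothing says what the value 1000 bounds. A file-local typed constant would match the `unsigned int` counter it is compared against: `static const unsigned int CONTENTSPEC_DEPTH_LIMIT = 1000;`. I would also put a comment above it, for example `// Upper bound on scanChildren() recursion for one element content model; anything beyond it is rejected instead of recursing further.`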
@@ -1038,8 +1040,13 @@ bool DTDScanner::scanCharRef(XMLCh& firs
 
 
 ContentSpecNode*
-DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse)
+DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth)
 {
+    if (depth++ > CONTENTSPEC_DEPTH_LIMIT) {
+        fScanner->emitError(XMLErrs::UnterminatedDOCTYPE);
+        return 0;
+    }
+
     // Check for a PE ref here, but don't require spaces
     checkForPERef(false, true);
 
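Review bot: The guard `if (depth++ > CONTENTSPEC_DEPTH_LIMIT)` increments a counter that every recursive call shares by reference, and no matching decrement appears in the visible hunks, so as shown it counts the total number of scanChildren calls for one content model rather than the current nesting depth. A wide but shallow content model with more than the limit of parenthesised groups would then be rejected. Taking the depth by value (`unsigned int depth` here and in DTDScanner.hpp, with `scanChildren(elemDecl, bufToUse, depth + 1)` at the recursive call in the next hunk) would make the limit track nesting only. `XMLErrs::UnterminatedDOCTYPE` is also a misleading diagnostic for this condition, so a dedicated error code, or at least a comment explaining the reuse, would help whoever triages a rejected DTD. The function body continues outside the hunk, so a decrement may exist there.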
@@ -1240,7 +1247,7 @@ DTDScanner::scanChildren(const DTDElemen
                         // Recurse to handle this new guy
                         ContentSpecNode* subNode;
                         try {
-                            subNode = scanChildren(elemDecl, bufToUse);
+                            subNode = scanChildren(elemDecl, bufToUse, depth);
                         }
                         catch (const XMLErrs::Codes)
                         {
@@ -1577,7 +1584,8 @@ bool DTDScanner::scanContentSpec(DTDElem
         //
         toFill.setModelType(DTDElementDecl::Children);
         XMLBufBid bbTmp(fBufMgr);
-        ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer());
+        unsigned int depth = 0;
+        ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth);
         status = (resNode != 0);
         if (status)
             toFill.setContentSpec(resNode);
Index: xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.hpp
===================================================================
--- xerces-c-3.1.1.orig/src/xercesc/validators/DTD/DTDScanner.hpp
+++ xerces-c-3.1.1/src/xercesc/validators/DTD/DTDScanner.hpp
@@ -143,6 +143,7 @@ private:
     (
         const   DTDElementDecl&     elemDecl
         ,       XMLBuffer&          bufToUse
+        ,       unsigned int&       depth
     );
     bool scanCharRef(XMLCh& toFill, XMLCh& second);
     void scanComment();