1 files changed, 623 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
new file mode 100644
index 0000000000..bdb9e9eb7a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,623 @@
+From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 25 Aug 2022 17:43:08 +0200
+Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
+Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
+to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
+XML_MAX_HUGE_LENGTH (1 billion bytes).
+Move some the length checks to the end of the respective loop to make
+them strict.
+xmlParseEntityValue didn't have a length limitation at all. But without
+XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
+Thanks to Maddie Stone working with Google Project Zero for the report!
+CVE: CVE-2022-40303
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
+Comments: Refreshed hunk
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ parser.c | 233 +++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 121 insertions(+), 112 deletions(-)
+diff --git a/parser.c b/parser.c
+index 93f031be..79479979 100644
+--- a/parser.c
+++ b/parser.c
+@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
+  *                                                                     *
+  ************************************************************************/
+ 
+#define XML_MAX_HUGE_LENGTH 1000000000
+
+ #define XML_PARSER_BIG_ENTITY 1000
+ #define XML_PARSER_LOT_ENTITY 5000
+ 
+@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+             errmsg = "Malformed declaration expecting version";
+             break;
+         case XML_ERR_NAME_TOO_LONG:
+-            errmsg = "Name too long use XML_PARSE_HUGE option";
+            errmsg = "Name too long";
+             break;
+ #if 0
+         case:
+@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+     int len = 0, l;
+     int c;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseNameComplex++;
+@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+                 if (ctxt->instate == XML_PARSER_EOF)
+                     return(NULL);
+            }
+-           len += l;
+            if (len <= INT_MAX - l)
+               len += l;
+            NEXTL(l);
+            c = CUR_CHAR(l);
+        }
+@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+                 if (ctxt->instate == XML_PARSER_EOF)
+                     return(NULL);
+            }
+-           len += l;
+            if (len <= INT_MAX - l)
+               len += l;
+            NEXTL(l);
+            c = CUR_CHAR(l);
+        }
+     }
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+         return(NULL);
+     }
+@@ -3338,7 +3344,10 @@ const xmlChar *
+ xmlParseName(xmlParserCtxtPtr ctxt) {
+     const xmlChar *in;
+     const xmlChar *ret;
+-    int count = 0;
+    size_t count = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_TEXT_LENGTH :
+                       XML_MAX_NAME_LENGTH;
+ 
+     GROW;
+ 
+@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
+            in++;
+        if ((*in > 0) && (*in < 0x80)) {
+            count = in - ctxt->input->cur;
+-            if ((count > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+            if (count > maxLength) {
+                 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+                 return(NULL);
+             }
+@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+     int len = 0, l;
+     int c;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+     size_t startPosition = 0;
+ 
+ #ifdef DEBUG
+@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+     while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
+           (xmlIsNameChar(ctxt, c) && (c != ':'))) {
+        if (count++ > XML_PARSER_CHUNK_SIZE) {
+-            if ((len > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+-                return(NULL);
+-            }
+            count = 0;
+            GROW;
+             if (ctxt->instate == XML_PARSER_EOF)
+                 return(NULL);
+        }
+-       len += l;
+        if (len <= INT_MAX - l)
+           len += l;
+        NEXTL(l);
+        c = CUR_CHAR(l);
+        if (c == 0) {
+@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+            c = CUR_CHAR(l);
+        }
+     }
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+         return(NULL);
+     }
+@@ -3459,7 +3465,10 @@ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+     const xmlChar *in, *e;
+     const xmlChar *ret;
+-    int count = 0;
+    size_t count = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_TEXT_LENGTH :
+                       XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseNCName++;
+@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+            goto complex;
+        if ((*in > 0) && (*in < 0x80)) {
+            count = in - ctxt->input->cur;
+-            if ((count > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+            if (count > maxLength) {
+                 xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+                 return(NULL);
+             }
+@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+     const xmlChar *cur = *str;
+     int len = 0, l;
+     int c;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseStringName++;
+@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+                if (len + 10 > max) {
+                    xmlChar *tmp;
+ 
+-                    if ((len > XML_MAX_NAME_LENGTH) &&
+-                        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                        xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+-                       xmlFree(buffer);
+-                        return(NULL);
+-                    }
+                    max *= 2;
+                    tmp = (xmlChar *) xmlRealloc(buffer,
+                                                    max * sizeof(xmlChar));
+@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+                COPY_BUF(l,buffer,len,c);
+                cur += l;
+                c = CUR_SCHAR(cur, l);
+                if (len > maxLength) {
+                    xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+                    xmlFree(buffer);
+                    return(NULL);
+                }
+            }
+            buffer[len] = 0;
+            *str = cur;
+            return(buffer);
+        }
+     }
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+         return(NULL);
+     }
+@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+     int len = 0, l;
+     int c;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+ 
+ #ifdef DEBUG
+     nbParseNmToken++;
+@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+                if (len + 10 > max) {
+                    xmlChar *tmp;
+ 
+-                    if ((max > XML_MAX_NAME_LENGTH) &&
+-                        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                        xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+-                        xmlFree(buffer);
+-                        return(NULL);
+-                    }
+                    max *= 2;
+                    tmp = (xmlChar *) xmlRealloc(buffer,
+                                                    max * sizeof(xmlChar));
+@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+                COPY_BUF(l,buffer,len,c);
+                NEXTL(l);
+                c = CUR_CHAR(l);
+                if (len > maxLength) {
+                    xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+                    xmlFree(buffer);
+                    return(NULL);
+                }
+            }
+            buffer[len] = 0;
+            return(buffer);
+@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+     }
+     if (len == 0)
+         return(NULL);
+-    if ((len > XML_MAX_NAME_LENGTH) &&
+-        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+    if (len > maxLength) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+         return(NULL);
+     }
+@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+     int len = 0;
+     int size = XML_PARSER_BUFFER_SIZE;
+     int c, l;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_HUGE_LENGTH :
+                    XML_MAX_TEXT_LENGTH;
+     xmlChar stop;
+     xmlChar *ret = NULL;
+     const xmlChar *cur = NULL;
+@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+            GROW;
+            c = CUR_CHAR(l);
+        }
+
+        if (len > maxLength) {
+            xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+                           "entity value too long\n");
+            goto error;
+        }
+     }
+     buf[len] = 0;
+     if (ctxt->instate == XML_PARSER_EOF)
+@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+     xmlChar *rep = NULL;
+     size_t len = 0;
+     size_t buf_size = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     int c, l, in_space = 0;
+     xmlChar *current = NULL;
+     xmlEntityPtr ent;
+@@ -3925,16 +3925,6 @@
+     while (((NXT(0) != limit) && /* checked */
+             (IS_CHAR(c)) && (c != '<')) &&
+             (ctxt->instate != XML_PARSER_EOF)) {
+-        /*
+-         * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
+-         * special option is given
+-         */
+-        if ((len > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-            xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+-                           "AttValue length too long\n");
+-            goto mem_error;
+-        }
+        if (c == 0) break;
+        if (c == '&') {
+            in_space = 0;
+@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+        }
+        GROW;
+        c = CUR_CHAR(l);
+        if (len > maxLength) {
+            xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                           "AttValue length too long\n");
+            goto mem_error;
+        }
+     }
+     if (ctxt->instate == XML_PARSER_EOF)
+         goto error;
+@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+     } else
+        NEXT;
+ 
+-    /*
+-     * There we potentially risk an overflow, don't allow attribute value of
+-     * length more than INT_MAX it is a very reasonable assumption !
+-     */
+-    if (len >= INT_MAX) {
+-        xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+-                       "AttValue length too long\n");
+-        goto mem_error;
+-    }
+-
+     if (attlen != NULL) *attlen = (int) len;
+     return(buf);
+ 
+@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+     int len = 0;
+     int size = XML_PARSER_BUFFER_SIZE;
+     int cur, l;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+     xmlChar stop;
+     int state = ctxt->instate;
+     int count = 0;
+@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+        if (len + 5 >= size) {
+            xmlChar *tmp;
+ 
+-            if ((size > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+-                xmlFree(buf);
+-               ctxt->instate = (xmlParserInputState) state;
+-                return(NULL);
+-            }
+            size *= 2;
+            tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+            if (tmp == NULL) {
+@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+            SHRINK;
+            cur = CUR_CHAR(l);
+        }
+        if (len > maxLength) {
+            xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+            xmlFree(buf);
+            ctxt->instate = (xmlParserInputState) state;
+            return(NULL);
+        }
+     }
+     buf[len] = 0;
+     ctxt->instate = (xmlParserInputState) state;
+@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+     xmlChar *buf = NULL;
+     int len = 0;
+     int size = XML_PARSER_BUFFER_SIZE;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_TEXT_LENGTH :
+                    XML_MAX_NAME_LENGTH;
+     xmlChar cur;
+     xmlChar stop;
+     int count = 0;
+@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+        if (len + 1 >= size) {
+            xmlChar *tmp;
+ 
+-            if ((size > XML_MAX_NAME_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+-                xmlFree(buf);
+-                return(NULL);
+-            }
+            size *= 2;
+            tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+            if (tmp == NULL) {
+@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+            SHRINK;
+            cur = CUR;
+        }
+        if (len > maxLength) {
+            xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+            xmlFree(buf);
+            return(NULL);
+        }
+     }
+     buf[len] = 0;
+     if (cur != stop) {
+@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+     int r, rl;
+     int cur, l;
+     size_t count = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     int inputid;
+ 
+     inputid = ctxt->input->id;
+@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+        if ((r == '-') && (q == '-')) {
+            xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
+        }
+-        if ((len > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-            xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+-                         "Comment too big found", NULL);
+-            xmlFree (buf);
+-            return;
+-        }
+        if (len + 5 >= size) {
+            xmlChar *new_buf;
+             size_t new_size;
+@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+            GROW;
+            cur = CUR_CHAR(l);
+        }
+
+        if (len > maxLength) {
+            xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+                         "Comment too big found", NULL);
+            xmlFree (buf);
+            return;
+        }
+     }
+     buf[len] = 0;
+     if (cur == 0) {
+@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
+     xmlChar *buf = NULL;
+     size_t size = XML_PARSER_BUFFER_SIZE;
+     size_t len = 0;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     xmlParserInputState state;
+     const xmlChar *in;
+     size_t nbchar = 0;
+@@ -4958,8 +4975,7 @@ get_more:
+                buf[len] = 0;
+            }
+        }
+-        if ((len > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+        if (len > maxLength) {
+             xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+                          "Comment too big found", NULL);
+             xmlFree (buf);
+@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+     xmlChar *buf = NULL;
+     size_t len = 0;
+     size_t size = XML_PARSER_BUFFER_SIZE;
+    size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                       XML_MAX_HUGE_LENGTH :
+                       XML_MAX_TEXT_LENGTH;
+     int cur, l;
+     const xmlChar *target;
+     xmlParserInputState state;
+@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+                         return;
+                     }
+                    count = 0;
+-                    if ((len > XML_MAX_TEXT_LENGTH) &&
+-                        ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                        xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+-                                          "PI %s too big found", target);
+-                        xmlFree(buf);
+-                        ctxt->instate = state;
+-                        return;
+-                    }
+                }
+                COPY_BUF(l,buf,len,cur);
+                NEXTL(l);
+@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+                    GROW;
+                    cur = CUR_CHAR(l);
+                }
+                if (len > maxLength) {
+                    xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+                                      "PI %s too big found", target);
+                    xmlFree(buf);
+                    ctxt->instate = state;
+                    return;
+                }
+            }
+-            if ((len > XML_MAX_TEXT_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+-                                  "PI %s too big found", target);
+-                xmlFree(buf);
+-                ctxt->instate = state;
+-                return;
+-            }
+            buf[len] = 0;
+            if (cur != '?') {
+                xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+     const xmlChar *in = NULL, *start, *end, *last;
+     xmlChar *ret = NULL;
+     int line, col;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_HUGE_LENGTH :
+                    XML_MAX_TEXT_LENGTH;
+ 
+     GROW;
+     in = (xmlChar *) CUR_PTR;
+@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            start = in;
+            if (in >= end) {
+                 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            if ((*in++ == 0x20) && (*in == 0x20)) break;
+            if (in >= end) {
+                 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+                    last = last + delta;
+                }
+                end = ctxt->input->end;
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+                 }
+            }
+        }
+-        if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+        if ((in - start) > maxLength) {
+             xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                            "AttValue length too long\n");
+             return(NULL);
+@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            col++;
+            if (in >= end) {
+                 GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+-                if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-                    ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+                if ((in - start) > maxLength) {
+                     xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                                    "AttValue length too long\n");
+                     return(NULL);
+@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+            }
+        }
+        last = in;
+-        if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+-            ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+        if ((in - start) > maxLength) {
+             xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                            "AttValue length too long\n");
+             return(NULL);
+@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+     int        s, sl;
+     int cur, l;
+     int count = 0;
+    int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+                    XML_MAX_HUGE_LENGTH :
+                    XML_MAX_TEXT_LENGTH;
+ 
+     /* Check 2.6.0 was NXT(0) not RAW */
+     if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
+@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+        if (len + 5 >= size) {
+            xmlChar *tmp;
+ 
+-            if ((size > XML_MAX_TEXT_LENGTH) &&
+-                ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+-                xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+-                             "CData section too big found", NULL);
+-                xmlFree (buf);
+-                return;
+-            }
+            tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
+            if (tmp == NULL) {
+                xmlFree(buf);
+@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+        }
+        NEXTL(l);
+        cur = CUR_CHAR(l);
+        if (len > maxLength) {
+            xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+                           "CData section too big found\n");
+            xmlFree(buf);
+            return;
+        }
+     }
+     buf[len] = 0;
+     ctxt->instate = XML_PARSER_CONTENT;
+-- 
+GitLab

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch new file mode 100644 index 0000000000..bdb9e9eb7a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,623 @@
	1	From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
	2	From: Nick Wellnhofer <wellnhofer@aevum.de>
	3	Date: Thu, 25 Aug 2022 17:43:08 +0200
	4	Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
	5
	6	Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
	7	to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
	8	XML_MAX_HUGE_LENGTH (1 billion bytes).
	9
	10	Move some the length checks to the end of the respective loop to make
	11	them strict.
	12
	13	xmlParseEntityValue didn't have a length limitation at all. But without
	14	XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
	15
	16	Thanks to Maddie Stone working with Google Project Zero for the report!
	17
	18	CVE: CVE-2022-40303
	19	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
	20	Comments: Refreshed hunk
	21
	22	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
	23	---
	24	parser.c \| 233 +++++++++++++++++++++++++++++--------------------------
	25	1 file changed, 121 insertions(+), 112 deletions(-)
	26
	27	diff --git a/parser.c b/parser.c
	28	index 93f031be..79479979 100644
	29	--- a/parser.c
	30	+++ b/parser.c
	31	@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
	32	* *
	33	************************************************************************/
	34
	35	+#define XML_MAX_HUGE_LENGTH 1000000000
	36	+
	37	#define XML_PARSER_BIG_ENTITY 1000
	38	#define XML_PARSER_LOT_ENTITY 5000
	39
	40	@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
	41	errmsg = "Malformed declaration expecting version";
	42	break;
	43	case XML_ERR_NAME_TOO_LONG:
	44	- errmsg = "Name too long use XML_PARSE_HUGE option";
	45	+ errmsg = "Name too long";
	46	break;
	47	#if 0
	48	case:
	49	@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
	50	int len = 0, l;
	51	int c;
	52	int count = 0;
	53	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	54	+ XML_MAX_TEXT_LENGTH :
	55	+ XML_MAX_NAME_LENGTH;
	56
	57	#ifdef DEBUG
	58	nbParseNameComplex++;
	59	@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
	60	if (ctxt->instate == XML_PARSER_EOF)
	61	return(NULL);
	62	}
	63	- len += l;
	64	+ if (len <= INT_MAX - l)
	65	+ len += l;
	66	NEXTL(l);
	67	c = CUR_CHAR(l);
	68	}
	69	@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
	70	if (ctxt->instate == XML_PARSER_EOF)
	71	return(NULL);
	72	}
	73	- len += l;
	74	+ if (len <= INT_MAX - l)
	75	+ len += l;
	76	NEXTL(l);
	77	c = CUR_CHAR(l);
	78	}
	79	}
	80	- if ((len > XML_MAX_NAME_LENGTH) &&
	81	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	82	+ if (len > maxLength) {
	83	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
	84	return(NULL);
	85	}
	86	@@ -3338,7 +3344,10 @@ const xmlChar *
	87	xmlParseName(xmlParserCtxtPtr ctxt) {
	88	const xmlChar *in;
	89	const xmlChar *ret;
	90	- int count = 0;
	91	+ size_t count = 0;
	92	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	93	+ XML_MAX_TEXT_LENGTH :
	94	+ XML_MAX_NAME_LENGTH;
	95
	96	GROW;
	97
	98	@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
	99	in++;
	100	if ((in > 0) && (in < 0x80)) {
	101	count = in - ctxt->input->cur;
	102	- if ((count > XML_MAX_NAME_LENGTH) &&
	103	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	104	+ if (count > maxLength) {
	105	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
	106	return(NULL);
	107	}
	108	@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
	109	int len = 0, l;
	110	int c;
	111	int count = 0;
	112	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	113	+ XML_MAX_TEXT_LENGTH :
	114	+ XML_MAX_NAME_LENGTH;
	115	size_t startPosition = 0;
	116
	117	#ifdef DEBUG
	118	@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
	119	while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
	120	(xmlIsNameChar(ctxt, c) && (c != ':'))) {
	121	if (count++ > XML_PARSER_CHUNK_SIZE) {
	122	- if ((len > XML_MAX_NAME_LENGTH) &&
	123	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	124	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
	125	- return(NULL);
	126	- }
	127	count = 0;
	128	GROW;
	129	if (ctxt->instate == XML_PARSER_EOF)
	130	return(NULL);
	131	}
	132	- len += l;
	133	+ if (len <= INT_MAX - l)
	134	+ len += l;
	135	NEXTL(l);
	136	c = CUR_CHAR(l);
	137	if (c == 0) {
	138	@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
	139	c = CUR_CHAR(l);
	140	}
	141	}
	142	- if ((len > XML_MAX_NAME_LENGTH) &&
	143	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	144	+ if (len > maxLength) {
	145	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
	146	return(NULL);
	147	}
	148	@@ -3459,7 +3465,10 @@ static const xmlChar *
	149	xmlParseNCName(xmlParserCtxtPtr ctxt) {
	150	const xmlChar in, e;
	151	const xmlChar *ret;
	152	- int count = 0;
	153	+ size_t count = 0;
	154	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	155	+ XML_MAX_TEXT_LENGTH :
	156	+ XML_MAX_NAME_LENGTH;
	157
	158	#ifdef DEBUG
	159	nbParseNCName++;
	160	@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
	161	goto complex;
	162	if ((in > 0) && (in < 0x80)) {
	163	count = in - ctxt->input->cur;
	164	- if ((count > XML_MAX_NAME_LENGTH) &&
	165	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	166	+ if (count > maxLength) {
	167	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
	168	return(NULL);
	169	}
	170	@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
	171	const xmlChar cur = str;
	172	int len = 0, l;
	173	int c;
	174	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	175	+ XML_MAX_TEXT_LENGTH :
	176	+ XML_MAX_NAME_LENGTH;
	177
	178	#ifdef DEBUG
	179	nbParseStringName++;
	180	@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
	181	if (len + 10 > max) {
	182	xmlChar *tmp;
	183
	184	- if ((len > XML_MAX_NAME_LENGTH) &&
	185	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	186	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
	187	- xmlFree(buffer);
	188	- return(NULL);
	189	- }
	190	max *= 2;
	191	tmp = (xmlChar *) xmlRealloc(buffer,
	192	max * sizeof(xmlChar));
	193	@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
	194	COPY_BUF(l,buffer,len,c);
	195	cur += l;
	196	c = CUR_SCHAR(cur, l);
	197	+ if (len > maxLength) {
	198	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
	199	+ xmlFree(buffer);
	200	+ return(NULL);
	201	+ }
	202	}
	203	buffer[len] = 0;
	204	*str = cur;
	205	return(buffer);
	206	}
	207	}
	208	- if ((len > XML_MAX_NAME_LENGTH) &&
	209	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	210	+ if (len > maxLength) {
	211	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
	212	return(NULL);
	213	}
	214	@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
	215	int len = 0, l;
	216	int c;
	217	int count = 0;
	218	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	219	+ XML_MAX_TEXT_LENGTH :
	220	+ XML_MAX_NAME_LENGTH;
	221
	222	#ifdef DEBUG
	223	nbParseNmToken++;
	224	@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
	225	if (len + 10 > max) {
	226	xmlChar *tmp;
	227
	228	- if ((max > XML_MAX_NAME_LENGTH) &&
	229	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	230	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
	231	- xmlFree(buffer);
	232	- return(NULL);
	233	- }
	234	max *= 2;
	235	tmp = (xmlChar *) xmlRealloc(buffer,
	236	max * sizeof(xmlChar));
	237	@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
	238	COPY_BUF(l,buffer,len,c);
	239	NEXTL(l);
	240	c = CUR_CHAR(l);
	241	+ if (len > maxLength) {
	242	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
	243	+ xmlFree(buffer);
	244	+ return(NULL);
	245	+ }
	246	}
	247	buffer[len] = 0;
	248	return(buffer);
	249	@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
	250	}
	251	if (len == 0)
	252	return(NULL);
	253	- if ((len > XML_MAX_NAME_LENGTH) &&
	254	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	255	+ if (len > maxLength) {
	256	xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
	257	return(NULL);
	258	}
	259	@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
	260	int len = 0;
	261	int size = XML_PARSER_BUFFER_SIZE;
	262	int c, l;
	263	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	264	+ XML_MAX_HUGE_LENGTH :
	265	+ XML_MAX_TEXT_LENGTH;
	266	xmlChar stop;
	267	xmlChar *ret = NULL;
	268	const xmlChar *cur = NULL;
	269	@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
	270	GROW;
	271	c = CUR_CHAR(l);
	272	}
	273	+
	274	+ if (len > maxLength) {
	275	+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
	276	+ "entity value too long\n");
	277	+ goto error;
	278	+ }
	279	}
	280	buf[len] = 0;
	281	if (ctxt->instate == XML_PARSER_EOF)
	282	@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
	283	xmlChar *rep = NULL;
	284	size_t len = 0;
	285	size_t buf_size = 0;
	286	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	287	+ XML_MAX_HUGE_LENGTH :
	288	+ XML_MAX_TEXT_LENGTH;
	289	int c, l, in_space = 0;
	290	xmlChar *current = NULL;
	291	xmlEntityPtr ent;
	292	@@ -3925,16 +3925,6 @@
	293	while (((NXT(0) != limit) && /* checked */
	294	(IS_CHAR(c)) && (c != '<')) &&
	295	(ctxt->instate != XML_PARSER_EOF)) {
	296	- /*
	297	- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
	298	- * special option is given
	299	- */
	300	- if ((len > XML_MAX_TEXT_LENGTH) &&
	301	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	302	- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	303	- "AttValue length too long\n");
	304	- goto mem_error;
	305	- }
	306	if (c == 0) break;
	307	if (c == '&') {
	308	in_space = 0;
	309	@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
	310	}
	311	GROW;
	312	c = CUR_CHAR(l);
	313	+ if (len > maxLength) {
	314	+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	315	+ "AttValue length too long\n");
	316	+ goto mem_error;
	317	+ }
	318	}
	319	if (ctxt->instate == XML_PARSER_EOF)
	320	goto error;
	321	@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
	322	} else
	323	NEXT;
	324
	325	- /*
	326	- * There we potentially risk an overflow, don't allow attribute value of
	327	- * length more than INT_MAX it is a very reasonable assumption !
	328	- */
	329	- if (len >= INT_MAX) {
	330	- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	331	- "AttValue length too long\n");
	332	- goto mem_error;
	333	- }
	334	-
	335	if (attlen != NULL) *attlen = (int) len;
	336	return(buf);
	337
	338	@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
	339	int len = 0;
	340	int size = XML_PARSER_BUFFER_SIZE;
	341	int cur, l;
	342	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	343	+ XML_MAX_TEXT_LENGTH :
	344	+ XML_MAX_NAME_LENGTH;
	345	xmlChar stop;
	346	int state = ctxt->instate;
	347	int count = 0;
	348	@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
	349	if (len + 5 >= size) {
	350	xmlChar *tmp;
	351
	352	- if ((size > XML_MAX_NAME_LENGTH) &&
	353	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	354	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
	355	- xmlFree(buf);
	356	- ctxt->instate = (xmlParserInputState) state;
	357	- return(NULL);
	358	- }
	359	size *= 2;
	360	tmp = (xmlChar ) xmlRealloc(buf, size sizeof(xmlChar));
	361	if (tmp == NULL) {
	362	@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
	363	SHRINK;
	364	cur = CUR_CHAR(l);
	365	}
	366	+ if (len > maxLength) {
	367	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
	368	+ xmlFree(buf);
	369	+ ctxt->instate = (xmlParserInputState) state;
	370	+ return(NULL);
	371	+ }
	372	}
	373	buf[len] = 0;
	374	ctxt->instate = (xmlParserInputState) state;
	375	@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
	376	xmlChar *buf = NULL;
	377	int len = 0;
	378	int size = XML_PARSER_BUFFER_SIZE;
	379	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	380	+ XML_MAX_TEXT_LENGTH :
	381	+ XML_MAX_NAME_LENGTH;
	382	xmlChar cur;
	383	xmlChar stop;
	384	int count = 0;
	385	@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
	386	if (len + 1 >= size) {
	387	xmlChar *tmp;
	388
	389	- if ((size > XML_MAX_NAME_LENGTH) &&
	390	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	391	- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
	392	- xmlFree(buf);
	393	- return(NULL);
	394	- }
	395	size *= 2;
	396	tmp = (xmlChar ) xmlRealloc(buf, size sizeof(xmlChar));
	397	if (tmp == NULL) {
	398	@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
	399	SHRINK;
	400	cur = CUR;
	401	}
	402	+ if (len > maxLength) {
	403	+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
	404	+ xmlFree(buf);
	405	+ return(NULL);
	406	+ }
	407	}
	408	buf[len] = 0;
	409	if (cur != stop) {
	410	@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
	411	int r, rl;
	412	int cur, l;
	413	size_t count = 0;
	414	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	415	+ XML_MAX_HUGE_LENGTH :
	416	+ XML_MAX_TEXT_LENGTH;
	417	int inputid;
	418
	419	inputid = ctxt->input->id;
	420	@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
	421	if ((r == '-') && (q == '-')) {
	422	xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
	423	}
	424	- if ((len > XML_MAX_TEXT_LENGTH) &&
	425	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	426	- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
	427	- "Comment too big found", NULL);
	428	- xmlFree (buf);
	429	- return;
	430	- }
	431	if (len + 5 >= size) {
	432	xmlChar *new_buf;
	433	size_t new_size;
	434	@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
	435	GROW;
	436	cur = CUR_CHAR(l);
	437	}
	438	+
	439	+ if (len > maxLength) {
	440	+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
	441	+ "Comment too big found", NULL);
	442	+ xmlFree (buf);
	443	+ return;
	444	+ }
	445	}
	446	buf[len] = 0;
	447	if (cur == 0) {
	448	@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
	449	xmlChar *buf = NULL;
	450	size_t size = XML_PARSER_BUFFER_SIZE;
	451	size_t len = 0;
	452	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	453	+ XML_MAX_HUGE_LENGTH :
	454	+ XML_MAX_TEXT_LENGTH;
	455	xmlParserInputState state;
	456	const xmlChar *in;
	457	size_t nbchar = 0;
	458	@@ -4958,8 +4975,7 @@ get_more:
	459	buf[len] = 0;
	460	}
	461	}
	462	- if ((len > XML_MAX_TEXT_LENGTH) &&
	463	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	464	+ if (len > maxLength) {
	465	xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
	466	"Comment too big found", NULL);
	467	xmlFree (buf);
	468	@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
	469	xmlChar *buf = NULL;
	470	size_t len = 0;
	471	size_t size = XML_PARSER_BUFFER_SIZE;
	472	+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	473	+ XML_MAX_HUGE_LENGTH :
	474	+ XML_MAX_TEXT_LENGTH;
	475	int cur, l;
	476	const xmlChar *target;
	477	xmlParserInputState state;
	478	@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
	479	return;
	480	}
	481	count = 0;
	482	- if ((len > XML_MAX_TEXT_LENGTH) &&
	483	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	484	- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
	485	- "PI %s too big found", target);
	486	- xmlFree(buf);
	487	- ctxt->instate = state;
	488	- return;
	489	- }
	490	}
	491	COPY_BUF(l,buf,len,cur);
	492	NEXTL(l);
	493	@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
	494	GROW;
	495	cur = CUR_CHAR(l);
	496	}
	497	+ if (len > maxLength) {
	498	+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
	499	+ "PI %s too big found", target);
	500	+ xmlFree(buf);
	501	+ ctxt->instate = state;
	502	+ return;
	503	+ }
	504	}
	505	- if ((len > XML_MAX_TEXT_LENGTH) &&
	506	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	507	- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
	508	- "PI %s too big found", target);
	509	- xmlFree(buf);
	510	- ctxt->instate = state;
	511	- return;
	512	- }
	513	buf[len] = 0;
	514	if (cur != '?') {
	515	xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
	516	@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
	517	const xmlChar in = NULL, start, end, last;
	518	xmlChar *ret = NULL;
	519	int line, col;
	520	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	521	+ XML_MAX_HUGE_LENGTH :
	522	+ XML_MAX_TEXT_LENGTH;
	523
	524	GROW;
	525	in = (xmlChar *) CUR_PTR;
	526	@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
	527	start = in;
	528	if (in >= end) {
	529	GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
	530	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
	531	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	532	+ if ((in - start) > maxLength) {
	533	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	534	"AttValue length too long\n");
	535	return(NULL);
	536	@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
	537	if ((in++ == 0x20) && (in == 0x20)) break;
	538	if (in >= end) {
	539	GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
	540	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
	541	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	542	+ if ((in - start) > maxLength) {
	543	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	544	"AttValue length too long\n");
	545	return(NULL);
	546	@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
	547	last = last + delta;
	548	}
	549	end = ctxt->input->end;
	550	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
	551	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	552	+ if ((in - start) > maxLength) {
	553	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	554	"AttValue length too long\n");
	555	return(NULL);
	556	}
	557	}
	558	}
	559	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
	560	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	561	+ if ((in - start) > maxLength) {
	562	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	563	"AttValue length too long\n");
	564	return(NULL);
	565	@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
	566	col++;
	567	if (in >= end) {
	568	GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
	569	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
	570	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	571	+ if ((in - start) > maxLength) {
	572	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	573	"AttValue length too long\n");
	574	return(NULL);
	575	@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,
	576	}
	577	}
	578	last = in;
	579	- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
	580	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	581	+ if ((in - start) > maxLength) {
	582	xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
	583	"AttValue length too long\n");
	584	return(NULL);
	585	@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
	586	int s, sl;
	587	int cur, l;
	588	int count = 0;
	589	+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
	590	+ XML_MAX_HUGE_LENGTH :
	591	+ XML_MAX_TEXT_LENGTH;
	592
	593	/* Check 2.6.0 was NXT(0) not RAW */
	594	if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
	595	@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
	596	if (len + 5 >= size) {
	597	xmlChar *tmp;
	598
	599	- if ((size > XML_MAX_TEXT_LENGTH) &&
	600	- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
	601	- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
	602	- "CData section too big found", NULL);
	603	- xmlFree (buf);
	604	- return;
	605	- }
	606	tmp = (xmlChar ) xmlRealloc(buf, size 2 * sizeof(xmlChar));
	607	if (tmp == NULL) {
	608	xmlFree(buf);
	609	@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
	610	}
	611	NEXTL(l);
	612	cur = CUR_CHAR(l);
	613	+ if (len > maxLength) {
	614	+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
	615	+ "CData section too big found\n");
	616	+ xmlFree(buf);
	617	+ return;
	618	+ }
	619	}
	620	buf[len] = 0;
	621	ctxt->instate = XML_PARSER_CONTENT;
	622	--
	623	GitLab