c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix exponential runtime and memory in xi:fallback processing

Browse Source 
When creating XML_XINCLUDE_START nodes, the children of the original
xi:include node must be freed, otherwise fallback content is copied
twice, doubling runtime and memory consumption for each nested
xi:fallback/xi:include pair.

Found with libFuzzer.
This commit is contained in:
Nick Wellnhofer 2020-08-06 17:51:57 +02:00
parent 11b5745927
commit 1abf2967f9
4 changed files with 258 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
result/XInclude/fallback5.xml Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0"?>
<a>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
<elem/>
</a>

116
result/XInclude/fallback5.xml.rdr Normal file
View File

@ -0,0 +1,116 @@
0 1 a 0 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 1 elem 1 0
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
1 14 #text 0 1
0 15 a 0 0

83
test/XInclude/docs/fallback5.xml Normal file
View File

@ -0,0 +1,83 @@
<a>
<xi:include href="a01.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:fallback>
<elem/>
<xi:include href="a02.xml">
<xi:fallback>
<elem/>
<xi:include href="a03.xml">
<xi:fallback>
<elem/>
<xi:include href="a04.xml">
<xi:fallback>
<elem/>
<xi:include href="a05.xml">
<xi:fallback>
<elem/>
<xi:include href="a06.xml">
<xi:fallback>
<elem/>
<xi:include href="a07.xml">
<xi:fallback>
<elem/>
<xi:include href="a08.xml">
<xi:fallback>
<elem/>
<xi:include href="a09.xml">
<xi:fallback>
<elem/>
<xi:include href="a10.xml">
<xi:fallback>
<elem/>
<xi:include href="a11.xml">
<xi:fallback>
<elem/>
<xi:include href="a12.xml">
<xi:fallback>
<elem/>
<xi:include href="a13.xml">
<xi:fallback>
<elem/>
<xi:include href="a14.xml">
<xi:fallback>
<elem/>
<xi:include href="a15.xml">
<xi:fallback>
<elem/>
<xi:include href="a16.xml">
<xi:fallback>
<elem/>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</xi:fallback>
</xi:include>
</a>

8
xinclude.c
View File

@ -2260,11 +2260,19 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) {
xmlUnlinkNode(cur);
xmlFreeNode(cur);
} else {
xmlNodePtr child, next;
/*
* Change the current node as an XInclude start one, and add an
* XInclude end one
*/
cur->type = XML_XINCLUDE_START;
/* Remove fallback children */
for (child = cur->children; child != NULL; child = next) {
next = child->next;
xmlUnlinkNode(child);
xmlFreeNode(child);
}
end = xmlNewDocNode(cur->doc, cur->ns, cur->name, NULL);
if (end == NULL) {
xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref,