From 7a2d412f681fa4847c5351d7944a1de6959685da Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 31 Oct 2023 20:15:38 +0100 Subject: [PATCH] parser: Copy default namespace in xmlParseBalancedChunkMemory --- parser.c | 15 +++++++++--- result/noent/ns-ent.xml | 9 ++++--- result/noent/ns-ent.xml.sax2 | 40 +++++++++++++++++++++---------- result/ns-ent.xml | 9 ++++--- result/ns-ent.xml.rde | 18 ++++++++++---- result/ns-ent.xml.rdr | 22 ++++++++++++----- result/ns-ent.xml.sax | 42 ++++++++++++++++++++++---------- result/ns-ent.xml.sax2 | 46 +++++++++++++++++++++++++----------- test/ns-ent.xml | 9 ++++--- 9 files changed, 150 insertions(+), 60 deletions(-) diff --git a/parser.c b/parser.c index fffb31c6..9fbd5466 100644 --- a/parser.c +++ b/parser.c @@ -12994,6 +12994,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, xmlNodePtr content = NULL; xmlNodePtr last = NULL; xmlParserErrors ret = XML_ERR_OK; + xmlHashedString hprefix, huri; unsigned i; if (((oldctxt->depth > 40) && ((oldctxt->options & XML_PARSE_HUGE) == 0)) || @@ -13030,9 +13031,17 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, * Making entities and namespaces work correctly requires additional * changes, see xmlParseReference. */ + + /* Default namespace */ + hprefix.name = NULL; + hprefix.hashValue = 0; + huri.name = xmlParserNsLookupUri(oldctxt, &hprefix); + huri.hashValue = 0; + if (huri.name != NULL) + xmlParserNsPush(ctxt, NULL, &huri, NULL, 0); + for (i = 0; i < oldctxt->nsdb->hashSize; i++) { xmlParserNsBucket *bucket = &oldctxt->nsdb->hash[i]; - xmlHashedString hprefix, huri; const xmlChar **ns; xmlParserNsExtra *extra; unsigned nsIndex; @@ -13048,8 +13057,8 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, huri.name = ns[1]; huri.hashValue = extra->uriHashValue; /* - * Don't copy SAX data top avoid a use-after-free in reader - * mode. This matches the pre-2.12 behavior. + * Don't copy SAX data to avoid a use-after-free with XML reader. + * This matches the pre-2.12 behavior. */ xmlParserNsPush(ctxt, &hprefix, &huri, NULL, 0); } diff --git a/result/noent/ns-ent.xml b/result/noent/ns-ent.xml index 08610b1f..2d02e3dd 100644 --- a/result/noent/ns-ent.xml +++ b/result/noent/ns-ent.xml @@ -1,8 +1,11 @@ "> +"> +"> ]> - - + + + + diff --git a/result/noent/ns-ent.xml.sax2 b/result/noent/ns-ent.xml.sax2 index b1d8e761..7fe00ae1 100644 --- a/result/noent/ns-ent.xml.sax2 +++ b/result/noent/ns-ent.xml.sax2 @@ -1,24 +1,40 @@ SAX.setDocumentLocator() SAX.startDocument() SAX.internalSubset(doc, , ) -SAX.entityDecl(ent, 1, (null), (null), ) -SAX.getEntity(ent) +SAX.entityDecl(ent1, 1, (null), (null), ) +SAX.getEntity(ent1) +SAX.entityDecl(ent2, 1, (null), (null), ) +SAX.getEntity(ent2) SAX.externalSubset(doc, , ) SAX.startElementNs(doc, NULL, NULL, 0, 0, 0) SAX.characters( , 5) -SAX.startElementNs(c1, NULL, NULL, 1, xmlns:ns='urn:ns1', 0, 0) -SAX.getEntity(ent) -SAX.startElementNs(elem, ns, 'urn:ns1', 0, 0, 0) -SAX.endElementNs(elem, ns, 'urn:ns1') -SAX.endElementNs(c1, NULL, NULL) +SAX.startElementNs(a, NULL, 'urn:a', 1, xmlns='urn:a', 0, 0) +SAX.getEntity(ent1) +SAX.startElementNs(elem, NULL, 'urn:a', 0, 0, 0) +SAX.endElementNs(elem, NULL, 'urn:a') +SAX.endElementNs(a, NULL, 'urn:a') SAX.characters( , 5) -SAX.startElementNs(c2, NULL, NULL, 1, xmlns:ns='urn:ns2', 0, 0) -SAX.getEntity(ent) -SAX.startElementNs(elem, ns, 'urn:ns2', 0, 0, 0) -SAX.endElementNs(elem, ns, 'urn:ns2') -SAX.endElementNs(c2, NULL, NULL) +SAX.startElementNs(b, NULL, 'urn:b', 1, xmlns='urn:b', 0, 0) +SAX.getEntity(ent1) +SAX.startElementNs(elem, NULL, 'urn:b', 0, 0, 0) +SAX.endElementNs(elem, NULL, 'urn:b') +SAX.endElementNs(b, NULL, 'urn:b') +SAX.characters( + , 5) +SAX.startElementNs(a, NULL, NULL, 1, xmlns:ns='urn:a', 0, 0) +SAX.getEntity(ent2) +SAX.startElementNs(elem, ns, 'urn:a', 0, 0, 0) +SAX.endElementNs(elem, ns, 'urn:a') +SAX.endElementNs(a, NULL, NULL) +SAX.characters( + , 5) +SAX.startElementNs(b, NULL, NULL, 1, xmlns:ns='urn:b', 0, 0) +SAX.getEntity(ent2) +SAX.startElementNs(elem, ns, 'urn:b', 0, 0, 0) +SAX.endElementNs(elem, ns, 'urn:b') +SAX.endElementNs(b, NULL, NULL) SAX.characters( , 1) SAX.endElementNs(doc, NULL, NULL) diff --git a/result/ns-ent.xml b/result/ns-ent.xml index 3df3fbfd..94f89b17 100644 --- a/result/ns-ent.xml +++ b/result/ns-ent.xml @@ -1,8 +1,11 @@ "> +"> +"> ]> - &ent; - &ent; + &ent1; + &ent1; + &ent2; + &ent2; diff --git a/result/ns-ent.xml.rde b/result/ns-ent.xml.rde index 02372464..0b79eaa8 100644 --- a/result/ns-ent.xml.rde +++ b/result/ns-ent.xml.rde @@ -2,14 +2,24 @@ 0 1 doc 0 0 1 14 #text 0 1 -1 1 c1 0 0 +1 1 a 0 0 2 1 elem 1 0 -1 15 c1 0 0 +1 15 a 0 0 1 14 #text 0 1 -1 1 c2 0 0 +1 1 b 0 0 2 1 elem 1 0 -1 15 c2 0 0 +1 15 b 0 0 +1 14 #text 0 1 + +1 1 a 0 0 +2 1 elem 1 0 +1 15 a 0 0 +1 14 #text 0 1 + +1 1 b 0 0 +2 1 elem 1 0 +1 15 b 0 0 1 14 #text 0 1 0 15 doc 0 0 diff --git a/result/ns-ent.xml.rdr b/result/ns-ent.xml.rdr index aaad6531..88bcf472 100644 --- a/result/ns-ent.xml.rdr +++ b/result/ns-ent.xml.rdr @@ -2,14 +2,24 @@ 0 1 doc 0 0 1 14 #text 0 1 -1 1 c1 0 0 -2 5 ent 0 0 -1 15 c1 0 0 +1 1 a 0 0 +2 5 ent1 0 0 +1 15 a 0 0 1 14 #text 0 1 -1 1 c2 0 0 -2 5 ent 0 0 -1 15 c2 0 0 +1 1 b 0 0 +2 5 ent1 0 0 +1 15 b 0 0 +1 14 #text 0 1 + +1 1 a 0 0 +2 5 ent2 0 0 +1 15 a 0 0 +1 14 #text 0 1 + +1 1 b 0 0 +2 5 ent2 0 0 +1 15 b 0 0 1 14 #text 0 1 0 15 doc 0 0 diff --git a/result/ns-ent.xml.sax b/result/ns-ent.xml.sax index c32b6978..98b63fcd 100644 --- a/result/ns-ent.xml.sax +++ b/result/ns-ent.xml.sax @@ -1,26 +1,44 @@ SAX.setDocumentLocator() SAX.startDocument() SAX.internalSubset(doc, , ) -SAX.entityDecl(ent, 1, (null), (null), ) -SAX.getEntity(ent) +SAX.entityDecl(ent1, 1, (null), (null), ) +SAX.getEntity(ent1) +SAX.entityDecl(ent2, 1, (null), (null), ) +SAX.getEntity(ent2) SAX.externalSubset(doc, , ) SAX.startElement(doc) SAX.characters( , 5) -SAX.startElement(c1, xmlns:ns='urn:ns1') -SAX.getEntity(ent) -SAX.startElement(ns:elem) -SAX.endElement(ns:elem) -SAX.reference(ent) -SAX.endElement(c1) +SAX.startElement(a, xmlns='urn:a') +SAX.getEntity(ent1) +SAX.startElement(elem) +SAX.endElement(elem) +SAX.reference(ent1) +SAX.endElement(a) SAX.characters( , 5) -SAX.startElement(c2, xmlns:ns='urn:ns2') -SAX.getEntity(ent) +SAX.startElement(b, xmlns='urn:b') +SAX.getEntity(ent1) +SAX.startElement(elem) +SAX.endElement(elem) +SAX.reference(ent1) +SAX.endElement(b) +SAX.characters( + , 5) +SAX.startElement(a, xmlns:ns='urn:a') +SAX.getEntity(ent2) SAX.startElement(ns:elem) SAX.endElement(ns:elem) -SAX.reference(ent) -SAX.endElement(c2) +SAX.reference(ent2) +SAX.endElement(a) +SAX.characters( + , 5) +SAX.startElement(b, xmlns:ns='urn:b') +SAX.getEntity(ent2) +SAX.startElement(ns:elem) +SAX.endElement(ns:elem) +SAX.reference(ent2) +SAX.endElement(b) SAX.characters( , 1) SAX.endElement(doc) diff --git a/result/ns-ent.xml.sax2 b/result/ns-ent.xml.sax2 index 582dcc42..25106c41 100644 --- a/result/ns-ent.xml.sax2 +++ b/result/ns-ent.xml.sax2 @@ -1,26 +1,44 @@ SAX.setDocumentLocator() SAX.startDocument() SAX.internalSubset(doc, , ) -SAX.entityDecl(ent, 1, (null), (null), ) -SAX.getEntity(ent) +SAX.entityDecl(ent1, 1, (null), (null), ) +SAX.getEntity(ent1) +SAX.entityDecl(ent2, 1, (null), (null), ) +SAX.getEntity(ent2) SAX.externalSubset(doc, , ) SAX.startElementNs(doc, NULL, NULL, 0, 0, 0) SAX.characters( , 5) -SAX.startElementNs(c1, NULL, NULL, 1, xmlns:ns='urn:ns1', 0, 0) -SAX.getEntity(ent) -SAX.startElementNs(elem, ns, 'urn:ns1', 0, 0, 0) -SAX.endElementNs(elem, ns, 'urn:ns1') -SAX.reference(ent) -SAX.endElementNs(c1, NULL, NULL) +SAX.startElementNs(a, NULL, 'urn:a', 1, xmlns='urn:a', 0, 0) +SAX.getEntity(ent1) +SAX.startElementNs(elem, NULL, 'urn:a', 0, 0, 0) +SAX.endElementNs(elem, NULL, 'urn:a') +SAX.reference(ent1) +SAX.endElementNs(a, NULL, 'urn:a') SAX.characters( , 5) -SAX.startElementNs(c2, NULL, NULL, 1, xmlns:ns='urn:ns2', 0, 0) -SAX.getEntity(ent) -SAX.startElementNs(elem, ns, 'urn:ns2', 0, 0, 0) -SAX.endElementNs(elem, ns, 'urn:ns2') -SAX.reference(ent) -SAX.endElementNs(c2, NULL, NULL) +SAX.startElementNs(b, NULL, 'urn:b', 1, xmlns='urn:b', 0, 0) +SAX.getEntity(ent1) +SAX.startElementNs(elem, NULL, 'urn:b', 0, 0, 0) +SAX.endElementNs(elem, NULL, 'urn:b') +SAX.reference(ent1) +SAX.endElementNs(b, NULL, 'urn:b') +SAX.characters( + , 5) +SAX.startElementNs(a, NULL, NULL, 1, xmlns:ns='urn:a', 0, 0) +SAX.getEntity(ent2) +SAX.startElementNs(elem, ns, 'urn:a', 0, 0, 0) +SAX.endElementNs(elem, ns, 'urn:a') +SAX.reference(ent2) +SAX.endElementNs(a, NULL, NULL) +SAX.characters( + , 5) +SAX.startElementNs(b, NULL, NULL, 1, xmlns:ns='urn:b', 0, 0) +SAX.getEntity(ent2) +SAX.startElementNs(elem, ns, 'urn:b', 0, 0, 0) +SAX.endElementNs(elem, ns, 'urn:b') +SAX.reference(ent2) +SAX.endElementNs(b, NULL, NULL) SAX.characters( , 1) SAX.endElementNs(doc, NULL, NULL) diff --git a/test/ns-ent.xml b/test/ns-ent.xml index 5ff11678..f81fdfc4 100644 --- a/test/ns-ent.xml +++ b/test/ns-ent.xml @@ -1,7 +1,10 @@ "> + "> + "> ]> - &ent; - &ent; + &ent1; + &ent1; + &ent2; + &ent2;