From d320a683d14669cd2426245767fd944e68564cda Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Tue, 17 Jan 2023 13:50:51 +0100
Subject: [PATCH] parser: Fix entity check in attributes

Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable. This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.
---
 parser.c | 12 ++++++++++--
 result/errors/rec_att_default.xml.ent | 6 ++++++
 result/errors/rec_att_default.xml.err | 6 ++++++
 result/errors/rec_att_default.xml.str | 7 +++++++
 test/errors/rec_att_default.xml | 6 ++++++
 5 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 result/errors/rec_att_default.xml.ent
 create mode 100644 result/errors/rec_att_default.xml.err
 create mode 100644 result/errors/rec_att_default.xml.str
 create mode 100644 test/errors/rec_att_default.xml
diff --git a/parser.c b/parser.c
index 28b95200..ea4202ff 100644
--- a/parser.c
+++ b/parser.c
@@ -4091,8 +4091,16 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
 /* check */ 1);
 --ctxt->depth;
- ent->flags |= XML_ENT_CHECKED;
- ent->expandedSize = ctxt->sizeentcopy;
+ /*
+ * If we're parsing DTD content, the entity
+ * might reference other entities which
+ * weren't defined yet, so the check isn't
+ * reliable.
+ */
+ if (ctxt->inSubset == 0) {
+ ent->flags |= XML_ENT_CHECKED;
+ ent->expandedSize = ctxt->sizeentcopy;
+ }
 if (rep != NULL) {
 xmlFree(rep);
diff --git a/result/errors/rec_att_default.xml.ent b/result/errors/rec_att_default.xml.ent
new file mode 100644
index 00000000..375a0d65
--- /dev/null
+++ b/result/errors/rec_att_default.xml.ent
@@ -0,0 +1,6 @@
+./test/errors/rec_att_default.xml:3: parser error : Entity 'b' not defined
+
+ ^
+./test/errors/rec_att_default.xml:6: parser error : Detected an entity reference loop
+
+ ^
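Review bot: The new guard `if (ctxt->inSubset == 0)` leaves an entity referenced from a DTD default value both unflagged and with `expandedSize` unset, and the comment above it explains only why the check is unreliable there, not what happens instead; the commit message says the entity is checked again later (in xmlStringGetNodeList), but a reader of parser.c sees neither that nor that the `--ctxt->depth` recursion bound is what keeps the repeated checks from running away. Suggest extending the comment block with `* Leave the entity unmarked so that it is checked again when it is expanded outside the DTD.` Presumably this also means every DTD-time reference to such an entity repeats the full recursive check, which looks acceptable for DTD-sized content but is worth stating next to the guard. xmlParseAttValueComplex's body begins and ends outside this hunk, so the surrounding handling of `rep` and `ent` could not be reviewed.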
diff --git a/result/errors/rec_att_default.xml.err b/result/errors/rec_att_default.xml.err
new file mode 100644
index 00000000..375a0d65
--- /dev/null
+++ b/result/errors/rec_att_default.xml.err
@@ -0,0 +1,6 @@
+./test/errors/rec_att_default.xml:3: parser error : Entity 'b' not defined
+
+ ^
+./test/errors/rec_att_default.xml:6: parser error : Detected an entity reference loop
+
+ ^
diff --git a/result/errors/rec_att_default.xml.str b/result/errors/rec_att_default.xml.str
new file mode 100644
index 00000000..11e6556b
--- /dev/null
+++ b/result/errors/rec_att_default.xml.str
@@ -0,0 +1,7 @@
+./test/errors/rec_att_default.xml:3: parser error : Entity 'b' not defined
+
+ ^
+./test/errors/rec_att_default.xml:6: parser error : Detected an entity reference loop
+
+ ^
+./test/errors/rec_att_default.xml : failed to parse
diff --git a/test/errors/rec_att_default.xml b/test/errors/rec_att_default.xml
new file mode 100644
index 00000000..9a336008
--- /dev/null
+++ b/test/errors/rec_att_default.xml
@@ -0,0 +1,6 @@
+
+
+
+]>
+