parser: Fix entity check in attributes

Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable. This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.
2025-03-28 21:33:13 +00:00 · 2023-01-17 13:50:51 +01:00 · 2023-01-17 13:50:51 +01:00 · d320a683d1
commit d320a683d1
parent 59b3366178
5 changed files with 35 additions and 2 deletions
--- a/parser.c
+++ b/parser.c
@ -4091,8 +4091,16 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
                                    /* check */ 1);
                            --ctxt->depth;

-                            ent->flags |= XML_ENT_CHECKED;
-                            ent->expandedSize = ctxt->sizeentcopy;
+                            /*
+                             * If we're parsing DTD content, the entity
+                             * might reference other entities which
+                             * weren't defined yet, so the check isn't
+                             * reliable.
+                             */
+                            if (ctxt->inSubset == 0) {
+                                ent->flags |= XML_ENT_CHECKED;
+                                ent->expandedSize = ctxt->sizeentcopy;
+                            }

                            if (rep != NULL) {
                                xmlFree(rep);
--- a/result/errors/rec_att_default.xml.ent
+++ b/result/errors/rec_att_default.xml.ent
@ -0,0 +1,6 @@
+./test/errors/rec_att_default.xml:3: parser error : Entity 'b' not defined
+  <!ATTLIST x y CDATA "&a;">
+                          ^
+./test/errors/rec_att_default.xml:6: parser error : Detected an entity reference loop
+<doc attr="&a;"/>
+              ^
--- a/result/errors/rec_att_default.xml.err
+++ b/result/errors/rec_att_default.xml.err
@ -0,0 +1,6 @@
+./test/errors/rec_att_default.xml:3: parser error : Entity 'b' not defined
+  <!ATTLIST x y CDATA "&a;">
+                          ^
+./test/errors/rec_att_default.xml:6: parser error : Detected an entity reference loop
+<doc attr="&a;"/>
+              ^
--- a/result/errors/rec_att_default.xml.str
+++ b/result/errors/rec_att_default.xml.str
@ -0,0 +1,7 @@
+./test/errors/rec_att_default.xml:3: parser error : Entity 'b' not defined
+  <!ATTLIST x y CDATA "&a;">
+                          ^
+./test/errors/rec_att_default.xml:6: parser error : Detected an entity reference loop
+<doc attr="&a;"/>
+              ^
+./test/errors/rec_att_default.xml : failed to parse
--- a/test/errors/rec_att_default.xml
+++ b/test/errors/rec_att_default.xml
@ -0,0 +1,6 @@
+<!DOCTYPE doc SYSTEM "N" [
+  <!ENTITY a "&b;">
+  <!ATTLIST x y CDATA "&a;">
+  <!ENTITY b "&a;">
+]>
+<doc attr="&a;"/>