authorRhodri James <rhodri@wildebeest.org.uk>2022-07-22 14:52:14 +0100
committerSebastian Pipping <sebastian@pipping.org>2022-09-21 00:27:33 +0200
commitc697c3ed6e70656765a34be973aebf36f3260224 (patch)
tree4cdeef353b343f8d29ff1d3c0272b8528f3ddb17 /expat
parentb4eecc131ff133e938a875a7263af73b75eb7bfc (diff)
downloadlibexpat-git-c697c3ed6e70656765a34be973aebf36f3260224.tar.gz
Regression test for #612: tempPool corrupt from attribute types.
Attribute type declarations accumulate the type in m_tempPool. When parsing is skipped because of (for example) a missing parameter entity, the accumulated definition is not cleared out as it normally would be, and corrupts the data passed to future handlers. Note this commit leaves the regression tests failing (which is after all what we were trying to prove).
Diffstat (limited to 'expat')
-rw-r--r--expat/tests/runtests.c56
1 files changed, 56 insertions, 0 deletions
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index 938956ac..a8cc1f03 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
@@ -6734,6 +6734,60 @@ START_TEST(test_empty_element_abort) {
}
END_TEST
+/* Regression test for GH issue #612: unfinished m_declAttributeType
+ * allocation in ->m_tempPool can corrupt following allocation.
+ */
+static int XMLCALL
+external_entity_unfinished_attlist(XML_Parser parser, const XML_Char *context,
+ const XML_Char *base,
+ const XML_Char *systemId,
+ const XML_Char *publicId) {
+ const char *text = "<!ELEMENT barf ANY>\n"
+ "<!ATTLIST barf my_attr (blah|%blah;a|foo) #REQUIRED>\n"
+ "<!--COMMENT-->\n";
+ XML_Parser ext_parser;
+
+ UNUSED_P(base);
+ UNUSED_P(publicId);
+ if (systemId == NULL)
+ return XML_STATUS_OK;
+
+ ext_parser = XML_ExternalEntityParserCreate(parser, context, NULL);
+ if (ext_parser == NULL)
+ fail("Could not create external entity parser");
+
+ if (_XML_Parse_SINGLE_BYTES(ext_parser, text, (int)strlen(text), XML_TRUE)
+ == XML_STATUS_ERROR)
+ xml_failure(ext_parser);
+
+ XML_ParserFree(ext_parser);
+ return XML_STATUS_OK;
+}
+
+START_TEST(test_pool_integrity_with_unfinished_attr) {
+ const char *text = "<?xml version='1.0' encoding='UTF-8'?>\n"
+ "<!DOCTYPE foo [\n"
+ "<!ELEMENT foo ANY>\n"
+ "<!ENTITY % entp SYSTEM \"external.dtd\">\n"
+ "%entp;\n"
+ "]>\n"
+ "<a></a>\n";
+ const XML_Char *expected = XCS("COMMENT");
+ CharData storage;
+
+ CharData_Init(&storage);
+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+ XML_SetExternalEntityRefHandler(g_parser, external_entity_unfinished_attlist);
+ XML_SetAttlistDeclHandler(g_parser, dummy_attlist_decl_handler);
+ XML_SetCommentHandler(g_parser, accumulate_comment);
+ XML_SetUserData(g_parser, &storage);
+ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE)
+ == XML_STATUS_ERROR)
+ xml_failure(g_parser);
+ CharData_CheckXMLChars(&storage, expected);
+}
+END_TEST
+
/*
* Namespaces tests.
*/
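Review bot: The test rests on two preconditions that nothing in the new code records, and both are easy to break in a later cleanup: the attlist handler installed by `XML_SetAttlistDeclHandler(g_parser, dummy_attlist_decl_handler);` is not a no-op placeholder but, as far as I can tell from expat's prolog handling, the thing that makes the parser accumulate the attribute type into m_tempPool at all, and the undefined `%blah;` inside the enumeration only causes the rest of the declaration to be skipped silently because the document is non-standalone and XML_PARAM_ENTITY_PARSING_ALWAYS is set. I would put `/* The attlist handler is required: without one the type is never pooled and the bug is not exercised */` above that line, and `/* Undefined %blah; makes the parser abandon this declaration, leaving the half-built type in m_tempPool */` above the `<!ATTLIST` line in the external entity text. The header comment should also state what "corrupt" looks like here — presumably a leaked prefix prepended to the comment text, which is why `CharData_CheckXMLChars(&storage, expected)` is the detector — so that a future change moving comment reporting off m_tempPool does not quietly turn this into a vacuous test.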
@@ -12169,6 +12223,8 @@ make_suite(void) {
tcase_add_test(tc_basic, test_bad_notation);
tcase_add_test(tc_basic, test_default_doctype_handler);
tcase_add_test(tc_basic, test_empty_element_abort);
+ tcase_add_test__ifdef_xml_dtd(tc_basic,
+ test_pool_integrity_with_unfinished_attr);
suite_add_tcase(s, tc_namespace);
tcase_add_checked_fixture(tc_namespace, namespace_setup, namespace_teardown);