authorNick Wellnhofer <wellnhofer@aevum.de>2023-03-12 17:40:55 +0100
committerNick Wellnhofer <wellnhofer@aevum.de>2023-03-12 17:40:55 +0100
commitbd63d730b80308faece87ede04c200bba1dddc5d (patch)
tree5e52a250018d7a14848af74e3db61e965275ca96
parent3eb6bf03869b449bbe990efe7e5101457d40f36e (diff)
downloadlibxml2-bd63d730b80308faece87ede04c200bba1dddc5d.tar.gz
html: Impose some length limits
Impose length limits on names, attribute values, PIs and comments, similar to the XML parser.
-rw-r--r--HTMLparser.c36
-rw-r--r--include/libxml/parserInternals.h7
-rw-r--r--parser.c2
3 files changed, 43 insertions, 2 deletions
diff --git a/HTMLparser.c b/HTMLparser.c
index 76934ce9..38caa10d 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -2671,6 +2671,9 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
int len = 0, l;
int c;
int count = 0;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_TEXT_LENGTH :
+ XML_MAX_NAME_LENGTH;
const xmlChar *base = ctxt->input->base;
/*
@@ -2695,6 +2698,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
GROW;
}
len += l;
+ if (len > maxLength) {
+ htmlParseErr(ctxt, XML_ERR_NAME_TOO_LONG, "name too long", NULL, NULL);
+ return(NULL);
+ }
NEXTL(l);
c = CUR_CHAR(l);
if (ctxt->input->base != base) {
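Review bot: The new message `"name too long"` has no trailing newline, while the other messages visible on this page (`"Invalid char in comment 0x%X\n"` and the added `"attribute value too long\n"`) end with one; the same applies to `"PI %s too long"` in the htmlParsePI hunk and `"comment too long"` in the htmlParseComment hunk. With an error handler that prints the text as given, consecutive diagnostics would run together on one line, which makes limit hits harder to pick out of logs. I would write `htmlParseErr(ctxt, XML_ERR_NAME_TOO_LONG, "name too long\n", NULL, NULL);` and do the same in the other two places. htmlParseNameComplex starts and ends outside this hunk.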
@@ -2732,6 +2739,9 @@ static xmlChar *
htmlParseHTMLAttribute(htmlParserCtxtPtr ctxt, const xmlChar stop) {
xmlChar *buffer = NULL;
int buffer_size = 0;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
xmlChar *out = NULL;
const xmlChar *name = NULL;
const xmlChar *cur = NULL;
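Review bot: The limit selection `(ctxt->options & XML_PARSE_HUGE) ? XML_MAX_HUGE_LENGTH : XML_MAX_TEXT_LENGTH` is written out here and again, identically, in the htmlParsePI and htmlParseComment hunks. These caps are what bound buffer growth on untrusted input, so a single definition is easier to audit and keeps the three from drifting apart. A file-local macro would do, for example `#define HTML_MAX_VALUE_LENGTH(ctxt) (((ctxt)->options & XML_PARSE_HUGE) ? XML_MAX_HUGE_LENGTH : XML_MAX_TEXT_LENGTH)` (the name is only a suggestion). A one-line comment saying the limit is counted in bytes of the output buffer (`out - buffer` on `xmlChar *`) would also help; the function body continues outside the hunk.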
@@ -2851,6 +2861,12 @@ htmlParseHTMLAttribute(htmlParserCtxtPtr ctxt, const xmlChar stop) {
}
NEXT;
}
+ if (out - buffer > maxLength) {
+ htmlParseErr(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "attribute value too long\n", NULL, NULL);
+ xmlFree(buffer);
+ return(NULL);
+ }
}
*out = 0;
return(buffer);
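Review bot: The length-limit branch reports `XML_ERR_ATTRIBUTE_NOT_FINISHED`, which by its name is the code for an attribute cut short, so a consumer that inspects the error code cannot tell a resource-limit hit from truncated markup; the name path in htmlParseNameComplex uses the specific `XML_ERR_NAME_TOO_LONG`. The htmlParsePI and htmlParseComment hunks do the same with `XML_ERR_PI_NOT_FINISHED` and `XML_ERR_COMMENT_NOT_FINISHED`. If no dedicated code is available, a comment at each site such as `/* length limit exceeded, not end of input; error code reused */` would record the intent. The check also runs after the current iteration's bytes have been written, so the buffer can pass maxLength by one iteration's output before it is freed; the growth logic earlier in the loop is outside this hunk and should be confirmed to leave room for that.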
@@ -3345,6 +3361,9 @@ htmlParsePI(htmlParserCtxtPtr ctxt) {
int len = 0;
int size = HTML_PARSER_BUFFER_SIZE;
int cur, l;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
const xmlChar *target;
xmlParserInputState state;
int count = 0;
@@ -3416,6 +3435,13 @@ htmlParsePI(htmlParserCtxtPtr ctxt) {
"Invalid char in processing instruction "
"0x%X\n", cur);
}
+ if (len > maxLength) {
+ htmlParseErr(ctxt, XML_ERR_PI_NOT_FINISHED,
+ "PI %s too long", target, NULL);
+ xmlFree(buf);
+ ctxt->instate = state;
+ return;
+ }
NEXTL(l);
cur = CUR_CHAR(l);
if (cur == 0) {
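Review bot: On the limit path the function frees `buf`, restores `ctxt->instate` and returns before `NEXTL(l)`, so the input position is left in the middle of the processing instruction; the added branch in the htmlParseComment hunk does the same inside a comment. Unless the caller stops parsing after this error (not visible here), the remaining bytes of the PI or comment would be tokenized as ordinary content, which matters for applications that build a sanitized tree from untrusted HTML and treat comment text as inert. I would either skip input up to the closing delimiter before returning or halt the parser on this error, and add a comment saying which behaviour is intended, e.g. `/* limit hit: remaining PI bytes are re-parsed as content by the caller */`. Both functions begin and end outside their hunks.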
@@ -3465,6 +3491,9 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
int r, rl;
int cur, l;
int next, nl;
+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
+ XML_MAX_HUGE_LENGTH :
+ XML_MAX_TEXT_LENGTH;
xmlParserInputState state;
/*
@@ -3541,6 +3570,13 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
"Invalid char in comment 0x%X\n", q);
}
+ if (len > maxLength) {
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "comment too long", NULL, NULL);
+ xmlFree(buf);
+ ctxt->instate = state;
+ return;
+ }
q = r;
ql = rl;
diff --git a/include/libxml/parserInternals.h b/include/libxml/parserInternals.h
index 55d6527d..ce8dbd1f 100644
--- a/include/libxml/parserInternals.h
+++ b/include/libxml/parserInternals.h
@@ -41,6 +41,13 @@ XMLPUBVAR unsigned int xmlParserMaxDepth;
#define XML_MAX_TEXT_LENGTH 10000000
/**
+ * XML_MAX_HUGE_LENGTH:
+ *
+ * Maximum size allowed when XML_PARSE_HUGE is set.
+ */
+#define XML_MAX_HUGE_LENGTH 1000000000
+
+/**
* XML_MAX_NAME_LENGTH:
*
* Maximum size allowed for a markup identifier.
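Review bot: The doc comment for `XML_MAX_HUGE_LENGTH` does not say what unit the limit is in or what type it is compared against; in HTMLparser.c it is assigned to `int maxLength` and compared with `int len` and with `out - buffer`. At 1000000000 the value fits a 32-bit int but leaves limited headroom, so any buffer that grows by doubling an `int` size near this limit (growth code is not shown on this page) should be checked against overflow. I would extend the comment to something like `Maximum size in bytes allowed when XML_PARSE_HUGE is set; must stay well below INT_MAX because lengths are held in int.` Moving the macro from parser.c into a header under include/libxml/ also makes it visible to library users, which is worth a deliberate decision.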
diff --git a/parser.c b/parser.c
index 6a957fed..a44a1fd5 100644
--- a/parser.c
+++ b/parser.c
@@ -114,8 +114,6 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
* *
************************************************************************/
-#define XML_MAX_HUGE_LENGTH 1000000000
-
#define XML_PARSER_BIG_ENTITY 1000
#define XML_PARSER_LOT_ENTITY 5000