Author: scantor Date: Fri Jun 10 01:38:34 2016 New Revision: 1747619 URL: http://svn.apache.org/viewvc?rev=1747619&view=rev Log: https://issues.apache.org/jira/browse/XERCESC-2066 https://issues.apache.org/jira/browse/XERCESC-2069
Modified: xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.cpp xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.hpp Modified: xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.cpp URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.cpp?rev=1747619&r1=1747618&r2=1747619&view=diff ============================================================================== --- xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.cpp (original) +++ xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.cpp Fri Jun 10 01:38:34 2016 @@ -44,6 +44,8 @@ XERCES_CPP_NAMESPACE_BEGIN +#define CONTENTSPEC_DEPTH_LIMIT 1000 + // --------------------------------------------------------------------------- // Local methods // --------------------------------------------------------------------------- @@ -1038,8 +1040,13 @@ bool DTDScanner::scanCharRef(XMLCh& firs ContentSpecNode* -DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse) +DTDScanner::scanChildren(const DTDElementDecl& elemDecl, XMLBuffer& bufToUse, unsigned int& depth) { + if (depth++ > CONTENTSPEC_DEPTH_LIMIT) { + fScanner->emitError(XMLErrs::UnterminatedDOCTYPE); + return 0; + } + // Check for a PE ref here, but don't require spaces checkForPERef(false, true); @@ -1240,7 +1247,7 @@ DTDScanner::scanChildren(const DTDElemen // Recurse to handle this new guy ContentSpecNode* subNode; try { - subNode = scanChildren(elemDecl, bufToUse); + subNode = scanChildren(elemDecl, bufToUse, depth); } catch (const XMLErrs::Codes) { @@ -1577,7 +1584,8 @@ bool DTDScanner::scanContentSpec(DTDElem // toFill.setModelType(DTDElementDecl::Children); XMLBufBid bbTmp(fBufMgr); - ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer()); + unsigned int depth = 0; + ContentSpecNode* resNode = scanChildren(toFill, bbTmp.getBuffer(), depth); status = (resNode != 0); if (status) toFill.setContentSpec(resNode); @@ -2509,7 +2517,15 @@ void DTDScanner::scanExtSubsetDecl(const { while (true) { - const XMLCh nextCh = fReaderMgr->peekNextChar(); + XMLCh nextCh; + + try { + nextCh = fReaderMgr->peekNextChar(); + } + catch (XMLException& ex) { + fScanner->emitError(XMLErrs::XMLException_Fatal, ex.getCode(), ex.getMessage(), NULL, NULL); + nextCh = chNull; + } if (!nextCh) { Modified: xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.hpp URL: http://svn.apache.org/viewvc/xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.hpp?rev=1747619&r1=1747618&r2=1747619&view=diff ============================================================================== --- xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.hpp (original) +++ xerces/c/branches/xerces-3.1/src/xercesc/validators/DTD/DTDScanner.hpp Fri Jun 10 01:38:34 2016 @@ -143,6 +143,7 @@ private: ( const DTDElementDecl& elemDecl , XMLBuffer& bufToUse + , unsigned int& depth ); bool scanCharRef(XMLCh& toFill, XMLCh& second); void scanComment(); --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@xerces.apache.org For additional commands, e-mail: commits-h...@xerces.apache.org