From .
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
From: Peter Simons
Date: Thu, 14 Apr 2016 16:15:13 +0200
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024 recursions to avoid CVE-2016-3627
This patch prevents stack overflows like the one reported in https://bugzilla.gnome.org/show_bug.cgi?id=762100.
---
 tree.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
Index: libxml2-2.9.3/tree.c
===================================================================
--- libxml2-2.9.3.orig/tree.c
+++ libxml2-2.9.3/tree.c
@@ -1464,6 +1464,8 @@ out:
 return(ret);
 }
 
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
+
 /**
 * xmlStringGetNodeList:
 * @doc: the document
@@ -1475,6 +1477,12 @@ out:
 */
 xmlNodePtr
 xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
+ return xmlStringGetNodeListInternal(doc, value, 0);
+ }
+
+xmlNodePtr
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
+
 xmlNodePtr ret = NULL, last = NULL;
 xmlNodePtr node;
 xmlChar *val;
@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
 xmlEntityPtr ent;
 xmlBufPtr buf;
 
+ if (recursionLevel > 1024) return(NULL);
+
 if (value == NULL) return(NULL);
 
 buf = xmlBufCreateSize(0);
@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
 else if ((ent != NULL) && (ent->children == NULL)) {
 xmlNodePtr temp;
 
- ent->children = xmlStringGetNodeList(doc,
- (const xmlChar*)node->content);
+ ent->children = xmlStringGetNodeListInternal(doc,
+ (const xmlChar*)node->content,
+ recursionLevel+1);
 ent->owner = 1;
 temp = ent->children;
 while (temp) {
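Review bot: The definition of xmlStringGetNodeListInternal in the second hunk (-1475) omits the `static` that its forward declaration in the first hunk carries. C still gives it internal linkage, but someone reading only the definition would take it for an exported symbol, so write `static xmlNodePtr` there as well. The helper also has no comment of its own, since the existing doc block now describes the public wrapper; a short comment above it should say that recursionLevel counts nested entity expansions and that NULL is returned once the cap is exceeded. The wrapper's closing brace (`+ }`) appears to be indented, unlike the other function-closing braces visible in the file. The helper's body continues outside this hunk.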
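Review bot: The cap in `if (recursionLevel > 1024) return(NULL);` (third hunk, -1483) is a bare literal with no comment tying it to the stack exhaustion it guards against. Give it a name and a one-line rationale, for example `#define XML_NODELIST_MAX_DEPTH 1024 /* bound entity-expansion recursion */` (name constructed for illustration), and test against that. With `>` the function accepts levels 0 through 1024; whether that matches the "1024 recursions" in the subject depends on whether the outermost call is counted, and the comment should say which is intended. The guard runs before the allocation visible in this hunk, so the early return does not leak that buffer; the function body continues outside the hunk.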
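Review bot: When the cap is reached (fourth hunk, -1593), the NULL from the inner call is stored in `ent->children` and `ent->owner = 1` still runs, so the caller gets a tree that silently omits the nested entity content. That result looks the same as an entity with empty content, which matters to any consumer that validates or compares the parsed tree against the input. Consider reporting the depth-exceeded condition through whatever error-reporting path tree.c already uses, rather than returning NULL without a diagnostic. Because `ent->children` stays NULL, the same entity will presumably be expanded again on its next reference, so the cap bounds stack depth but not repeated work. The enclosing branch and the `while (temp)` loop continue outside the hunk.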