Clear entity content in case of errors
This only affects recovery mode and avoids integer overflow in
xmlStringGetNodeList and possibly other nasty surprises.
See bug 783052 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
https://bugs.chromium.org/p/chromium/issues/detail?id=796804
diff --git a/parser.c b/parser.c
index afc4cb1..d1ce8b5 100644
--- a/parser.c
+++ b/parser.c
@@ -149,7 +149,7 @@
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
--ctxt->depth;
- if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
+ if (rep == NULL) {
ent->content[0] = 0;
}
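Review bot: The write `ent->content[0] = 0;` under the new `if (rep == NULL)` test dereferences `ent->content` without the NULL guard that the second hunk adds at line 7192; if the condition leading into this call already rules out a NULL content (it begins above the hunk and is not visible here), a short comment such as `/* content is non-NULL: guaranteed by the enclosing check */` would make that explicit, otherwise the same guard belongs here too. The new test is also wider than the old XML_ERR_ENTITY_LOOP check — any NULL return from xmlStringDecodeEntities, including one caused by an allocation failure, now empties the entity — which matches the commit message but deserves a one-line comment at the branch so the next reader does not narrow it back. Truncating the string in place leaves the entity's cached `length` member describing the old content; if that length is consulted when the entity is later pushed as an input stream, it should be reset alongside the content, here and in the second hunk. The enclosing function starts before and ends after this hunk.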
@@ -7189,6 +7189,8 @@
(ret != XML_WAR_UNDECLARED_ENTITY)) {
xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
"Entity '%s' failed to parse\n", ent->name);
+ if (ent->content != NULL)
+ ent->content[0] = 0;
xmlParserEntityCheck(ctxt, 0, ent, 0);
} else if (list != NULL) {
xmlFreeNodeList(list);
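Review bot: The added `if (ent->content != NULL)` at line 7192 guards a single unbraced statement, whereas the surrounding code and the first hunk brace their if bodies; writing it as `if (ent->content != NULL) {` / `    ent->content[0] = 0;` / `}` keeps the file consistent and avoids the classic trap of a second statement silently falling outside the guard when this spot is edited again. A brief comment on why the content is cleared, e.g. `/* empty the entity so recovery mode never re-expands a partially parsed value */`, would also tie the line to the bug it fixes, since the reason is only in the commit message. The surrounding condition and the else-if chain begin outside the hunk, so I cannot see whether `ent` itself is already known to be non-NULL at this point.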