commit 60dded12cbf1705927803c5ed615a7a0132aebbd
author Nick Wellnhofer <wellnhofer@aevum.de> Mon Jan 22 15:04:58 2018 +0100
committer Nick Wellnhofer <wellnhofer@aevum.de> Mon Jan 22 15:23:22 2018 +0100
tree d956e68bea014ee442683293322cccac7d8e2411
parent 6e6ae5daa6cd9640c9a83c1070896273e9b30d14

Clear entity content in case of errors

This only affects recovery mode and avoids integer overflow in
xmlStringGetNodeList and possibly other nasty surprises.

See bug 783052 and

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
https://bugs.chromium.org/p/chromium/issues/detail?id=796804

parser.c

diff --git a/parser.c b/parser.c
index afc4cb1..d1ce8b5 100644
--- a/parser.c
+++ b/parser.c
@@ -149,7 +149,7 @@
 	rep = xmlStringDecodeEntities(ctxt, ent->content,
 				  XML_SUBSTITUTE_REF, 0, 0, 0);
         --ctxt->depth;
-	if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
+	if (rep == NULL) {
 	    ent->content[0] = 0;
 	}
 
@@ -7189,6 +7189,8 @@
 		   (ret != XML_WAR_UNDECLARED_ENTITY)) {
 	    xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
 		     "Entity '%s' failed to parse\n", ent->name);
+            if (ent->content != NULL)
+                ent->content[0] = 0;
 	    xmlParserEntityCheck(ctxt, 0, ent, 0);
 	} else if (list != NULL) {
 	    xmlFreeNodeList(list);