author | Nikias Bassen | 2016-12-21 02:36:34 +0100 |
---|---|---|
committer | Nikias Bassen | 2016-12-21 02:36:34 +0100 |
commit | 793228208a6523bdbe434ed536c5669e4bb04f7c (patch) | |
tree | 413322a8689cf5110934aad609abeceac7981896 | |
parent | d18c8cb6bdc07d6eb04d8fccdeed4dcd32486876 (diff) | |
download | libplist-793228208a6523bdbe434ed536c5669e4bb04f7c.tar.gz libplist-793228208a6523bdbe434ed536c5669e4bb04f7c.tar.bz2 |
xplist: Make sure to stop parsing on entity errors
-rw-r--r-- | src/xplist.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/src/xplist.c b/src/xplist.c
index 1fc3fc1..250b623 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -624,7 +624,7 @@ static text_part_t* get_text_parts(parse_ctx ctx, const char* tag, size_t tag_le
 return parts;
 }
-static void unescape_entities(char *str, size_t *length)
+static int unescape_entities(char *str, size_t *length)
 {
 size_t i = 0;
 size_t len = *length;
@@ -655,24 +655,24 @@ static void unescape_entities(char *str, size_t *length)
 char* ep = NULL;
 if (entlen > 8) {
 PLIST_XML_ERR("Invalid numerical character reference encountered, sequence too long: &%.*s;\n", entlen, entp);
- return;
+ return -1;
 }
 if (*(entp+1) == 'x' || *(entp+1) == 'X') {
 if (entlen < 3) {
 PLIST_XML_ERR("Invalid numerical character reference encountered, sequence too short: &%.*s;\n", entlen, entp);
- return;
+ return -1;
 }
 val = strtoull(entp+2, &ep, 16);
 } else {
 if (entlen < 2) {
 PLIST_XML_ERR("Invalid numerical character reference encountered, sequence too short: &%.*s;\n", entlen, entp);
- return;
+ return -1;
 }
 val = strtoull(entp+1, &ep, 10);
 }
 if (val == 0 || val > 0x10FFFF || ep-entp != entlen) {
 PLIST_XML_ERR("Invalid numerical character reference found: &%.*s;\n", entlen, entp);
- return;
+ return -1;
 }
 /* convert to UTF8 */
 if (val >= 0x10000) {
@@ -699,7 +699,7 @@ static void unescape_entities(char *str, size_t *length)
 }
 } else {
 PLIST_XML_ERR("Invalid entity encountered: &%.*s;\n", entlen, entp);
- return;
+ return -1;
 }
 memmove(entp, str+i+1, len - i);
 i -= entlen;
@@ -710,6 +710,7 @@ static void unescape_entities(char *str, size_t *length)
 i++;
 }
 *length = len;
+ return 0;
 }
 static char* text_parts_get_content(text_part_t *tp, int unesc_entities, size_t *length, int *requires_free)
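Review bot: The new `int` return of `unescape_entities` has no comment stating its contract, at the changed signature in the first hunk. Every error path returns -1 before `*length = len` is reached, while the `memmove` in the loop may already have rewritten part of `str` in place, so on failure the buffer can be partially unescaped and `*length` still holds the caller's original value. I would add above the signature: `/* Returns 0 on success, -1 on an invalid entity; on failure str may be partially rewritten and *length is unchanged, so the caller must discard the buffer. */`. The function body continues outside this hunk.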
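Review bot: The range check `val == 0 || val > 0x10FFFF` in the second hunk still accepts the surrogate range 0xD800–0xDFFF, which XML does not permit as a character reference and which has no well-formed UTF-8 encoding. If the conversion that follows (outside the hunk) encodes `val` directly, such a reference would place an ill-formed byte sequence in the returned string for downstream consumers to handle. Since this commit makes invalid references fatal, the same condition could reject them: `if (val == 0 || val > 0x10FFFF || (val >= 0xD800 && val <= 0xDFFF) || ep-entp != entlen) {`.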
@@ -743,7 +744,10 @@ static char* text_parts_get_content(text_part_t *tp, int unesc_entities, size_t
 size_t len = tp->length;
 strncpy(p, tp->begin, len);
 if (!tp->is_cdata && unesc_entities) {
- unescape_entities(p, &len);
+ if (unescape_entities(p, &len) < 0) {
+ free(str);
+ return NULL;
+ }
 }
 p += len;
 tp = tp->next; |
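Review bot: Returning NULL from the copy loop only stops parsing if every caller of `text_parts_get_content` treats NULL as a parse failure rather than as empty content; the callers are outside this hunk, so that should be confirmed for each node type that reads text. As far as this hunk shows, the early return also leaves `*requires_free` untouched, so a caller that passes the flag uninitialised and reads it after a NULL result would act on an indeterminate value. Adding `if (requires_free) *requires_free = 0;` before `return NULL;` would make the failure path self-contained. The function starts and ends outside the hunk.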