@@ -191,6 +191,7 @@ struct _tag_sax_parser
191191 GF_XMLAttribute * attrs ;
192192 GF_XMLSaxAttribute * sax_attrs ;
193193 u32 nb_attrs , nb_alloc_attrs ;
194+ u32 ent_rec_level ;
194195};
195196
196197static GF_XMLSaxAttribute * xml_get_sax_attribute (GF_SAXParser * parser )
@@ -902,7 +903,14 @@ static GF_Err xml_sax_parse(GF_SAXParser *parser, Bool force_parse)
902903 parser -> line_size = 0 ;
903904 parser -> elt_start_pos = 0 ;
904905 parser -> sax_state = SAX_STATE_TEXT_CONTENT ;
905- e = gf_xml_sax_parse_intern (parser , orig_buf );
906+ parser -> ent_rec_level ++ ;
907+ if (parser -> ent_rec_level > 100 ) {
908+ GF_LOG (GF_LOG_WARNING , GF_LOG_CORE , ("[XML] Too many recursions in entity solving, max 100 allowed\n" ));
909+ e = GF_NOT_SUPPORTED ;
910+ } else {
911+ e = gf_xml_sax_parse_intern (parser , orig_buf );
912+ parser -> ent_rec_level -- ;
913+ }
906914 gf_free (orig_buf );
907915 return e ;
908916 }
@@ -1075,8 +1083,9 @@ static GF_Err gf_xml_sax_parse_intern(GF_SAXParser *parser, char *current)
10751083 /*append entity*/
10761084 line_num = parser -> line ;
10771085 xml_sax_append_string (parser , ent -> value );
1078- xml_sax_parse (parser , GF_TRUE );
1086+ GF_Err e = xml_sax_parse (parser , GF_TRUE );
10791087 parser -> line = line_num ;
1088+ if (e ) return e ;
10801089
10811090 }
10821091 xml_sax_append_string (parser , current );
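Review bot: In xml_sax_parse the new `parser->ent_rec_level++` runs before the limit check, but the matching decrement sits only in the `else` branch, so the rejecting path leaves the counter one higher than it found it. If the same parser is reused or fed more data after the limit trips, the effective depth budget shrinks by one each time; moving `parser->ent_rec_level--;` after the `if/else` so it runs on both paths keeps the counter balanced. The literal 100 appears in both the condition and the log text and would be better as a single named constant. This caps nesting depth only, and `xml_sax_append_string(parser, ent->value)` in gf_xml_sax_parse_intern still runs before the check, so the total expanded size from wide, shallow entity definitions looks unbounded from what is visible here; a cumulative expansion budget would be worth considering. Both functions extend outside the hunks shown.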