[CVE-2022-40674] Ensure raw tagnames are safe exiting internalEntityParser #629
It is possible to concoct a situation in which parsing is suspended while substituting in an internal entity, so that `XML_ResumeParser` directly uses `internalEntityProcessor` as its processor. If the subsequent parse includes some unclosed tags, this will return without calling `storeRawNames` to ensure that the raw versions of the tag names are stored in memory other than the parse buffer itself. If the parse buffer is then changed or reallocated (for example if processing a file line by line), badness will ensue.

This patch ensures `storeRawNames` is always called when needed after calling `doContent`. The earlier call to `doContent` does not need the same protection; it only deals with entity substitution, which cannot leave unbalanced tags, and in any case the raw names will be pointing into the stored entity value (memory that is going to stick around) not the parse buffer.
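The hazard the description refers to, as an added toy illustration (not libexpat's code): a tag stack whose entries point into a parse buffer that is reallocated per chunk, and the `storeRawNames`-style copy that must run after every `doContent`-style pass so unclosed tags survive the next reallocation. All names (`do_content`, `store_raw_names`, `feed`, `struct parser`) are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_OPEN 8
struct open_tag { const char *name; size_t len; char *owned; };
/* buf is the parse buffer, reallocated per chunk; stack holds still-open tags. */
struct parser { char *buf; size_t len; struct open_tag stack[MAX_OPEN]; int depth; };

/* Toy doContent: push each "<name>", pop on "</name>". As in the real one,
 * a pushed name is only a pointer into buf until something copies it. */
static int do_content(struct parser *p) {
    for (size_t i = 0; i < p->len; i++) {
        if (p->buf[i] != '<') continue;
        int closing = (i + 1 < p->len && p->buf[i + 1] == '/');
        size_t start = i + 1 + closing, end = start;
        while (end < p->len && p->buf[end] != '>') end++;
        if (end == p->len) return -1;                    /* truncated tag */
        if (closing) { if (p->depth) free(p->stack[--p->depth].owned); }
        else if (p->depth == MAX_OPEN) return -1;
        else p->stack[p->depth++] = (struct open_tag){ p->buf + start, end - start, NULL };
        i = end;
    }
    return 0;
}

/* Analogue of storeRawNames: give every open tag memory that outlives buf. */
static int store_raw_names(struct parser *p) {
    for (int d = 0; d < p->depth; d++) {
        struct open_tag *t = &p->stack[d];
        if (t->owned) continue;                          /* already safe */
        if (!(t->owned = malloc(t->len + 1))) return -1;
        memcpy(t->owned, t->name, t->len); t->owned[t->len] = 0;
        t->name = t->owned;
    }
    return 0;
}

/* Fixed ordering: store names before the next chunk can realloc buf. Without the
 * store_raw_names call, the next feed() frees memory unclosed tags still point into. */
static int feed(struct parser *p, const char *chunk) {
    size_t n = strlen(chunk);
    char *nb = realloc(p->buf, n + 1);
    if (!nb) return -1;
    memcpy(nb, chunk, n + 1); p->buf = nb; p->len = n;
    return do_content(p) < 0 ? -1 : store_raw_names(p);
}
/* 1 when every open tag owns a copy of its name, 0 if one still points only into buf. */
static int all_names_stored(const struct parser *p) {
    for (int d = 0; d < p->depth; d++) if (!p->stack[d].owned) return 0;
    return 1;
}
```

Feeding `<a><b>` and then `<c></c><d>` leaves three open tags whose names remain readable after the second reallocation only because the copy ran between the chunks.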