Fix copying external entity from an ext_ent_handler handler

With libxml2-2.12.0 and perl-5.38.0 t/44extent.t failed: $ perl -Iblib/{lib,arch} ./t/44extent.t 1..7 Entity: line 1: parser error : Char 0x0 out of allowed range pseudoroot ^ Entity: line 1: parser error : PCDATA invalid Char value 0 pseudoroot ^ [...] :8: parser error : Entity 'b' failed to parse <b>&b;</b> ^ # Looks like your test exited with 2 before it could output anything. The cause was xmlParserInputBufferCreateMem() which does not copy a supplied buffer. A string returned by the ext_ent_handler handler. As a result, libxml2 read from a deallocated memory parsing random garbage. This patch fixes it by copying the string with xmlParserInputBufferPush(). #81
shlomif · Nov 28, 2023 · c2e705e · c2e705e
1 parent 8751785
commit c2e705e
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/LibXML.xs b/LibXML.xs
@@ -25,6 +25,7 @@ extern "C" {
 #include "Av_CharPtrPtr.h"  /* XS_*_charPtrPtr() */
 
 #include <fcntl.h>
+#include <limits.h> /* INT_MAX */
 
 #ifndef WIN32
 #include <unistd.h>
@@ -869,11 +870,17 @@ LibXML_load_external_entity(
         results = POPs;
 
         results_pv = SvPV(results, results_len);
-        input_buf = xmlParserInputBufferCreateMem(
-                        results_pv,
-                        results_len,
-                        XML_CHAR_ENCODING_NONE
-                        );
+        if (results_len > INT_MAX) {
+            croak("a buffer would be too big\n");
+        }
+        input_buf = xmlAllocParserInputBuffer(XML_CHAR_ENCODING_NONE);
+        if (!input_buf) {
+            croak("cannot create a buffer!\n");
+        }
+        if (-1 == xmlParserInputBufferPush(input_buf, (int)results_len, results_pv)) {
+            xmlFreeParserInputBuffer(input_buf);
+            croak("cannot push an external entity into a buffer!\n");
+        }
 
         PUTBACK;
         FREETMPS;