Merge pull request #484 from libexpat/fix-accounting-issues

Fix accounting issues

expat/Changes

@@ -4,7 +4,7 @@ NOTE: We are looking for help with a few things:
 
 Release X.X.X XXX XXXXX XX XXXX
         Security fixes:
-        #34 #466  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
+   #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                     (denial-of-service; flavors targeting CPU time or RAM or both,
                     leveraging general entities or parameter entities or both)
                     by tracking and limiting the input amplification factor
@@ -21,18 +21,18 @@ Release X.X.X XXX XXXXX XX XXXX
                     for UTF-16 payloads containing CDATA sections.
 
         New features:
-        #34 #466  Add two new API functions to further tighten billion laughs
+   #34 #466 #484  Add two new API functions to further tighten billion laughs
                     protection parameters when desired.
                     - XML_SetBillionLaughsAttackProtectionMaximumAmplification
                     - XML_SetBillionLaughsAttackProtectionActivationThreshold
                     Please see file "doc/reference.html" for more details.
                     If you ever need to increase the defaults for non-attack XML
                     payload, please file a bug report with libexpat.
-        #34 #466  Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
+   #34 #466 #484  Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
                     and EXPAT_ENTITY_DEBUG=(0|1) for runtime debugging of accounting
                     and entity processing; specific behavior of these values may
                     change in the future.
-        #34 #466  xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
+   #34 #466 #484  xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
                     billion laughs protection parameters when desired.
                     If you ever need to increase the defaults for non-attack XML
                     payload, please file a bug report with libexpat.
@@ -51,6 +51,7 @@ Release X.X.X XXX XXXXX XX XXXX
                  and
             Clang LeakSan
             JetBrains
+            OSS-Fuzz
 
 Release 2.3.0 Thu March 25 2021
         Bug fixes:

expat/lib/xmlparse.c

@@ -462,7 +462,8 @@ static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
                                 XML_Bool haveMore, enum XML_Account account);
 static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *,
                                      const char **startPtr, const char *end,
-                                     const char **nextPtr, XML_Bool haveMore);
+                                     const char **nextPtr, XML_Bool haveMore,
+                                     enum XML_Account account);
 #ifdef XML_DTD
 static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
                                       const char **startPtr, const char *end,
@@ -3096,7 +3097,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
       /* END disabled code */
       else if (parser->m_defaultHandler)
         reportDefault(parser, enc, s, next);
-      result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore);
+      result
+          = doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account);
       if (result != XML_ERROR_NONE)
         return result;
       else if (! next) {
@@ -3725,9 +3727,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
 static enum XML_Error PTRCALL
 cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
                       const char **endPtr) {
-  enum XML_Error result
-      = doCdataSection(parser, parser->m_encoding, &start, end, endPtr,
-                       (XML_Bool)! parser->m_parsingStatus.finalBuffer);
+  enum XML_Error result = doCdataSection(
+      parser, parser->m_encoding, &start, end, endPtr,
+      (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
   if (result != XML_ERROR_NONE)
     return result;
   if (start) {
@@ -3747,7 +3749,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
 */
 static enum XML_Error
 doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
-               const char *end, const char **nextPtr, XML_Bool haveMore) {
+               const char *end, const char **nextPtr, XML_Bool haveMore,
+               enum XML_Account account) {
   const char *s = *startPtr;
   const char **eventPP;
   const char **eventEndPP;
@@ -3766,11 +3769,12 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
     const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */
     int tok = XmlCdataSectionTok(enc, s, end, &next);
 #ifdef XML_DTD
-    if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
-                                  XML_ACCOUNT_DIRECT)) {
+    if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
       accountingOnAbort(parser);
       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
     }
+#else
+    UNUSED_P(account);
 #endif
     *eventEndPP = next;
     switch (tok) {

expat/tests/runtests.c

@@ -11318,6 +11318,16 @@ START_TEST(test_accounting_precision) {
 
       /* CDATA */
       {"<e><![CDATA[one two three]]></e>", NULL, NULL, 0, filled_later},
+      /* The following is the essence of this OSS-Fuzz finding:
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34302
+         https://oss-fuzz.com/testcase-detail/4860575394955264
+      */
+      {"<!DOCTYPE r [\n"
+       "<!ENTITY e \"111<![CDATA[2 <= 2]]>333\">\n"
+       "]>\n"
+       "<r>&e;</r>\n",
+       NULL, NULL, sizeof(XML_Char) * strlen("111<![CDATA[2 <= 2]]>333"),
+       filled_later},
 
       /* Conditional sections */
       {"<!DOCTYPE r [\n"