From: jeanlf <jeanlf@gpac.io>
Date: Mon, 22 May 2023 15:35:19 +0000 (+0200)
Subject: [PATCH] fixed #2473
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u3^2~10
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0dab27082fb870fc2f96abc4b9fe0f84445c5c5f;p=gpac.git

[PATCH] fixed #2473


Gbp-Pq: Name CVE-2023-2837.patch
---

diff --git a/src/utils/xml_parser.c b/src/utils/xml_parser.c
index 9c48e03..3fdf82c 100644
--- a/src/utils/xml_parser.c
+++ b/src/utils/xml_parser.c
@@ -190,6 +190,7 @@ struct _tag_sax_parser
 	GF_XMLAttribute *attrs;
 	GF_XMLSaxAttribute *sax_attrs;
 	u32 nb_attrs, nb_alloc_attrs;
+	u32 ent_rec_level;
 };
 
 static GF_XMLSaxAttribute *xml_get_sax_attribute(GF_SAXParser *parser)
@@ -882,7 +883,14 @@ restart:
 						parser->line_size = 0;
 						parser->elt_start_pos = 0;
 						parser->sax_state = SAX_STATE_TEXT_CONTENT;
-						e = gf_xml_sax_parse_intern(parser, orig_buf);
+						parser->ent_rec_level++;
+						if (parser->ent_rec_level>100) {
+							GF_LOG(GF_LOG_WARNING, GF_LOG_CORE, ("[XML] Too many recursions in entity solving, max 100 allowed\n"));
+							e = GF_NOT_SUPPORTED;
+						} else {
+							e = gf_xml_sax_parse_intern(parser, orig_buf);
+							parser->ent_rec_level--;
+						}
 						gf_free(orig_buf);
 						return e;
 					}
@@ -1055,8 +1063,9 @@ static GF_Err gf_xml_sax_parse_intern(GF_SAXParser *parser, char *current)
 		/*append entity*/
 		line_num = parser->line;
 		xml_sax_append_string(parser, ent->value);
-		xml_sax_parse(parser, GF_TRUE);
+		GF_Err e = xml_sax_parse(parser, GF_TRUE);
 		parser->line = line_num;
+		if (e) return e;
 
 	}
 	xml_sax_append_string(parser, current);