From 60959f2b491876199879d97c8ed956eabb0c2e73 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Fri, 14 May 2021 20:09:22 +0200
Subject: [PATCH] lib: Fix accounting of CDATA sections inside of general
 entities

---
 Changes        |  9 +++++----
 lib/xmlparse.c | 20 ++++++++++++--------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/Changes b/Changes
index a435999..e62814b 100644
--- a/Changes
+++ b/Changes
@@ -4,7 +4,7 @@ NOTE: We are looking for help with a few things:
 
 Release 2.2.9 Wed Septemper 25 2019
         Security fixes:
-        #34 #466  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
+   #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                     (denial-of-service; flavors targeting CPU time or RAM or both,
                     leveraging general entities or parameter entities or both)
                     by tracking and limiting the input amplification factor
@@ -20,18 +20,18 @@ Release 2.2.9 Wed Septemper 25 2019
                     -DXML_UNICODE that was introduced with Expat 2.0.1
 
         New features:
-        #34 #466  Add two new API functions to further tighten billion laughs
+   #34 #466 #484  Add two new API functions to further tighten billion laughs
                     protection parameters when desired.
                     - XML_SetBillionLaughsAttackProtectionMaximumAmplification
                     - XML_SetBillionLaughsAttackProtectionActivationThreshold
                     Please see file "doc/reference.html" for more details.
                     If you ever need to increase the defaults for non-attack XML
                     payload, please file a bug report with libexpat.
-        #34 #466  Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
+   #34 #466 #484  Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
                     and EXPAT_ENTITY_DEBUG=(0|1) for runtime debugging of accounting
                     and entity processing; specific behavior of these values may
                     change in the future.
-        #34 #466  xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
+   #34 #466 #484  xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
                     billion laughs protection parameters when desired.
                     If you ever need to increase the defaults for non-attack XML
                     payload, please file a bug report with libexpat.
@@ -54,6 +54,7 @@ Release 2.2.9 Wed Septemper 25 2019
                  and
             Clang LeakSan
             JetBrains
+            OSS-Fuzz
 
 Release 2.2.8 Fri Septemper 13 2019
         Security fixes:
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 3870dfa..64d5dc3 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -448,7 +448,8 @@ static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
                                 XML_Bool haveMore, enum XML_Account account);
 static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *,
                                      const char **startPtr, const char *end,
-                                     const char **nextPtr, XML_Bool haveMore);
+                                     const char **nextPtr, XML_Bool haveMore,
+                                     enum XML_Account account);
 #ifdef XML_DTD
 static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
                                       const char **startPtr, const char *end,
@@ -3062,7 +3063,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
       /* END disabled code */
       else if (parser->m_defaultHandler)
         reportDefault(parser, enc, s, next);
-      result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore);
+      result
+          = doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account);
       if (result != XML_ERROR_NONE)
         return result;
       else if (! next) {
@@ -3691,9 +3693,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
 static enum XML_Error PTRCALL
 cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
                       const char **endPtr) {
-  enum XML_Error result
-      = doCdataSection(parser, parser->m_encoding, &start, end, endPtr,
-                       (XML_Bool)! parser->m_parsingStatus.finalBuffer);
+  enum XML_Error result = doCdataSection(
+      parser, parser->m_encoding, &start, end, endPtr,
+      (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
   if (result != XML_ERROR_NONE)
     return result;
   if (start) {
@@ -3713,7 +3715,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
 */
 static enum XML_Error
 doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
-               const char *end, const char **nextPtr, XML_Bool haveMore) {
+               const char *end, const char **nextPtr, XML_Bool haveMore,
+               enum XML_Account account) {
   const char *s = *startPtr;
   const char **eventPP;
   const char **eventEndPP;
@@ -3732,11 +3735,12 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
     const char *next;
     int tok = XmlCdataSectionTok(enc, s, end, &next);
 #ifdef XML_DTD
-    if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
-                                  XML_ACCOUNT_DIRECT)) {
+    if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
       accountingOnAbort(parser);
       return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
     }
+#else
+    UNUSED_P(account);
 #endif
     *eventEndPP = next;
     switch (tok) {
-- 
1.8.3.1