Disallow deep or widely nested entity references.

Nested entities with a depth of 2 or more will fail. Entities
that fully expand to more than 1024 characters will also fail.

Change-Id: I75525bc1edfa796c4db30a5109fe21011ad43a2d
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
(cherries picked from commits 46a8885ae4
and f1053d94f5)

src/xml/sax/qxml.cpp

@@ -424,6 +424,12 @@ private:
     int     stringValueLen;
     QString emptyStr;
 
+    // The limit to the amount of times the DTD parsing functions can be called
+    // for the DTD currently being parsed.
+    static const int dtdRecursionLimit = 2;
+    // The maximum amount of characters an entity value may contain, after expansion.
+    static const int entityCharacterLimit = 1024;
+
     const QString &string();
     void stringClear();
     void stringAddC(QChar);
@@ -493,6 +499,8 @@ private:
     void parseFailed(ParseFunction where, int state);
     void pushParseState(ParseFunction function, int state);
 
+    bool isExpandedEntityValueTooLarge(QString *errorMessage);
+
     Q_DECLARE_PUBLIC(QXmlSimpleReader)
     QXmlSimpleReader *q_ptr;
 
@@ -5035,6 +5043,11 @@ bool QXmlSimpleReaderPrivate::parseDoctype()
                 }
                 break;
             case Mup:
+                if (dtdRecursionLimit > 0 && parameterEntities.size() > dtdRecursionLimit) {
+                    reportParseError(QString::fromLatin1(
+                        "DTD parsing exceeded recursion limit of %1.").arg(dtdRecursionLimit));
+                    return false;
+                }
                 if (!parseMarkupdecl()) {
                     parseFailed(&QXmlSimpleReaderPrivate::parseDoctype, state);
                     return false;
@@ -6644,6 +6657,50 @@ bool QXmlSimpleReaderPrivate::parseChoiceSeq()
     return false;
 }
 
+bool QXmlSimpleReaderPrivate::isExpandedEntityValueTooLarge(QString *errorMessage)
+{
+    QMap<QString, int> literalEntitySizes;
+    // The entity at (QMap<QString,) referenced the entities at (QMap<QString,) (int>) times.
+    QMap<QString, QMap<QString, int> > referencesToOtherEntities;
+    QMap<QString, int> expandedSizes;
+
+    // For every entity, check how many times all entity names were referenced in its value.
+    foreach (QString toSearch, entities.keys()) {
+        // The amount of characters that weren't entity names, but literals, like 'X'.
+        QString leftOvers = entities.value(toSearch);
+        // How many times was entityName referenced by toSearch?
+        foreach (QString entityName, entities.keys()) {
+            for (int i = 0; i < leftOvers.size() && i != -1; ) {
+                i = leftOvers.indexOf(QString::fromLatin1("&%1;").arg(entityName), i);
+                if (i != -1) {
+                    leftOvers.remove(i, entityName.size() + 2);
+                    // The entityName we're currently trying to find was matched in this string; increase our count.
+                    ++referencesToOtherEntities[toSearch][entityName];
+                }
+            }
+        }
+        literalEntitySizes[toSearch] = leftOvers.size();
+    }
+
+    foreach (QString entity, referencesToOtherEntities.keys()) {
+        expandedSizes[entity] = literalEntitySizes[entity];
+        foreach (QString referenceTo, referencesToOtherEntities.value(entity).keys()) {
+            const int references = referencesToOtherEntities.value(entity).value(referenceTo);
+            // The total size of an entity's value is the expanded size of all of its referenced entities, plus its literal size.
+            expandedSizes[entity] += expandedSizes[referenceTo] * references + literalEntitySizes[referenceTo] * references;
+        }
+
+        if (expandedSizes[entity] > entityCharacterLimit) {
+            if (errorMessage) {
+                *errorMessage = QString::fromLatin1("The XML entity \"%1\" expands too a string that is too large to process (%2 characters > %3).");
+                *errorMessage = (*errorMessage).arg(entity).arg(expandedSizes[entity]).arg(entityCharacterLimit);
+            }
+            return true;
+        }
+    }
+    return false;
+}
+
 /*
   Parse a EntityDecl [70].
 
@@ -6738,6 +6795,12 @@ bool QXmlSimpleReaderPrivate::parseEntityDecl()
         switch (state) {
             case EValue:
                 if ( !entityExist(name())) {
+                    QString errorMessage;
+                    if (isExpandedEntityValueTooLarge(&errorMessage)) {
+                        reportParseError(errorMessage);
+                        return false;
+                    }
+
                     entities.insert(name(), string());
                     if (declHnd) {
                         if (!declHnd->internalEntityDecl(name(), string())) {

tests/auto/xml/sax/qxmlsimplereader/tst_qxmlsimplereader.cpp

@@ -160,6 +160,7 @@ class tst_QXmlSimpleReader : public QObject
         void reportNamespace() const;
         void reportNamespace_data() const;
         void roundtripWithNamespaces() const;
+        void dtdRecursionLimit();
 
     private:
         static QDomDocument fromByteArray(const QString &title, const QByteArray &ba, bool *ok);
@@ -770,5 +771,62 @@ void tst_QXmlSimpleReader::roundtripWithNamespaces() const
     }
 }
 
+class TestHandler : public QXmlDefaultHandler
+{
+public:
+    TestHandler() :
+        recursionCount(0)
+    {
+    }
+
+    bool internalEntityDecl(const QString &name, const QString &value)
+    {
+        ++recursionCount;
+        return QXmlDefaultHandler::internalEntityDecl(name, value);
+    }
+
+    int recursionCount;
+};
+
+void tst_QXmlSimpleReader::dtdRecursionLimit()
+{
+    QFile file("xmldocs/2-levels-nested-dtd.xml");
+    QVERIFY(file.open(QIODevice::ReadOnly));
+    QXmlSimpleReader xmlReader;
+    {
+        QXmlInputSource *source = new QXmlInputSource(&file);
+        TestHandler handler;
+        xmlReader.setDeclHandler(&handler);
+        xmlReader.setErrorHandler(&handler);
+        QVERIFY(!xmlReader.parse(source));
+    }
+
+    file.close();
+    file.setFileName("xmldocs/1-levels-nested-dtd.xml");
+    QVERIFY(file.open(QIODevice::ReadOnly));
+    {
+        QXmlInputSource *source = new QXmlInputSource(&file);
+        TestHandler handler;
+        xmlReader.setDeclHandler(&handler);
+        xmlReader.setErrorHandler(&handler);
+        QVERIFY(!xmlReader.parse(source));
+        // The error wasn't because of the recursion limit being reached,
+        // it was because the document is not valid.
+        QVERIFY(handler.recursionCount < 2);
+    }
+
+    file.close();
+    file.setFileName("xmldocs/internal-entity-polynomial-attribute.xml");
+    QVERIFY(file.open(QIODevice::ReadOnly));
+    {
+        QXmlInputSource *source = new QXmlInputSource(&file);
+        TestHandler handler;
+        xmlReader.setDeclHandler(&handler);
+        xmlReader.setErrorHandler(&handler);
+        QVERIFY(!xmlReader.parse(source));
+        QCOMPARE(handler.recursionCount, 2);
+    }
+}
+
 QTEST_MAIN(tst_QXmlSimpleReader)
 #include "tst_qxmlsimplereader.moc"

tests/auto/xml/sax/qxmlsimplereader/xmldocs/1-levels-nested-dtd.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!-- Test non-deterministic content model matching.
+
+Entity references are not part of the internal DTD subset (for good reason).
+
+-->
+<!DOCTYPE root [
+<!ELEMENT e0 EMPTY>
+<!ENTITY % e1 "(e0,e0)">
+<!ELEMENT root (%e1;)?>
+]>
+<root/>

tests/auto/xml/sax/qxmlsimplereader/xmldocs/2-levels-nested-dtd.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- Test non-deterministic content model matching.
+
+Entity references are not part of the internal DTD subset (for good reason).
+
+-->
+<!DOCTYPE root [
+<!ELEMENT e0 EMPTY>
+<!ENTITY % e1 "(e0,e0)">
+<!ENTITY % e2 "(%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;,%e1;)">
+<!ELEMENT root (%e2;)?>
+]>
+<root/>

tests/auto/xml/sax/qxmlsimplereader/xmldocs/internal-entity-polynomial-attribute.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<!-- Test polynomial growth of expanded XML.
+     Expansion happens in an attribute. -->
+<!DOCTYPE root [
+<!ELEMENT root EMPTY>
+<!ATTLIST root id CDATA #IMPLIED>
+<!ENTITY e1 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
+<!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
+<!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
+<!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;">
+]>
+<root id="&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;"/>
+