
clean up the depth tracking a bit

Lee Thomason 8 yıl önce
ebeveyn
işleme
f928c35186

Dosya farkı çok büyük olduğundan ihmal edildi
+ 0 - 0
resources/xmltest-4636783552757760.xml


Dosya farkı çok büyük olduğundan ihmal edildi
+ 0 - 0
resources/xmltest-5720541257269248.xml


+ 2 - 5
tinyxml2.cpp

@@ -2384,21 +2384,18 @@ void XMLDocument::Parse()
     ParseDeep(p, 0, &_parseCurLineNum );
 }
 
-bool XMLDocument::PushDepth()
+void XMLDocument::PushDepth()
 {
 	_parsingDepth++;
 	if (_parsingDepth == TINYXML2_MAX_ELEMENT_DEPTH) {
 		SetError(XMLError::XML_ELEMENT_DEPTH_EXCEEDED, _parseCurLineNum, "Element nesting is too deep." );
-		return false;
 	}
-	return true;
 }
 
-bool XMLDocument::PopDepth()
+void XMLDocument::PopDepth()
 {
 	TIXMLASSERT(_parsingDepth > 0);
 	--_parsingDepth;
-	return true;
 }
 
 XMLPrinter::XMLPrinter( FILE* file, bool compact, int depth ) :
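Review bot: PushDepth() no longer tells its caller that the limit was hit, so the stack-overflow guard now depends on every call site checking the document's error state after the call. Those call sites are outside this hunk and should be confirmed to stop descending once `XML_ELEMENT_DEPTH_EXCEEDED` is set. The comparison `_parsingDepth == TINYXML2_MAX_ELEMENT_DEPTH` also fires only on the exact boundary, so a path that keeps recursing past it is never flagged again; `if (_parsingDepth >= TINYXML2_MAX_ELEMENT_DEPTH) {` is the more defensive form. A one-line comment above PushDepth such as `// Sets XML_ELEMENT_DEPTH_EXCEEDED at the limit; callers must check Error() before recursing further.` would record the new contract.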

+ 8 - 6
tinyxml2.h

@@ -106,10 +106,12 @@ static const int TIXML2_PATCH_VERSION = 0;
 #define TINYXML2_MINOR_VERSION 1
 #define TINYXML2_PATCH_VERSION 0
 
-// This is problematic. There needs to be a limit to avoid a stack
-// overflow. However, that limit varies per system. Going with 
-// the MS value for now. May adjust in future versions.
-static const int TINYXML2_MAX_ELEMENT_DEPTH = 256;
+// A fixed element depth limit is problematic. There needs to be a 
+// limit to avoid a stack overflow. However, that limit varies per 
+// system, and the capacity of the stack. On the other hand, it's a trivial 
+// attack that can result from ill, malicious, or even correctly formed XML, 
+// so there needs to be a limit in place.
+static const int TINYXML2_MAX_ELEMENT_DEPTH = 100;
 
 namespace tinyxml2
 {
@@ -1915,8 +1917,8 @@ private:
 	private:
 		XMLDocument * _document;
 	};
-	bool PushDepth();
-	bool PopDepth();
+	void PushDepth();
+	void PopDepth();
 
     template<class NodeType, int PoolElementSize>
     NodeType* CreateUnlinkedNode( MemPoolT<PoolElementSize>& pool );
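Review bot: The new comment on `TINYXML2_MAX_ELEMENT_DEPTH` (first hunk of this file) explains why a limit exists but not what it does to callers. With the value lowered from 256 to 100, well-formed documents that nest that deep will now be rejected, which is a behaviour change for consumers. I would add a line such as `// XML_ELEMENT_DEPTH_EXCEEDED is reported once nesting reaches this depth.` so the contract sits next to the value. The constant is also a fixed `static const int` declared outside `namespace tinyxml2`, so an integrator running on a smaller stack cannot lower it without editing the header; a build-time override may be worth considering. The word "ill" in the comment presumably means "ill-formed".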

+ 12 - 5
xmltest.cpp

@@ -2026,12 +2026,19 @@ int main( int argc, const char ** argv )
 	}
 
 	{
-		// Bad bad crash.
-		XMLDocument doc;
-		doc.LoadFile("./resources/xmltest-5330.xml");
-		XMLTest("Stack overflow prevented.", XMLError::XML_ELEMENT_DEPTH_EXCEEDED, doc.ErrorID());
+		// Bad bad crash. Parsing error results in stack overflow, if uncaught.
+		const char* TESTS[] = {
+			"./resources/xmltest-5330.xml",
+			"./resources/xmltest-4636783552757760.xml",
+			"./resources/xmltest-5720541257269248.xml",
+			0
+		};
+		for (int i=0; TESTS[i]; ++i) {
+			XMLDocument doc;
+			doc.LoadFile(TESTS[i]);
+			XMLTest("Stack overflow prevented.", XMLError::XML_ELEMENT_DEPTH_EXCEEDED, doc.ErrorID());
+		}
 	}
-
 	{
 		// Crashing reported via email.
 		const char* xml =
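Review bot: Every iteration of the new loop reports under the same label, "Stack overflow prevented.", so a failure does not say which of the three inputs regressed. Passing the path as the label, `XMLTest(TESTS[i], XMLError::XML_ELEMENT_DEPTH_EXCEEDED, doc.ErrorID());`, or printing the path before the check, would make a failing run actionable. The table can also be declared `static const char* const TESTS[]`, since it is never modified. The two added resource files are not shown on this page because their diffs are suppressed as too large, so their content cannot be checked here. main() begins and ends outside this hunk.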

Bu fark içinde çok fazla dosya değişikliği olduğu için bazı dosyalar gösterilmiyor