From 256366ed60f8795279b25f7b7b55e8089b4c6ff4 Mon Sep 17 00:00:00 2001
From: Alex Henrie
Date: Thu, 26 May 2016 17:38:35 -0600
Subject: [PATCH] Fix attribute decoding during XML schema validation
For https://bugzilla.gnome.org/show_bug.cgi?id=766834
vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs, so this function can't call xmlStringLenDecodeEntities to decode the entities.
---
 xmlschemas.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/xmlschemas.c b/xmlschemas.c
index e1b3a4f..59535e5 100644
--- xmlschemas.c
+++ xmlschemas.c
@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
 * attributes yet.
 */
 if (nb_attributes != 0) {
+ int valueLen, k, l;
 xmlChar *value;
 for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {
@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
 * libxml2 differs from normal SAX here in that it escapes all ampersands
 * as & instead of delivering the raw converted string. Changing the
 * behavior at this point would break applications that use this API, so
- * we are forced to work around it. There is no danger of accidentally
- * decoding some entity other than & in this step because without
- * unescaped ampersands there can be no other entities in the string.
+ * we are forced to work around it.
 */
- value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],
- attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);
+ valueLen = attributes[j+4] - attributes[j+3];
+ value = xmlMallocAtomic(valueLen + 1);
+ if (value == NULL) {
+ xmlSchemaVErrMemory(vctxt,
+ "allocating string for decoded attribute",
+ NULL);
+ goto internal_error;
+ }
+ for (k = 0, l = 0; k < valueLen; l++) {
+ if (k < valueLen - 4 &&
+ attributes[j+3][k+0] == '&' &&
+ attributes[j+3][k+1] == '#' &&
+ attributes[j+3][k+2] == '3' &&
+ attributes[j+3][k+3] == '8' &&
+ attributes[j+3][k+4] == ';') {
+ value[l] = '&';
+ k += 5;
+ } else {
+ value[l] = attributes[j+3][k];
+ k++;
+ }
+ }
+ value[l] = '\0';
 /*
 * TODO: Set the node line.
 */
-- 
2.8.3
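Review bot: `valueLen` is an `int` (declared in the first hunk) but receives the pointer difference `attributes[j+4] - attributes[j+3]`, so a value of 2 GiB or more is narrowed before `xmlMallocAtomic(valueLen + 1)`; on common ABIs a narrowed result of -1 gives a zero-byte allocation, the loop is skipped, and the final `value[l] = '\0'` writes one byte past it. Whether the parser can deliver an attribute that long depends on limits set outside this hunk, but a range check before the assignment is cheap, for example `if (attributes[j+4] - attributes[j+3] < 0 || attributes[j+4] - attributes[j+3] >= INT_MAX) goto internal_error;`. The shortened comment also drops the rationale for the decoding step without stating the new contract; I would add `* Only the literal sequence "&#38;" is rewritten; every other byte, including other references, is copied through unchanged.` The function body starts and ends outside this hunk, so ownership of `value` on the later error paths cannot be checked from here.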