1 From 3169602058bd2d04913909e869c61d1540bc7fb4 Mon Sep 17 00:00:00 2001
2 From: Alex Henrie <alexhenrie24@gmail.com>
3 Date: Thu, 26 May 2016 17:38:35 -0600
4 Subject: Fix attribute decoding during XML schema validation
6 For https://bugzilla.gnome.org/show_bug.cgi?id=766834
8 vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
9 so this function can't call xmlStringLenDecodeEntities to decode the
12 xmlschemas.c | 30 +++++++++++++++++++++++++-----
13 1 file changed, 25 insertions(+), 5 deletions(-)
15 diff --git a/xmlschemas.c b/xmlschemas.c
16 index 7afe2eb..d42afb7 100644
19 @@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
22 if (nb_attributes != 0) {
26 for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {
27 @@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
28 * libxml2 differs from normal SAX here in that it escapes all ampersands
29 * as & instead of delivering the raw converted string. Changing the
30 * behavior at this point would break applications that use this API, so
31 - * we are forced to work around it. There is no danger of accidentally
32 - * decoding some entity other than & in this step because without
33 - * unescaped ampersands there can be no other entities in the string.
34 + * we are forced to work around it.
36 - value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],
37 - attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);
38 + valueLen = attributes[j+4] - attributes[j+3];
39 + value = xmlMallocAtomic(valueLen + 1);
40 + if (value == NULL) {
41 + xmlSchemaVErrMemory(vctxt,
42 + "allocating string for decoded attribute",
44 + goto internal_error;
46 + for (k = 0, l = 0; k < valueLen; l++) {
47 + if (k < valueLen - 4 &&
48 + attributes[j+3][k+0] == '&' &&
49 + attributes[j+3][k+1] == '#' &&
50 + attributes[j+3][k+2] == '3' &&
51 + attributes[j+3][k+3] == '8' &&
52 + attributes[j+3][k+4] == ';') {
56 + value[l] = attributes[j+3][k];
62 * TODO: Set the node line.
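Review bot: The bounds test `k < valueLen - 4` in the new copy loop is only correct while `valueLen` is signed; the declaration added by the first hunk is not shown on this page, and with an unsigned type a value shorter than four bytes would wrap the subtraction and let the `attributes[j+3][k+1]` to `[k+4]` reads run past `attributes[j+4]`. Writing the test as `k + 4 < valueLen` holds for either signedness. `valueLen` is also assigned a pointer difference and then passed to `xmlMallocAtomic(valueLen + 1)`, so if it is an `int` the difference should be range-checked before it is narrowed, because the attribute values being validated may come from untrusted documents. A short comment above the loop, such as `/* Rewrite only the exact "&#38;" sequence; copy every other byte unchanged. */`, would replace the rationale this hunk deletes. The body of xmlSchemaSAXHandleStartElementNs starts and ends outside the hunk.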