fix huge number of declaration security issue

2018-07-28 14:56:20 -07:00
parent c483646db0
commit db13a82e62
3 changed files with 32 additions and 9 deletions
--- a/resources/xmltest-5662204197076992.xml
+++ b/resources/xmltest-5662204197076992.xml
--- a/tinyxml2.cpp
+++ b/tinyxml2.cpp
@@ -1032,15 +1032,25 @@ char* XMLNode::ParseDeep( char* p, StrPair* parentEndTag, int* curLineNumPtr )
        XMLDeclaration* decl = node->ToDeclaration();
        if ( decl ) {
            // Declarations are only allowed at document level
-            bool wellLocated = ( ToDocument() != 0 );
-            if ( wellLocated ) {
-                // Multiple declarations are allowed but all declarations
-                // must occur before anything else
-                for ( const XMLNode* existingNode = _document->FirstChild(); existingNode; existingNode = existingNode->NextSibling() ) {
-                    if ( !existingNode->ToDeclaration() ) {
-                        wellLocated = false;
-                        break;
-                    }
+            //
+            // Multiple declarations are allowed but all declarations
+            // must occur before anything else. 
+            //
+            // Optimized due to a security test case. If the first node is 
+            // a declaration, and the last node is a declaration, then only 
+            // declarations have so far been addded.
+            bool wellLocated = false;
+
+            if (ToDocument()) {
+                if (FirstChild()) {
+                    wellLocated =
+                        FirstChild() &&
+                        FirstChild()->ToDeclaration() &&
+                        LastChild() &&
+                        LastChild()->ToDeclaration();
+                }
+                else {
+                    wellLocated = true;
                }
            }
            if ( !wellLocated ) {
--- a/xmltest.cpp
+++ b/xmltest.cpp
@@ -2050,6 +2050,18 @@ int main( int argc, const char ** argv )
 			XMLTest("Stack overflow prevented.", XML_ELEMENT_DEPTH_EXCEEDED, doc.ErrorID());
 		}
 	}
+    {
+        const char* TESTS[] = {
+            "./resources/xmltest-5662204197076992.xml",     // Security-level performance issue.
+            0
+        };
+        for (int i = 0; TESTS[i]; ++i) {
+            XMLDocument doc;
+            doc.LoadFile(TESTS[i]);
+            // Need only not crash / lock up.
+            XMLTest("Fuzz attack prevented.", true, true);
+        }
+    }
 	{
 		// Crashing reported via email.
 		const char* xml =