From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Thu, 14 Apr 2016 16:15:13 +0200
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
 recursions to avoid CVE-2016-3627

This patch prevents stack overflows like the one reported in
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
---
 tree.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Index: libxml2-2.9.3/tree.c
===================================================================
--- libxml2-2.9.3.orig/tree.c
+++ libxml2-2.9.3/tree.c
@@ -1464,6 +1464,8 @@ out:
     return(ret);
 }
 
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
+
 /**
  * xmlStringGetNodeList:
  * @doc:  the document
@@ -1475,6 +1477,12 @@ out:
  */
 xmlNodePtr
 xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
+   return xmlStringGetNodeListInternal(doc, value, 0);
+ }
+
+xmlNodePtr
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
+
     xmlNodePtr ret = NULL, last = NULL;
     xmlNodePtr node;
     xmlChar *val;
@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
     xmlEntityPtr ent;
     xmlBufPtr buf;
 
+    if (recursionLevel > 1024) return(NULL);
+
     if (value == NULL) return(NULL);
 
     buf = xmlBufCreateSize(0);
@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
 			else if ((ent != NULL) && (ent->children == NULL)) {
 			    xmlNodePtr temp;
 
-			    ent->children = xmlStringGetNodeList(doc,
-				    (const xmlChar*)node->content);
+			    ent->children = xmlStringGetNodeListInternal(doc,
+				    (const xmlChar*)node->content,
+                                    recursionLevel+1);
 			    ent->owner = 1;
 			    temp = ent->children;
 			    while (temp) {