From 10f820b18d8c6011a7f98e56ac859903c56b15e6 Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 27 Oct 2014 11:24:04 +0000
Subject: merge revision(s) 48161:

	* lib/rexml/entity.rb: keep the entity size within the limitation.
	  reported by Willis Vandevanter <will@silentrobots.com> and
	  patched by nahi.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@48164 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog                   |  6 ++++++
 lib/rexml/entity.rb         |  6 ++++++
 test/rexml/test_document.rb | 27 +++++++++++++++++++++++++++
 test/rexml/test_entity.rb   | 16 ++++++++++++++++
 version.h                   |  6 +++---
 5 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1e8d9fc054..5568b7a2ac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Mon Oct 27 20:23:27 2014  NAKAMURA Usaku  <usa@ruby-lang.org>
+
+	* lib/rexml/entity.rb: keep the entity size within the limitation.
+	  reported by Willis Vandevanter <will@silentrobots.com> and
+	  patched by nahi.
+
 Thu Oct 24 12:00:55 2014  CHIKANAGA Tomoyuki  <nagachika@ruby-lang.org>
 
 	* ext/openssl/lib/openssl/ssl-internal.rb (DEFAULT_PARAMS): override
diff --git a/lib/rexml/entity.rb b/lib/rexml/entity.rb
index 3d81fbc738..dc3f666cad 100644
--- a/lib/rexml/entity.rb
+++ b/lib/rexml/entity.rb
@@ -138,8 +138,14 @@ module REXML
         matches = @value.scan(PEREFERENCE_RE)
         rv = @value.clone
         if @parent
+          sum = 0
           matches.each do |entity_reference|
             entity_value = @parent.entity( entity_reference[0] )
+            if sum + entity_value.bytesize > Document.entity_expansion_text_limit
+              raise "entity expansion has grown too large"
+            else
+              sum += entity_value.bytesize
+            end
             rv.gsub!( /%#{entity_reference.join};/um, entity_value )
           end
         end
diff --git a/test/rexml/test_document.rb b/test/rexml/test_document.rb
index ab0b1e4e96..b89e7372ad 100644
--- a/test/rexml/test_document.rb
+++ b/test/rexml/test_document.rb
@@ -45,6 +45,20 @@ EOF
 <member>
 &a;
 </member>
+EOF
+
+    XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF
+<!DOCTYPE root [
+  <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.">
+  <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;">
+  <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;">
+  <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;">
+  <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;">
+  <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;">
+  <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;">
+ <!ENTITY test "test %g;">
++]>
+<cd></cd>
 EOF
 
   XML_WITH_4_ENTITY_EXPANSION = <<EOF
@@ -85,6 +99,19 @@ EOF
     REXML::Document.entity_expansion_limit = 10000
   end
 
+  def test_entity_expansion_limit_for_parameter_entity
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+    REXML::Document.entity_expansion_limit = 100
+    assert_equal(100, REXML::Document.entity_expansion_limit)
+    assert_raise(REXML::ParseException) do
+      REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY)
+    end
+  ensure
+    REXML::Document.entity_expansion_limit = 10000
+  end
+
   def test_tag_in_cdata_with_not_ascii_only_but_ascii8bit_encoding_source
     tag = "<b>...</b>"
     message = "こんにちは、世界！" # Hello world! in Japanese
diff --git a/test/rexml/test_entity.rb b/test/rexml/test_entity.rb
index 5900fac7a8..93c4c838f6 100644
--- a/test/rexml/test_entity.rb
+++ b/test/rexml/test_entity.rb
@@ -122,6 +122,22 @@ class EntityTester < Test::Unit::TestCase
     end
   end
 
+  def test_entity_string_limit_for_parameter_entity
+    template = '<!DOCTYPE bomb [ <!ENTITY % a "^" > <!ENTITY bomb "$" > ]><root/>'
+    len      = 5120 # 5k per entity
+    template.sub!(/\^/, "B" * len)
+
+    # 10k is OK
+    entities = '%a;' * 2 # 5k entity * 2 = 10k
+    REXML::Document.new(template.sub(/\$/, entities))
+
+    # above 10k explodes
+    entities = '%a;' * 3 # 5k entity * 2 = 15k
+    assert_raises(REXML::ParseException) do
+      REXML::Document.new(template.sub(/\$/, entities))
+    end
+  end
+
   def test_raw
     source = '<!DOCTYPE foo [
 <!ENTITY ent "replace">
diff --git a/version.h b/version.h
index 74cbca8ecd..923231cba1 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
 #define RUBY_VERSION "1.9.3"
-#define RUBY_PATCHLEVEL 549
+#define RUBY_PATCHLEVEL 550
 
-#define RUBY_RELEASE_DATE "2014-10-24"
+#define RUBY_RELEASE_DATE "2014-10-27"
 #define RUBY_RELEASE_YEAR 2014
 #define RUBY_RELEASE_MONTH 10
-#define RUBY_RELEASE_DAY 24
+#define RUBY_RELEASE_DAY 27
 
 #include "ruby/version.h"
 
-- 
cgit v1.2.3