From: bluhm <bluhm@openbsd.org>
Date: Thu, 14 Mar 2024 17:35:37 +0000 (+0000)
Subject: Cerry-pick fix for CVE-2024-28757 from libexpat.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=c53bfe587459b8969b9f2306e53762f1dcfd401f;p=openbsd

Cerry-pick fix for CVE-2024-28757 from libexpat.

Detect billion laughs attack with isolated external parser.
github commit 1d50b80cf31de87750103656f6eb693746854aa8

OK deraadt@
---

diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c
index aaf0fa9c8f9..dfaa527af3a 100644
--- a/lib/libexpat/lib/xmlparse.c
+++ b/lib/libexpat/lib/xmlparse.c
@@ -7779,6 +7779,8 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
 
 static float
 accountingGetCurrentAmplification(XML_Parser rootParser) {
+  //                                          1.........1.........12 => 22
+  const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1;
   const XmlBigCount countBytesOutput
       = rootParser->m_accounting.countBytesDirect
         + rootParser->m_accounting.countBytesIndirect;
@@ -7786,7 +7788,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) {
       = rootParser->m_accounting.countBytesDirect
             ? (countBytesOutput
                / (float)(rootParser->m_accounting.countBytesDirect))
-            : 1.0f;
+            : ((lenOfShortestInclude
+                + rootParser->m_accounting.countBytesIndirect)
+               / (float)lenOfShortestInclude);
   assert(! rootParser->m_parentParser);
   return amplificationFactor;
 }