--- parser.c.orig 2001-09-14 16:09:41.000000000 +0200 +++ parser.c 2009-08-03 17:02:24.000000000 +0200 @@ -5164,11 +5164,15 @@ xmlParseNotationType(xmlParserCtxtPtr ct "Name expected in NOTATION declaration\n"); ctxt->wellFormed = 0; ctxt->disableSAX = 1; - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } cur = xmlCreateEnumeration(name); xmlFree(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -5183,9 +5187,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct "')' required to finish NOTATION declaration\n"); ctxt->wellFormed = 0; ctxt->disableSAX = 1; - if ((last != NULL) && (last != ret)) - xmlFreeEnumeration(last); - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } NEXT; return(ret); @@ -5232,11 +5235,15 @@ xmlParseEnumerationType(xmlParserCtxtPtr "NmToken expected in ATTLIST enumeration\n"); ctxt->wellFormed = 0; ctxt->disableSAX = 1; - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } cur = xmlCreateEnumeration(name); xmlFree(name); - if (cur == NULL) return(ret); + if (cur == NULL) { + xmlFreeEnumeration(ret); + return(NULL); + } if (last == NULL) ret = last = cur; else { last->next = cur; @@ -5251,7 +5258,8 @@ xmlParseEnumerationType(xmlParserCtxtPtr "')' required to finish ATTLIST enumeration\n"); ctxt->wellFormed = 0; ctxt->disableSAX = 1; - return(ret); + xmlFreeEnumeration(ret); + return(NULL); } NEXT; return(ret); @@ -5715,13 +5723,25 @@ xmlParseElementChildrenContentDecl xmlChar *elem; xmlChar type = 0; + if (ctxt->depth > 128) { + ctxt->errNo = XML_ERR_ELEMCONTENT_NOT_FINISHED; + if ((ctxt->sax != NULL) && (ctxt->sax->error != NULL)) + ctxt->sax->error(ctxt->userData, + "xmlParseElementChildrenContentDecl : depth %d too deep\n", + ctxt->depth); + ctxt->wellFormed = 0; + ctxt->disableSAX = 1; + return(NULL); + } SKIP_BLANKS; GROW; if (RAW == '(') { /* Recurse on first child */ NEXT; SKIP_BLANKS; + ctxt->depth++; cur = ret = xmlParseElementChildrenContentDecl(ctxt); + ctxt->depth--; SKIP_BLANKS; GROW; } else { @@ -5865,7 +5885,9 @@ xmlParseElementChildrenContentDecl /* Recurse on second child */ NEXT; SKIP_BLANKS; + ctxt->depth++; last = xmlParseElementChildrenContentDecl(ctxt); + ctxt->depth--; SKIP_BLANKS; } else { elem = xmlParseNameComplex(ctxt);