https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6080

diff --git a/MagickCore/xml-tree.c b/MagickCore/xml-tree.c
index 245af83ac714b8a9daf9688cfb13750ffe9dcf3a..914d98e4f2da6b329b2bab86d2517b6e0fbd4a9a 100644 (file)
--- a/MagickCore/xml-tree.c
+++ b/MagickCore/xml-tree.c
@@ -1583,7 +1583,8 @@ static XMLTreeInfo *ParseCloseTag(XMLTreeRoot *root,char *tag,
   return((XMLTreeInfo *) NULL);
 }
 
-static MagickBooleanType ValidateEntities(char *tag,char *xml,char **entities)
+static MagickBooleanType ValidateEntities(char *tag,char *xml,char **entities,
+  const size_t depth)
 {
   register ssize_t
     i;
@@ -1591,6 +1592,8 @@ static MagickBooleanType ValidateEntities(char *tag,char *xml,char **entities)
   /*
     Check for circular entity references.
   */
+  if (depth > MagickMaxRecursionDepth)
+    return(MagickFalse);
   for ( ; ; xml++)
   {
     while ((*xml != '\0') && (*xml != '&'))
@@ -1604,7 +1607,7 @@ static MagickBooleanType ValidateEntities(char *tag,char *xml,char **entities)
            (strncmp(entities[i],xml+1,strlen(entities[i])) == 0))
       i+=2;
     if ((entities[i] != (char *) NULL) &&
-        (ValidateEntities(tag,entities[i+1],entities) == 0))
+        (ValidateEntities(tag,entities[i+1],entities,depth) == 0))
       return(MagickFalse);
   }
 }
@@ -1754,7 +1757,7 @@ static MagickBooleanType ParseInternalDoctype(XMLTreeRoot *root,char *xml,
           }
         entities[i+1]=ParseEntities(v,predefined_entitites,'%');
         entities[i+2]=(char *) NULL;
-        if (ValidateEntities(n,entities[i+1],entities) != MagickFalse)
+        if (ValidateEntities(n,entities[i+1],entities,0) != MagickFalse)
           entities[i]=n;
         else
           {