Details
Description
If the parser needs to autodetect the encoding of the input stream, it wraps the input stream using the RewindableInputStream class within XMLEntityManager. But this class buffers everything that is read from the stream, even after the autodetection is complete (and no possibility of rewind being used exists anymore). It is therefore trivial to submit XML to xerces2-j which causes an "OutOfMemoryError" exception to be thrown, which could lead to a denial of service under appropriate conditions.
The fix I created for this involved adding a method "stopBuffering()" to the RewindableInputStream class, which shuts off further buffering by that class. I call this method when the encoding has been decided upon (i.e. right before createReader is called, everywhere).