  1. Xerces2-J
  2. XERCESJ-1759

Add support for jdk.xml.maxElementDepth to SecureProcessingConfiguration.


Details

    Description

      When parsing an XML file similar to the following by calling the javax.xml.parsers.DocumentBuilder#parse(java.io.File) method, the elements are nested layer by layer and there is no element closing tag. Since the depth of elements cannot be verified, the array in org.apache.xerces.impl.XMLDocumentFragmentScannerImpl#fElementStack will continue to increase the number of QName objects, resulting in excessive memory and DoS problems.

       
      <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
      <A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1"><A a="1">…
       

      After testing, we found that a file of 12.93M will cause an OOM exception in a service with a maximum heap memory of 250M.

       

      We checked the JDK information and found that we can limit the nesting depth of XML elements by setting the system property jdk.xml.maxElementDepth. We hope Xerces can solve this problem.

      Attachments

        1. image-2023-09-05-01-37-14-363.png
          74 kB
          shuailingliang

        Activity

          People

            Unassigned Unassigned
            leon_s shuailingliang
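
A caller-side depth guard for the nesting problem reported above, as an added example that is not part of the original issue or of Xerces itself: a SAX handler counts open elements and aborts the parse once a limit is exceeded. The class names, the `MAX_DEPTH` value and the sample inputs are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class DepthLimitDemo {
    // Hypothetical limit for this example; set it to the deepest nesting you legitimately accept.
    static final int MAX_DEPTH = 100;

    // Tracks open elements and throws as soon as nesting passes MAX_DEPTH, which ends the parse early.
    static class DepthLimitHandler extends DefaultHandler {
        private int depth;
        @Override
        public void startElement(String uri, String local, String qName, Attributes atts) throws SAXException {
            if (++depth > MAX_DEPTH) {
                throw new SAXException("element depth " + depth + " exceeds limit " + MAX_DEPTH);
            }
        }
        @Override
        public void endElement(String uri, String local, String qName) {
            depth--;
        }
    }

    // Returns true if the document parsed within the limit, false if it was rejected or is malformed.
    static boolean withinDepthLimit(byte[] xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        try {
            factory.newSAXParser().parse(new ByteArrayInputStream(xml), new DepthLimitHandler());
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a shallow document, and one shaped like the report's sample (opened, never closed).
        StringBuilder nested = new StringBuilder();
        for (int i = 0; i < 5000; i++) nested.append("<A a=\"1\">");
        String shallow = "<A a=\"1\"><A a=\"1\"/></A>";
        System.out.println("shallow accepted: " + withinDepthLimit(shallow.getBytes(StandardCharsets.UTF_8)));
        System.out.println("nested accepted:  " + withinDepthLimit(nested.toString().getBytes(StandardCharsets.UTF_8)));
    }
}
```

This covers the SAX path only; the DocumentBuilder#parse call in the report exposes no per-element hook, so a DOM caller would have to run the same check as a pre-pass or build the tree from SAX events.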