Details
- Bug
- Resolution: Done
- P2: Important
- 4.8.6, 5.2.0
- None
- Fedora 18, i686
- 185ba7f4cfd577189f9d8b9d55d7f9ae467055d3 (qt/qtbase/dev)
Description
The fix for CVE-2013-4549 introduces a hard limit of 1024 characters (QXmlSimpleReaderPrivate::entityCharacterLimit) for the length of an entity, at least when processing nested entities.
Unfortunately, this breaks some XML files in actual use. One such file is KatePart's lilypond.xml syntax highlighting definition. The version I tested:
https://projects.kde.org/projects/kde/applications/kate/repository/entry/part/syntax/data/lilypond.xml?rev=KDE%2F4.10
Trying to open any *.ly file in any KatePart-based editor (you can even use a dummy file with any contents to reproduce the error, only the syntax highlighting definition matters) yields the following error:
The error The XML entity "commands-other" expands too a string that is too large to process (2594 characters > 1024).
has been detected in the file /usr/share/kde4/apps/katepart/syntax/lilypond.xml at 15/56
I suggest increasing the limit to at least 65536.
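
The following audit script is an added example. It is not part of the original report or of Qt. It computes the expanded length of each nested entity in a DTD internal subset without materialising the expansion and compares the result against a candidate limit such as the 1024 and 65536 values discussed above. The function names and the sample DTD are assumptions made for illustration; only double-quoted internal general entities are handled, and the count approximates rather than reproduces QXmlSimpleReader's own accounting.

```python
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([\w.-]+);')


def parse_entities(dtd):
    """Collect internal general entities declared as <!ENTITY name "value">."""
    entities = {}
    for name, value in ENTITY_DECL.findall(dtd):
        entities.setdefault(name, value)  # the first declaration wins in XML
    return entities


def expanded_length(entities, name, memo):
    """Expanded length of an entity, computed without building the string."""
    if name in memo:
        return memo[name]
    if name not in entities:
        return 0  # undeclared (or predefined, e.g. &lt;) references count as 0
    memo[name] = 0  # in-progress marker, so a reference cycle terminates
    value = entities[name]
    total = len(value)
    for ref in ENTITY_REF.finditer(value):
        # Replace the "&name;" token by the length of what it expands to.
        total += expanded_length(entities, ref.group(1), memo) - len(ref.group(0))
    memo[name] = total
    return total


def over_limit(entities, limit):
    """Map each entity whose expansion exceeds `limit` characters to its length."""
    memo = {}
    lengths = {name: expanded_length(entities, name, memo) for name in entities}
    return {name: n for name, n in lengths.items() if n > limit}


# Constructed sample: a 30-item alternation list built from a nested entity,
# plus a 20-level chain in which every entity references the previous one twice.
SAMPLE_DTD = '<!ENTITY chunk "%s">\n<!ENTITY list "%s">\n<!ENTITY d0 "ab">\n' % (
    "x" * 100, "&chunk;|" * 30)
SAMPLE_DTD += "".join('<!ENTITY d%d "&d%d;&d%d;">\n' % (i, i - 1, i - 1) for i in range(1, 21))

if __name__ == "__main__":
    entities = parse_entities(SAMPLE_DTD)
    for limit in (1024, 65536):
        print(limit, sorted(over_limit(entities, limit).items(), key=lambda kv: kv[1]))
```

In the constructed sample, the alternation list is flagged at a limit of 1024 but passes at 65536, while the upper levels of the doubling chain are flagged at both limits.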