# HG changeset patch # User Kim Alvefur # Date 1642669040 -3600 # Node ID e5e0ab93d7f462f45e6fd0bfe19f5787a3a3f5e4 # Parent 5e21cf21d398552e266e230e6ebc655740d76ba6 util.xml: Break reference to help the GC (fix #1711) LuaExpat uses a registry reference to track handlers, which makes it so that an upvalue like this creates a reference loop that keeps the parser and its handlers from being garbage collected. The same issue has affected util.xmppstream in the past. Code for checking: local xml_parse = require"util.xml".parse; for i = 1, 10000 do xml_parse("") end collectgarbage(); collectgarbage(); print(collectgarbage("count"), "KiB"); A future release of LuaExpat may fix the underlying issue there. diff -r 5e21cf21d398 -r e5e0ab93d7f4 util/xml.lua --- a/util/xml.lua Thu Jan 13 12:18:49 2022 +0000 +++ b/util/xml.lua Thu Jan 20 09:57:20 2022 +0100 @@ -65,27 +65,26 @@ function handler:EndElement() stanza:up(); end - local parser; -- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs. function handler:StartDoctypeDecl() - if not parser.stop or not parser:stop() then + if not self.stop or not self:stop() then error("Failed to abort parsing"); end end function handler:ProcessingInstruction() - if not parser.stop or not parser:stop() then + if not self.stop or not self:stop() then error("Failed to abort parsing"); end end if not options or not options.allow_comments then -- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data function handler:Comment() - if not parser.stop or not parser:stop() then + if not self.stop or not self:stop() then error("Failed to abort parsing"); end end end - parser = lxp.new(handler, ns_separator); + local parser = lxp.new(handler, ns_separator); local ok, err, line, col = parser:parse(xml); if ok then ok, err, line, col = parser:parse(); end --parser:close();