Occurrence fuzzer causes resource exhaustion with recursive schemas #2

@GoogleCodeExporter
If the XML schema defines a recursive element (so an element can be a child of 
itself) then the Occurrence fuzzing will cause resource exhaustion if it finds 
an actual instance of this in the XML and the number of occurrences specified 
is high enough.  See MathML and the <apply> element with 100 occurrences.

The problem is when the Occurrence fuzzer tries to fuzz the child instance it 
will look for other valid instances of that XML element to generate the number 
of occurrences.  One of the instances it will find and use is the parent 
element.  But since the parent element contains the child element and we are 
constantly adding occurrences in the child's position we are effectively adding 
the parent element to itself, which causes an exponential growth in size.

We need to either
(a) ensure the instances of the element we find are not recursive
(b) make deep copies of the instances of the elements we use for occurrence 
fuzzing

I'd prefer (b), but (a) might be more practical.

Original issue reported on code.google.com by d...@samadhicsecurity.com on 22 Mar 2014 at 5:55
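
The growth described in this issue and the two proposed fixes, reproduced in a small Python model. This is an added example, not the project's code: the sample document, `fuzz_occurrences` and its `mode` names are assumptions, and the naive mode models the bug by copying the live donor element at insertion time.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: a MathML-like document where <apply> contains <apply>.
DOC = "<math><apply><plus/><apply><times/><ci>x</ci></apply></apply></math>"

def size(elem):
    """Number of elements in the subtree rooted at elem."""
    return sum(1 for _ in elem.iter())

def ancestors(root, target):
    """Return every ancestor of target, nearest first."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    while target in parent_of:
        target = parent_of[target]
        found.append(target)
    return found

def fuzz_occurrences(xml, count, mode):
    """Add `count` occurrences next to the nested <apply>; return the
    document size (element count) after each insertion."""
    root = ET.fromstring(xml)
    outer = root.find("apply")        # parent element
    target = outer.find("apply")      # recursive child being fuzzed
    candidates = list(root.iter(target.tag))   # includes the parent itself
    if mode == "filter":              # option (a): drop recursive instances
        anc = ancestors(root, target)
        candidates = [e for e in candidates if e not in anc]
    elif mode == "snapshot":          # option (b): deep copies taken up front
        candidates = [copy.deepcopy(e) for e in candidates]
    sizes = []
    for i in range(count):
        donor = candidates[i % len(candidates)]
        # In "naive" mode the donor may be the live parent, which already
        # holds every occurrence added so far, so each reuse doubles it.
        outer.append(copy.deepcopy(donor))
        sizes.append(size(root))
    return sizes

if __name__ == "__main__":
    for mode in ("naive", "filter", "snapshot"):
        print(mode, fuzz_occurrences(DOC, 6, mode))
```

Only the `filter` and `snapshot` modes are safe to run with 100 occurrences; the naive mode roughly doubles the document on every second insertion.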
