--- parser.c.orig	2009-08-03 15:33:12.000000000 +0200
+++ parser.c	2009-08-03 15:36:26.000000000 +0200
@@ -5300,7 +5300,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
 	if (name == NULL) {
 	    xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
 			   "Name expected in NOTATION declaration\n");
-	    return(ret);
+	    xmlFreeEnumeration(ret);
+	    return(NULL);
 	}
 	tmp = ret;
 	while (tmp != NULL) {
@@ -5316,7 +5317,10 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
 	}
 	if (tmp == NULL) {
 	    cur = xmlCreateEnumeration(name);
-	    if (cur == NULL) return(ret);
+	    if (cur == NULL) {
+		xmlFreeEnumeration(ret);
+		return(NULL);
+	    }
 	    if (last == NULL) ret = last = cur;
 	    else {
 		last->next = cur;
@@ -4791,9 +4796,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct
     } while (RAW == '|');
     if (RAW != ')') {
 	xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
-	if ((last != NULL) && (last != ret))
-	    xmlFreeEnumeration(last);
-	return(ret);
+        xmlFreeEnumeration(ret);
+	return(NULL);
     }
     NEXT;
     return(ret);
@@ -4834,7 +4838,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr
 	    cur = xmlCreateEnumeration(name);
 	    if (!xmlDictOwns(ctxt->dict, name))
 		xmlFree(name);
-	    if (cur == NULL) return(ret);
+	    if (cur == NULL) {
+		xmlFreeEnumeration(ret);
+		return(NULL);
+	    }
 	    if (last == NULL) ret = last = cur;
 	    else {
 		last->next = cur;
@@ -5232,6 +5239,12 @@ xmlParseElementChildrenContentDecl (xmlP
     const xmlChar *elem;
     xmlChar type = 0;
 
+    if (ctxt->depth > 128) {
+        xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
+                "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+                          ctxt->depth);
+	return(NULL);
+    }
     SKIP_BLANKS;
     GROW;
     if (RAW == '(') {
@@ -5240,7 +5253,9 @@ xmlParseElementChildrenContentDecl (xmlP
         /* Recurse on first child */
 	NEXT;
 	SKIP_BLANKS;
+        ctxt->depth++;
         cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
+        ctxt->depth--;
 	SKIP_BLANKS;
 	GROW;
     } else {
@@ -5370,7 +5385,9 @@ xmlParseElementChildrenContentDecl (xmlP
 	    /* Recurse on second child */
 	    NEXT;
 	    SKIP_BLANKS;
+            ctxt->depth++;
 	    last = xmlParseElementChildrenContentDecl(ctxt, inputid);
+            ctxt->depth--;
 	    SKIP_BLANKS;
 	} else {
 	    elem = xmlParseName(ctxt);