authorSadaf Ebrahimi <sadafebrahimi@google.com>2022-11-16 16:31:05 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2022-12-08 04:02:03 +0000
commit1c67edf168725bc3be8a84336636533932a98c92 (patch)
treeb3732c1c5d6c0f72d78df2d68d37ad37a7fa0d90
parent0305a41b4de3c8c98e173315c0804fc74cb3e2ba (diff)
downloadexpat-1c67edf168725bc3be8a84336636533932a98c92.tar.gz
[CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293 Test: TreeHugger Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6 (cherry picked from commit 6944d3ebed0d631c92fdc31098e751b13dd110ba) Merged-In: I15ba529c07a6b868484bd5972be154c07cd97cc6
-rw-r--r--lib/xmlparse.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 06dcb32a..c84b5ede 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -970,6 +970,14 @@ parserCreate(const XML_Char *encodingName,
parserInit(parser, encodingName);
if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
XML_ParserFree(parser);
return NULL;
}