author | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2022-11-16 16:31:05 +0000 |
---|---|---|
committer | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2022-11-16 19:45:32 +0000 |
commit | 9b0f62fd0f75a5dd555e882b8f8bd2075723ea70 (patch) | |
tree | 517ae94e1fc5f487fd2c8f3986eb6e7bc2fc5cd0 | |
parent | ebc9c65282235d493fbe009f045d0cf1a355701e (diff) | |
download | expat-9b0f62fd0f75a5dd555e882b8f8bd2075723ea70.tar.gz |
[CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
-rw-r--r-- | lib/xmlparse.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 729f94b8..381f3ef3 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -978,6 +978,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 } |
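Review bot: The diffstat shows only lib/xmlparse.c changed, so the error path this hunk repairs — parserCreate() entered with a non-NULL dtd (the XML_ExternalEntityParserCreate case, per the new comment) and the m_protocolEncodingName allocation failing — has no regression test in this commit; a test that drives that path through a failing allocator in a custom XML_Memory_Handling_Suite would pin the fix against the shared-DTD double destruction. The new guard also depends on XML_ParserFree tolerating parser->m_dtd == NULL, which the hunk does not show; if that holds, a short comment next to the assignment, `// XML_ParserFree must treat m_dtd == NULL as "nothing to destroy"`, would make that contract explicit for the next reader. parserCreate's body begins and ends outside the hunk.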