authorSadaf Ebrahimi <sadafebrahimi@google.com>2022-12-01 19:09:51 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-12-01 19:09:51 +0000
commit811c3ce5a3692eb882c4f5ec05dae308051e3de6 (patch)
treea3f09e37a6ad41a16a923648a040f3a874ccdd4a
parent4fb4092bb2b218b7d77324e09516b79df79f9580 (diff)
parenteb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a (diff)
downloadexpat-811c3ce5a3692eb882c4f5ec05dae308051e3de6.tar.gz
[CVE-2022-43680] Fix overeager DTD destruction (fixes #649) am: eb8f10fb1f
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/expat/+/20494973 Change-Id: Iea283dd594ddbe04e61639680b7365a5d2424c87 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--lib/xmlparse.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 14ea9673..074c841a 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1016,7 +1016,15 @@ parserCreate(const XML_Char *encodingName,
poolInit(&parser->m_temp2Pool, &(parser->m_mem));
parserInit(parser, encodingName);
- if (encodingName && !parser->m_protocolEncodingName) {
+ if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
XML_ParserFree(parser);
return NULL;
}
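Review bot: The new guard is only safe if XML_ParserFree tolerates `parser->m_dtd == NULL` on its DTD-destroy path (skips dtdDestroy rather than dereferencing it), which this hunk does not show; the comment should state that dependency explicitly, e.g. `// Relies on XML_ParserFree skipping dtdDestroy when m_dtd is NULL.` The same use-after-free hazard applies to any other early return parserCreate can take after `parser->m_dtd` is assigned the shared `dtd` but before XML_ExternalEntityParserCreate sets m_isParamEntity; only this one path is patched, and since parserCreate begins and ends outside the hunk the remaining paths cannot be checked from this view. The diffstat lists only lib/xmlparse.c, so no regression test accompanies the fix; if the test suite has allocation-failure injection, a test that creates an external entity parser with a non-NULL encodingName under a failing allocator and then frees the parent would pin the fixed behavior.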