diff options
author | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2022-12-01 19:09:51 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-12-01 19:09:51 +0000 |
commit | 811c3ce5a3692eb882c4f5ec05dae308051e3de6 (patch) | |
tree | a3f09e37a6ad41a16a923648a040f3a874ccdd4a | |
parent | 4fb4092bb2b218b7d77324e09516b79df79f9580 (diff) | |
parent | eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a (diff) | |
download | expat-811c3ce5a3692eb882c4f5ec05dae308051e3de6.tar.gz |
[CVE-2022-43680] Fix overeager DTD destruction (fixes #649) am: eb8f10fb1f
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/expat/+/20494973
Change-Id: Iea283dd594ddbe04e61639680b7365a5d2424c87
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | lib/xmlparse.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c index 14ea9673..074c841a 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c @@ -1016,7 +1016,15 @@ parserCreate(const XML_Char *encodingName, poolInit(&parser->m_temp2Pool, &(parser->m_mem)); parserInit(parser, encodingName); - if (encodingName && !parser->m_protocolEncodingName) { + if (encodingName && ! parser->m_protocolEncodingName) { + if (dtd) { + // We need to stop the upcoming call to XML_ParserFree from happily + // destroying parser->m_dtd because the DTD is shared with the parent + // parser and the only guard that keeps XML_ParserFree from destroying + // parser->m_dtd is parser->m_isParamEntity but it will be set to + // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). + parser->m_dtd = NULL; + } XML_ParserFree(parser); return NULL; } |