author | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2022-12-01 19:17:25 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-12-01 19:17:25 +0000 |
commit | 9cde97f869844474a7a5c29dfd8eb33f5e67c4e5 (patch) | |
tree | 3501dadfc8a8559645900663b74f481da07c113f | |
parent | 8e667dc0289c7917b4b67479d689bee4036f10b4 (diff) | |
parent | 63727cb0b8bdba580f5be48f7260e6e08fea5a5a (diff) | |
download | expat-9cde97f869844474a7a5c29dfd8eb33f5e67c4e5.tar.gz |
[CVE-2022-43680] Fix overeager DTD destruction (fixes #649) am: 63727cb0b8
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/expat/+/20497954
Change-Id: I9f3d5f05f088764c1698af87b0d79a6dec12d2b8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | lib/xmlparse.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 7db28d07..7e981919 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1066,6 +1066,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 } |
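Review bot: The new `if (dtd)` branch ships without a regression test: the diffstat lists only lib/xmlparse.c, and the branch is reached only when `parser->m_protocolEncodingName` is still NULL after `parserInit` despite a non-NULL `encodingName`, which presumably means an allocation failure that ordinary test runs never hit. A test that uses a failing allocator on the external-entity-parser creation path and then keeps using and frees the parent parser under a memory sanitizer would pin the fix. The branch also relies on XML_ParserFree skipping a NULL `parser->m_dtd`, which these lines do not show. It is worth confirming that, and recording it in the comment, e.g. `// XML_ParserFree must tolerate m_dtd == NULL for this to be safe.` parserCreate starts and ends outside the hunk, so it cannot be judged from here whether any other failure exit after the `m_dtd` assignment needs the same reset.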