From eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 14ea9673..074c841a 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1016,7 +1016,15 @@ parserCreate(const XML_Char *encodingName,
 poolInit(&parser->m_temp2Pool, &(parser->m_mem));
 parserInit(parser, encodingName);
- if (encodingName && !parser->m_protocolEncodingName) {
+ if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
From 6944d3ebed0d631c92fdc31098e751b13dd110ba Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 06dcb32a..c84b5ede 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
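Review bot: The removed/added pair `-  if (encodingName && !parser->m_protocolEncodingName) {` / `+  if (encodingName && ! parser->m_protocolEncodingName) {` differs only in whitespace, so this backport bundles a cosmetic reformat with the CVE fix; dropping that pair and keeping only the added `if (dtd)` block makes the security patch minimal and easier to audit and cherry-pick. The diffstat lists only lib/xmlparse.c, so no regression test travels with the fix; a test that creates an external-entity parser with an unrecognised encoding on a parent that owns a DTD and then frees the parent under ASan would pin the double-free the comment describes. parserCreate begins and ends outside this hunk.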
@@ -970,6 +970,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
From 5834ffe36a2999b8c68663fa05e4487a3c67209f Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 06dcb32a..c84b5ede 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -970,6 +970,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
From 33765f82b29f6c1c5cecbbb8cf9dbd7327b3a93a Mon Sep 17 00:00:00 2001
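Review bot: No regression test accompanies the fix — the diffstat shows only lib/xmlparse.c changed — so nothing in this branch would catch the shared-DTD double free coming back. A runtests.c case that calls XML_ExternalEntityParserCreate with an encoding name that fails to resolve (so this `return NULL` path is taken) and then frees the parent parser, run under ASan or valgrind, is enough to pin it. The exact caller-side sequence is inferred from the added comment, since XML_ExternalEntityParserCreate is not in this hunk, and parserCreate itself begins and ends outside it.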
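Review bot: The guard `if (dtd)` keys on the argument, while the comment's reasoning is about `parser->m_dtd` being the parent's DTD; the two coincide only if parserCreate stored `dtd` into `parser->m_dtd` unchanged, which happens outside this hunk and is not visible here. If the file already uses assert(), `assert(parser->m_dtd == dtd);` as the first statement inside the `if (dtd)` block would state that invariant and turn a future divergence into a loud failure rather than a silent leak or a revived double free. Otherwise a one-line comment such as `// parser->m_dtd is the caller's shared dtd here, not an allocation of ours` documents the assumption.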
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 729f94b8..381f3ef3 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -978,6 +978,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
From ee4b26f9db83dbb51639143719f8f67df025a519 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 729f94b8..381f3ef3 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
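Review bot: The five-line comment explains why `parser->m_dtd` is detached when `dtd` is non-NULL but says nothing about why it must stay attached otherwise, and a later maintainer may be tempted to hoist `parser->m_dtd = NULL;` out of the `if (dtd)` guard. If the `dtd == NULL` path of parserCreate allocates a DTD of its own (outside this hunk, so to be confirmed), that would leak it on every failed create. A closing line such as `// Otherwise m_dtd is this parser's own allocation and XML_ParserFree must release it.` after the `}` makes the asymmetry deliberate. parserCreate begins and ends outside the hunk.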
@@ -978,6 +978,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
From 9b0f62fd0f75a5dd555e882b8f8bd2075723ea70 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 729f94b8..381f3ef3 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -978,6 +978,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
From 63727cb0b8bdba580f5be48f7260e6e08fea5a5a Mon Sep 17 00:00:00 2001
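Review bot: The fix has no accompanying test in this branch — the diffstat shows only lib/xmlparse.c — even though the failure mode (a use-after-free/double free of the parent's DTD on an encoding-name failure) is exactly the kind of regression that is invisible without a sanitizer run. Suggest porting a case that drives XML_ExternalEntityParserCreate with an unresolvable encoding and then frees the parent, executed under ASan in CI. The trigger path is inferred from the added comment; XML_ExternalEntityParserCreate and the rest of parserCreate are outside this hunk.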
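Review bot: The comment's wording ("from happily destroying") is discursive for a security-critical early-return path; a tighter why-comment reads better and survives reflowing: `// m_dtd here is the parent's shared DTD. XML_ParserFree only spares m_dtd when m_isParamEntity is set, and the caller sets that flag later (or never), so detach it before freeing.` The guard on `dtd` rather than on `parser->m_dtd` should also be noted as relying on parserCreate having stored `dtd` unchanged, which is outside the hunk. parserCreate begins and ends outside this hunk.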
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 7db28d07..7e981919 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1066,6 +1066,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
From 03836568ec3e5a4051e54bf39568656d07f5a3dd Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi
Date: Wed, 16 Nov 2022 16:31:05 +0000
Subject: [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
Bug: http://b/255449293
Test: TreeHugger
Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
---
 lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 7db28d07..7e981919 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
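Review bot: The `if (dtd)` guard assumes `parser->m_dtd` and the `dtd` argument are the same object, but nothing in the hunk enforces it; the assignment that establishes that relationship sits earlier in parserCreate, outside this view. If assert() is already used in this file, `assert(parser->m_dtd == dtd);` at the top of the `if (dtd)` block turns a future refactor that breaks the pairing into an immediate failure instead of a silent leak or a reopened double free. parserCreate begins and ends outside this hunk.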
@@ -1066,6 +1066,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
--
cgit v1.2.3
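Review bot: No regression test is included with this backport (the diffstat touches only lib/xmlparse.c), so the shared-DTD double free this guards against could silently return on this branch. A test that creates a child parser via XML_ExternalEntityParserCreate with an encoding that fails to resolve, then frees the parent under ASan, would pin the fix; the trigger is inferred from the added comment since the caller is not in the hunk. Consider also a trailing `// dtd == NULL: m_dtd is our own and XML_ParserFree must free it` after the `}` so the asymmetry of the guard is not "fixed" later. parserCreate begins and ends outside this hunk.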