This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1 in repository tor-browser.
The following commit(s) were added to refs/heads/tor-browser-91.13.0esr-11.5-1 by this push: new 147bc200fb10 Bug 1797336 - Apply expat CVE-2022-43680 fix. r=mccr8, a=dmeehan 147bc200fb10 is described below
commit 147bc200fb10ad3dcdee20bd6caa81163789a5b7 Author: Peter Van der Beken peterv@propagandism.org AuthorDate: Sun Oct 30 19:12:03 2022 +0000
Bug 1797336 - Apply expat CVE-2022-43680 fix. r=mccr8, a=dmeehan
Differential Revision: https://phabricator.services.mozilla.com/D160676 --- parser/expat/lib/xmlparse.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c index 05d5f0221e47..239f4fe281a7 100644 --- a/parser/expat/lib/xmlparse.c +++ b/parser/expat/lib/xmlparse.c @@ -1005,6 +1005,14 @@ parserCreate(const XML_Char *encodingName, parserInit(parser, encodingName);
if (encodingName && !protocolEncodingName) { + if (dtd) { + // We need to stop the upcoming call to XML_ParserFree from happily + // destroying parser->m_dtd because the DTD is shared with the parent + // parser and the only guard that keeps XML_ParserFree from destroying + // parser->m_dtd is parser->m_isParamEntity but it will be set to + // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all). + parser->m_dtd = NULL; + } XML_ParserFree(parser); return NULL; }