[tbb-commits] [tor-browser] branch tor-browser-91.13.0esr-11.5-1 updated: Bug 1797336 - Apply expat CVE-2022-43680 fix. r=mccr8, a=dmeehan

gitolite role git at cupani.torproject.org
Thu Nov 17 20:20:17 UTC 2022


This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1
in repository tor-browser.

The following commit(s) were added to refs/heads/tor-browser-91.13.0esr-11.5-1 by this push:
     new 147bc200fb10 Bug 1797336 - Apply expat CVE-2022-43680 fix. r=mccr8, a=dmeehan
147bc200fb10 is described below

commit 147bc200fb10ad3dcdee20bd6caa81163789a5b7
Author: Peter Van der Beken <peterv at propagandism.org>
AuthorDate: Sun Oct 30 19:12:03 2022 +0000

    Bug 1797336 - Apply expat CVE-2022-43680 fix. r=mccr8, a=dmeehan
    
    Differential Revision: https://phabricator.services.mozilla.com/D160676
---
 parser/expat/lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
index 05d5f0221e47..239f4fe281a7 100644
--- a/parser/expat/lib/xmlparse.c
+++ b/parser/expat/lib/xmlparse.c
@@ -1005,6 +1005,14 @@ parserCreate(const XML_Char *encodingName,
   parserInit(parser, encodingName);
 
   if (encodingName && !protocolEncodingName) {
+    if (dtd) {
+      // We need to stop the upcoming call to XML_ParserFree from happily
+      // destroying parser->m_dtd because the DTD is shared with the parent
+      // parser and the only guard that keeps XML_ParserFree from destroying
+      // parser->m_dtd is parser->m_isParamEntity but it will be set to
+      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+      parser->m_dtd = NULL;
+    }
     XML_ParserFree(parser);
     return NULL;
   }

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the tbb-commits mailing list