Release 2.2.? ????????????????
Security fixes:
#81 Pre-10.7/Lion macOS: Support entropy from arc4random
- #82 Windows: Fix DLL hijacking vulnerability
+ #82 Windows: Fix DLL hijacking vulnerability using
+ Steve Holme's LoadLibrary wrapper for/of cURL
Bug fixes:
#85 Fix a dangling pointer issue related to realloc
#ifdef _WIN32
typedef BOOLEAN (APIENTRY *RTLGENRANDOM_FUNC)(PVOID, ULONG);
+HMODULE Curl_load_library(LPCTSTR filename); /* see loadlibrary.c */
/* Obtain entropy on Windows XP / Windows Server 2003 and later.
* Hint on RtlGenRandom and the following article from libsodium.
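Review bot: The prototype for `Curl_load_library` on the added line is hand-written in this .c file instead of coming from a header shared with loadlibrary.c, so the compiler cannot catch a mismatch if the definition's signature or calling convention later changes. The `Curl_` prefix is a second concern: if the wrapper has external linkage under that name, a program that statically links both this library and libcurl could get a duplicate-symbol error or bind to the other copy, and this is the loader the DLL-hijacking fix relies on. A project-specific name declared in a small shared header would avoid both problems. At minimum the comment could state the contract, e.g. `/* see loadlibrary.c; must load bare names from the system directory only */`.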
static int
writeRandomBytes_RtlGenRandom(void * target, size_t count) {
int success = 0; /* full count bytes written? */
- const LPCTSTR file_name = TEXT("ADVAPI32.DLL");
- HMODULE advapi32 = LoadLibraryEx(file_name, 0, LOAD_LIBRARY_SEARCH_SYSTEM32);
-
- if (! advapi32) {
- /* Try again without LOAD_LIBRARY_SEARCH_SYSTEM32 if unsupported */
- advapi32 = LoadLibraryEx(file_name, 0, 0);
- }
+ const HMODULE advapi32 = Curl_load_library(TEXT("ADVAPI32.DLL"));
if (advapi32) {
const RTLGENRANDOM_FUNC RtlGenRandom
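Review bot: The added call passes the bare name `TEXT("ADVAPI32.DLL")`, so whether the search-order hijack is closed now depends entirely on `Curl_load_library`, whose body is not part of this hunk. The removed fallback `LoadLibraryEx(file_name, 0, 0)` was the path that used the default search order; it is worth confirming that the wrapper has no equivalent path that resolves the name outside the system directory on Windows versions lacking `LOAD_LIBRARY_SEARCH_SYSTEM32`. A short comment above the call would keep that requirement visible to later maintainers, e.g. `/* wrapper must resolve to the system directory, never the default DLL search path */`. The body of writeRandomBytes_RtlGenRandom continues past the end of the hunk, so how the module handle is released cannot be checked here.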