xmlparse.c: Fix external entity infinite loop bug (CVE-2017-9233)
authorRhodri James <rhodri@kynesim.co.uk>
Wed, 14 Jun 2017 21:45:07 +0000 (23:45 +0200)
committerSebastian Pipping <sebastian@pipping.org>
Fri, 16 Jun 2017 23:00:05 +0000 (01:00 +0200)
expat/lib/xmlparse.c

index 7818f8dfa43de38de66e8ff5e05c8c1a506e1ef9..211459643aa4aa58b18f4fdf424b4f1b15fe5005 100644 (file)
@@ -3981,6 +3981,14 @@ entityValueInitProcessor(XML_Parser parser,
       *nextPtr = next;
       return XML_ERROR_NONE;
     }
+    /* If we get this token, we have the start of what might be a
+       normal tag, but not a declaration (i.e. it doesn't begin with
+       "<!").  In a DTD context, that isn't legal.
+    */
+    else if (tok == XML_TOK_INSTANCE_START) {
+      *nextPtr = next;
+      return XML_ERROR_SYNTAX;
+    }
     start = next;
     eventPtr = start;
   }
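Review bot: The added comment explains why `XML_TOK_INSTANCE_START` is illegal in a DTD context, but not why this branch is needed for termination, which is the security-relevant part of the fix (CVE-2017-9233 per the commit title). Presumably the tokenizer reports this token without advancing `next`, so the fall-through `start = next;` below the new branch would rescan the same bytes forever; I would add a line such as `/* Must return here: next is not advanced for this token, so falling through to start = next would never make progress. */`. The guard covers only this one token, so it is worth confirming that no other positive token can reach `start = next;` with `next == start`. A regression test feeding an external entity that starts with a plain tag should accompany the change if the commit does not add one elsewhere. The body of entityValueInitProcessor starts and ends outside this hunk, so the loop structure is inferred from the visible lines.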