File expat-CVE-2019-15903.patch of Package expat.12445

From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Wed, 28 Aug 2019 00:24:59 +0200
Subject: [PATCH] xmlparse.c: Deny internal entities closing the doctype

---
 expat/lib/xmlparse.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

Index: expat-2.1.0/lib/xmlparse.c
===================================================================
--- expat-2.1.0.orig/lib/xmlparse.c
+++ expat-2.1.0/lib/xmlparse.c
@@ -338,7 +338,7 @@ initializeEncoding(XML_Parser parser);
 static enum XML_Error
 doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
          const char *end, int tok, const char *next, const char **nextPtr,
-         XML_Bool haveMore);
+         XML_Bool haveMore, XML_Bool allowClosingDoctype);
 static enum XML_Error
 processInternalEntity(XML_Parser parser, ENTITY *entity,
                       XML_Bool betweenDecl);
@@ -3745,7 +3745,7 @@ externalParEntProcessor(XML_Parser parse
 
   processor = prologProcessor;
   return doProlog(parser, encoding, s, end, tok, next,
-                  nextPtr, (XML_Bool)!ps_finalBuffer);
+                  nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
 }
 
 static enum XML_Error PTRCALL
@@ -3795,7 +3795,7 @@ prologProcessor(XML_Parser parser,
   const char *next = s;
   int tok = XmlPrologTok(encoding, s, end, &next);
   return doProlog(parser, encoding, s, end, tok, next,
-                  nextPtr, (XML_Bool)!ps_finalBuffer);
+                  nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
 }
 
 static enum XML_Error
@@ -3806,7 +3806,8 @@ doProlog(XML_Parser parser,
          int tok,
          const char *next,
          const char **nextPtr,
-         XML_Bool haveMore)
+         XML_Bool haveMore,
+	 XML_Bool allowClosingDoctype)
 {
 #ifdef XML_DTD
   static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
@@ -3982,6 +3983,10 @@ doProlog(XML_Parser parser,
       }
       break;
     case XML_ROLE_DOCTYPE_CLOSE:
+      if (allowClosingDoctype != XML_TRUE) {
+	/* Must not close doctype from within expanded parameter entities */
+	return XML_ERROR_INVALID_TOKEN;
+      }
       if (doctypeName) {
         startDoctypeDeclHandler(handlerArg, doctypeName,
                                 doctypeSysid, doctypePubid, 0);
@@ -4883,7 +4888,7 @@ processInternalEntity(XML_Parser parser,
   if (entity->is_param) {
     int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next);
     result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
-                      next, &next, XML_FALSE);
+                      next, &next, XML_FALSE, XML_FALSE);
   }
   else
 #endif /* XML_DTD */
@@ -4928,7 +4933,7 @@ internalEntityProcessor(XML_Parser parse
   if (entity->is_param) {
     int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next);
     result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
-                      next, &next, XML_FALSE);
+                      next, &next, XML_FALSE, XML_TRUE);
   }
   else
 #endif /* XML_DTD */
@@ -4955,7 +4960,7 @@ internalEntityProcessor(XML_Parser parse
     processor = prologProcessor;
     tok = XmlPrologTok(encoding, s, end, &next);
     return doProlog(parser, encoding, s, end, tok, next, nextPtr,
-                    (XML_Bool)!ps_finalBuffer);
+                    (XML_Bool)!ps_finalBuffer, XML_TRUE);
   }
   else
 #endif /* XML_DTD */
openSUSE Build Service is sponsored by