Bug 1374012 - Update to Expat 2.2.1. Part 3: Reject invalid DTD. r=erahm, a=RyanVM
authorPeter Van der Beken <peterv@propagandism.org>
Thu, 27 Dec 2018 15:13:12 +0000
changeset 509229 17e8d96276c7ebb7653008b1786de8fb17e681ab
parent 509228 e1a947b12b5838f7e26204130a743a57526a2303
child 509230 23c14c1175b646c67fd4637982a714da57b43e62
push id1905
push userffxbld-merge
push dateMon, 21 Jan 2019 12:33:13 +0000
reviewerserahm, RyanVM
bugs1374012
milestone65.0
Bug 1374012 - Update to Expat 2.2.1. Part 3: Reject invalid DTD. r=erahm, a=RyanVM Differential Revision: https://phabricator.services.mozilla.com/D14442
parser/expat/lib/xmlparse.c
--- a/parser/expat/lib/xmlparse.c
+++ b/parser/expat/lib/xmlparse.c
@@ -3929,16 +3929,24 @@ entityValueInitProcessor(XML_Parser pars
        tokens, but not for the BOM - we would rather like to skip it;
        then, when this routine is entered the next time, XmlPrologTok will
        return XML_TOK_INVALID, since the BOM is still in the buffer
     */
     else if (tok == XML_TOK_BOM && next == end && !ps_finalBuffer) {
       *nextPtr = next;
       return XML_ERROR_NONE;
     }
+    /* If we get this token, we have the start of what might be a
+       normal tag, but not a declaration (i.e. it doesn't begin with
+       "<!").  In a DTD context, that isn't legal.
+    */
+    else if (tok == XML_TOK_INSTANCE_START) {
+      *nextPtr = next;
+      return XML_ERROR_SYNTAX;
+    }
     start = next;
     eventPtr = start;
   }
 }
 
 static enum XML_Error PTRCALL
 externalParEntProcessor(XML_Parser parser,
                         const char *s,
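Review bot: The comment on the new `XML_TOK_INSTANCE_START` branch says the token is illegal in a DTD context, but it does not say why the branch must return instead of falling through to `start = next;`. If the tokenizer reports this token without moving `next` past it (not visible in this hunk, so worth confirming against `XmlPrologTok`), the enclosing loop would re-scan the same bytes indefinitely on a malformed external entity, which is a parser hang on untrusted input. I would add a sentence to the comment such as `Returning here also guarantees the loop terminates: the tokenizer may not advance past this token, so continuing with start = next would not make progress.` A regression test that feeds a DTD-context entity value starting with a plain `<tag` and asserts `XML_ERROR_SYNTAX` would pin this behaviour across future Expat updates. The body of `entityValueInitProcessor` begins outside the hunk, so the loop header and the initial `eventPtr` assignment could not be checked here.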