1
0
forked from pool/mozjs115
Files
mozjs115/mozjs115-CVE-2026-32777.patch

40 lines
1.5 KiB
Diff

From 55cda8c7125986e17d7e1825cba413bd94a35d02 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 1 Mar 2026 20:16:13 +0100
Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in
entityValueProcessor
.. that OSS-Fuzz/ClusterFuzz uncovered
---
expat/lib/xmlparse.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff -urp firefox-115.4.0.orig/parser/expat/lib/xmlparse.c firefox-115.4.0/parser/expat/lib/xmlparse.c
--- firefox-115.4.0.orig/parser/expat/lib/xmlparse.c 2026-04-25 05:00:29.864994760 -0500
+++ firefox-115.4.0/parser/expat/lib/xmlparse.c 2026-04-25 05:01:09.737259756 -0500
@@ -4346,7 +4346,7 @@ entityValueInitProcessor(XML_Parser pars
}
/* If we get this token, we have the start of what might be a
normal tag, but not a declaration (i.e. it doesn't begin with
- "<!"). In a DTD context, that isn't legal.
+ "<!" or "<?"). In a DTD context, that isn't legal.
*/
else if (tok == XML_TOK_INSTANCE_START) {
*nextPtr = next;
@@ -4430,6 +4430,15 @@ entityValueProcessor(XML_Parser parser,
/* found end of entity value - can store it now */
return storeEntityValue(parser, enc, s, end);
}
+ /* If we get this token, we have the start of what might be a
+ normal tag, but not a declaration (i.e. it doesn't begin with
+ "<!" or "<?"). In a DTD context, that isn't legal.
+ */
+ else if (tok == XML_TOK_INSTANCE_START) {
+ *nextPtr = next;
+ return XML_ERROR_SYNTAX;
+ }
+
start = next;
}
}