41 lines
1.7 KiB
Diff
41 lines
1.7 KiB
Diff
diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 firefox-91.7.0/parser/expat/lib/xmlparse.c
|
|
--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 2022-03-02 18:08:40.085642028 +0100
|
|
+++ firefox-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:13:31.838667958 +0100
|
|
@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
|
|
XML_Parser XMLCALL
|
|
XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
|
|
{
|
|
- XML_Char tmp[2];
|
|
- *tmp = nsSep;
|
|
+ XML_Char tmp[2] = {nsSep, 0};
|
|
return XML_ParserCreate_MM(encodingName, NULL, tmp);
|
|
}
|
|
#endif
|
|
@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
|
|
would be otherwise.
|
|
*/
|
|
if (ns) {
|
|
- XML_Char tmp[2];
|
|
- *tmp = namespaceSeparator;
|
|
+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
|
|
parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
|
|
}
|
|
else {
|
|
@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
|
|
if (!mustBeXML && isXMLNS
|
|
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
|
|
isXMLNS = XML_FALSE;
|
|
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
|
|
+ // we have to at least make sure that the XML processor on top of
|
|
+ // Expat (that is splitting tag names by namespace separator into
|
|
+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
|
|
+ // by an attacker putting additional namespace separator characters
|
|
+ // into namespace declarations. That would be ambiguous and not to
|
|
+ // be expected.
|
|
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
|
|
+ return XML_ERROR_SYNTAX;
|
|
+ }
|
|
}
|
|
isXML = isXML && len == xmlLen;
|
|
isXMLNS = isXMLNS && len == xmlnsLen;
|