Blob Blame History Raw
diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 firefox-91.7.0/parser/expat/lib/xmlparse.c
--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236	2022-03-02 18:08:40.085642028 +0100
+++ firefox-91.7.0/parser/expat/lib/xmlparse.c	2022-03-02 18:13:31.838667958 +0100
@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
 XML_Parser XMLCALL
 XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
 {
-  XML_Char tmp[2];
-  *tmp = nsSep;
+  XML_Char tmp[2] = {nsSep, 0};
   return XML_ParserCreate_MM(encodingName, NULL, tmp);
 }
 #endif
@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
      would be otherwise.
   */
   if (ns) {
-    XML_Char tmp[2];
-    *tmp = namespaceSeparator;
+    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
     parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
   }
   else {
@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
     if (!mustBeXML && isXMLNS
         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
       isXMLNS = XML_FALSE;
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+    //       we have to at least make sure that the XML processor on top of
+    //       Expat (that is splitting tag names by namespace separator into
+    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+    //       by an attacker putting additional namespace separator characters
+    //       into namespace declarations.  That would be ambiguous and not to
+    //       be expected.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+      return XML_ERROR_SYNTAX;
+    }
   }
   isXML = isXML && len == xmlLen;
   isXMLNS = isXMLNS && len == xmlnsLen;