Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2
* dev/10/fp2/security-aosp-qt-release:
Fix overeager DTD destruction (fixes #649)
Change-Id: If0d70a897f48bf3281d0791ce87e4b981689a068
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 14ea967..074c841 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -1016,7 +1016,15 @@
poolInit(&parser->m_temp2Pool, &(parser->m_mem));
parserInit(parser, encodingName);
- if (encodingName && !parser->m_protocolEncodingName) {
+ if (encodingName && ! parser->m_protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
XML_ParserFree(parser);
return NULL;
}