From c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f Mon Sep 17 00:00:00 2001
From: Rhodri James <rhodri@kynesim.co.uk>
Date: Wed, 14 Jun 2017 23:45:07 +0200
Subject: [PATCH] xmlparse.c: Fix external entity infinite loop bug
 (CVE-2017-9233)

---
 expat/lib/xmlparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 7818f8d..2114596 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -3981,6 +3981,14 @@ entityValueInitProcessor(XML_Parser parser,
       *nextPtr = next;
       return XML_ERROR_NONE;
     }
+    /* If we get this token, we have the start of what might be a
+       normal tag, but not a declaration (i.e. it doesn't begin with
+       "<!").  In a DTD context, that isn't legal.
+    */
+    else if (tok == XML_TOK_INSTANCE_START) {
+      *nextPtr = next;
+      return XML_ERROR_SYNTAX;
+    }
     start = next;
     eventPtr = start;
   }