[fbreader] Fixed the problem with external XML entities

XML parser's "hash_secret_salt" has to be set to anything non-zero. Otherwise this parser won't be able to use the entity cache filled by the child DTD parsers. For more details see CVE-2012-0876 and http://sourceforge.net/p/expat/bugs/496/
monich · Dec 14, 2015 · bd3dbb7 · bd3dbb7
1 parent c9ec2cb
commit bd3dbb7
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/fbreader/fbreader/zlibrary/core/src/xml/expat/ZLXMLReaderInternal.cpp b/fbreader/fbreader/zlibrary/core/src/xml/expat/ZLXMLReaderInternal.cpp
@@ -107,6 +107,10 @@ static void parseDTD(XML_Parser parser, const std::string &fileName) {
 ZLXMLReaderInternal::ZLXMLReaderInternal(ZLXMLReader &reader, const char *encoding) : myReader(reader) {
 	myParser = XML_ParserCreate(encoding);
 	myInitialized = false;
+	// Set salt to anything non-zero. Otherwise this parser won't be able
+	// to use the entity cache filled by the child DTD parsers. For more
+	// details see CVE-2012-0876 and http://sourceforge.net/p/expat/bugs/496/
+	XML_SetHashSalt(myParser, 42);
 }
 
 ZLXMLReaderInternal::~ZLXMLReaderInternal() {