From ba80428c2207259103b73871d447dee34755340c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= Date: Tue, 23 Sep 2025 11:22:14 +0200 Subject: [PATCH] lib: Fix detection of asynchronous tags in entities According to the XML standard, tags must be closed within the same element in which they are opened. Since the change of the entity processing method in version 2.7.0, violations of this rule have not been handled correctly for entities. This commit adds the required checks to detect any violations and restores the correct behaviour. CVE: CVE-2024-8176 Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1059] Signed-off-by: Peter Marko --- lib/xmlparse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/xmlparse.c b/lib/xmlparse.c index ce29ab6f..ba4e3c48 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c @@ -6087,6 +6087,10 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, // process its possible inner entities (which are added to the // m_openInternalEntities during doProlog or doContent calls above) entity->hasMore = XML_FALSE; + if (! entity->is_param + && (openEntity->startTagLevel != parser->m_tagLevel)) { + return XML_ERROR_ASYNC_ENTITY; + } triggerReenter(parser); return result; } // End of entity processing, "if" block will return here
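Review bot: the new XML_ERROR_ASYNC_ENTITY check in internalEntityProcessor lands only on the "entity fully consumed" branch (after `entity->hasMore = XML_FALSE;` and before `triggerReenter(parser);`), which is the right place, but the backport ships without any regression test: the diffstat is `lib/xmlparse.c | 4 ++++`, so whatever test the upstream PR (libexpat/libexpat#1059) added for this case has been dropped. Suggest carrying the test along, or at minimum recording in the commit message that the patched build was checked with a document whose internal entity opens a tag it does not close (for example `<!DOCTYPE r [<!ENTITY e "<a>">]><r>&e;</a></r>`) and now fails with XML_ERROR_ASYNC_ENTITY instead of parsing. Two smaller points on the same hunk: the condition reads `openEntity->startTagLevel`, but nothing in the hunk shows where that field is set, so the backporter should confirm that the target tree's OPEN_INTERNAL_ENTITY already records the tag level at entity-open time (otherwise the comparison is against an uninitialised or stale value and the check silently passes or misfires); and the error path returns directly without the triggerReenter() call, which is fine for a hard error but worth a one-line comment so a later reader does not "fix" it by moving the return below triggerReenter.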