Changes: Document CVE-2022-23990

2022-01-26 02:51:39 +01:00 · 2022-01-26 02:51:39 +01:00 · 6e3449594f
commit 6e3449594f
parent ede41d1e18
1 changed files with 6 additions and 0 deletions
--- a/expat/Changes
+++ b/expat/Changes
@ -10,12 +10,18 @@ Release x.x.x xxx xxxxxxx xx xxxx
                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
                    common and default).
                    Impact is denial of service or more.
+            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
+                    doProlog triggered by large content in element type
+                    declarations when there is an element declaration handler
+                    present (from a prior call to XML_SetElementDeclHandler).
+                    Impact is denial of service or more.

        Bug fixes:
       #544 #545  xmlwf: Fix a memory leak on output file opening error

        Special thanks to:
            hwt0415
+            Roland Illig
            Samanta Navarro
                 and
            Clang LeakSan and the Clang team