From 55cda8c7125986e17d7e1825cba413bd94a35d02 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 1 Mar 2026 20:16:13 +0100
Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in
 entityValueProcessor

.. that OSS-Fuzz/ClusterFuzz uncovered
---
 expat/lib/xmlparse.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff -urp firefox-52.6.0esr.orig/parser/expat/lib/xmlparse.c firefox-52.6.0esr/parser/expat/lib/xmlparse.c
--- firefox-52.6.0esr.orig/parser/expat/lib/xmlparse.c	2026-04-25 19:27:29.977730655 -0500
+++ firefox-52.6.0esr/parser/expat/lib/xmlparse.c	2026-04-25 19:27:59.584555316 -0500
@@ -3795,6 +3795,15 @@ entityValueProcessor(XML_Parser parser,
       /* found end of entity value - can store it now */
       return storeEntityValue(parser, enc, s, end);
     }
+    /* If we get this token, we have the start of what might be a
+       normal tag, but not a declaration (i.e. it doesn't begin with
+       "<!" or "<?").  In a DTD context, that isn't legal.
+    */
+    else if (tok == XML_TOK_INSTANCE_START) {
+      *nextPtr = next;
+      return XML_ERROR_SYNTAX;
+    }
+
     start = next;
   }
 }
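Review bot: The new `else if (tok == XML_TOK_INSTANCE_START)` branch only rejects the one non-advancing token the fuzzer happened to hit; any other positive token for which `XmlPrologTok` leaves `next == start` would still make the trailing `start = next;` spin forever, since the loop has no progress check of its own. Because the actual failure mode is "tokenizer made no forward progress", I would keep the specific branch and add a generic guard right after it, `if (next == start) { *nextPtr = next; return XML_ERROR_SYNTAX; }` (presumably the INSTANCE_START case is exactly this, the tokenizer reporting the token without consuming the `<`). The hunk also returns without updating the parser's event pointer, so unless the enclosing function does that elsewhere (its start is outside the hunk), the byte index and line number reported for this new XML_ERROR_SYNTAX will point at wherever the event pointer was last set rather than at the offending `<`; setting `eventPtr = start;` before the return would make the error location accurate. Finally, `*nextPtr = next;` on an error return is harmless but is not done on the other error returns visible in this function, so consider dropping it for consistency.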
