From 55cda8c7125986e17d7e1825cba413bd94a35d02 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 1 Mar 2026 20:16:13 +0100
Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in
 entityValueProcessor

.. that OSS-Fuzz/ClusterFuzz uncovered
---
 expat/lib/xmlparse.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff -urp firefox-115.4.0.orig/parser/expat/lib/xmlparse.c firefox-115.4.0/parser/expat/lib/xmlparse.c
--- firefox-115.4.0.orig/parser/expat/lib/xmlparse.c	2026-04-25 05:00:29.864994760 -0500
+++ firefox-115.4.0/parser/expat/lib/xmlparse.c	2026-04-25 05:01:09.737259756 -0500
@@ -4346,7 +4346,7 @@ entityValueInitProcessor(XML_Parser pars
     }
     /* If we get this token, we have the start of what might be a
        normal tag, but not a declaration (i.e. it doesn't begin with
-       "<!").  In a DTD context, that isn't legal.
+       "<!" or "<?").  In a DTD context, that isn't legal.
     */
     else if (tok == XML_TOK_INSTANCE_START) {
       *nextPtr = next;
@@ -4430,6 +4430,15 @@ entityValueProcessor(XML_Parser parser,
       /* found end of entity value - can store it now */
       return storeEntityValue(parser, enc, s, end);
     }
+    /* If we get this token, we have the start of what might be a
+       normal tag, but not a declaration (i.e. it doesn't begin with
+       "<!" or "<?").  In a DTD context, that isn't legal.
+    */
+    else if (tok == XML_TOK_INSTANCE_START) {
+      *nextPtr = next;
+      return XML_ERROR_SYNTAX;
+    }
+
     start = next;
   }
 }
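Review bot: The new `else if (tok == XML_TOK_INSTANCE_START)` branch and its three-line comment are a verbatim copy of the branch in entityValueInitProcessor shown in the first hunk, so the two sites will drift unless they are tied together; either factor the check into a small `static` helper both processors call, or add `/* keep in sync with entityValueInitProcessor */` above the new branch. The hang this fixes is a loop iteration that reaches `start = next;` without advancing, and the added branch only closes that for one token value; if the loop head (which is outside the hunk) has no other exit on a non-advancing tokenizer result, a token-independent guard such as `if (next == start) return XML_ERROR_SYNTAX;` placed before `start = next;` would rule out this whole class of hang rather than one instance of it — I cannot confirm from the hunk whether other tokens can take the same path. A regression input reaching this branch belongs in the project's test suite alongside the fix so the loop cannot silently return. entityValueProcessor begins outside the hunk; only its tail is visible here.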
