From: Markus Koschany <apo@debian.org>
Date: Tue, 19 Feb 2019 19:20:16 +0100
Subject: CVE-2017-18197

Origin: https://bitbucket.org/jgraph/mxgraph2/commits/7d159ca3259b961cbb1c51b4ea42cb408c624ff1
Bug-Upstream: https://github.com/jgraph/mxgraph/issues/124
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891796
---
 src/com/mxgraph/reader/mxGraphViewImageReader.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/com/mxgraph/reader/mxGraphViewImageReader.java b/src/com/mxgraph/reader/mxGraphViewImageReader.java
index 0e55710..2939cea 100644
--- a/src/com/mxgraph/reader/mxGraphViewImageReader.java
+++ b/src/com/mxgraph/reader/mxGraphViewImageReader.java
@@ -12,7 +12,6 @@ import java.io.IOException;
 import java.util.Map;
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
 import org.xml.sax.InputSource;
@@ -271,9 +270,13 @@ public class mxGraphViewImageReader extends mxGraphViewReader
 			throws ParserConfigurationException, SAXException, IOException
 	{
 		BufferedImage result = null;
-		SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
-		XMLReader reader = parser.getXMLReader();
-
+		
+		XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+		reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+		reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+		
 		reader.setContentHandler(viewReader);
 		reader.parse(inputSource);