2 files changed, 6 insertions, 0 deletions

diff --git a/Misc/NEWS b/Misc/NEWS
index 2efa767..74a64f0 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -272,6 +272,9 @@ Extension Modules
 
 - Issue #6848: Fix curses module build failure on OS X 10.6.
 
+- Expat: Fix DoS via XML document with malformed UTF-8 sequences
+  (CVE_2009_3560).
+
 Tests
 -----
 
diff --git a/Modules/expat/xmlparse.c b/Modules/expat/xmlparse.c
index e04426d..105958b 100644
--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
@@ -3682,6 +3682,9 @@ doProlog(XML_Parser parser,
         return XML_ERROR_UNCLOSED_TOKEN;
       case XML_TOK_PARTIAL_CHAR:
         return XML_ERROR_PARTIAL_CHAR;
+      case -XML_TOK_PROLOG_S:
+        tok = -tok;
+        break;
       case XML_TOK_NONE:
 #ifdef XML_DTD
         /* for internal PE NOT referenced between declarations */