From 732cf4f705206c7ae2d5d31d073af3812971ba49 Mon Sep 17 00:00:00 2001
From: gaochao
Date: Sat, 22 Mar 2025 15:08:48 +0800
Subject: [PATCH] =?UTF-8?q?libxml2=E5=AE=89=E5=85=A8=E6=BC=8F=E6=B4=9E?= =?UTF-8?q?=E8=A1=A5=E4=B8=81=20Signed-off-by:=20gaochao=20?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
Fix-CVE-2019-19956.patch | 15 ++++++
Fix-CVE-2025-24928.patch | 31 ++++--------
Fix-malloc-fail.patch | 6 +--
...sion-in-xmlSchemaCheckAGPropsCorrect.patch | 50 +++++++++++++++++++
install.py | 5 +-
5 files changed, 81 insertions(+), 26 deletions(-)
create mode 100644 Fix-CVE-2019-19956.patch
create mode 100644 Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch
diff --git a/Fix-CVE-2019-19956.patch b/Fix-CVE-2019-19956.patch
new file mode 100644
index 0000000..0d9ba38
--- /dev/null
+++ b/Fix-CVE-2019-19956.patch
@@ -0,0 +1,15 @@
+diff --git a/parser.c b/parser.c
+index 0f58bf7..bcf9a2e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13877,8 +13877,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+ xmlFreeParserCtxt(ctxt);
+ newDoc->intSubset = NULL;
+ newDoc->extSubset = NULL;
+- /* This leaks the namespace list if doc == NULL */
+- newDoc->oldNs = NULL;
++ if(doc != NULL)
++ newDoc->oldNs = NULL;
+ xmlFreeDoc(newDoc);
+
+ return(ret);
diff --git a/Fix-CVE-2025-24928.patch b/Fix-CVE-2025-24928.patch
index 7e38b31..0a0653b 100644
--- a/Fix-CVE-2025-24928.patch
+++ b/Fix-CVE-2025-24928.patch
@@ -1,19 +1,8 @@
-From 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 11 Feb 2025 17:30:40 +0100
-Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
- xmlSnprintfElements
-
-Fixes #847.
----
- valid.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
diff --git a/valid.c b/valid.c
-index d63137fa0..6a8ae1fb4 100644
+index 92aaedb..2ba5cdd 100644
--- a/valid.c
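Review bot: The new `if(doc != NULL) newDoc->oldNs = NULL;` guard in Fix-CVE-2019-19956.patch is only correct if `newDoc->oldNs` is borrowed from `doc` when a document is supplied and owned by `newDoc` otherwise, and the code that establishes that (presumably an earlier `newDoc->oldNs = doc->oldNs` in xmlParseBalancedChunkMemoryRecover) is outside the hunk, so after removing the old comment the ownership rule is documented nowhere in the function. I would keep a comment in place of the removed one, e.g. `/* oldNs is shared with doc when doc != NULL; only let xmlFreeDoc release it when newDoc created it */`. The patch file also carries no upstream attribution (commit id, author, subject), unlike the xmlSchemaCheckAGPropsCorrect backport added in the same commit; a `From`/`Subject` header or an `Origin:` line naming the upstream fix would let the next maintainer check it against upstream. xmlParseBalancedChunkMemoryRecover begins and ends outside the hunk.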
+++ b/valid.c
-@@ -4997,26 +4997,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
+@@ -5268,25 +5268,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
return;
}
switch (cur->type) {
@@ -42,15 +31,15 @@ index d63137fa0..6a8ae1fb4 100644
- strcat(buf, " ...");
- return;
- }
- if (cur->name != NULL)
- strcat(buf, (char *) cur->name);
- if (cur->next != NULL)
- strcat(buf, " ");
+- strcat(buf, (char *) cur->name);
+- if (cur->next != NULL)
+- strcat(buf, " ");
++ if (cur->name != NULL)
++ strcat(buf, (char *) cur->name);
++ if (cur->next != NULL)
++ strcat(buf, " ");
break;
-+ }
++ }
case XML_TEXT_NODE:
if (xmlIsBlankNode(cur))
break;
---
-GitLab
-
diff --git a/Fix-malloc-fail.patch b/Fix-malloc-fail.patch
index e8ec411..3edbb29 100644
--- a/Fix-malloc-fail.patch
+++ b/Fix-malloc-fail.patch
@@ -1,8 +1,8 @@
diff --git a/buf.c b/buf.c
-index 40a5ee06..1fa975a6 100644
+index d8992f7..1ae7542 100644
--- a/buf.c
+++ b/buf.c
-@@ -1265,7 +1265,7 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) {
+@@ -1261,7 +1261,7 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) {
*/
int
xmlBufResetInput(xmlBufPtr buf, xmlParserInputPtr input) {
@@ -10,4 +10,4 @@ index 40a5ee06..1fa975a6 100644
+ if ((input == NULL) || (buf == NULL))
return(-1);
CHECK_COMPAT(buf)
- input->base = input->cur = buf->content;
\ No newline at end of file
+ input->base = input->cur = buf->content;
diff --git a/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch b/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch
new file mode 100644
index 0000000..b708cd3
--- /dev/null
+++ b/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch
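Review bot: The provenance block of Fix-CVE-2025-24928.patch is deleted along with the rebase: the `From 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57` line, author, date, `Subject: [PATCH] [CVE-2025-24928] …` and `Fixes #847.` all go, and the retargeted `index 92aaedb..2ba5cdd` and hunk header are not accompanied by anything that says which upstream commit the file now derives from. For a CVE backport that is the one thing a later auditor needs; keep the original header (a rebased patch still applies with it) or put a line such as `Origin: upstream commit 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57, rebased onto the vendored valid.c` above `diff --git a/valid.c b/valid.c`. The xmlSchemaCheckAGPropsCorrect patch added by this same commit does keep its full upstream header, so the two files are now inconsistent with each other.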
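Review bot: The rewritten second hunk changes more than upstream's fix did: upstream's context lines `strcat(buf, (char *) cur->name);` / `if (cur->next != NULL)` / `strcat(buf, " ");` become inner removals (`+-`) and are re-added behind a new `if (cur->name != NULL)` guard, so the backport now introduces a NULL check on `cur->name` that the vendored valid.c evidently lacks. That is defensible (strcat on a NULL name would crash whatever the size check above decides), but nothing in the patch says the deviation is intentional, and anyone diffing this file against upstream will see an unexplained extra change. A one-line note in the patch header, e.g. `Backport note: also adds the cur->name NULL check that upstream carries as context`, would make the review reproducible. The enclosing switch in xmlSnprintfElements begins and ends outside the hunk.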
@@ -0,0 +1,50 @@
+From 9f8484602f53ac23c5af031c96c36829191e6b92 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sun, 9 Mar 2025 13:31:10 +0100
+Subject: [PATCH] malloc-fail: Fix type confusion in
+ xmlSchemaCheckAGPropsCorrect
+
+Attribute groups must be marked as containing references also if an OOM
+error occurred. Otherwise, references won't be resolved, leading to type
+confusion in xmlSchemaCheckAGPropsCorrect later in the fixup phase.
+
+I'm not sure why xmlSchemaFixupComponents is called at all if an error
+occurred. This has lead to similar issues in the past. On the other
+hand, continuing in the presence of errors helps when fuzzing.
+
+See #344.
+---
+ xmlschemas.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index b3214f508..796e0edf4 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -7715,6 +7715,7 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt,
+ xmlNodePtr child = NULL;
+ xmlAttrPtr attr;
+ int hasRefs = 0;
++ int res;
+
+ if ((pctxt == NULL) || (schema == NULL) || (node == NULL))
+ return (NULL);
+@@ -7769,12 +7770,13 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt,
+ /*
+ * Parse contained attribute decls/refs.
+ */
+- if (xmlSchemaParseLocalAttributes(pctxt, schema, &child,
+ res = xmlSchemaParseLocalAttributes(pctxt, schema, &child,
+ (xmlSchemaItemListPtr *) &(ret->attrUses),
+- XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs) == -1)
+- return(NULL);
++ XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs);
+ if (hasRefs)
+ ret->flags |= XML_SCHEMAS_ATTRGROUP_HAS_REFS;
++ if (res == -1)
++ return(NULL);
+ /*
+ * Parse the attribute wildcard.
+ */
+--
+GitLab
\ No newline at end of file
diff --git a/install.py b/install.py
index 9fdb839..b7ebc78 100755
--- a/install.py
+++ b/install.py
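Review bot: In the new Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch the line `+ res = xmlSchemaParseLocalAttributes(pctxt, schema, &child,` carries a single `+`, while every other line the inner diff adds (`++ int res;`, `++ XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs);`, `++ if (res == -1)`) carries two; if the committed file really reads that way the inner hunk has 13 old-side lines against its `@@ -7769,12 +7770,13 @@` header and `git apply` will reject it as corrupt, so run `git apply --check` on the file before merging (this may only be an artifact of how the page was captured). Once it applies, the fix itself is sound: `ret->flags |= XML_SCHEMAS_ATTRGROUP_HAS_REFS` is now set before the `res == -1` early return, so the fixup phase sees the references even after an OOM, which is exactly what the upstream description calls for. `int res;` is left uninitialized but is assigned on the only path that reads it within the hunk.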
@@ -91,7 +91,6 @@ def do_patch(args, target_dir):
"backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch",
"backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch",
"backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch",
- "backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch",
"backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch",
"backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch",
"backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch",
@@ -233,7 +232,9 @@ def do_patch(args, target_dir):
"Fix-CVE-2024-34459.patch",
"Fix-CVE-2024-56171.patch",
"Fix-CVE-2025-24928.patch",
- "Fix-CVE-2025-27113.patch"
+ "Fix-CVE-2025-27113.patch",
+ "Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch",
+ "Fix-CVE-2019-19956.patch"
]
for patch in patch_file:
--
Gitee
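Review bot: `backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch` is dropped from `patch_file`, but per the diffstat the patch file itself stays in the tree, and nothing in the commit (whose subject only says it adds libxml2 security patches) explains why a memory-leak fix stops being applied. If it no longer applies or is superseded by one of the patches added here, record that next to the list, e.g. `# xmlStaticCopyNodeList leak fix dropped: superseded by <patch>`, or delete the file; otherwise a silently unapplied fix is exactly what a later audit of this list will miss. do_patch begins before the hunk and continues past it.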
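Review bot: The two new entries are appended after `"Fix-CVE-2025-27113.patch"`, so the list now runs 2024-34459, 2024-56171, 2025-24928, 2025-27113, a non-CVE patch, and finally 2019-19956; since `for patch in patch_file:` applies them in list order, that order is part of the build contract, and a 2019 fix applied last is easy to mistake for a newer one. Either keep the CVE entries sorted (`"Fix-CVE-2019-19956.patch"` ahead of the 2024 ones, if it still applies cleanly there) or put a comment above the list stating that the order is application order and must not be re-sorted. The xmlSchemaCheckAGPropsCorrect patch is an upstream backport like the `backport-…` entries earlier in the list; naming it the same way would keep the upstream-backport and CVE groups distinguishable.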