diff --git a/BUILD.gn b/BUILD.gn index eddd99628d44ddd22dc5de9a2d4b5c805916b72a..febb6d644b2833378850dc3c4f94dc648cdef2f3 100755 --- a/BUILD.gn +++ b/BUILD.gn @@ -17,247 +17,58 @@ import("//build/ohos.gni") action("libxml2_install_action") { script = "//third_party/libxml2/install.py" outputs = [ - "${target_gen_dir}/libxml2-2.9.14/config.h.cmake.in", - "${target_gen_dir}/libxml2-2.9.14/include/libxml/xmlversion.h.in", - "${target_gen_dir}/libxml2-2.9.14/DOCBparser.c", - "${target_gen_dir}/libxml2-2.9.14/HTMLparser.c", - "${target_gen_dir}/libxml2-2.9.14/HTMLtree.c", - "${target_gen_dir}/libxml2-2.9.14/SAX.c", - "${target_gen_dir}/libxml2-2.9.14/SAX2.c", - "${target_gen_dir}/libxml2-2.9.14/buf.c", - "${target_gen_dir}/libxml2-2.9.14/c14n.c", - "${target_gen_dir}/libxml2-2.9.14/catalog.c", - "${target_gen_dir}/libxml2-2.9.14/chvalid.c", - "${target_gen_dir}/libxml2-2.9.14/debugXML.c", - "${target_gen_dir}/libxml2-2.9.14/dict.c", - "${target_gen_dir}/libxml2-2.9.14/encoding.c", - "${target_gen_dir}/libxml2-2.9.14/entities.c", - "${target_gen_dir}/libxml2-2.9.14/error.c", - "${target_gen_dir}/libxml2-2.9.14/globals.c", - "${target_gen_dir}/libxml2-2.9.14/hash.c", - "${target_gen_dir}/libxml2-2.9.14/legacy.c", - "${target_gen_dir}/libxml2-2.9.14/list.c", - "${target_gen_dir}/libxml2-2.9.14/nanoftp.c", - "${target_gen_dir}/libxml2-2.9.14/nanohttp.c", - "${target_gen_dir}/libxml2-2.9.14/parser.c", - "${target_gen_dir}/libxml2-2.9.14/parserInternals.c", - "${target_gen_dir}/libxml2-2.9.14/pattern.c", - "${target_gen_dir}/libxml2-2.9.14/relaxng.c", - "${target_gen_dir}/libxml2-2.9.14/schematron.c", - "${target_gen_dir}/libxml2-2.9.14/threads.c", - "${target_gen_dir}/libxml2-2.9.14/tree.c", - "${target_gen_dir}/libxml2-2.9.14/uri.c", - "${target_gen_dir}/libxml2-2.9.14/valid.c", - "${target_gen_dir}/libxml2-2.9.14/xinclude.c", - "${target_gen_dir}/libxml2-2.9.14/xlink.c", - "${target_gen_dir}/libxml2-2.9.14/xmlIO.c", - "${target_gen_dir}/libxml2-2.9.14/xmlmemory.c", - "${target_gen_dir}/libxml2-2.9.14/xmlmodule.c", - "${target_gen_dir}/libxml2-2.9.14/xmlreader.c", - "${target_gen_dir}/libxml2-2.9.14/xmlregexp.c", - "${target_gen_dir}/libxml2-2.9.14/xmlsave.c", - "${target_gen_dir}/libxml2-2.9.14/xmlschemas.c", - "${target_gen_dir}/libxml2-2.9.14/xmlschemastypes.c", - "${target_gen_dir}/libxml2-2.9.14/xmlstring.c", - "${target_gen_dir}/libxml2-2.9.14/xmlunicode.c", - "${target_gen_dir}/libxml2-2.9.14/xmlwriter.c", - "${target_gen_dir}/libxml2-2.9.14/xpath.c", - "${target_gen_dir}/libxml2-2.9.14/xpointer.c", - "${target_gen_dir}/libxml2-2.9.14/xzlib.c", + "${target_gen_dir}/libxml2-2.14.0/config.h.cmake.in", + "${target_gen_dir}/libxml2-2.14.0/include/libxml/xmlversion.h.in", + "${target_gen_dir}/libxml2-2.14.0/HTMLparser.c", + "${target_gen_dir}/libxml2-2.14.0/HTMLtree.c", + "${target_gen_dir}/libxml2-2.14.0/SAX2.c", + "${target_gen_dir}/libxml2-2.14.0/buf.c", + "${target_gen_dir}/libxml2-2.14.0/c14n.c", + "${target_gen_dir}/libxml2-2.14.0/catalog.c", + "${target_gen_dir}/libxml2-2.14.0/chvalid.c", + "${target_gen_dir}/libxml2-2.14.0/debugXML.c", + "${target_gen_dir}/libxml2-2.14.0/dict.c", + "${target_gen_dir}/libxml2-2.14.0/encoding.c", + "${target_gen_dir}/libxml2-2.14.0/entities.c", + "${target_gen_dir}/libxml2-2.14.0/error.c", + "${target_gen_dir}/libxml2-2.14.0/globals.c", + "${target_gen_dir}/libxml2-2.14.0/hash.c", + "${target_gen_dir}/libxml2-2.14.0/list.c", + "${target_gen_dir}/libxml2-2.14.0/nanohttp.c", + "${target_gen_dir}/libxml2-2.14.0/parser.c", + "${target_gen_dir}/libxml2-2.14.0/parserInternals.c", + "${target_gen_dir}/libxml2-2.14.0/pattern.c", + "${target_gen_dir}/libxml2-2.14.0/relaxng.c", + "${target_gen_dir}/libxml2-2.14.0/schematron.c", + "${target_gen_dir}/libxml2-2.14.0/threads.c", + "${target_gen_dir}/libxml2-2.14.0/tree.c", + "${target_gen_dir}/libxml2-2.14.0/uri.c", + "${target_gen_dir}/libxml2-2.14.0/valid.c", + "${target_gen_dir}/libxml2-2.14.0/xinclude.c", + "${target_gen_dir}/libxml2-2.14.0/xlink.c", + "${target_gen_dir}/libxml2-2.14.0/xmlIO.c", + "${target_gen_dir}/libxml2-2.14.0/xmlmemory.c", + "${target_gen_dir}/libxml2-2.14.0/xmlmodule.c", + "${target_gen_dir}/libxml2-2.14.0/xmlreader.c", + "${target_gen_dir}/libxml2-2.14.0/xmlregexp.c", + "${target_gen_dir}/libxml2-2.14.0/xmlsave.c", + "${target_gen_dir}/libxml2-2.14.0/xmlschemas.c", + "${target_gen_dir}/libxml2-2.14.0/xmlschemastypes.c", + "${target_gen_dir}/libxml2-2.14.0/xmlstring.c", + "${target_gen_dir}/libxml2-2.14.0/xmlunicode.c", + "${target_gen_dir}/libxml2-2.14.0/xmlwriter.c", + "${target_gen_dir}/libxml2-2.14.0/xpath.c", + "${target_gen_dir}/libxml2-2.14.0/xpointer.c", + "${target_gen_dir}/libxml2-2.14.0/xzlib.c", + "${target_gen_dir}/libxml2-2.14.0/shell.c", + "${target_gen_dir}/libxml2-2.14.0/xmllint.c", ] - inputs = [ "//third_party/libxml2/libxml2-2.9.14.tar.xz" ] + inputs = [ "//third_party/libxml2/libxml2-2.14.0.tar.xz" ] inputs += [ - "Fix-memleaks-in-xmlXIncludeProcessFlags.patch", - "backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch", - "Fix-memory-leaks-for-xmlACatalogAdd.patch", - "Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch", - "backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch", - "backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch", - "backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch", - "libxml2-multilib.patch", - "Fix-CVE-2023-25062.patch", - "Fix-CVE-2023-45322-pre.patch", - "Fix-CVE-2023-45322-first.patch", - "Fix-CVE-2023-45322-second.patch", - "backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch", - "backport-Properly-fold-whitespace-around-the-QName-value-when.patch", - "backport-Avoid-arithmetic-on-freed-pointers.patch", - "backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch", - "backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch", - "backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch", - "backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch", - "backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch", - "backport-xmlBufAvail-should-return-length-without-including-a.patch", - "backport-Fix-integer-overflow-in-xmlBufferDump.patch", - "backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch", - "backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch", - "backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch", - "backport-Don-t-reset-nsDef-when-changing-node-content.patch", - "backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch", - "backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch", - "backport-Reset-nsNr-in-xmlCtxtReset.patch", - "backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch", - "backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch", - "backport-Fix-HTML-parser-with-threads-and-without-legacy.patch", - "backport-Fix-xmlCtxtReadDoc-with-encoding.patch", - "backport-Use-xmlStrlen-in-CtxtReadDoc.patch", - "backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch", - "backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch", - "backport-Fix-memory-leak-with-invalid-XSD.patch", - "backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch", - "backport-Fix-overflow-check-in-SAX2.c.patch", - "backport-xinclude-Fix-memory-leak-when-fuzzing.patch", - "backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch", - "backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch", - "backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch", - "backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch", - "backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch", - "backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch", - "backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch", - "backport-uri-Allow-port-without-host.patch", - "backport-parser-Fix-consumed-accounting-when-switching-encodi.patch", - "backport-html-Fix-check-for-end-of-comment-in-push-parser.patch", - "backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch", - "backport-parser-Restore-parser-state-in-xmlParseCDSect.patch", - "backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch", - "backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch", - "backport-Correctly-relocate-internal-pointers-after-realloc.patch", - "backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch", - "backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch", - "backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch", - "backport-io-Remove-xmlInputReadCallbackNop.patch", - "backport-Revert-uri-Allow-port-without-host.patch", - "backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch", - "backport-parser-Fix-integer-overflow-of-input-ID.patch", - "backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch", - "backport-xpath-number-should-return-NaN.patch", - "backport-error-Don-t-move-past-current-position.patch", - "backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch", - "backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch", - "backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch", - "backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch", - "backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch", - "backport-malloc-fail-Fix-reallocation-in-inputPush.patch", - "backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch", - "backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch", - "backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch", - "backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch", - "backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch", - "backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch", - "backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch", - "backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch", - "backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch", - "backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch", - "backport-encoding-Cast-toupper-argument-to-unsigned-char.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch", - "backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch", - "backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch", - "backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch", - "backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch", - "backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch", - "backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch", - "backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch", - "backport-parser-Fix-OOB-read-when-formatting-error-message.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch", - "backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch", - "backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch", - "backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch", - "backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch", - "backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch", - "backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch", - "backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch", - "backport-catalog-Fix-memory-leaks.patch", - "backport-CVE-2023-29469.patch", - "backport-CVE-2023-28484.patch", - "backport-valid-Allow-xmlFreeValidCtxt-NULL.patch", - "backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch", - "backport-xmllint-Fix-memory-leak-with-pattern-stream.patch", - "backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch", - "backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch", - "backport-valid-Make-xmlValidateElement-non-recursive.patch", - "backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch", - "backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch", - "backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch", - "backport-parser-Limit-name-length-in-xmlParseEncName.patch", - "backport-encoding-Fix-error-code-in-asciiToUTF8.patch", - "backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch", - "backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch", - "backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch", - "backport-regexp-Fix-checks-for-eliminated-transitions.patch", - "backport-regexp-Fix-determinism-checks.patch", - "backport-regexp-Fix-mistake-in-previous-commit.patch", - "backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch", - "backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch", - "backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch", - "backport-xmllint-Fix-use-after-free-with-maxmem.patch", - "backport-malloc-fail-Check-for-malloc-failures-when-creating.patch", - "backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch", - "backport-xmlValidatePopElement-can-return-invalid-value-1.patch", - "backport-Fix-use-after-free-in-xmlParseContentInternal.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch", - "backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch", - "backport-SAX-Always-initialize-SAX1-element-handlers.patch", - "Fix-malloc-fail.patch", - "Fix-CVE-2024-34459.patch", - "Fix-CVE-2024-56171.patch", - "Fix-CVE-2025-24928.patch", - "Fix-CVE-2025-27113.patch", - "Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch", - "Fix-CVE-2019-19956.patch", - "Fix-CVE-2025-32414.patch", - "Fix-CVE-2025-32415.patch" - ] + "Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch", + "Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch", + ] args = [ "--gen-dir", @@ -272,7 +83,7 @@ config("libxml2_config") { include_dirs = [ get_label_info(":libxml2_generate_header", "target_out_dir") + "/include", get_label_info(":libxml2_install_action", "target_gen_dir") + - "/libxml2-2.9.14/include", + "/libxml2-2.14.0/include", ] } @@ -294,6 +105,7 @@ config("libxml2_private_config") { "-Wno-enum-compare", "-Wno-int-conversion", "-Wno-uninitialized", + "-Wno-implicit-fallthrough", ] defines = [ "HAVE_CONFIG_H", @@ -309,7 +121,7 @@ config("libxml2_static_config") { include_dirs = [ get_label_info(":libxml2_generate_header", "target_out_dir") + "/include", get_label_info(":libxml2_install_action", "target_gen_dir") + - "/libxml2-2.9.14/include", + "/libxml2-2.14.0/include", ] if (is_mingw) { defines = [ "LIBXML_STATIC" ] @@ -351,6 +163,13 @@ ohos_shared_library("libxml2") { libs = [ "dl" ] } +if (is_mingw) { + libs = [ + "bcrypt", + "ws2_32", + ] + } + if (current_os == "ios") { ldflags = [ "-Wl", @@ -394,6 +213,13 @@ ohos_static_library("static_libxml2") { public_configs = [ ":libxml2_static_config" ] configs = [ ":libxml2_static_private_config" ] +if (is_mingw) { + libs = [ + "bcrypt", + "ws2_32", + ] + } + deps = [ ":libxml2_generate_header", ":libxml2_install_action", @@ -406,10 +232,10 @@ action("libxml2_generate_header") { script = "generate_header.py" config_in_path = get_label_info(":libxml2_install_action", "target_gen_dir") + - "/libxml2-2.9.14/config.h.cmake.in" + "/libxml2-2.14.0/config.h.cmake.in" xmlversion_in_path = get_label_info(":libxml2_install_action", "target_gen_dir") + - "/libxml2-2.9.14/include/libxml/xmlversion.h.in" + "/libxml2-2.14.0/include/libxml/xmlversion.h.in" config_json_path = "config_linux.json" xml_version_json_path = "xml_version.json" if (is_mingw) { diff --git a/Fix-CVE-2025-32414.patch b/Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch similarity index 56% rename from Fix-CVE-2025-32414.patch rename to Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch index 1977bd95f290e4000bbd88abb07e27636f7ae7ee..462e3e8be246ddef342eb1d6a5493f1a0c727b0a 100644 --- a/Fix-CVE-2025-32414.patch +++ b/Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch @@ -1,61 +1,73 @@ -diff --git a/python/libxml.c b/python/libxml.c -index ef63025..2c1e95e 100644 ---- a/python/libxml.c -+++ b/python/libxml.c -@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { - #endif - file = (PyObject *) context; - if (file == NULL) return(-1); -- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len); -+ /* When read() returns a string, the length is in characters not bytes, so -+ request at most len / 4 characters to leave space for UTF-8 encoding. */ -+ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); - if (ret == NULL) { - printf("xmlPythonFileReadRaw: result is NULL\n"); - return(-1); -@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { - Py_DECREF(ret); - return(-1); - } -- if (lenread > len) -- memcpy(buffer, data, len); -- else -- memcpy(buffer, data, lenread); -+ if (lenread < 0 || lenread > len) { -+ printf("xmlPythonFileReadRaw: invalid lenread\n"); -+ Py_DECREF(ret); -+ return(-1); -+ } -+ memcpy(buffer, data, lenread); - Py_DECREF(ret); - return(lenread); - } -@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { - #endif - file = (PyObject *) context; - if (file == NULL) return(-1); -- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len); -+ /* When io_read() returns a string, the length is in characters not bytes, so -+ request at most len / 4 characters to leave space for UTF-8 encoding. */ -+ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); - if (ret == NULL) { - printf("xmlPythonFileRead: result is NULL\n"); - return(-1); -@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { - Py_DECREF(ret); - return(-1); - } -- if (lenread > len) -- memcpy(buffer, data, len); -- else -- memcpy(buffer, data, lenread); -+ if (lenread < 0 || lenread > len) { -+ printf("xmlPythonFileRead: invalid lenread\n"); -+ Py_DECREF(ret); -+ return(-1); -+ } -+ memcpy(buffer, data, lenread); - Py_DECREF(ret); - return(lenread); - } - +From edd40353cfd6807b5395386fe2b8471abce752c6 Mon Sep 17 00:00:00 2001 +From: Maks Verver +Date: Tue, 8 Apr 2025 13:13:55 +0200 +Subject: [PATCH] [Backport][CVE-2025-32414] python: Read at most len/4 +CVE: CVE-2025-32414 +Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/53d259454161eee801d22c56e08ea331b4c495b5 +--- + python/libxml.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/python/libxml.c b/python/libxml.c +index 5dea502..0a1e408 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -237,7 +237,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileReadRaw: result is NULL\n"); + return(-1); +@@ -272,10 +274,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileReadRaw: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +@@ -299,7 +303,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len); ++ /* When io_read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileRead: result is NULL\n"); + return(-1); +@@ -334,10 +340,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileRead: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +-- +2.1.4 + diff --git a/Fix-CVE-2025-32415.patch b/Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch similarity index 68% rename from Fix-CVE-2025-32415.patch rename to Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch index 084f1123943ba8496510e438b157bbc7a44cbfbd..5aa9138ec643e5690893e97fccd8795c8074ae21 100644 --- a/Fix-CVE-2025-32415.patch +++ b/Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch @@ -1,38 +1,35 @@ -From 8ac33b1c821b4e67326e8e416945b31c9537c7c0 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 6 Apr 2025 12:41:11 +0200 -Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in - xmlSchemaIDCFillNodeTables - -Don't use local variable which could contain a stale value. - -Fixes #890. ---- - xmlschemas.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 796e0edf4..6a678ce7d 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -23336,7 +23336,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, - j++; - } while (j < nbDupls); - } -- if (nbNodeTable) { -+ if (bind->nbNodes) { - j = 0; - do { - if (nbFields == 1) { -@@ -23387,7 +23387,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, - - next_node_table_entry: - j++; -- } while (j < nbNodeTable); -+ } while (j < bind->nbNodes); - } - /* - * If everything is fine, then add the IDC target-node to --- -GitLab - +From 31f5d0a3636440ede2b08cad0ad48cbbf12b55e8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 6 Apr 2025 12:41:11 +0200 +Subject: [PATCH] [Backport][CVE-2025-32415] schemas: Fix heap buffer overflow +CVE: CVE-2025-32415 +Reference: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8ac33b1c821b4e67326e8e416945b31c9537c7c0 +--- + xmlschemas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 796e0ed..6a678ce 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -23336,7 +23336,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + j++; + } while (j < nbDupls); + } +- if (nbNodeTable) { ++ if (bind->nbNodes) { + j = 0; + do { + if (nbFields == 1) { +@@ -23387,7 +23387,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + + next_node_table_entry: + j++; +- } while (j < nbNodeTable); ++ } while (j < bind->nbNodes); + } + /* + * If everything is fine, then add the IDC target-node to +-- +2.1.4 + diff --git a/Fix-CVE-2019-19956.patch b/Fix-CVE-2019-19956.patch deleted file mode 100644 index 0d9ba3837cae99b60e73aeb93ffdc00c1eb91a2f..0000000000000000000000000000000000000000 --- a/Fix-CVE-2019-19956.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/parser.c b/parser.c -index 0f58bf7..bcf9a2e 100644 ---- a/parser.c -+++ b/parser.c -@@ -13877,8 +13877,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax, - xmlFreeParserCtxt(ctxt); - newDoc->intSubset = NULL; - newDoc->extSubset = NULL; -- /* This leaks the namespace list if doc == NULL */ -- newDoc->oldNs = NULL; -+ if(doc != NULL) -+ newDoc->oldNs = NULL; - xmlFreeDoc(newDoc); - - return(ret); diff --git a/Fix-CVE-2023-25062.patch b/Fix-CVE-2023-25062.patch deleted file mode 100644 index 4951d0e706287d451845f18c7b59c7979ee75c34..0000000000000000000000000000000000000000 --- a/Fix-CVE-2023-25062.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 92721970884fcc13305cb8e23cdc5f0dd7667c2c Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 14 Oct 2023 22:45:54 +0200 -Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when - backtracking - -Fixes a use-after-free if XML Reader if used with DTD validation and -XInclude expansion. - -Fixes #604. ---- - xmlreader.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/xmlreader.c b/xmlreader.c -index 5c37738e..1f903306 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -1378,6 +1378,7 @@ node_found: - * Handle XInclude if asked for - */ - if ((reader->xinclude) && (reader->in_xinclude == 0) && -+ (reader->state != XML_TEXTREADER_BACKTRACK) && - (reader->node != NULL) && - (reader->node->type == XML_ELEMENT_NODE) && - (reader->node->ns != NULL) && --- -GitLab - diff --git a/Fix-CVE-2023-45322-first.patch b/Fix-CVE-2023-45322-first.patch deleted file mode 100644 index 482840a1c1787904ecfe9d459250ba2337626a4e..0000000000000000000000000000000000000000 --- a/Fix-CVE-2023-45322-first.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 30d7660ba87c8487b26582ccc050f4d2880ccb3c Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 28 Nov 2023 13:27:25 +0100 -Subject: [PATCH] tree: Fix #583 again - -Only set doc->intSubset after successful copy to avoid dangling pointers -in error case. ---- - tree.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tree.c b/tree.c -index 5a9c24d1b..35dabb97c 100644 ---- a/tree.c -+++ b/tree.c -@@ -4378,6 +4378,7 @@ xmlNodePtr - xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - xmlNodePtr ret = NULL; - xmlNodePtr p = NULL,q; -+ xmlDtdPtr newSubset = NULL; - - while (node != NULL) { - #ifdef LIBXML_TREE_ENABLED -@@ -4385,12 +4386,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - node = node->next; - continue; - } -- if (doc->intSubset == NULL) { -+ if ((doc->intSubset == NULL) && (newSubset == NULL)) { - q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); - if (q == NULL) goto error; - q->doc = doc; - q->parent = parent; -- doc->intSubset = (xmlDtdPtr) q; -+ newSubset = (xmlDtdPtr) q; - xmlAddChild(parent, q); - } else { - q = (xmlNodePtr) doc->intSubset; -@@ -4411,6 +4412,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - } - node = node->next; - } -+ if ((doc != NULL) && (newSubset != NULL)) -+ doc->intSubset = newSubset; - return(ret); - error: - xmlFreeNodeList(ret); --- -GitLab - diff --git a/Fix-CVE-2023-45322-pre.patch b/Fix-CVE-2023-45322-pre.patch deleted file mode 100644 index c5d0e6e8cacf008650ee3b54b353b15c9fd37cd6..0000000000000000000000000000000000000000 --- a/Fix-CVE-2023-45322-pre.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 15:44:42 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList - -Found with libFuzzer, see #344. ---- - tree.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tree.c b/tree.c -index 507869efe..647288ce3 100644 ---- a/tree.c -+++ b/tree.c -@@ -4388,7 +4388,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - } - if (doc->intSubset == NULL) { - q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); -- if (q == NULL) return(NULL); -+ if (q == NULL) goto error; - q->doc = doc; - q->parent = parent; - doc->intSubset = (xmlDtdPtr) q; -@@ -4400,7 +4400,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - } else - #endif /* LIBXML_TREE_ENABLED */ - q = xmlStaticCopyNode(node, doc, parent, 1); -- if (q == NULL) return(NULL); -+ if (q == NULL) goto error; - if (ret == NULL) { - q->prev = NULL; - ret = p = q; -@@ -4413,6 +4413,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - node = node->next; - } - return(ret); -+error: -+ xmlFreeNodeList(ret); -+ return(NULL); - } - - /** --- -GitLab - diff --git a/Fix-CVE-2023-45322-second.patch b/Fix-CVE-2023-45322-second.patch deleted file mode 100644 index 53adbe8f66b627ed1feed0992c64d432c945bff4..0000000000000000000000000000000000000000 --- a/Fix-CVE-2023-45322-second.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 502971cc23e0ebb2677124b41b70c321c6dd5c02 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 1 Dec 2023 17:49:48 +0100 -Subject: [PATCH] tree: Another fix related to #538 - -Should fix #639. ---- - tree.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tree.c b/tree.c -index 35dabb97c..dc3ac4f92 100644 ---- a/tree.c -+++ b/tree.c -@@ -4379,6 +4379,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - xmlNodePtr ret = NULL; - xmlNodePtr p = NULL,q; - xmlDtdPtr newSubset = NULL; -+ int linkedSubset = 0; - - while (node != NULL) { - #ifdef LIBXML_TREE_ENABLED -@@ -4395,6 +4396,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - newSubset = (xmlDtdPtr) q; - xmlAddChild(parent, q); - } else { -+ linkedSubset = 1; - q = (xmlNodePtr) doc->intSubset; - xmlAddChild(parent, q); - } -@@ -4417,6 +4419,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - doc->intSubset = newSubset; - return(ret); - error: -+ if (linkedSubset != 0) -+ xmlUnlinkNode((xmlNodePtr) doc->intSubset); - xmlFreeNodeList(ret); - return(NULL); - } --- -GitLab - diff --git a/Fix-CVE-2024-34459.patch b/Fix-CVE-2024-34459.patch deleted file mode 100644 index a7e5feca7fdebaf658deb00f125c70eac5f2b1a4..0000000000000000000000000000000000000000 --- a/Fix-CVE-2024-34459.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 2876ac5392a4e891b81e40e592c3ac6cb46016ce Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 8 May 2024 11:49:31 +0200 -Subject: [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout` - -Add a missing bounds check. ---- - xmllint.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xmllint.c b/xmllint.c -index 82a878651..4d84c640b 100644 ---- a/xmllint.c -+++ b/xmllint.c -@@ -599,7 +599,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) { - len = strlen(buffer); - snprintf(&buffer[len], sizeof(buffer) - len, "\n"); - cur = input->cur; -- while ((*cur == '\n') || (*cur == '\r')) -+ while ((cur > base) && ((*cur == '\n') || (*cur == '\r'))) - cur--; - n = 0; - while ((cur != base) && (n++ < 80)) { --- -GitLab - diff --git a/Fix-CVE-2024-56171.patch b/Fix-CVE-2024-56171.patch deleted file mode 100644 index 320a579f01ad23cf6363ee1022810e5402d5c68b..0000000000000000000000000000000000000000 --- a/Fix-CVE-2024-56171.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 5880a9a6bd97c0f9ac8fc4f30110fe023f484746 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 10 Dec 2024 16:52:05 +0100 -Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after - xmlSchemaItemListAdd - -xmlSchemaItemListAdd can reallocate the items array. Update local -variables after adding item in - -- xmlSchemaIDCFillNodeTables -- xmlSchemaBubbleIDCNodeTables - -Fixes #828. ---- - xmlschemas.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 1b3c524f2..95be97c96 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -23374,6 +23374,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, - } - if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1) - goto internal_error; -+ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items; - /* - * Remove the duplicate entry from the IDC node-table. - */ -@@ -23590,6 +23591,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt) - goto internal_error; - } - xmlSchemaItemListAdd(parBind->dupls, parNode); -+ dupls = (xmlSchemaPSVIIDCNodePtr *) -+ parBind->dupls->items; - } else { - /* - * Add the node-table entry (node and key-sequence) of --- -GitLab - diff --git a/Fix-CVE-2025-24928.patch b/Fix-CVE-2025-24928.patch deleted file mode 100644 index 0a0653b94daa21decf6c444d5a594fce4a174864..0000000000000000000000000000000000000000 --- a/Fix-CVE-2025-24928.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff --git a/valid.c b/valid.c -index 92aaedb..2ba5cdd 100644 ---- a/valid.c -+++ b/valid.c -@@ -5268,25 +5268,26 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) { - return; - } - switch (cur->type) { -- case XML_ELEMENT_NODE: -+ case XML_ELEMENT_NODE: { -+ int qnameLen = xmlStrlen(cur->name); -+ -+ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) -+ qnameLen += xmlStrlen(cur->ns->prefix) + 1; -+ if (size - len < qnameLen + 10) { -+ if ((size - len > 4) && (buf[len - 1] != '.')) -+ strcat(buf, " ..."); -+ return; -+ } - if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { -- if (size - len < xmlStrlen(cur->ns->prefix) + 10) { -- if ((size - len > 4) && (buf[len - 1] != '.')) -- strcat(buf, " ..."); -- return; -- } - strcat(buf, (char *) cur->ns->prefix); - strcat(buf, ":"); - } -- if (size - len < xmlStrlen(cur->name) + 10) { -- if ((size - len > 4) && (buf[len - 1] != '.')) -- strcat(buf, " ..."); -- return; -- } -- strcat(buf, (char *) cur->name); -- if (cur->next != NULL) -- strcat(buf, " "); -+ if (cur->name != NULL) -+ strcat(buf, (char *) cur->name); -+ if (cur->next != NULL) -+ strcat(buf, " "); - break; -+ } - case XML_TEXT_NODE: - if (xmlIsBlankNode(cur)) - break; diff --git a/Fix-CVE-2025-27113.patch b/Fix-CVE-2025-27113.patch deleted file mode 100644 index 3602af66adf8a9fdb03478c3c46952758b0ce479..0000000000000000000000000000000000000000 --- a/Fix-CVE-2025-27113.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 6c716d491dd2e67f08066f4dc0619efeb49e43e6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 13 Feb 2025 16:48:53 +0100 -Subject: [PATCH] pattern: Fix compilation of explicit child axis - -The child axis is the default axis and should generate XML_OP_ELEM like -the case without an axis. ---- - pattern.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pattern.c b/pattern.c -index 0877fc1a0..6fa88f759 100644 ---- a/pattern.c -+++ b/pattern.c -@@ -1035,10 +1035,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) { - goto error; - } - } else { -- PUSH(XML_OP_CHILD, token, URL); -+ PUSH(XML_OP_ELEM, token, URL); - } - } else -- PUSH(XML_OP_CHILD, name, NULL); -+ PUSH(XML_OP_ELEM, name, NULL); - return; - } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) { - XML_PAT_FREE_STRING(ctxt, name) --- -GitLab - diff --git a/Fix-malloc-fail.patch b/Fix-malloc-fail.patch deleted file mode 100644 index 3edbb299c55f32c61dfbfd2bc0ca61b4ccd92376..0000000000000000000000000000000000000000 --- a/Fix-malloc-fail.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/buf.c b/buf.c -index d8992f7..1ae7542 100644 ---- a/buf.c -+++ b/buf.c -@@ -1261,7 +1261,7 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) { - */ - int - xmlBufResetInput(xmlBufPtr buf, xmlParserInputPtr input) { -- if ((input == NULL) || (buf == NULL) || (buf->error)) -+ if ((input == NULL) || (buf == NULL)) - return(-1); - CHECK_COMPAT(buf) - input->base = input->cur = buf->content; diff --git a/Fix-memleaks-in-xmlXIncludeProcessFlags.patch b/Fix-memleaks-in-xmlXIncludeProcessFlags.patch deleted file mode 100755 index 40a76fe465e10bb767fa75716afa0f6002d98e5c..0000000000000000000000000000000000000000 --- a/Fix-memleaks-in-xmlXIncludeProcessFlags.patch +++ /dev/null @@ -1,41 +0,0 @@ -From b01853fb42257136461d1b45e45ecaa3f3ecd570 Mon Sep 17 00:00:00 2001 -From: panxiaohe -Date: Tue, 9 Nov 2021 14:27:24 +0800 -Subject: [PATCH] Fix memleaks in xmlXIncludeProcessFlags - ---- - tree.c | 18 +++++++++++++----- - 1 file changed, 13 insertions(+), 5 deletions(-) - -diff --git a/tree.c b/tree.c -index 17e59d7..64799fb 100644 ---- a/tree.c -+++ b/tree.c -@@ -3720,11 +3720,19 @@ xmlFreeNodeList(xmlNodePtr cur) { - * Otherwise the node name might come from the document's - * dictionary - */ -- if ((cur->name != NULL) && -- (cur->type != XML_TEXT_NODE) && -- (cur->type != XML_COMMENT_NODE)) -- DICT_FREE(cur->name) -- xmlFree(cur); -+ if ((cur->type == XML_DOCUMENT_NODE) || -+#ifdef LIBXML_DOCB_ENABLED -+ (cur->type == XML_DOCB_DOCUMENT_NODE) || -+#endif -+ (cur->type == XML_HTML_DOCUMENT_NODE)) { -+ xmlFreeDoc((xmlDocPtr) cur); -+ } else { -+ if ((cur->name != NULL) && -+ (cur->type != XML_TEXT_NODE) && -+ (cur->type != XML_COMMENT_NODE)) -+ DICT_FREE(cur->name) -+ xmlFree(cur); -+ } - } - - if (next != NULL) { --- -1.8.3.1 - diff --git a/Fix-memory-leaks-for-xmlACatalogAdd.patch b/Fix-memory-leaks-for-xmlACatalogAdd.patch deleted file mode 100755 index cbb655b38f27d862947062a2e5c68afded8968a3..0000000000000000000000000000000000000000 --- a/Fix-memory-leaks-for-xmlACatalogAdd.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 9736e895d02e889b25c7e8a73afe3f7bf61dca27 Mon Sep 17 00:00:00 2001 -From: xiezhipeng -Date: Thu, 16 Jun 2022 19:13:10 +0800 -Subject: [PATCH] Fix memory leaks for xmlACatalogAdd - ---- - xmlcatalog.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/xmlcatalog.c b/xmlcatalog.c -index 3f0e1b9..6fdbff9 100644 ---- a/xmlcatalog.c -+++ b/xmlcatalog.c -@@ -527,6 +527,11 @@ int main(int argc, char **argv) { - xmlACatalogDump(catal, stdout); - } - i += 2; -+ /* Check for memory leaks */ -+ if (catal != NULL) -+ xmlFreeCatalog(catal); -+ if (super != NULL) -+ xmlFreeCatalog(super); - } else { - if ((!strcmp(argv[i], "-add")) || - (!strcmp(argv[i], "--add"))) { --- -1.8.3.1 - diff --git a/Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch b/Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch deleted file mode 100755 index 08dc01e35540e5b160b4efd8667898a274afe7e8..0000000000000000000000000000000000000000 --- a/Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 43555b3ff9c28a44aa27f447475b9f9cfccbe702 Mon Sep 17 00:00:00 2001 -From: xiezhipeng -Date: Fri, 24 Jun 2022 09:39:54 +0800 -Subject: [PATCH] fix memory leaks in xmlACatalogAdd - ---- - catalog.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/catalog.c b/catalog.c -index effbb2e..866e753 100644 ---- a/catalog.c -+++ b/catalog.c -@@ -2981,6 +2981,8 @@ xmlACatalogAdd(xmlCatalogPtr catal, const xmlChar * type, - if (catal->sgml == NULL) - catal->sgml = xmlHashCreate(10); - res = xmlHashAddEntry(catal->sgml, orig, entry); -+ if (res) -+ xmlFreeCatalogEntry(entry, NULL); - } - } - return (res); --- -1.8.3.1 - diff --git a/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch b/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch deleted file mode 100644 index b708cd3a7700e9d40eaae5a3e73445f6bd578520..0000000000000000000000000000000000000000 --- a/Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 9f8484602f53ac23c5af031c96c36829191e6b92 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 9 Mar 2025 13:31:10 +0100 -Subject: [PATCH] malloc-fail: Fix type confusion in - xmlSchemaCheckAGPropsCorrect - -Attribute groups must be marked as containing references also if an OOM -error occurred. Otherwise, references won't be resolved, leading to type -confusion in xmlSchemaCheckAGPropsCorrect later in the fixup phase. - -I'm not sure why xmlSchemaFixupComponents is called at all if an error -occurred. This has lead to similar issues in the past. On the other -hand, continuing in the presence of errors helps when fuzzing. - -See #344. ---- - xmlschemas.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index b3214f508..796e0edf4 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -7715,6 +7715,7 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt, - xmlNodePtr child = NULL; - xmlAttrPtr attr; - int hasRefs = 0; -+ int res; - - if ((pctxt == NULL) || (schema == NULL) || (node == NULL)) - return (NULL); -@@ -7769,12 +7770,13 @@ xmlSchemaParseAttributeGroupDefinition(xmlSchemaParserCtxtPtr pctxt, - /* - * Parse contained attribute decls/refs. - */ -- if (xmlSchemaParseLocalAttributes(pctxt, schema, &child, -+ res = xmlSchemaParseLocalAttributes(pctxt, schema, &child, - (xmlSchemaItemListPtr *) &(ret->attrUses), -- XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs) == -1) -- return(NULL); -+ XML_SCHEMA_TYPE_ATTRIBUTEGROUP, &hasRefs); - if (hasRefs) - ret->flags |= XML_SCHEMAS_ATTRGROUP_HAS_REFS; -+ if (res == -1) -+ return(NULL); - /* - * Parse the attribute wildcard. - */ --- -GitLab \ No newline at end of file diff --git a/README.OpenSource b/README.OpenSource index 6bf03f4c59a23d811e748590d828e625a3162477..ef9abcabcd95b47b4a04579760a1ed0712084a31 100644 --- a/README.OpenSource +++ b/README.OpenSource @@ -3,9 +3,9 @@ "Name": "openEuler:libxml2", "License": "MIT License", "License File": "Copyright", - "Version Number": "2.9.14-9.oe2203sp3", + "Version Number": "2.14.0", "Owner": "jameslee@huawei.com", - "Upstream URL": "https://repo.openeuler.org/openEuler-22.03-LTS-SP3/source/Packages/libxml2-2.9.14-9.oe2203sp3.src.rpm", + "Upstream URL": "https://gitlab.gnome.org/GNOME/libxml2/-/archive/v2.14.0/libxml2-v2.14.0.zip", "Description": "Libxml2 is the XML C parser and toolkit developed for the Gnome project (but usable outside of the Gnome platform), it is free software available under the MIT License" } ] diff --git a/backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch b/backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch deleted file mode 100644 index 5316326a94cee60ad53b2b81558c1dc55a3c591a..0000000000000000000000000000000000000000 --- a/backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 966b0f21c15de0c959f4db88d658ba66bda41575 Mon Sep 17 00:00:00 2001 -From: Damjan Jovanovic -Date: Thu, 19 Aug 2021 02:46:32 +0200 -Subject: [PATCH] Add whitespace folding for some atomic data types that it's - missing on. - -XSD validation fails when some atomic types contain surrounding whitespace -even though XML Schema Part 2: Datatypes Second Edition, section 4.3.6 -says they should be collapsed. Fix this. - -(I am not sure whether the test is correct.) - -Issue: #278 - -Conflict:NA -Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/966b0f21c15de0c959f4db88d658ba66bda41575 - ---- - test/xsdtest/xsdtest.xml | 5 +++++ - xmlschemastypes.c | 8 ++++++++ - 2 files changed, 13 insertions(+) - -diff --git a/test/xsdtest/xsdtest.xml b/test/xsdtest/xsdtest.xml -index b8a6de9..2807d26 100644 ---- a/test/xsdtest/xsdtest.xml -+++ b/test/xsdtest/xsdtest.xml -@@ -657,6 +657,7 @@ B EEF - - - 1 -+ 1 - 127 - -128 - 128 -@@ -665,6 +666,7 @@ B EEF - - 1 - +1 -+ 1 - -1 - 0 - 18446744073709551615 -@@ -674,6 +676,7 @@ B EEF - - 1 - +1 -+ 1 - 0 - 4294967295 - 4294967296 -@@ -682,6 +685,7 @@ B EEF - - 1 - +1 -+ 1 - 0 - 65535 - 65536 -@@ -689,6 +693,7 @@ B EEF - - - 1 -+ 1 - +1 - 0 - 255 -diff --git a/xmlschemastypes.c b/xmlschemastypes.c -index af31be5..ebb0219 100644 ---- a/xmlschemastypes.c -+++ b/xmlschemastypes.c -@@ -3308,6 +3308,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, - - if (cur == NULL) - goto return1; -+ if (normOnTheFly) -+ while IS_WSP_BLANK_CH(*cur) cur++; - if (*cur == '-') { - sign = 1; - cur++; -@@ -3316,6 +3318,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, - ret = xmlSchemaParseUInt(&cur, &lo, &mi, &hi); - if (ret < 0) - goto return1; -+ if (normOnTheFly) -+ while IS_WSP_BLANK_CH(*cur) cur++; - if (*cur != 0) - goto return1; - if (type->builtInType == XML_SCHEMAS_LONG) { -@@ -3380,9 +3384,13 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, - - if (cur == NULL) - goto return1; -+ if (normOnTheFly) -+ while IS_WSP_BLANK_CH(*cur) cur++; - ret = xmlSchemaParseUInt(&cur, &lo, &mi, &hi); - if (ret < 0) - goto return1; -+ if (normOnTheFly) -+ while IS_WSP_BLANK_CH(*cur) cur++; - if (*cur != 0) - goto return1; - if (type->builtInType == XML_SCHEMAS_ULONG) { --- -2.27.0 - diff --git a/backport-Avoid-arithmetic-on-freed-pointers.patch b/backport-Avoid-arithmetic-on-freed-pointers.patch deleted file mode 100644 index 8204291b3ddec063658f328d0cf089357769dfc8..0000000000000000000000000000000000000000 --- a/backport-Avoid-arithmetic-on-freed-pointers.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 4951c462eae68562df335ff6d611f4352ea9931d Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 6 Mar 2022 02:29:00 +0100 -Subject: [PATCH] Avoid arithmetic on freed pointers - -Conflict:NA -Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/4951c462eae68562df335ff6d611f4352ea9931d - ---- - parserInternals.c | 45 +++++++++------------------------------------ - 1 file changed, 9 insertions(+), 36 deletions(-) - -diff --git a/parserInternals.c b/parserInternals.c -index c5c0b16..d68592f 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -300,7 +300,6 @@ int - xmlParserInputGrow(xmlParserInputPtr in, int len) { - int ret; - size_t indx; -- const xmlChar *content; - - if ((in == NULL) || (len < 0)) return(-1); - #ifdef DEBUG_INPUT -@@ -325,22 +324,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { - } else - return(0); - -- /* -- * NOTE : in->base may be a "dangling" i.e. freed pointer in this -- * block, but we use it really as an integer to do some -- * pointer arithmetic. Insure will raise it as a bug but in -- * that specific case, that's not ! -- */ -- -- content = xmlBufContent(in->buf->buffer); -- if (in->base != content) { -- /* -- * the buffer has been reallocated -- */ -- indx = in->cur - in->base; -- in->base = content; -- in->cur = &content[indx]; -- } -+ in->base = xmlBufContent(in->buf->buffer); -+ in->cur = in->base + indx; - in->end = xmlBufEnd(in->buf->buffer); - - CHECK_BUFFER(in); -@@ -358,8 +343,6 @@ void - xmlParserInputShrink(xmlParserInputPtr in) { - size_t used; - size_t ret; -- size_t indx; -- const xmlChar *content; - - #ifdef DEBUG_INPUT - xmlGenericError(xmlGenericErrorContext, "Shrink\n"); -@@ -372,7 +355,7 @@ xmlParserInputShrink(xmlParserInputPtr in) { - - CHECK_BUFFER(in); - -- used = in->cur - xmlBufContent(in->buf->buffer); -+ used = in->cur - in->base; - /* - * Do not shrink on large buffers whose only a tiny fraction - * was consumed -@@ -380,27 +363,17 @@ xmlParserInputShrink(xmlParserInputPtr in) { - if (used > INPUT_CHUNK) { - ret = xmlBufShrink(in->buf->buffer, used - LINE_LEN); - if (ret > 0) { -- in->cur -= ret; -+ used -= ret; - in->consumed += ret; - } -- in->end = xmlBufEnd(in->buf->buffer); - } - -- CHECK_BUFFER(in); -- -- if (xmlBufUse(in->buf->buffer) > INPUT_CHUNK) { -- return; -- } -- xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK); -- content = xmlBufContent(in->buf->buffer); -- if (in->base != content) { -- /* -- * the buffer has been reallocated -- */ -- indx = in->cur - in->base; -- in->base = content; -- in->cur = &content[indx]; -+ if (xmlBufUse(in->buf->buffer) <= INPUT_CHUNK) { -+ xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK); - } -+ -+ in->base = xmlBufContent(in->buf->buffer); -+ in->cur = in->base + used; - in->end = xmlBufEnd(in->buf->buffer); - - CHECK_BUFFER(in); --- -2.27.0 - diff --git a/backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch b/backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch deleted file mode 100644 index 2a4c31c3b9427ff46a91d970fc57cd2f9c9a337c..0000000000000000000000000000000000000000 --- a/backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch +++ /dev/null @@ -1,33 +0,0 @@ -From d58bff6125f066689a872113123152fdcfe693cc Mon Sep 17 00:00:00 2001 -From: Alex Richardson -Date: Thu, 1 Dec 2022 12:53:15 +0000 -Subject: [PATCH 27/28] Avoid creating an out-of-bounds pointer by rewriting a - check - -Creating more than one-past-the-end pointers is undefined behaviour in C -and while this code is unlikely to be miscompiled, I discovered that an -out-of-bounds pointer is being created using UBSan on a CHERI-enabled -system. - -Reference: https://github.com/GNOME/libxml2/commit/c715ded0861af956ba584f566bc7db6717f519d0 -Conflict: NA ---- - HTMLparser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 746edf6..60dea30 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -2333,7 +2333,7 @@ htmlEncodeEntities(unsigned char* out, int *outlen, - else - cp = ent->name; - len = strlen(cp); -- if (out + 2 + len > outend) -+ if (outend - out < len + 2) - break; - *out++ = '&'; - memcpy(out, cp, len); --- -2.27.0 - diff --git a/backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch b/backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch deleted file mode 100644 index f77f8dbe588b40dcab50c3ba502b7152a75fcc32..0000000000000000000000000000000000000000 --- a/backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ecba4cbd4335b31aa7a815701971ed09cfffea9b Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 28 Jun 2022 19:22:31 +0200 -Subject: [PATCH] Avoid double-free if malloc fails in inputPush - -It's the caller's responsibility to free the input stream if this -function fails. - -Reference:https://github.com/GNOME/libxml2/commit/ecba4cbd4335b31aa7a815701971ed09cfffea9b -Conflict:NA - ---- - parser.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/parser.c b/parser.c -index 0d5bcc1..d8225bd 100644 ---- a/parser.c -+++ b/parser.c -@@ -1763,9 +1763,7 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value) - sizeof(ctxt->inputTab[0])); - if (ctxt->inputTab == NULL) { - xmlErrMemory(ctxt, NULL); -- xmlFreeInputStream(value); - ctxt->inputMax /= 2; -- value = NULL; - return (-1); - } - } --- -2.27.0 - diff --git a/backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch b/backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch deleted file mode 100755 index e28ff49d9e1b3de568fcbda17d2d90856bef40be..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch +++ /dev/null @@ -1,618 +0,0 @@ -From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 25 Aug 2022 17:43:08 +0200 -Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE - -Also impose size limits when XML_PARSE_HUGE is set. Limit size of names -to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to -XML_MAX_HUGE_LENGTH (1 billion bytes). - -Move some the length checks to the end of the respective loop to make -them strict. - -xmlParseEntityValue didn't have a length limitation at all. But without -XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. - -Thanks to Maddie Stone working with Google Project Zero for the report! ---- - parser.c | 233 +++++++++++++++++++++++++++++-------------------------- - 1 file changed, 121 insertions(+), 112 deletions(-) - -diff --git a/parser.c b/parser.c -index 93f031be..79479979 100644 ---- a/parser.c -+++ b/parser.c -@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); - * * - ************************************************************************/ - -+#define XML_MAX_HUGE_LENGTH 1000000000 -+ - #define XML_PARSER_BIG_ENTITY 1000 - #define XML_PARSER_LOT_ENTITY 5000 - -@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) - errmsg = "Malformed declaration expecting version"; - break; - case XML_ERR_NAME_TOO_LONG: -- errmsg = "Name too long use XML_PARSE_HUGE option"; -+ errmsg = "Name too long"; - break; - #if 0 - case: -@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { - int len = 0, l; - int c; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseNameComplex++; -@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { - if (ctxt->instate == XML_PARSER_EOF) - return(NULL); - } -- len += l; -+ if (len <= INT_MAX - l) -+ len += l; - NEXTL(l); - c = CUR_CHAR(l); - } -@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { - if (ctxt->instate == XML_PARSER_EOF) - return(NULL); - } -- len += l; -+ if (len <= INT_MAX - l) -+ len += l; - NEXTL(l); - c = CUR_CHAR(l); - } - } -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); - return(NULL); - } -@@ -3338,7 +3344,10 @@ const xmlChar * - xmlParseName(xmlParserCtxtPtr ctxt) { - const xmlChar *in; - const xmlChar *ret; -- int count = 0; -+ size_t count = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - GROW; - -@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { - in++; - if ((*in > 0) && (*in < 0x80)) { - count = in - ctxt->input->cur; -- if ((count > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (count > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); - return(NULL); - } -@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - int len = 0, l; - int c; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - size_t startPosition = 0; - - #ifdef DEBUG -@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ - (xmlIsNameChar(ctxt, c) && (c != ':'))) { - if (count++ > XML_PARSER_CHUNK_SIZE) { -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); -- return(NULL); -- } - count = 0; - GROW; - if (ctxt->instate == XML_PARSER_EOF) - return(NULL); - } -- len += l; -+ if (len <= INT_MAX - l) -+ len += l; - NEXTL(l); - c = CUR_CHAR(l); - if (c == 0) { -@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - c = CUR_CHAR(l); - } - } -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - return(NULL); - } -@@ -3459,7 +3465,10 @@ static const xmlChar * - xmlParseNCName(xmlParserCtxtPtr ctxt) { - const xmlChar *in, *e; - const xmlChar *ret; -- int count = 0; -+ size_t count = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseNCName++; -@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { - goto complex; - if ((*in > 0) && (*in < 0x80)) { - count = in - ctxt->input->cur; -- if ((count > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (count > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - return(NULL); - } -@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { - const xmlChar *cur = *str; - int len = 0, l; - int c; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseStringName++; -@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { - if (len + 10 > max) { - xmlChar *tmp; - -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); -- xmlFree(buffer); -- return(NULL); -- } - max *= 2; - tmp = (xmlChar *) xmlRealloc(buffer, - max * sizeof(xmlChar)); -@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { - COPY_BUF(l,buffer,len,c); - cur += l; - c = CUR_SCHAR(cur, l); -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); -+ xmlFree(buffer); -+ return(NULL); -+ } - } - buffer[len] = 0; - *str = cur; - return(buffer); - } - } -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); - return(NULL); - } -@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - int len = 0, l; - int c; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - - #ifdef DEBUG - nbParseNmToken++; -@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - if (len + 10 > max) { - xmlChar *tmp; - -- if ((max > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); -- xmlFree(buffer); -- return(NULL); -- } - max *= 2; - tmp = (xmlChar *) xmlRealloc(buffer, - max * sizeof(xmlChar)); -@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - COPY_BUF(l,buffer,len,c); - NEXTL(l); - c = CUR_CHAR(l); -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); -+ xmlFree(buffer); -+ return(NULL); -+ } - } - buffer[len] = 0; - return(buffer); -@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - } - if (len == 0) - return(NULL); -- if ((len > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); - return(NULL); - } -@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { - int len = 0; - int size = XML_PARSER_BUFFER_SIZE; - int c, l; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - xmlChar stop; - xmlChar *ret = NULL; - const xmlChar *cur = NULL; -@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { - GROW; - c = CUR_CHAR(l); - } -+ -+ if (len > maxLength) { -+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, -+ "entity value too long\n"); -+ goto error; -+ } - } - buf[len] = 0; - if (ctxt->instate == XML_PARSER_EOF) -@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - xmlChar *rep = NULL; - size_t len = 0; - size_t buf_size = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - int c, l, in_space = 0; - xmlChar *current = NULL; - xmlEntityPtr ent; -@@ -3936,16 +3958,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - while (((NXT(0) != limit) && /* checked */ - (IS_CHAR(c)) && (c != '<')) && - (ctxt->instate != XML_PARSER_EOF)) { -- /* -- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE -- * special option is given -- */ -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, -- "AttValue length too long\n"); -- goto mem_error; -- } - if (c == '&') { - in_space = 0; - if (NXT(1) == '#') { -@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - } - GROW; - c = CUR_CHAR(l); -+ if (len > maxLength) { -+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, -+ "AttValue length too long\n"); -+ goto mem_error; -+ } - } - if (ctxt->instate == XML_PARSER_EOF) - goto error; -@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { - } else - NEXT; - -- /* -- * There we potentially risk an overflow, don't allow attribute value of -- * length more than INT_MAX it is a very reasonable assumption ! -- */ -- if (len >= INT_MAX) { -- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, -- "AttValue length too long\n"); -- goto mem_error; -- } -- - if (attlen != NULL) *attlen = (int) len; - return(buf); - -@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { - int len = 0; - int size = XML_PARSER_BUFFER_SIZE; - int cur, l; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - xmlChar stop; - int state = ctxt->instate; - int count = 0; -@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { - if (len + 5 >= size) { - xmlChar *tmp; - -- if ((size > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); -- xmlFree(buf); -- ctxt->instate = (xmlParserInputState) state; -- return(NULL); -- } - size *= 2; - tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); - if (tmp == NULL) { -@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { - SHRINK; - cur = CUR_CHAR(l); - } -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); -+ xmlFree(buf); -+ ctxt->instate = (xmlParserInputState) state; -+ return(NULL); -+ } - } - buf[len] = 0; - ctxt->instate = (xmlParserInputState) state; -@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { - xmlChar *buf = NULL; - int len = 0; - int size = XML_PARSER_BUFFER_SIZE; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - xmlChar cur; - xmlChar stop; - int count = 0; -@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { - if (len + 1 >= size) { - xmlChar *tmp; - -- if ((size > XML_MAX_NAME_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); -- xmlFree(buf); -- return(NULL); -- } - size *= 2; - tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); - if (tmp == NULL) { -@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { - SHRINK; - cur = CUR; - } -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); -+ xmlFree(buf); -+ return(NULL); -+ } - } - buf[len] = 0; - if (cur != stop) { -@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, - int r, rl; - int cur, l; - size_t count = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - int inputid; - - inputid = ctxt->input->id; -@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, - if ((r == '-') && (q == '-')) { - xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); - } -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, -- "Comment too big found", NULL); -- xmlFree (buf); -- return; -- } - if (len + 5 >= size) { - xmlChar *new_buf; - size_t new_size; -@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, - GROW; - cur = CUR_CHAR(l); - } -+ -+ if (len > maxLength) { -+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, -+ "Comment too big found", NULL); -+ xmlFree (buf); -+ return; -+ } - } - buf[len] = 0; - if (cur == 0) { -@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { - xmlChar *buf = NULL; - size_t size = XML_PARSER_BUFFER_SIZE; - size_t len = 0; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - xmlParserInputState state; - const xmlChar *in; - size_t nbchar = 0; -@@ -4958,8 +4975,7 @@ get_more: - buf[len] = 0; - } - } -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if (len > maxLength) { - xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, - "Comment too big found", NULL); - xmlFree (buf); -@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - xmlChar *buf = NULL; - size_t len = 0; - size_t size = XML_PARSER_BUFFER_SIZE; -+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - int cur, l; - const xmlChar *target; - xmlParserInputState state; -@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - return; - } - count = 0; -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -- "PI %s too big found", target); -- xmlFree(buf); -- ctxt->instate = state; -- return; -- } - } - COPY_BUF(l,buf,len,cur); - NEXTL(l); -@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - GROW; - cur = CUR_CHAR(l); - } -+ if (len > maxLength) { -+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -+ "PI %s too big found", target); -+ xmlFree(buf); -+ ctxt->instate = state; -+ return; -+ } - } -- if ((len > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -- "PI %s too big found", target); -- xmlFree(buf); -- ctxt->instate = state; -- return; -- } - buf[len] = 0; - if (cur != '?') { - xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, -@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - const xmlChar *in = NULL, *start, *end, *last; - xmlChar *ret = NULL; - int line, col; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - - GROW; - in = (xmlChar *) CUR_PTR; -@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - start = in; - if (in >= end) { - GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - if ((*in++ == 0x20) && (*in == 0x20)) break; - if (in >= end) { - GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - last = last + delta; - } - end = ctxt->input->end; -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); - } - } - } -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - col++; - if (in >= end) { - GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - } - } - last = in; -- if (((in - start) > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -+ if ((in - start) > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, - "AttValue length too long\n"); - return(NULL); -@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - int s, sl; - int cur, l; - int count = 0; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_HUGE_LENGTH : -+ XML_MAX_TEXT_LENGTH; - - /* Check 2.6.0 was NXT(0) not RAW */ - if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { -@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - if (len + 5 >= size) { - xmlChar *tmp; - -- if ((size > XML_MAX_TEXT_LENGTH) && -- ((ctxt->options & XML_PARSE_HUGE) == 0)) { -- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, -- "CData section too big found", NULL); -- xmlFree (buf); -- return; -- } - tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); - if (tmp == NULL) { - xmlFree(buf); -@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - } - NEXTL(l); - cur = CUR_CHAR(l); -+ if (len > maxLength) { -+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, -+ "CData section too big found\n"); -+ xmlFree(buf); -+ return; -+ } - } - buf[len] = 0; - ctxt->instate = XML_PARSER_CONTENT; --- -2.27.0 - diff --git a/backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch b/backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch deleted file mode 100755 index 50443907c8c2a42da10b39e7df01c26c8b77a601..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 31 Aug 2022 22:11:25 +0200 -Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity - reference cycles - -When an entity reference cycle is detected, the entity content is -cleared by setting its first byte to zero. But the entity content might -be allocated from a dict. In this case, the dict entry becomes corrupted -leading to all kinds of logic errors, including memory errors like -double-frees. - -Stop storing entity content, orig, ExternalID and SystemID in a dict. -These values are unlikely to occur multiple times in a document, so they -shouldn't have been stored in a dict in the first place. - -Thanks to Ned Williamson and Nathan Wachholz working with Google Project -Zero for the report! ---- - entities.c | 55 ++++++++++++++++-------------------------------------- - 1 file changed, 16 insertions(+), 39 deletions(-) - -diff --git a/entities.c b/entities.c -index 84435515..d4e5412e 100644 ---- a/entities.c -+++ b/entities.c -@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity) - if ((entity->children) && (entity->owner == 1) && - (entity == (xmlEntityPtr) entity->children->parent)) - xmlFreeNodeList(entity->children); -- if (dict != NULL) { -- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) -- xmlFree((char *) entity->name); -- if ((entity->ExternalID != NULL) && -- (!xmlDictOwns(dict, entity->ExternalID))) -- xmlFree((char *) entity->ExternalID); -- if ((entity->SystemID != NULL) && -- (!xmlDictOwns(dict, entity->SystemID))) -- xmlFree((char *) entity->SystemID); -- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) -- xmlFree((char *) entity->URI); -- if ((entity->content != NULL) -- && (!xmlDictOwns(dict, entity->content))) -- xmlFree((char *) entity->content); -- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) -- xmlFree((char *) entity->orig); -- } else { -- if (entity->name != NULL) -- xmlFree((char *) entity->name); -- if (entity->ExternalID != NULL) -- xmlFree((char *) entity->ExternalID); -- if (entity->SystemID != NULL) -- xmlFree((char *) entity->SystemID); -- if (entity->URI != NULL) -- xmlFree((char *) entity->URI); -- if (entity->content != NULL) -- xmlFree((char *) entity->content); -- if (entity->orig != NULL) -- xmlFree((char *) entity->orig); -- } -+ if ((entity->name != NULL) && -+ ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) -+ xmlFree((char *) entity->name); -+ if (entity->ExternalID != NULL) -+ xmlFree((char *) entity->ExternalID); -+ if (entity->SystemID != NULL) -+ xmlFree((char *) entity->SystemID); -+ if (entity->URI != NULL) -+ xmlFree((char *) entity->URI); -+ if (entity->content != NULL) -+ xmlFree((char *) entity->content); -+ if (entity->orig != NULL) -+ xmlFree((char *) entity->orig); - xmlFree(entity); - } - -@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, - ret->SystemID = xmlStrdup(SystemID); - } else { - ret->name = xmlDictLookup(dict, name, -1); -- if (ExternalID != NULL) -- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); -- if (SystemID != NULL) -- ret->SystemID = xmlDictLookup(dict, SystemID, -1); -+ ret->ExternalID = xmlStrdup(ExternalID); -+ ret->SystemID = xmlStrdup(SystemID); - } - if (content != NULL) { - ret->length = xmlStrlen(content); -- if ((dict != NULL) && (ret->length < 5)) -- ret->content = (xmlChar *) -- xmlDictLookup(dict, content, ret->length); -- else -- ret->content = xmlStrndup(content, ret->length); -+ ret->content = xmlStrndup(content, ret->length); - } else { - ret->length = 0; - ret->content = NULL; --- -2.27.0 - diff --git a/backport-CVE-2023-28484.patch b/backport-CVE-2023-28484.patch deleted file mode 100644 index 8617ddb192462072effaf0d850d062dd0d684a0a..0000000000000000000000000000000000000000 --- a/backport-CVE-2023-28484.patch +++ /dev/null @@ -1,78 +0,0 @@ -From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 7 Apr 2023 11:46:35 +0200 -Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType - -Fix a null pointer dereference when parsing (invalid) XML schemas. - -Thanks to Robby Simpson for the report! - -Fixes #491. - -Reference:https://github.com/GNOME/libxml2/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 -Conflict:NA - ---- - result/schemas/issue491_0_0.err | 1 + - test/schemas/issue491_0.xml | 1 + - test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ - xmlschemas.c | 2 +- - 4 files changed, 21 insertions(+), 1 deletion(-) - create mode 100644 result/schemas/issue491_0_0.err - create mode 100644 test/schemas/issue491_0.xml - create mode 100644 test/schemas/issue491_0.xsd - -diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err -new file mode 100644 -index 0000000..9b2bb96 ---- /dev/null -+++ b/result/schemas/issue491_0_0.err -@@ -0,0 +1 @@ -+./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. -diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml -new file mode 100644 -index 0000000..e2b2fc2 ---- /dev/null -+++ b/test/schemas/issue491_0.xml -@@ -0,0 +1 @@ -+5 -diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd -new file mode 100644 -index 0000000..8170264 ---- /dev/null -+++ b/test/schemas/issue491_0.xsd -@@ -0,0 +1,18 @@ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/xmlschemas.c b/xmlschemas.c -index 4dbee37..7199d23 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -18640,7 +18640,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, - "allowed to appear inside other model groups", - NULL, NULL); - -- } else if (! dummySequence) { -+ } else if ((!dummySequence) && (baseType->subtypes != NULL)) { - xmlSchemaTreeItemPtr effectiveContent = - (xmlSchemaTreeItemPtr) type->subtypes; - /* --- -2.27.0 - diff --git a/backport-CVE-2023-29469.patch b/backport-CVE-2023-29469.patch deleted file mode 100644 index 2e0881c1b64ffda0124a74795e9e3d24f3913cfd..0000000000000000000000000000000000000000 --- a/backport-CVE-2023-29469.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 7 Apr 2023 11:49:27 +0200 -Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't - deterministic - -When hashing empty strings which aren't null-terminated, -xmlDictComputeFastKey could produce inconsistent results. This could -lead to various logic or memory errors, including double frees. - -For consistency the seed is also taken into account, but this shouldn't -have an impact on security. - -Found by OSS-Fuzz. - -Fixes #510. - -Reference:https://github.com/GNOME/libxml2/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df -Conflict:NA - ---- - dict.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/dict.c b/dict.c -index 90e4d81..e39e8a4 100644 ---- a/dict.c -+++ b/dict.c -@@ -451,7 +451,8 @@ static unsigned long - xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { - unsigned long value = seed; - -- if (name == NULL) return(0); -+ if ((name == NULL) || (namelen <= 0)) -+ return(value); - value += *name; - value <<= 5; - if (namelen > 10) { --- -2.27.0 - diff --git a/backport-CVE-2023-45322.patch b/backport-CVE-2023-45322.patch deleted file mode 100644 index 6b7bc5b4583841947b7850d81be051e0d868ec9b..0000000000000000000000000000000000000000 --- a/backport-CVE-2023-45322.patch +++ /dev/null @@ -1,74 +0,0 @@ -From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 23 Aug 2023 20:24:24 +0200 -Subject: [PATCH] tree: Fix copying of DTDs - -- Don't create multiple DTD nodes. -- Fix UAF if malloc fails. -- Skip DTD nodes if tree module is disabled. - -Fixes #583. ---- - tree.c | 31 ++++++++++++++++--------------- - 1 file changed, 16 insertions(+), 15 deletions(-) - -diff --git a/tree.c b/tree.c -index 6c8a875b..02c1b579 100644 ---- a/tree.c -+++ b/tree.c -@@ -4386,29 +4386,28 @@ xmlNodePtr - xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - xmlNodePtr ret = NULL; - xmlNodePtr p = NULL,q; -+ xmlDtdPtr newSubset = NULL; - - while (node != NULL) { --#ifdef LIBXML_TREE_ENABLED - if (node->type == XML_DTD_NODE ) { -- if (doc == NULL) { -+#ifdef LIBXML_TREE_ENABLED -+ if ((doc == NULL) || (doc->intSubset != NULL)) { - node = node->next; - continue; - } -- if (doc->intSubset == NULL) { -- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); -- if (q == NULL) goto error; -- q->doc = doc; -- q->parent = parent; -- doc->intSubset = (xmlDtdPtr) q; -- xmlAddChild(parent, q); -- } else { -- q = (xmlNodePtr) doc->intSubset; -- xmlAddChild(parent, q); -- } -- } else -+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); -+ if (q == NULL) goto error; -+ q->doc = doc; -+ q->parent = parent; -+ newSubset = (xmlDtdPtr) q; -+#else -+ node = node->next; -+ continue; - #endif /* LIBXML_TREE_ENABLED */ -+ } else { - q = xmlStaticCopyNode(node, doc, parent, 1); -- if (q == NULL) goto error; -+ if (q == NULL) goto error; -+ } - if (ret == NULL) { - q->prev = NULL; - ret = p = q; -@@ -4420,6 +4419,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - } - node = node->next; - } -+ if (newSubset != NULL) -+ doc->intSubset = newSubset; - return(ret); - error: - xmlFreeNodeList(ret); --- -2.27.0 - diff --git a/backport-Correctly-relocate-internal-pointers-after-realloc.patch b/backport-Correctly-relocate-internal-pointers-after-realloc.patch deleted file mode 100644 index 17a7f98a64fa4c67cf9524c2b6a6060706fa3cd0..0000000000000000000000000000000000000000 --- a/backport-Correctly-relocate-internal-pointers-after-realloc.patch +++ /dev/null @@ -1,42 +0,0 @@ -From d038d7177668030f0c54fa1772d3f174cf6527f1 Mon Sep 17 00:00:00 2001 -From: Alex Richardson -Date: Thu, 1 Dec 2022 12:58:11 +0000 -Subject: [PATCH 26/28] Correctly relocate internal pointers after realloc() - -Adding an offset to a deallocated pointer and assuming that it can be -dereferenced is undefined behaviour. When running libxml2 on CHERI-enabled -systems such as Arm Morello this results in the creation of an out-of-bounds -pointer that cannot be dereferenced and therefore crashes at runtime. - -The effect of this UB is not just limited to architectures such as CHERI, -incorrect relocation of pointers after realloc can in fact cause -FORTIFY_SOURCE errors with recent GCC: -https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level - -Reference: https://github.com/GNOME/libxml2/commit/c62c0d82ccacc2000c45f211166f008687fb97a0 -Conflict: NA ---- - parser.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/parser.c b/parser.c -index 9d50138..adc449c 100644 ---- a/parser.c -+++ b/parser.c -@@ -9514,10 +9514,10 @@ next_attr: - * Arithmetic on dangling pointers is technically undefined - * behavior, but well... - */ -- ptrdiff_t offset = ctxt->input->base - atts[i+2]; -+ const xmlChar *old = atts[i+2]; - atts[i+2] = NULL; /* Reset repurposed namespace URI */ -- atts[i+3] += offset; /* value */ -- atts[i+4] += offset; /* valuend */ -+ atts[i+3] = ctxt->input->base + (atts[i+3] - old); /* value */ -+ atts[i+4] = ctxt->input->base + (atts[i+4] - old); /* valuend */ - } - } - --- -2.27.0 - diff --git a/backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch b/backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch deleted file mode 100644 index 59198749c0cf866c2b4a0517a2cfc4043fe7b93c..0000000000000000000000000000000000000000 --- a/backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch +++ /dev/null @@ -1,56 +0,0 @@ -From b1b654171e44dba90bbc6836ca05dd4e1161b4b0 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 20 Aug 2022 15:15:04 +0200 -Subject: [PATCH] Create stream with buffer in xmlNewStringInputStream - -Create an input stream with a buffer in xmlNewStringInputStream. -Otherwise, switching encodings won't work. - -See #34. -Reference:https://github.com/GNOME/libxml2/commit/b1b654171e44dba90bbc6836ca05dd4e1161b4b0 -Conflict:NA ---- - parserInternals.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/parserInternals.c b/parserInternals.c -index d68592f..6ef7671 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -1465,6 +1465,7 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) { - xmlParserInputPtr - xmlNewStringInputStream(xmlParserCtxtPtr ctxt, const xmlChar *buffer) { - xmlParserInputPtr input; -+ xmlParserInputBufferPtr buf; - - if (buffer == NULL) { - xmlErrInternal(ctxt, "xmlNewStringInputStream string = NULL\n", -@@ -1474,15 +1475,21 @@ xmlNewStringInputStream(xmlParserCtxtPtr ctxt, const xmlChar *buffer) { - if (xmlParserDebugEntities) - xmlGenericError(xmlGenericErrorContext, - "new fixed input: %.30s\n", buffer); -+ buf = xmlParserInputBufferCreateMem((const char *) buffer, -+ strlen((const char *) buffer), -+ XML_CHAR_ENCODING_NONE); -+ if (buf == NULL) { -+ xmlErrMemory(ctxt, NULL); -+ return(NULL); -+ } - input = xmlNewInputStream(ctxt); - if (input == NULL) { - xmlErrMemory(ctxt, "couldn't allocate a new input stream\n"); -+ xmlFreeParserInputBuffer(buf); - return(NULL); - } -- input->base = buffer; -- input->cur = buffer; -- input->length = xmlStrlen(buffer); -- input->end = &buffer[input->length]; -+ input->buf = buf; -+ xmlBufResetInput(input->buf->buffer, input); - return(input); - } - --- -2.27.0 - diff --git a/backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch b/backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch deleted file mode 100644 index 6d8f0a2c6133fd94782e2056b2f5ef8739f4c50f..0000000000000000000000000000000000000000 --- a/backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 80bd34c3c650bd68e3c9c3e2308ac1988067ad50 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 22 Aug 2022 14:06:37 +0200 -Subject: [PATCH] Don't initialize SAX handler in htmlReadMemory - -The SAX handler is already initialized when creating the parser -context. -Reference:https://github.com/GNOME/libxml2/commit/80bd34c3c650bd68e3c9c3e2308ac1988067ad50 -Conflict:NA ---- - HTMLparser.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index c6b2183..e95d86b 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -6980,9 +6980,6 @@ htmlReadMemory(const char *buffer, int size, const char *URL, const char *encodi - ctxt = htmlCreateMemoryParserCtxt(buffer, size); - if (ctxt == NULL) - return (NULL); -- htmlDefaultSAXHandlerInit(); -- if (ctxt->sax != NULL) -- memcpy(ctxt->sax, &htmlDefaultSAXHandler, sizeof(xmlSAXHandlerV1)); - return (htmlDoRead(ctxt, URL, encoding, options, 0)); - } - --- -2.27.0 - diff --git a/backport-Don-t-reset-nsDef-when-changing-node-content.patch b/backport-Don-t-reset-nsDef-when-changing-node-content.patch deleted file mode 100644 index 168045fb0ef51334ddd6618057c28cdfe9bfc688..0000000000000000000000000000000000000000 --- a/backport-Don-t-reset-nsDef-when-changing-node-content.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a17a1f564eaac42d6db561c639b5d2461884e829 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 18 May 2022 02:17:31 +0200 -Subject: [PATCH] Don't reset nsDef when changing node content - -nsDef is only used for element nodes. - -Reference:https://github.com/GNOME/libxml2/commit/a17a1f564eaac42d6db561c639b5d2461884e829 -Conflict:NA - ---- - tree.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/tree.c b/tree.c -index fe6f54a..84da156 100644 ---- a/tree.c -+++ b/tree.c -@@ -5721,7 +5721,6 @@ xmlNodeSetContent(xmlNodePtr cur, const xmlChar *content) { - } else - cur->content = NULL; - cur->properties = NULL; -- cur->nsDef = NULL; - break; - case XML_DOCUMENT_NODE: - case XML_HTML_DOCUMENT_NODE: -@@ -5799,7 +5798,6 @@ xmlNodeSetContentLen(xmlNodePtr cur, const xmlChar *content, int len) { - } else - cur->content = NULL; - cur->properties = NULL; -- cur->nsDef = NULL; - break; - case XML_DOCUMENT_NODE: - case XML_DTD_NODE: -@@ -5878,7 +5876,6 @@ xmlNodeAddContentLen(xmlNodePtr cur, const xmlChar *content, int len) { - xmlDictOwns(cur->doc->dict, cur->content))) { - cur->content = xmlStrncatNew(cur->content, content, len); - cur->properties = NULL; -- cur->nsDef = NULL; - } else { - cur->content = xmlStrncat(cur->content, content, len); - } --- -2.27.0 - diff --git a/backport-Fix-HTML-parser-with-threads-and-without-legacy.patch b/backport-Fix-HTML-parser-with-threads-and-without-legacy.patch deleted file mode 100644 index 619d4bec30735fe107dbb98662c180c4b72a4b12..0000000000000000000000000000000000000000 --- a/backport-Fix-HTML-parser-with-threads-and-without-legacy.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 38f04779f7afd758db6210123ec0b64c489595c5 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 22 Aug 2022 13:33:35 +0200 -Subject: [PATCH] Fix HTML parser with threads and --without-legacy - -If the legacy functions are disabled, the default "V1" HTML SAX handler -isn't initialized in threads other than the main thread. -htmlInitParserCtxt would later use the empty V1 SAX handler, resulting -in NULL documents. - -Change htmlInitParserCtxt to initialize the HTML SAX handler by calling -xmlSAX2InitHtmlDefaultSAXHandler. This removes the ability to change the -default handler but is more in line with the XML parser which -initializes the SAX handler by calling xmlSAXVersion, ignoring the V1 -default handler. - -Fixes #399. -Reference:https://github.com/GNOME/libxml2/commit/38f04779f7afd758db6210123ec0b64c489595c5 -Conflict:NA ---- - HTMLparser.c | 11 ++++------- - 1 file changed, 4 insertions(+), 7 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index e95d86b..98d73f3 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -5039,8 +5039,7 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt) - htmlErrMemory(NULL, "htmlInitParserCtxt: out of memory\n"); - return(-1); - } -- else -- memset(sax, 0, sizeof(htmlSAXHandler)); -+ memset(sax, 0, sizeof(htmlSAXHandler)); - - /* Allocate the Input stack */ - ctxt->inputTab = (htmlParserInputPtr *) -@@ -5099,11 +5098,9 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt) - ctxt->nodeInfoNr = 0; - ctxt->nodeInfoMax = 0; - -- if (sax == NULL) ctxt->sax = (xmlSAXHandlerPtr) &htmlDefaultSAXHandler; -- else { -- ctxt->sax = sax; -- memcpy(sax, &htmlDefaultSAXHandler, sizeof(xmlSAXHandlerV1)); -- } -+ ctxt->sax = sax; -+ xmlSAX2InitHtmlDefaultSAXHandler(sax); -+ - ctxt->userData = ctxt; - ctxt->myDoc = NULL; - ctxt->wellFormed = 1; --- -2.27.0 - diff --git a/backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch b/backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch deleted file mode 100644 index eeafeacb5eebda15c413cb33d2ae76e38433b2f4..0000000000000000000000000000000000000000 --- a/backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 37cedc0b1563e5e312a924ac07168722a4e768d8 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 22 Aug 2022 14:04:07 +0200 -Subject: [PATCH] Fix htmlReadMemory mixing up XML and HTML functions - -Also see fe6890e2. -Reference:https://github.com/GNOME/libxml2/commit/37cedc0b1563e5e312a924ac07168722a4e768d8 -Conflict:NA ---- - HTMLparser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index e720bb2..c6b2183 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -6977,7 +6977,7 @@ htmlReadMemory(const char *buffer, int size, const char *URL, const char *encodi - htmlParserCtxtPtr ctxt; - - xmlInitParser(); -- ctxt = xmlCreateMemoryParserCtxt(buffer, size); -+ ctxt = htmlCreateMemoryParserCtxt(buffer, size); - if (ctxt == NULL) - return (NULL); - htmlDefaultSAXHandlerInit(); --- -2.27.0 - diff --git a/backport-Fix-integer-overflow-in-xmlBufferDump.patch b/backport-Fix-integer-overflow-in-xmlBufferDump.patch deleted file mode 100644 index 0e6db8829a2d774ae439a72e78ed8e2a98518210..0000000000000000000000000000000000000000 --- a/backport-Fix-integer-overflow-in-xmlBufferDump.patch +++ /dev/null @@ -1,41 +0,0 @@ -From a6df42e649acacb55be832222d1f3f50c66720ff Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Sat, 28 May 2022 08:08:29 -0700 -Subject: [PATCH 296/300] Fix integer overflow in xmlBufferDump() - -* tree.c: -(xmlBufferDump): -- Cap the return value to INT_MAX. - -Reference:https://github.com/GNOME/libxml2/commit/a6df42e649acacb55be832222d1f3f50c66720ff -Conflict:NA - ---- - tree.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tree.c b/tree.c -index 0cf2483..3dff195 100644 ---- a/tree.c -+++ b/tree.c -@@ -7380,7 +7380,7 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { - */ - int - xmlBufferDump(FILE *file, xmlBufferPtr buf) { -- int ret; -+ size_t ret; - - if (buf == NULL) { - #ifdef DEBUG_BUFFER -@@ -7399,7 +7399,7 @@ xmlBufferDump(FILE *file, xmlBufferPtr buf) { - if (file == NULL) - file = stdout; - ret = fwrite(buf->content, sizeof(xmlChar), buf->use, file); -- return(ret); -+ return(ret > INT_MAX ? INT_MAX : (int)ret); - } - - /** --- -2.27.0 - diff --git a/backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch b/backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch deleted file mode 100644 index 0384499e2c32aae0eda2d19525ecb821b0f3d461..0000000000000000000000000000000000000000 --- a/backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch +++ /dev/null @@ -1,33 +0,0 @@ -From ca2c91f139426f63646292da58a15a1511dccc0f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 28 Jun 2022 19:24:14 +0200 -Subject: [PATCH] Fix memory leak in xmlLoadEntityContent error path - -Free the input stream if pushing it fails. - -Found by OSS-Fuzz. - -https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43743 - -Reference:https://github.com/GNOME/libxml2/commit/ca2c91f139426f63646292da58a15a1511dccc0f -Conflict:NA - ---- - parser.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/parser.c b/parser.c -index d8225bd..dd507c0 100644 ---- a/parser.c -+++ b/parser.c -@@ -8102,6 +8102,7 @@ xmlLoadEntityContent(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) { - */ - if (xmlPushInput(ctxt, input) < 0) { - xmlBufferFree(buf); -+ xmlFreeInputStream(input); - return(-1); - } - --- -2.27.0 - diff --git a/backport-Fix-memory-leak-with-invalid-XSD.patch b/backport-Fix-memory-leak-with-invalid-XSD.patch deleted file mode 100644 index 55359ef042fd653f97535232255fc58c35d770d0..0000000000000000000000000000000000000000 --- a/backport-Fix-memory-leak-with-invalid-XSD.patch +++ /dev/null @@ -1,63 +0,0 @@ -From a09c89545d3ed5b56701abcc5d638faa01c5c903 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 15 Aug 2022 12:19:25 +0200 -Subject: [PATCH] Fix memory leak with invalid XSD - -xmlSchemaClearElemInfo can add new items to the "matcher" cache, so the -cache must be cleared after calling this function, not before. This -only seems to affect invalid XSDs. - -Fixes #390. -Reference:https://github.com/GNOME/libxml2/commit/a09c89545d3ed5b56701abcc5d638faa01c5c903 -Conflict:NA ---- - xmlschemas.c | 26 +++++++++++++++----------- - 1 file changed, 15 insertions(+), 11 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 9da4cd1..9aa6acf 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -27830,17 +27830,6 @@ xmlSchemaClearValidCtxt(xmlSchemaValidCtxtPtr vctxt) - } while (cur != NULL); - vctxt->aidcs = NULL; - } -- if (vctxt->idcMatcherCache != NULL) { -- xmlSchemaIDCMatcherPtr matcher = vctxt->idcMatcherCache, tmp; -- -- while (matcher) { -- tmp = matcher; -- matcher = matcher->nextCached; -- xmlSchemaIDCFreeMatcherList(tmp); -- } -- vctxt->idcMatcherCache = NULL; -- } -- - - if (vctxt->idcNodes != NULL) { - int i; -@@ -27907,6 +27896,21 @@ xmlSchemaClearValidCtxt(xmlSchemaValidCtxtPtr vctxt) - xmlFree(vctxt->filename); - vctxt->filename = NULL; - } -+ -+ /* -+ * Note that some cleanup functions can move items to the cache, -+ * so the cache shouldn't be freed too early. -+ */ -+ if (vctxt->idcMatcherCache != NULL) { -+ xmlSchemaIDCMatcherPtr matcher = vctxt->idcMatcherCache, tmp; -+ -+ while (matcher) { -+ tmp = matcher; -+ matcher = matcher->nextCached; -+ xmlSchemaIDCFreeMatcherList(tmp); -+ } -+ vctxt->idcMatcherCache = NULL; -+ } - } - - /** --- -2.27.0 - diff --git a/backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch b/backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch deleted file mode 100644 index d2a4ba4e53217f07332230196f5f6f10582f558a..0000000000000000000000000000000000000000 --- a/backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 4ce2abf6f656b3e78ad40e33191a8b42561c10b0 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Sun, 29 May 2022 09:46:00 -0700 -Subject: [PATCH 299/300] Fix missing NUL terminators in xmlBuf and xmlBuffer - functions - -* buf.c: -(xmlBufAddLen): -- Change check for remaining space to account for the NUL - terminator. When adding a length exactly equal to the number - of unused bytes, a NUL terminator was not written. -(xmlBufResize): -- Set `buf->use` and NUL terminator when allocating a new - buffer. -* tree.c: -(xmlBufferResize): -- Set `buf->use` and NUL terminator when allocating a new - buffer. -(xmlBufferAddHead): -- Set NUL terminator before returning early when shifting - contents. - -Reference:https://github.com/GNOME/libxml2/commit/4ce2abf6f656b3e78ad40e33191a8b42561c10b0 -Conflict:NA ---- - buf.c | 9 ++++----- - tree.c | 3 +++ - 2 files changed, 7 insertions(+), 5 deletions(-) - -diff --git a/buf.c b/buf.c -index f896826..da765f6 100644 ---- a/buf.c -+++ b/buf.c -@@ -613,14 +613,11 @@ xmlBufAddLen(xmlBufPtr buf, size_t len) { - if ((buf == NULL) || (buf->error)) - return(-1); - CHECK_COMPAT(buf) -- if (len > (buf->size - buf->use)) -+ if (len >= (buf->size - buf->use)) - return(-1); - buf->use += len; -+ buf->content[buf->use] = 0; - UPDATE_COMPAT(buf) -- if (buf->size > buf->use) -- buf->content[buf->use] = 0; -- else -- return(-1); - return(0); - } - -@@ -821,6 +818,8 @@ xmlBufResize(xmlBufPtr buf, size_t size) - } else { - if (buf->content == NULL) { - rebuf = (xmlChar *) xmlMallocAtomic(newSize); -+ buf->use = 0; -+ rebuf[buf->use] = 0; - } else if (buf->size - buf->use < 100) { - rebuf = (xmlChar *) xmlRealloc(buf->content, newSize); - } else { -diff --git a/tree.c b/tree.c -index 3dff195..e275671 100644 ---- a/tree.c -+++ b/tree.c -@@ -7529,6 +7529,8 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) - } else { - if (buf->content == NULL) { - rebuf = (xmlChar *) xmlMallocAtomic(newSize); -+ buf->use = 0; -+ rebuf[buf->use] = 0; - } else if (buf->size - buf->use < 100) { - rebuf = (xmlChar *) xmlRealloc(buf->content, newSize); - } else { -@@ -7657,6 +7659,7 @@ xmlBufferAddHead(xmlBufferPtr buf, const xmlChar *str, int len) { - memmove(&buf->content[0], str, len); - buf->use += len; - buf->size += len; -+ buf->content[buf->use] = 0; - return(0); - } - } --- -2.27.0 - - diff --git a/backport-Fix-overflow-check-in-SAX2.c.patch b/backport-Fix-overflow-check-in-SAX2.c.patch deleted file mode 100644 index 4a0f2661b876dd58fb6f89e15bf248fd087c5bcf..0000000000000000000000000000000000000000 --- a/backport-Fix-overflow-check-in-SAX2.c.patch +++ /dev/null @@ -1,63 +0,0 @@ -From f5b31e49bcababb8da09c2697e24d0ba80a261b6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 1 Sep 2022 02:33:16 +0200 -Subject: [PATCH] Fix overflow check in SAX2.c - -Reference:https://github.com/GNOME/libxml2/commit/aeb69fd3575a33eb2ffded18a444d8945bcbd741 -Conflict:SAX2.c ---- - SAX2.c | 24 ++++++++++-------------- - 1 file changed, 10 insertions(+), 14 deletions(-) - -diff --git a/SAX2.c b/SAX2.c -index 0319246..9801393 100644 ---- a/SAX2.c -+++ b/SAX2.c -@@ -28,11 +28,6 @@ - #include - #include - --/* Define SIZE_T_MAX unless defined through . */ --#ifndef SIZE_T_MAX --# define SIZE_T_MAX ((size_t)-1) --#endif /* !SIZE_T_MAX */ -- - /* #define DEBUG_SAX2 */ - /* #define DEBUG_SAX2_TREE */ - -@@ -2576,22 +2571,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len, - xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL"); - return; - } -- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) && -+ if (ctxt->nodelen > INT_MAX - len) { -+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); -+ return; -+ } -+ if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node"); - return; - } -- if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || -- (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) { -- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); -- return; -- } - if (ctxt->nodelen + len >= ctxt->nodemem) { - xmlChar *newbuf; -- size_t size; -+ int size; - -- size = ctxt->nodemem + len; -- size *= 2; -+ size = ctxt->nodemem > INT_MAX - len ? -+ INT_MAX : -+ ctxt->nodemem + len; -+ size = size > INT_MAX / 2 ? INT_MAX : size * 2; - newbuf = (xmlChar *) xmlRealloc(lastChild->content,size); - if (newbuf == NULL) { - xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters"); --- -2.27.0 - diff --git a/backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch b/backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch deleted file mode 100644 index 2b9e66653b9a3a9a2b456cbe022e5a36720624c0..0000000000000000000000000000000000000000 --- a/backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 2464652537fa5f3b89e71c31eed777b42fa64708 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 18 May 2022 02:16:34 +0200 -Subject: [PATCH] Fix unintended fall-through in xmlNodeAddContentLen - -Reference:https://github.com/GNOME/libxml2/commit/2464652537fa5f3b89e71c31eed777b42fa64708 -Conflict:NA - ---- - tree.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/tree.c b/tree.c -index ed0a838..fe6f54a 100644 ---- a/tree.c -+++ b/tree.c -@@ -5879,10 +5879,11 @@ xmlNodeAddContentLen(xmlNodePtr cur, const xmlChar *content, int len) { - cur->content = xmlStrncatNew(cur->content, content, len); - cur->properties = NULL; - cur->nsDef = NULL; -- break; -- } -- cur->content = xmlStrncat(cur->content, content, len); -+ } else { -+ cur->content = xmlStrncat(cur->content, content, len); -+ } - } -+ break; - case XML_DOCUMENT_NODE: - case XML_DTD_NODE: - case XML_HTML_DOCUMENT_NODE: --- -2.27.0 - diff --git a/backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch b/backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch deleted file mode 100644 index 49f06bbdcbb8ebabdd209b4ff75e3e03da0e7d66..0000000000000000000000000000000000000000 --- a/backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch +++ /dev/null @@ -1,115 +0,0 @@ -From c50196c13d348025a4843305902bb37df64bae36 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Sun, 10 Apr 2022 20:02:47 -0700 -Subject: [PATCH 289/300] Fix use-after-free bugs when calling - xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser - -When creating an xmlTextReaderPtr using xmlReaderForMemory(), -there are two optional API functions that can be used: -- xmlTextReaderClose() may be called prior to calling - xmlFreeTextReader() to free parsing resources and close the - xmlTextReaderPtr without freeing it. -- xmlTextReaderCurrentDoc() may be called to return an - xmlDocPtr that's owned by the caller, and must be free using - xmlFreeDoc() after calling xmlFreeTextReader(). - -The use-after-free issues occur when calling -xmlTextReaderClose() before xmlFreeTextReader(), with different -issues occurring depending on whether xmlTextReaderCurrentDoc() -is also called. - -* xmlreader.c: -(xmlFreeTextReader): -- Move code to xmlTextReaderClose(), remove duplicate code, and - call xmlTextReaderClose() if it hasn't been called yet. -(xmlTextReaderClose): -- Move call to xmlFreeNode(reader->faketext) from - xmlFreeTextReader() to fix a use-after-free bug when calling - xmlTextReaderClose() before xmlFreeTextReader(), but not when - using xmlTextReaderCurrentDoc(). The bug was introduced in - 2002 by commit beb70bd39. In 2009 commit f4653dcd8 fixed the - use-after-free that occurred every time xmlFreeTextReader() - was called, but not the case where xmlTextReaderClose() was - called first. -- Move post-parsing validation code from xmlFreeTextReader() to - fix a second use-after-free when calling xmlTextReaderClose() - before xmlFreeTextReader(). This regressed in v2.9.10 with - commit 57a3af56f. - -Reference:https://github.com/GNOME/libxml2/commit/c50196c13d348025a4843305902bb37df64bae36 -Conflict:NA - ---- - xmlreader.c | 40 ++++++++++++++++++---------------------- - 1 file changed, 18 insertions(+), 22 deletions(-) - -diff --git a/xmlreader.c b/xmlreader.c -index 72e40b0..989b7c1 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -2319,36 +2319,16 @@ xmlFreeTextReader(xmlTextReaderPtr reader) { - xmlFree(reader->patternTab); - } - #endif -- if (reader->faketext != NULL) { -- xmlFreeNode(reader->faketext); -- } -+ if (reader->mode != XML_TEXTREADER_MODE_CLOSED) -+ xmlTextReaderClose(reader); - if (reader->ctxt != NULL) { - if (reader->dict == reader->ctxt->dict) - reader->dict = NULL; --#ifdef LIBXML_VALID_ENABLED -- if ((reader->ctxt->vctxt.vstateTab != NULL) && -- (reader->ctxt->vctxt.vstateMax > 0)){ --#ifdef LIBXML_REGEXP_ENABLED -- while (reader->ctxt->vctxt.vstateNr > 0) -- xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL); --#endif /* LIBXML_REGEXP_ENABLED */ -- xmlFree(reader->ctxt->vctxt.vstateTab); -- reader->ctxt->vctxt.vstateTab = NULL; -- reader->ctxt->vctxt.vstateMax = 0; -- } --#endif /* LIBXML_VALID_ENABLED */ -- if (reader->ctxt->myDoc != NULL) { -- if (reader->preserve == 0) -- xmlTextReaderFreeDoc(reader, reader->ctxt->myDoc); -- reader->ctxt->myDoc = NULL; -- } - if (reader->allocs & XML_TEXTREADER_CTXT) - xmlFreeParserCtxt(reader->ctxt); - } - if (reader->sax != NULL) - xmlFree(reader->sax); -- if ((reader->input != NULL) && (reader->allocs & XML_TEXTREADER_INPUT)) -- xmlFreeParserInputBuffer(reader->input); - if (reader->buffer != NULL) - xmlBufFree(reader->buffer); - if (reader->entTab != NULL) -@@ -2379,7 +2359,23 @@ xmlTextReaderClose(xmlTextReaderPtr reader) { - reader->node = NULL; - reader->curnode = NULL; - reader->mode = XML_TEXTREADER_MODE_CLOSED; -+ if (reader->faketext != NULL) { -+ xmlFreeNode(reader->faketext); -+ reader->faketext = NULL; -+ } - if (reader->ctxt != NULL) { -+#ifdef LIBXML_VALID_ENABLED -+ if ((reader->ctxt->vctxt.vstateTab != NULL) && -+ (reader->ctxt->vctxt.vstateMax > 0)){ -+#ifdef LIBXML_REGEXP_ENABLED -+ while (reader->ctxt->vctxt.vstateNr > 0) -+ xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL); -+#endif /* LIBXML_REGEXP_ENABLED */ -+ xmlFree(reader->ctxt->vctxt.vstateTab); -+ reader->ctxt->vctxt.vstateTab = NULL; -+ reader->ctxt->vctxt.vstateMax = 0; -+ } -+#endif /* LIBXML_VALID_ENABLED */ - xmlStopParser(reader->ctxt); - if (reader->ctxt->myDoc != NULL) { - if (reader->preserve == 0) --- -2.27.0 - diff --git a/backport-Fix-use-after-free-in-xmlParseContentInternal.patch b/backport-Fix-use-after-free-in-xmlParseContentInternal.patch deleted file mode 100644 index e82c49c27f2d10b28043b59bebaf397b114bb258..0000000000000000000000000000000000000000 --- a/backport-Fix-use-after-free-in-xmlParseContentInternal.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 86105c0493f19ef8e1dd21ab5099613159224b4d Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Sat, 15 Apr 2023 18:04:03 -0700 -Subject: [PATCH] Fix use-after-free in xmlParseContentInternal() - -* parser.c: -(xmlParseCharData): -- Check if the parser has stopped before advancing - `ctxt->input->cur`. This only occurs if a custom SAX error - handler calls xmlStopParser() on fatal errors. - -Fixes #518. - -Reference:https://github.com/GNOME/libxml2/commit/86105c0493f19ef8e1dd21ab5099613159224b4d -Conflict:parser.c - ---- - parser.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index f9b4012..ccddf07 100644 ---- a/parser.c -+++ b/parser.c -@@ -4504,7 +4504,8 @@ get_more: - if (*in == ']') { - if ((in[1] == ']') && (in[2] == '>')) { - xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL); -- ctxt->input->cur = in + 1; -+ if (ctxt->instate != XML_PARSER_EOF) -+ ctxt->input->cur = in + 1; - return; - } - in++; --- -2.27.0 - diff --git a/backport-Fix-xmlCtxtReadDoc-with-encoding.patch b/backport-Fix-xmlCtxtReadDoc-with-encoding.patch deleted file mode 100644 index 1cf13904345725ca907722b9aa861a67116cbd3d..0000000000000000000000000000000000000000 --- a/backport-Fix-xmlCtxtReadDoc-with-encoding.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 4ad71c2d72beef0d10cf75aa417db10d77846f75 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 20 Aug 2022 16:19:34 +0200 -Subject: [PATCH] Fix xmlCtxtReadDoc with encoding - -xmlCtxtReadDoc used to create an input stream involving -xmlNewStringInputStream. This would create a stream without an input -buffer, causing problems with encodings (see #34). - -After commit aab584dc3, an error was returned even with UTF-8 encodings -which happened to work before. - -Make xmlCtxtReadDoc call xmlCtxtReadMemory which doesn't suffer from -these issues. Also fix htmlCtxtReadDoc. - -Fixes #397. -Reference:https://github.com/GNOME/libxml2/commit/4ad71c2d72beef0d10cf75aa417db10d77846f75 -Conflict:NA ---- - HTMLparser.c | 17 ++++------------- - parser.c | 16 +++------------- - 2 files changed, 7 insertions(+), 26 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 98d73f3..a4168f3 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -7087,22 +7087,13 @@ htmlDocPtr - htmlCtxtReadDoc(htmlParserCtxtPtr ctxt, const xmlChar * cur, - const char *URL, const char *encoding, int options) - { -- xmlParserInputPtr stream; -+ const char *buf; - - if (cur == NULL) - return (NULL); -- if (ctxt == NULL) -- return (NULL); -- xmlInitParser(); -- -- htmlCtxtReset(ctxt); -- -- stream = xmlNewStringInputStream(ctxt, cur); -- if (stream == NULL) { -- return (NULL); -- } -- inputPush(ctxt, stream); -- return (htmlDoRead(ctxt, URL, encoding, options, 1)); -+ buf = (const char *) cur; -+ return (htmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, -+ options)); - } - - /** -diff --git a/parser.c b/parser.c -index 6b04bbf..fbeb7af 100644 ---- a/parser.c -+++ b/parser.c -@@ -15374,22 +15374,12 @@ xmlDocPtr - xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur, - const char *URL, const char *encoding, int options) - { -- xmlParserInputPtr stream; -+ const char *buf; - - if (cur == NULL) - return (NULL); -- if (ctxt == NULL) -- return (NULL); -- xmlInitParser(); -- -- xmlCtxtReset(ctxt); -- -- stream = xmlNewStringInputStream(ctxt, cur); -- if (stream == NULL) { -- return (NULL); -- } -- inputPush(ctxt, stream); -- return (xmlDoRead(ctxt, URL, encoding, options, 1)); -+ buf = (const char *) cur; -+ return (xmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, options)); - } - - /** --- -2.27.0 - diff --git a/backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch b/backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch deleted file mode 100644 index 7729cde6c4251f23321f2b62e914328d67d16637..0000000000000000000000000000000000000000 --- a/backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 677a42645ef22b5a50741bad5facf9d8a8bc6d21 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 28 Jul 2022 20:21:24 +0200 -Subject: [PATCH] Make XPath depth check work with recursive invocations - -EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval -recursively. Don't set depth to zero but keep and restore the original -value to avoid stack overflows when abusing these functions. - -Reference:https://github.com/GNOME/libxml2/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21 -Conflict:NA ---- - xpath.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - -diff --git a/xpath.c b/xpath.c -index e79dcec..85d7919 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -13883,12 +13883,11 @@ static int - xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) - { - xmlXPathCompExprPtr comp; -+ int oldDepth; - - if ((ctxt == NULL) || (ctxt->comp == NULL)) - return(-1); - -- ctxt->context->depth = 0; -- - if (ctxt->valueTab == NULL) { - /* Allocate the value stack */ - ctxt->valueTab = (xmlXPathObjectPtr *) -@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) - "xmlXPathRunEval: last is less than zero\n"); - return(-1); - } -+ oldDepth = ctxt->context->depth; - if (toBool) - return(xmlXPathCompOpEvalToBoolean(ctxt, - &comp->steps[comp->last], 0)); - else - xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]); -+ ctxt->context->depth = oldDepth; - - return(0); - } -@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr - xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { - xmlXPathParserContextPtr pctxt; - xmlXPathCompExprPtr comp; -+ int oldDepth = 0; - - #ifdef XPATH_STREAMING - comp = xmlXPathTryStreamCompile(ctxt, str); -@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { - if (pctxt == NULL) - return NULL; - if (ctxt != NULL) -- ctxt->depth = 0; -+ oldDepth = ctxt->depth; - xmlXPathCompileExpr(pctxt, 1); -+ if (ctxt != NULL) -+ ctxt->depth = oldDepth; - - if( pctxt->error != XPATH_EXPRESSION_OK ) - { -@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { - comp = pctxt->comp; - if ((comp->nbStep > 1) && (comp->last >= 0)) { - if (ctxt != NULL) -- ctxt->depth = 0; -+ oldDepth = ctxt->depth; - xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]); -+ if (ctxt != NULL) -+ ctxt->depth = oldDepth; - } - pctxt->comp = NULL; - } -@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { - #ifdef XPATH_STREAMING - xmlXPathCompExprPtr comp; - #endif -+ int oldDepth = 0; - - if (ctxt == NULL) return; - -@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { - #endif - { - if (ctxt->context != NULL) -- ctxt->context->depth = 0; -+ oldDepth = ctxt->context->depth; - xmlXPathCompileExpr(ctxt, 1); -+ if (ctxt->context != NULL) -+ ctxt->context->depth = oldDepth; - CHECK_ERROR; - - /* Check for trailing characters. */ -@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { - - if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) { - if (ctxt->context != NULL) -- ctxt->context->depth = 0; -+ oldDepth = ctxt->context->depth; - xmlXPathOptimizeExpression(ctxt, - &ctxt->comp->steps[ctxt->comp->last]); -+ if (ctxt->context != NULL) -+ ctxt->context->depth = oldDepth; - } - } - --- -2.27.0 - diff --git a/backport-Properly-fold-whitespace-around-the-QName-value-when.patch b/backport-Properly-fold-whitespace-around-the-QName-value-when.patch deleted file mode 100644 index d5f344fcac1a2b827ba9d60e32395bbc34c105dc..0000000000000000000000000000000000000000 --- a/backport-Properly-fold-whitespace-around-the-QName-value-when.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 2fe372a0aa2cdeb5cf518cf430defba36647c502 Mon Sep 17 00:00:00 2001 -From: Damjan Jovanovic -Date: Sat, 21 Aug 2021 07:21:50 +0200 -Subject: [PATCH] Properly fold whitespace around the QName value when - validating an XSD schema. - -(May also need fixing in other places.) - -Issue: 239 - -Conflict:NA -Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/2fe372a0aa2cdeb5cf518cf430defba36647c502 - ---- - xmlschemas.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 2da962b..9da4cd1 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -24645,6 +24645,7 @@ xmlSchemaValidateQName(xmlSchemaValidCtxtPtr vctxt, - int valNeeded) - { - int ret; -+ xmlChar *stripped; - const xmlChar *nsName; - xmlChar *local, *prefix = NULL; - -@@ -24661,7 +24662,10 @@ xmlSchemaValidateQName(xmlSchemaValidCtxtPtr vctxt, - * NOTE: xmlSplitQName2 will always return a duplicated - * strings. - */ -- local = xmlSplitQName2(value, &prefix); -+ /* TODO: Export and use xmlSchemaStrip instead */ -+ stripped = xmlSchemaCollapseString(value); -+ local = xmlSplitQName2(stripped ? stripped : value, &prefix); -+ xmlFree(stripped); - if (local == NULL) - local = xmlStrdup(value); - /* --- -2.27.0 - diff --git a/backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch b/backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch deleted file mode 100644 index ed0a2105a24377431328413f252f2d6e7802ae68..0000000000000000000000000000000000000000 --- a/backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch +++ /dev/null @@ -1,153 +0,0 @@ -From 6ef16dee7ac8af32b8a0dd793445b1148e240364 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Fri, 13 May 2022 14:43:33 -0700 -Subject: [PATCH 300/300] Reserve byte for NUL terminator and report errors - consistently in xmlBuf and xmlBuffer - -This is a follow-up to commit 6c283d83. - -* buf.c: -(xmlBufGrowInternal): -- Call xmlBufMemoryError() when the buffer size would overflow. -- Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH. -- Do not include NUL terminator byte when returning length. -(xmlBufAdd): -- Call xmlBufMemoryError() when the buffer size would overflow. - -* tree.c: -(xmlBufferGrow): -- Call xmlTreeErrMemory() when the buffer size would overflow. -- Do not include NUL terminator byte when returning length. -(xmlBufferResize): -- Update error message in xmlTreeErrMemory() to be consistent - with other similar messages. -(xmlBufferAdd): -- Call xmlTreeErrMemory() when the buffer size would overflow. -(xmlBufferAddHead): -- Add overflow checks similar to those in xmlBufferAdd(). - -Reference:https://github.com/GNOME/libxml2/commit/6ef16dee7ac8af32b8a0dd793445b1148e240364 -Conflict:NA - ---- - buf.c | 15 ++++++++++----- - tree.c | 22 ++++++++++++++++------ - 2 files changed, 26 insertions(+), 11 deletions(-) - -diff --git a/buf.c b/buf.c -index da765f6..e851364 100644 ---- a/buf.c -+++ b/buf.c -@@ -440,9 +440,11 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); - if (len < buf->size - buf->use) -- return(buf->size - buf->use); -- if (len > SIZE_MAX - buf->use) -+ return(buf->size - buf->use - 1); -+ if (len >= SIZE_MAX - buf->use) { -+ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX"); - return(0); -+ } - - if (buf->size > (size_t) len) { - size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2; -@@ -455,7 +457,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - /* - * Used to provide parsing limits - */ -- if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || -+ if ((buf->use + len + 1 >= XML_MAX_TEXT_LENGTH) || - (buf->size >= XML_MAX_TEXT_LENGTH)) { - xmlBufMemoryError(buf, "buffer error: text too long\n"); - return(0); -@@ -483,7 +485,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { - } - buf->size = size; - UPDATE_COMPAT(buf) -- return(buf->size - buf->use); -+ return(buf->size - buf->use - 1); - } - - /** -@@ -883,9 +885,12 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { - if (len < 0) return -1; - if (len == 0) return 0; - -+ /* Note that both buf->size and buf->use can be zero here. */ - if ((size_t) len >= buf->size - buf->use) { -- if ((size_t) len >= SIZE_MAX - buf->use) -+ if ((size_t) len >= SIZE_MAX - buf->use) { -+ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX"); - return(-1); -+ } - needSize = buf->use + len + 1; - if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { - /* -diff --git a/tree.c b/tree.c -index e275671..ed0a838 100644 ---- a/tree.c -+++ b/tree.c -@@ -7338,8 +7338,10 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { - if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); - if (len < buf->size - buf->use) - return(0); -- if (len > UINT_MAX - buf->use) -+ if (len >= UINT_MAX - buf->use) { -+ xmlTreeErrMemory("growing buffer past UINT_MAX"); - return(-1); -+ } - - if (buf->size > (size_t) len) { - size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2; -@@ -7367,7 +7369,7 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { - buf->content = newbuf; - } - buf->size = size; -- return(buf->size - buf->use); -+ return(buf->size - buf->use - 1); - } - - /** -@@ -7464,7 +7466,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) - return 1; - - if (size > UINT_MAX - 10) { -- xmlTreeErrMemory("growing buffer"); -+ xmlTreeErrMemory("growing buffer past UINT_MAX"); - return 0; - } - -@@ -7592,9 +7594,12 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) { - if (len < 0) return -1; - if (len == 0) return 0; - -+ /* Note that both buf->size and buf->use can be zero here. */ - if ((unsigned) len >= buf->size - buf->use) { -- if ((unsigned) len >= UINT_MAX - buf->use) -+ if ((unsigned) len >= UINT_MAX - buf->use) { -+ xmlTreeErrMemory("growing buffer past UINT_MAX"); - return XML_ERR_NO_MEMORY; -+ } - needSize = buf->use + len + 1; - if (!xmlBufferResize(buf, needSize)){ - xmlTreeErrMemory("growing buffer"); -@@ -7663,8 +7668,13 @@ xmlBufferAddHead(xmlBufferPtr buf, const xmlChar *str, int len) { - return(0); - } - } -- needSize = buf->use + len + 2; -- if (needSize > buf->size){ -+ /* Note that both buf->size and buf->use can be zero here. */ -+ if ((unsigned) len >= buf->size - buf->use) { -+ if ((unsigned) len >= UINT_MAX - buf->use) { -+ xmlTreeErrMemory("growing buffer past UINT_MAX"); -+ return(-1); -+ } -+ needSize = buf->use + len + 1; - if (!xmlBufferResize(buf, needSize)){ - xmlTreeErrMemory("growing buffer"); - return XML_ERR_NO_MEMORY; --- -2.27.0 - diff --git a/backport-Reset-nsNr-in-xmlCtxtReset.patch b/backport-Reset-nsNr-in-xmlCtxtReset.patch deleted file mode 100644 index 0baf4784de450ad48c6f761e2deb71739f9309ef..0000000000000000000000000000000000000000 --- a/backport-Reset-nsNr-in-xmlCtxtReset.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 5930fe01963136ab92125feec0c6204d9c9225dc Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 18 Jul 2022 20:59:45 +0200 -Subject: [PATCH] Reset nsNr in xmlCtxtReset - -Reference:https://github.com/GNOME/libxml2/commit/5930fe01963136ab92125feec0c6204d9c9225dc -Conflict:NA - ---- - parser.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/parser.c b/parser.c -index dd507c0..6b04bbf 100644 ---- a/parser.c -+++ b/parser.c -@@ -14835,6 +14835,8 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt) - ctxt->nameNr = 0; - ctxt->name = NULL; - -+ ctxt->nsNr = 0; -+ - DICT_FREE(ctxt->version); - ctxt->version = NULL; - DICT_FREE(ctxt->encoding); --- -2.27.0 - diff --git a/backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch b/backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch deleted file mode 100644 index 2c1cd5d505cf7d24aa1ce79a2b7016e1a5fb0f6b..0000000000000000000000000000000000000000 --- a/backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 054e46b097524d3808fdc0815b64e14beb2baaf9 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Sat, 14 May 2022 08:48:01 -0700 -Subject: [PATCH 288/300] Restore behavior of htmlDocContentDumpFormatOutput() - -Patch by J Pascoe of Apple. - -* HTMLtree.c: -(htmlDocContentDumpFormatOutput): -- Prior to commit b79ab6e6d92, xmlDoc.type was set to - XML_HTML_DOCUMENT_NODE before dumping the HTML output, then - restored before returning. - -Reference:https://github.com/GNOME/libxml2/commit/054e46b097524d3808fdc0815b64e14beb2baaf9 -Conflict:NA - ---- - HTMLtree.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/HTMLtree.c b/HTMLtree.c -index 7a2b855..2e9fc57 100644 ---- a/HTMLtree.c -+++ b/HTMLtree.c -@@ -992,7 +992,14 @@ void - htmlDocContentDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr cur, - const char *encoding ATTRIBUTE_UNUSED, - int format) { -+ int type = 0; -+ if (cur) { -+ type = cur->type; -+ cur->type = XML_HTML_DOCUMENT_NODE; -+ } - htmlNodeDumpFormatOutput(buf, cur, (xmlNodePtr) cur, NULL, format); -+ if (cur) -+ cur->type = (xmlElementType) type; - } - - /** --- -2.27.0 - diff --git a/backport-Revert-uri-Allow-port-without-host.patch b/backport-Revert-uri-Allow-port-without-host.patch deleted file mode 100644 index 7c79435f6c48132e7e19a495e6457c36a451b42f..0000000000000000000000000000000000000000 --- a/backport-Revert-uri-Allow-port-without-host.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 8ed40c621b33b44c26e90505b9de1c92080c4a8e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 13 Dec 2022 00:51:33 +0100 -Subject: [PATCH] Revert "uri: Allow port without host" - -This reverts commit f30adb54f55e4e765d58195163f2a21f7ac759fb. - -Fixes #460. - -Reference:https://github.com/GNOME/libxml2/commit/8ed40c621b33b44c26e90505b9de1c92080c4a8e -Conflict:NA ---- - uri.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/uri.c b/uri.c -index 79dc48b..ccc26aa 100644 ---- a/uri.c -+++ b/uri.c -@@ -768,6 +768,8 @@ xmlParse3986HierPart(xmlURIPtr uri, const char **str) - cur += 2; - ret = xmlParse3986Authority(uri, &cur); - if (ret != 0) return(ret); -+ if (uri->server == NULL) -+ uri->port = -1; - ret = xmlParse3986PathAbEmpty(uri, &cur); - if (ret != 0) return(ret); - *str = cur; --- -2.27.0 - diff --git a/backport-SAX-Always-initialize-SAX1-element-handlers.patch b/backport-SAX-Always-initialize-SAX1-element-handlers.patch deleted file mode 100644 index ec99681699035c24238ae621ad33d43d5366ead4..0000000000000000000000000000000000000000 --- a/backport-SAX-Always-initialize-SAX1-element-handlers.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 8 May 2023 17:58:02 +0200 -Subject: [PATCH] SAX: Always initialize SAX1 element handlers - -Follow-up to commit d0c3f01e. A parser context will be initialized to -SAX version 2, but this can be overridden with XML_PARSE_SAX1 later, -so we must initialize the SAX1 element handlers as well. - -Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so -we don't switch to SAX1 if the SAX2 element handlers are NULL. ---- - SAX2.c | 11 +++++++---- - parser.c | 5 +---- - 2 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/SAX2.c b/SAX2.c -index b6be1a6c4..910193892 100644 ---- a/SAX2.c -+++ b/SAX2.c -@@ -2874,20 +2874,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version) - { - if (hdlr == NULL) return(-1); - if (version == 2) { -- hdlr->startElement = NULL; -- hdlr->endElement = NULL; - hdlr->startElementNs = xmlSAX2StartElementNs; - hdlr->endElementNs = xmlSAX2EndElementNs; - hdlr->serror = NULL; - hdlr->initialized = XML_SAX2_MAGIC; - #ifdef LIBXML_SAX1_ENABLED - } else if (version == 1) { -- hdlr->startElement = xmlSAX2StartElement; -- hdlr->endElement = xmlSAX2EndElement; - hdlr->initialized = 1; - #endif /* LIBXML_SAX1_ENABLED */ - } else - return(-1); -+#ifdef LIBXML_SAX1_ENABLED -+ hdlr->startElement = xmlSAX2StartElement; -+ hdlr->endElement = xmlSAX2EndElement; -+#else -+ hdlr->startElement = NULL; -+ hdlr->endElement = NULL; -+#endif /* LIBXML_SAX1_ENABLED */ - hdlr->internalSubset = xmlSAX2InternalSubset; - hdlr->externalSubset = xmlSAX2ExternalSubset; - hdlr->isStandalone = xmlSAX2IsStandalone; -diff --git a/parser.c b/parser.c -index 0c8bed129..e133fe0a6 100644 ---- a/parser.c -+++ b/parser.c -@@ -842,10 +842,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) { - if (ctxt == NULL) return; - sax = ctxt->sax; - #ifdef LIBXML_SAX1_ENABLED -- if ((sax) && (sax->initialized == XML_SAX2_MAGIC) && -- ((sax->startElementNs != NULL) || -- (sax->endElementNs != NULL) || -- ((sax->startElement == NULL) && (sax->endElement == NULL)))) -+ if ((sax) && (sax->initialized == XML_SAX2_MAGIC)) - ctxt->sax2 = 1; - #else - ctxt->sax2 = 1; --- -GitLab - diff --git a/backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch b/backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch deleted file mode 100644 index 13bafae41d9a24e4efb99403eee8cc8c87f4b90d..0000000000000000000000000000000000000000 --- a/backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch +++ /dev/null @@ -1,92 +0,0 @@ -From a15f2abef1463c20bc62a455e983e34b2278f279 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Fri, 8 Apr 2022 12:16:51 -0700 -Subject: [PATCH 260/300] Use UPDATE_COMPAT() consistently in buf.c - -* buf.c: -(xmlBufCreate): -(xmlBufCreateSize): -(xmlBufDetach): -(xmlBufCreateStatic): -(xmlBufFromBuffer): - -Reference:https://github.com/GNOME/libxml2/commit/a15f2abef1463c20bc62a455e983e34b2278f279 -Conflict:Context adaptation - ---- - buf.c | 20 +++++--------------- - 1 file changed, 5 insertions(+), 15 deletions(-) - -diff --git a/buf.c b/buf.c -index 40a5ee0..d341750 100644 ---- a/buf.c -+++ b/buf.c -@@ -131,12 +131,11 @@ xmlBufCreate(void) { - xmlBufMemoryError(NULL, "creating buffer"); - return(NULL); - } -- ret->compat_use = 0; - ret->use = 0; - ret->error = 0; - ret->buffer = NULL; - ret->size = xmlDefaultBufferSize; -- ret->compat_size = xmlDefaultBufferSize; -+ UPDATE_COMPAT(ret); - ret->alloc = xmlBufferAllocScheme; - ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); - if (ret->content == NULL) { -@@ -167,13 +166,12 @@ xmlBufCreateSize(size_t size) { - xmlBufMemoryError(NULL, "creating buffer"); - return(NULL); - } -- ret->compat_use = 0; - ret->use = 0; - ret->error = 0; - ret->buffer = NULL; - ret->alloc = xmlBufferAllocScheme; - ret->size = (size ? size + 1 : 0); /* +1 for ending null */ -- ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size); -+ UPDATE_COMPAT(ret); - if (ret->size){ - ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); - if (ret->content == NULL) { -@@ -215,8 +213,7 @@ xmlBufDetach(xmlBufPtr buf) { - buf->content = NULL; - buf->size = 0; - buf->use = 0; -- buf->compat_use = 0; -- buf->compat_size = 0; -+ UPDATE_COMPAT(buf); - - return ret; - } -@@ -245,15 +242,9 @@ xmlBufCreateStatic(void *mem, size_t size) { - xmlBufMemoryError(NULL, "creating buffer"); - return(NULL); - } -- if (size < INT_MAX) { -- ret->compat_use = size; -- ret->compat_size = size; -- } else { -- ret->compat_use = INT_MAX; -- ret->compat_size = INT_MAX; -- } - ret->use = size; - ret->size = size; -+ UPDATE_COMPAT(ret); - ret->alloc = XML_BUFFER_ALLOC_IMMUTABLE; - ret->content = (xmlChar *) mem; - ret->error = 0; -@@ -1159,8 +1150,7 @@ xmlBufFromBuffer(xmlBufferPtr buffer) { - } - ret->use = buffer->use; - ret->size = buffer->size; -- ret->compat_use = buffer->use; -- ret->compat_size = buffer->size; -+ UPDATE_COMPAT(ret); - ret->error = 0; - ret->buffer = buffer; - ret->alloc = buffer->alloc; --- -2.27.0 - diff --git a/backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch b/backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch deleted file mode 100644 index 359cfaf2eaf444a799fbf1962819cdacd0b7fa59..0000000000000000000000000000000000000000 --- a/backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 0aa8652e596a20e95ed334ac65cf15e6e9ec4b3b Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 20 May 2022 14:54:49 +0200 -Subject: [PATCH 291/300] Use xmlNewDocText in xmlXIncludeCopyRange - -Otherwise, the initial node of the copy could be a text node with a -NULL document. This results in the NULL document being propagated to -copies of other nodes, losing information about the dictionary in which -node data is stored, and freeing a dict-allocated string. - -See discussion in !175. - -Reference:https://github.com/GNOME/libxml2/commit/0aa8652e596a20e95ed334ac65cf15e6e9ec4b3b -Conflict:NA - ---- - xinclude.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/xinclude.c b/xinclude.c -index e5fdf0f..8c14a68 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -987,7 +987,7 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, - int len; - - if (content == NULL) { -- tmp = xmlNewTextLen(NULL, 0); -+ tmp = xmlNewDocTextLen(target, NULL, 0); - } else { - len = index2; - if ((cur == start) && (index1 > 1)) { -@@ -996,7 +996,7 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, - } else { - len = index2; - } -- tmp = xmlNewTextLen(content, len); -+ tmp = xmlNewDocTextLen(target, content, len); - } - /* single sub text node selection */ - if (list == NULL) -@@ -1047,13 +1047,13 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, - const xmlChar *content = cur->content; - - if (content == NULL) { -- tmp = xmlNewTextLen(NULL, 0); -+ tmp = xmlNewDocTextLen(target, NULL, 0); - } else { - if (index1 > 1) { - content += (index1 - 1); - index1 = 0; - } -- tmp = xmlNewText(content); -+ tmp = xmlNewDocText(target, content); - } - last = list = tmp; - listParent = cur->parent; --- -2.27.0 - diff --git a/backport-Use-xmlStrlen-in-CtxtReadDoc.patch b/backport-Use-xmlStrlen-in-CtxtReadDoc.patch deleted file mode 100644 index 817574ce416bce2d55793cfc4075d75c9298b922..0000000000000000000000000000000000000000 --- a/backport-Use-xmlStrlen-in-CtxtReadDoc.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 5b2d07a72670513e41b481a9d922c983a64027ca Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 20 Aug 2022 17:00:50 +0200 -Subject: [PATCH] Use xmlStrlen in *CtxtReadDoc - -xmlStrlen handles buffers larger than INT_MAX more gracefully. - -Reference:https://github.com/GNOME/libxml2/commit/5b2d07a72670513e41b481a9d922c983a64027ca -Conflict:NA ---- - HTMLparser.c | 7 ++----- - parser.c | 6 ++---- - 2 files changed, 4 insertions(+), 9 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index a4168f3..e0b32fe 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -7087,13 +7087,10 @@ htmlDocPtr - htmlCtxtReadDoc(htmlParserCtxtPtr ctxt, const xmlChar * cur, - const char *URL, const char *encoding, int options) - { -- const char *buf; -- - if (cur == NULL) - return (NULL); -- buf = (const char *) cur; -- return (htmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, -- options)); -+ return (htmlCtxtReadMemory(ctxt, (const char *) cur, xmlStrlen(cur), URL, -+ encoding, options)); - } - - /** -diff --git a/parser.c b/parser.c -index fbeb7af..23b031d 100644 ---- a/parser.c -+++ b/parser.c -@@ -15374,12 +15374,10 @@ xmlDocPtr - xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur, - const char *URL, const char *encoding, int options) - { -- const char *buf; -- - if (cur == NULL) - return (NULL); -- buf = (const char *) cur; -- return (xmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, options)); -+ return (xmlCtxtReadMemory(ctxt, (const char *) cur, xmlStrlen(cur), URL, -+ encoding, options)); - } - - /** --- -2.27.0 - diff --git a/backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch b/backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch deleted file mode 100644 index 3d86ae745e6b9df3aa4041fe1d81d4a7c5723fca..0000000000000000000000000000000000000000 --- a/backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch +++ /dev/null @@ -1,29 +0,0 @@ -From c21e9cd5d955e4d8afa514e1f7736ce6a9bb8f2e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 20 Aug 2022 17:02:02 +0200 -Subject: [PATCH] Use xmlStrlen in xmlNewStringInputStream - -xmlStrlen handles buffers larger than INT_MAX more gracefully. - -Reference:https://github.com/GNOME/libxml2/commit/c21e9cd5d955e4d8afa514e1f7736ce6a9bb8f2e -Conflict:NA ---- - parserInternals.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parserInternals.c b/parserInternals.c -index 6ef7671..2b05dac 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -1476,7 +1476,7 @@ xmlNewStringInputStream(xmlParserCtxtPtr ctxt, const xmlChar *buffer) { - xmlGenericError(xmlGenericErrorContext, - "new fixed input: %.30s\n", buffer); - buf = xmlParserInputBufferCreateMem((const char *) buffer, -- strlen((const char *) buffer), -+ xmlStrlen(buffer), - XML_CHAR_ENCODING_NONE); - if (buf == NULL) { - xmlErrMemory(ctxt, NULL); --- -2.27.0 - diff --git a/backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch b/backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch deleted file mode 100644 index 099793eb349f66372a1915b2e5a4d4c71f7389de..0000000000000000000000000000000000000000 --- a/backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f8c5e7fb75cd741fb576ddb4de8fcd61f9907549 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 13:49:19 +0100 -Subject: [PATCH] buf: Fix return value of xmlBufGetInputBase - -Don't return (size_t) -1 in error case. - -Found with libFuzzer and -fsanitize=implicit-conversion. - -Reference:https://github.com/GNOME/libxml2/commit/f8c5e7fb75cd741fb576ddb4de8fcd61f9907549 -Conflict:NA ---- - buf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/buf.c b/buf.c -index 69370b7..d8992f7 100644 ---- a/buf.c -+++ b/buf.c -@@ -1283,7 +1283,7 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) { - size_t base; - - if ((input == NULL) || (buf == NULL) || (buf->error)) -- return(-1); -+ return(0); - CHECK_COMPAT(buf) - base = input->base - buf->content; - /* --- -2.27.0 - diff --git a/backport-catalog-Fix-memory-leaks.patch b/backport-catalog-Fix-memory-leaks.patch deleted file mode 100644 index 4aff01be1d138a1363472d187a7e067865f0c72e..0000000000000000000000000000000000000000 --- a/backport-catalog-Fix-memory-leaks.patch +++ /dev/null @@ -1,48 +0,0 @@ -From c9e4c6d416d00968f2e2d7c68a9c0e809265baf2 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 21 Feb 2023 15:22:01 +0100 -Subject: [PATCH] catalog: Fix memory leaks - -Fixes #377. - -Reference:https://github.com/GNOME/libxml2/commit/c9e4c6d416d00968f2e2d7c68a9c0e809265baf2 -Conflict:catalog.c xmlcatalog.c - ---- - catalog.c | 2 +- - xmlcatalog.c | 6 ++---- - 2 files changed, 3 insertions(+), 5 deletions(-) - -diff --git a/catalog.c b/catalog.c -index b3a97da..4d84a6a 100644 ---- a/catalog.c -+++ b/catalog.c -@@ -2983,7 +2983,7 @@ xmlACatalogAdd(xmlCatalogPtr catal, const xmlChar * type, - if (catal->sgml == NULL) - catal->sgml = xmlHashCreate(10); - res = xmlHashAddEntry(catal->sgml, orig, entry); -- if (res) -+ if (res < 0) - xmlFreeCatalogEntry(entry, NULL); - } - } -diff --git a/xmlcatalog.c b/xmlcatalog.c -index 7fe25ac..c7a1dc8 100644 ---- a/xmlcatalog.c -+++ b/xmlcatalog.c -@@ -513,10 +513,8 @@ int main(int argc, char **argv) { - } - i += 2; - /* Check for memory leaks */ -- if (catal != NULL) -- xmlFreeCatalog(catal); -- if (super != NULL) -- xmlFreeCatalog(super); -+ xmlFreeCatalog(catal); -+ xmlFreeCatalog(super); - } else { - if ((!strcmp(argv[i], "-add")) || - (!strcmp(argv[i], "--add"))) { --- -2.27.0 - diff --git a/backport-encoding-Cast-toupper-argument-to-unsigned-char.patch b/backport-encoding-Cast-toupper-argument-to-unsigned-char.patch deleted file mode 100644 index bf6fd17abab5913585ea2de8b8c48bdd335d5290..0000000000000000000000000000000000000000 --- a/backport-encoding-Cast-toupper-argument-to-unsigned-char.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 3cc900f0989908f50d5544f00ede0f0236c4f350 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 11:50:52 +0100 -Subject: [PATCH] encoding: Cast toupper argument to unsigned char - -Fixes undefined behavior. - -Also cast return value explicitly to fix implicit-integer-sign-change -checks. - -Reference:https://github.com/GNOME/libxml2/commit/3cc900f0989908f50d5544f00ede0f0236c4f350 -Conflict:NA ---- - encoding.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/encoding.c b/encoding.c -index 8b98f7d..d43361a 100644 ---- a/encoding.c -+++ b/encoding.c -@@ -1038,7 +1038,7 @@ xmlGetEncodingAlias(const char *alias) { - return(NULL); - - for (i = 0;i < 99;i++) { -- upper[i] = toupper(alias[i]); -+ upper[i] = (char) toupper((unsigned char) alias[i]); - if (upper[i] == 0) break; - } - upper[i] = 0; -@@ -1073,7 +1073,7 @@ xmlAddEncodingAlias(const char *name, const char *alias) { - return(-1); - - for (i = 0;i < 99;i++) { -- upper[i] = toupper(alias[i]); -+ upper[i] = (char) toupper((unsigned char) alias[i]); - if (upper[i] == 0) break; - } - upper[i] = 0; -@@ -1175,7 +1175,7 @@ xmlParseCharEncoding(const char* name) - name = alias; - - for (i = 0;i < 499;i++) { -- upper[i] = toupper(name[i]); -+ upper[i] = (char) toupper((unsigned char) name[i]); - if (upper[i] == 0) break; - } - upper[i] = 0; -@@ -1351,7 +1351,7 @@ xmlNewCharEncodingHandler(const char *name, - return(NULL); - } - for (i = 0;i < 499;i++) { -- upper[i] = toupper(name[i]); -+ upper[i] = (char) toupper((unsigned char) name[i]); - if (upper[i] == 0) break; - } - upper[i] = 0; -@@ -1689,7 +1689,7 @@ xmlFindCharEncodingHandler(const char *name) { - * Check first for directly registered encoding names - */ - for (i = 0;i < 99;i++) { -- upper[i] = toupper(name[i]); -+ upper[i] = (char) toupper((unsigned char) name[i]); - if (upper[i] == 0) break; - } - upper[i] = 0; --- -2.27.0 - diff --git a/backport-encoding-Fix-error-code-in-asciiToUTF8.patch b/backport-encoding-Fix-error-code-in-asciiToUTF8.patch deleted file mode 100644 index 322fac10fcca08e94664b55409db3a3287e3b0d1..0000000000000000000000000000000000000000 --- a/backport-encoding-Fix-error-code-in-asciiToUTF8.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a6b9e55a9eb78e96f880afaf03ce8819bcd26a34 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Mar 2023 15:42:02 +0200 -Subject: [PATCH] encoding: Fix error code in asciiToUTF8 - -Use correct error code when invalid ASCII bytes are encountered. - -Found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/a6b9e55a9eb78e96f880afaf03ce8819bcd26a34 -Conflict:NA - ---- - encoding.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/encoding.c b/encoding.c -index d43361a..9a7a611 100644 ---- a/encoding.c -+++ b/encoding.c -@@ -193,7 +193,7 @@ asciiToUTF8(unsigned char* out, int *outlen, - } else { - *outlen = out - outstart; - *inlen = processed - base; -- return(-1); -+ return(-2); - } - - processed = (const unsigned char*) in; --- -2.27.0 - diff --git a/backport-error-Don-t-move-past-current-position.patch b/backport-error-Don-t-move-past-current-position.patch deleted file mode 100644 index cbb6f2e1272aa3aa3fb61ea4e09c9fe536f4ef52..0000000000000000000000000000000000000000 --- a/backport-error-Don-t-move-past-current-position.patch +++ /dev/null @@ -1,39 +0,0 @@ -From d9a8dab3a3ba980f1efc1366c1b9a3a2434dcabd Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 12:00:59 +0100 -Subject: [PATCH] error: Don't move past current position - -Make sure that we never move past the current position in -xmlParserPrintFileContextInternal. - -Found with libFuzzer and -fsanitize=implicit-conversion. - -Reference:https://github.com/GNOME/libxml2/commit/d9a8dab3a3ba980f1efc1366c1b9a3a2434dcabd -Conflict:NA ---- - error.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/error.c b/error.c -index fe9a7e2..5eee72a 100644 ---- a/error.c -+++ b/error.c -@@ -188,10 +188,12 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , - } - n = 0; - /* search backwards for beginning-of-line (to max buff size) */ -- while ((n++ < (sizeof(content)-1)) && (cur > base) && -- (*(cur) != '\n') && (*(cur) != '\r')) -+ while ((n < sizeof(content) - 1) && (cur > base) && -+ (*cur != '\n') && (*cur != '\r')) { - cur--; -- if ((*(cur) == '\n') || (*(cur) == '\r')) { -+ n++; -+ } -+ if ((n > 0) && ((*cur == '\n') || (*cur == '\r'))) { - cur++; - } else { - /* skip over continuation bytes */ --- -2.27.0 - diff --git a/backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch b/backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch deleted file mode 100644 index b30e6d753ce2b689e1231413129e0c6f01ca3efc..0000000000000000000000000000000000000000 --- a/backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 9a0aec423d158a9e3d8e5cb6df0d5ce032be3524 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 4 Dec 2022 23:01:00 +0100 -Subject: [PATCH 28/28] error: Make sure that error messages are valid UTF-8 - -This has caused issues with the Python bindings for a long time. - -Should fix #64. - -Reference: https://github.com/GNOME/libxml2/commit/76c6da420923f2721a2e16adfcef8707a2454a1b -Conflict: result/,runtest.c,test/ ---- - error.c | 29 ++++++++++++++++++++--------- - 1 file changed, 20 insertions(+), 9 deletions(-) - -diff --git a/error.c b/error.c -index 9ff1c2b..fe9a7e2 100644 ---- a/error.c -+++ b/error.c -@@ -163,7 +163,7 @@ xmlParserPrintFileInfo(xmlParserInputPtr input) { - } - - /** -- * xmlParserPrintFileContext: -+ * xmlParserPrintFileContextInternal: - * @input: an xmlParserInputPtr input - * - * Displays current context within the input content for error tracking -@@ -172,7 +172,7 @@ xmlParserPrintFileInfo(xmlParserInputPtr input) { - static void - xmlParserPrintFileContextInternal(xmlParserInputPtr input , - xmlGenericErrorFunc channel, void *data ) { -- const xmlChar *cur, *base; -+ const xmlChar *cur, *base, *start; - unsigned int n, col; /* GCC warns if signed, because compared with sizeof() */ - xmlChar content[81]; /* space for 80 chars + line terminator */ - xmlChar *ctnt; -@@ -191,19 +191,30 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , - while ((n++ < (sizeof(content)-1)) && (cur > base) && - (*(cur) != '\n') && (*(cur) != '\r')) - cur--; -- if ((*(cur) == '\n') || (*(cur) == '\r')) cur++; -+ if ((*(cur) == '\n') || (*(cur) == '\r')) { -+ cur++; -+ } else { -+ /* skip over continuation bytes */ -+ while ((cur < input->cur) && ((*cur & 0xC0) == 0x80)) -+ cur++; -+ } - /* calculate the error position in terms of the current position */ - col = input->cur - cur; - /* search forward for end-of-line (to max buff size) */ - n = 0; -- ctnt = content; -+ start = cur; - /* copy selected text to our buffer */ -- while ((*cur != 0) && (*(cur) != '\n') && -- (*(cur) != '\r') && (n < sizeof(content)-1)) { -- *ctnt++ = *cur++; -- n++; -+ while ((*cur != 0) && (*(cur) != '\n') && (*(cur) != '\r')) { -+ int len = input->end - cur; -+ int c = xmlGetUTF8Char(cur, &len); -+ -+ if ((c < 0) || (n + len > sizeof(content)-1)) -+ break; -+ cur += len; -+ n += len; - } -- *ctnt = 0; -+ memcpy(content, start, n); -+ content[n] = 0; - /* print out the selected text */ - channel(data ,"%s\n", content); - /* create blank line with problem pointer */ --- -2.27.0 - diff --git a/backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch b/backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch deleted file mode 100644 index 62129a88710c4d4f6e45486b7b168ec67df0deb2..0000000000000000000000000000000000000000 --- a/backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 74263eff5f6212afa2196022ecd2fbc39c6d3c36 Mon Sep 17 00:00:00 2001 -From: jinsub ahn -Date: Wed, 30 Mar 2022 06:02:31 +0000 -Subject: [PATCH 206/300] fix: xmlXPathParserContext could be double-delete in - OOM case. - -Reference:https://github.com/GNOME/libxml2/commit/74263eff5f6212afa2196022ecd2fbc39c6d3c36 -Conflict:NA ---- - xpath.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xpath.c b/xpath.c -index c2d8458..e79dcec 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -13895,7 +13895,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) - xmlMalloc(10 * sizeof(xmlXPathObjectPtr)); - if (ctxt->valueTab == NULL) { - xmlXPathPErrMemory(ctxt, "creating evaluation context\n"); -- xmlFree(ctxt); -+ return(-1); - } - ctxt->valueNr = 0; - ctxt->valueMax = 10; --- -2.27.0 - - diff --git a/backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch b/backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch deleted file mode 100644 index 22409fdf9b88c50f0f61399e6efbf53878aab5f6..0000000000000000000000000000000000000000 --- a/backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 06a2c251a18d8cc93bcae82270997b27cbc9aaea Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 6 May 2023 15:28:13 +0200 -Subject: [PATCH] hash: Fix possible startup crash with old libxslt versions - -Call xmlInitParser in xmlHashCreate to make it work if the library -wasn't initialized yet. - -Otherwise, exsltRegisterAll from libxslt 1.1.24 or older might cause -a crash. - -See #534. - -Reference:https://github.com/GNOME/libxml2/commit/06a2c251a18d8cc93bcae82270997b27cbc9aaea -Conflict:NA - ---- - hash.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/hash.c b/hash.c -index 00250ba..ac868ff 100644 ---- a/hash.c -+++ b/hash.c -@@ -181,6 +181,8 @@ xmlHashTablePtr - xmlHashCreate(int size) { - xmlHashTablePtr table; - -+ xmlInitParser(); -+ - if (size <= 0) - size = 256; - --- -2.27.0 - diff --git a/backport-html-Fix-check-for-end-of-comment-in-push-parser.patch b/backport-html-Fix-check-for-end-of-comment-in-push-parser.patch deleted file mode 100644 index 89102adf1c5d33295550974b630afad2ce089bda..0000000000000000000000000000000000000000 --- a/backport-html-Fix-check-for-end-of-comment-in-push-parser.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 63fa7b922a169ed6b86a4c6678140795c28657f5 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 20 Nov 2022 19:54:34 +0100 -Subject: [PATCH 20/28] html: Fix check for end of comment in push parser - -Make sure to reset checkIndex. Handle case where "--" or "--!" is at the -end of the buffer. Fix "avail" check in htmlParseOrTryFinish. - -Reference: https://github.com/GNOME/libxml2/commit/c93679381c565f4c110c7a6110372bd6d0610308 -Conflict: HTMLparser.c:, ---- - HTMLparser.c | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index e0b32fe..746edf6 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -5405,14 +5405,22 @@ static int - htmlParseLookupCommentEnd(htmlParserCtxtPtr ctxt) - { - int mark = 0; -+ int offset; - int cur = CUR_PTR - BASE_PTR; - -- while (mark >= 0) { -+ while (1) { - mark = htmlParseLookupSequence(ctxt, '-', '-', 0, 0); -- if ((mark < 0) || -- (NXT(mark+2) == '>') || -+ if (mark < 0) -+ break; -+ if ((NXT(mark+2) == '>') || - ((NXT(mark+2) == '!') && (NXT(mark+3) == '>'))) { -- return mark; -+ ctxt->checkIndex = 0; -+ break; -+ } -+ offset = (NXT(mark+2) == '!') ? 3 : 2; -+ if (mark + offset >= ctxt->input->end - ctxt->input->cur) { -+ ctxt->checkIndex = mark; -+ return(-1); - } - ctxt->checkIndex = cur + mark + 1; - } -@@ -5949,6 +5957,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { - break; - } - } else { -+ if ((cur == '<') && (next == '!') && (avail < 4)) -+ goto done; - /* - * Sometimes DOCTYPE arrives in the middle of the document - */ -@@ -5984,8 +5994,6 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { - #endif - htmlParsePI(ctxt); - ctxt->instate = XML_PARSER_CONTENT; -- } else if ((cur == '<') && (next == '!') && (avail < 4)) { -- goto done; - } else if ((cur == '<') && (next == '/')) { - ctxt->instate = XML_PARSER_END_TAG; - ctxt->checkIndex = 0; --- -2.27.0 - diff --git a/backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch b/backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch deleted file mode 100644 index cf89ab5e73f0598aba45ead5e1c40b960c2ab827..0000000000000000000000000000000000000000 --- a/backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 4b3452d17123631ec43d532b83dc182c1a638fed Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Mar 2023 16:56:36 +0100 -Subject: [PATCH] html: Fix quadratic behavior in htmlParseTryOrFinish - -Fix check for end of script content. - -Found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/4b3452d17123631ec43d532b83dc182c1a638fed -Conflict:NA - ---- - HTMLparser.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index b76218c..6c8f180 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -5984,8 +5984,14 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { - if (idx < 0) - goto done; - val = in->cur[idx + 2]; -- if (val == 0) /* bad cut of input */ -+ if (val == 0) { /* bad cut of input */ -+ /* -+ * FIXME: htmlParseScript checks for additional -+ * characters after 'checkIndex = idx; - goto done; -+ } - } - htmlParseScript(ctxt); - if ((cur == '<') && (next == '/')) { --- -2.27.0 - diff --git a/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch b/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch deleted file mode 100644 index b0b19e2167e7f68631040da29a8f091d4388e904..0000000000000000000000000000000000000000 --- a/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9feafbc5c5cce13852062a527d719ecce6b54661 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 13 Nov 2022 16:56:10 +0100 -Subject: [PATCH] io: Check for memory buffer early in xmlParserInputGrow - -Reference:https://github.com/GNOME/libxml2/commit/9feafbc5c5cce13852062a527d719ecce6b54661 -Conflict:NA ---- - parserInternals.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/parserInternals.c b/parserInternals.c -index b8eab4b..0ef44fe 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -310,6 +310,9 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { - if (in->cur == NULL) return(-1); - if (in->buf->buffer == NULL) return(-1); - -+ /* Don't grow memory buffers. */ -+ if (in->buf->readcallback == NULL) return(0); -+ - CHECK_BUFFER(in); - - indx = in->cur - in->base; -@@ -319,10 +322,7 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { - - return(0); - } -- if (in->buf->readcallback != NULL) { -- ret = xmlParserInputBufferGrow(in->buf, len); -- } else -- return(0); -+ ret = xmlParserInputBufferGrow(in->buf, len); - - in->base = xmlBufContent(in->buf->buffer); - in->cur = in->base + indx; --- -2.27.0 - diff --git a/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch b/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch deleted file mode 100644 index 2c97fb4ac58e5fc8e4168c4fb334daa5aeeaba07..0000000000000000000000000000000000000000 --- a/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch +++ /dev/null @@ -1,36 +0,0 @@ -From cc645b439f54040b424bcb6c9b4c2c3f51cf2f9e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 13 Nov 2022 15:08:44 +0100 -Subject: [PATCH 14/28] io: Fix "buffer full" error with certain buffer sizes - -Remove a useless check in xmlParserInputBufferGrow that could be -triggered after changing xmlBufAvail in c14cac8b. - -Fixes #438. - -Reference: https://github.com/GNOME/libxml2/commit/22d879bf0ab3ef14177a6388e28bb264bd36e64b -Conflict: NA ---- - xmlIO.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/xmlIO.c b/xmlIO.c -index 3f5307f..0762034 100644 ---- a/xmlIO.c -+++ b/xmlIO.c -@@ -3247,12 +3247,6 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { - if ((len <= MINLEN) && (len != 4)) - len = MINLEN; - -- if (xmlBufAvail(in->buffer) <= 0) { -- xmlIOErr(XML_IO_BUFFER_FULL, NULL); -- in->error = XML_IO_BUFFER_FULL; -- return(-1); -- } -- - if (xmlBufGrow(in->buffer, len + 1) < 0) { - xmlIOErrMemory("growing input buffer"); - in->error = XML_ERR_NO_MEMORY; --- -2.27.0 - diff --git a/backport-io-Remove-xmlInputReadCallbackNop.patch b/backport-io-Remove-xmlInputReadCallbackNop.patch deleted file mode 100644 index 0f3f98eb2d137dce550b67e5ec8530ed70abdeb6..0000000000000000000000000000000000000000 --- a/backport-io-Remove-xmlInputReadCallbackNop.patch +++ /dev/null @@ -1,114 +0,0 @@ -From ee6c6084e58ab114bddd06453790d22b08e45d93 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 13 Nov 2022 16:30:46 +0100 -Subject: [PATCH] io: Remove xmlInputReadCallbackNop - -In some cases, for example when using encoders, the read callback was -set to NULL, in other cases it was set to xmlInputReadCallbackNop. -xmlGROW only tested for xmlInputReadCallbackNop, resulting in errors -when parsing large encoded content from memory. - -Always use a NULL callback for memory buffers to avoid ambiguities. - -Fixes #262. - -Reference:https://github.com/GNOME/libxml2/commit/46cd7d224ed5c4cdbd4f72ec899db24e18d21fe7 -Conflict:include/private/io.h ---- - parser.c | 2 +- - parserInternals.c | 3 ++- - xmlIO.c | 30 ++++-------------------------- - 3 files changed, 7 insertions(+), 28 deletions(-) - -diff --git a/parser.c b/parser.c -index adc449c..f13287a 100644 ---- a/parser.c -+++ b/parser.c -@@ -2134,7 +2134,7 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { - if (((curEnd > XML_MAX_LOOKUP_LIMIT) || - (curBase > XML_MAX_LOOKUP_LIMIT)) && - ((ctxt->input->buf) && -- (ctxt->input->buf->readcallback != xmlInputReadCallbackNop)) && -+ (ctxt->input->buf->readcallback != NULL)) && - ((ctxt->options & XML_PARSE_HUGE) == 0)) { - xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); - xmlHaltParser(ctxt); -diff --git a/parserInternals.c b/parserInternals.c -index 0ef44fe..ef18ccf 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -311,7 +311,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { - if (in->buf->buffer == NULL) return(-1); - - /* Don't grow memory buffers. */ -- if (in->buf->readcallback == NULL) return(0); -+ if ((in->buf->encoder == NULL) && (in->buf->readcallback == NULL)) -+ return(0); - - CHECK_BUFFER(in); - -diff --git a/xmlIO.c b/xmlIO.c -index 0762034..71c9fbf 100644 ---- a/xmlIO.c -+++ b/xmlIO.c -@@ -729,20 +729,6 @@ xmlCheckFilename (const char *path) - return 1; - } - --/** -- * xmlInputReadCallbackNop: -- * -- * No Operation xmlInputReadCallback function, does nothing. -- * -- * Returns zero -- */ --int --xmlInputReadCallbackNop(void *context ATTRIBUTE_UNUSED, -- char *buffer ATTRIBUTE_UNUSED, -- int len ATTRIBUTE_UNUSED) { -- return(0); --} -- - /** - * xmlFdRead: - * @context: the I/O context -@@ -2963,7 +2949,7 @@ xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) { - ret = xmlAllocParserInputBuffer(enc); - if (ret != NULL) { - ret->context = (void *) mem; -- ret->readcallback = xmlInputReadCallbackNop; -+ ret->readcallback = NULL; - ret->closecallback = NULL; - errcode = xmlBufAdd(ret->buffer, (const xmlChar *) mem, size); - if (errcode != 0) { -@@ -3261,10 +3247,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { - res = in->readcallback(in->context, &buffer[0], len); - if (res <= 0) - in->readcallback = endOfInput; -- } else { -- xmlIOErr(XML_IO_NO_INPUT, NULL); -- in->error = XML_IO_NO_INPUT; -- return(-1); -+ } else if (in->encoder == NULL) { -+ return(0); - } - if (res < 0) { - return(-1); -@@ -3331,13 +3315,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { - */ - int - xmlParserInputBufferRead(xmlParserInputBufferPtr in, int len) { -- if ((in == NULL) || (in->error)) return(-1); -- if (in->readcallback != NULL) -- return(xmlParserInputBufferGrow(in, len)); -- else if (xmlBufGetAllocationScheme(in->buffer) == XML_BUFFER_ALLOC_IMMUTABLE) -- return(0); -- else -- return(-1); -+ return(xmlParserInputBufferGrow(in, len)); - } - - #ifdef LIBXML_OUTPUT_ENABLED --- -2.27.0 - diff --git a/backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch b/backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch deleted file mode 100644 index c9c201cd3880c3932c279743eb6e4ad759804974..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 62f199ed7d1c99999030810495bd12fd5b86fee1 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 17 Mar 2023 12:40:46 +0100 -Subject: [PATCH] malloc-fail: Add error check in htmlParseHTMLAttribute - -This function must return NULL is an error occurs. - -Found by OSS-Fuzz, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/62f199ed7d1c99999030810495bd12fd5b86fee1 -Conflict:NA - ---- - HTMLparser.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 3682807..42d1b29 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -2846,6 +2846,10 @@ htmlParseHTMLAttribute(htmlParserCtxtPtr ctxt, const xmlChar stop) { - out = &buffer[indx]; - } - c = CUR_CHAR(l); -+ if (ctxt->instate == XML_PARSER_EOF) { -+ xmlFree(buffer); -+ return(NULL); -+ } - if (c < 0x80) - { *out++ = c; bits= -6; } - else if (c < 0x800) --- -2.27.0 - diff --git a/backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch b/backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch deleted file mode 100644 index c4acf5e29126de50793f78b2a38e4cc9e49d30a8..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 08695683dbd78301aa95bf3042871256479bc6a6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 30 Jan 2023 15:52:00 +0100 -Subject: [PATCH] malloc-fail: Add error check in xmlXPathEqualNodeSetFloat - -Avoid null deref. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/08695683dbd78301aa95bf3042871256479bc6a6 -Conflict:NA ---- - xpath.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/xpath.c b/xpath.c -index 6d76e43..77d5434 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -6799,6 +6799,7 @@ xmlXPathEqualNodeSetFloat(xmlXPathParserContextPtr ctxt, - xmlFree(str2); - xmlXPathNumberFunction(ctxt, 1); - val = valuePop(ctxt); -+ CHECK_ERROR0; - v = val->floatval; - xmlXPathReleaseObject(ctxt->context, val); - if (!xmlXPathIsNaN(v)) { --- -2.27.0 - diff --git a/backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch b/backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch deleted file mode 100644 index 943098e8143e6868dcf0fe376b9eafb2b5815ed9..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 7ec314efcd8b3df1d05d793812e54656bf539af8 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 30 Jan 2023 15:59:55 +0100 -Subject: [PATCH] malloc-fail: Add error checks in xmlXPathEqualValuesCommon - -Avoid null deref. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/7ec314efcd8b3df1d05d793812e54656bf539af8 -Conflict:NA ---- - xpath.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xpath.c b/xpath.c -index fbec21b..6d76e43 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -7011,6 +7011,7 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, - valuePush(ctxt, arg2); - xmlXPathNumberFunction(ctxt, 1); - arg2 = valuePop(ctxt); -+ CHECK_ERROR0; - /* Falls through. */ - case XPATH_NUMBER: - /* Hand check NaN and Infinity equalities */ -@@ -7074,6 +7075,7 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, - valuePush(ctxt, arg1); - xmlXPathNumberFunction(ctxt, 1); - arg1 = valuePop(ctxt); -+ CHECK_ERROR0; - /* Hand check NaN and Infinity equalities */ - if (xmlXPathIsNaN(arg1->floatval) || - xmlXPathIsNaN(arg2->floatval)) { --- -2.27.0 - diff --git a/backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch b/backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch deleted file mode 100644 index 7d50afef56515f4d53f1a23a7e8519b911ee0fb2..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch +++ /dev/null @@ -1,59 +0,0 @@ -From c81d0d04bfbdbccea0c5199bced95a6af961885a Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 17 Mar 2023 12:39:35 +0100 -Subject: [PATCH] malloc-fail: Add more error checks when parsing names - -xmlParseName and similar functions must return NULL if an error occurs. - -Found by OSS-Fuzz, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/c81d0d04bfbdbccea0c5199bced95a6af961885a -Conflict:NA - ---- - parser.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/parser.c b/parser.c -index 75bd27f..b872d34 100644 ---- a/parser.c -+++ b/parser.c -@@ -3355,6 +3355,8 @@ xmlParseName(xmlParserCtxtPtr ctxt) { - XML_MAX_NAME_LENGTH; - - GROW; -+ if (ctxt->instate == XML_PARSER_EOF) -+ return(NULL); - - #ifdef DEBUG - nbParseName++; -@@ -3410,6 +3412,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { - * Handler for more complex cases - */ - GROW; -+ if (ctxt->instate == XML_PARSER_EOF) -+ return(NULL); - startPosition = CUR_PTR - BASE_PTR; - c = CUR_CHAR(l); - if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ -@@ -3686,6 +3690,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { - if (count++ > XML_PARSER_CHUNK_SIZE) { - count = 0; - GROW; -+ if (ctxt->instate == XML_PARSER_EOF) -+ return(NULL); - } - COPY_BUF(l,buf,len,c); - NEXTL(l); -@@ -8791,6 +8797,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) { - const xmlChar *l, *p; - - GROW; -+ if (ctxt->instate == XML_PARSER_EOF) -+ return(NULL); - - l = xmlParseNCName(ctxt); - if (l == NULL) { --- -2.27.0 - diff --git a/backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch b/backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch deleted file mode 100644 index 8e0b923f0df0b43817bf364647185922c09b1ebd..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 1c5e1fc194a661783d4bffbfd4b4424a7d74881f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Feb 2023 13:56:21 +0100 -Subject: [PATCH] malloc-fail: Check for malloc failure in - xmlFindCharEncodingHandler - -Don't return encoding handlers with a NULL name. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/1c5e1fc194a661783d4bffbfd4b4424a7d74881f -Conflict:NA ---- - encoding.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/encoding.c b/encoding.c -index c073a9c..400e860 100644 ---- a/encoding.c -+++ b/encoding.c -@@ -1726,6 +1726,12 @@ xmlFindCharEncodingHandler(const char *name) { - } - memset(enc, 0, sizeof(xmlCharEncodingHandler)); - enc->name = xmlMemStrdup(name); -+ if (enc->name == NULL) { -+ xmlFree(enc); -+ iconv_close(icv_in); -+ iconv_close(icv_out); -+ return(NULL); -+ } - enc->input = NULL; - enc->output = NULL; - enc->iconv_in = icv_in; -@@ -1758,6 +1764,12 @@ xmlFindCharEncodingHandler(const char *name) { - } - memset(encu, 0, sizeof(xmlCharEncodingHandler)); - encu->name = xmlMemStrdup(name); -+ if (encu->name == NULL) { -+ xmlFree(encu); -+ closeIcuConverter(ucv_in); -+ closeIcuConverter(ucv_out); -+ return(NULL); -+ } - encu->input = NULL; - encu->output = NULL; - encu->uconv_in = ucv_in; --- -2.27.0 - diff --git a/backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch b/backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch deleted file mode 100644 index a6c26d13719ade5d0a90b6f0f95282dce8505258..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 4499143a8737148b9be4e3c05e71bc60c5b52e4f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Feb 2023 15:43:50 +0100 -Subject: [PATCH] malloc-fail: Check for malloc failure in xmlHashAddEntry - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/4499143a8737148b9be4e3c05e71bc60c5b52e4f -Conflict:NA ---- - hash.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 50 insertions(+), 4 deletions(-) - -diff --git a/hash.c b/hash.c -index 7b82d2f..00250ba 100644 ---- a/hash.c -+++ b/hash.c -@@ -614,8 +614,24 @@ xmlHashAddEntry3(xmlHashTablePtr table, const xmlChar *name, - entry->name3 = (xmlChar *) name3; - } else { - entry->name = xmlStrdup(name); -- entry->name2 = xmlStrdup(name2); -- entry->name3 = xmlStrdup(name3); -+ if (entry->name == NULL) { -+ entry->name2 = NULL; -+ goto error; -+ } -+ if (name2 == NULL) { -+ entry->name2 = NULL; -+ } else { -+ entry->name2 = xmlStrdup(name2); -+ if (entry->name2 == NULL) -+ goto error; -+ } -+ if (name3 == NULL) { -+ entry->name3 = NULL; -+ } else { -+ entry->name3 = xmlStrdup(name3); -+ if (entry->name3 == NULL) -+ goto error; -+ } - } - entry->payload = userdata; - entry->next = NULL; -@@ -631,6 +647,13 @@ xmlHashAddEntry3(xmlHashTablePtr table, const xmlChar *name, - xmlHashGrow(table, MAX_HASH_LEN * table->size); - - return(0); -+ -+error: -+ xmlFree(entry->name2); -+ xmlFree(entry->name); -+ if (insert != NULL) -+ xmlFree(entry); -+ return(-1); - } - - /** -@@ -744,8 +767,24 @@ xmlHashUpdateEntry3(xmlHashTablePtr table, const xmlChar *name, - entry->name3 = (xmlChar *) name3; - } else { - entry->name = xmlStrdup(name); -- entry->name2 = xmlStrdup(name2); -- entry->name3 = xmlStrdup(name3); -+ if (entry->name == NULL) { -+ entry->name2 = NULL; -+ goto error; -+ } -+ if (name2 == NULL) { -+ entry->name2 = NULL; -+ } else { -+ entry->name2 = xmlStrdup(name2); -+ if (entry->name2 == NULL) -+ goto error; -+ } -+ if (name3 == NULL) { -+ entry->name3 = NULL; -+ } else { -+ entry->name3 = xmlStrdup(name3); -+ if (entry->name3 == NULL) -+ goto error; -+ } - } - entry->payload = userdata; - entry->next = NULL; -@@ -757,6 +796,13 @@ xmlHashUpdateEntry3(xmlHashTablePtr table, const xmlChar *name, - insert->next = entry; - } - return(0); -+ -+error: -+ xmlFree(entry->name2); -+ xmlFree(entry->name); -+ if (insert != NULL) -+ xmlFree(entry); -+ return(-1); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Check-for-malloc-failures-when-creating.patch b/backport-malloc-fail-Check-for-malloc-failures-when-creating.patch deleted file mode 100644 index 30ce4f2d9b8d49d946bb145eaa0bb365c08fdd33..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Check-for-malloc-failures-when-creating.patch +++ /dev/null @@ -1,210 +0,0 @@ -From b1319c902f6e44d08f8cb33f1fc28847f2bc8aeb Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 18 Mar 2023 16:34:01 +0100 -Subject: [PATCH] malloc-fail: Check for malloc failures when creating XPath - strings - -Prevent null derefs. - -Found by OSS-Fuzz, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/b1319c902f6e44d08f8cb33f1fc28847f2bc8aeb -Conflict:xpath.c - ---- - xpath.c | 111 +++++++++++++++++++++----------------------------------- - 1 file changed, 42 insertions(+), 69 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 005a6a2..2eceb5b 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -2476,17 +2476,17 @@ xmlXPathCacheNewNodeSet(xmlXPathContextPtr ctxt, xmlNodePtr val) - } - - /** -- * xmlXPathCacheNewCString: -+ * xmlXPathCacheNewString: - * @ctxt: the XPath context -- * @val: the char * value -+ * @val: the xmlChar * value - * -- * This is the cached version of xmlXPathNewCString(). -+ * This is the cached version of xmlXPathNewString(). - * Acquire an xmlXPathObjectPtr of type string and of value @val - * - * Returns the created or reused object. - */ - static xmlXPathObjectPtr --xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) -+xmlXPathCacheNewString(xmlXPathContextPtr ctxt, const xmlChar *val) - { - if ((ctxt != NULL) && (ctxt->cache)) { - xmlXPathContextCachePtr cache = (xmlXPathContextCachePtr) ctxt->cache; -@@ -2495,12 +2495,20 @@ xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) - (cache->stringObjs->number != 0)) - { - xmlXPathObjectPtr ret; -+ xmlChar *copy; -+ -+ if (val == NULL) -+ val = BAD_CAST ""; -+ copy = xmlStrdup(val); -+ if (copy == NULL) { -+ xmlXPathErrMemory(ctxt, NULL); -+ return(NULL); -+ } - - ret = (xmlXPathObjectPtr) - cache->stringObjs->items[--cache->stringObjs->number]; -- - ret->type = XPATH_STRING; -- ret->stringval = xmlStrdup(BAD_CAST val); -+ ret->stringval = copy; - #ifdef XP_DEBUG_OBJ_USAGE - xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); - #endif -@@ -2509,73 +2517,44 @@ xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) - (cache->miscObjs->number != 0)) - { - xmlXPathObjectPtr ret; -+ xmlChar *copy; -+ -+ if (val == NULL) -+ val = BAD_CAST ""; -+ copy = xmlStrdup(val); -+ if (copy == NULL) { -+ xmlXPathErrMemory(ctxt, NULL); -+ return(NULL); -+ } - - ret = (xmlXPathObjectPtr) - cache->miscObjs->items[--cache->miscObjs->number]; - - ret->type = XPATH_STRING; -- ret->stringval = xmlStrdup(BAD_CAST val); -+ ret->stringval = copy; - #ifdef XP_DEBUG_OBJ_USAGE - xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); - #endif - return(ret); - } - } -- return(xmlXPathNewCString(val)); -+ return(xmlXPathNewString(val)); - } - - /** -- * xmlXPathCacheNewString: -+ * xmlXPathCacheNewCString: - * @ctxt: the XPath context -- * @val: the xmlChar * value -+ * @val: the char * value - * -- * This is the cached version of xmlXPathNewString(). -+ * This is the cached version of xmlXPathNewCString(). - * Acquire an xmlXPathObjectPtr of type string and of value @val - * - * Returns the created or reused object. - */ - static xmlXPathObjectPtr --xmlXPathCacheNewString(xmlXPathContextPtr ctxt, const xmlChar *val) -+xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) - { -- if ((ctxt != NULL) && (ctxt->cache)) { -- xmlXPathContextCachePtr cache = (xmlXPathContextCachePtr) ctxt->cache; -- -- if ((cache->stringObjs != NULL) && -- (cache->stringObjs->number != 0)) -- { -- xmlXPathObjectPtr ret; -- -- ret = (xmlXPathObjectPtr) -- cache->stringObjs->items[--cache->stringObjs->number]; -- ret->type = XPATH_STRING; -- if (val != NULL) -- ret->stringval = xmlStrdup(val); -- else -- ret->stringval = xmlStrdup((const xmlChar *)""); --#ifdef XP_DEBUG_OBJ_USAGE -- xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); --#endif -- return(ret); -- } else if ((cache->miscObjs != NULL) && -- (cache->miscObjs->number != 0)) -- { -- xmlXPathObjectPtr ret; -- -- ret = (xmlXPathObjectPtr) -- cache->miscObjs->items[--cache->miscObjs->number]; -- -- ret->type = XPATH_STRING; -- if (val != NULL) -- ret->stringval = xmlStrdup(val); -- else -- ret->stringval = xmlStrdup((const xmlChar *)""); --#ifdef XP_DEBUG_OBJ_USAGE -- xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); --#endif -- return(ret); -- } -- } -- return(xmlXPathNewString(val)); -+ return xmlXPathCacheNewString(ctxt, BAD_CAST val); - } - - /** -@@ -5291,10 +5270,13 @@ xmlXPathNewString(const xmlChar *val) { - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_STRING; -- if (val != NULL) -- ret->stringval = xmlStrdup(val); -- else -- ret->stringval = xmlStrdup((const xmlChar *)""); -+ if (val == NULL) -+ val = BAD_CAST ""; -+ ret->stringval = xmlStrdup(val); -+ if (ret->stringval == NULL) { -+ xmlFree(ret); -+ return(NULL); -+ } - #ifdef XP_DEBUG_OBJ_USAGE - xmlXPathDebugObjUsageRequested(NULL, XPATH_STRING); - #endif -@@ -5340,20 +5322,7 @@ xmlXPathWrapString (xmlChar *val) { - */ - xmlXPathObjectPtr - xmlXPathNewCString(const char *val) { -- xmlXPathObjectPtr ret; -- -- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); -- if (ret == NULL) { -- xmlXPathErrMemory(NULL, "creating string object\n"); -- return(NULL); -- } -- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); -- ret->type = XPATH_STRING; -- ret->stringval = xmlStrdup(BAD_CAST val); --#ifdef XP_DEBUG_OBJ_USAGE -- xmlXPathDebugObjUsageRequested(NULL, XPATH_STRING); --#endif -- return(ret); -+ return(xmlXPathNewString(BAD_CAST val)); - } - - /** -@@ -5427,6 +5396,10 @@ xmlXPathObjectCopy(xmlXPathObjectPtr val) { - break; - case XPATH_STRING: - ret->stringval = xmlStrdup(val->stringval); -+ if (ret->stringval == NULL) { -+ xmlFree(ret); -+ return(NULL); -+ } - break; - case XPATH_XSLT_TREE: - #if 0 --- -2.27.0 - diff --git a/backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch b/backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch deleted file mode 100644 index dadd8514f63b985ad0fcfc55d962639c92e5046a..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 0e4421e793e52e2025297f9252c4dc76b72674c7 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 30 Jan 2023 15:05:58 +0100 -Subject: [PATCH] malloc-fail: Check return value of xmlXPathNodeSetDupNs - -Avoid null deref if allocation fails. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/0e4421e793e52e2025297f9252c4dc76b72674c7 -Conflict:NA ---- - xpath.c | 38 +++++++++++++++++++++++--------------- - 1 file changed, 23 insertions(+), 15 deletions(-) - -diff --git a/xpath.c b/xpath.c -index fe0e1e2..212a4e0 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -3588,10 +3588,13 @@ xmlXPathNodeSetCreate(xmlNodePtr val) { - ret->nodeMax = XML_NODESET_DEFAULT; - if (val->type == XML_NAMESPACE_DECL) { - xmlNsPtr ns = (xmlNsPtr) val; -+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); - -- /* TODO: Check memory error. */ -- ret->nodeTab[ret->nodeNr++] = -- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); -+ if (nsNode == NULL) { -+ xmlXPathFreeNodeSet(ret); -+ return(NULL); -+ } -+ ret->nodeTab[ret->nodeNr++] = nsNode; - } else - ret->nodeTab[ret->nodeNr++] = val; - } -@@ -3648,7 +3651,7 @@ xmlXPathNodeSetContains (xmlNodeSetPtr cur, xmlNodePtr val) { - int - xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) { - int i; -- -+ xmlNodePtr nsNode; - - if ((cur == NULL) || (ns == NULL) || (node == NULL) || - (ns->type != XML_NAMESPACE_DECL) || -@@ -3696,8 +3699,10 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) { - cur->nodeMax *= 2; - cur->nodeTab = temp; - } -- /* TODO: Check memory error. */ -- cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns); -+ nsNode = xmlXPathNodeSetDupNs(node, ns); -+ if(nsNode == NULL) -+ return(-1); -+ cur->nodeTab[cur->nodeNr++] = nsNode; - return(0); - } - -@@ -3754,10 +3759,11 @@ xmlXPathNodeSetAdd(xmlNodeSetPtr cur, xmlNodePtr val) { - } - if (val->type == XML_NAMESPACE_DECL) { - xmlNsPtr ns = (xmlNsPtr) val; -+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); - -- /* TODO: Check memory error. */ -- cur->nodeTab[cur->nodeNr++] = -- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); -+ if (nsNode == NULL) -+ return(-1); -+ cur->nodeTab[cur->nodeNr++] = nsNode; - } else - cur->nodeTab[cur->nodeNr++] = val; - return(0); -@@ -3809,10 +3815,11 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) { - } - if (val->type == XML_NAMESPACE_DECL) { - xmlNsPtr ns = (xmlNsPtr) val; -+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); - -- /* TODO: Check memory error. */ -- cur->nodeTab[cur->nodeNr++] = -- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); -+ if (nsNode == NULL) -+ return(-1); -+ cur->nodeTab[cur->nodeNr++] = nsNode; - } else - cur->nodeTab[cur->nodeNr++] = val; - return(0); -@@ -3926,10 +3933,11 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { - } - if (n2->type == XML_NAMESPACE_DECL) { - xmlNsPtr ns = (xmlNsPtr) n2; -+ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); - -- /* TODO: Check memory error. */ -- val1->nodeTab[val1->nodeNr++] = -- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); -+ if (nsNode == NULL) -+ return(NULL); -+ val1->nodeTab[val1->nodeNr++] = nsNode; - } else - val1->nodeTab[val1->nodeNr++] = n2; - } --- -2.27.0 - diff --git a/backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch b/backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch deleted file mode 100644 index 1e6523710f1997cd5ae6f0e71eae0639bc7b8d20..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch +++ /dev/null @@ -1,66 +0,0 @@ -From c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 23 Jan 2023 10:19:59 +0100 -Subject: [PATCH] malloc-fail: Don't call xmlErrMemory in xmlstring.c - -Functions like xmlStrdup are called in the error handling code -(__xmlRaiseError) which can cause problems like use-after-free or -infinite loops when invoked recursively. - -Calling xmlErrMemory without a context argument isn't helpful anyway. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e -Conflict:xmlstring.c ---- - xmlstring.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/xmlstring.c b/xmlstring.c -index 5a6875f..9709545 100644 ---- a/xmlstring.c -+++ b/xmlstring.c -@@ -45,7 +45,6 @@ xmlStrndup(const xmlChar *cur, int len) { - if ((cur == NULL) || (len < 0)) return(NULL); - ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar)); - if (ret == NULL) { -- xmlErrMemory(NULL, NULL); - return(NULL); - } - memcpy(ret, cur, len * sizeof(xmlChar)); -@@ -90,7 +89,6 @@ xmlCharStrndup(const char *cur, int len) { - if ((cur == NULL) || (len < 0)) return(NULL); - ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar)); - if (ret == NULL) { -- xmlErrMemory(NULL, NULL); - return(NULL); - } - for (i = 0;i < len;i++) { -@@ -465,7 +463,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { - return(NULL); - ret = (xmlChar *) xmlRealloc(cur, ((size_t) size + len + 1) * sizeof(xmlChar)); - if (ret == NULL) { -- xmlErrMemory(NULL, NULL); - return(cur); - } - memcpy(&ret[size], add, len * sizeof(xmlChar)); -@@ -505,7 +502,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { - return(NULL); - ret = (xmlChar *) xmlMalloc(((size_t) size + len + 1) * sizeof(xmlChar)); - if (ret == NULL) { -- xmlErrMemory(NULL, NULL); - return(xmlStrndup(str1, size)); - } - memcpy(ret, str1, size * sizeof(xmlChar)); -@@ -1034,7 +1030,6 @@ xmlEscapeFormatString(xmlChar **msg) - out-of-memory situations. */ - xmlFree(*msg); - *msg = NULL; -- xmlErrMemory(NULL, NULL); - return(NULL); - } - --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch b/backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch deleted file mode 100644 index 05be61a74ee71003ef79dbcd2e42379a2b9c6dfe..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch +++ /dev/null @@ -1,75 +0,0 @@ -From d08fd8306e224c48dedc1a9b549376ae1d4c7f6c Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 17 Feb 2023 15:53:07 +0100 -Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/1743c4c3fc58cf38ecce68db9de51d0f3651e033 -Conflict:xmlregexp.c - ---- - xmlregexp.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/xmlregexp.c b/xmlregexp.c -index 360916f..e7c48a4 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -1681,6 +1681,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - } - inter = ctxt->state; - counter = xmlRegGetCounter(ctxt); -+ if (counter < 0) -+ return(-1); - ctxt->counters[counter].min = atom->min - 1; - ctxt->counters[counter].max = atom->max - 1; - /* count the number of times we see it again */ -@@ -1699,6 +1701,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - * epsilon transition. - */ - counter = xmlRegGetCounter(ctxt); -+ if (counter < 0) -+ return(-1); - ctxt->counters[counter].min = atom->min - 1; - ctxt->counters[counter].max = atom->max - 1; - /* allow a way out based on the count */ -@@ -6025,6 +6029,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - * associate a counter to the transition. - */ - counter = xmlRegGetCounter(am); -+ if (counter < 0) -+ goto error; - am->counters[counter].min = min; - am->counters[counter].max = max; - -@@ -6099,6 +6105,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - * associate a counter to the transition. - */ - counter = xmlRegGetCounter(am); -+ if (counter < 0) -+ goto error; - am->counters[counter].min = min; - am->counters[counter].max = max; - -@@ -6191,6 +6199,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - * associate a counter to the transition. - */ - counter = xmlRegGetCounter(am); -+ if (counter < 0) -+ goto error; - am->counters[counter].min = 1; - am->counters[counter].max = 1; - -@@ -6256,6 +6266,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - * associate a counter to the transition. - */ - counter = xmlRegGetCounter(am); -+ if (counter < 0) -+ goto error; - am->counters[counter].min = 1; - am->counters[counter].max = 1; - --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch b/backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch deleted file mode 100644 index 2390106ecb7cecd5fdb3b9b64c7b765803198220..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 260d6b8d77d11a20a2614eef99e88e68eaca6550 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:10:26 +0100 -Subject: [PATCH] malloc-fail: Fix another memory leak in xmlSchemaBucketCreate - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/260d6b8d77d11a20a2614eef99e88e68eaca6550 -Conflict:NA ---- - xmlschemas.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index fa9d113..06bf664 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -3742,7 +3742,10 @@ xmlSchemaBucketCreate(xmlSchemaParserCtxtPtr pctxt, - return(NULL); - } - } -- xmlSchemaItemListAdd(mainSchema->includes, ret); -+ if (xmlSchemaItemListAdd(mainSchema->includes, ret) < 0) { -+ xmlSchemaBucketFree(ret); -+ return(NULL); -+ } - } - /* - * Add to list of all buckets; this is used for lookup --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch b/backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch deleted file mode 100644 index f937414fe9acbf10da86b3ee40e33725d7966554..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 44ecefc8cc299a66ac21ffec141eb261e92638da Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 20 Mar 2023 15:52:38 +0100 -Subject: [PATCH] malloc-fail: Fix buffer overread after htmlParseScript - -Found by OSS-Fuzz, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/44ecefc8cc299a66ac21ffec141eb261e92638da -Conflict:HTMLparser.c - ---- - HTMLparser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 0cc9824..4f1a3d8 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -3137,6 +3137,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { - htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, - "Invalid char in CDATA 0x%X\n", cur); - } -+ NEXTL(l); - if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) { - buf[nbchar] = 0; - if (ctxt->sax->cdataBlock!= NULL) { -@@ -3149,7 +3150,6 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { - } - nbchar = 0; - } -- NEXTL(l); - GROW; - cur = CUR_CHAR(l); - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch b/backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch deleted file mode 100644 index 8d28f9dc73ae37313985bc15a47c780594d62da0..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 8090e5856465c0b8e26e2a080f4b498f37fa83ab Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 17 Mar 2023 12:27:07 +0100 -Subject: [PATCH] malloc-fail: Fix buffer overread in htmlParseScript - -Found by OSS-Fuzz, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/8090e5856465c0b8e26e2a080f4b498f37fa83ab -Conflict:NA - ---- - HTMLparser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 6c8f180..3682807 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -3145,8 +3145,8 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { - } - nbchar = 0; - } -- GROW; - NEXTL(l); -+ GROW; - cur = CUR_CHAR(l); - } - --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch b/backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch deleted file mode 100644 index b363e6e56d47296754135635055d05235786f12e..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1061537efdf3874c91fd50d18f98c4b8a3518e52 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Mar 2023 22:40:54 +0200 -Subject: [PATCH] malloc-fail: Fix buffer overread with HTML doctype - declarations - -Found by OSS-Fuzz, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/1061537efdf3874c91fd50d18f98c4b8a3518e52 -Conflict:NA - ---- - HTMLparser.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 42d1b29..5e4f289 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -3008,9 +3008,9 @@ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) { - htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, - "Unfinished SystemLiteral\n", NULL, NULL); - } else { -- NEXT; - if (err == 0) - ret = xmlStrndup((BASE_PTR+startPosition), len); -+ NEXT; - } - - return(ret); -@@ -3063,9 +3063,9 @@ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) { - htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, - "Unfinished PubidLiteral\n", NULL, NULL); - } else { -- NEXT; - if (err == 0) - ret = xmlStrndup((BASE_PTR + startPosition), len); -+ NEXT; - } - - return(ret); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch b/backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch deleted file mode 100644 index d1d25b987041694d2dadf6d857dc1b0c8a7bf81e..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 621c222efe87946ad8e53f59e28c782979d340c8 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 30 Jan 2023 15:48:11 +0100 -Subject: [PATCH] malloc-fail: Fix error check in xmlXPathCompareValues - -Avoid null deref. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/621c222efe87946ad8e53f59e28c782979d340c8 -Conflict:NA ---- - xpath.c | 12 ++---------- - 1 file changed, 2 insertions(+), 10 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 77d5434..fcbc7e3 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -7367,21 +7367,13 @@ xmlXPathCompareValues(xmlXPathParserContextPtr ctxt, int inf, int strict) { - valuePush(ctxt, arg1); - xmlXPathNumberFunction(ctxt, 1); - arg1 = valuePop(ctxt); -- } -- if (arg1->type != XPATH_NUMBER) { -- xmlXPathFreeObject(arg1); -- xmlXPathFreeObject(arg2); -- XP_ERROR0(XPATH_INVALID_OPERAND); -+ CHECK_ERROR0; - } - if (arg2->type != XPATH_NUMBER) { - valuePush(ctxt, arg2); - xmlXPathNumberFunction(ctxt, 1); - arg2 = valuePop(ctxt); -- } -- if (arg2->type != XPATH_NUMBER) { -- xmlXPathReleaseObject(ctxt->context, arg1); -- xmlXPathReleaseObject(ctxt->context, arg2); -- XP_ERROR0(XPATH_INVALID_OPERAND); -+ CHECK_ERROR0; - } - /* - * Add tests for infinity and nan --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch b/backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch deleted file mode 100644 index 8092d2d5f897467a888c97fb19310b67c671810c..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 53d1cc98cf08c789087a92fd57da70811abe7d60 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 15:09:32 +0100 -Subject: [PATCH] malloc-fail: Fix error code in htmlParseChunk - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/53d1cc98cf08c789087a92fd57da70811abe7d60 -Conflict:NA ---- - HTMLparser.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 457b2a3..72ede56 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -6276,9 +6276,8 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size, - res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk); - xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); - if (res < 0) { -- ctxt->errNo = XML_PARSER_EOF; -- ctxt->disableSAX = 1; -- return (XML_PARSER_EOF); -+ htmlErrMemory(ctxt, NULL); -+ return (ctxt->errNo); - } - #ifdef DEBUG_PUSH - xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch deleted file mode 100644 index 3d5c32f3144f44930342f77094e8c845745dbb9e..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 04c2955197b53eb106037bc1d422bb80b39abbf6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 14:53:29 +0100 -Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseContentInternal - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/04c2955197b53eb106037bc1d422bb80b39abbf6 -Conflict:NA ---- - HTMLparser.c | 32 ++++++++++++++++++++++++++++++-- - 1 file changed, 30 insertions(+), 2 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 5272c25..f90053a 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -4718,8 +4718,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - int depth; - const xmlChar *name; - -- currentNode = xmlStrdup(ctxt->name); - depth = ctxt->nameNr; -+ if (depth <= 0) { -+ currentNode = NULL; -+ } else { -+ currentNode = xmlStrdup(ctxt->name); -+ if (currentNode == NULL) { -+ htmlErrMemory(ctxt, NULL); -+ return; -+ } -+ } - while (1) { - GROW; - -@@ -4735,8 +4743,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - if (currentNode != NULL) - xmlFree(currentNode); - -- currentNode = xmlStrdup(ctxt->name); - depth = ctxt->nameNr; -+ if (depth <= 0) { -+ currentNode = NULL; -+ } else { -+ currentNode = xmlStrdup(ctxt->name); -+ if (currentNode == NULL) { -+ htmlErrMemory(ctxt, NULL); -+ break; -+ } -+ } - } - continue; /* while */ - } -@@ -4758,6 +4774,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - xmlFree(currentNode); - - currentNode = xmlStrdup(ctxt->name); -+ if (currentNode == NULL) { -+ htmlErrMemory(ctxt, NULL); -+ break; -+ } - depth = ctxt->nameNr; - continue; - } -@@ -4781,6 +4801,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - if (currentNode != NULL) xmlFree(currentNode); - - currentNode = xmlStrdup(ctxt->name); -+ if (currentNode == NULL) { -+ htmlErrMemory(ctxt, NULL); -+ break; -+ } - depth = ctxt->nameNr; - continue; - } -@@ -4829,6 +4853,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { - if (currentNode != NULL) xmlFree(currentNode); - - currentNode = xmlStrdup(ctxt->name); -+ if (currentNode == NULL) { -+ htmlErrMemory(ctxt, NULL); -+ break; -+ } - depth = ctxt->nameNr; - } - else if (CUR == '<') { --- -2.27.0 - - diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch deleted file mode 100644 index 8454ecfcee722eff5bf86318675a5a2d41970e2e..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 15b0ed0815d48ac48c7b95a28b8332a298ed7072 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 15:09:02 +0100 -Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseDocTypeDecl - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/15b0ed0815d48ac48c7b95a28b8332a298ed7072 -Conflict:NA ---- - HTMLparser.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index e02a142..457b2a3 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -3695,7 +3695,8 @@ htmlParseDocTypeDecl(htmlParserCtxtPtr ctxt) { - htmlParseErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, - "DOCTYPE improperly terminated\n", NULL, NULL); - /* Ignore bogus content */ -- while ((CUR != 0) && (CUR != '>')) -+ while ((CUR != 0) && (CUR != '>') && -+ (ctxt->instate != XML_PARSER_EOF)) - NEXT; - } - if (CUR == '>') --- -2.27.0 - - diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch deleted file mode 100644 index ba98aeec013248e8a045232914b96260f58e4034..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 643b4e90ebf619432b0287010b593edd8c0c0f8e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 14:45:06 +0100 -Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseStartTag - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/643b4e90ebf619432b0287010b593edd8c0c0f8e -Conflict:NA ---- - HTMLparser.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 60dea30..0ccd6e8 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -2570,6 +2570,7 @@ static const xmlChar * htmlParseNameComplex(xmlParserCtxtPtr ctxt); - - static const xmlChar * - htmlParseHTMLName(htmlParserCtxtPtr ctxt) { -+ const xmlChar *ret; - int i = 0; - xmlChar loc[HTML_PARSER_BUFFER_SIZE]; - -@@ -2587,7 +2588,11 @@ htmlParseHTMLName(htmlParserCtxtPtr ctxt) { - NEXT; - } - -- return(xmlDictLookup(ctxt->dict, loc, i)); -+ ret = xmlDictLookup(ctxt->dict, loc, i); -+ if (ret == NULL) -+ htmlErrMemory(ctxt, NULL); -+ -+ return(ret); - } - - -@@ -4020,7 +4025,8 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) { - SKIP_BLANKS; - while ((CUR != 0) && - (CUR != '>') && -- ((CUR != '/') || (NXT(1) != '>'))) { -+ ((CUR != '/') || (NXT(1) != '>')) && -+ (ctxt->instate != XML_PARSER_EOF)) { - GROW; - attname = htmlParseAttribute(ctxt, &attvalue); - if (attname != NULL) { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch deleted file mode 100644 index 4013143015588ce221aac7ce5a7fd2aaaf6b7e53..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 0ec9c91064a58ce2932498a55ae63a85f43975f5 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 14:57:24 +0100 -Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseStartTag - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/0ec9c91064a58ce2932498a55ae63a85f43975f5 -Conflict:NA ---- - HTMLparser.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index f90053a..ca551d9 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -4087,7 +4087,8 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) { - * the end of the tag. */ - while ((CUR != 0) && - !(IS_BLANK_CH(CUR)) && (CUR != '>') && -- ((CUR != '/') || (NXT(1) != '>'))) -+ ((CUR != '/') || (NXT(1) != '>')) && -+ (ctxt->instate != XML_PARSER_EOF)) - NEXT; - } - --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch b/backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch deleted file mode 100644 index 56d84a599b1d1ba5f3f29b11b752836d18ecb671..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch +++ /dev/null @@ -1,32 +0,0 @@ -From d1b87856931797c5c527cee16d96e482a45b99ed Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 17:42:09 +0100 -Subject: [PATCH] malloc-fail: Fix infinite loop in xmlParseTextDecl - -Memory errors can set `instate` to `XML_PARSER_EOF` which results in -`NEXT` making no progress. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/d1b87856931797c5c527cee16d96e482a45b99ed -Conflict:NA ---- - parser.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/parser.c b/parser.c -index 9127deb..fafae15 100644 ---- a/parser.c -+++ b/parser.c -@@ -6957,6 +6957,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) { - * We must have the encoding declaration - */ - encoding = xmlParseEncodingDecl(ctxt); -+ if (ctxt->instate == XML_PARSER_EOF) -+ return; - if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { - /* - * The XML REC instructs us to stop parsing right here --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch b/backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch deleted file mode 100644 index f6b4b3dc2156a3230234e195608d18b66aa871c5..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 71e81a4ce7946c43ca61124b142d86066590aeb0 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 16:02:39 +0100 -Subject: [PATCH 08/28] malloc-fail: Fix infinite loop in xmlSkipBlankChars - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/e129c1d1a27abdeaab44f4d59eb0cb5052df7c6f -Conflict: NA ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 443a216..780a8b3 100644 ---- a/parser.c -+++ b/parser.c -@@ -2220,7 +2220,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) { - } else { - int expandPE = ((ctxt->external != 0) || (ctxt->inputNr != 1)); - -- while (1) { -+ while (ctxt->instate != XML_PARSER_EOF) { - if (IS_BLANK_CH(CUR)) { /* CHECKED tstblanks.xml */ - NEXT; - } else if (CUR == '%') { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch b/backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch deleted file mode 100644 index 39be0b0bce4ae5a3b8d12671353b0d682e650def..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch +++ /dev/null @@ -1,31 +0,0 @@ -From d18f9c1102a45b401039dd899ce7069da7a73124 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Feb 2023 13:50:46 +0100 -Subject: [PATCH] malloc-fail: Fix leak of xmlCharEncodingHandler - -Also free handler if its name is NULL. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/d18f9c1102a45b401039dd899ce7069da7a73124 -Conflict:encoding.c - ---- - encoding.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/encoding.c b/encoding.c -index 400e860..8b98f7d 100644 ---- a/encoding.c -+++ b/encoding.c -@@ -2792,7 +2792,6 @@ xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) { - int i, handler_in_list = 0; - - if (handler == NULL) return(-1); -- if (handler->name == NULL) return(-1); - if (handlers != NULL) { - for (i = 0;i < nbCharEncodingHandler; i++) { - if (handler == handlers[i]) { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch b/backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch deleted file mode 100644 index d76459d7f55fa90263d0d4fe11c9b0507526c5aa..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch +++ /dev/null @@ -1,241 +0,0 @@ -From e64653c0e7975594e27d7de2ed4be062c1e4ad03 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 17 Feb 2023 15:20:33 +0100 -Subject: [PATCH] malloc-fail: Fix leak of xmlRegAtom - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/e64653c0e7975594e27d7de2ed4be062c1e4ad03 -Conflict:NA ---- - xmlregexp.c | 81 ++++++++++++++++++++++++++++++++++++----------------- - 1 file changed, 55 insertions(+), 26 deletions(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index 8c2ea81..11c684a 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -1594,9 +1594,6 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - * this is a subexpression handling one should not need to - * create a new node except for XML_REGEXP_QUANT_RANGE. - */ -- if (xmlRegAtomPush(ctxt, atom) < 0) { -- return(-1); -- } - if ((to != NULL) && (atom->stop != to) && - (atom->quant != XML_REGEXP_QUANT_RANGE)) { - /* -@@ -1678,8 +1675,10 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - copy->max = 0; - - if (xmlFAGenerateTransitions(ctxt, atom->start, NULL, copy) -- < 0) -+ < 0) { -+ xmlRegFreeAtom(copy); - return(-1); -+ } - inter = ctxt->state; - counter = xmlRegGetCounter(ctxt); - ctxt->counters[counter].min = atom->min - 1; -@@ -1722,6 +1721,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - default: - break; - } -+ if (xmlRegAtomPush(ctxt, atom) < 0) -+ return(-1); - return(0); - } - if ((atom->min == 0) && (atom->max == 0) && -@@ -1760,9 +1761,6 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - xmlFAGenerateEpsilonTransition(ctxt, tmp, to); - to = tmp; - } -- if (xmlRegAtomPush(ctxt, atom) < 0) { -- return(-1); -- } - if ((atom->quant == XML_REGEXP_QUANT_RANGE) && - (atom->min == 0) && (atom->max > 0)) { - nullable = 1; -@@ -1793,6 +1791,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - default: - break; - } -+ if (xmlRegAtomPush(ctxt, atom) < 0) -+ return(-1); - return(0); - } - -@@ -5447,8 +5447,12 @@ xmlFAParseBranch(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr to) { - xmlFAGenerateEpsilonTransition(ctxt, previous, to); - } else { - if (xmlFAGenerateTransitions(ctxt, previous, -- (CUR=='|' || CUR==')' || CUR==0) ? to : NULL, ctxt->atom) < 0) -+ (CUR=='|' || CUR==')' || CUR==0) ? to : NULL, -+ ctxt->atom) < 0) { -+ xmlRegFreeAtom(ctxt->atom); -+ ctxt->atom = NULL; - return(-1); -+ } - previous = ctxt->state; - ctxt->atom = NULL; - } -@@ -5457,8 +5461,11 @@ xmlFAParseBranch(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr to) { - if (ret != 0) { - if (xmlFAGenerateTransitions(ctxt, previous, - (CUR=='|' || CUR==')' || CUR==0) ? to : NULL, -- ctxt->atom) < 0) -- return(-1); -+ ctxt->atom) < 0) { -+ xmlRegFreeAtom(ctxt->atom); -+ ctxt->atom = NULL; -+ return(-1); -+ } - previous = ctxt->state; - ctxt->atom = NULL; - } -@@ -5990,6 +5997,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - return(NULL); - if ((token2 == NULL) || (*token2 == 0)) { - atom->valuep = xmlStrdup(token); -+ if (atom->valuep == NULL) -+ goto error; - } else { - int lenn, lenp; - xmlChar *str; -@@ -5998,10 +6007,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - lenp = strlen((char *) token); - - str = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); -- if (str == NULL) { -- xmlRegFreeAtom(atom); -- return(NULL); -- } -+ if (str == NULL) -+ goto error; - memcpy(&str[0], token, lenp); - str[lenp] = '|'; - memcpy(&str[lenp + 1], token2, lenn); -@@ -6027,10 +6034,11 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - if (to == NULL) { - to = xmlRegStatePush(am); - if (to == NULL) -- return(NULL); -+ goto error; - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); -- xmlRegAtomPush(am, atom); -+ if (xmlRegAtomPush(am, atom) < 0) -+ goto error; - am->state = to; - - if (to == NULL) -@@ -6040,6 +6048,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - if (min == 0) - xmlFAGenerateEpsilonTransition(am, from, to); - return(to); -+ -+error: -+ xmlRegFreeAtom(atom); -+ return(NULL); - } - - /** -@@ -6076,6 +6088,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - if (atom == NULL) - return(NULL); - atom->valuep = xmlStrdup(token); -+ if (atom->valuep == NULL) -+ goto error; - atom->data = data; - if (min == 0) - atom->min = 1; -@@ -6094,10 +6108,11 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - if (to == NULL) { - to = xmlRegStatePush(am); - if (to == NULL) -- return(NULL); -+ goto error; - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); -- xmlRegAtomPush(am, atom); -+ if (xmlRegAtomPush(am, atom) < 0) -+ goto error; - am->state = to; - - if (to == NULL) -@@ -6107,6 +6122,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - if (min == 0) - xmlFAGenerateEpsilonTransition(am, from, to); - return(to); -+ -+error: -+ xmlRegFreeAtom(atom); -+ return(NULL); - } - - /** -@@ -6147,6 +6166,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - return(NULL); - if ((token2 == NULL) || (*token2 == 0)) { - atom->valuep = xmlStrdup(token); -+ if (atom->valuep == NULL) -+ goto error; - } else { - int lenn, lenp; - xmlChar *str; -@@ -6155,10 +6176,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - lenp = strlen((char *) token); - - str = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); -- if (str == NULL) { -- xmlRegFreeAtom(atom); -- return(NULL); -- } -+ if (str == NULL) -+ goto error; - memcpy(&str[0], token, lenp); - str[lenp] = '|'; - memcpy(&str[lenp + 1], token2, lenn); -@@ -6181,12 +6200,17 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - if (to == NULL) { - to = xmlRegStatePush(am); - if (to == NULL) -- return(NULL); -+ goto error; - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); -- xmlRegAtomPush(am, atom); -+ if (xmlRegAtomPush(am, atom) < 0) -+ goto error; - am->state = to; - return(to); -+ -+error: -+ xmlRegFreeAtom(atom); -+ return(NULL); - } - - -@@ -6241,12 +6265,17 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - if (to == NULL) { - to = xmlRegStatePush(am); - if (to == NULL) -- return(NULL); -+ goto error; - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); -- xmlRegAtomPush(am, atom); -+ if (xmlRegAtomPush(am, atom) < 0) -+ goto error; - am->state = to; - return(to); -+ -+error: -+ xmlRegFreeAtom(atom); -+ return(NULL); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch deleted file mode 100644 index 3fc3db4190978974ea742f5cd3f8a57590f4e7c7..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 85bc313e7996c06d52b6f6f5c6a467ff3a148e75 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 13:49:28 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak after calling valuePush - -Destroy the object in valuePush if the function fails. This is somewhat -dangerous but matches the expectations of users. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/85bc313e7996c06d52b6f6f5c6a467ff3a148e75 -Conflict:NA ---- - xpath.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/xpath.c b/xpath.c -index 7833870..dc99e63 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -2881,6 +2881,8 @@ valuePop(xmlXPathParserContextPtr ctxt) - * a memory error is recorded in the parser context. - * - * Returns the number of items on the value stack, or -1 in case of error. -+ * -+ * The object is destroyed in case of error. - */ - int - valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) -@@ -2899,6 +2901,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) - - if (ctxt->valueMax >= XPATH_MAX_STACK_DEPTH) { - xmlXPathPErrMemory(ctxt, "XPath stack depth limit reached\n"); -+ xmlXPathFreeObject(value); - return (-1); - } - tmp = (xmlXPathObjectPtr *) xmlRealloc(ctxt->valueTab, -@@ -2906,6 +2909,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) - sizeof(ctxt->valueTab[0])); - if (tmp == NULL) { - xmlXPathPErrMemory(ctxt, "pushing value\n"); -+ xmlXPathFreeObject(value); - return (-1); - } - ctxt->valueMax *= 2; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch deleted file mode 100644 index e0e66a2347b63ed9427406d2a155afd56a890fb4..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch +++ /dev/null @@ -1,233 +0,0 @@ -From 8d22e065888942b8c1b5be8994c6887b5a687246 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 14:41:11 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak after calling - xmlXPathNodeSetMerge - -Destroy the first argument in xmlXPathNodeSetMerge if the function -fails. This is somewhat dangerous but matches the expectations of users. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/8d22e065888942b8c1b5be8994c6887b5a687246 -Conflict:xpath.c ---- - xpath.c | 78 +++++++++++++++++++++++++++------------------------------ - 1 file changed, 37 insertions(+), 41 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 9ead497..5a6d762 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -153,6 +153,9 @@ - * any use of the macros IS_ASCII_CHARACTER and IS_ASCII_DIGIT) - */ - -+static void -+xmlXPathNodeSetClear(xmlNodeSetPtr set, int hasNsNodes); -+ - #ifdef XP_OPTIMIZED_NON_ELEM_COMPARISON - /** - * xmlXPathCmpNodesExt: -@@ -3840,6 +3843,8 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) { - * if @val1 is NULL, a new set is created and copied from @val2 - * - * Returns @val1 once extended or NULL in case of error. -+ * -+ * Frees @val1 in case of error. - */ - xmlNodeSetPtr - xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { -@@ -3849,35 +3854,8 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { - if (val2 == NULL) return(val1); - if (val1 == NULL) { - val1 = xmlXPathNodeSetCreate(NULL); -- if (val1 == NULL) -- return (NULL); --#if 0 -- /* -- * TODO: The optimization won't work in every case, since -- * those nasty namespace nodes need to be added with -- * xmlXPathNodeSetDupNs() to the set; thus a pure -- * memcpy is not possible. -- * If there was a flag on the nodesetval, indicating that -- * some temporary nodes are in, that would be helpful. -- */ -- /* -- * Optimization: Create an equally sized node-set -- * and memcpy the content. -- */ -- val1 = xmlXPathNodeSetCreateSize(val2->nodeNr); -- if (val1 == NULL) -- return(NULL); -- if (val2->nodeNr != 0) { -- if (val2->nodeNr == 1) -- *(val1->nodeTab) = *(val2->nodeTab); -- else { -- memcpy(val1->nodeTab, val2->nodeTab, -- val2->nodeNr * sizeof(xmlNodePtr)); -- } -- val1->nodeNr = val2->nodeNr; -- } -- return(val1); --#endif -+ if (val1 == NULL) -+ return (NULL); - } - - /* @@ with_ns to check whether namespace nodes should be looked at @@ */ -@@ -3916,7 +3894,7 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { - sizeof(xmlNodePtr)); - if (val1->nodeTab == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); -- return(NULL); -+ goto error; - } - memset(val1->nodeTab, 0 , - XML_NODESET_DEFAULT * (size_t) sizeof(xmlNodePtr)); -@@ -3926,13 +3904,13 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { - - if (val1->nodeMax >= XPATH_MAX_NODESET_LENGTH) { - xmlXPathErrMemory(NULL, "merging nodeset hit limit\n"); -- return(NULL); -+ goto error; - } - temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 * - sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); -- return(NULL); -+ goto error; - } - val1->nodeTab = temp; - val1->nodeMax *= 2; -@@ -3942,13 +3920,17 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { - xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); - - if (nsNode == NULL) -- return(NULL); -+ goto error; - val1->nodeTab[val1->nodeNr++] = nsNode; - } else - val1->nodeTab[val1->nodeNr++] = n2; - } - - return(val1); -+ -+error: -+ xmlXPathFreeNodeSet(val1); -+ return(NULL); - } - - -@@ -3961,6 +3943,8 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { - * Checks for duplicate nodes. Clears set2. - * - * Returns @set1 once extended or NULL in case of error. -+ * -+ * Frees @set1 in case of error. - */ - static xmlNodeSetPtr - xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) -@@ -3989,7 +3973,6 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) - /* - * Free the namespace node. - */ -- set2->nodeTab[i] = NULL; - xmlXPathNodeSetFreeNs((xmlNsPtr) n2); - goto skip_node; - } -@@ -4003,7 +3986,7 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) - XML_NODESET_DEFAULT * sizeof(xmlNodePtr)); - if (set1->nodeTab == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); -- return(NULL); -+ goto error; - } - memset(set1->nodeTab, 0, - XML_NODESET_DEFAULT * (size_t) sizeof(xmlNodePtr)); -@@ -4013,24 +3996,29 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) - - if (set1->nodeMax >= XPATH_MAX_NODESET_LENGTH) { - xmlXPathErrMemory(NULL, "merging nodeset hit limit\n"); -- return(NULL); -+ goto error; - } - temp = (xmlNodePtr *) xmlRealloc( - set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); -- return(NULL); -+ goto error; - } - set1->nodeTab = temp; - set1->nodeMax *= 2; - } - set1->nodeTab[set1->nodeNr++] = n2; - skip_node: -- {} -+ set2->nodeTab[i] = NULL; - } - } - set2->nodeNr = 0; - return(set1); -+ -+error: -+ xmlXPathFreeNodeSet(set1); -+ xmlXPathNodeSetClear(set2, 1); -+ return(NULL); - } - - /** -@@ -4042,6 +4030,8 @@ skip_node: - * Doesn't check for duplicate nodes. Clears set2. - * - * Returns @set1 once extended or NULL in case of error. -+ * -+ * Frees @set1 in case of error. - */ - static xmlNodeSetPtr - xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2) -@@ -4057,7 +4047,7 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2) - XML_NODESET_DEFAULT * sizeof(xmlNodePtr)); - if (set1->nodeTab == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); -- return(NULL); -+ goto error; - } - memset(set1->nodeTab, 0, - XML_NODESET_DEFAULT * (size_t) sizeof(xmlNodePtr)); -@@ -4067,22 +4057,28 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2) - - if (set1->nodeMax >= XPATH_MAX_NODESET_LENGTH) { - xmlXPathErrMemory(NULL, "merging nodeset hit limit\n"); -- return(NULL); -+ goto error; - } - temp = (xmlNodePtr *) xmlRealloc( - set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); -- return(NULL); -+ goto error; - } - set1->nodeTab = temp; - set1->nodeMax *= 2; - } - set1->nodeTab[set1->nodeNr++] = n2; -+ set2->nodeTab[i] = NULL; - } - } - set2->nodeNr = 0; - return(set1); -+ -+error: -+ xmlXPathFreeNodeSet(set1); -+ xmlXPathNodeSetClear(set2, 1); -+ return(NULL); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch deleted file mode 100644 index 1de414987748dbe37b022f998a7755de4af6d11e..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch +++ /dev/null @@ -1,50 +0,0 @@ -From f5e1174933c65556b5d1c0b3a8f13a27f37a1638 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 13:48:18 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak after calling - xmlXPathWrapNodeSet - -Destroy the node set in xmlXPathWrapNodeSet if the function fails. -This is somewhat dangerous but matches the expectations of users. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/f5e1174933c65556b5d1c0b3a8f13a27f37a1638 -Conflict:xpath.c ---- - xpath.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/xpath.c b/xpath.c -index dc99e63..9ead497 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -2319,6 +2319,8 @@ xmlXPathContextSetCache(xmlXPathContextPtr ctxt, - * Wrap the Nodeset @val in a new xmlXPathObjectPtr - * - * Returns the created or reused object. -+ * -+ * In case of error the node set is destroyed and NULL is returned. - */ - static xmlXPathObjectPtr - xmlXPathCacheWrapNodeSet(xmlXPathContextPtr ctxt, xmlNodeSetPtr val) -@@ -4398,6 +4400,8 @@ xmlXPathNewNodeSetList(xmlNodeSetPtr val) - * Wrap the Nodeset @val in a new xmlXPathObjectPtr - * - * Returns the newly created object. -+ * -+ * In case of error the node set is destroyed and NULL is returned. - */ - xmlXPathObjectPtr - xmlXPathWrapNodeSet(xmlNodeSetPtr val) { -@@ -4406,6 +4410,7 @@ xmlXPathWrapNodeSet(xmlNodeSetPtr val) { - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPathErrMemory(NULL, "creating node set object\n"); -+ xmlXPathFreeNodeSet(val); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch deleted file mode 100644 index 3f1b50bb8dbb415891376bf6129df271010181f3..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d31a0e8e7599bfb691616f7c59ff8d39b982aa55 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 14:47:29 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak after calling xmlXPathWrapString - -Destroy the string in xmlXPathWrapString if the function fails. This is -somewhat dangerous but matches the expectations of users. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/d31a0e8e7599bfb691616f7c59ff8d39b982aa55 -Conflict:xpath.c ---- - xpath.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/xpath.c b/xpath.c -index 5a6d762..cf74030 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -5289,6 +5289,8 @@ xmlXPathNewString(const xmlChar *val) { - * Wraps the @val string into an XPath object. - * - * Returns the newly created object. -+ * -+ * Frees @val in case of error. - */ - xmlXPathObjectPtr - xmlXPathWrapString (xmlChar *val) { -@@ -5297,6 +5299,7 @@ xmlXPathWrapString (xmlChar *val) { - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPathErrMemory(NULL, "creating string object\n"); -+ xmlFree(val); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); --- -2.27.0 - - diff --git a/backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch b/backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch deleted file mode 100644 index 1b21c6bc5f2b03f18a10c62ca7f5037a5fc4fd97..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch +++ /dev/null @@ -1,331 +0,0 @@ -From e60c9f4c4b76da72772bfb6bb1f705e02fbb5324 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 01:00:03 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak after xmlRegNewState - -Invoke xmlRegNewState from xmlRegStatePush to simplify error handling. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/e60c9f4c4b76da72772bfb6bb1f705e02fbb5324 -Conflict:NA ---- - xmlregexp.c | 144 ++++++++++++++++++++++++++-------------------------- - 1 file changed, 71 insertions(+), 73 deletions(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index 657912e..fb2eadc 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -1455,33 +1455,31 @@ xmlRegStateAddTrans(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, - xmlRegStateAddTransTo(ctxt, target, state->no); - } - --static int --xmlRegStatePush(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state) { -- if (state == NULL) return(-1); -- if (ctxt->maxStates == 0) { -- ctxt->maxStates = 4; -- ctxt->states = (xmlRegStatePtr *) xmlMalloc(ctxt->maxStates * -- sizeof(xmlRegStatePtr)); -- if (ctxt->states == NULL) { -- xmlRegexpErrMemory(ctxt, "adding state"); -- ctxt->maxStates = 0; -- return(-1); -- } -- } else if (ctxt->nbStates >= ctxt->maxStates) { -+static xmlRegStatePtr -+xmlRegStatePush(xmlRegParserCtxtPtr ctxt) { -+ xmlRegStatePtr state; -+ -+ if (ctxt->nbStates >= ctxt->maxStates) { -+ size_t newSize = ctxt->maxStates ? ctxt->maxStates * 2 : 4; - xmlRegStatePtr *tmp; -- ctxt->maxStates *= 2; -- tmp = (xmlRegStatePtr *) xmlRealloc(ctxt->states, ctxt->maxStates * -- sizeof(xmlRegStatePtr)); -+ -+ tmp = xmlRealloc(ctxt->states, newSize * sizeof(tmp[0])); - if (tmp == NULL) { - xmlRegexpErrMemory(ctxt, "adding state"); -- ctxt->maxStates /= 2; -- return(-1); -+ return(NULL); - } - ctxt->states = tmp; -+ ctxt->maxStates = newSize; - } -+ -+ state = xmlRegNewState(ctxt); -+ if (state == NULL) -+ return(NULL); -+ - state->no = ctxt->nbStates; - ctxt->states[ctxt->nbStates++] = state; -- return(0); -+ -+ return(state); - } - - /** -@@ -1492,19 +1490,21 @@ xmlRegStatePush(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state) { - * @lax: - * - */ --static void -+static int - xmlFAGenerateAllTransition(xmlRegParserCtxtPtr ctxt, - xmlRegStatePtr from, xmlRegStatePtr to, - int lax) { - if (to == NULL) { -- to = xmlRegNewState(ctxt); -- xmlRegStatePush(ctxt, to); -+ to = xmlRegStatePush(ctxt); -+ if (to == NULL) -+ return(-1); - ctxt->state = to; - } - if (lax) - xmlRegStateAddTrans(ctxt, from, NULL, to, -1, REGEXP_ALL_LAX_COUNTER); - else - xmlRegStateAddTrans(ctxt, from, NULL, to, -1, REGEXP_ALL_COUNTER); -+ return(0); - } - - /** -@@ -1514,15 +1514,17 @@ xmlFAGenerateAllTransition(xmlRegParserCtxtPtr ctxt, - * @to: the target state or NULL for building a new one - * - */ --static void -+static int - xmlFAGenerateEpsilonTransition(xmlRegParserCtxtPtr ctxt, - xmlRegStatePtr from, xmlRegStatePtr to) { - if (to == NULL) { -- to = xmlRegNewState(ctxt); -- xmlRegStatePush(ctxt, to); -+ to = xmlRegStatePush(ctxt); -+ if (to == NULL) -+ return(-1); - ctxt->state = to; - } - xmlRegStateAddTrans(ctxt, from, NULL, to, -1, -1); -+ return(0); - } - - /** -@@ -1533,15 +1535,17 @@ xmlFAGenerateEpsilonTransition(xmlRegParserCtxtPtr ctxt, - * counter: the counter for that transition - * - */ --static void -+static int - xmlFAGenerateCountedEpsilonTransition(xmlRegParserCtxtPtr ctxt, - xmlRegStatePtr from, xmlRegStatePtr to, int counter) { - if (to == NULL) { -- to = xmlRegNewState(ctxt); -- xmlRegStatePush(ctxt, to); -+ to = xmlRegStatePush(ctxt); -+ if (to == NULL) -+ return(-1); - ctxt->state = to; - } - xmlRegStateAddTrans(ctxt, from, NULL, to, counter, -1); -+ return(0); - } - - /** -@@ -1552,15 +1556,17 @@ xmlFAGenerateCountedEpsilonTransition(xmlRegParserCtxtPtr ctxt, - * counter: the counter for that transition - * - */ --static void -+static int - xmlFAGenerateCountedTransition(xmlRegParserCtxtPtr ctxt, - xmlRegStatePtr from, xmlRegStatePtr to, int counter) { - if (to == NULL) { -- to = xmlRegNewState(ctxt); -- xmlRegStatePush(ctxt, to); -+ to = xmlRegStatePush(ctxt); -+ if (to == NULL) -+ return(-1); - ctxt->state = to; - } - xmlRegStateAddTrans(ctxt, from, NULL, to, -1, counter); -+ return(0); - } - - /** -@@ -1599,8 +1605,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - #ifdef DV - } else if ((to == NULL) && (atom->quant != XML_REGEXP_QUANT_RANGE) && - (atom->quant != XML_REGEXP_QUANT_ONCE)) { -- to = xmlRegNewState(ctxt); -- xmlRegStatePush(ctxt, to); -+ to = xmlRegStatePush(ctxt, to); -+ if (to == NULL) -+ return(-1); - ctxt->state = to; - xmlFAGenerateEpsilonTransition(ctxt, atom->stop, to); - #endif -@@ -1640,8 +1647,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - if (to != NULL) { - newstate = to; - } else { -- newstate = xmlRegNewState(ctxt); -- xmlRegStatePush(ctxt, newstate); -+ newstate = xmlRegStatePush(ctxt); -+ if (newstate == NULL) -+ return(-1); - } - - /* -@@ -1721,12 +1729,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - * we can discard the atom and generate an epsilon transition instead - */ - if (to == NULL) { -- to = xmlRegNewState(ctxt); -- if (to != NULL) -- xmlRegStatePush(ctxt, to); -- else { -+ to = xmlRegStatePush(ctxt); -+ if (to == NULL) - return(-1); -- } - } - xmlFAGenerateEpsilonTransition(ctxt, from, to); - ctxt->state = to; -@@ -1734,12 +1739,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - return(0); - } - if (to == NULL) { -- to = xmlRegNewState(ctxt); -- if (to != NULL) -- xmlRegStatePush(ctxt, to); -- else { -+ to = xmlRegStatePush(ctxt); -+ if (to == NULL) - return(-1); -- } - } - end = to; - if ((atom->quant == XML_REGEXP_QUANT_MULT) || -@@ -1751,12 +1753,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, - */ - xmlRegStatePtr tmp; - -- tmp = xmlRegNewState(ctxt); -- if (tmp != NULL) -- xmlRegStatePush(ctxt, tmp); -- else { -+ tmp = xmlRegStatePush(ctxt); -+ if (tmp == NULL) - return(-1); -- } - xmlFAGenerateEpsilonTransition(ctxt, tmp, to); - to = tmp; - } -@@ -5562,9 +5561,11 @@ xmlRegexpCompile(const xmlChar *regexp) { - return(NULL); - - /* initialize the parser */ -+ ctxt->state = xmlRegStatePush(ctxt); -+ if (ctxt->state == NULL) -+ return(NULL); -+ ctxt->start = ctxt->state; - ctxt->end = NULL; -- ctxt->start = ctxt->state = xmlRegNewState(ctxt); -- xmlRegStatePush(ctxt, ctxt->start); - - /* parse the expression building an automata */ - xmlFAParseRegExp(ctxt, 1); -@@ -5712,18 +5713,15 @@ xmlNewAutomata(void) { - return(NULL); - - /* initialize the parser */ -- ctxt->end = NULL; -- ctxt->start = ctxt->state = xmlRegNewState(ctxt); -- if (ctxt->start == NULL) { -+ ctxt->state = xmlRegStatePush(ctxt); -+ if (ctxt->state == NULL) { - xmlFreeAutomata(ctxt); - return(NULL); - } -+ ctxt->start = ctxt->state; -+ ctxt->end = NULL; -+ - ctxt->start->type = XML_REGEXP_START_STATE; -- if (xmlRegStatePush(ctxt, ctxt->start) < 0) { -- xmlRegFreeState(ctxt->start); -- xmlFreeAutomata(ctxt); -- return(NULL); -- } - ctxt->flags = 0; - - return(ctxt); -@@ -6021,8 +6019,9 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - - /* xmlFAGenerateTransitions(am, from, to, atom); */ - if (to == NULL) { -- to = xmlRegNewState(am); -- xmlRegStatePush(am, to); -+ to = xmlRegStatePush(am); -+ if (to == NULL) -+ return(NULL); - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); - xmlRegAtomPush(am, atom); -@@ -6087,8 +6086,9 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - - /* xmlFAGenerateTransitions(am, from, to, atom); */ - if (to == NULL) { -- to = xmlRegNewState(am); -- xmlRegStatePush(am, to); -+ to = xmlRegStatePush(am); -+ if (to == NULL) -+ return(NULL); - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); - xmlRegAtomPush(am, atom); -@@ -6173,8 +6173,9 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, - - /* xmlFAGenerateTransitions(am, from, to, atom); */ - if (to == NULL) { -- to = xmlRegNewState(am); -- xmlRegStatePush(am, to); -+ to = xmlRegStatePush(am); -+ if (to == NULL) -+ return(NULL); - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); - xmlRegAtomPush(am, atom); -@@ -6232,8 +6233,9 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - - /* xmlFAGenerateTransitions(am, from, to, atom); */ - if (to == NULL) { -- to = xmlRegNewState(am); -- xmlRegStatePush(am, to); -+ to = xmlRegStatePush(am); -+ if (to == NULL) -+ return(NULL); - } - xmlRegStateAddTrans(am, from, atom, to, counter, -1); - xmlRegAtomPush(am, atom); -@@ -6251,13 +6253,9 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, - */ - xmlAutomataStatePtr - xmlAutomataNewState(xmlAutomataPtr am) { -- xmlAutomataStatePtr to; -- - if (am == NULL) - return(NULL); -- to = xmlRegNewState(am); -- xmlRegStatePush(am, to); -- return(to); -+ return(xmlRegStatePush(am)); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch b/backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch deleted file mode 100644 index 18477406a762fadf7645d219da915537c696e5dc..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9afb6c5fb86a0dca167b6ae60aa05211a25e435f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:09:49 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in WXS_ADD_{LOCAL,GLOBAL} - -It's somewhat dangerous to add the cleanup code to a macro, but -otherwise we'd have to fix all the call sites. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/9afb6c5fb86a0dca167b6ae60aa05211a25e435f -Conflict:NA ---- - xmlschemas.c | 17 +++++++++++++---- - 1 file changed, 13 insertions(+), 4 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 5b93937..724920b 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -305,10 +305,20 @@ static const xmlChar *xmlNamespaceNs = (const xmlChar *) - #define WXS_SCHEMA(ctx) (ctx)->schema - - #define WXS_ADD_LOCAL(ctx, item) \ -- xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->locals), 10, item) -+ do { \ -+ if (xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->locals), 10, item) < 0) { \ -+ xmlFree(item); \ -+ item = NULL; \ -+ } \ -+ } while (0) - - #define WXS_ADD_GLOBAL(ctx, item) \ -- xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->globals), 5, item) -+ do { \ -+ if (xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->globals), 5, item) < 0) { \ -+ xmlFree(item); \ -+ item = NULL; \ -+ } \ -+ } while (0) - - #define WXS_ADD_PENDING(ctx, item) \ - xmlSchemaAddItemSize(&((ctx)->constructor->pending), 10, item) -@@ -3764,8 +3774,7 @@ xmlSchemaAddItemSize(xmlSchemaItemListPtr *list, int initialSize, void *item) - if (*list == NULL) - return(-1); - } -- xmlSchemaItemListAddSize(*list, initialSize, item); -- return(0); -+ return(xmlSchemaItemListAddSize(*list, initialSize, item)); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch b/backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch deleted file mode 100644 index 1baad07fde5c456fcda97023a60a26d3972c44a8..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch +++ /dev/null @@ -1,31 +0,0 @@ -From fc256953d29698ba5918c32d14fc69ea69d7e64e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 14:47:41 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in htmlCreateMemoryParserCtxt - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/fc256953d29698ba5918c32d14fc69ea69d7e64e -Conflict:NA ---- - HTMLparser.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 0ccd6e8..7ea2e62 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -5191,7 +5191,10 @@ htmlCreateMemoryParserCtxt(const char *buffer, int size) { - return(NULL); - - buf = xmlParserInputBufferCreateMem(buffer, size, XML_CHAR_ENCODING_NONE); -- if (buf == NULL) return(NULL); -+ if (buf == NULL) { -+ xmlFreeParserCtxt(ctxt); -+ return(NULL); -+ } - - input = xmlNewInputStream(ctxt); - if (input == NULL) { --- -2.27.0 diff --git a/backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch b/backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch deleted file mode 100644 index f9bec23a439d79375b014d83e357c40cbfd1ce6c..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch +++ /dev/null @@ -1,28 +0,0 @@ -From f3e62035d8b80a6dba92639f2470f02258822a0a Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 14:49:06 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in htmlCreatePushParserCtxt - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/f3e62035d8b80a6dba92639f2470f02258822a0a -Conflict:NA ---- - HTMLparser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 7ea2e62..5272c25 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -6355,7 +6355,7 @@ htmlCreatePushParserCtxt(htmlSAXHandlerPtr sax, void *user_data, - inputStream = htmlNewInputStream(ctxt); - if (inputStream == NULL) { - xmlFreeParserCtxt(ctxt); -- xmlFree(buf); -+ xmlFreeParserInputBuffer(buf); - return(NULL); - } - --- -2.27.0 diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch deleted file mode 100644 index 3699fb7135d01f558febd84b69432415174e686c..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch +++ /dev/null @@ -1,31 +0,0 @@ -From dbc893f5885cf60f9ebed89c363ff810bde3ebb5 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 3 Mar 2023 13:02:11 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlCopyNamespaceList - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/dbc893f5885cf60f9ebed89c363ff810bde3ebb5 -Conflict:NA ---- - tree.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/tree.c b/tree.c -index 4a80e28..14d5247 100644 ---- a/tree.c -+++ b/tree.c -@@ -4046,6 +4046,10 @@ xmlCopyNamespaceList(xmlNsPtr cur) { - - while (cur != NULL) { - q = xmlCopyNamespace(cur); -+ if (q == NULL) { -+ xmlFreeNsList(ret); -+ return(NULL); -+ } - if (p == NULL) { - ret = p = q; - } else { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch deleted file mode 100644 index 4282a12fe04abbaaeebbf6c7667158a38d9f225e..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch +++ /dev/null @@ -1,32 +0,0 @@ -From bc7740b3c30e1517dcf53a084766c74d25db222f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 11:45:58 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlCopyPropList - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/bc7740b3c30e1517dcf53a084766c74d25db222f -Conflict:NA ---- - tree.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/tree.c b/tree.c -index ac156e1..35bd948 100644 ---- a/tree.c -+++ b/tree.c -@@ -4190,8 +4190,10 @@ xmlCopyPropList(xmlNodePtr target, xmlAttrPtr cur) { - return(NULL); - while (cur != NULL) { - q = xmlCopyProp(target, cur); -- if (q == NULL) -+ if (q == NULL) { -+ xmlFreePropList(ret); - return(NULL); -+ } - if (p == NULL) { - ret = p = q; - } else { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch deleted file mode 100644 index e7bc8d4e989c27d5725abef67395dc67bc3f6fe2..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 7de8005c52c1fc4289b737c8d12c0c4efd72b605 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 15:46:11 +0100 -Subject: [PATCH 04/28] malloc-fail: Fix memory leak in xmlCreatePushParserCtxt - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/865e142c4188d892705a62f9ce9df896e7b4543d -Conflict: NA ---- - parser.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/parser.c b/parser.c -index 23b031d..443a216 100644 ---- a/parser.c -+++ b/parser.c -@@ -12508,6 +12508,7 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, - inputStream->filename = (char *) - xmlCanonicPath((const xmlChar *) filename); - if (inputStream->filename == NULL) { -+ xmlFreeInputStream(inputStream); - xmlFreeParserCtxt(ctxt); - xmlFreeParserInputBuffer(buf); - return(NULL); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch deleted file mode 100644 index 4a4c347ec5640c2028f84b2841b4ac973ea01f38..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch +++ /dev/null @@ -1,29 +0,0 @@ -From c82701ff0b24bc56c6814e690198599cfc8c273a Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Feb 2023 15:13:06 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlDocDumpFormatMemoryEnc - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/c82701ff0b24bc56c6814e690198599cfc8c273a -Conflict:NA ---- - xmlsave.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/xmlsave.c b/xmlsave.c -index 489505f..90e1856 100644 ---- a/xmlsave.c -+++ b/xmlsave.c -@@ -2402,6 +2402,7 @@ xmlDocDumpFormatMemoryEnc(xmlDocPtr out_doc, xmlChar **doc_txt_ptr, - - if ((out_buff = xmlAllocOutputBuffer(conv_hdlr)) == NULL ) { - xmlSaveErrMemory("creating buffer"); -+ xmlCharEncCloseFunc(conv_hdlr); - return; - } - --- -2.27.0 - - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch deleted file mode 100644 index 2898b95b0c551d0f3179b1223024bd0459dd038f..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 40bc1c699a7999626d3384be43684f2a68dad6c4 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 17 Feb 2023 15:40:32 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlFAParseCharProp - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/40bc1c699a7999626d3384be43684f2a68dad6c4 -Conflict:NA ---- - xmlregexp.c | 26 ++++++++++++++++---------- - 1 file changed, 16 insertions(+), 10 deletions(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index fb2eadc..8c2ea81 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -1245,7 +1245,7 @@ xmlRegPrintCtxt(FILE *output, xmlRegParserCtxtPtr ctxt) { - * * - ************************************************************************/ - --static void -+static xmlRegRangePtr - xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, - int neg, xmlRegAtomType type, int start, int end, - xmlChar *blockName) { -@@ -1253,11 +1253,11 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, - - if (atom == NULL) { - ERROR("add range: atom is NULL"); -- return; -+ return(NULL); - } - if (atom->type != XML_REGEXP_RANGES) { - ERROR("add range: atom is not ranges"); -- return; -+ return(NULL); - } - if (atom->maxRanges == 0) { - atom->maxRanges = 4; -@@ -1266,7 +1266,7 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, - if (atom->ranges == NULL) { - xmlRegexpErrMemory(ctxt, "adding ranges"); - atom->maxRanges = 0; -- return; -+ return(NULL); - } - } else if (atom->nbRanges >= atom->maxRanges) { - xmlRegRangePtr *tmp; -@@ -1276,16 +1276,17 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, - if (tmp == NULL) { - xmlRegexpErrMemory(ctxt, "adding ranges"); - atom->maxRanges /= 2; -- return; -+ return(NULL); - } - atom->ranges = tmp; - } - range = xmlRegNewRange(ctxt, neg, type, start, end); - if (range == NULL) -- return; -+ return(NULL); - range->blockName = blockName; - atom->ranges[atom->nbRanges++] = range; - -+ return(range); - } - - static int -@@ -4899,11 +4900,16 @@ xmlFAParseCharProp(xmlRegParserCtxtPtr ctxt) { - } - if (ctxt->atom == NULL) { - ctxt->atom = xmlRegNewAtom(ctxt, type); -- if (ctxt->atom != NULL) -- ctxt->atom->valuep = blockName; -+ if (ctxt->atom == NULL) { -+ xmlFree(blockName); -+ return; -+ } -+ ctxt->atom->valuep = blockName; - } else if (ctxt->atom->type == XML_REGEXP_RANGES) { -- xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, -- type, 0, 0, blockName); -+ if (xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, -+ type, 0, 0, blockName) == NULL) { -+ xmlFree(blockName); -+ } - } - } - --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch deleted file mode 100644 index d08e53e4ce6da22fac0f869a6ea9b0537aca33cc..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 9fa1b228a5d60fab92a79c6c01c39e37454da1b3 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Feb 2023 16:43:35 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlGetDtdElementDesc2 - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/9fa1b228a5d60fab92a79c6c01c39e37454da1b3 -Conflict:valid.c - ---- - valid.c | 23 +++++++++++++++-------- - 1 file changed, 15 insertions(+), 8 deletions(-) - -diff --git a/valid.c b/valid.c -index ed3c850..b7b92fe 100644 ---- a/valid.c -+++ b/valid.c -@@ -26,8 +26,9 @@ - #include - #include - --static xmlElementPtr xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, -- int create); -+static xmlElementPtr -+xmlGetDtdElementDesc2(xmlValidCtxtPtr ctxt, xmlDtdPtr dtd, const xmlChar *name, -+ int create); - /* #define DEBUG_VALID_ALGO */ - /* #define DEBUG_REGEXP_ALGO */ - -@@ -2135,7 +2136,7 @@ xmlAddAttributeDecl(xmlValidCtxtPtr ctxt, - * Validity Check: - * Multiple ID per element - */ -- elemDef = xmlGetDtdElementDesc2(dtd, elem, 1); -+ elemDef = xmlGetDtdElementDesc2(ctxt, dtd, elem, 1); - if (elemDef != NULL) { - - #ifdef LIBXML_VALID_ENABLED -@@ -3295,7 +3296,8 @@ xmlGetDtdElementDesc(xmlDtdPtr dtd, const xmlChar *name) { - */ - - static xmlElementPtr --xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { -+xmlGetDtdElementDesc2(xmlValidCtxtPtr ctxt, xmlDtdPtr dtd, const xmlChar *name, -+ int create) { - xmlElementTablePtr table; - xmlElementPtr cur; - xmlChar *uqname = NULL, *prefix = NULL; -@@ -3318,7 +3320,7 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { - dtd->elements = (void *) table; - } - if (table == NULL) { -- xmlVErrMemory(NULL, "element table allocation failed"); -+ xmlVErrMemory(ctxt, "element table allocation failed"); - return(NULL); - } - } -@@ -3331,8 +3333,8 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { - if ((cur == NULL) && (create)) { - cur = (xmlElementPtr) xmlMalloc(sizeof(xmlElement)); - if (cur == NULL) { -- xmlVErrMemory(NULL, "malloc failed"); -- return(NULL); -+ xmlVErrMemory(ctxt, "malloc failed"); -+ goto error; - } - memset(cur, 0, sizeof(xmlElement)); - cur->type = XML_ELEMENT_DECL; -@@ -3344,8 +3346,13 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { - cur->prefix = xmlStrdup(prefix); - cur->etype = XML_ELEMENT_TYPE_UNDEFINED; - -- xmlHashAddEntry2(table, name, prefix, cur); -+ if (xmlHashAddEntry2(table, name, prefix, cur) < 0) { -+ xmlVErrMemory(ctxt, "adding entry failed"); -+ xmlFreeElement(cur); -+ cur = NULL; -+ } - } -+error: - if (prefix != NULL) xmlFree(prefix); - if (uqname != NULL) xmlFree(uqname); - return(cur); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch deleted file mode 100644 index ba6eeb62b66d9ee6e7aca66ef077c0acaad16ca2..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch +++ /dev/null @@ -1,70 +0,0 @@ -From a442d16a5fe61626f00f33abe547da9379a37d89 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Feb 2023 14:48:23 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlGetNsList - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/a442d16a5fe61626f00f33abe547da9379a37d89 -Conflict:NA ---- - tree.c | 25 +++++++++---------------- - 1 file changed, 9 insertions(+), 16 deletions(-) - -diff --git a/tree.c b/tree.c -index 35bd948..4a80e28 100644 ---- a/tree.c -+++ b/tree.c -@@ -5971,7 +5971,7 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node) - xmlNsPtr cur; - xmlNsPtr *ret = NULL; - int nbns = 0; -- int maxns = 10; -+ int maxns = 0; - int i; - - if ((node == NULL) || (node->type == XML_NAMESPACE_DECL)) -@@ -5981,16 +5981,6 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node) - if (node->type == XML_ELEMENT_NODE) { - cur = node->nsDef; - while (cur != NULL) { -- if (ret == NULL) { -- ret = -- (xmlNsPtr *) xmlMalloc((maxns + 1) * -- sizeof(xmlNsPtr)); -- if (ret == NULL) { -- xmlTreeErrMemory("getting namespace list"); -- return (NULL); -- } -- ret[nbns] = NULL; -- } - for (i = 0; i < nbns; i++) { - if ((cur->prefix == ret[i]->prefix) || - (xmlStrEqual(cur->prefix, ret[i]->prefix))) -@@ -5998,15 +5988,18 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node) - } - if (i >= nbns) { - if (nbns >= maxns) { -- maxns *= 2; -- ret = (xmlNsPtr *) xmlRealloc(ret, -- (maxns + -- 1) * -+ xmlNsPtr *tmp; -+ -+ maxns = maxns ? maxns * 2 : 10; -+ tmp = (xmlNsPtr *) xmlRealloc(ret, -+ (maxns + 1) * - sizeof(xmlNsPtr)); -- if (ret == NULL) { -+ if (tmp == NULL) { - xmlTreeErrMemory("getting namespace list"); -+ xmlFree(ret); - return (NULL); - } -+ ret = tmp; - } - ret[nbns++] = cur; - ret[nbns] = NULL; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch deleted file mode 100644 index df38268ffb75272780896c77986f03612e383cb1..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch +++ /dev/null @@ -1,32 +0,0 @@ -From ec471ee3202d4434b695e652e1fd5e0dfc592d1b Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 15:58:31 +0100 -Subject: [PATCH 07/28] malloc-fail: Fix memory leak in xmlNewDocNodeEatName - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/dd50cfeb61c4f74ffc1dca1e818e01cf478e366d -Conflict: NA ---- - tree.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/tree.c b/tree.c -index 6a8c2ea..bb85220 100644 ---- a/tree.c -+++ b/tree.c -@@ -2385,8 +2385,9 @@ xmlNewDocNodeEatName(xmlDocPtr doc, xmlNsPtr ns, - } - } else { - /* if name don't come from the doc dictionary free it here */ -- if ((name != NULL) && (doc != NULL) && -- (!(xmlDictOwns(doc->dict, name)))) -+ if ((name != NULL) && -+ ((doc == NULL) || (doc->dict == NULL) || -+ (!(xmlDictOwns(doc->dict, name))))) - xmlFree(name); - } - return(cur); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch deleted file mode 100644 index 22a2f97a05fe22826d0d1c173f8791aad40b32b2..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch +++ /dev/null @@ -1,39 +0,0 @@ -From dee436cd010d7144730526914193bd9fe6c74821 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 15:53:52 +0100 -Subject: [PATCH 06/28] malloc-fail: Fix memory leak in xmlNewPropInternal - -Also fixes a memory leak if called with a non-element node. - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/fa361de0b759f045c5f6f7f9c09a133abcc074c9 -Conflict: NA ---- - tree.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/tree.c b/tree.c -index b32561d..6a8c2ea 100644 ---- a/tree.c -+++ b/tree.c -@@ -1866,7 +1866,7 @@ xmlNewPropInternal(xmlNodePtr node, xmlNsPtr ns, - - if ((node != NULL) && (node->type != XML_ELEMENT_NODE)) { - if ((eatname == 1) && -- ((node->doc == NULL) || -+ ((node->doc == NULL) || (node->doc->dict == NULL) || - (!(xmlDictOwns(node->doc->dict, name))))) - xmlFree((xmlChar *) name); - return (NULL); -@@ -1879,6 +1879,7 @@ xmlNewPropInternal(xmlNodePtr node, xmlNsPtr ns, - if (cur == NULL) { - if ((eatname == 1) && - ((node == NULL) || (node->doc == NULL) || -+ (node->doc->dict == NULL) || - (!(xmlDictOwns(node->doc->dict, name))))) - xmlFree((xmlChar *) name); - xmlTreeErrMemory("building attribute"); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch deleted file mode 100644 index c444997ccfd8f45b305882f94dcbb7bfbd37cb43..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f8852184a111f6c4abb38ea3d2b2b91f45347a7a Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Feb 2023 13:03:13 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlParseEntityDecl - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/f8852184a111f6c4abb38ea3d2b2b91f45347a7a -Conflict:NA ---- - parser.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/parser.c b/parser.c -index 3aea3e2..37d7dec 100644 ---- a/parser.c -+++ b/parser.c -@@ -5518,7 +5518,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { - ctxt->myDoc = xmlNewDoc(SAX_COMPAT_MODE); - if (ctxt->myDoc == NULL) { - xmlErrMemory(ctxt, "New Doc failed"); -- return; -+ goto done; - } - ctxt->myDoc->properties = XML_DOC_INTERNAL; - } -@@ -5589,7 +5589,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { - ctxt->myDoc = xmlNewDoc(SAX_COMPAT_MODE); - if (ctxt->myDoc == NULL) { - xmlErrMemory(ctxt, "New Doc failed"); -- return; -+ goto done; - } - ctxt->myDoc->properties = XML_DOC_INTERNAL; - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch deleted file mode 100644 index bebb645983fdc594224b7e1e2b6769340b137382..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 33264f08a089667a6b69f9ba019e8c3f0bb36d39 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 16:11:00 +0100 -Subject: [PATCH 10/28] malloc-fail: Fix memory leak in xmlParseReference - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/afc7e3a7f41e2e29ac36d4d7cbd0c0755558fa5d -Conflict: NA ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 780a8b3..334a0aa 100644 ---- a/parser.c -+++ b/parser.c -@@ -7463,8 +7463,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { - firstChild = cur; - } - xmlAddChild((xmlNodePtr) ent, nw); -- xmlAddChild(ctxt->node, cur); - } -+ xmlAddChild(ctxt->node, cur); - if (cur == last) - break; - cur = next; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch deleted file mode 100644 index 2747ed5ea17ba834ccc0640833dcffbcccf90faf..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 97086fd76b21fee6e41c13921c450411442d9da6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Feb 2023 14:45:58 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlParserInputBufferCreateMem - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/97086fd76b21fee6e41c13921c450411442d9da6 -Conflict:NA ---- - xmlIO.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xmlIO.c b/xmlIO.c -index 71c9fbf..edf31e8 100644 ---- a/xmlIO.c -+++ b/xmlIO.c -@@ -2953,7 +2953,7 @@ xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) { - ret->closecallback = NULL; - errcode = xmlBufAdd(ret->buffer, (const xmlChar *) mem, size); - if (errcode != 0) { -- xmlFree(ret); -+ xmlFreeParserInputBuffer(ret); - return(NULL); - } - } --- -2.27.0 - - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch deleted file mode 100644 index f9fb5512b4af85e65352bca24859949271c5f948..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch +++ /dev/null @@ -1,67 +0,0 @@ -From ed615967dfeba615218826bb4ef0c87877cb53cd Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 17 Feb 2023 15:23:42 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlRegexpCompile - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/ed615967dfeba615218826bb4ef0c87877cb53cd -Conflict:NA ---- - xmlregexp.c | 18 ++++++++---------- - 1 file changed, 8 insertions(+), 10 deletions(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index 11c684a..360916f 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -5566,7 +5566,7 @@ xmlRegexpPrint(FILE *output, xmlRegexpPtr regexp) { - */ - xmlRegexpPtr - xmlRegexpCompile(const xmlChar *regexp) { -- xmlRegexpPtr ret; -+ xmlRegexpPtr ret = NULL; - xmlRegParserCtxtPtr ctxt; - - ctxt = xmlRegNewParserCtxt(regexp); -@@ -5576,7 +5576,7 @@ xmlRegexpCompile(const xmlChar *regexp) { - /* initialize the parser */ - ctxt->state = xmlRegStatePush(ctxt); - if (ctxt->state == NULL) -- return(NULL); -+ goto error; - ctxt->start = ctxt->state; - ctxt->end = NULL; - -@@ -5585,10 +5585,8 @@ xmlRegexpCompile(const xmlChar *regexp) { - if (CUR != 0) { - ERROR("xmlFAParseRegExp: extra characters"); - } -- if (ctxt->error != 0) { -- xmlRegFreeParserCtxt(ctxt); -- return(NULL); -- } -+ if (ctxt->error != 0) -+ goto error; - ctxt->end = ctxt->state; - ctxt->start->type = XML_REGEXP_START_STATE; - ctxt->end->type = XML_REGEXP_FINAL_STATE; -@@ -5597,11 +5595,11 @@ xmlRegexpCompile(const xmlChar *regexp) { - xmlFAEliminateEpsilonTransitions(ctxt); - - -- if (ctxt->error != 0) { -- xmlRegFreeParserCtxt(ctxt); -- return(NULL); -- } -+ if (ctxt->error != 0) -+ goto error; - ret = xmlRegEpxFromParse(ctxt); -+ -+error: - xmlRegFreeParserCtxt(ctxt); - return(ret); - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch deleted file mode 100644 index d581b50cc45b234a24bd0156592be07f52b1ce27..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 1a90087543485763d8e6124a1818e10637e512ae Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 16:05:05 +0100 -Subject: [PATCH 09/28] malloc-fail: Fix memory leak in xmlSAX2ExternalSubset - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/7ceaee9430ca24bda7f2480f387dbebfc259002a -Conflict: NA ---- - SAX2.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/SAX2.c b/SAX2.c -index 9801393..96bbcb3 100644 ---- a/SAX2.c -+++ b/SAX2.c -@@ -436,6 +436,7 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name, - xmlMalloc(5 * sizeof(xmlParserInputPtr)); - if (ctxt->inputTab == NULL) { - xmlSAX2ErrMemory(ctxt, "xmlSAX2ExternalSubset"); -+ xmlFreeInputStream(input); - ctxt->input = oldinput; - ctxt->inputNr = oldinputNr; - ctxt->inputMax = oldinputMax; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch deleted file mode 100644 index 7e6f360760dfa3568e7632a09b138eb8bed46bf9..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch +++ /dev/null @@ -1,28 +0,0 @@ -From cb4334b7abf265f55d1a41f435fedd67494eeb18 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Feb 2023 18:10:14 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlSAX2StartElementNs - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/cb4334b7abf265f55d1a41f435fedd67494eeb18 -Conflict:NA ---- - SAX2.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/SAX2.c b/SAX2.c -index 2426e93..916e974 100644 ---- a/SAX2.c -+++ b/SAX2.c -@@ -2242,6 +2242,7 @@ xmlSAX2StartElementNs(void *ctx, - ret->name = lname; - if (ret->name == NULL) { - xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElementNs"); -+ xmlFree(ret); - return; - } - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch deleted file mode 100644 index e81ed3e8713db0cafc3ee816e0cbf941cebde476..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch +++ /dev/null @@ -1,35 +0,0 @@ -From a5787229e5c53d522364cd68397cdc61094ac51a Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:09:34 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaBucketCreate - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/260d6b8d77d11a20a2614eef99e88e68eaca6550 -Conflict:NA ---- - xmlschemas.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 724920b..9ace2b7 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -3658,12 +3658,12 @@ xmlSchemaBucketCreate(xmlSchemaParserCtxtPtr pctxt, - ret->type = type; - ret->globals = xmlSchemaItemListCreate(); - if (ret->globals == NULL) { -- xmlFree(ret); -+ xmlSchemaBucketFree(ret); - return(NULL); - } - ret->locals = xmlSchemaItemListCreate(); - if (ret->locals == NULL) { -- xmlFree(ret); -+ xmlSchemaBucketFree(ret); - return(NULL); - } - /* --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch deleted file mode 100644 index d6ae2049c3c81281b38cc67823997dd77ed5bb04..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ba290a86639a6a9fc8af81936ad2d3a4d22d502f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:08:57 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaItemListAddSize - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/ba290a86639a6a9fc8af81936ad2d3a4d22d502f -Conflict:NA ---- - xmlschemas.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 4a767ac..9be7999 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -3445,14 +3445,17 @@ xmlSchemaItemListAddSize(xmlSchemaItemListPtr list, - } - list->sizeItems = initialSize; - } else if (list->sizeItems <= list->nbItems) { -+ void **tmp; -+ - list->sizeItems *= 2; -- list->items = (void **) xmlRealloc(list->items, -+ tmp = (void **) xmlRealloc(list->items, - list->sizeItems * sizeof(void *)); -- if (list->items == NULL) { -+ if (tmp == NULL) { - xmlSchemaPErrMemory(NULL, "growing item list", NULL); -- list->sizeItems = 0; -+ list->sizeItems /= 2; - return(-1); - } -+ list->items = tmp; - } - list->items[list->nbItems++] = item; - return(0); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch deleted file mode 100644 index c9e7fce44161add2e4374fc74ee96ec6e3220282..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch +++ /dev/null @@ -1,29 +0,0 @@ -From cfbc1f48ee6259efaedcdc485d86b90e252da970 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:06:51 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaParse - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/cfbc1f48ee6259efaedcdc485d86b90e252da970 -Conflict:NA ---- - xmlschemas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index c68103c..fa9d113 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -21473,7 +21473,7 @@ xmlSchemaParse(xmlSchemaParserCtxtPtr ctxt) - if (ctxt->constructor == NULL) { - ctxt->constructor = xmlSchemaConstructionCtxtCreate(ctxt->dict); - if (ctxt->constructor == NULL) -- return(NULL); -+ goto exit_failure; - /* Take ownership of the constructor to be able to free it. */ - ctxt->ownsConstructor = 1; - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch deleted file mode 100644 index 107357f0d41692d87ff99c591a33781562bf5fc5..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 961a4f35bfcbe3f2b0ca0932e880ea73cbb2ab2c Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:10:41 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaParseUnion - -Also report malloc failure from xmlStrndup. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/961a4f35bfcbe3f2b0ca0932e880ea73cbb2ab2c -Conflict:NA ---- - xmlschemas.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/xmlschemas.c b/xmlschemas.c -index d2f8bf1..4dbee37 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -9017,6 +9017,11 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema, - if (end == cur) - break; - tmp = xmlStrndup(cur, end - cur); -+ if (tmp == NULL) { -+ xmlSchemaPErrMemory(ctxt, "xmlSchemaParseUnion, " -+ "duplicating type name", NULL); -+ return (-1); -+ } - if (xmlSchemaPValAttrNodeQNameValue(ctxt, schema, - NULL, attr, BAD_CAST tmp, &nsName, &localName) == 0) { - /* -@@ -9027,6 +9032,7 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema, - if (link == NULL) { - xmlSchemaPErrMemory(ctxt, "xmlSchemaParseUnion, " - "allocating a type link", NULL); -+ FREE_AND_NULL(tmp) - return (-1); - } - link->type = NULL; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch deleted file mode 100644 index 6cd04d822758c035420690d0ec2e697f5857a9b2..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch +++ /dev/null @@ -1,48 +0,0 @@ -From f0b5515c26a65c218dcab95b411f25f2e57328d0 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 15:44:42 +0100 -Subject: [PATCH 05/28] malloc-fail: Fix memory leak in xmlStaticCopyNodeList - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce -Conflict: NA ---- - tree.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/tree.c b/tree.c -index 84da156..b32561d 100644 ---- a/tree.c -+++ b/tree.c -@@ -4388,7 +4388,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - } - if (doc->intSubset == NULL) { - q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); -- if (q == NULL) return(NULL); -+ if (q == NULL) goto error; - q->doc = doc; - q->parent = parent; - doc->intSubset = (xmlDtdPtr) q; -@@ -4400,7 +4400,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - } else - #endif /* LIBXML_TREE_ENABLED */ - q = xmlStaticCopyNode(node, doc, parent, 1); -- if (q == NULL) return(NULL); -+ if (q == NULL) goto error; - if (ret == NULL) { - q->prev = NULL; - ret = p = q; -@@ -4413,6 +4413,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { - node = node->next; - } - return(ret); -+error: -+ xmlFreeNodeList(ret); -+ return(NULL); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch deleted file mode 100644 index 661afc5257e85e73e31e33424003c86ad26bb5bb..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 2fbf7876510dd9c5996151e2569078146e869697 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 16:22:54 +0100 -Subject: [PATCH 12/28] malloc-fail: Fix memory leak in xmlStringGetNodeList - -Also make sure to return NULL on error instead of a partial node list. - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/b45927095e0c857b68a96466e3075d60a6a5dd9e -Conflict: NA ---- - tree.c | 36 ++++++++++++++++++------------------ - 1 file changed, 18 insertions(+), 18 deletions(-) - -diff --git a/tree.c b/tree.c -index bb85220..ac156e1 100644 ---- a/tree.c -+++ b/tree.c -@@ -1496,9 +1496,9 @@ out: - */ - xmlNodePtr - xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { -- xmlNodePtr ret = NULL, last = NULL; -+ xmlNodePtr ret = NULL, head = NULL, last = NULL; - xmlNodePtr node; -- xmlChar *val; -+ xmlChar *val = NULL; - const xmlChar *cur = value; - const xmlChar *q; - xmlEntityPtr ent; -@@ -1596,14 +1596,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { - */ - if (!xmlBufIsEmpty(buf)) { - node = xmlNewDocText(doc, NULL); -- if (node == NULL) { -- if (val != NULL) xmlFree(val); -- goto out; -- } -+ if (node == NULL) -+ goto out; - node->content = xmlBufDetach(buf); - - if (last == NULL) { -- last = ret = node; -+ last = head = node; - } else { - last = xmlAddNextSibling(last, node); - } -@@ -1613,11 +1611,9 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { - * Create a new REFERENCE_REF node - */ - node = xmlNewReference(doc, val); -- if (node == NULL) { -- if (val != NULL) xmlFree(val); -+ if (node == NULL) - goto out; -- } -- else if ((ent != NULL) && (ent->children == NULL)) { -+ if ((ent != NULL) && (ent->children == NULL)) { - xmlNodePtr temp; - - /* Set to non-NULL value to avoid recursion. */ -@@ -1633,12 +1629,13 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { - } - } - if (last == NULL) { -- last = ret = node; -+ last = head = node; - } else { - last = xmlAddNextSibling(last, node); - } - } - xmlFree(val); -+ val = NULL; - } - cur++; - q = cur; -@@ -1657,7 +1654,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { - } else - cur++; - } -- if ((cur != q) || (ret == NULL)) { -+ if ((cur != q) || (head == NULL)) { - /* - * Handle the last piece of text. - */ -@@ -1666,21 +1663,24 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { - - if (!xmlBufIsEmpty(buf)) { - node = xmlNewDocText(doc, NULL); -- if (node == NULL) { -- xmlBufFree(buf); -- return(NULL); -- } -+ if (node == NULL) -+ goto out; - node->content = xmlBufDetach(buf); - - if (last == NULL) { -- ret = node; -+ head = node; - } else { - xmlAddNextSibling(last, node); - } - } - -+ ret = head; -+ head = NULL; -+ - out: - xmlBufFree(buf); -+ if (val != NULL) xmlFree(val); -+ if (head != NULL) xmlFreeNodeList(head); - return(ret); - } - --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch deleted file mode 100644 index 4abe2795a230ee804297522ee90dc19742434c60..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 3b59fdf001f030e1b2180d3303347119e05d8dcb Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 13:28:24 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXIncludeAddNode - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/3b59fdf001f030e1b2180d3303347119e05d8dcb -Conflict:xinclude.c - ---- - xinclude.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/xinclude.c b/xinclude.c -index 6e5b61d..cc22848 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -660,6 +660,7 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { - ref = xmlXIncludeNewRef(ctxt, URL, cur); - xmlFree(URL); - if (ref == NULL) { -+ xmlFree(fragment); - return(-1); - } - ref->fragment = fragment; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch deleted file mode 100644 index 93173aef493d44f8252618b62755228375f70816..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch +++ /dev/null @@ -1,164 +0,0 @@ -From ec05f04d8b5a0a60515235f65ed1256644a77741 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 12:40:02 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXIncludeLoadTxt - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/ec05f04d8b5a0a60515235f65ed1256644a77741 -Conflict:xinclude.c - ---- - xinclude.c | 67 +++++++++++++++++++++++------------------------------- - 1 file changed, 28 insertions(+), 39 deletions(-) - -diff --git a/xinclude.c b/xinclude.c -index cc22848..c0b4439 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -1791,14 +1791,15 @@ error: - static int - xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlParserInputBufferPtr buf; -- xmlNodePtr node; -- xmlURIPtr uri; -- xmlChar *URL; -+ xmlNodePtr node = NULL; -+ xmlURIPtr uri = NULL; -+ xmlChar *URL = NULL; - int i; -+ int ret = -1; - xmlChar *encoding = NULL; - xmlCharEncoding enc = (xmlCharEncoding) 0; -- xmlParserCtxtPtr pctxt; -- xmlParserInputPtr inputStream; -+ xmlParserCtxtPtr pctxt = NULL; -+ xmlParserInputPtr inputStream = NULL; - int len; - const xmlChar *content; - -@@ -1814,21 +1815,19 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - if (uri == NULL) { - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_HREF_URI, - "invalid value URI %s\n", url); -- return(-1); -+ goto error; - } - if (uri->fragment != NULL) { - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_TEXT_FRAGMENT, - "fragment identifier forbidden for text: %s\n", - (const xmlChar *) uri->fragment); -- xmlFreeURI(uri); -- return(-1); -+ goto error; - } - URL = xmlSaveUri(uri); -- xmlFreeURI(uri); - if (URL == NULL) { - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_HREF_URI, - "invalid value URI %s\n", url); -- return(-1); -+ goto error; - } - - /* -@@ -1839,8 +1838,7 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, - XML_XINCLUDE_TEXT_DOCUMENT, - "text serialization of document not available\n", NULL); -- xmlFree(URL); -- return(-1); -+ goto error; - } - - /* -@@ -1870,11 +1868,8 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, - XML_XINCLUDE_UNKNOWN_ENCODING, - "encoding %s not supported\n", encoding); -- xmlFree(encoding); -- xmlFree(URL); -- return(-1); -+ goto error; - } -- xmlFree(encoding); - } - - /* -@@ -1882,27 +1877,18 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - */ - pctxt = xmlNewParserCtxt(); - inputStream = xmlLoadExternalEntity((const char*)URL, NULL, pctxt); -- if(inputStream == NULL) { -- xmlFreeParserCtxt(pctxt); -- xmlFree(URL); -- return(-1); -- } -+ if(inputStream == NULL) -+ goto error; - buf = inputStream->buf; -- if (buf == NULL) { -- xmlFreeInputStream (inputStream); -- xmlFreeParserCtxt(pctxt); -- xmlFree(URL); -- return(-1); -- } -+ if (buf == NULL) -+ goto error; - if (buf->encoder) - xmlCharEncCloseFunc(buf->encoder); - buf->encoder = xmlGetCharEncodingHandler(enc); - node = xmlNewText(NULL); - if (node == NULL) { -- xmlFreeInputStream(inputStream); -- xmlFreeParserCtxt(pctxt); -- xmlFree(URL); -- return(-1); -+ xmlXIncludeErrMemory(ctxt, ctxt->incTab[nr]->ref, NULL); -+ goto error; - } - - /* -@@ -1921,28 +1907,31 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - if (!IS_CHAR(cur)) { - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_INVALID_CHAR, - "%s contains invalid char\n", URL); -- xmlFreeNode(node); -- xmlFreeInputStream(inputStream); -- xmlFreeParserCtxt(pctxt); -- xmlFree(URL); -- return(-1); -+ goto error; - } - - i += l; - } - - xmlNodeAddContentLen(node, content, len); -- xmlFreeParserCtxt(pctxt); - xmlXIncludeAddTxt(ctxt, node->content, URL); -- xmlFreeInputStream(inputStream); - - loaded: - /* - * Add the element as the replacement copy. - */ - ctxt->incTab[nr]->inc = node; -+ node = NULL; -+ ret = 0; -+ -+error: -+ xmlFreeNode(node); -+ xmlFreeInputStream(inputStream); -+ xmlFreeParserCtxt(pctxt); -+ xmlFree(encoding); -+ xmlFreeURI(uri); - xmlFree(URL); -- return(0); -+ return(ret); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch deleted file mode 100644 index 752cbcb97ba35aaf76b0110061be47a8cbaf5449..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 6f9604f0e3e52e96881ab3b662f35fbe04cd49ac Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Feb 2023 16:09:50 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathCacheNewNodeSet - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/6f9604f0e3e52e96881ab3b662f35fbe04cd49ac -Conflict:NA ---- - xpath.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 84b139d..1f358e3 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -2448,21 +2448,24 @@ xmlXPathCacheNewNodeSet(xmlXPathContextPtr ctxt, xmlNodePtr val) - (cache->miscObjs->number != 0)) - { - xmlXPathObjectPtr ret; -+ xmlNodeSetPtr set; - /* - * Fallback to misc-cache. - */ - -+ set = xmlXPathNodeSetCreate(val); -+ if (set == NULL) { -+ ctxt->lastError.domain = XML_FROM_XPATH; -+ ctxt->lastError.code = XML_ERR_NO_MEMORY; -+ return(NULL); -+ } -+ - ret = (xmlXPathObjectPtr) - cache->miscObjs->items[--cache->miscObjs->number]; - - ret->type = XPATH_NODESET; - ret->boolval = 0; -- ret->nodesetval = xmlXPathNodeSetCreate(val); -- if (ret->nodesetval == NULL) { -- ctxt->lastError.domain = XML_FROM_XPATH; -- ctxt->lastError.code = XML_ERR_NO_MEMORY; -- return(NULL); -- } -+ ret->nodesetval = set; - #ifdef XP_DEBUG_OBJ_USAGE - xmlXPathDebugObjUsageRequested(ctxt, XPATH_NODESET); - #endif --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch deleted file mode 100644 index 91e4bf725729eb6f72065789565b2211f582652f..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 691f7eb44dd82a3de79e492bbe6c5426c96cbdde Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 14:05:13 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathCompareValues - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/691f7eb44dd82a3de79e492bbe6c5426c96cbdde -Conflict:NA ---- - xpath.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 212a4e0..c1d119b 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -7375,14 +7375,14 @@ xmlXPathCompareValues(xmlXPathParserContextPtr ctxt, int inf, int strict) { - valuePush(ctxt, arg1); - xmlXPathNumberFunction(ctxt, 1); - arg1 = valuePop(ctxt); -- CHECK_ERROR0; - } - if (arg2->type != XPATH_NUMBER) { - valuePush(ctxt, arg2); - xmlXPathNumberFunction(ctxt, 1); - arg2 = valuePop(ctxt); -- CHECK_ERROR0; - } -+ if (ctxt->error) -+ goto error; - /* - * Add tests for infinity and nan - * => feedback on 3.4 for Inf and NaN -@@ -7432,6 +7432,7 @@ xmlXPathCompareValues(xmlXPathParserContextPtr ctxt, int inf, int strict) { - } - } - } -+error: - xmlXPathReleaseObject(ctxt->context, arg1); - xmlXPathReleaseObject(ctxt->context, arg2); - return(ret); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch deleted file mode 100644 index ccbcb9045b2af3828f743b6e45eb8adc4e8d9e24..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch +++ /dev/null @@ -1,47 +0,0 @@ -From bc9f372c1001ff64353400edf489fb0ce4ab17fc Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Feb 2023 18:00:30 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathDistinctSorted - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/bc9f372c1001ff64353400edf489fb0ce4ab17fc -Conflict:NA ---- - xpath.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 1f358e3..b6a3983 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -4540,16 +4540,23 @@ xmlXPathDistinctSorted (xmlNodeSetPtr nodes) { - cur = xmlXPathNodeSetItem(nodes, i); - strval = xmlXPathCastNodeToString(cur); - if (xmlHashLookup(hash, strval) == NULL) { -- xmlHashAddEntry(hash, strval, strval); -- /* TODO: Propagate memory error. */ -+ if (xmlHashAddEntry(hash, strval, strval) < 0) { -+ xmlFree(strval); -+ goto error; -+ } - if (xmlXPathNodeSetAddUnique(ret, cur) < 0) -- break; -+ goto error; - } else { - xmlFree(strval); - } - } - xmlHashFree(hash, xmlHashDefaultDeallocator); - return(ret); -+ -+error: -+ xmlHashFree(hash, xmlHashDefaultDeallocator); -+ xmlXPathFreeNodeSet(ret); -+ return(NULL); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch deleted file mode 100644 index bd9f6a91407e978a13174ec6af6470e7f77b3256..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch +++ /dev/null @@ -1,30 +0,0 @@ -From a3e11b385c04f2d0dc7d8c51635e5deb5b867261 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 25 Feb 2023 16:05:24 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathEqualNodeSetFloat - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/a3e11b385c04f2d0dc7d8c51635e5deb5b867261 -Conflict:NA ---- - xpath.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xpath.c b/xpath.c -index ef9f517..7f2c92a 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -6814,8 +6814,8 @@ xmlXPathEqualNodeSetFloat(xmlXPathParserContextPtr ctxt, - valuePush(ctxt, xmlXPathCacheNewString(ctxt->context, str2)); - xmlFree(str2); - xmlXPathNumberFunction(ctxt, 1); -- val = valuePop(ctxt); - CHECK_ERROR0; -+ val = valuePop(ctxt); - v = val->floatval; - xmlXPathReleaseObject(ctxt->context, val); - if (!xmlXPathIsNaN(v)) { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch deleted file mode 100644 index d652995ceea87b82f5ea0c7156964588e2f8ee13..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 3dc645227ed1ac463c9d333c6eb92d1b6bb26ae9 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 14:30:40 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathEqualValuesCommon - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/3dc645227ed1ac463c9d333c6eb92d1b6bb26ae9 -Conflict:NA ---- - xpath.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/xpath.c b/xpath.c -index cf74030..ef9f517 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -7028,7 +7028,8 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, - valuePush(ctxt, arg2); - xmlXPathNumberFunction(ctxt, 1); - arg2 = valuePop(ctxt); -- CHECK_ERROR0; -+ if (ctxt->error) -+ break; - /* Falls through. */ - case XPATH_NUMBER: - /* Hand check NaN and Infinity equalities */ -@@ -7092,7 +7093,8 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, - valuePush(ctxt, arg1); - xmlXPathNumberFunction(ctxt, 1); - arg1 = valuePop(ctxt); -- CHECK_ERROR0; -+ if (ctxt->error) -+ break; - /* Hand check NaN and Infinity equalities */ - if (xmlXPathIsNaN(arg1->floatval) || - xmlXPathIsNaN(arg2->floatval)) { --- -2.27.0 - - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch deleted file mode 100644 index d85e89e839a9fb2e56e71fa64efbc2495cf4e26d..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 282b75f1108e81e483d95a08397da282233f9667 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 28 Feb 2023 12:14:33 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathNameFunction - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/282b75f1108e81e483d95a08397da282233f9667 -Conflict:NA ---- - xpath.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/xpath.c b/xpath.c -index d17ad5e..56a59c1 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -8857,9 +8857,8 @@ xmlXPathNameFunction(xmlXPathParserContextPtr ctxt, int nargs) - NULL, 0); - if (fullname == cur->nodesetval->nodeTab[i]->name) - fullname = xmlStrdup(cur->nodesetval->nodeTab[i]->name); -- if (fullname == NULL) { -- XP_ERROR(XPATH_MEMORY_ERROR); -- } -+ if (fullname == NULL) -+ xmlXPathPErrMemory(ctxt, NULL); - valuePush(ctxt, xmlXPathCacheWrapString( - ctxt->context, fullname)); - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch deleted file mode 100644 index cda925e76b7ff48cb81da357028d1f057dfe29f1..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch +++ /dev/null @@ -1,49 +0,0 @@ -From bd6fa2c1d5c163ab94edaf2e62d18cdfee33f913 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 9 Mar 2023 22:33:19 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathRegisterNs - -Found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/bd6fa2c1d5c163ab94edaf2e62d18cdfee33f913 -Conflict:NA ---- - xpath.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 56a59c1..e3a8c14 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -5133,6 +5133,8 @@ xmlXPathRegisteredVariablesCleanup(xmlXPathContextPtr ctxt) { - int - xmlXPathRegisterNs(xmlXPathContextPtr ctxt, const xmlChar *prefix, - const xmlChar *ns_uri) { -+ xmlChar *copy; -+ - if (ctxt == NULL) - return(-1); - if (prefix == NULL) -@@ -5147,8 +5149,17 @@ xmlXPathRegisterNs(xmlXPathContextPtr ctxt, const xmlChar *prefix, - if (ns_uri == NULL) - return(xmlHashRemoveEntry(ctxt->nsHash, prefix, - xmlHashDefaultDeallocator)); -- return(xmlHashUpdateEntry(ctxt->nsHash, prefix, (void *) xmlStrdup(ns_uri), -- xmlHashDefaultDeallocator)); -+ -+ copy = xmlStrdup(ns_uri); -+ if (copy == NULL) -+ return(-1); -+ if (xmlHashUpdateEntry(ctxt->nsHash, prefix, copy, -+ xmlHashDefaultDeallocator) < 0) { -+ xmlFree(copy); -+ return(-1); -+ } -+ -+ return(0); - } - - /** --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch deleted file mode 100644 index 87169480af80285b29698a114febf6586dd8a4fa..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch +++ /dev/null @@ -1,27 +0,0 @@ -From ac746afd33a938b6704ba32824e076af939665fb Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 15 Feb 2023 13:54:55 +0100 -Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathTryStreamCompile - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/ac746afd33a938b6704ba32824e076af939665fb -Conflict:NA ---- - xpath.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/xpath.c b/xpath.c -index c1d119b..7833870 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -14121,6 +14121,7 @@ xmlXPathTryStreamCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { - comp = xmlXPathNewCompExpr(); - if (comp == NULL) { - xmlXPathErrMemory(ctxt, "allocating streamable expression\n"); -+ xmlFreePattern(stream); - return(NULL); - } - comp->stream = stream; --- -2.27.0 diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch b/backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch deleted file mode 100644 index 6b5ec328123bd590ad437688b567b27d02de1309..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 44947afba0ded433c6f4ffc10ee646c4b267f2b7 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Feb 2023 14:41:35 +0100 -Subject: [PATCH] malloc-fail: Fix null deref after xmlPointerListAddSize - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/44947afba0ded433c6f4ffc10ee646c4b267f2b7 -Conflict:NA ---- - xpath.c | 40 +++++++++++++++++++--------------------- - 1 file changed, 19 insertions(+), 21 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 54d9c58..84b139d 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -812,32 +812,30 @@ xmlPointerListAddSize(xmlPointerListPtr list, - void *item, - int initialSize) - { -- if (list->items == NULL) { -- if (initialSize <= 0) -- initialSize = 1; -- list->items = (void **) xmlMalloc(initialSize * sizeof(void *)); -- if (list->items == NULL) { -- xmlXPathErrMemory(NULL, -- "xmlPointerListCreate: allocating item\n"); -- return(-1); -- } -- list->number = 0; -- list->size = initialSize; -- } else if (list->size <= list->number) { -- if (list->size > 50000000) { -- xmlXPathErrMemory(NULL, -- "xmlPointerListAddSize: re-allocating item\n"); -- return(-1); -+ if (list->size <= list->number) { -+ void **tmp; -+ size_t newSize; -+ -+ if (list->size == 0) { -+ if (initialSize <= 0) -+ initialSize = 1; -+ newSize = initialSize; -+ } else { -+ if (list->size > 50000000) { -+ xmlXPathErrMemory(NULL, -+ "xmlPointerListAddSize: re-allocating item\n"); -+ return(-1); -+ } -+ newSize = list->size * 2; - } -- list->size *= 2; -- list->items = (void **) xmlRealloc(list->items, -- list->size * sizeof(void *)); -- if (list->items == NULL) { -+ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *)); -+ if (tmp == NULL) { - xmlXPathErrMemory(NULL, - "xmlPointerListAddSize: re-allocating item\n"); -- list->size = 0; - return(-1); - } -+ list->items = tmp; -+ list->size = newSize; - } - list->items[list->number++] = item; - return(0); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch b/backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch deleted file mode 100644 index 716d6847eb1cdb585c8c85f1741b31b88f42876a..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 19b197b61646fd2ad7e584b739500876681c4e3d Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:10:56 +0100 -Subject: [PATCH] malloc-fail: Fix null deref after xmlSchemaCompareDates - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/19b197b61646fd2ad7e584b739500876681c4e3d -Conflict:NA ---- - xmlschemastypes.c | 28 ++++++++++++++++++++++++++++ - 1 file changed, 28 insertions(+) - -diff --git a/xmlschemastypes.c b/xmlschemastypes.c -index 160777f..d5c7790 100644 ---- a/xmlschemastypes.c -+++ b/xmlschemastypes.c -@@ -4146,9 +4146,15 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) - - if (!y->value.date.tz_flag) { - p1 = xmlSchemaDateNormalize(x, 0); -+ if (p1 == NULL) -+ return -2; - p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day; - /* normalize y + 14:00 */ - q1 = xmlSchemaDateNormalize(y, (14 * SECS_PER_HOUR)); -+ if (q1 == NULL) { -+ xmlSchemaFreeValue(p1); -+ return -2; -+ } - - q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day; - if (p1d < q1d) { -@@ -4167,6 +4173,11 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) - int ret = 0; - /* normalize y - 14:00 */ - q2 = xmlSchemaDateNormalize(y, -(14 * SECS_PER_HOUR)); -+ if (q2 == NULL) { -+ xmlSchemaFreeValue(p1); -+ xmlSchemaFreeValue(q1); -+ return -2; -+ } - q2d = _xmlSchemaDateCastYMToDays(q2) + q2->value.date.day; - if (p1d > q2d) - ret = 1; -@@ -4190,10 +4201,16 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) - } - } else if (y->value.date.tz_flag) { - q1 = xmlSchemaDateNormalize(y, 0); -+ if (q1 == NULL) -+ return -2; - q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day; - - /* normalize x - 14:00 */ - p1 = xmlSchemaDateNormalize(x, -(14 * SECS_PER_HOUR)); -+ if (p1 == NULL) { -+ xmlSchemaFreeValue(q1); -+ return -2; -+ } - p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day; - - if (p1d < q1d) { -@@ -4212,6 +4229,11 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) - int ret = 0; - /* normalize x + 14:00 */ - p2 = xmlSchemaDateNormalize(x, (14 * SECS_PER_HOUR)); -+ if (p2 == NULL) { -+ xmlSchemaFreeValue(p1); -+ xmlSchemaFreeValue(q1); -+ return -2; -+ } - p2d = _xmlSchemaDateCastYMToDays(p2) + p2->value.date.day; - - if (p2d > q1d) { -@@ -4241,9 +4263,15 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) - if (x->type == y->type) { - int ret = 0; - q1 = xmlSchemaDateNormalize(y, 0); -+ if (q1 == NULL) -+ return -2; - q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day; - - p1 = xmlSchemaDateNormalize(x, 0); -+ if (p1 == NULL) { -+ xmlSchemaFreeValue(q1); -+ return -2; -+ } - p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day; - - if (p1d < q1d) { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch b/backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch deleted file mode 100644 index e22c223f5fc1662142bb19acc093fc3d9b14afec..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 767ae50bc9e94a35bfede3af291cf0060893db0f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:11:24 +0100 -Subject: [PATCH] malloc-fail: Fix null deref after - xmlSchemaItemList{Add,Insert} - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/767ae50bc9e94a35bfede3af291cf0060893db0f -Conflict:NA ---- - xmlschemas.c | 44 ++++++++++++++++---------------------------- - 1 file changed, 16 insertions(+), 28 deletions(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 46cbe0f..d2f8bf1 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -3417,23 +3417,17 @@ xmlSchemaItemListClear(xmlSchemaItemListPtr list) - static int - xmlSchemaItemListAdd(xmlSchemaItemListPtr list, void *item) - { -- if (list->items == NULL) { -- list->items = (void **) xmlMalloc( -- 20 * sizeof(void *)); -- if (list->items == NULL) { -- xmlSchemaPErrMemory(NULL, "allocating new item list", NULL); -- return(-1); -- } -- list->sizeItems = 20; -- } else if (list->sizeItems <= list->nbItems) { -- list->sizeItems *= 2; -- list->items = (void **) xmlRealloc(list->items, -- list->sizeItems * sizeof(void *)); -- if (list->items == NULL) { -+ if (list->sizeItems <= list->nbItems) { -+ void **tmp; -+ size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2; -+ -+ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *)); -+ if (tmp == NULL) { - xmlSchemaPErrMemory(NULL, "growing item list", NULL); -- list->sizeItems = 0; - return(-1); - } -+ list->items = tmp; -+ list->sizeItems = newSize; - } - list->items[list->nbItems++] = item; - return(0); -@@ -3474,23 +3468,17 @@ xmlSchemaItemListAddSize(xmlSchemaItemListPtr list, - static int - xmlSchemaItemListInsert(xmlSchemaItemListPtr list, void *item, int idx) - { -- if (list->items == NULL) { -- list->items = (void **) xmlMalloc( -- 20 * sizeof(void *)); -- if (list->items == NULL) { -- xmlSchemaPErrMemory(NULL, "allocating new item list", NULL); -- return(-1); -- } -- list->sizeItems = 20; -- } else if (list->sizeItems <= list->nbItems) { -- list->sizeItems *= 2; -- list->items = (void **) xmlRealloc(list->items, -- list->sizeItems * sizeof(void *)); -- if (list->items == NULL) { -+ if (list->sizeItems <= list->nbItems) { -+ void **tmp; -+ size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2; -+ -+ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *)); -+ if (tmp == NULL) { - xmlSchemaPErrMemory(NULL, "growing item list", NULL); -- list->sizeItems = 0; - return(-1); - } -+ list->items = tmp; -+ list->sizeItems = newSize; - } - /* - * Just append if the index is greater/equal than the item count. --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch b/backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch deleted file mode 100644 index a9d74984ae2745f71f69815a708d1223ee7c717b..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch +++ /dev/null @@ -1,51 +0,0 @@ -From c40cbf07a30c264846ad1135a3670535942441f6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 8 May 2023 17:03:00 +0200 -Subject: [PATCH] malloc-fail: Fix null deref after xmlXIncludeNewRef - -See #344. - -Reference:https://github.com/GNOME/libxml2/commit/c40cbf07a30c264846ad1135a3670535942441f6 -Conflict:xinclude.c - ---- - xinclude.c | 14 ++------------ - 1 file changed, 2 insertions(+), 12 deletions(-) - -diff --git a/xinclude.c b/xinclude.c -index c0b4439..a9da439 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -246,19 +246,9 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI, - ret->count = 0; - ret->xml = 0; - ret->inc = NULL; -- if (ctxt->incMax == 0) { -- ctxt->incMax = 4; -- ctxt->incTab = (xmlXIncludeRefPtr *) xmlMalloc(ctxt->incMax * -- sizeof(ctxt->incTab[0])); -- if (ctxt->incTab == NULL) { -- xmlXIncludeErrMemory(ctxt, ref, "growing XInclude context"); -- xmlXIncludeFreeRef(ret); -- return(NULL); -- } -- } - if (ctxt->incNr >= ctxt->incMax) { - xmlXIncludeRefPtr *tmp; -- size_t newSize = ctxt->incMax * 2; -+ size_t newSize = ctxt->incMax ? ctxt->incMax * 2 : 4; - - tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab, - newSize * sizeof(ctxt->incTab[0])); -@@ -268,7 +258,7 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI, - return(NULL); - } - ctxt->incTab = tmp; -- ctxt->incMax *= 2; -+ ctxt->incMax = newSize; - } - ctxt->incTab[ctxt->incNr++] = ret; - return(ret); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch b/backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch deleted file mode 100644 index 39e0b4ccefd6b06f69cdd8d2bfd1d873964e26a6..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 2355eac59e91e1465696150cf0efc9029ba4f9b2 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 14:52:06 +0100 -Subject: [PATCH] malloc-fail: Fix null deref if growing input buffer fails - -Also add some error checks. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/2355eac59e91e1465696150cf0efc9029ba4f9b2 -Conflict:xmlIO.c ---- - encoding.c | 3 ++- - parserInternals.c | 6 ++++++ - 2 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/encoding.c b/encoding.c -index 8ce407f..c073a9c 100644 ---- a/encoding.c -+++ b/encoding.c -@@ -2288,7 +2288,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush) - toconv = 64 * 1024; - written = xmlBufAvail(out); - if (toconv * 2 >= written) { -- xmlBufGrow(out, toconv * 2); -+ if (xmlBufGrow(out, toconv * 2) < 0) -+ return (-1); - written = xmlBufAvail(out); - } - if ((written > 128 * 1024) && (flush == 0)) -diff --git a/parserInternals.c b/parserInternals.c -index cee4cd9..dd1dc9c 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -326,6 +326,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { - ret = xmlParserInputBufferGrow(in->buf, len); - - in->base = xmlBufContent(in->buf->buffer); -+ if (in->base == NULL) { -+ in->base = BAD_CAST ""; -+ in->cur = in->base; -+ in->end = in->base; -+ return(-1); -+ } - in->cur = in->base + indx; - in->end = xmlBufEnd(in->buf->buffer); - --- -2.27.0 - - diff --git a/backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch b/backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch deleted file mode 100644 index 61bada74f86d7105fb12281ef6c56efffd9eaf17..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 041789d9ec5a0f592e200bcb7313d88ff14707e4 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Feb 2023 15:02:08 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in htmlnamePush - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/041789d9ec5a0f592e200bcb7313d88ff14707e4 -Conflict:NA ---- - HTMLparser.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index ca551d9..e02a142 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -161,7 +161,7 @@ htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, - * - * Pushes a new element name on top of the name stack - * -- * Returns 0 in case of error, the index in the stack otherwise -+ * Returns -1 in case of error, the index in the stack otherwise - */ - static int - htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value) -@@ -171,15 +171,17 @@ htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value) - if ((ctxt->html < 10) && (xmlStrEqual(value, BAD_CAST "body"))) - ctxt->html = 10; - if (ctxt->nameNr >= ctxt->nameMax) { -- ctxt->nameMax *= 2; -- ctxt->nameTab = (const xmlChar * *) -- xmlRealloc((xmlChar * *)ctxt->nameTab, -- ctxt->nameMax * -- sizeof(ctxt->nameTab[0])); -- if (ctxt->nameTab == NULL) { -+ size_t newSize = ctxt->nameMax * 2; -+ const xmlChar **tmp; -+ -+ tmp = xmlRealloc((xmlChar **) ctxt->nameTab, -+ newSize * sizeof(ctxt->nameTab[0])); -+ if (tmp == NULL) { - htmlErrMemory(ctxt, NULL); -- return (0); -+ return (-1); - } -+ ctxt->nameTab = tmp; -+ ctxt->nameMax = newSize; - } - ctxt->nameTab[ctxt->nameNr] = value; - ctxt->name = value; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch b/backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch deleted file mode 100644 index c5f945c828faab07c9f8dc627f14713df91afd87..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch +++ /dev/null @@ -1,29 +0,0 @@ -From bd9de3a31f66bbf38b2e90cc9efb1374cc1314da Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 16:52:39 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlAddDefAttrs - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/bd9de3a31f66bbf38b2e90cc9efb1374cc1314da -Conflict:NA ---- - parser.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/parser.c b/parser.c -index fafae15..3c06439 100644 ---- a/parser.c -+++ b/parser.c -@@ -1334,6 +1334,8 @@ xmlAddDefAttrs(xmlParserCtxtPtr ctxt, - /* intern the string and precompute the end */ - len = xmlStrlen(value); - value = xmlDictLookup(ctxt->dict, value, len); -+ if (value == NULL) -+ goto mem_error; - defaults->values[5 * defaults->nbAttrs + 2] = value; - defaults->values[5 * defaults->nbAttrs + 3] = value + len; - if (ctxt->external) --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch b/backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch deleted file mode 100644 index 3b6f60358ee58adfe184898dbc42d8f3bc23d523..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 1aabc9db40dc5ec1f8f22c09e74c63dda53f7ed6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 13:20:15 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlBufResize - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/1aabc9db40dc5ec1f8f22c09e74c63dda53f7ed6 -Conflict:NA ---- - buf.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/buf.c b/buf.c -index e851364..69370b7 100644 ---- a/buf.c -+++ b/buf.c -@@ -821,7 +821,8 @@ xmlBufResize(xmlBufPtr buf, size_t size) - if (buf->content == NULL) { - rebuf = (xmlChar *) xmlMallocAtomic(newSize); - buf->use = 0; -- rebuf[buf->use] = 0; -+ if (rebuf != NULL) -+ rebuf[buf->use] = 0; - } else if (buf->size - buf->use < 100) { - rebuf = (xmlChar *) xmlRealloc(buf->content, newSize); - } else { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch b/backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch deleted file mode 100644 index 391b4223bcc671d45de9acb849fd36bb0658e12f..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 0263b357567870c20de26c90dbc962aec81c5a19 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:08:35 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlGet{Min,Max}Occurs - -Also report memory error in xmlSchemaGetNodeContent. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/0263b357567870c20de26c90dbc962aec81c5a19 -Conflict:NA ---- - xmlschemas.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 9be7999..c68103c 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -4760,6 +4760,8 @@ xmlSchemaGetNodeContent(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node) - val = xmlStrdup((xmlChar *)""); - ret = xmlDictLookup(ctxt->dict, val, -1); - xmlFree(val); -+ if (ret == NULL) -+ xmlSchemaPErrMemory(ctxt, "getting node content", node); - return(ret); - } - -@@ -6103,6 +6105,8 @@ xmlGetMaxOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, - if (attr == NULL) - return (def); - val = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); -+ if (val == NULL) -+ return (def); - - if (xmlStrEqual(val, (const xmlChar *) "unbounded")) { - if (max != UNBOUNDED) { -@@ -6177,6 +6181,8 @@ xmlGetMinOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, - if (attr == NULL) - return (def); - val = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); -+ if (val == NULL) -+ return (def); - cur = val; - while (IS_BLANK_CH(*cur)) - cur++; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch b/backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch deleted file mode 100644 index 2e11c36b44b2089f87b7d6184284bcb6817d7faf..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 457fc622d5e8e3734d9c294c81d6c1babb9c5dd5 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 13 Mar 2023 16:51:14 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlParserInputShrink - -Found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/457fc622d5e8e3734d9c294c81d6c1babb9c5dd5 -Conflict:NA - ---- - parserInternals.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/parserInternals.c b/parserInternals.c -index dd1dc9c..08d8d55 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -380,6 +380,13 @@ xmlParserInputShrink(xmlParserInputPtr in) { - } - - in->base = xmlBufContent(in->buf->buffer); -+ if (in->base == NULL) { -+ /* TODO: raise error */ -+ in->base = BAD_CAST ""; -+ in->cur = in->base; -+ in->end = in->base; -+ return; -+ } - in->cur = in->base + used; - in->end = xmlBufEnd(in->buf->buffer); - --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch deleted file mode 100644 index 4b6f67d7ce921358e52c0db5113853ece0257115..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 0c5f40b788410753eb73e3040be4f50b608923e1 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 13:27:41 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlSAX2AttributeInternal - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/0c5f40b788410753eb73e3040be4f50b608923e1 -Conflict:NA ---- - SAX2.c | 36 ++++++++++++++++++------------------ - 1 file changed, 18 insertions(+), 18 deletions(-) - -diff --git a/SAX2.c b/SAX2.c -index 3eebd2b..2426e93 100644 ---- a/SAX2.c -+++ b/SAX2.c -@@ -1297,25 +1297,25 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname, - - /* !!!!!! */ - ret = xmlNewNsPropEatName(ctxt->node, namespace, name, NULL); -+ if (ret == NULL) -+ goto error; - -- if (ret != NULL) { -- if ((ctxt->replaceEntities == 0) && (!ctxt->html)) { -- xmlNodePtr tmp; -- -- ret->children = xmlStringGetNodeList(ctxt->myDoc, value); -- tmp = ret->children; -- while (tmp != NULL) { -- tmp->parent = (xmlNodePtr) ret; -- if (tmp->next == NULL) -- ret->last = tmp; -- tmp = tmp->next; -- } -- } else if (value != NULL) { -- ret->children = xmlNewDocText(ctxt->myDoc, value); -- ret->last = ret->children; -- if (ret->children != NULL) -- ret->children->parent = (xmlNodePtr) ret; -- } -+ if ((ctxt->replaceEntities == 0) && (!ctxt->html)) { -+ xmlNodePtr tmp; -+ -+ ret->children = xmlStringGetNodeList(ctxt->myDoc, value); -+ tmp = ret->children; -+ while (tmp != NULL) { -+ tmp->parent = (xmlNodePtr) ret; -+ if (tmp->next == NULL) -+ ret->last = tmp; -+ tmp = tmp->next; -+ } -+ } else if (value != NULL) { -+ ret->children = xmlNewDocText(ctxt->myDoc, value); -+ ret->last = ret->children; -+ if (ret->children != NULL) -+ ret->children->parent = (xmlNodePtr) ret; - } - - #ifdef LIBXML_VALID_ENABLED --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch deleted file mode 100644 index a73b4c49425b400ab4af21395c7e988f9522387e..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 112340c6c0d6554865220d61f169074aae64da57 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:07:57 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaInitTypes - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/112340c6c0d6554865220d61f169074aae64da57 -Conflict:NA ---- - xmlschemastypes.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/xmlschemastypes.c b/xmlschemastypes.c -index d4864b7..160777f 100644 ---- a/xmlschemastypes.c -+++ b/xmlschemastypes.c -@@ -406,6 +406,10 @@ xmlSchemaInitTypes(void) - xmlSchemaTypeAnyTypeDef = xmlSchemaInitBasicType("anyType", - XML_SCHEMAS_ANYTYPE, - NULL); -+ if (xmlSchemaTypeAnyTypeDef == NULL) { -+ xmlSchemaTypeErrMemory(NULL, NULL); -+ return; -+ } - xmlSchemaTypeAnyTypeDef->baseType = xmlSchemaTypeAnyTypeDef; - xmlSchemaTypeAnyTypeDef->contentType = XML_SCHEMA_CONTENT_MIXED; - /* --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch deleted file mode 100644 index 9dcd9c7ec1a8b2871ef9f1e0f6d0657424601210..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 31844c74df39c3b88735ef884c33c41da9d52795 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:10:08 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaParseUnion - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/31844c74df39c3b88735ef884c33c41da9d52795 -Conflict:NA ---- - xmlschemas.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 06bf664..5b93937 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -9006,6 +9006,8 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema, - xmlSchemaQNameRefPtr ref; - - cur = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); -+ if (cur == NULL) -+ return (-1); - type->base = cur; - do { - while (IS_BLANK_CH(*cur)) --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch deleted file mode 100644 index bac2142c446b629a055cd9dd449364aed0422efb..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch +++ /dev/null @@ -1,29 +0,0 @@ -From e15838ab5454514e53981585c71cd20bb1537d01 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:09:14 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaParseWildcardNs - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/e15838ab5454514e53981585c71cd20bb1537d01 -Conflict:NA ---- - xmlschemas.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 9ace2b7..dd79d2e 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -6867,6 +6867,8 @@ xmlSchemaParseWildcardNs(xmlSchemaParserCtxtPtr ctxt, - */ - attr = xmlSchemaGetPropNode(node, "namespace"); - ns = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); -+ if (ns == NULL) -+ return (-1); - if ((attr == NULL) || (xmlStrEqual(ns, BAD_CAST "##any"))) - wildc->any = 1; - else if (xmlStrEqual(ns, BAD_CAST "##other")) { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch deleted file mode 100644 index bcc63b3553a604d5b1ebc88dfae503d2753d3298..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 7762e8eda184bc755dcc3c2d4aed259f95670ccd Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:08:15 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaValAtomicType - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/7762e8eda184bc755dcc3c2d4aed259f95670ccd -Conflict:NA ---- - xmlschemastypes.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xmlschemastypes.c b/xmlschemastypes.c -index ebb0219..d4864b7 100644 ---- a/xmlschemastypes.c -+++ b/xmlschemastypes.c -@@ -3033,6 +3033,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, - value = norm; - } - tmpval = xmlStrdup(value); -+ if (tmpval == NULL) -+ goto error; - for (cur = tmpval; *cur; ++cur) { - if (*cur < 32 || *cur >= 127 || *cur == ' ' || - *cur == '<' || *cur == '>' || *cur == '"' || --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch b/backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch deleted file mode 100644 index c1e9a5786aa0f3b4054651ad8c94700ffc85a844..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch +++ /dev/null @@ -1,33 +0,0 @@ -From dc2dde1ab92e50766df654fa9445456adb007605 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 4 Feb 2023 15:00:54 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlXIncludeLoadTxt - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/dc2dde1ab92e50766df654fa9445456adb007605 -Conflict:xinclude.c ---- - xinclude.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/xinclude.c b/xinclude.c -index e5e3b16..60a0d7b 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -1891,6 +1891,12 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlCharEncCloseFunc(buf->encoder); - buf->encoder = xmlGetCharEncodingHandler(enc); - node = xmlNewText(NULL); -+ if (node == NULL) { -+ xmlFreeInputStream(inputStream); -+ xmlFreeParserCtxt(pctxt); -+ xmlFree(URL); -+ return(-1); -+ } - - /* - * Scan all chars from the resource and add the to the node --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch b/backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch deleted file mode 100644 index 510c1db206ca42f93c35d3d0ed121e821333d4c9..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 70b21c9f2a31b3ecfe8aa624c01da3ebba9e06c8 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Feb 2023 14:33:16 +0100 -Subject: [PATCH] malloc-fail: Fix null deref in xmlXPathCompiledEvalInternal - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/70b21c9f2a31b3ecfe8aa624c01da3ebba9e06c8 -Conflict:NA ---- - xpath.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xpath.c b/xpath.c -index d63bdd7..54d9c58 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -14370,6 +14370,8 @@ xmlXPathCompiledEvalInternal(xmlXPathCompExprPtr comp, - } - #endif - pctxt = xmlXPathCompParserContext(comp, ctxt); -+ if (pctxt == NULL) -+ return(-1); - res = xmlXPathRunEval(pctxt, toBool); - - if (pctxt->error != XPATH_EXPRESSION_OK) { --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-reallocation-in-inputPush.patch b/backport-malloc-fail-Fix-reallocation-in-inputPush.patch deleted file mode 100644 index ccb9da49763c0067a48b0747fb4092ca6610f5dc..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-reallocation-in-inputPush.patch +++ /dev/null @@ -1,48 +0,0 @@ -From e6d22f925ad65ce93312815aa20c7eeea58640fe Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 23 Jan 2023 01:48:37 +0100 -Subject: [PATCH] malloc-fail: Fix reallocation in inputPush - -Store xmlRealloc result in temporary variable to avoid null deref in -error handler. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/e6d22f925ad65ce93312815aa20c7eeea58640fe -Conflict:NA ---- - parser.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/parser.c b/parser.c -index 3c06439..88f04e4 100644 ---- a/parser.c -+++ b/parser.c -@@ -1758,16 +1758,17 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value) - if ((ctxt == NULL) || (value == NULL)) - return(-1); - if (ctxt->inputNr >= ctxt->inputMax) { -- ctxt->inputMax *= 2; -- ctxt->inputTab = -- (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab, -- ctxt->inputMax * -- sizeof(ctxt->inputTab[0])); -- if (ctxt->inputTab == NULL) { -+ size_t newSize = ctxt->inputMax * 2; -+ xmlParserInputPtr *tmp; -+ -+ tmp = (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab, -+ newSize * sizeof(*tmp)); -+ if (tmp == NULL) { - xmlErrMemory(ctxt, NULL); -- ctxt->inputMax /= 2; - return (-1); - } -+ ctxt->inputTab = tmp; -+ ctxt->inputMax = newSize; - } - ctxt->inputTab[ctxt->inputNr] = value; - ctxt->input = value; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch b/backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch deleted file mode 100644 index 65fd47fade2137ab16c27b7c70bebc46e82980bb..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch +++ /dev/null @@ -1,45 +0,0 @@ -From a3749551e65a8caf146ea2bccf610e718d90bde0 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 3 Feb 2023 14:00:13 +0100 -Subject: [PATCH] malloc-fail: Fix reallocation in xmlXIncludeNewRef - -Avoid null deref. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/a3749551e65a8caf146ea2bccf610e718d90bde0 -Conflict:xinclude.c ---- - xinclude.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/xinclude.c b/xinclude.c -index 60a0d7b..cc486f5 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -257,14 +257,18 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI, - } - } - if (ctxt->incNr >= ctxt->incMax) { -- ctxt->incMax *= 2; -- ctxt->incTab = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab, -- ctxt->incMax * sizeof(ctxt->incTab[0])); -- if (ctxt->incTab == NULL) { -+ xmlXIncludeRefPtr *tmp; -+ size_t newSize = ctxt->incMax * 2; -+ -+ tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab, -+ newSize * sizeof(ctxt->incTab[0])); -+ if (tmp == NULL) { - xmlXIncludeErrMemory(ctxt, ref, "growing XInclude context"); - xmlXIncludeFreeRef(ret); - return(NULL); - } -+ ctxt->incTab = tmp; -+ ctxt->incMax *= 2; - } - ctxt->incTab[ctxt->incNr++] = ret; - return(ret); --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch b/backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch deleted file mode 100644 index d84890d4ce5cd40f11f80035fea7cdee9a46651b..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 73bd5d52ae314a17a6b60f7c0ab893c812e714e7 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 5 Mar 2023 14:11:55 +0100 -Subject: [PATCH] malloc-fail: Fix type confusion after - xmlSchemaFixupTypeAttributeUses - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/73bd5d52ae314a17a6b60f7c0ab893c812e714e7 -Conflict:NA ---- - xmlschemas.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xmlschemas.c b/xmlschemas.c -index dd79d2e..46cbe0f 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -14572,6 +14572,7 @@ xmlSchemaFixupTypeAttributeUses(xmlSchemaParserCtxtPtr pctxt, - { - PERROR_INT("xmlSchemaFixupTypeAttributeUses", - "failed to expand attributes"); -+ return(-1); - } - if (pctxt->attrProhibs->nbItems != 0) - prohibs = pctxt->attrProhibs; -@@ -14582,6 +14583,7 @@ xmlSchemaFixupTypeAttributeUses(xmlSchemaParserCtxtPtr pctxt, - { - PERROR_INT("xmlSchemaFixupTypeAttributeUses", - "failed to expand attributes"); -+ return(-1); - } - } - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch b/backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch deleted file mode 100644 index 129e151b4533d9567f9e8e517ed4196d5ef92c46..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 6fd8904108f23810699d3a242e3612c4ec2f9cf2 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 22 Jan 2023 19:42:41 +0100 -Subject: [PATCH] malloc-fail: Fix use-after-free in xmlParseStartTag2 - -Fix error handling in xmlCtxtGrowAttrs. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/6fd8904108f23810699d3a242e3612c4ec2f9cf2 -Conflict:NA ---- - parser.c | 26 +++++++++++--------------- - 1 file changed, 11 insertions(+), 15 deletions(-) - -diff --git a/parser.c b/parser.c -index 88f04e4..3aea3e2 100644 ---- a/parser.c -+++ b/parser.c -@@ -1715,25 +1715,21 @@ xmlCtxtGrowAttrs(xmlParserCtxtPtr ctxt, int nr) { - int *attallocs; - int maxatts; - -- if (ctxt->atts == NULL) { -- maxatts = 55; /* allow for 10 attrs by default */ -- atts = (const xmlChar **) -- xmlMalloc(maxatts * sizeof(xmlChar *)); -- if (atts == NULL) goto mem_error; -- ctxt->atts = atts; -- attallocs = (int *) xmlMalloc((maxatts / 5) * sizeof(int)); -- if (attallocs == NULL) goto mem_error; -- ctxt->attallocs = attallocs; -- ctxt->maxatts = maxatts; -- } else if (nr + 5 > ctxt->maxatts) { -- maxatts = (nr + 5) * 2; -- atts = (const xmlChar **) xmlRealloc((void *) ctxt->atts, -+ if (nr + 5 > ctxt->maxatts) { -+ maxatts = ctxt->maxatts == 0 ? 55 : (nr + 5) * 2; -+ atts = (const xmlChar **) xmlMalloc( - maxatts * sizeof(const xmlChar *)); - if (atts == NULL) goto mem_error; -- ctxt->atts = atts; - attallocs = (int *) xmlRealloc((void *) ctxt->attallocs, - (maxatts / 5) * sizeof(int)); -- if (attallocs == NULL) goto mem_error; -+ if (attallocs == NULL) { -+ xmlFree(atts); -+ goto mem_error; -+ } -+ if (ctxt->maxatts > 0) -+ memcpy(atts, ctxt->atts, ctxt->maxatts * sizeof(const xmlChar *)); -+ xmlFree(ctxt->atts); -+ ctxt->atts = atts; - ctxt->attallocs = attallocs; - ctxt->maxatts = maxatts; - } --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch b/backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch deleted file mode 100644 index bd07d2a854a65e1d43cbf6db6b76d6b000594bf5..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ae6fa0521c34449b54f9cb3257a4df9b79f3212f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 16:13:27 +0100 -Subject: [PATCH 11/28] malloc-fail: Fix use-after-free in xmlXIncludeAddNode - -Found with libFuzzer, see #344. - -Reference: https://github.com/GNOME/libxml2/commit/5a19e21605398cef6a8b1452477a8705cb41562b -Conflict: xinclude.c: ---- - xinclude.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/xinclude.c b/xinclude.c -index cd1e1b1..e5e3b16 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { - } - URL = xmlSaveUri(uri); - xmlFreeURI(uri); -- xmlFree(URI); - if (URL == NULL) { - xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI, - "invalid value URI %s\n", URI); - if (fragment != NULL) - xmlFree(fragment); -+ xmlFree(URI); - return(-1); - } -+ xmlFree(URI); - - if (xmlStrEqual(URL, ctxt->doc->URL)) - local = 1; --- -2.27.0 - diff --git a/backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch b/backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch deleted file mode 100644 index dbd7e7ab0af81e85de1f8f9b4e8b78b036e718e4..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 0f112d02890c218965235b8d1c42573fcaeec051 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 24 Feb 2023 18:00:03 +0100 -Subject: [PATCH] malloc-fail: Fix use-after-free related to - xmlXPathNodeSetFilter - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/0f112d02890c218965235b8d1c42573fcaeec051 -Conflict:xpath.c ---- - xpath.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 7f2c92a..d63bdd7 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -12876,6 +12876,7 @@ xmlXPathCompOpEvalFilterFirst(xmlXPathParserContextPtr ctxt, - { - int total = 0; - xmlXPathCompExprPtr comp; -+ xmlXPathObjectPtr obj; - xmlNodeSetPtr set; - - CHECK_ERROR0; -@@ -12943,13 +12944,20 @@ xmlXPathCompOpEvalFilterFirst(xmlXPathParserContextPtr ctxt, - } - #endif /* LIBXML_XPTR_ENABLED */ - -+ /* -+ * In case of errors, xmlXPathNodeSetFilter can pop additional nodes from -+ * the stack. We have to temporarily remove the nodeset object from the -+ * stack to avoid freeing it prematurely. -+ */ - CHECK_TYPE0(XPATH_NODESET); -- set = ctxt->value->nodesetval; -+ obj = valuePop(ctxt); -+ set = obj->nodesetval; - if (set != NULL) { - xmlXPathNodeSetFilter(ctxt, set, op->ch2, 1, 1, 1); - if (set->nodeNr > 0) - *first = set->nodeTab[0]; - } -+ valuePush(ctxt, obj); - - return (total); - } -@@ -13247,6 +13255,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - break; - case XPATH_OP_PREDICATE: - case XPATH_OP_FILTER:{ -+ xmlXPathObjectPtr obj; - xmlNodeSetPtr set; - - /* -@@ -13361,11 +13370,19 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - } - #endif /* LIBXML_XPTR_ENABLED */ - -+ /* -+ * In case of errors, xmlXPathNodeSetFilter can pop additional -+ * nodes from the stack. We have to temporarily remove the -+ * nodeset object from the stack to avoid freeing it -+ * prematurely. -+ */ - CHECK_TYPE0(XPATH_NODESET); -- set = ctxt->value->nodesetval; -+ obj = valuePop(ctxt); -+ set = obj->nodesetval; - if (set != NULL) - xmlXPathNodeSetFilter(ctxt, set, op->ch2, - 1, set->nodeNr, 1); -+ valuePush(ctxt, obj); - break; - } - case XPATH_OP_SORT: --- -2.27.0 - diff --git a/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch b/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch deleted file mode 100644 index 12825d33750c4e647f491cebb3fcacbedd0887c4..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch +++ /dev/null @@ -1,84 +0,0 @@ ---- - xmlreader.c | 36 +++++++++++++++++------------------- - 1 file changed, 17 insertions(+), 19 deletions(-) - -diff --git a/xmlreader.c b/xmlreader.c -index ac97bde..193a5d4 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -676,30 +676,23 @@ xmlTextReaderDebug(xmlTextReaderPtr reader) { - * - * Pushes a new entity reference node on top of the entities stack - * -- * Returns 0 in case of error, the index in the stack otherwise -+ * Returns -1 in case of error, the index in the stack otherwise - */ - static int - xmlTextReaderEntPush(xmlTextReaderPtr reader, xmlNodePtr value) - { -- if (reader->entMax <= 0) { -- reader->entMax = 10; -- reader->entTab = (xmlNodePtr *) xmlMalloc(reader->entMax * -- sizeof(reader->entTab[0])); -- if (reader->entTab == NULL) { -- xmlGenericError(xmlGenericErrorContext, "xmlMalloc failed !\n"); -- return (0); -- } -- } - if (reader->entNr >= reader->entMax) { -- reader->entMax *= 2; -- reader->entTab = -- (xmlNodePtr *) xmlRealloc(reader->entTab, -- reader->entMax * -- sizeof(reader->entTab[0])); -- if (reader->entTab == NULL) { -+ size_t newSize = reader->entMax == 0 ? 10 : reader->entMax * 2; -+ xmlNodePtr *tmp; -+ -+ tmp = (xmlNodePtr *) xmlRealloc(reader->entTab, -+ newSize * sizeof(*tmp)); -+ if (tmp == NULL) { - xmlGenericError(xmlGenericErrorContext, "xmlRealloc failed !\n"); -- return (0); -+ return (-1); - } -+ reader->entTab = tmp; -+ reader->entMax = newSize; - } - reader->entTab[reader->entNr] = value; - reader->ent = value; -@@ -1174,7 +1167,11 @@ xmlTextReaderValidateEntity(xmlTextReaderPtr reader) { - if ((node->children != NULL) && - (node->children->type == XML_ENTITY_DECL) && - (node->children->children != NULL)) { -- xmlTextReaderEntPush(reader, node); -+ if (xmlTextReaderEntPush(reader, node) < 0) { -+ if (node == oldnode) -+ break; -+ goto skip_children; -+ } - node = node->children->children; - continue; - } else { -@@ -1621,7 +1618,8 @@ node_found: - if ((reader->node->children != NULL) && - (reader->node->children->type == XML_ENTITY_DECL) && - (reader->node->children->children != NULL)) { -- xmlTextReaderEntPush(reader, reader->node); -+ if (xmlTextReaderEntPush(reader, reader->node) < 0) -+ goto get_next_node; - reader->node = reader->node->children->children; - } - #ifdef LIBXML_REGEXP_ENABLED --- -2.27.0 - -ush(reader, reader->node); -+ if (xmlTextReaderEntPush(reader, reader->node) < 0) -+ goto get_next_node; - reader->node = reader->node->children->children; - } - #ifdef LIBXML_REGEXP_ENABLED --- -2.27.0 - diff --git a/backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch b/backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch deleted file mode 100644 index bae2ed11ec5894aac8bb0439b93f44480cc9ff0d..0000000000000000000000000000000000000000 --- a/backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 755344013e161ab7c982290c6c78903bd9bd300e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 30 Jan 2023 15:40:23 +0100 -Subject: [PATCH] malloc-fail: Record malloc failure in xmlXPathCompLiteral - -Avoid OOB array access. - -Found with libFuzzer, see #344. - -Reference:https://github.com/GNOME/libxml2/commit/755344013e161ab7c982290c6c78903bd9bd300e -Conflict:NA ---- - xpath.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/xpath.c b/xpath.c -index fcbc7e3..fe0e1e2 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -10245,7 +10245,10 @@ xmlXPathCompLiteral(xmlXPathParserContextPtr ctxt) { - } else { - XP_ERROR(XPATH_START_LITERAL_ERROR); - } -- if (ret == NULL) return; -+ if (ret == NULL) { -+ xmlXPathPErrMemory(ctxt, NULL); -+ return; -+ } - lit = xmlXPathCacheNewString(ctxt->context, ret); - if (lit == NULL) { - ctxt->error = XPATH_MEMORY_ERROR; --- -2.27.0 - diff --git a/backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch b/backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch deleted file mode 100644 index c04403fbabd5b47888bada630b0b39059f6dde9b..0000000000000000000000000000000000000000 --- a/backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch +++ /dev/null @@ -1,90 +0,0 @@ -From 4adaddde0ce237da7e8eb5210f1f0eb529c39447 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 24 Nov 2022 16:38:47 +0100 -Subject: [PATCH 25/28] parser: Don't call *DefaultSAXHandlerInit from - xmlInitParser - -Change the default handler definitions to match the result after calling -the initialization functions. - -This makes sure that no thread-local variables are accessed when calling -xmlInitParser. - -Reference: https://github.com/GNOME/libxml2/commit/cecd364dd2f55810ab27eb0f44b35197a1a358d8 -Conflict: SAX2.c: parser.c: ---- - SAX2.c | 4 ---- - globals.c | 6 +++--- - parser.c | 2 -- - 3 files changed, 3 insertions(+), 9 deletions(-) - -diff --git a/SAX2.c b/SAX2.c -index 96bbcb3..3eebd2b 100644 ---- a/SAX2.c -+++ b/SAX2.c -@@ -2910,9 +2910,6 @@ xmlSAX2InitDefaultSAXHandler(xmlSAXHandler *hdlr, int warning) - void - xmlDefaultSAXHandlerInit(void) - { --#ifdef LIBXML_SAX1_ENABLED -- xmlSAXVersion((xmlSAXHandlerPtr) &xmlDefaultSAXHandler, 1); --#endif /* LIBXML_SAX1_ENABLED */ - } - - #ifdef LIBXML_HTML_ENABLED -@@ -2968,7 +2965,6 @@ xmlSAX2InitHtmlDefaultSAXHandler(xmlSAXHandler *hdlr) - void - htmlDefaultSAXHandlerInit(void) - { -- xmlSAX2InitHtmlDefaultSAXHandler((xmlSAXHandlerPtr) &htmlDefaultSAXHandler); - } - - #endif /* LIBXML_HTML_ENABLED */ -diff --git a/globals.c b/globals.c -index 893fb73..836bee1 100644 ---- a/globals.c -+++ b/globals.c -@@ -388,7 +388,7 @@ xmlSAXHandlerV1 xmlDefaultSAXHandler = { - xmlSAX2GetParameterEntity, - xmlSAX2CDataBlock, - xmlSAX2ExternalSubset, -- 0, -+ 1, - }; - #endif /* LIBXML_SAX1_ENABLED */ - -@@ -436,10 +436,10 @@ xmlSAXHandlerV1 htmlDefaultSAXHandler = { - xmlParserWarning, - xmlParserError, - xmlParserError, -- xmlSAX2GetParameterEntity, -+ NULL, - xmlSAX2CDataBlock, - NULL, -- 0, -+ 1, - }; - #endif /* LIBXML_HTML_ENABLED */ - -diff --git a/parser.c b/parser.c -index 4405a7e..9d50138 100644 ---- a/parser.c -+++ b/parser.c -@@ -14696,14 +14696,12 @@ xmlInitParser(void) { - xmlInitMemory(); - xmlInitializeDict(); - xmlInitCharEncodingHandlers(); -- xmlDefaultSAXHandlerInit(); - xmlRegisterDefaultInputCallbacks(); - #ifdef LIBXML_OUTPUT_ENABLED - xmlRegisterDefaultOutputCallbacks(); - #endif /* LIBXML_OUTPUT_ENABLED */ - #ifdef LIBXML_HTML_ENABLED - htmlInitAutoClose(); -- htmlDefaultSAXHandlerInit(); - #endif - #ifdef LIBXML_XPATH_ENABLED - xmlXPathInit(); --- -2.27.0 - diff --git a/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch b/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch deleted file mode 100644 index a55e2ae6410d125c2cea194bdd0fe26c1f84afad..0000000000000000000000000000000000000000 --- a/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch +++ /dev/null @@ -1,30 +0,0 @@ -From dd62e541ecd142ebfb16cb7abe3d3ef4ee6617bd Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 23 Dec 2022 21:53:30 +0100 -Subject: [PATCH] parser: Don't increase depth twice when parsing internal - entities - -Fix xmlParseBalancedChunkMemoryInternal. - -Reference:https://github.com/GNOME/libxml2/commit/dd62e541ecd142ebfb16cb7abe3d3ef4ee6617bd -Conflict:NA ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 431851f..9127deb 100644 ---- a/parser.c -+++ b/parser.c -@@ -13388,7 +13388,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, - xmlAddChild((xmlNodePtr) ctxt->myDoc, newRoot); - nodePush(ctxt, ctxt->myDoc->children); - ctxt->instate = XML_PARSER_CONTENT; -- ctxt->depth = oldctxt->depth + 1; -+ ctxt->depth = oldctxt->depth; - - ctxt->validate = 0; - ctxt->loadsubset = oldctxt->loadsubset; --- -2.27.0 - diff --git a/backport-parser-Fix-OOB-read-when-formatting-error-message.patch b/backport-parser-Fix-OOB-read-when-formatting-error-message.patch deleted file mode 100644 index 7c7e8970bb14b2b7f28dc96436f318aadcf8728b..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-OOB-read-when-formatting-error-message.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 5d55315e32b34af7070d38060ccf9a60941b9696 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 18 Feb 2023 17:29:07 +0100 -Subject: [PATCH] parser: Fix OOB read when formatting error message - -Don't try to print characters beyond the end of the buffer. - -Found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/5d55315e32b34af7070d38060ccf9a60941b9696 -Conflict:NA ---- - parser.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 37d7dec..c276a1a 100644 ---- a/parser.c -+++ b/parser.c -@@ -12162,7 +12162,11 @@ done: - #endif - return(ret); - encoding_error: -- { -+ if (ctxt->input->end - ctxt->input->cur < 4) { -+ __xmlErrEncoding(ctxt, XML_ERR_INVALID_CHAR, -+ "Input is not proper UTF-8, indicate encoding !\n", -+ NULL, NULL); -+ } else { - char buffer[150]; - - snprintf(buffer, 149, "Bytes: 0x%02X 0x%02X 0x%02X 0x%02X\n", --- -2.27.0 - diff --git a/backport-parser-Fix-consumed-accounting-when-switching-encodi.patch b/backport-parser-Fix-consumed-accounting-when-switching-encodi.patch deleted file mode 100644 index 84e48d0f4b1ecab2d6304e252913d03cb65fd9f9..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-consumed-accounting-when-switching-encodi.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 0ab4b951f6906b341201dba46d4ebec05156cbe6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 20 Nov 2022 19:55:12 +0100 -Subject: [PATCH 19/28] parser: Fix 'consumed' accounting when switching - encodings - -Reference: https://github.com/GNOME/libxml2/commit/691a7719566141bb5fbe6212498d1f0568c2610f -Conflict: parserInternals.c: ---- - parserInternals.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/parserInternals.c b/parserInternals.c -index 2b05dac..422dfc0 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -1178,6 +1178,7 @@ xmlSwitchInputEncodingInt(xmlParserCtxtPtr ctxt, xmlParserInputPtr input, - */ - processed = input->cur - input->base; - xmlBufShrink(input->buf->buffer, processed); -+ input->consumed += processed; - input->buf->raw = input->buf->buffer; - input->buf->buffer = xmlBufCreate(); - input->buf->rawconsumed = processed; --- -2.27.0 - diff --git a/backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch b/backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch deleted file mode 100644 index da44a2a744111f37706bf3521716bc65ae409b12..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 418e9677092d10bcf45fa3d8776a2c1277d76201 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Fri, 4 Nov 2022 14:03:31 +0100 -Subject: [PATCH 13/28] parser: Fix error message in xmlParseCommentComplex - -Fixes #421. - -Reference: https://github.com/GNOME/libxml2/commit/a70f7d47152a3b34b4c9932aaeedcdcb90039cd0 -Conflict: NA ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 334a0aa..7553f86 100644 ---- a/parser.c -+++ b/parser.c -@@ -4793,7 +4793,7 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, - if (!IS_CHAR(r)) { - xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR, - "xmlParseComment: invalid xmlChar value %d\n", -- q); -+ r); - xmlFree (buf); - return; - } --- -2.27.0 - diff --git a/backport-parser-Fix-integer-overflow-of-input-ID.patch b/backport-parser-Fix-integer-overflow-of-input-ID.patch deleted file mode 100644 index 4608f5400a6b6205a56153152b8d5635ba156bbb..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-integer-overflow-of-input-ID.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 077df27eb1bdc2a3268f7596415fd91db76d29d4 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 22 Dec 2022 15:22:01 +0100 -Subject: [PATCH] parser: Fix integer overflow of input ID - -Applies a patch from Chromium. Also stop incrementing input ID of -subcontexts. This isn't necessary. - -Fixes #465. - -Reference:https://github.com/GNOME/libxml2/commit/077df27eb1bdc2a3268f7596415fd91db76d29d4 -Conflict:NA ---- - parser.c | 8 ++------ - parserInternals.c | 7 ++++++- - 2 files changed, 8 insertions(+), 7 deletions(-) - -diff --git a/parser.c b/parser.c -index 2207404..431851f 100644 ---- a/parser.c -+++ b/parser.c -@@ -13337,7 +13337,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, - ctxt->userData = ctxt; - if (ctxt->dict != NULL) xmlDictFree(ctxt->dict); - ctxt->dict = oldctxt->dict; -- ctxt->input_id = oldctxt->input_id + 1; -+ ctxt->input_id = oldctxt->input_id; - ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3); - ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5); - ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36); -@@ -13968,11 +13968,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, - if (pctx != NULL) { - ctxt->options = pctx->options; - ctxt->_private = pctx->_private; -- /* -- * this is a subparser of pctx, so the input_id should be -- * incremented to distinguish from main entity -- */ -- ctxt->input_id = pctx->input_id + 1; -+ ctxt->input_id = pctx->input_id; - } - - /* Don't read from stdin. */ -diff --git a/parserInternals.c b/parserInternals.c -index ef18ccf..cee4cd9 100644 ---- a/parserInternals.c -+++ b/parserInternals.c -@@ -1352,8 +1352,13 @@ xmlNewInputStream(xmlParserCtxtPtr ctxt) { - * should not happen while parsing which is the situation where - * the id is actually needed. - */ -- if (ctxt != NULL) -+ if (ctxt != NULL) { -+ if (input->id >= INT_MAX) { -+ xmlErrMemory(ctxt, "Input ID overflow\n"); -+ return(NULL); -+ } - input->id = ctxt->input_id++; -+ } - - return(input); - } --- -2.27.0 - diff --git a/backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch b/backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch deleted file mode 100644 index 3dc57a6815da03393594f15ce3d33c7f9015d452..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 6 May 2023 17:47:37 +0200 -Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks - -For some reason, xmlCtxtUseOptionsInternal set the start and end element -SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1 -was specified. This means that custom SAX handlers could never work with -that flag because these functions would receive the wrong user data -argument and crash immediately. - -Fixes #535. - -Reference:https://github.com/GNOME/libxml2/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9 -Conflict:NA - ---- - parser.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/parser.c b/parser.c -index 94a6298..f9b4012 100644 ---- a/parser.c -+++ b/parser.c -@@ -15074,8 +15074,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi - } - #ifdef LIBXML_SAX1_ENABLED - if (options & XML_PARSE_SAX1) { -- ctxt->sax->startElement = xmlSAX2StartElement; -- ctxt->sax->endElement = xmlSAX2EndElement; - ctxt->sax->startElementNs = NULL; - ctxt->sax->endElementNs = NULL; - ctxt->sax->initialized = 1; --- -2.27.0 - diff --git a/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch b/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch deleted file mode 100755 index 00aaf69a9381ab54bc80d1ace35d9f9eeed5a386..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 1a2d8ddc066143d256fdb8cc554707fe141dd2f6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 11 Oct 2022 13:02:47 +0200 -Subject: [PATCH] parser: Fix potential memory leak in xmlParseAttValueInternal - -Fix memory leak in case xmlParseAttValueInternal is called with a NULL -`len` a non-NULL `alloc` argument. This static function is never called -with such arguments internally, but the misleading code should be fixed -nevertheless. - -Fixes #422. - -Reference:https://github.com/GNOME/libxml2/commit/1a2d8ddc066143d256fdb8cc554707fe141dd2f6 -Conflict:NA - ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index 7bb47366..337e62f6 100644 ---- a/parser.c -+++ b/parser.c -@@ -9155,6 +9155,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - in++; - col++; - if (len != NULL) { -+ if (alloc) *alloc = 0; - *len = last - start; - ret = (xmlChar *) start; - } else { -@@ -9164,7 +9165,6 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, - CUR_PTR = in; - ctxt->input->line = line; - ctxt->input->col = col; -- if (alloc) *alloc = 0; - return ret; - need_complex: - if (alloc) *alloc = 1; --- -2.27.0 - diff --git a/backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch b/backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch deleted file mode 100644 index 963dc4cd4f862b100217eda88e5b91ae75c31ab1..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch +++ /dev/null @@ -1,34 +0,0 @@ -From e2d37972e41224b11ff76f3a9fd689207b6108a6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 20 Nov 2022 15:35:49 +0100 -Subject: [PATCH 21/28] parser: Fix push parser with 1-3 byte initial chunk - -Make sure that ctxt->charset is initialized properly. - -Reference: https://github.com/GNOME/libxml2/commit/55fb8f72ac726b4f760136070e0d2093ffcdb3ac -Conflict: NA ---- - parser.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/parser.c b/parser.c -index 7553f86..4615db0 100644 ---- a/parser.c -+++ b/parser.c -@@ -12523,9 +12523,10 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, - * the encoding, we set the context to XML_CHAR_ENCODING_NONE so - * that it can be automatically determined later - */ -- if ((size == 0) || (chunk == NULL)) { -- ctxt->charset = XML_CHAR_ENCODING_NONE; -- } else if ((ctxt->input != NULL) && (ctxt->input->buf != NULL)) { -+ ctxt->charset = XML_CHAR_ENCODING_NONE; -+ -+ if ((size != 0) && (chunk != NULL) && -+ (ctxt->input != NULL) && (ctxt->input->buf != NULL)) { - size_t base = xmlBufGetInputBase(ctxt->input->buf->buffer, ctxt->input); - size_t cur = ctxt->input->cur - ctxt->input->base; - --- -2.27.0 - diff --git a/backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch b/backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch deleted file mode 100644 index 40befecc1795fcc78ef48d7f7dca8a974fe76a03..0000000000000000000000000000000000000000 --- a/backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch +++ /dev/null @@ -1,171 +0,0 @@ -From 250faf3c832d998baa559ca1a1c61935235aba20 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 20 Apr 2023 12:35:21 +0200 -Subject: [PATCH] parser: Fix regression in xmlParserNodeInfo accounting - -Commit 62150ed2 broke begin_pos and begin_line when extra node info was -recorded. - -Fixes #523. - -Reference:https://github.com/GNOME/libxml2/commit/250faf3c832d998baa559ca1a1c61935235aba20 -Conflict:NA - ---- - SAX2.c | 20 ++------------------ - parser.c | 53 +++++++++++++++++++++++++---------------------------- - 2 files changed, 27 insertions(+), 46 deletions(-) - -diff --git a/SAX2.c b/SAX2.c -index 916e974..822b975 100644 ---- a/SAX2.c -+++ b/SAX2.c -@@ -1783,13 +1783,6 @@ xmlSAX2EndElement(void *ctx, const xmlChar *name ATTRIBUTE_UNUSED) - xmlGenericError(xmlGenericErrorContext, "SAX.xmlSAX2EndElement(%s)\n", name); - #endif - -- /* Capture end position and add node */ -- if (cur != NULL && ctxt->record_info) { -- ctxt->nodeInfo->end_pos = ctxt->input->cur - ctxt->input->base; -- ctxt->nodeInfo->end_line = ctxt->input->line; -- ctxt->nodeInfo->node = cur; -- xmlParserAddNodeInfo(ctxt, ctxt->nodeInfo); -- } - ctxt->nodemem = -1; - - #ifdef LIBXML_VALID_ENABLED -@@ -2433,24 +2426,15 @@ xmlSAX2EndElementNs(void *ctx, - const xmlChar * URI ATTRIBUTE_UNUSED) - { - xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; -- xmlParserNodeInfo node_info; -- xmlNodePtr cur; - - if (ctx == NULL) return; -- cur = ctxt->node; -- /* Capture end position and add node */ -- if ((ctxt->record_info) && (cur != NULL)) { -- node_info.end_pos = ctxt->input->cur - ctxt->input->base; -- node_info.end_line = ctxt->input->line; -- node_info.node = cur; -- xmlParserAddNodeInfo(ctxt, &node_info); -- } - ctxt->nodemem = -1; - - #ifdef LIBXML_VALID_ENABLED - if (ctxt->validate && ctxt->wellFormed && - ctxt->myDoc && ctxt->myDoc->intSubset) -- ctxt->valid &= xmlValidateOneElement(&ctxt->vctxt, ctxt->myDoc, cur); -+ ctxt->valid &= xmlValidateOneElement(&ctxt->vctxt, ctxt->myDoc, -+ ctxt->node); - #endif /* LIBXML_VALID_ENABLED */ - - /* -diff --git a/parser.c b/parser.c -index a4c9fb2..94a6298 100644 ---- a/parser.c -+++ b/parser.c -@@ -10025,7 +10025,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { - const xmlChar *URI = NULL; - xmlParserNodeInfo node_info; - int line, tlen = 0; -- xmlNodePtr ret; -+ xmlNodePtr cur; - int nsNr = ctxt->nsNr; - - if (((unsigned int) ctxt->nameNr > xmlParserMaxDepth) && -@@ -10067,7 +10067,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { - return(-1); - } - nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr); -- ret = ctxt->node; -+ cur = ctxt->node; - - #ifdef LIBXML_VALID_ENABLED - /* -@@ -10100,17 +10100,23 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { - spacePop(ctxt); - if (nsNr != ctxt->nsNr) - nsPop(ctxt, ctxt->nsNr - nsNr); -- if ( ret != NULL && ctxt->record_info ) { -- node_info.end_pos = ctxt->input->consumed + -- (CUR_PTR - ctxt->input->base); -- node_info.end_line = ctxt->input->line; -- node_info.node = ret; -- xmlParserAddNodeInfo(ctxt, &node_info); -+ if (cur != NULL && ctxt->record_info) { -+ node_info.node = cur; -+ node_info.end_pos = ctxt->input->consumed + -+ (CUR_PTR - ctxt->input->base); -+ node_info.end_line = ctxt->input->line; -+ xmlParserAddNodeInfo(ctxt, &node_info); - } - return(1); - } - if (RAW == '>') { - NEXT1; -+ if (cur != NULL && ctxt->record_info) { -+ node_info.node = cur; -+ node_info.end_pos = 0; -+ node_info.end_line = 0; -+ xmlParserAddNodeInfo(ctxt, &node_info); -+ } - } else { - xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_GT_REQUIRED, - "Couldn't find end of Start Tag %s line %d\n", -@@ -10124,17 +10130,6 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { - spacePop(ctxt); - if (nsNr != ctxt->nsNr) - nsPop(ctxt, ctxt->nsNr - nsNr); -- -- /* -- * Capture end position and add node -- */ -- if ( ret != NULL && ctxt->record_info ) { -- node_info.end_pos = ctxt->input->consumed + -- (CUR_PTR - ctxt->input->base); -- node_info.end_line = ctxt->input->line; -- node_info.node = ret; -- xmlParserAddNodeInfo(ctxt, &node_info); -- } - return(-1); - } - -@@ -10149,8 +10144,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { - */ - static void - xmlParseElementEnd(xmlParserCtxtPtr ctxt) { -- xmlParserNodeInfo node_info; -- xmlNodePtr ret = ctxt->node; -+ xmlNodePtr cur = ctxt->node; - - if (ctxt->nameNr <= 0) - return; -@@ -10168,14 +10162,17 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt) { - #endif /* LIBXML_SAX1_ENABLED */ - - /* -- * Capture end position and add node -+ * Capture end position - */ -- if ( ret != NULL && ctxt->record_info ) { -- node_info.end_pos = ctxt->input->consumed + -- (CUR_PTR - ctxt->input->base); -- node_info.end_line = ctxt->input->line; -- node_info.node = ret; -- xmlParserAddNodeInfo(ctxt, &node_info); -+ if (cur != NULL && ctxt->record_info) { -+ xmlParserNodeInfoPtr node_info; -+ -+ node_info = (xmlParserNodeInfoPtr) xmlParserFindNodeInfo(ctxt, cur); -+ if (node_info != NULL) { -+ node_info->end_pos = ctxt->input->consumed + -+ (CUR_PTR - ctxt->input->base); -+ node_info->end_line = ctxt->input->line; -+ } - } - } - --- -2.27.0 - diff --git a/backport-parser-Limit-name-length-in-xmlParseEncName.patch b/backport-parser-Limit-name-length-in-xmlParseEncName.patch deleted file mode 100644 index 189a53b49bce224c6dfb3ea5da1389e3fd60d232..0000000000000000000000000000000000000000 --- a/backport-parser-Limit-name-length-in-xmlParseEncName.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3eb9f5ca4e6b0933ac1dc7fbcce38669ac002b7f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 21 Mar 2023 13:19:31 +0100 -Subject: [PATCH] parser: Limit name length in xmlParseEncName - - -Reference:https://github.com/GNOME/libxml2/commit/3eb9f5ca4e6b0933ac1dc7fbcce38669ac002b7f -Conflict:NA - ---- - parser.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/parser.c b/parser.c -index b872d34..a4c9fb2 100644 ---- a/parser.c -+++ b/parser.c -@@ -10301,6 +10301,9 @@ xmlParseEncName(xmlParserCtxtPtr ctxt) { - xmlChar *buf = NULL; - int len = 0; - int size = 10; -+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? -+ XML_MAX_TEXT_LENGTH : -+ XML_MAX_NAME_LENGTH; - xmlChar cur; - - cur = CUR; -@@ -10333,13 +10336,13 @@ xmlParseEncName(xmlParserCtxtPtr ctxt) { - buf = tmp; - } - buf[len++] = cur; -+ if (len > maxLength) { -+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "EncName"); -+ xmlFree(buf); -+ return(NULL); -+ } - NEXT; - cur = CUR; -- if (cur == 0) { -- SHRINK; -- GROW; -- cur = CUR; -- } - } - buf[len] = 0; - } else { --- -2.27.0 - diff --git a/backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch b/backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch deleted file mode 100644 index 2c97ddb4b55367df119cef0d71d5517ffd2e4d82..0000000000000000000000000000000000000000 --- a/backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c6c7068e995c00d978282e7103c04ffcffca9a23 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 21 Nov 2022 22:09:19 +0100 -Subject: [PATCH 24/28] parser: Remove dangerous check in xmlParseCharData - -If this check succeeds, xmlParseCharData could be called over and over -again without making progress, resulting in an infinite loop. - -It's only important to check for XML_PARSER_EOF which is done later. - -Related to #441. - -Reference: https://github.com/GNOME/libxml2/commit/0e193f0d61f6d6f29c31ac5f801975e810df7a04 -Conflict: NA ---- - parser.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/parser.c b/parser.c -index 4360479..4405a7e 100644 ---- a/parser.c -+++ b/parser.c -@@ -4535,9 +4535,6 @@ get_more: - line = ctxt->input->line; - col = ctxt->input->col; - } -- /* something really bad happened in the SAX callback */ -- if (ctxt->instate != XML_PARSER_CONTENT) -- return; - } - ctxt->input->cur = in; - if (*in == 0xD) { --- -2.27.0 - diff --git a/backport-parser-Restore-parser-state-in-xmlParseCDSect.patch b/backport-parser-Restore-parser-state-in-xmlParseCDSect.patch deleted file mode 100644 index 368becce8c84d58ec8757dd74b9b1d4b18521fed..0000000000000000000000000000000000000000 --- a/backport-parser-Restore-parser-state-in-xmlParseCDSect.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 003d0baef83a3c694fba6f194cfc8c14bc035082 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 21 Nov 2022 22:07:11 +0100 -Subject: [PATCH 23/28] parser: Restore parser state in xmlParseCDSect - -Fixes #441. - -Reference: https://github.com/GNOME/libxml2/commit/94ca36c2c48ad3857175ea66a373e51e67b98f00 -Conflict: parser.c: ---- - parser.c | 25 +++++++++++-------------- - 1 file changed, 11 insertions(+), 14 deletions(-) - -diff --git a/parser.c b/parser.c -index 6e55838..4360479 100644 ---- a/parser.c -+++ b/parser.c -@@ -9788,22 +9788,20 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - r = CUR_CHAR(rl); - if (!IS_CHAR(r)) { - xmlFatalErr(ctxt, XML_ERR_CDATA_NOT_FINISHED, NULL); -- ctxt->instate = XML_PARSER_CONTENT; -- return; -+ goto out; - } - NEXTL(rl); - s = CUR_CHAR(sl); - if (!IS_CHAR(s)) { - xmlFatalErr(ctxt, XML_ERR_CDATA_NOT_FINISHED, NULL); -- ctxt->instate = XML_PARSER_CONTENT; -- return; -+ goto out; - } - NEXTL(sl); - cur = CUR_CHAR(l); - buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar)); - if (buf == NULL) { - xmlErrMemory(ctxt, NULL); -- return; -+ goto out; - } - while (IS_CHAR(cur) && - ((r != ']') || (s != ']') || (cur != '>'))) { -@@ -9812,9 +9810,8 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - - tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); - if (tmp == NULL) { -- xmlFree(buf); - xmlErrMemory(ctxt, NULL); -- return; -+ goto out; - } - buf = tmp; - size *= 2; -@@ -9829,8 +9826,7 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - SHRINK; - GROW; - if (ctxt->instate == XML_PARSER_EOF) { -- xmlFree(buf); -- return; -+ goto out; - } - count = 0; - } -@@ -9839,17 +9835,14 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - if (len > maxLength) { - xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, - "CData section too big found\n"); -- xmlFree(buf); -- return; -+ goto out; - } - } - buf[len] = 0; -- ctxt->instate = XML_PARSER_CONTENT; - if (cur != '>') { - xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, - "CData section not finished\n%.50s\n", buf); -- xmlFree(buf); -- return; -+ goto out; - } - NEXTL(l); - -@@ -9862,6 +9855,10 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { - else if (ctxt->sax->characters != NULL) - ctxt->sax->characters(ctxt->userData, buf, len); - } -+ -+out: -+ if (ctxt->instate != XML_PARSER_EOF) -+ ctxt->instate = XML_PARSER_CONTENT; - xmlFree(buf); - } - --- -2.27.0 - diff --git a/backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch b/backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch deleted file mode 100644 index 9a7527e62adb71cf58fd24c57b187949ac5117a8..0000000000000000000000000000000000000000 --- a/backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch +++ /dev/null @@ -1,54 +0,0 @@ -From b75976e02999c453ae80bb1ade72f704a78b95ce Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 12 Mar 2023 19:06:19 +0100 -Subject: [PATCH] parser: Use size_t when subtracting input buffer pointers - -Avoid integer overflows. - -Reference:https://github.com/GNOME/libxml2/commit/b75976e02999c453ae80bb1ade72f704a78b95ce -Conflict:NA - ---- - HTMLparser.c | 2 +- - parser.c | 5 +++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/HTMLparser.c b/HTMLparser.c -index 72ede56..b76218c 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -3833,7 +3833,7 @@ htmlCheckEncodingDirect(htmlParserCtxtPtr ctxt, const xmlChar *encoding) { - (ctxt->input->buf->raw != NULL) && - (ctxt->input->buf->buffer != NULL)) { - int nbchars; -- int processed; -+ size_t processed; - - /* - * convert as much as possible to the parser reading buffer. -diff --git a/parser.c b/parser.c -index c276a1a..75bd27f 100644 ---- a/parser.c -+++ b/parser.c -@@ -9267,7 +9267,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, - int maxatts = ctxt->maxatts; - int nratts, nbatts, nbdef, inputid; - int i, j, nbNs, attval; -- unsigned long cur; -+ size_t cur; - int nsNr = ctxt->nsNr; - - if (RAW != '<') return(NULL); -@@ -11202,7 +11202,8 @@ xmlCheckCdataPush(const xmlChar *utf, int len, int complete) { - static int - xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { - int ret = 0; -- int avail, tlen; -+ int tlen; -+ size_t avail; - xmlChar cur, next; - const xmlChar *lastlt, *lastgt; - --- -2.27.0 - diff --git a/backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch b/backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch deleted file mode 100644 index 995613dd5dad4ab267e9954bc373de785f15452f..0000000000000000000000000000000000000000 --- a/backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 800bb118a5cb30232a295b89df8cb749eece49af Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 14 Nov 2022 22:00:50 +0100 -Subject: [PATCH 16/28] reader: Switch to xmlParserInputBufferCreateMem - -This is less efficient but can't result in input buffer overreads. - -Fixes #326. - -Reference: https://github.com/GNOME/libxml2/commit/1ca0dfec351a089537127911607c5e89bc937840 -Conflict: NA ---- - xmlreader.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/xmlreader.c b/xmlreader.c -index 989b7c1..ac97bde 100644 ---- a/xmlreader.c -+++ b/xmlreader.c -@@ -5508,8 +5508,7 @@ xmlReaderForMemory(const char *buffer, int size, const char *URL, - xmlTextReaderPtr reader; - xmlParserInputBufferPtr buf; - -- buf = xmlParserInputBufferCreateStatic(buffer, size, -- XML_CHAR_ENCODING_NONE); -+ buf = xmlParserInputBufferCreateMem(buffer, size, XML_CHAR_ENCODING_NONE); - if (buf == NULL) { - return (NULL); - } -@@ -5735,7 +5734,7 @@ xmlReaderNewMemory(xmlTextReaderPtr reader, const char *buffer, int size, - if (buffer == NULL) - return (-1); - -- input = xmlParserInputBufferCreateStatic(buffer, size, -+ input = xmlParserInputBufferCreateMem(buffer, size, - XML_CHAR_ENCODING_NONE); - if (input == NULL) { - return (-1); --- -2.27.0 - diff --git a/backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch b/backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch deleted file mode 100644 index c88ab7b5467b887873b2496ca1b78741e4c27045..0000000000000000000000000000000000000000 --- a/backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 85057e513111f69f5a8af94f3a82899d23d4c057 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 21 Feb 2023 15:24:19 +0100 -Subject: [PATCH] regexp: Add sanity check in xmlRegCalloc2 - -These arguments should be non-zero, but add a sanity check to avoid -division by zero. - -Fixes #450. - -Reference:https://github.com/GNOME/libxml2/commit/85057e513111f69f5a8af94f3a82899d23d4c057 -Conflict:NA ---- - xmlregexp.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index e7c48a4..cc4ae6f 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -443,7 +443,8 @@ xmlRegCalloc2(size_t dim1, size_t dim2, size_t elemSize) { - void *ret; - - /* Check for overflow */ -- if (dim1 > SIZE_MAX / dim2 / elemSize) -+ if ((dim2 == 0) || (elemSize == 0) || -+ (dim1 > SIZE_MAX / dim2 / elemSize)) - return (NULL); - totalSize = dim1 * dim2 * elemSize; - ret = xmlMalloc(totalSize); --- -2.27.0 - diff --git a/backport-regexp-Fix-checks-for-eliminated-transitions.patch b/backport-regexp-Fix-checks-for-eliminated-transitions.patch deleted file mode 100644 index 949bea6949d52261c398022e51e1bfebec9c6e52..0000000000000000000000000000000000000000 --- a/backport-regexp-Fix-checks-for-eliminated-transitions.patch +++ /dev/null @@ -1,68 +0,0 @@ -From e301865e69b9b834f7b777dc58a9cee40ae056b2 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 9 Mar 2023 05:34:38 +0100 -Subject: [PATCH] regexp: Fix checks for eliminated transitions - -'to' can be set to -1 or -2 when eliminating transitions, so check for -all negative values. - -Reference:https://github.com/GNOME/libxml2/commit/e301865e69b9b834f7b777dc58a9cee40ae056b2 -Conflict:NA - ---- - xmlregexp.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index 24f9fc0..df0626c 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -607,7 +607,7 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) { - - for (j = 0;j < state->nbTrans;j++) { - trans = &(state->trans[j]); -- if ((trans->to == -1) || (trans->atom == NULL)) -+ if ((trans->to < 0) || (trans->atom == NULL)) - continue; - atomno = stringRemap[trans->atom->no]; - if ((trans->atom->data != NULL) && (transdata == NULL)) { -@@ -2783,11 +2783,11 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { - /* t1->nd = 1; */ - continue; - } -- if (t1->to == -1) /* eliminated */ -+ if (t1->to < 0) /* eliminated */ - continue; - for (i = 0;i < transnr;i++) { - t2 = &(state->trans[i]); -- if (t2->to == -1) /* eliminated */ -+ if (t2->to < 0) /* eliminated */ - continue; - if (t2->atom != NULL) { - if (t1->to == t2->to) { -@@ -2825,11 +2825,11 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { - if (t1->atom == NULL) { - continue; - } -- if (t1->to == -1) /* eliminated */ -+ if (t1->to < 0) /* eliminated */ - continue; - for (i = 0;i < transnr;i++) { - t2 = &(state->trans[i]); -- if (t2->to == -1) /* eliminated */ -+ if (t2->to < 0) /* eliminated */ - continue; - if (t2->atom != NULL) { - /* -@@ -2843,7 +2843,7 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { - t2->nd = 1; - last = t1; - } -- } else if (t1->to != -1) { -+ } else { - /* - * do the closure in case of remaining specific - * epsilon transitions like choices or all --- -2.27.0 - diff --git a/backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch b/backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch deleted file mode 100644 index 769b1c1b5223bacd11d6df5a4afd0e50cdaccf1c..0000000000000000000000000000000000000000 --- a/backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 9f7b114232904a7d0e304bff30ed4b255f34a572 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 9 Mar 2023 05:25:09 +0100 -Subject: [PATCH] regexp: Fix cycle check in xmlFAReduceEpsilonTransitions - -The visited flag must only be reset after the first call to -xmlFAReduceEpsilonTransitions has finished. Visiting states multiple -times could lead to unnecessary processing of duplicate transitions. - -Similar to 68eadabd. - -Reference:https://github.com/GNOME/libxml2/commit/9f7b114232904a7d0e304bff30ed4b255f34a572 -Conflict:NA - ---- - xmlregexp.c | 26 ++++++++++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/xmlregexp.c b/xmlregexp.c -index cc4ae6f..24f9fc0 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -1880,7 +1880,32 @@ xmlFAReduceEpsilonTransitions(xmlRegParserCtxtPtr ctxt, int fromnr, - } - } - } -+} -+ -+/** -+ * xmlFAFinishReduceEpsilonTransitions: -+ * @ctxt: a regexp parser context -+ * @fromnr: the from state -+ * @tonr: the to state -+ * @counter: should that transition be associated to a counted -+ * -+ */ -+static void -+xmlFAFinishReduceEpsilonTransitions(xmlRegParserCtxtPtr ctxt, int tonr) { -+ int transnr; -+ xmlRegStatePtr to; -+ -+ to = ctxt->states[tonr]; -+ if ((to->mark == XML_REGEXP_MARK_START) || -+ (to->mark == XML_REGEXP_MARK_NORMAL)) -+ return; -+ - to->mark = XML_REGEXP_MARK_NORMAL; -+ for (transnr = 0;transnr < to->nbTrans;transnr++) { -+ xmlRegTransPtr t1 = &to->trans[transnr]; -+ if ((t1->to >= 0) && (t1->atom == NULL)) -+ xmlFAFinishReduceEpsilonTransitions(ctxt, t1->to); -+ } - } - - /** -@@ -2032,6 +2057,7 @@ xmlFAEliminateEpsilonTransitions(xmlRegParserCtxtPtr ctxt) { - state->mark = XML_REGEXP_MARK_START; - xmlFAReduceEpsilonTransitions(ctxt, statenr, - newto, state->trans[transnr].counter); -+ xmlFAFinishReduceEpsilonTransitions(ctxt, newto); - state->mark = XML_REGEXP_MARK_NORMAL; - #ifdef DEBUG_REGEXP_GRAPH - } else { --- -2.27.0 - diff --git a/backport-regexp-Fix-determinism-checks.patch b/backport-regexp-Fix-determinism-checks.patch deleted file mode 100644 index a0d01591a40b2550ac2abebe5df7c28b106871a7..0000000000000000000000000000000000000000 --- a/backport-regexp-Fix-determinism-checks.patch +++ /dev/null @@ -1,121 +0,0 @@ -From a06eaa6119ca5b296b8105dc8c9a34ed5fc1f338 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 9 Mar 2023 06:58:24 +0100 -Subject: [PATCH] regexp: Fix determinism checks - -Swap arguments in initial call to xmlFARecurseDeterminism. - -Fix the check whether we revisit the initial state in -xmlFARecurseDeterminism. - -If there are transitions with equal atoms and targets but different -counters, treat the regex as deterministic but mark the transitions as -non-deterministic internally. - -Don't overwrite zero return value of xmlFAComputesDeterminism -with non-zero value from xmlFARecurseDeterminism. - -Most of these errors lead to non-deterministic regexes not being -detected which typically isn't an issue. The improved code may break -users who relied on buggy behavior or cause other bugs to become -visible. - -Fixes #469. - -Reference:https://github.com/GNOME/libxml2/commit/a06eaa6119ca5b296b8105dc8c9a34ed5fc1f338 -Conflict:NA - ---- - xmlregexp.c | 34 +++++++++++++++++++++++----------- - 1 file changed, 23 insertions(+), 11 deletions(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index df0626c..c89f0c7 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -2665,7 +2665,7 @@ not_determinist: - */ - static int - xmlFARecurseDeterminism(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, -- int to, xmlRegAtomPtr atom) { -+ int fromnr, int tonr, xmlRegAtomPtr atom) { - int ret = 1; - int res; - int transnr, nbTrans; -@@ -2690,21 +2690,23 @@ xmlFARecurseDeterminism(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, - /* - * check transitions conflicting with the one looked at - */ -+ if ((t1->to < 0) || (t1->to == fromnr)) -+ continue; - if (t1->atom == NULL) { -- if (t1->to < 0) -- continue; - state->markd = XML_REGEXP_MARK_VISITED; - res = xmlFARecurseDeterminism(ctxt, ctxt->states[t1->to], -- to, atom); -+ fromnr, tonr, atom); - if (res == 0) { - ret = 0; - /* t1->nd = 1; */ - } - continue; - } -- if (t1->to != to) -- continue; - if (xmlFACompareAtoms(t1->atom, atom, deep)) { -+ /* Treat equal transitions as deterministic. */ -+ if ((t1->to != tonr) || -+ (!xmlFAEqualAtoms(t1->atom, atom, deep))) -+ ret = 0; - ret = 0; - /* mark the transition as non-deterministic */ - t1->nd = 1; -@@ -2837,29 +2839,39 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { - * find transitions which indicate a conflict - */ - if (xmlFACompareAtoms(t1->atom, t2->atom, 1)) { -- ret = 0; -+ /* -+ * Treat equal counter transitions that couldn't be -+ * eliminated as deterministic. -+ */ -+ if ((t1->to != t2->to) || -+ (t1->counter == t2->counter) || -+ (!xmlFAEqualAtoms(t1->atom, t2->atom, deep))) -+ ret = 0; - /* mark the transitions as non-deterministic ones */ - t1->nd = 1; - t2->nd = 1; - last = t1; - } - } else { -+ int res; -+ - /* - * do the closure in case of remaining specific - * epsilon transitions like choices or all - */ -- ret = xmlFARecurseDeterminism(ctxt, ctxt->states[t1->to], -- t2->to, t2->atom); -- xmlFAFinishRecurseDeterminism(ctxt, ctxt->states[t1->to]); -+ res = xmlFARecurseDeterminism(ctxt, ctxt->states[t2->to], -+ statenr, t1->to, t1->atom); -+ xmlFAFinishRecurseDeterminism(ctxt, ctxt->states[t2->to]); - /* don't shortcut the computation so all non deterministic - transition get marked down - if (ret == 0) - return(0); - */ -- if (ret == 0) { -+ if (res == 0) { - t1->nd = 1; - /* t2->nd = 1; */ - last = t1; -+ ret = 0; - } - } - } --- -2.27.0 - diff --git a/backport-regexp-Fix-mistake-in-previous-commit.patch b/backport-regexp-Fix-mistake-in-previous-commit.patch deleted file mode 100644 index 43ad0d68abe0c944449c693bcf66d86fb781dd24..0000000000000000000000000000000000000000 --- a/backport-regexp-Fix-mistake-in-previous-commit.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c613ab14b85d5813ff834afe23adcab2cc82dc04 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 2 May 2023 00:32:50 +0200 -Subject: [PATCH] regexp: Fix mistake in previous commit - -The `ret = 0` line should have been deleted. - -Fixes #531. - -Reference:https://github.com/GNOME/libxml2/commit/c613ab14b85d5813ff834afe23adcab2cc82dc04 -Conflict:NA - ---- - xmlregexp.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/xmlregexp.c b/xmlregexp.c -index c89f0c7..185fcda 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -2707,7 +2707,6 @@ xmlFARecurseDeterminism(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, - if ((t1->to != tonr) || - (!xmlFAEqualAtoms(t1->atom, atom, deep))) - ret = 0; -- ret = 0; - /* mark the transition as non-deterministic */ - t1->nd = 1; - } --- -2.27.0 - diff --git a/backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch b/backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch deleted file mode 100644 index 1e2b018efed47becbf004261782ac575bbd23498..0000000000000000000000000000000000000000 --- a/backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch +++ /dev/null @@ -1,30 +0,0 @@ -From a800b7e058b09031aba92949eecf2c76fa030635 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 4 May 2023 12:47:00 +0200 -Subject: [PATCH] regexp: Fix null deref in xmlFAFinishReduceEpsilonTransitions - -Short-lived regression found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/a800b7e058b09031aba92949eecf2c76fa030635 -Conflict:NA - ---- - xmlregexp.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/xmlregexp.c b/xmlregexp.c -index 185fcda..b0111e2 100644 ---- a/xmlregexp.c -+++ b/xmlregexp.c -@@ -1896,6 +1896,8 @@ xmlFAFinishReduceEpsilonTransitions(xmlRegParserCtxtPtr ctxt, int tonr) { - xmlRegStatePtr to; - - to = ctxt->states[tonr]; -+ if (to == NULL) -+ return; - if ((to->mark == XML_REGEXP_MARK_START) || - (to->mark == XML_REGEXP_MARK_NORMAL)) - return; --- -2.27.0 - diff --git a/backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch b/backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch deleted file mode 100644 index 8240017b235796328ad31da250cf6779690b7184..0000000000000000000000000000000000000000 --- a/backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 1813411ca9f9b60e62ef70e8be2e169af0831edb Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 2 Nov 2022 10:53:24 +0100 -Subject: [PATCH 03/28] schemas: Fix infinite loop in - xmlSchemaCheckElemSubstGroup - -Types like xmlSchemaTypeAnyTypeDef have a base type pointing to itself, -resulting in an infinite loop. - -Fixes #430. - -Reference: https://github.com/GNOME/libxml2/commit/abb5a93fed95cfd628db72e9e1a51fc3ced5c941 -Conflict: NA ---- - xmlschemas.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 9aa6acf..4a767ac 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -19957,7 +19957,8 @@ xmlSchemaCheckElemSubstGroup(xmlSchemaParserCtxtPtr ctxt, - /* - * The set of all {derivation method}s involved in the derivation - */ -- while ((type != NULL) && (type != headType)) { -+ while ((type != NULL) && (type != headType) && -+ (type != type->baseType)) { - if ((WXS_IS_EXTENSION(type)) && - ((methSet & XML_SCHEMAS_TYPE_BLOCK_RESTRICTION) == 0)) - methSet |= XML_SCHEMAS_TYPE_BLOCK_EXTENSION; --- -2.27.0 - diff --git a/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch b/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch deleted file mode 100755 index da0b3871a4970157820857ab26c2f8163006db74..0000000000000000000000000000000000000000 --- a/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 1d4f5d24ac3976012ab1f5b811385e7b00caaecf Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 13 Sep 2022 16:40:31 +0200 -Subject: [PATCH] schemas: Fix null-pointer-deref in - xmlSchemaCheckCOSSTDerivedOK - -Found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/1d4f5d24ac3976012ab1f5b811385e7b00caaecf -Conflict:NA - ---- - result/schemas/oss-fuzz-51295_0_0.err | 2 ++ - test/schemas/oss-fuzz-51295_0.xml | 1 + - test/schemas/oss-fuzz-51295_0.xsd | 4 ++++ - xmlschemas.c | 15 +++++++++++++-- - 4 files changed, 20 insertions(+), 2 deletions(-) - create mode 100644 result/schemas/oss-fuzz-51295_0_0.err - create mode 100644 test/schemas/oss-fuzz-51295_0.xml - create mode 100644 test/schemas/oss-fuzz-51295_0.xsd - -diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err -new file mode 100644 -index 00000000..1e89524f ---- /dev/null -+++ b/result/schemas/oss-fuzz-51295_0_0.err -@@ -0,0 +1,2 @@ -+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. -+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. -diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml -new file mode 100644 -index 00000000..10a7e703 ---- /dev/null -+++ b/test/schemas/oss-fuzz-51295_0.xml -@@ -0,0 +1 @@ -+ -diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd -new file mode 100644 -index 00000000..fde96af5 ---- /dev/null -+++ b/test/schemas/oss-fuzz-51295_0.xsd -@@ -0,0 +1,4 @@ -+ -+ -+ -+ -diff --git a/xmlschemas.c b/xmlschemas.c -index ade10f78..de6ea2b0 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -13348,8 +13348,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl, - * declaration `resolved` to by the `actual value` - * of the substitutionGroup [attribute], if present" - */ -- if (elemDecl->subtypes == NULL) -- elemDecl->subtypes = substHead->subtypes; -+ if (elemDecl->subtypes == NULL) { -+ if (substHead->subtypes == NULL) { -+ /* -+ * This can happen with self-referencing substitution -+ * groups. The cycle will be detected later, but we have -+ * to set subtypes to avoid null-pointer dereferences. -+ */ -+ elemDecl->subtypes = xmlSchemaGetBuiltInType( -+ XML_SCHEMAS_ANYTYPE); -+ } else { -+ elemDecl->subtypes = substHead->subtypes; -+ } -+ } - } - } - /* --- -2.27.0 - diff --git a/backport-uri-Allow-port-without-host.patch b/backport-uri-Allow-port-without-host.patch deleted file mode 100644 index 37a09f104b04020a9bd650b632726f570e5cd371..0000000000000000000000000000000000000000 --- a/backport-uri-Allow-port-without-host.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 7810d0e3f0bebe58cf6de877cbcb302f073c75e7 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 14 Nov 2022 21:05:32 +0100 -Subject: [PATCH 17/28] uri: Allow port without host - -Don't set port to -1 when host is missing. Host can be empty according -to spec. - -Fixes #71. - -Reference: https://github.com/GNOME/libxml2/commit/f30adb54f55e4e765d58195163f2a21f7ac759fb -Conflict: NA ---- - uri.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/uri.c b/uri.c -index ccc26aa..79dc48b 100644 ---- a/uri.c -+++ b/uri.c -@@ -768,8 +768,6 @@ xmlParse3986HierPart(xmlURIPtr uri, const char **str) - cur += 2; - ret = xmlParse3986Authority(uri, &cur); - if (ret != 0) return(ret); -- if (uri->server == NULL) -- uri->port = -1; - ret = xmlParse3986PathAbEmpty(uri, &cur); - if (ret != 0) return(ret); - *str = cur; --- -2.27.0 - diff --git a/backport-valid-Allow-xmlFreeValidCtxt-NULL.patch b/backport-valid-Allow-xmlFreeValidCtxt-NULL.patch deleted file mode 100644 index f0c7fba7e73c00bd15d40e7420e16440fbe63532..0000000000000000000000000000000000000000 --- a/backport-valid-Allow-xmlFreeValidCtxt-NULL.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a57a7549fabfb7112510a2ee80a874e988200c32 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 12 Mar 2023 16:06:19 +0100 -Subject: [PATCH] valid: Allow xmlFreeValidCtxt(NULL) - - -Reference:https://github.com/GNOME/libxml2/commit/a57a7549fabfb7112510a2ee80a874e988200c32 -Conflict:NA - ---- - valid.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/valid.c b/valid.c -index b7b92fe..9a2c708 100644 ---- a/valid.c -+++ b/valid.c -@@ -899,6 +899,8 @@ xmlValidCtxtPtr xmlNewValidCtxt(void) { - */ - void - xmlFreeValidCtxt(xmlValidCtxtPtr cur) { -+ if (cur == NULL) -+ return; - if (cur->vstateTab != NULL) - xmlFree(cur->vstateTab); - if (cur->nodeTab != NULL) --- -2.27.0 - diff --git a/backport-valid-Make-xmlValidateElement-non-recursive.patch b/backport-valid-Make-xmlValidateElement-non-recursive.patch deleted file mode 100644 index afb6d3c28ef5d96d7b7068296b5c9f6798664c7e..0000000000000000000000000000000000000000 --- a/backport-valid-Make-xmlValidateElement-non-recursive.patch +++ /dev/null @@ -1,127 +0,0 @@ -From 08f9d319ebe99f41f71336ea01767b9c652ef34f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 16 Mar 2023 17:01:05 +0100 -Subject: [PATCH] valid: Make xmlValidateElement non-recursive - -Fixes call stack overflows when validating deeply nested documents. - -Found by OSS-Fuzz. - -Reference:https://github.com/GNOME/libxml2/commit/08f9d319ebe99f41f71336ea01767b9c652ef34f -Conflict:NA - ---- - valid.c | 86 ++++++++++++++++++++++++++++----------------------------- - 1 file changed, 43 insertions(+), 43 deletions(-) - -diff --git a/valid.c b/valid.c -index 9a2c708..3c0a869 100644 ---- a/valid.c -+++ b/valid.c -@@ -6480,60 +6480,60 @@ name_ok: - */ - - int --xmlValidateElement(xmlValidCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr elem) { -- xmlNodePtr child; -+xmlValidateElement(xmlValidCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr root) { -+ xmlNodePtr elem; - xmlAttrPtr attr; - xmlNsPtr ns; - const xmlChar *value; - int ret = 1; - -- if (elem == NULL) return(0); -- -- /* -- * XInclude elements were added after parsing in the infoset, -- * they don't really mean anything validation wise. -- */ -- if ((elem->type == XML_XINCLUDE_START) || -- (elem->type == XML_XINCLUDE_END) || -- (elem->type == XML_NAMESPACE_DECL)) -- return(1); -+ if (root == NULL) return(0); - - CHECK_DTD; - -- /* -- * Entities references have to be handled separately -- */ -- if (elem->type == XML_ENTITY_REF_NODE) { -- return(1); -- } -+ elem = root; -+ while (1) { -+ ret &= xmlValidateOneElement(ctxt, doc, elem); -+ -+ if (elem->type == XML_ELEMENT_NODE) { -+ attr = elem->properties; -+ while (attr != NULL) { -+ value = xmlNodeListGetString(doc, attr->children, 0); -+ ret &= xmlValidateOneAttribute(ctxt, doc, elem, attr, value); -+ if (value != NULL) -+ xmlFree((char *)value); -+ attr= attr->next; -+ } - -- ret &= xmlValidateOneElement(ctxt, doc, elem); -- if (elem->type == XML_ELEMENT_NODE) { -- attr = elem->properties; -- while (attr != NULL) { -- value = xmlNodeListGetString(doc, attr->children, 0); -- ret &= xmlValidateOneAttribute(ctxt, doc, elem, attr, value); -- if (value != NULL) -- xmlFree((char *)value); -- attr= attr->next; -- } -- ns = elem->nsDef; -- while (ns != NULL) { -- if (elem->ns == NULL) -- ret &= xmlValidateOneNamespace(ctxt, doc, elem, NULL, -- ns, ns->href); -- else -- ret &= xmlValidateOneNamespace(ctxt, doc, elem, -- elem->ns->prefix, ns, ns->href); -- ns = ns->next; -- } -- } -- child = elem->children; -- while (child != NULL) { -- ret &= xmlValidateElement(ctxt, doc, child); -- child = child->next; -+ ns = elem->nsDef; -+ while (ns != NULL) { -+ if (elem->ns == NULL) -+ ret &= xmlValidateOneNamespace(ctxt, doc, elem, NULL, -+ ns, ns->href); -+ else -+ ret &= xmlValidateOneNamespace(ctxt, doc, elem, -+ elem->ns->prefix, ns, -+ ns->href); -+ ns = ns->next; -+ } -+ -+ if (elem->children != NULL) { -+ elem = elem->children; -+ continue; -+ } -+ } -+ -+ while (1) { -+ if (elem == root) -+ goto done; -+ if (elem->next != NULL) -+ break; -+ elem = elem->parent; -+ } -+ elem = elem->next; - } - -+done: - return(ret); - } - --- -2.27.0 - diff --git a/backport-xinclude-Fix-memory-leak-when-fuzzing.patch b/backport-xinclude-Fix-memory-leak-when-fuzzing.patch deleted file mode 100644 index faa00e18cce3ed5f5ede9d6ed2bdb4d3fad954ca..0000000000000000000000000000000000000000 --- a/backport-xinclude-Fix-memory-leak-when-fuzzing.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 48c13bd5203b325deb670d5b69015e9adc40990f Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 29 Oct 2022 15:38:16 +0200 -Subject: [PATCH 01/28] xinclude: Fix memory leak when fuzzing - -This only affects the fuzzing build mode. - -Reference: https://github.com/GNOME/libxml2/commit/075cee9e9f1bedb6b2ca87e73a952fb2e92da3c1 -Conflict: xinclude.c: ---- - xinclude.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xinclude.c b/xinclude.c -index 8c14a68..6ee58cb 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -2424,7 +2424,7 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree, - * of replacements. - */ - if (ctxt->incTotal >= 20) -- return(-1); -+ break; - #endif - ctxt->incTotal++; - xmlXIncludePreProcessNode(ctxt, cur); --- -2.27.0 - diff --git a/backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch b/backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch deleted file mode 100644 index 9fc753cc591b72e46f11ab66b02230f4af726f0b..0000000000000000000000000000000000000000 --- a/backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch +++ /dev/null @@ -1,126 +0,0 @@ -From f442a3290626a522b6e71c902a971859b15566f3 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 30 Oct 2022 12:32:14 +0100 -Subject: [PATCH 02/28] xinclude: Fix more memory leaks in xmlXIncludeLoadDoc - -Reference: https://github.com/GNOME/libxml2/commit/f14529baf5315b3d77877fd1617b0e1f3df564d0 -Conflict: xinclude.c: ---- - xinclude.c | 37 ++++++++++++++----------------------- - 1 file changed, 14 insertions(+), 23 deletions(-) - -diff --git a/xinclude.c b/xinclude.c -index 6ee58cb..cd1e1b1 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -1417,9 +1417,10 @@ static int - xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlDocPtr doc; - xmlURIPtr uri; -- xmlChar *URL; -+ xmlChar *URL = NULL; - xmlChar *fragment = NULL; - int i = 0; -+ int ret = -1; - #ifdef LIBXML_XPTR_ENABLED - int saveFlags; - #endif -@@ -1435,7 +1436,7 @@ xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, - XML_XINCLUDE_HREF_URI, - "invalid value URI %s\n", url); -- return(-1); -+ goto error; - } - if (uri->fragment != NULL) { - fragment = (xmlChar *) uri->fragment; -@@ -1457,9 +1458,7 @@ xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlXIncludeErr(ctxt, NULL, - XML_XINCLUDE_HREF_URI, - "invalid value URI %s\n", url); -- if (fragment != NULL) -- xmlFree(fragment); -- return(-1); -+ goto error; - } - - /* -@@ -1509,10 +1508,7 @@ xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - ctxt->parseFlags = saveFlags; - #endif - if (doc == NULL) { -- xmlFree(URL); -- if (fragment != NULL) -- xmlFree(fragment); -- return(-1); -+ goto error; - } - ctxt->incTab[nr]->doc = doc; - /* -@@ -1578,9 +1574,7 @@ loaded: - xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, - XML_XINCLUDE_XPTR_FAILED, - "could not create XPointer context\n", NULL); -- xmlFree(URL); -- xmlFree(fragment); -- return(-1); -+ goto error; - } - xptr = xmlXPtrEval(fragment, xptrctxt); - if (xptr == NULL) { -@@ -1589,9 +1583,7 @@ loaded: - "XPointer evaluation failed: #%s\n", - fragment); - xmlXPathFreeContext(xptrctxt); -- xmlFree(URL); -- xmlFree(fragment); -- return(-1); -+ goto error; - } - switch (xptr->type) { - case XPATH_UNDEFINED: -@@ -1607,17 +1599,13 @@ loaded: - fragment); - xmlXPathFreeObject(xptr); - xmlXPathFreeContext(xptrctxt); -- xmlFree(URL); -- xmlFree(fragment); -- return(-1); -+ goto error; - case XPATH_NODESET: - if ((xptr->nodesetval == NULL) || - (xptr->nodesetval->nodeNr <= 0)) { - xmlXPathFreeObject(xptr); - xmlXPathFreeContext(xptrctxt); -- xmlFree(URL); -- xmlFree(fragment); -- return(-1); -+ goto error; - } - - case XPATH_RANGE: -@@ -1681,7 +1669,6 @@ loaded: - xmlXIncludeCopyXPointer(ctxt, ctxt->doc, doc, xptr); - xmlXPathFreeObject(xptr); - xmlXPathFreeContext(xptrctxt); -- xmlFree(fragment); - } - #endif - -@@ -1777,8 +1764,12 @@ loaded: - xmlFreeDoc(ctxt->incTab[nr]->doc); - ctxt->incTab[nr]->doc = NULL; - } -+ ret = 0; -+ -+error: - xmlFree(URL); -- return(0); -+ xmlFree(fragment); -+ return(ret); - } - - /** --- -2.27.0 - diff --git a/backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch b/backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch deleted file mode 100644 index dc684673eba2576a2f36422159c71e804fc1450c..0000000000000000000000000000000000000000 --- a/backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch +++ /dev/null @@ -1,147 +0,0 @@ -From e20f4d7a656e47553f9da9d594e299e2fa2dbe41 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 13 Feb 2023 14:38:05 +0100 -Subject: [PATCH] xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt - -Also make text inclusions work with memory buffers, for example when -using a custom entity loader, and fix a memory leak in case of invalid -characters. - -Fixes #483. - -Reference:https://github.com/GNOME/libxml2/commit/e20f4d7a656e47553f9da9d594e299e2fa2dbe41 -Conflict:NA - ---- - result/XInclude/invalid_char.xml.err | 2 + - result/XInclude/invalid_char.xml.rdr | 7 ++++ - test/XInclude/docs/invalid_char.xml | 3 ++ - test/XInclude/ents/invalid_char.txt | 1 + - xinclude.c | 61 ++++++++++++---------------- - 5 files changed, 39 insertions(+), 35 deletions(-) - create mode 100644 result/XInclude/invalid_char.xml.err - create mode 100644 result/XInclude/invalid_char.xml.rdr - create mode 100644 test/XInclude/docs/invalid_char.xml - create mode 100644 test/XInclude/ents/invalid_char.txt - -diff --git a/result/XInclude/invalid_char.xml.err b/result/XInclude/invalid_char.xml.err -new file mode 100644 -index 0000000..c28c109 ---- /dev/null -+++ b/result/XInclude/invalid_char.xml.err -@@ -0,0 +1,2 @@ -+./test/XInclude/docs/invalid_char.xml:2: element include: XInclude error : test/XInclude/ents/invalid_char.txt contains invalid char -+./test/XInclude/docs/invalid_char.xml:2: element include: XInclude error : could not load test/XInclude/ents/invalid_char.txt, and no fallback was found -diff --git a/result/XInclude/invalid_char.xml.rdr b/result/XInclude/invalid_char.xml.rdr -new file mode 100644 -index 0000000..1fb5774 ---- /dev/null -+++ b/result/XInclude/invalid_char.xml.rdr -@@ -0,0 +1,7 @@ -+0 1 x 0 0 -+1 14 #text 0 1 -+ -+1 1 xinclude:include 1 0 -+1 14 #text 0 1 -+ -+0 15 x 0 0 -diff --git a/test/XInclude/docs/invalid_char.xml b/test/XInclude/docs/invalid_char.xml -new file mode 100644 -index 0000000..28e5a48 ---- /dev/null -+++ b/test/XInclude/docs/invalid_char.xml -@@ -0,0 +1,3 @@ -+ -+ -+ -diff --git a/test/XInclude/ents/invalid_char.txt b/test/XInclude/ents/invalid_char.txt -new file mode 100644 -index 0000000..ae06618 ---- /dev/null -+++ b/test/XInclude/ents/invalid_char.txt -@@ -0,0 +1 @@ -+invalid: ÿ -\ No newline at end of file -diff --git a/xinclude.c b/xinclude.c -index cc486f5..6e5b61d 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -1798,7 +1798,9 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - xmlCharEncoding enc = (xmlCharEncoding) 0; - xmlParserCtxtPtr pctxt; - xmlParserInputPtr inputStream; -- int xinclude_multibyte_fallback_used = 0; -+ int len; -+ const xmlChar *content; -+ - - /* Don't read from stdin. */ - if (xmlStrcmp(url, BAD_CAST "-") == 0) -@@ -1905,41 +1907,30 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { - /* - * Scan all chars from the resource and add the to the node - */ --xinclude_multibyte_fallback: -- while (xmlParserInputBufferRead(buf, 128) > 0) { -- int len; -- const xmlChar *content; -- -- content = xmlBufContent(buf->buffer); -- len = xmlBufLength(buf->buffer); -- for (i = 0;i < len;) { -- int cur; -- int l; -- -- cur = xmlStringCurrentChar(NULL, &content[i], &l); -- if (!IS_CHAR(cur)) { -- /* Handle split multibyte char at buffer boundary */ -- if (((len - i) < 4) && (!xinclude_multibyte_fallback_used)) { -- xinclude_multibyte_fallback_used = 1; -- xmlBufShrink(buf->buffer, i); -- goto xinclude_multibyte_fallback; -- } else { -- xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, -- XML_XINCLUDE_INVALID_CHAR, -- "%s contains invalid char\n", URL); -- xmlFreeParserCtxt(pctxt); -- xmlFreeParserInputBuffer(buf); -- xmlFree(URL); -- return(-1); -- } -- } else { -- xinclude_multibyte_fallback_used = 0; -- xmlNodeAddContentLen(node, &content[i], l); -- } -- i += l; -- } -- xmlBufShrink(buf->buffer, len); -+ while (xmlParserInputBufferRead(buf, 4096) > 0) -+ ; -+ -+ content = xmlBufContent(buf->buffer); -+ len = xmlBufLength(buf->buffer); -+ for (i = 0; i < len;) { -+ int cur; -+ int l; -+ -+ cur = xmlStringCurrentChar(NULL, &content[i], &l); -+ if (!IS_CHAR(cur)) { -+ xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_INVALID_CHAR, -+ "%s contains invalid char\n", URL); -+ xmlFreeNode(node); -+ xmlFreeInputStream(inputStream); -+ xmlFreeParserCtxt(pctxt); -+ xmlFree(URL); -+ return(-1); -+ } -+ -+ i += l; - } -+ -+ xmlNodeAddContentLen(node, content, len); - xmlFreeParserCtxt(pctxt); - xmlXIncludeAddTxt(ctxt, node->content, URL); - xmlFreeInputStream(inputStream); --- -2.27.0 - diff --git a/backport-xmlBufAvail-should-return-length-without-including-a.patch b/backport-xmlBufAvail-should-return-length-without-including-a.patch deleted file mode 100644 index edb67b1120e1037e26db287fc6ea847fc3e4ae9d..0000000000000000000000000000000000000000 --- a/backport-xmlBufAvail-should-return-length-without-including-a.patch +++ /dev/null @@ -1,136 +0,0 @@ -From c14cac8bbabdfbcd23b45dcb0901f1bd951159a4 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Wed, 25 May 2022 18:13:07 -0700 -Subject: [PATCH 295/300] xmlBufAvail() should return length without including - a byte for NUL terminator - -* buf.c: -(xmlBufAvail): -- Return the number of bytes available in the buffer, but do not - include a byte for the NUL terminator so that it is reserved. - -* encoding.c: -(xmlCharEncFirstLineInput): -(xmlCharEncInput): -(xmlCharEncOutput): -* xmlIO.c: -(xmlOutputBufferWriteEscape): -- Remove code that subtracts 1 from the return value of - xmlBufAvail(). It was implemented inconsistently anyway. - -Reference:https://github.com/GNOME/libxml2/commit/c14cac8bbabdfbcd23b45dcb0901f1bd951159a4 -Conflict:NA - ---- - buf.c | 9 +++++---- - encoding.c | 14 ++++---------- - xmlIO.c | 2 +- - 3 files changed, 10 insertions(+), 15 deletions(-) - -diff --git a/buf.c b/buf.c -index d341750..f896826 100644 ---- a/buf.c -+++ b/buf.c -@@ -689,10 +689,11 @@ xmlBufUse(const xmlBufPtr buf) - * @buf: the buffer - * - * Function to find how much free space is allocated but not -- * used in the buffer. It does not account for the terminating zero -- * usually needed -+ * used in the buffer. It reserves one byte for the NUL -+ * terminator character that is usually needed, so there is -+ * no need to subtract 1 from the result anymore. - * -- * Returns the amount or 0 if none or an error occurred -+ * Returns the amount, or 0 if none or if an error occurred. - */ - - size_t -@@ -702,7 +703,7 @@ xmlBufAvail(const xmlBufPtr buf) - return 0; - CHECK_COMPAT(buf) - -- return(buf->size - buf->use); -+ return((buf->size > buf->use) ? (buf->size - buf->use - 1) : 0); - } - - /** -diff --git a/encoding.c b/encoding.c -index c14c9ff..8ce407f 100644 ---- a/encoding.c -+++ b/encoding.c -@@ -2177,7 +2177,7 @@ xmlCharEncFirstLineInput(xmlParserInputBufferPtr input, int len) - toconv = xmlBufUse(in); - if (toconv == 0) - return (0); -- written = xmlBufAvail(out) - 1; /* count '\0' */ -+ written = xmlBufAvail(out); - /* - * echo '' | wc -c => 38 - * 45 chars should be sufficient to reach the end of the encoding -@@ -2195,7 +2195,7 @@ xmlCharEncFirstLineInput(xmlParserInputBufferPtr input, int len) - } - if (toconv * 2 >= written) { - xmlBufGrow(out, toconv * 2); -- written = xmlBufAvail(out) - 1; -+ written = xmlBufAvail(out); - } - if (written > 360) - written = 360; -@@ -2287,13 +2287,9 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush) - if ((toconv > 64 * 1024) && (flush == 0)) - toconv = 64 * 1024; - written = xmlBufAvail(out); -- if (written > 0) -- written--; /* count '\0' */ - if (toconv * 2 >= written) { - xmlBufGrow(out, toconv * 2); - written = xmlBufAvail(out); -- if (written > 0) -- written--; /* count '\0' */ - } - if ((written > 128 * 1024) && (flush == 0)) - written = 128 * 1024; -@@ -2475,8 +2471,6 @@ xmlCharEncOutput(xmlOutputBufferPtr output, int init) - retry: - - written = xmlBufAvail(out); -- if (written > 0) -- written--; /* count '\0' */ - - /* - * First specific handling of the initialization call -@@ -2505,7 +2499,7 @@ retry: - toconv = 64 * 1024; - if (toconv * 4 >= written) { - xmlBufGrow(out, toconv * 4); -- written = xmlBufAvail(out) - 1; -+ written = xmlBufAvail(out); - } - if (written > 256 * 1024) - written = 256 * 1024; -@@ -2580,7 +2574,7 @@ retry: - "&#%d;", cur); - xmlBufShrink(in, len); - xmlBufGrow(out, charrefLen * 4); -- c_out = xmlBufAvail(out) - 1; -+ c_out = xmlBufAvail(out); - c_in = charrefLen; - ret = xmlEncOutputChunk(output->encoder, xmlBufEnd(out), &c_out, - charref, &c_in); -diff --git a/xmlIO.c b/xmlIO.c -index 007144c..3f5307f 100644 ---- a/xmlIO.c -+++ b/xmlIO.c -@@ -3560,7 +3560,7 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str, - * how many bytes to consume and how many bytes to store. - */ - cons = len; -- chunk = xmlBufAvail(out->buffer) - 1; -+ chunk = xmlBufAvail(out->buffer); - - /* - * make sure we have enough room to save first, if this is --- -2.27.0 - diff --git a/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch b/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch deleted file mode 100644 index 70325cdb9c9dbbd843bb2a300d869a28fd9033cf..0000000000000000000000000000000000000000 --- a/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 0bd4e4e032d57ecf982b57312eb6136efdd35d56 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Wed, 21 Dec 2022 19:21:30 -0800 -Subject: [PATCH] xmlParseStartTag2() contains typo when checking for default - definitions for an attribute in a namespace - -* parser.c: -(xmlParseStartTag2): -- Fix index into defaults->values. It is only correct the first - time through the loop when i == 0. - -Fixes #467.. - -Reference:https://github.com/GNOME/libxml2/commit/0bd4e4e032d57ecf982b57312eb6136efdd35d56 -Conflict:NA ---- - parser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index f13287a..2207404 100644 ---- a/parser.c -+++ b/parser.c -@@ -9561,7 +9561,7 @@ next_attr: - if (j <= nbNs) continue; - - nsname = xmlGetNamespace(ctxt, attname); -- if (nsname != defaults->values[2]) { -+ if (nsname != defaults->values[5 * i + 2]) { - if (nsPush(ctxt, attname, - defaults->values[5 * i + 2]) > 0) - nbNs++; --- -2.27.0 - diff --git a/backport-xmlValidatePopElement-can-return-invalid-value-1.patch b/backport-xmlValidatePopElement-can-return-invalid-value-1.patch deleted file mode 100644 index 2b1bb4802947cca2af0900ae6448277bf9b1649c..0000000000000000000000000000000000000000 --- a/backport-xmlValidatePopElement-can-return-invalid-value-1.patch +++ /dev/null @@ -1,122 +0,0 @@ -From cb1b8b8516ade9add9f63fa0e39eaa3bc7034828 Mon Sep 17 00:00:00 2001 -From: David Kilzer -Date: Mon, 10 Apr 2023 13:06:18 -0700 -Subject: [PATCH] xmlValidatePopElement() can return invalid value (-1) - -Covered by: test/VC/ElementValid5 - -This only affects XML Reader API with LIBXML_REGEXP_ENABLED and -LIBXML_VALID_ENABLED turned on. - -* result/VC/ElementValid5.rdr: -- Update result to add missing error message. - -* python/tests/reader2.py: -* result/VC/ElementValid6.rdr: -* result/VC/ElementValid7.rdr: -* result/valid/781333.xml.err.rdr: -- Update result to fix grammar issue. - -* valid.c: -(xmlValidatePopElement): -- Check return value of xmlRegExecPushString() to handle -1, and - assign 'ret = 0;' to return 0 from xmlValidatePopElement(). - This change affects xmlTextReaderValidatePop() from - xmlreader.c. -- Fix grammar of error message by changing 'child' to - 'children'. - -Reference:https://github.com/GNOME/libxml2/commit/cb1b8b8516ade9add9f63fa0e39eaa3bc7034828 -Conflict:python/tests/reader2.py - ---- - python/tests/reader2.py | 2 +- - result/VC/ElementValid5.rdr | 3 +++ - result/VC/ElementValid6.rdr | 2 +- - result/VC/ElementValid7.rdr | 2 +- - result/valid/781333.xml.err.rdr | 2 +- - valid.c | 5 +++-- - 6 files changed, 10 insertions(+), 6 deletions(-) - -diff --git a/python/tests/reader2.py b/python/tests/reader2.py -index b50180d..b581674 100755 ---- a/python/tests/reader2.py -+++ b/python/tests/reader2.py -@@ -39,7 +39,7 @@ value - """../../test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got - - ^ --../../test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child -+../../test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more children - - ^ - """, -diff --git a/result/VC/ElementValid5.rdr b/result/VC/ElementValid5.rdr -index 899d759..91eef9c 100644 ---- a/result/VC/ElementValid5.rdr -+++ b/result/VC/ElementValid5.rdr -@@ -4,3 +4,6 @@ - ./test/VC/ElementValid5:8: element doc: validity error : Element doc content does not follow the DTD, Misplaced b - - ^ -+./test/VC/ElementValid5:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more children -+ -+^ -diff --git a/result/VC/ElementValid6.rdr b/result/VC/ElementValid6.rdr -index aeafd6b..3b51d1a 100644 ---- a/result/VC/ElementValid6.rdr -+++ b/result/VC/ElementValid6.rdr -@@ -1,6 +1,6 @@ - ./test/VC/ElementValid6:7: element doc: validity error : Element doc content does not follow the DTD, expecting (a , b? , c+)?, got (a b) - lacks c - ^ --./test/VC/ElementValid6:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more child -+./test/VC/ElementValid6:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more children - - ^ -diff --git a/result/VC/ElementValid7.rdr b/result/VC/ElementValid7.rdr -index f001fd2..ecafd1d 100644 ---- a/result/VC/ElementValid7.rdr -+++ b/result/VC/ElementValid7.rdr -@@ -1,6 +1,6 @@ - ./test/VC/ElementValid7:7: element doc: validity error : Element doc content does not follow the DTD, expecting ((a | b)* , c+ , a , b? , c , a?), got (a b a c c a) - - ^ --./test/VC/ElementValid7:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more child -+./test/VC/ElementValid7:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more children - - ^ -diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr -index 5ff5699..dd9df08 100644 ---- a/result/valid/781333.xml.err.rdr -+++ b/result/valid/781333.xml.err.rdr -@@ -1,6 +1,6 @@ - ./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got - - ^ --./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child -+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more children - - ^ -diff --git a/valid.c b/valid.c -index 3c0a869..92aaedb 100644 ---- a/valid.c -+++ b/valid.c -@@ -6012,11 +6012,12 @@ xmlValidatePopElement(xmlValidCtxtPtr ctxt, xmlDocPtr doc ATTRIBUTE_UNUSED, - if (elemDecl->etype == XML_ELEMENT_TYPE_ELEMENT) { - if (state->exec != NULL) { - ret = xmlRegExecPushString(state->exec, NULL, NULL); -- if (ret == 0) { -+ if (ret <= 0) { - xmlErrValidNode(ctxt, state->node, - XML_DTD_CONTENT_MODEL, -- "Element %s content does not follow the DTD, Expecting more child\n", -+ "Element %s content does not follow the DTD, Expecting more children\n", - state->node->name, NULL,NULL); -+ ret = 0; - } else { - /* - * previous validation errors should not generate --- -2.27.0 - diff --git a/backport-xmllint-Fix-memory-leak-with-pattern-stream.patch b/backport-xmllint-Fix-memory-leak-with-pattern-stream.patch deleted file mode 100644 index ee74c69add439df40eba5770211422c878c6863b..0000000000000000000000000000000000000000 --- a/backport-xmllint-Fix-memory-leak-with-pattern-stream.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 64b76f8163d3608f9881b4de23dcc06530ba9323 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Mar 2023 13:17:20 +0100 -Subject: [PATCH] xmllint: Fix memory leak with --pattern --stream - -Fixes #499. - -Reference:https://github.com/GNOME/libxml2/commit/64b76f8163d3608f9881b4de23dcc06530ba9323 -Conflict:NA - ---- - xmllint.c | 9 --------- - 1 file changed, 9 deletions(-) - -diff --git a/xmllint.c b/xmllint.c -index ee6bfdc..c79b8e9 100644 ---- a/xmllint.c -+++ b/xmllint.c -@@ -1848,15 +1848,6 @@ static void streamFile(char *filename) { - #endif - reader = xmlReaderForFile(filename, NULL, options); - #ifdef LIBXML_PATTERN_ENABLED -- if (pattern != NULL) { -- patternc = xmlPatterncompile((const xmlChar *) pattern, NULL, 0, NULL); -- if (patternc == NULL) { -- xmlGenericError(xmlGenericErrorContext, -- "Pattern %s failed to compile\n", pattern); -- progresult = XMLLINT_ERR_SCHEMAPAT; -- pattern = NULL; -- } -- } - if (patternc != NULL) { - patstream = xmlPatternGetStreamCtxt(patternc); - if (patstream != NULL) { --- -2.27.0 - diff --git a/backport-xmllint-Fix-use-after-free-with-maxmem.patch b/backport-xmllint-Fix-use-after-free-with-maxmem.patch deleted file mode 100644 index 195a1adfe063e672073be4b0b1d9127d66da558d..0000000000000000000000000000000000000000 --- a/backport-xmllint-Fix-use-after-free-with-maxmem.patch +++ /dev/null @@ -1,93 +0,0 @@ -From d7daf9fd967ad7fcd509e6355f12f824327f07a4 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Mar 2023 13:02:36 +0100 -Subject: [PATCH] xmllint: Fix use-after-free with --maxmem - -Fixes #498. - -Reference:https://github.com/GNOME/libxml2/commit/d7daf9fd967ad7fcd509e6355f12f824327f07a4 -Conflict:include/libxml/xmlmemory.h - - ---- - include/libxml/xmlmemory.h | 2 ++ - xmllint.c | 15 ++++++--------- - xmlmemory.c | 21 +++++++++++++++++++++ - 3 files changed, 29 insertions(+), 9 deletions(-) - -diff --git a/include/libxml/xmlmemory.h b/include/libxml/xmlmemory.h -index 17e375a..0a5f3eb 100644 ---- a/include/libxml/xmlmemory.h -+++ b/include/libxml/xmlmemory.h -@@ -137,6 +137,8 @@ XMLPUBFUN void XMLCALL - /* - * These are specific to the XML debug memory wrapper. - */ -+XMLPUBFUN size_t -+ xmlMemSize (void *ptr); - XMLPUBFUN int XMLCALL - xmlMemUsed (void); - XMLPUBFUN int XMLCALL -diff --git a/xmllint.c b/xmllint.c -index fd43893..a17aa07 100644 ---- a/xmllint.c -+++ b/xmllint.c -@@ -358,17 +358,14 @@ myMallocFunc(size_t size) - static void * - myReallocFunc(void *mem, size_t size) - { -- void *ret; -+ size_t oldsize = xmlMemSize(mem); - -- ret = xmlMemRealloc(mem, size); -- if (ret != NULL) { -- if (xmlMemUsed() > maxmem) { -- OOM(); -- xmlMemFree(ret); -- return (NULL); -- } -+ if (xmlMemUsed() + size - oldsize > (size_t) maxmem) { -+ OOM(); -+ return (NULL); - } -- return (ret); -+ -+ return (xmlMemRealloc(mem, size)); - } - static char * - myStrdupFunc(const char *str) -diff --git a/xmlmemory.c b/xmlmemory.c -index c51f49a..469fcfb 100644 ---- a/xmlmemory.c -+++ b/xmlmemory.c -@@ -573,6 +573,27 @@ xmlMemoryStrdup(const char *str) { - return(xmlMemStrdupLoc(str, "none", 0)); - } - -+/** -+ * xmlMemSize: -+ * @ptr: pointer to the memory allocation -+ * -+ * Returns the size of a memory allocation. -+ */ -+ -+size_t -+xmlMemSize(void *ptr) { -+ MEMHDR *p; -+ -+ if (ptr == NULL) -+ return(0); -+ -+ p = CLIENT_2_HDR(ptr); -+ if (p->mh_tag != MEMTAG) -+ return(0); -+ -+ return(p->mh_size); -+} -+ - /** - * xmlMemUsed: - * --- -2.27.0 - diff --git a/backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch b/backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch deleted file mode 100644 index a93ee724d594a73898d1edd63bf96f9abfdddc6d..0000000000000000000000000000000000000000 --- a/backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 524654ed3c85e356261fc52533d86d43005a0420 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 26 Feb 2023 17:19:47 +0100 -Subject: [PATCH] xpath: Fix harmless integer overflow in - xmlXPathTranslateFunction - - -Reference:https://github.com/GNOME/libxml2/commit/524654ed3c85e356261fc52533d86d43005a0420 -Conflict:NA ---- - xpath.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xpath.c b/xpath.c -index b6a3983..d17ad5e 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -9351,7 +9351,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { - xmlXPathObjectPtr to; - xmlBufPtr target; - int offset, max; -- xmlChar ch; -+ int ch; - const xmlChar *point; - xmlChar *cptr; - --- -2.27.0 - diff --git a/backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch b/backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch deleted file mode 100644 index e79886a1c391cbdebe0d796505fc4891b96131e5..0000000000000000000000000000000000000000 --- a/backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 6273df6c6d84b6be8a62a62abf1d9b79cc2035f8 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 30 May 2023 12:30:27 +0200 -Subject: [PATCH] xpath: Ignore entity ref nodes when computing node hash - -XPath queries only work reliably if entities are substituted. -Nevertheless, it's possible to query a document with entity reference -nodes. xmllint even deletes entities when the `--dropdtd` option is -passed, resulting in dangling pointers, so it's best to skip entity -reference nodes to avoid a use-after-free. - -Fixes #550. - -Reference:https://github.com/GNOME/libxml2/commit/6273df6c6d84b6be8a62a62abf1d9b79cc2035f8 -Conflict:NA - ---- - xpath.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 3d1ca71..3128efb 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -6396,11 +6396,12 @@ xmlXPathNodeValHash(xmlNodePtr node) { - /* - * Skip to next node - */ -- if ((tmp->children != NULL) && (tmp->type != XML_DTD_NODE)) { -- if (tmp->children->type != XML_ENTITY_DECL) { -- tmp = tmp->children; -- continue; -- } -+ if ((tmp->children != NULL) && -+ (tmp->type != XML_DTD_NODE) && -+ (tmp->type != XML_ENTITY_REF_NODE) && -+ (tmp->children->type != XML_ENTITY_DECL)) { -+ tmp = tmp->children; -+ continue; - } - if (tmp == node) - break; --- -2.27.0 - diff --git a/backport-xpath-number-should-return-NaN.patch b/backport-xpath-number-should-return-NaN.patch deleted file mode 100644 index e964c368d0891a3432ddb9698ae5a32a0509039c..0000000000000000000000000000000000000000 --- a/backport-xpath-number-should-return-NaN.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 608c65bb8ebfc12763aee1cc1f3778e17d71596e Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 18 Jan 2023 15:15:41 +0100 -Subject: [PATCH] xpath: number('-') should return NaN - -Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81 - -Reference:https://github.com/GNOME/libxml2/commit/608c65bb8ebfc12763aee1cc1f3778e17d71596e -Conflict:NA ---- - result/XPath/expr/functions | 4 ++++ - test/XPath/expr/functions | 1 + - xpath.c | 6 +++--- - 3 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/result/XPath/expr/functions b/result/XPath/expr/functions -index e09eb4a..4ff9c58 100644 ---- a/result/XPath/expr/functions -+++ b/result/XPath/expr/functions -@@ -19,6 +19,10 @@ Object is a number : NaN - Expression: -number('abc') - Object is a number : NaN - -+======================== -+Expression: number('-') -+Object is a number : NaN -+ - ======================== - Expression: floor(0.1) - Object is a number : 0 -diff --git a/test/XPath/expr/functions b/test/XPath/expr/functions -index 00b9461..6008a07 100644 ---- a/test/XPath/expr/functions -+++ b/test/XPath/expr/functions -@@ -3,6 +3,7 @@ false() - number("1.5") - number('abc') - -number('abc') -+number('-') - floor(0.1) - floor(-0.1) - floor(-0) -diff --git a/xpath.c b/xpath.c -index 85d7919..fbec21b 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -9987,13 +9987,13 @@ xmlXPathStringEvalNumber(const xmlChar *str) { - #endif - if (cur == NULL) return(0); - while (IS_BLANK_CH(*cur)) cur++; -- if ((*cur != '.') && ((*cur < '0') || (*cur > '9')) && (*cur != '-')) { -- return(xmlXPathNAN); -- } - if (*cur == '-') { - isneg = 1; - cur++; - } -+ if ((*cur != '.') && ((*cur < '0') || (*cur > '9'))) { -+ return(xmlXPathNAN); -+ } - - #ifdef __GNUC__ - /* --- -2.27.0 - diff --git a/backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch b/backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch deleted file mode 100644 index 887dec080f4bc1b2a22a07d22555d15ad9a1f67c..0000000000000000000000000000000000000000 --- a/backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 1a6a9d6878ed00265941939adc468a517cd5ef36 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 14 Mar 2023 14:19:03 +0100 -Subject: [PATCH] xzlib: Fix implicit sign change in xz_open - - -Reference:https://github.com/GNOME/libxml2/commit/1a6a9d6878ed00265941939adc468a517cd5ef36 -Conflict:NA - ---- - xzlib.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/xzlib.c b/xzlib.c -index 9a34738..8d75590 100644 ---- a/xzlib.c -+++ b/xzlib.c -@@ -139,6 +139,7 @@ static xzFile - xz_open(const char *path, int fd, const char *mode ATTRIBUTE_UNUSED) - { - xz_statep state; -+ off_t offset; - - /* allocate xzFile structure to return */ - state = xmlMalloc(sizeof(xz_state)); -@@ -173,9 +174,11 @@ xz_open(const char *path, int fd, const char *mode ATTRIBUTE_UNUSED) - } - - /* save the current position for rewinding (only if reading) */ -- state->start = lseek(state->fd, 0, SEEK_CUR); -- if (state->start == (uint64_t) - 1) -+ offset = lseek(state->fd, 0, SEEK_CUR); -+ if (offset == -1) - state->start = 0; -+ else -+ state->start = offset; - - /* initialize stream */ - xz_reset(state); --- -2.27.0 - diff --git a/bundle.json b/bundle.json index 5018953c7a62cce5233a164327845d093b36821c..836eb2b9eac0177b1fc6ba50c3d33ca1a8faf21a 100644 --- a/bundle.json +++ b/bundle.json @@ -32,14 +32,14 @@ "name": "//third_party/libxml2:libxml2", "header": { "header_files": [], - "header_base": "${root_gen_dir}/third_party/libxml2/libxml2-2.9.14/include" + "header_base": "${root_gen_dir}/third_party/libxml2/libxml2-2.14.0/include" } }, { "name": "//third_party/libxml2:static_libxml2", "header": { "header_files": [], - "header_base": "${root_gen_dir}/third_party/libxml2/libxml2-2.9.14/include" + "header_base": "${root_gen_dir}/third_party/libxml2/libxml2-2.14.0/include" } } ], diff --git a/config_linux.json b/config_linux.json index ce9a1f2bb1e81a3037a2406801fa104c06edfdfd..c756dab332819858d2e19a4dc1ae6cc04ec65cdf 100755 --- a/config_linux.json +++ b/config_linux.json @@ -50,14 +50,14 @@ "PACKAGE":"libxml2", "PACKAGE_BUGREPORT":"xml@gnome.org", "PACKAGE_NAME":"libxml2", - "PACKAGE_STRING":"libxml2 2.9.14", + "PACKAGE_STRING":"libxml2 2.14.0", "PACKAGE_TARNAME":"libxml2", "PACKAGE_URL":"http://www.xmlsoft.org/", - "PACKAGE_VERSION":"2.9.14", + "PACKAGE_VERSION":"2.14.0", "SEND_ARG2_CAST":"", "STDC_HEADERS":"1", "VA_LIST_IS_ARRAY":"1", - "VERSION":"2.9.14", + "VERSION":"2.14.0", "XML_SOCKLEN_T":"socklen_t", "HAVE_ARPA_INET_H":"1", "HAVE_ARPA_NAMESER_H":1, @@ -73,5 +73,6 @@ "HAVE_RESOLV_H":"1", "HAVE_SYS_MMAN_H":"1", "HAVE_SYS_SELECT_H":"1", - "HAVE_SYS_SOCKET_H":"1" + "HAVE_SYS_SOCKET_H":"1", + "XML_SYSCONFDIR":"/usr/local/etc" } \ No newline at end of file diff --git a/config_win.json b/config_win.json index 0fe45a89e49e871c8e5c56a20f7a0144a380ec01..bb9e343730212769aec9e37a67a4c60c4ae35313 100755 --- a/config_win.json +++ b/config_win.json @@ -49,13 +49,14 @@ "PACKAGE":"libxml2", "PACKAGE_BUGREPORT":"xml@gnome.org", "PACKAGE_NAME":"libxml2", - "PACKAGE_STRING":"libxml2 2.9.14", + "PACKAGE_STRING":"libxml2 2.14.0", "PACKAGE_TARNAME":"libxml2", "PACKAGE_URL":"http://www.xmlsoft.org/", - "PACKAGE_VERSION":"2.9.14", + "PACKAGE_VERSION":"2.14.0", "SEND_ARG2_CAST":"(char*)", "STDC_HEADERS":"1", "VA_LIST_IS_ARRAY":"1", - "VERSION":"2.9.14", - "XML_SOCKLEN_T":"int" + "VERSION":"2.14.0", + "XML_SOCKLEN_T":"int", + "XML_SYSCONFDIR":"/etc" } \ No newline at end of file diff --git a/generate_header.py b/generate_header.py index fb2420c0308a72ae7e6bdddf266590e824400af3..9afe50fe14e2955d109244f0a6c0bced0078b025 100755 --- a/generate_header.py +++ b/generate_header.py @@ -64,7 +64,9 @@ class ConfigHeader: self.write_buffer.append(value) def write_file(self, file_path): + self.write_buffer.append("#define HAVE_SNPRINTF 1\n") with os.fdopen(os.open(file_path, os.O_WRONLY | os.O_CREAT, 0o755), 'w') as file: + file.truncate(0) file.writelines(self.write_buffer) @@ -99,6 +101,7 @@ class XmlVersionHeader: def write_file(self, file_path): with os.fdopen(os.open(file_path, os.O_WRONLY | os.O_CREAT, 0o755), 'w') as file: + file.truncate(0) file.writelines(self.write_buffer) if __name__ == "__main__": diff --git a/install.py b/install.py index c514fee10960834c7b8a2809b6d4aac252507d4f..35265c1c30917368d398fbd7c16d4812bb3289c3 100755 --- a/install.py +++ b/install.py @@ -48,195 +48,8 @@ def apply_patch(patch_file, target_dir): def do_patch(args, target_dir): patch_file = [ - "Fix-memleaks-in-xmlXIncludeProcessFlags.patch", - "backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch", - "Fix-memory-leaks-for-xmlACatalogAdd.patch", - "Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch", - "backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch", - "backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch", - "backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch", - "libxml2-multilib.patch", - "Fix-CVE-2023-25062.patch", - "Fix-CVE-2023-45322-pre.patch", - "Fix-CVE-2023-45322-first.patch", - "Fix-CVE-2023-45322-second.patch", - "backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch", - "backport-Properly-fold-whitespace-around-the-QName-value-when.patch", - "backport-Avoid-arithmetic-on-freed-pointers.patch", - "backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch", - "backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch", - "backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch", - "backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch", - "backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch", - "backport-xmlBufAvail-should-return-length-without-including-a.patch", - "backport-Fix-integer-overflow-in-xmlBufferDump.patch", - "backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch", - "backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch", - "backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch", - "backport-Don-t-reset-nsDef-when-changing-node-content.patch", - "backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch", - "backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch", - "backport-Reset-nsNr-in-xmlCtxtReset.patch", - "backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch", - "backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch", - "backport-Fix-HTML-parser-with-threads-and-without-legacy.patch", - "backport-Fix-xmlCtxtReadDoc-with-encoding.patch", - "backport-Use-xmlStrlen-in-CtxtReadDoc.patch", - "backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch", - "backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch", - "backport-Fix-memory-leak-with-invalid-XSD.patch", - "backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch", - "backport-Fix-overflow-check-in-SAX2.c.patch", - "backport-xinclude-Fix-memory-leak-when-fuzzing.patch", - "backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch", - "backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch", - "backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch", - "backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch", - "backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch", - "backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch", - "backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch", - "backport-uri-Allow-port-without-host.patch", - "backport-parser-Fix-consumed-accounting-when-switching-encodi.patch", - "backport-html-Fix-check-for-end-of-comment-in-push-parser.patch", - "backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch", - "backport-parser-Restore-parser-state-in-xmlParseCDSect.patch", - "backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch", - "backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch", - "backport-Correctly-relocate-internal-pointers-after-realloc.patch", - "backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch", - "backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch", - "backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch", - "backport-io-Remove-xmlInputReadCallbackNop.patch", - "backport-Revert-uri-Allow-port-without-host.patch", - "backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch", - "backport-parser-Fix-integer-overflow-of-input-ID.patch", - "backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch", - "backport-xpath-number-should-return-NaN.patch", - "backport-error-Don-t-move-past-current-position.patch", - "backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch", - "backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch", - "backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch", - "backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch", - "backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch", - "backport-malloc-fail-Fix-reallocation-in-inputPush.patch", - "backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch", - "backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch", - "backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch", - "backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch", - "backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch", - "backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch", - "backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch", - "backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch", - "backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch", - "backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch", - "backport-encoding-Cast-toupper-argument-to-unsigned-char.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch", - "backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch", - "backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch", - "backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch", - "backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch", - "backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch", - "backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch", - "backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch", - "backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch", - "backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch", - "backport-parser-Fix-OOB-read-when-formatting-error-message.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch", - "backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch", - "backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch", - "backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch", - "backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch", - "backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch", - "backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch", - "backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch", - "backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch", - "backport-catalog-Fix-memory-leaks.patch", - "backport-CVE-2023-29469.patch", - "backport-CVE-2023-28484.patch", - "backport-valid-Allow-xmlFreeValidCtxt-NULL.patch", - "backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch", - "backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch", - "backport-xmllint-Fix-memory-leak-with-pattern-stream.patch", - "backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch", - "backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch", - "backport-valid-Make-xmlValidateElement-non-recursive.patch", - "backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch", - "backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch", - "backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch", - "backport-parser-Limit-name-length-in-xmlParseEncName.patch", - "backport-encoding-Fix-error-code-in-asciiToUTF8.patch", - "backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch", - "backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch", - "backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch", - "backport-regexp-Fix-checks-for-eliminated-transitions.patch", - "backport-regexp-Fix-determinism-checks.patch", - "backport-regexp-Fix-mistake-in-previous-commit.patch", - "backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch", - "backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch", - "backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch", - "backport-xmllint-Fix-use-after-free-with-maxmem.patch", - "backport-malloc-fail-Check-for-malloc-failures-when-creating.patch", - "backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch", - "backport-xmlValidatePopElement-can-return-invalid-value-1.patch", - "backport-Fix-use-after-free-in-xmlParseContentInternal.patch", - "backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch", - "backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch", - "backport-SAX-Always-initialize-SAX1-element-handlers.patch", - "Fix-malloc-fail.patch", - "Fix-CVE-2024-34459.patch", - "Fix-CVE-2024-56171.patch", - "Fix-CVE-2025-24928.patch", - "Fix-CVE-2025-27113.patch", - "Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch", - "Fix-CVE-2019-19956.patch", - "Fix-CVE-2025-32414.patch", - "Fix-CVE-2025-32415.patch" + "Backport-CVE-2025-32414-python-Read-at-most-len-4-ch-c.patch", + "Backport-CVE-2025-32415-schemas-Fix-heap-buffer-over-c.patch" ] for patch in patch_file: @@ -249,8 +62,8 @@ def main(): libpng_path.add_argument('--gen-dir', help='generate path of libxml2') libpng_path.add_argument('--source-file', help='libxml2 source compressed dir') args = libpng_path.parse_args() - tar_file_path = os.path.join(args.source_file, "libxml2-2.9.14.tar.xz") - target_dir = os.path.join(args.gen_dir, "libxml2-2.9.14") + tar_file_path = os.path.join(args.source_file, "libxml2-2.14.0.tar.xz") + target_dir = os.path.join(args.gen_dir, "libxml2-2.14.0") untar_file(tar_file_path, target_dir, args) do_patch(args, target_dir) return 0 diff --git a/libxml2-2.14.0.tar.xz b/libxml2-2.14.0.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..aae6c8cc5d0f0297f56afed85082629f3cc9dbe0 Binary files /dev/null and b/libxml2-2.14.0.tar.xz differ diff --git a/libxml2-2.9.14.tar.xz b/libxml2-2.9.14.tar.xz deleted file mode 100755 index b0ecdbc4942276b99f6c7d93c24af5d651b12f0e..0000000000000000000000000000000000000000 Binary files a/libxml2-2.9.14.tar.xz and /dev/null differ diff --git a/libxml2-multilib.patch b/libxml2-multilib.patch deleted file mode 100755 index be907f6333532d3bcaca514101ba2aaa3f58eb72..0000000000000000000000000000000000000000 --- a/libxml2-multilib.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/xml2-config.in b/xml2-config.in -index 5863ffa..47f205e 100644 ---- a/xml2-config.in -+++ b/xml2-config.in -@@ -3,7 +3,12 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ - includedir=@includedir@ --libdir=@libdir@ -+if [ "`ldd /bin/sh | grep lib64`" = "" ] -+then -+ libdir=${exec_prefix}/lib -+else -+ libdir=${exec_prefix}/lib64 -+fi - cflags= - libs= - diff --git a/libxml2.spec b/libxml2.spec deleted file mode 100755 index 43fb830fd03d0a751c7c300c66f25b6025345637..0000000000000000000000000000000000000000 --- a/libxml2.spec +++ /dev/null @@ -1,566 +0,0 @@ -Summary: Library providing XML and HTML support -Name: libxml2 -Version: 2.9.14 -Release: 9 -License: MIT -Group: Development/Libraries -Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz - -Patch0: libxml2-multilib.patch -Patch1: Fix-memleaks-in-xmlXIncludeProcessFlags.patch -Patch2: Fix-memory-leaks-for-xmlACatalogAdd.patch -Patch3: Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch -Patch4: backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch -Patch5: backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch -Patch6: backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch -Patch7: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch - -Patch6000: backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch -Patch6001: backport-Properly-fold-whitespace-around-the-QName-value-when.patch -Patch6002: backport-Avoid-arithmetic-on-freed-pointers.patch -Patch6003: backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch -Patch6004: backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch -Patch6005: backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch -Patch6006: backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch -Patch6007: backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch -Patch6008: backport-xmlBufAvail-should-return-length-without-including-a.patch -Patch6009: backport-Fix-integer-overflow-in-xmlBufferDump.patch -Patch6010: backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch -Patch6011: backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch -Patch6012: backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch -Patch6013: backport-Don-t-reset-nsDef-when-changing-node-content.patch -Patch6014: backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch -Patch6015: backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch -Patch6016: backport-Reset-nsNr-in-xmlCtxtReset.patch -Patch6017: backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch -Patch6018: backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch -Patch6019: backport-Fix-HTML-parser-with-threads-and-without-legacy.patch -Patch6020: backport-Fix-xmlCtxtReadDoc-with-encoding.patch -Patch6021: backport-Use-xmlStrlen-in-CtxtReadDoc.patch -Patch6022: backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch -Patch6023: backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch -Patch6024: backport-Fix-memory-leak-with-invalid-XSD.patch -Patch6025: backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch -Patch6026: backport-Fix-overflow-check-in-SAX2.c.patch -Patch6027: backport-xinclude-Fix-memory-leak-when-fuzzing.patch -Patch6028: backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch -Patch6029: backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch -Patch6030: backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch -Patch6031: backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch -Patch6032: backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch -Patch6033: backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch -Patch6034: backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch -Patch6035: backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch -Patch6036: backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch -Patch6037: backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch -Patch6038: backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch -Patch6039: backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch -Patch6040: backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch -Patch6041: backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch -Patch6042: backport-uri-Allow-port-without-host.patch -Patch6043: backport-parser-Fix-consumed-accounting-when-switching-encodi.patch -Patch6044: backport-html-Fix-check-for-end-of-comment-in-push-parser.patch -Patch6045: backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch - -Patch6047: backport-parser-Restore-parser-state-in-xmlParseCDSect.patch -Patch6048: backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch -Patch6049: backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch -Patch6050: backport-Correctly-relocate-internal-pointers-after-realloc.patch -Patch6051: backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch -Patch6052: backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch -Patch6053: backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch -Patch6054: backport-io-Remove-xmlInputReadCallbackNop.patch -Patch6055: backport-Revert-uri-Allow-port-without-host.patch -Patch6056: backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch -Patch6057: backport-parser-Fix-integer-overflow-of-input-ID.patch -Patch6058: backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch -Patch6059: backport-xpath-number-should-return-NaN.patch -Patch6060: backport-error-Don-t-move-past-current-position.patch -Patch6061: backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch -Patch6062: backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch -Patch6063: backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch -Patch6064: backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch -Patch6065: backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch -Patch6066: backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch -Patch6067: backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch -Patch6068: backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch -Patch6069: backport-malloc-fail-Fix-reallocation-in-inputPush.patch -Patch6070: backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch -Patch6071: backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch -Patch6072: backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch -Patch6073: backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch -Patch6074: backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch -Patch6075: backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch -Patch6076: backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch -Patch6077: backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch -Patch6078: backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch -Patch6079: backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch -Patch6080: backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch -Patch6081: backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch -Patch6082: backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch -Patch6083: backport-encoding-Cast-toupper-argument-to-unsigned-char.patch -Patch6084: backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch -Patch6085: backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch -Patch6086: backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch -Patch6087: backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch -Patch6088: backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch -Patch6089: backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch -Patch6090: backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch -Patch6091: backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch -Patch6092: backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch -Patch6093: backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch -Patch6094: backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch -Patch6095: backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch -Patch6096: backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch -Patch6097: backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch -Patch6098: backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch -Patch6099: backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch -Patch6100: backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch -Patch6101: backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch -Patch6102: backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch -Patch6103: backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch -Patch6104: backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch -Patch6105: backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch -Patch6106: backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch -Patch6107: backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch -Patch6108: backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch -Patch6109: backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch -Patch6110: backport-parser-Fix-OOB-read-when-formatting-error-message.patch -Patch6111: backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch -Patch6112: backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch -Patch6113: backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch -Patch6114: backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch -Patch6115: backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch -Patch6116: backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch -Patch6117: backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch -Patch6118: backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch -Patch6119: backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch -Patch6120: backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch -Patch6121: backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch -Patch6122: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch -Patch6123: backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch -Patch6124: backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch -Patch6125: backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch -Patch6126: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch -Patch6127: backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch -Patch6128: backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch -Patch6129: backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch -Patch6130: backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch -Patch6131: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch -Patch6132: backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch -Patch6133: backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch -Patch6134: backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch -Patch6135: backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch -Patch6136: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch -Patch6137: backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch -Patch6138: backport-catalog-Fix-memory-leaks.patch - -Patch6139: backport-CVE-2023-29469.patch -Patch6140: backport-CVE-2023-28484.patch - -Patch6141: backport-valid-Allow-xmlFreeValidCtxt-NULL.patch -Patch6142: backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch -Patch6143: backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch -Patch6144: backport-xmllint-Fix-memory-leak-with-pattern-stream.patch -Patch6145: backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch -Patch6146: backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch -Patch6147: backport-valid-Make-xmlValidateElement-non-recursive.patch -Patch6148: backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch -Patch6149: backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch -Patch6150: backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch -Patch6151: backport-parser-Limit-name-length-in-xmlParseEncName.patch -Patch6152: backport-encoding-Fix-error-code-in-asciiToUTF8.patch -Patch6153: backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch -Patch6154: backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch -Patch6155: backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch -Patch6156: backport-regexp-Fix-checks-for-eliminated-transitions.patch -Patch6157: backport-regexp-Fix-determinism-checks.patch -Patch6158: backport-regexp-Fix-mistake-in-previous-commit.patch -Patch6159: backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch -Patch6160: backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch -Patch6161: backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch -Patch6162: backport-xmllint-Fix-use-after-free-with-maxmem.patch -Patch6163: backport-malloc-fail-Check-for-malloc-failures-when-creating.patch -Patch6164: backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch -Patch6165: backport-xmlValidatePopElement-can-return-invalid-value-1.patch -Patch6166: backport-Fix-use-after-free-in-xmlParseContentInternal.patch -Patch6167: backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch - -Patch6168: backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch -Patch6169: backport-SAX-Always-initialize-SAX1-element-handlers.patch -Patch6170: backport-CVE-2023-45322.patch - -BuildRoot: %{_tmppath}/%{name}-%{version}-root -BuildRequires: python3-devel -BuildRequires: zlib-devel -BuildRequires: pkgconfig -BuildRequires: xz-devel -BuildRequires: libtool -URL: http://xmlsoft.org/ - -%description -This library allows to manipulate XML files. It includes support -to read, modify and write XML and HTML files. There is DTDs support -this includes parsing and validation even with complex DtDs, either -at parse time or later once the document has been modified. The output -can be a simple SAX stream or and in-memory DOM like representations. -In this case one can use the built-in XPath and XPointer implementation -to select sub nodes or ranges. A flexible Input/Output mechanism is -available, with existing HTTP and FTP modules and combined to an -URI library. - -%package devel -Summary: Libraries, includes, etc. to develop XML and HTML applications -Group: Development/Libraries -Requires: libxml2 = %{version}-%{release} -Requires: zlib-devel -Requires: xz-devel -Requires: pkgconfig -Obsoletes: %{name}-static < %{version}-%{release} -Provides: %{name}-static - -%description devel -Libraries, include files, etc you can use to develop XML applications. -This library allows to manipulate XML files. It includes support -to read, modify and write XML and HTML files. There is DTDs support -this includes parsing and validation even with complex DtDs, either -at parse time or later once the document has been modified. The output -can be a simple SAX stream or and in-memory DOM like representations. -In this case one can use the built-in XPath and XPointer implementation -to select sub nodes or ranges. A flexible Input/Output mechanism is -available, with existing HTTP and FTP modules and combined to an -URI library. - -%package -n python3-%{name} -Summary: Python 3 bindings for the libxml2 library -Group: Development/Libraries -Requires: libxml2 = %{version}-%{release} -Obsoletes: %{name}-python3 < %{version}-%{release} -Provides: %{name}-python3 = %{version}-%{release} - -%description -n python3-%{name} -The libxml2-python3 package contains a Python 3 module that permits -applications written in the Python programming language, version 3, to use the -interface supplied by the libxml2 library to manipulate XML files. - -This library allows to manipulate XML files. It includes support -to read, modify and write XML and HTML files. There is DTDs support -this includes parsing and validation even with complex DTDs, either -at parse time or later once the document has been modified. - -%package help -Summary: Man page for libxml2 -BuildArch: noarch - -%description help -%{summary}. - - -%prep -%autosetup -n %{name}-%{version} -p1 - -mkdir py3doc -cp doc/*.py py3doc -sed -i 's|#!/usr/bin/python |#!%{__python3} |' py3doc/*.py - -%build -./autogen.sh -%configure -%make_build - -find doc -type f -exec chmod 0644 \{\} \; - -%install -%configure --with-python=%{__python3} -%make_install - -rm -f $RPM_BUILD_ROOT%{_libdir}/*.la -rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a -rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la -rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/* -rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/* -(cd doc/examples ; make clean ; rm -rf .deps Makefile) -gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz - -%check -make runtests - -%clean -rm -fr %{buildroot} - -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig - -%files -%defattr(-, root, root) - -%doc %{_datadir}/doc/libxml2 - -%{_libdir}/lib*.so.* -%{_bindir}/xmllint -%{_bindir}/xmlcatalog - -%files devel -%defattr(-, root, root) - -%doc NEWS README.md Copyright -%doc doc/*.html doc/html doc/*.gif doc/*.png -%doc doc/tutorial doc/libxml2-api.xml.gz -%doc doc/examples -%doc %dir %{_datadir}/gtk-doc/html/libxml2 -%doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp2 -%doc %{_datadir}/gtk-doc/html/libxml2/*.html -%doc %{_datadir}/gtk-doc/html/libxml2/*.png -%doc %{_datadir}/gtk-doc/html/libxml2/*.css - -%{_libdir}/lib*.so -%{_libdir}/*.sh -%{_includedir}/* -%{_bindir}/xml2-config -%{_datadir}/aclocal/libxml.m4 -%{_libdir}/pkgconfig/libxml-2.0.pc -%{_libdir}/cmake/libxml2/libxml2-config.cmake - -%{_libdir}/*a - -%files -n python3-%{name} -%defattr(-, root, root) - -%{_libdir}/python3*/site-packages/libxml2.py* -%{_libdir}/python3*/site-packages/drv_libxml2.py* -%{_libdir}/python3*/site-packages/__pycache__/*py* -%{_libdir}/python3*/site-packages/libxml2mod* -%doc python/TODO -%doc python/libxml2class.txt -%doc py3doc/*.py -%doc doc/python.html - -%files help -%doc %{_mandir}/man1/xml2-config.1* -%doc %{_mandir}/man1/xmllint.1* -%doc %{_mandir}/man1/xmlcatalog.1* -%doc %{_mandir}/man3/libxml.3* - - -%changelog -* Mon Oct 16 2023 BruceGW - 2.9.14-9 -- Type:CVE -- CVE:CVE-2023-45322 -- SUG:NA -- DESC:fix CVE-2023-45322 - -* Fri Sep 01 2023 liningjie - 2.9.14-8 -- SAX: Always initialize SAX1 element handlers - -* Mon Jun 19 2023 zhuofeng - 2.9.14-7 -- Type:bugfix -- CVE:NA -- SUG:NA -- DESC:revert parser-Fix-progress-check - -* Thu Jun 08 2023 zhuofeng - 2.9.14-6 -- Type:bugfix -- CVE:NA -- SUG:NA -- DESC:backport upstream patches - -* Thu Apr 20 2023 BruceGW - 2.9.14-5 -- Type:CVE -- CVE:CVE-2023-28484 CVE-2023-29469 -- SUG:NA -- DESC:fix CVE-2023-28484CVE-2023-29469 - -* Mon Nov 21 2022 fuanan - 2.9.14-4 -- Type:bugfix -- CVE:NA -- SUG:NA -- DESC:backport upstream patches - -* Tue Nov 08 2022 fuanan - 2.9.14-3 -- fix CVE-2022-40303 CVE-2022-40304 - -* Tue Sep 13 2022 fuanan - 2.9.14-2 -- Fix Obsoletes in spec - -* Wed Jul 13 2022 fuanan - 2.9.14-1 -- Type:enhancement -- ID:NA -- SUG:NA -- DESC:Upgrade to upstream v2.9.14 and Cleanup duplicate installation - -* Fri Jun 24 2022 fuanan - 2.9.12-8 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:Fix memory leaks in xmlACatalogAdd when xmlHashAddEntry failed - -* Thu Jun 16 2022 fuanan - 2.9.12-7 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:Fix memory leaks for xmlACatalogAdd - -* Mon May 09 2022 fuanan - 2.9.12-6 -- Type:CVE -- ID:CVE-2022-29824 -- SUG:NA -- DESC:fix CVE-2022-29824 - -* Wed Mar 09 2022 fuanan - 2.9.12-5 -- Type:CVE -- ID:CVE-2022-23308 -- SUG:NA -- DESC:fix CVE-2022-23308 - -* Sat Feb 12 2022 fuanan - 2.9.12-4 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild - -* Fri Nov 12 2021 panxiaohe - 2.9.12-3 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:add backport bug fixes. - work around lxml API abuse - fix regression in xmlNodeDumpOutputInternal - fix whitespace when serializing empty HTML documents - forbid epsilon-reduction of final states - fix buffering in xmlOutputBufferWrite - -* Thu Nov 11 2021 panxiaohe - 2.9.12-2 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:fix heap-use-after-free in xmlAddNextSibling and xmlAddChild - -* Wed Nov 10 2021 Zhipeng Xie - 2.9.12-1 -- Type:enhancement -- ID:NA -- SUG:NA -- DESC:upgrade to upstream v2.9.12 - -* Tue Nov 9 2021 panxiaohe - 2.9.10-19 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:fix memleaks in xmlXIncludeProcessFlags - -* Sat Oct 30 2021 huangduirong - 2.9.10-18 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:fix fuzz issues, fix null-deref in xmlSchemaGetComponentTargetNs - -* Sat Oct 23 2021 panxiaohe - 2.9.10-17 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:fix fuzz issues - fix memory leaks in XPointer string-range function - fix null pointer deref in xmlXPtrRangeInsideFunction - stop using maxParserDepth in xpath.c - hardcode maximum XPath recursion depth - fix XPath recursion limit - -* Thu Oct 21 2021 panxiaohe - 2.9.10-16 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:fix fuzz issues - fix heap-use-after-free in xmlXIncludeIncludeNode - fix stack overflow in xmlDocDumpMemory - fix stack overflow in htmlDocContentDumpOutput - -* Wed Jun 2 2021 guoxiaoqi - 2.9.10-15 -- Type:CVE -- ID:CVE-2021-3541 -- SUG:NA -- DESC:fix CVE-2021-3541 - -* Sat May 29 2021 zoulin - 2.9.10-14 -- Type:bugfix -- ID:NA -- SUG:NA -- DESC:[add] patches from upstream - Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch - Fix-line-numbers-in-error-messages-for-mismatched-ta.patch - Fix-null-deref-in-legacy-SAX1-parser.patch - update-for-xsd-language-type-check.patch - Fix-dangling-pointer-with-xmllint-dropdtd.patch - Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch - Fix-exponential-behavior-with-recursive-entities.patch - Fix-quadratic-behavior-when-looking-up-xml-attribute.patch - Fix-use-after-free-with-xmllint-html-push.patch - Fix-xmlGetNodePath-with-invalid-node-types.patch - Stop-checking-attributes-for-UTF-8-validity.patch - -* Fri May 28 2021 guoxiaoqi - 2.9.10-13 -- Type:CVE -- ID:CVE-2021-3517, CVE-2021-3518 -- SUG:NA -- DESC:fix CVE-2021-3517 and CVE-2021-3518 - -* Wed May 26 2021 yangkang - 2.9.10-12 -- Type:CVE -- ID:CVE-2021-3537 -- SUG:NA -- DESC:fix CVE-2021-3537 - -* Tue Mar 2 2021 Lirui - 2.9.10-11 -- fix problems detected by oss-fuzz test - -* Thu Nov 12 2020 Liquor - 2.9.10-10 -- fix problems detected by oss-fuzz test - -* Thu Oct 29 2020 panxiaohe - 2.9.10-9 -- remove subpackage python2-libxml2 - -* Mon Sep 14 2020 yangzhuangzhuang - 2.9.10-8 -- revert Don-t-try-to-handle-namespaces-when-building-HTML-do.patch. - rubygem-nokogoro test case fail,because this patch remove xml namespace function. - -* Thu Sep 10 2020 yangzhuangzhuang - 2.9.10-7 -- Fixed some issues found in fuzzing testcases - -* Fri Aug 28 2020 zoulin - 2.9.10-6 -- Fix more quadratic runtime issues in HTML push parse -- Fix reset HTML parser input before reporting error - -* Wed Aug 12 2020 Liquor - 2.9.10-5 -- Limit regexp nesting depth -- Fix exponential runtime in xmlFARecurseDeterminism - -* Mon Aug 3 2020 Liquor - 2.9.10-4 -- Fix integer overflow in xmlFAParseQuantExact - -* Tue Jul 28 2020 shenyangyang - 2.9.10-3 -- Fix-use-after-free-with-validating-reader and - Never-expand-parameter-entities-in-text-declaration - -* Fri Jul 3 2020 wangchen - 2.9.10-2 -- Sync some patches from community - -* Fri Apr 24 2020 BruceGW - 2.9.10-1 -- update upstream to 2.9.10 - -* Tue Mar 17 2020 Leo Fang - 2.9.8-9 -- Sync some patches from community - -* Thu Dec 19 2019 openEuler Buildteam - 2.9.8-8 -- Delete unused infomation - -* Tue Sep 24 2019 openEuler Buildteam - 2.9.8-7 -- Fix memory leak in xmlSchemaValidateStream - -* Fri Sep 20 2019 openEuler Buildteam - 2.9.8-6 -- Delete redundant information - -* Tue Sep 10 2019 openEuler Buildteam - 2.9.8-5 -- Delete epoch - -* Thu Sep 5 2019 openEuler Buildteam - 2.9.8-2 -- Backport upstream patches and merge static library to devel package -