From 72732a7434e34896304236e52bd6dd61adbc46d4 Mon Sep 17 00:00:00 2001 From: zhuofeng Date: Thu, 8 Jun 2023 11:26:54 +0800 Subject: [PATCH 1/6] backport upstream patches --- ...rt-io-Remove-xmlInputReadCallbackNop.patch | 116 ++++++++++++++++++ ...llint-Fix-use-after-free-with-maxmem.patch | 93 ++++++++++++++ libxml2.spec | 10 +- 3 files changed, 218 insertions(+), 1 deletion(-) create mode 100644 backport-io-Remove-xmlInputReadCallbackNop.patch create mode 100644 backport-xmllint-Fix-use-after-free-with-maxmem.patch diff --git a/backport-io-Remove-xmlInputReadCallbackNop.patch b/backport-io-Remove-xmlInputReadCallbackNop.patch new file mode 100644 index 0000000..a11a8f1 --- /dev/null +++ b/backport-io-Remove-xmlInputReadCallbackNop.patch @@ -0,0 +1,116 @@ +From ee6c6084e58ab114bddd06453790d22b08e45d93 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 13 Nov 2022 16:30:46 +0100 +Subject: [PATCH] io: Remove xmlInputReadCallbackNop + +In some cases, for example when using encoders, the read callback was +set to NULL, in other cases it was set to xmlInputReadCallbackNop. +xmlGROW only tested for xmlInputReadCallbackNop, resulting in errors +when parsing large encoded content from memory. + +Always use a NULL callback for memory buffers to avoid ambiguities. + +Fixes #262. + +Reference:https://github.com/GNOME/libxml2/commit/46cd7d224ed5c4cdbd4f72ec899db24e18d21fe7 +Conflict:include/private/io.h, parserInternals.c + +--- + parser.c | 2 +- + parserInternals.c | 4 ++++ + xmlIO.c | 30 ++++-------------------------- + 3 files changed, 9 insertions(+), 27 deletions(-) + +diff --git a/parser.c b/parser.c +index 0d5bcc1..4af757e 100644 +--- a/parser.c ++++ b/parser.c +@@ -2136,7 +2136,7 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + if (((curEnd > XML_MAX_LOOKUP_LIMIT) || + (curBase > XML_MAX_LOOKUP_LIMIT)) && + ((ctxt->input->buf) && +- (ctxt->input->buf->readcallback != xmlInputReadCallbackNop)) && ++ (ctxt->input->buf->readcallback != NULL)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); + xmlHaltParser(ctxt); +diff --git a/parserInternals.c b/parserInternals.c +index c5c0b16..a418c63 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -320,6 +320,10 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + + return(0); + } ++ ++ if ((in->buf->encoder == NULL) && (in->buf->readcallback == NULL)) ++ return(0); ++ + if (in->buf->readcallback != NULL) { + ret = xmlParserInputBufferGrow(in->buf, len); + } else +diff --git a/xmlIO.c b/xmlIO.c +index 007144c..3546bd4 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -729,20 +729,6 @@ xmlCheckFilename (const char *path) + return 1; + } + +-/** +- * xmlInputReadCallbackNop: +- * +- * No Operation xmlInputReadCallback function, does nothing. +- * +- * Returns zero +- */ +-int +-xmlInputReadCallbackNop(void *context ATTRIBUTE_UNUSED, +- char *buffer ATTRIBUTE_UNUSED, +- int len ATTRIBUTE_UNUSED) { +- return(0); +-} +- + /** + * xmlFdRead: + * @context: the I/O context +@@ -2963,7 +2949,7 @@ xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) { + ret = xmlAllocParserInputBuffer(enc); + if (ret != NULL) { + ret->context = (void *) mem; +- ret->readcallback = xmlInputReadCallbackNop; ++ ret->readcallback = NULL; + ret->closecallback = NULL; + errcode = xmlBufAdd(ret->buffer, (const xmlChar *) mem, size); + if (errcode != 0) { +@@ -3267,10 +3253,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { + res = in->readcallback(in->context, &buffer[0], len); + if (res <= 0) + in->readcallback = endOfInput; +- } else { +- xmlIOErr(XML_IO_NO_INPUT, NULL); +- in->error = XML_IO_NO_INPUT; +- return(-1); ++ } else if (in->encoder == NULL) { ++ return(0); + } + if (res < 0) { + return(-1); +@@ -3337,13 +3321,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { + */ + int + xmlParserInputBufferRead(xmlParserInputBufferPtr in, int len) { +- if ((in == NULL) || (in->error)) return(-1); +- if (in->readcallback != NULL) +- return(xmlParserInputBufferGrow(in, len)); +- else if (xmlBufGetAllocationScheme(in->buffer) == XML_BUFFER_ALLOC_IMMUTABLE) +- return(0); +- else +- return(-1); ++ return(xmlParserInputBufferGrow(in, len)); + } + + #ifdef LIBXML_OUTPUT_ENABLED +-- +2.33.0 + diff --git a/backport-xmllint-Fix-use-after-free-with-maxmem.patch b/backport-xmllint-Fix-use-after-free-with-maxmem.patch new file mode 100644 index 0000000..195a1ad --- /dev/null +++ b/backport-xmllint-Fix-use-after-free-with-maxmem.patch @@ -0,0 +1,93 @@ +From d7daf9fd967ad7fcd509e6355f12f824327f07a4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Mar 2023 13:02:36 +0100 +Subject: [PATCH] xmllint: Fix use-after-free with --maxmem + +Fixes #498. + +Reference:https://github.com/GNOME/libxml2/commit/d7daf9fd967ad7fcd509e6355f12f824327f07a4 +Conflict:include/libxml/xmlmemory.h + + +--- + include/libxml/xmlmemory.h | 2 ++ + xmllint.c | 15 ++++++--------- + xmlmemory.c | 21 +++++++++++++++++++++ + 3 files changed, 29 insertions(+), 9 deletions(-) + +diff --git a/include/libxml/xmlmemory.h b/include/libxml/xmlmemory.h +index 17e375a..0a5f3eb 100644 +--- a/include/libxml/xmlmemory.h ++++ b/include/libxml/xmlmemory.h +@@ -137,6 +137,8 @@ XMLPUBFUN void XMLCALL + /* + * These are specific to the XML debug memory wrapper. + */ ++XMLPUBFUN size_t ++ xmlMemSize (void *ptr); + XMLPUBFUN int XMLCALL + xmlMemUsed (void); + XMLPUBFUN int XMLCALL +diff --git a/xmllint.c b/xmllint.c +index fd43893..a17aa07 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -358,17 +358,14 @@ myMallocFunc(size_t size) + static void * + myReallocFunc(void *mem, size_t size) + { +- void *ret; ++ size_t oldsize = xmlMemSize(mem); + +- ret = xmlMemRealloc(mem, size); +- if (ret != NULL) { +- if (xmlMemUsed() > maxmem) { +- OOM(); +- xmlMemFree(ret); +- return (NULL); +- } ++ if (xmlMemUsed() + size - oldsize > (size_t) maxmem) { ++ OOM(); ++ return (NULL); + } +- return (ret); ++ ++ return (xmlMemRealloc(mem, size)); + } + static char * + myStrdupFunc(const char *str) +diff --git a/xmlmemory.c b/xmlmemory.c +index c51f49a..469fcfb 100644 +--- a/xmlmemory.c ++++ b/xmlmemory.c +@@ -573,6 +573,27 @@ xmlMemoryStrdup(const char *str) { + return(xmlMemStrdupLoc(str, "none", 0)); + } + ++/** ++ * xmlMemSize: ++ * @ptr: pointer to the memory allocation ++ * ++ * Returns the size of a memory allocation. ++ */ ++ ++size_t ++xmlMemSize(void *ptr) { ++ MEMHDR *p; ++ ++ if (ptr == NULL) ++ return(0); ++ ++ p = CLIENT_2_HDR(ptr); ++ if (p->mh_tag != MEMTAG) ++ return(0); ++ ++ return(p->mh_size); ++} ++ + /** + * xmlMemUsed: + * +-- +2.27.0 + diff --git a/libxml2.spec b/libxml2.spec index 55da634..9ddd684 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.14 -Release: 5 +Release: 6 License: MIT Group: Development/Libraries Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz @@ -17,6 +17,8 @@ Patch7: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch Patch8: backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch Patch9: backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch +Patch10: backport-xmllint-Fix-use-after-free-with-maxmem.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel BuildRequires: zlib-devel @@ -171,6 +173,12 @@ rm -fr %{buildroot} %changelog +* Thu Jun 08 2023 zhuofeng - 2.9.14-6 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport upstream patches + * Thu Apr 20 2023 BruceGW - 2.9.14-5 - Type:CVE - CVE:CVE-2023-28484 CVE-2023-29469 -- Gitee From 22c38d8b690726bd47de63d3f4fe26a1628a5846 Mon Sep 17 00:00:00 2001 From: zhuofeng Date: Thu, 8 Jun 2023 15:54:22 +0800 Subject: [PATCH 2/6] 1 --- ...olding-for-some-atomic-data-types-th.patch | 105 ++++++++++++++++++ ...t-Avoid-arithmetic-on-freed-pointers.patch | 104 +++++++++++++++++ ...n-out-of-bounds-pointer-by-rewriting.patch | 33 ++++++ ...le-free-if-malloc-fails-in-inputPush.patch | 32 ++++++ ...mpl.patch => backport-CVE-2023-28484.patch | 16 ++- ...t-d.patch => backport-CVE-2023-29469.patch | 8 +- ...rt-io-Remove-xmlInputReadCallbackNop.patch | 66 ++++++----- 7 files changed, 322 insertions(+), 42 deletions(-) create mode 100644 backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch create mode 100644 backport-Avoid-arithmetic-on-freed-pointers.patch create mode 100644 backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch create mode 100644 backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch rename backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch => backport-CVE-2023-28484.patch (88%) rename backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch => backport-CVE-2023-29469.patch (82%) diff --git a/backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch b/backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch new file mode 100644 index 0000000..5316326 --- /dev/null +++ b/backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch @@ -0,0 +1,105 @@ +From 966b0f21c15de0c959f4db88d658ba66bda41575 Mon Sep 17 00:00:00 2001 +From: Damjan Jovanovic +Date: Thu, 19 Aug 2021 02:46:32 +0200 +Subject: [PATCH] Add whitespace folding for some atomic data types that it's + missing on. + +XSD validation fails when some atomic types contain surrounding whitespace +even though XML Schema Part 2: Datatypes Second Edition, section 4.3.6 +says they should be collapsed. Fix this. + +(I am not sure whether the test is correct.) + +Issue: #278 + +Conflict:NA +Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/966b0f21c15de0c959f4db88d658ba66bda41575 + +--- + test/xsdtest/xsdtest.xml | 5 +++++ + xmlschemastypes.c | 8 ++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/test/xsdtest/xsdtest.xml b/test/xsdtest/xsdtest.xml +index b8a6de9..2807d26 100644 +--- a/test/xsdtest/xsdtest.xml ++++ b/test/xsdtest/xsdtest.xml +@@ -657,6 +657,7 @@ B EEF + + + 1 ++ 1 + 127 + -128 + 128 +@@ -665,6 +666,7 @@ B EEF + + 1 + +1 ++ 1 + -1 + 0 + 18446744073709551615 +@@ -674,6 +676,7 @@ B EEF + + 1 + +1 ++ 1 + 0 + 4294967295 + 4294967296 +@@ -682,6 +685,7 @@ B EEF + + 1 + +1 ++ 1 + 0 + 65535 + 65536 +@@ -689,6 +693,7 @@ B EEF + + + 1 ++ 1 + +1 + 0 + 255 +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index af31be5..ebb0219 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3308,6 +3308,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, + + if (cur == NULL) + goto return1; ++ if (normOnTheFly) ++ while IS_WSP_BLANK_CH(*cur) cur++; + if (*cur == '-') { + sign = 1; + cur++; +@@ -3316,6 +3318,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, + ret = xmlSchemaParseUInt(&cur, &lo, &mi, &hi); + if (ret < 0) + goto return1; ++ if (normOnTheFly) ++ while IS_WSP_BLANK_CH(*cur) cur++; + if (*cur != 0) + goto return1; + if (type->builtInType == XML_SCHEMAS_LONG) { +@@ -3380,9 +3384,13 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, + + if (cur == NULL) + goto return1; ++ if (normOnTheFly) ++ while IS_WSP_BLANK_CH(*cur) cur++; + ret = xmlSchemaParseUInt(&cur, &lo, &mi, &hi); + if (ret < 0) + goto return1; ++ if (normOnTheFly) ++ while IS_WSP_BLANK_CH(*cur) cur++; + if (*cur != 0) + goto return1; + if (type->builtInType == XML_SCHEMAS_ULONG) { +-- +2.27.0 + diff --git a/backport-Avoid-arithmetic-on-freed-pointers.patch b/backport-Avoid-arithmetic-on-freed-pointers.patch new file mode 100644 index 0000000..8204291 --- /dev/null +++ b/backport-Avoid-arithmetic-on-freed-pointers.patch @@ -0,0 +1,104 @@ +From 4951c462eae68562df335ff6d611f4352ea9931d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 6 Mar 2022 02:29:00 +0100 +Subject: [PATCH] Avoid arithmetic on freed pointers + +Conflict:NA +Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/4951c462eae68562df335ff6d611f4352ea9931d + +--- + parserInternals.c | 45 +++++++++------------------------------------ + 1 file changed, 9 insertions(+), 36 deletions(-) + +diff --git a/parserInternals.c b/parserInternals.c +index c5c0b16..d68592f 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -300,7 +300,6 @@ int + xmlParserInputGrow(xmlParserInputPtr in, int len) { + int ret; + size_t indx; +- const xmlChar *content; + + if ((in == NULL) || (len < 0)) return(-1); + #ifdef DEBUG_INPUT +@@ -325,22 +324,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + } else + return(0); + +- /* +- * NOTE : in->base may be a "dangling" i.e. freed pointer in this +- * block, but we use it really as an integer to do some +- * pointer arithmetic. Insure will raise it as a bug but in +- * that specific case, that's not ! +- */ +- +- content = xmlBufContent(in->buf->buffer); +- if (in->base != content) { +- /* +- * the buffer has been reallocated +- */ +- indx = in->cur - in->base; +- in->base = content; +- in->cur = &content[indx]; +- } ++ in->base = xmlBufContent(in->buf->buffer); ++ in->cur = in->base + indx; + in->end = xmlBufEnd(in->buf->buffer); + + CHECK_BUFFER(in); +@@ -358,8 +343,6 @@ void + xmlParserInputShrink(xmlParserInputPtr in) { + size_t used; + size_t ret; +- size_t indx; +- const xmlChar *content; + + #ifdef DEBUG_INPUT + xmlGenericError(xmlGenericErrorContext, "Shrink\n"); +@@ -372,7 +355,7 @@ xmlParserInputShrink(xmlParserInputPtr in) { + + CHECK_BUFFER(in); + +- used = in->cur - xmlBufContent(in->buf->buffer); ++ used = in->cur - in->base; + /* + * Do not shrink on large buffers whose only a tiny fraction + * was consumed +@@ -380,27 +363,17 @@ xmlParserInputShrink(xmlParserInputPtr in) { + if (used > INPUT_CHUNK) { + ret = xmlBufShrink(in->buf->buffer, used - LINE_LEN); + if (ret > 0) { +- in->cur -= ret; ++ used -= ret; + in->consumed += ret; + } +- in->end = xmlBufEnd(in->buf->buffer); + } + +- CHECK_BUFFER(in); +- +- if (xmlBufUse(in->buf->buffer) > INPUT_CHUNK) { +- return; +- } +- xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK); +- content = xmlBufContent(in->buf->buffer); +- if (in->base != content) { +- /* +- * the buffer has been reallocated +- */ +- indx = in->cur - in->base; +- in->base = content; +- in->cur = &content[indx]; ++ if (xmlBufUse(in->buf->buffer) <= INPUT_CHUNK) { ++ xmlParserInputBufferRead(in->buf, 2 * INPUT_CHUNK); + } ++ ++ in->base = xmlBufContent(in->buf->buffer); ++ in->cur = in->base + used; + in->end = xmlBufEnd(in->buf->buffer); + + CHECK_BUFFER(in); +-- +2.27.0 + diff --git a/backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch b/backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch new file mode 100644 index 0000000..2a4c31c --- /dev/null +++ b/backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch @@ -0,0 +1,33 @@ +From d58bff6125f066689a872113123152fdcfe693cc Mon Sep 17 00:00:00 2001 +From: Alex Richardson +Date: Thu, 1 Dec 2022 12:53:15 +0000 +Subject: [PATCH 27/28] Avoid creating an out-of-bounds pointer by rewriting a + check + +Creating more than one-past-the-end pointers is undefined behaviour in C +and while this code is unlikely to be miscompiled, I discovered that an +out-of-bounds pointer is being created using UBSan on a CHERI-enabled +system. + +Reference: https://github.com/GNOME/libxml2/commit/c715ded0861af956ba584f566bc7db6717f519d0 +Conflict: NA +--- + HTMLparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 746edf6..60dea30 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -2333,7 +2333,7 @@ htmlEncodeEntities(unsigned char* out, int *outlen, + else + cp = ent->name; + len = strlen(cp); +- if (out + 2 + len > outend) ++ if (outend - out < len + 2) + break; + *out++ = '&'; + memcpy(out, cp, len); +-- +2.27.0 + diff --git a/backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch b/backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch new file mode 100644 index 0000000..f77f8db --- /dev/null +++ b/backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch @@ -0,0 +1,32 @@ +From ecba4cbd4335b31aa7a815701971ed09cfffea9b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2022 19:22:31 +0200 +Subject: [PATCH] Avoid double-free if malloc fails in inputPush + +It's the caller's responsibility to free the input stream if this +function fails. + +Reference:https://github.com/GNOME/libxml2/commit/ecba4cbd4335b31aa7a815701971ed09cfffea9b +Conflict:NA + +--- + parser.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/parser.c b/parser.c +index 0d5bcc1..d8225bd 100644 +--- a/parser.c ++++ b/parser.c +@@ -1763,9 +1763,7 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value) + sizeof(ctxt->inputTab[0])); + if (ctxt->inputTab == NULL) { + xmlErrMemory(ctxt, NULL); +- xmlFreeInputStream(value); + ctxt->inputMax /= 2; +- value = NULL; + return (-1); + } + } +-- +2.27.0 + diff --git a/backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch b/backport-CVE-2023-28484.patch similarity index 88% rename from backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch rename to backport-CVE-2023-28484.patch index 7201dde..8617ddb 100644 --- a/backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch +++ b/backport-CVE-2023-28484.patch @@ -1,4 +1,4 @@ -From 647e072ea0a2f12687fa05c172f4c4713fdb0c4f Mon Sep 17 00:00:00 2001 +From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Fri, 7 Apr 2023 11:46:35 +0200 Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType @@ -8,6 +8,10 @@ Fix a null pointer dereference when parsing (invalid) XML schemas. Thanks to Robby Simpson for the report! Fixes #491. + +Reference:https://github.com/GNOME/libxml2/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 +Conflict:NA + --- result/schemas/issue491_0_0.err | 1 + test/schemas/issue491_0.xml | 1 + @@ -20,21 +24,21 @@ Fixes #491. diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err new file mode 100644 -index 00000000..9b2bb969 +index 0000000..9b2bb96 --- /dev/null +++ b/result/schemas/issue491_0_0.err @@ -0,0 +1 @@ +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml new file mode 100644 -index 00000000..e2b2fc2e +index 0000000..e2b2fc2 --- /dev/null +++ b/test/schemas/issue491_0.xml @@ -0,0 +1 @@ +5 diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd new file mode 100644 -index 00000000..81702649 +index 0000000..8170264 --- /dev/null +++ b/test/schemas/issue491_0.xsd @@ -0,0 +1,18 @@ @@ -57,10 +61,10 @@ index 00000000..81702649 + + diff --git a/xmlschemas.c b/xmlschemas.c -index 17aa6dfa..36cd6730 100644 +index 4dbee37..7199d23 100644 --- a/xmlschemas.c +++ b/xmlschemas.c -@@ -18563,7 +18563,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, +@@ -18640,7 +18640,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, "allowed to appear inside other model groups", NULL, NULL); diff --git a/backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch b/backport-CVE-2023-29469.patch similarity index 82% rename from backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch rename to backport-CVE-2023-29469.patch index 8b702ce..2e0881c 100644 --- a/backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch +++ b/backport-CVE-2023-29469.patch @@ -1,4 +1,4 @@ -From 09a2dd453007f9c7205274623acdd73747c22d64 Mon Sep 17 00:00:00 2001 +From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Fri, 7 Apr 2023 11:49:27 +0200 Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't @@ -14,12 +14,16 @@ have an impact on security. Found by OSS-Fuzz. Fixes #510. + +Reference:https://github.com/GNOME/libxml2/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df +Conflict:NA + --- dict.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dict.c b/dict.c -index 26ce516d..57b76fae 100644 +index 90e4d81..e39e8a4 100644 --- a/dict.c +++ b/dict.c @@ -451,7 +451,8 @@ static unsigned long diff --git a/backport-io-Remove-xmlInputReadCallbackNop.patch b/backport-io-Remove-xmlInputReadCallbackNop.patch index a11a8f1..0f3f98e 100644 --- a/backport-io-Remove-xmlInputReadCallbackNop.patch +++ b/backport-io-Remove-xmlInputReadCallbackNop.patch @@ -1,31 +1,30 @@ -From ee6c6084e58ab114bddd06453790d22b08e45d93 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 13 Nov 2022 16:30:46 +0100 -Subject: [PATCH] io: Remove xmlInputReadCallbackNop - -In some cases, for example when using encoders, the read callback was -set to NULL, in other cases it was set to xmlInputReadCallbackNop. -xmlGROW only tested for xmlInputReadCallbackNop, resulting in errors -when parsing large encoded content from memory. - -Always use a NULL callback for memory buffers to avoid ambiguities. - -Fixes #262. - -Reference:https://github.com/GNOME/libxml2/commit/46cd7d224ed5c4cdbd4f72ec899db24e18d21fe7 -Conflict:include/private/io.h, parserInternals.c +From ee6c6084e58ab114bddd06453790d22b08e45d93 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 13 Nov 2022 16:30:46 +0100 +Subject: [PATCH] io: Remove xmlInputReadCallbackNop +In some cases, for example when using encoders, the read callback was +set to NULL, in other cases it was set to xmlInputReadCallbackNop. +xmlGROW only tested for xmlInputReadCallbackNop, resulting in errors +when parsing large encoded content from memory. + +Always use a NULL callback for memory buffers to avoid ambiguities. + +Fixes #262. + +Reference:https://github.com/GNOME/libxml2/commit/46cd7d224ed5c4cdbd4f72ec899db24e18d21fe7 +Conflict:include/private/io.h --- parser.c | 2 +- - parserInternals.c | 4 ++++ + parserInternals.c | 3 ++- xmlIO.c | 30 ++++-------------------------- - 3 files changed, 9 insertions(+), 27 deletions(-) + 3 files changed, 7 insertions(+), 28 deletions(-) diff --git a/parser.c b/parser.c -index 0d5bcc1..4af757e 100644 +index adc449c..f13287a 100644 --- a/parser.c +++ b/parser.c -@@ -2136,7 +2136,7 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { +@@ -2134,7 +2134,7 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { if (((curEnd > XML_MAX_LOOKUP_LIMIT) || (curBase > XML_MAX_LOOKUP_LIMIT)) && ((ctxt->input->buf) && @@ -35,22 +34,21 @@ index 0d5bcc1..4af757e 100644 xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); xmlHaltParser(ctxt); diff --git a/parserInternals.c b/parserInternals.c -index c5c0b16..a418c63 100644 +index 0ef44fe..ef18ccf 100644 --- a/parserInternals.c +++ b/parserInternals.c -@@ -320,6 +320,10 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { +@@ -311,7 +311,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + if (in->buf->buffer == NULL) return(-1); - return(0); - } -+ + /* Don't grow memory buffers. */ +- if (in->buf->readcallback == NULL) return(0); + if ((in->buf->encoder == NULL) && (in->buf->readcallback == NULL)) -+ return(0); -+ - if (in->buf->readcallback != NULL) { - ret = xmlParserInputBufferGrow(in->buf, len); - } else ++ return(0); + + CHECK_BUFFER(in); + diff --git a/xmlIO.c b/xmlIO.c -index 007144c..3546bd4 100644 +index 0762034..71c9fbf 100644 --- a/xmlIO.c +++ b/xmlIO.c @@ -729,20 +729,6 @@ xmlCheckFilename (const char *path) @@ -83,7 +81,7 @@ index 007144c..3546bd4 100644 ret->closecallback = NULL; errcode = xmlBufAdd(ret->buffer, (const xmlChar *) mem, size); if (errcode != 0) { -@@ -3267,10 +3253,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { +@@ -3261,10 +3247,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { res = in->readcallback(in->context, &buffer[0], len); if (res <= 0) in->readcallback = endOfInput; @@ -96,7 +94,7 @@ index 007144c..3546bd4 100644 } if (res < 0) { return(-1); -@@ -3337,13 +3321,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { +@@ -3331,13 +3315,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { */ int xmlParserInputBufferRead(xmlParserInputBufferPtr in, int len) { @@ -112,5 +110,5 @@ index 007144c..3546bd4 100644 #ifdef LIBXML_OUTPUT_ENABLED -- -2.33.0 +2.27.0 -- Gitee From be9e0f14754731a4156b8ed3b5dbf8cb31c16efd Mon Sep 17 00:00:00 2001 From: zhuofeng Date: Thu, 8 Jun 2023 15:54:58 +0800 Subject: [PATCH 3/6] 2 --- ...cate-internal-pointers-after-realloc.patch | 42 +++++ ...th-buffer-in-xmlNewStringInputStream.patch | 56 +++++++ ...ialize-SAX-handler-in-htmlReadMemory.patch | 30 ++++ ...set-nsDef-when-changing-node-content.patch | 45 ++++++ ...rser-with-threads-and-without-legacy.patch | 55 +++++++ ...ory-mixing-up-XML-and-HTML-functions.patch | 28 ++++ ...ix-integer-overflow-in-xmlBufferDump.patch | 41 +++++ ...k-in-xmlLoadEntityContent-error-path.patch | 33 ++++ ...ort-Fix-memory-leak-with-invalid-XSD.patch | 63 ++++++++ ...terminators-in-xmlBuf-and-xmlBuffer-.patch | 84 ++++++++++ backport-Fix-overflow-check-in-SAX2.c.patch | 63 ++++++++ ...fall-through-in-xmlNodeAddContentLen.patch | 34 ++++ ...ee-bugs-when-calling-xmlTextReaderCl.patch | 115 +++++++++++++ ...fter-free-in-xmlParseContentInternal.patch | 37 +++++ ...ort-Fix-xmlCtxtReadDoc-with-encoding.patch | 87 ++++++++++ ...-check-work-with-recursive-invocatio.patch | 115 +++++++++++++ ...itespace-around-the-QName-value-when.patch | 44 +++++ ...-NUL-terminator-and-report-errors-co.patch | 153 ++++++++++++++++++ backport-Reset-nsNr-in-xmlCtxtReset.patch | 28 ++++ 19 files changed, 1153 insertions(+) create mode 100644 backport-Correctly-relocate-internal-pointers-after-realloc.patch create mode 100644 backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch create mode 100644 backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch create mode 100644 backport-Don-t-reset-nsDef-when-changing-node-content.patch create mode 100644 backport-Fix-HTML-parser-with-threads-and-without-legacy.patch create mode 100644 backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch create mode 100644 backport-Fix-integer-overflow-in-xmlBufferDump.patch create mode 100644 backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch create mode 100644 backport-Fix-memory-leak-with-invalid-XSD.patch create mode 100644 backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch create mode 100644 backport-Fix-overflow-check-in-SAX2.c.patch create mode 100644 backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch create mode 100644 backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch create mode 100644 backport-Fix-use-after-free-in-xmlParseContentInternal.patch create mode 100644 backport-Fix-xmlCtxtReadDoc-with-encoding.patch create mode 100644 backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch create mode 100644 backport-Properly-fold-whitespace-around-the-QName-value-when.patch create mode 100644 backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch create mode 100644 backport-Reset-nsNr-in-xmlCtxtReset.patch diff --git a/backport-Correctly-relocate-internal-pointers-after-realloc.patch b/backport-Correctly-relocate-internal-pointers-after-realloc.patch new file mode 100644 index 0000000..17a7f98 --- /dev/null +++ b/backport-Correctly-relocate-internal-pointers-after-realloc.patch @@ -0,0 +1,42 @@ +From d038d7177668030f0c54fa1772d3f174cf6527f1 Mon Sep 17 00:00:00 2001 +From: Alex Richardson +Date: Thu, 1 Dec 2022 12:58:11 +0000 +Subject: [PATCH 26/28] Correctly relocate internal pointers after realloc() + +Adding an offset to a deallocated pointer and assuming that it can be +dereferenced is undefined behaviour. When running libxml2 on CHERI-enabled +systems such as Arm Morello this results in the creation of an out-of-bounds +pointer that cannot be dereferenced and therefore crashes at runtime. + +The effect of this UB is not just limited to architectures such as CHERI, +incorrect relocation of pointers after realloc can in fact cause +FORTIFY_SOURCE errors with recent GCC: +https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level + +Reference: https://github.com/GNOME/libxml2/commit/c62c0d82ccacc2000c45f211166f008687fb97a0 +Conflict: NA +--- + parser.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/parser.c b/parser.c +index 9d50138..adc449c 100644 +--- a/parser.c ++++ b/parser.c +@@ -9514,10 +9514,10 @@ next_attr: + * Arithmetic on dangling pointers is technically undefined + * behavior, but well... + */ +- ptrdiff_t offset = ctxt->input->base - atts[i+2]; ++ const xmlChar *old = atts[i+2]; + atts[i+2] = NULL; /* Reset repurposed namespace URI */ +- atts[i+3] += offset; /* value */ +- atts[i+4] += offset; /* valuend */ ++ atts[i+3] = ctxt->input->base + (atts[i+3] - old); /* value */ ++ atts[i+4] = ctxt->input->base + (atts[i+4] - old); /* valuend */ + } + } + +-- +2.27.0 + diff --git a/backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch b/backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch new file mode 100644 index 0000000..5919874 --- /dev/null +++ b/backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch @@ -0,0 +1,56 @@ +From b1b654171e44dba90bbc6836ca05dd4e1161b4b0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 20 Aug 2022 15:15:04 +0200 +Subject: [PATCH] Create stream with buffer in xmlNewStringInputStream + +Create an input stream with a buffer in xmlNewStringInputStream. +Otherwise, switching encodings won't work. + +See #34. +Reference:https://github.com/GNOME/libxml2/commit/b1b654171e44dba90bbc6836ca05dd4e1161b4b0 +Conflict:NA +--- + parserInternals.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/parserInternals.c b/parserInternals.c +index d68592f..6ef7671 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -1465,6 +1465,7 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) { + xmlParserInputPtr + xmlNewStringInputStream(xmlParserCtxtPtr ctxt, const xmlChar *buffer) { + xmlParserInputPtr input; ++ xmlParserInputBufferPtr buf; + + if (buffer == NULL) { + xmlErrInternal(ctxt, "xmlNewStringInputStream string = NULL\n", +@@ -1474,15 +1475,21 @@ xmlNewStringInputStream(xmlParserCtxtPtr ctxt, const xmlChar *buffer) { + if (xmlParserDebugEntities) + xmlGenericError(xmlGenericErrorContext, + "new fixed input: %.30s\n", buffer); ++ buf = xmlParserInputBufferCreateMem((const char *) buffer, ++ strlen((const char *) buffer), ++ XML_CHAR_ENCODING_NONE); ++ if (buf == NULL) { ++ xmlErrMemory(ctxt, NULL); ++ return(NULL); ++ } + input = xmlNewInputStream(ctxt); + if (input == NULL) { + xmlErrMemory(ctxt, "couldn't allocate a new input stream\n"); ++ xmlFreeParserInputBuffer(buf); + return(NULL); + } +- input->base = buffer; +- input->cur = buffer; +- input->length = xmlStrlen(buffer); +- input->end = &buffer[input->length]; ++ input->buf = buf; ++ xmlBufResetInput(input->buf->buffer, input); + return(input); + } + +-- +2.27.0 + diff --git a/backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch b/backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch new file mode 100644 index 0000000..6d8f0a2 --- /dev/null +++ b/backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch @@ -0,0 +1,30 @@ +From 80bd34c3c650bd68e3c9c3e2308ac1988067ad50 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 22 Aug 2022 14:06:37 +0200 +Subject: [PATCH] Don't initialize SAX handler in htmlReadMemory + +The SAX handler is already initialized when creating the parser +context. +Reference:https://github.com/GNOME/libxml2/commit/80bd34c3c650bd68e3c9c3e2308ac1988067ad50 +Conflict:NA +--- + HTMLparser.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index c6b2183..e95d86b 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6980,9 +6980,6 @@ htmlReadMemory(const char *buffer, int size, const char *URL, const char *encodi + ctxt = htmlCreateMemoryParserCtxt(buffer, size); + if (ctxt == NULL) + return (NULL); +- htmlDefaultSAXHandlerInit(); +- if (ctxt->sax != NULL) +- memcpy(ctxt->sax, &htmlDefaultSAXHandler, sizeof(xmlSAXHandlerV1)); + return (htmlDoRead(ctxt, URL, encoding, options, 0)); + } + +-- +2.27.0 + diff --git a/backport-Don-t-reset-nsDef-when-changing-node-content.patch b/backport-Don-t-reset-nsDef-when-changing-node-content.patch new file mode 100644 index 0000000..168045f --- /dev/null +++ b/backport-Don-t-reset-nsDef-when-changing-node-content.patch @@ -0,0 +1,45 @@ +From a17a1f564eaac42d6db561c639b5d2461884e829 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 18 May 2022 02:17:31 +0200 +Subject: [PATCH] Don't reset nsDef when changing node content + +nsDef is only used for element nodes. + +Reference:https://github.com/GNOME/libxml2/commit/a17a1f564eaac42d6db561c639b5d2461884e829 +Conflict:NA + +--- + tree.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tree.c b/tree.c +index fe6f54a..84da156 100644 +--- a/tree.c ++++ b/tree.c +@@ -5721,7 +5721,6 @@ xmlNodeSetContent(xmlNodePtr cur, const xmlChar *content) { + } else + cur->content = NULL; + cur->properties = NULL; +- cur->nsDef = NULL; + break; + case XML_DOCUMENT_NODE: + case XML_HTML_DOCUMENT_NODE: +@@ -5799,7 +5798,6 @@ xmlNodeSetContentLen(xmlNodePtr cur, const xmlChar *content, int len) { + } else + cur->content = NULL; + cur->properties = NULL; +- cur->nsDef = NULL; + break; + case XML_DOCUMENT_NODE: + case XML_DTD_NODE: +@@ -5878,7 +5876,6 @@ xmlNodeAddContentLen(xmlNodePtr cur, const xmlChar *content, int len) { + xmlDictOwns(cur->doc->dict, cur->content))) { + cur->content = xmlStrncatNew(cur->content, content, len); + cur->properties = NULL; +- cur->nsDef = NULL; + } else { + cur->content = xmlStrncat(cur->content, content, len); + } +-- +2.27.0 + diff --git a/backport-Fix-HTML-parser-with-threads-and-without-legacy.patch b/backport-Fix-HTML-parser-with-threads-and-without-legacy.patch new file mode 100644 index 0000000..619d4be --- /dev/null +++ b/backport-Fix-HTML-parser-with-threads-and-without-legacy.patch @@ -0,0 +1,55 @@ +From 38f04779f7afd758db6210123ec0b64c489595c5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 22 Aug 2022 13:33:35 +0200 +Subject: [PATCH] Fix HTML parser with threads and --without-legacy + +If the legacy functions are disabled, the default "V1" HTML SAX handler +isn't initialized in threads other than the main thread. +htmlInitParserCtxt would later use the empty V1 SAX handler, resulting +in NULL documents. + +Change htmlInitParserCtxt to initialize the HTML SAX handler by calling +xmlSAX2InitHtmlDefaultSAXHandler. This removes the ability to change the +default handler but is more in line with the XML parser which +initializes the SAX handler by calling xmlSAXVersion, ignoring the V1 +default handler. + +Fixes #399. +Reference:https://github.com/GNOME/libxml2/commit/38f04779f7afd758db6210123ec0b64c489595c5 +Conflict:NA +--- + HTMLparser.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index e95d86b..98d73f3 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -5039,8 +5039,7 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt) + htmlErrMemory(NULL, "htmlInitParserCtxt: out of memory\n"); + return(-1); + } +- else +- memset(sax, 0, sizeof(htmlSAXHandler)); ++ memset(sax, 0, sizeof(htmlSAXHandler)); + + /* Allocate the Input stack */ + ctxt->inputTab = (htmlParserInputPtr *) +@@ -5099,11 +5098,9 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt) + ctxt->nodeInfoNr = 0; + ctxt->nodeInfoMax = 0; + +- if (sax == NULL) ctxt->sax = (xmlSAXHandlerPtr) &htmlDefaultSAXHandler; +- else { +- ctxt->sax = sax; +- memcpy(sax, &htmlDefaultSAXHandler, sizeof(xmlSAXHandlerV1)); +- } ++ ctxt->sax = sax; ++ xmlSAX2InitHtmlDefaultSAXHandler(sax); ++ + ctxt->userData = ctxt; + ctxt->myDoc = NULL; + ctxt->wellFormed = 1; +-- +2.27.0 + diff --git a/backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch b/backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch new file mode 100644 index 0000000..eeafeac --- /dev/null +++ b/backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch @@ -0,0 +1,28 @@ +From 37cedc0b1563e5e312a924ac07168722a4e768d8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 22 Aug 2022 14:04:07 +0200 +Subject: [PATCH] Fix htmlReadMemory mixing up XML and HTML functions + +Also see fe6890e2. +Reference:https://github.com/GNOME/libxml2/commit/37cedc0b1563e5e312a924ac07168722a4e768d8 +Conflict:NA +--- + HTMLparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index e720bb2..c6b2183 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6977,7 +6977,7 @@ htmlReadMemory(const char *buffer, int size, const char *URL, const char *encodi + htmlParserCtxtPtr ctxt; + + xmlInitParser(); +- ctxt = xmlCreateMemoryParserCtxt(buffer, size); ++ ctxt = htmlCreateMemoryParserCtxt(buffer, size); + if (ctxt == NULL) + return (NULL); + htmlDefaultSAXHandlerInit(); +-- +2.27.0 + diff --git a/backport-Fix-integer-overflow-in-xmlBufferDump.patch b/backport-Fix-integer-overflow-in-xmlBufferDump.patch new file mode 100644 index 0000000..0e6db88 --- /dev/null +++ b/backport-Fix-integer-overflow-in-xmlBufferDump.patch @@ -0,0 +1,41 @@ +From a6df42e649acacb55be832222d1f3f50c66720ff Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Sat, 28 May 2022 08:08:29 -0700 +Subject: [PATCH 296/300] Fix integer overflow in xmlBufferDump() + +* tree.c: +(xmlBufferDump): +- Cap the return value to INT_MAX. + +Reference:https://github.com/GNOME/libxml2/commit/a6df42e649acacb55be832222d1f3f50c66720ff +Conflict:NA + +--- + tree.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tree.c b/tree.c +index 0cf2483..3dff195 100644 +--- a/tree.c ++++ b/tree.c +@@ -7380,7 +7380,7 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { + */ + int + xmlBufferDump(FILE *file, xmlBufferPtr buf) { +- int ret; ++ size_t ret; + + if (buf == NULL) { + #ifdef DEBUG_BUFFER +@@ -7399,7 +7399,7 @@ xmlBufferDump(FILE *file, xmlBufferPtr buf) { + if (file == NULL) + file = stdout; + ret = fwrite(buf->content, sizeof(xmlChar), buf->use, file); +- return(ret); ++ return(ret > INT_MAX ? INT_MAX : (int)ret); + } + + /** +-- +2.27.0 + diff --git a/backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch b/backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch new file mode 100644 index 0000000..0384499 --- /dev/null +++ b/backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch @@ -0,0 +1,33 @@ +From ca2c91f139426f63646292da58a15a1511dccc0f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2022 19:24:14 +0200 +Subject: [PATCH] Fix memory leak in xmlLoadEntityContent error path + +Free the input stream if pushing it fails. + +Found by OSS-Fuzz. + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43743 + +Reference:https://github.com/GNOME/libxml2/commit/ca2c91f139426f63646292da58a15a1511dccc0f +Conflict:NA + +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index d8225bd..dd507c0 100644 +--- a/parser.c ++++ b/parser.c +@@ -8102,6 +8102,7 @@ xmlLoadEntityContent(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) { + */ + if (xmlPushInput(ctxt, input) < 0) { + xmlBufferFree(buf); ++ xmlFreeInputStream(input); + return(-1); + } + +-- +2.27.0 + diff --git a/backport-Fix-memory-leak-with-invalid-XSD.patch b/backport-Fix-memory-leak-with-invalid-XSD.patch new file mode 100644 index 0000000..55359ef --- /dev/null +++ b/backport-Fix-memory-leak-with-invalid-XSD.patch @@ -0,0 +1,63 @@ +From a09c89545d3ed5b56701abcc5d638faa01c5c903 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 15 Aug 2022 12:19:25 +0200 +Subject: [PATCH] Fix memory leak with invalid XSD + +xmlSchemaClearElemInfo can add new items to the "matcher" cache, so the +cache must be cleared after calling this function, not before. This +only seems to affect invalid XSDs. + +Fixes #390. +Reference:https://github.com/GNOME/libxml2/commit/a09c89545d3ed5b56701abcc5d638faa01c5c903 +Conflict:NA +--- + xmlschemas.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 9da4cd1..9aa6acf 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -27830,17 +27830,6 @@ xmlSchemaClearValidCtxt(xmlSchemaValidCtxtPtr vctxt) + } while (cur != NULL); + vctxt->aidcs = NULL; + } +- if (vctxt->idcMatcherCache != NULL) { +- xmlSchemaIDCMatcherPtr matcher = vctxt->idcMatcherCache, tmp; +- +- while (matcher) { +- tmp = matcher; +- matcher = matcher->nextCached; +- xmlSchemaIDCFreeMatcherList(tmp); +- } +- vctxt->idcMatcherCache = NULL; +- } +- + + if (vctxt->idcNodes != NULL) { + int i; +@@ -27907,6 +27896,21 @@ xmlSchemaClearValidCtxt(xmlSchemaValidCtxtPtr vctxt) + xmlFree(vctxt->filename); + vctxt->filename = NULL; + } ++ ++ /* ++ * Note that some cleanup functions can move items to the cache, ++ * so the cache shouldn't be freed too early. ++ */ ++ if (vctxt->idcMatcherCache != NULL) { ++ xmlSchemaIDCMatcherPtr matcher = vctxt->idcMatcherCache, tmp; ++ ++ while (matcher) { ++ tmp = matcher; ++ matcher = matcher->nextCached; ++ xmlSchemaIDCFreeMatcherList(tmp); ++ } ++ vctxt->idcMatcherCache = NULL; ++ } + } + + /** +-- +2.27.0 + diff --git a/backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch b/backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch new file mode 100644 index 0000000..d2a4ba4 --- /dev/null +++ b/backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch @@ -0,0 +1,84 @@ +From 4ce2abf6f656b3e78ad40e33191a8b42561c10b0 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Sun, 29 May 2022 09:46:00 -0700 +Subject: [PATCH 299/300] Fix missing NUL terminators in xmlBuf and xmlBuffer + functions + +* buf.c: +(xmlBufAddLen): +- Change check for remaining space to account for the NUL + terminator. When adding a length exactly equal to the number + of unused bytes, a NUL terminator was not written. +(xmlBufResize): +- Set `buf->use` and NUL terminator when allocating a new + buffer. +* tree.c: +(xmlBufferResize): +- Set `buf->use` and NUL terminator when allocating a new + buffer. +(xmlBufferAddHead): +- Set NUL terminator before returning early when shifting + contents. + +Reference:https://github.com/GNOME/libxml2/commit/4ce2abf6f656b3e78ad40e33191a8b42561c10b0 +Conflict:NA +--- + buf.c | 9 ++++----- + tree.c | 3 +++ + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/buf.c b/buf.c +index f896826..da765f6 100644 +--- a/buf.c ++++ b/buf.c +@@ -613,14 +613,11 @@ xmlBufAddLen(xmlBufPtr buf, size_t len) { + if ((buf == NULL) || (buf->error)) + return(-1); + CHECK_COMPAT(buf) +- if (len > (buf->size - buf->use)) ++ if (len >= (buf->size - buf->use)) + return(-1); + buf->use += len; ++ buf->content[buf->use] = 0; + UPDATE_COMPAT(buf) +- if (buf->size > buf->use) +- buf->content[buf->use] = 0; +- else +- return(-1); + return(0); + } + +@@ -821,6 +818,8 @@ xmlBufResize(xmlBufPtr buf, size_t size) + } else { + if (buf->content == NULL) { + rebuf = (xmlChar *) xmlMallocAtomic(newSize); ++ buf->use = 0; ++ rebuf[buf->use] = 0; + } else if (buf->size - buf->use < 100) { + rebuf = (xmlChar *) xmlRealloc(buf->content, newSize); + } else { +diff --git a/tree.c b/tree.c +index 3dff195..e275671 100644 +--- a/tree.c ++++ b/tree.c +@@ -7529,6 +7529,8 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + } else { + if (buf->content == NULL) { + rebuf = (xmlChar *) xmlMallocAtomic(newSize); ++ buf->use = 0; ++ rebuf[buf->use] = 0; + } else if (buf->size - buf->use < 100) { + rebuf = (xmlChar *) xmlRealloc(buf->content, newSize); + } else { +@@ -7657,6 +7659,7 @@ xmlBufferAddHead(xmlBufferPtr buf, const xmlChar *str, int len) { + memmove(&buf->content[0], str, len); + buf->use += len; + buf->size += len; ++ buf->content[buf->use] = 0; + return(0); + } + } +-- +2.27.0 + + diff --git a/backport-Fix-overflow-check-in-SAX2.c.patch b/backport-Fix-overflow-check-in-SAX2.c.patch new file mode 100644 index 0000000..4a0f266 --- /dev/null +++ b/backport-Fix-overflow-check-in-SAX2.c.patch @@ -0,0 +1,63 @@ +From f5b31e49bcababb8da09c2697e24d0ba80a261b6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 1 Sep 2022 02:33:16 +0200 +Subject: [PATCH] Fix overflow check in SAX2.c + +Reference:https://github.com/GNOME/libxml2/commit/aeb69fd3575a33eb2ffded18a444d8945bcbd741 +Conflict:SAX2.c +--- + SAX2.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 0319246..9801393 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -28,11 +28,6 @@ + #include + #include + +-/* Define SIZE_T_MAX unless defined through . */ +-#ifndef SIZE_T_MAX +-# define SIZE_T_MAX ((size_t)-1) +-#endif /* !SIZE_T_MAX */ +- + /* #define DEBUG_SAX2 */ + /* #define DEBUG_SAX2_TREE */ + +@@ -2576,22 +2571,23 @@ xmlSAX2Text(xmlParserCtxtPtr ctxt, const xmlChar *ch, int len, + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL"); + return; + } +- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) && ++ if (ctxt->nodelen > INT_MAX - len) { ++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); ++ return; ++ } ++ if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node"); + return; + } +- if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || +- (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) { +- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); +- return; +- } + if (ctxt->nodelen + len >= ctxt->nodemem) { + xmlChar *newbuf; +- size_t size; ++ int size; + +- size = ctxt->nodemem + len; +- size *= 2; ++ size = ctxt->nodemem > INT_MAX - len ? ++ INT_MAX : ++ ctxt->nodemem + len; ++ size = size > INT_MAX / 2 ? INT_MAX : size * 2; + newbuf = (xmlChar *) xmlRealloc(lastChild->content,size); + if (newbuf == NULL) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters"); +-- +2.27.0 + diff --git a/backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch b/backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch new file mode 100644 index 0000000..2b9e666 --- /dev/null +++ b/backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch @@ -0,0 +1,34 @@ +From 2464652537fa5f3b89e71c31eed777b42fa64708 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 18 May 2022 02:16:34 +0200 +Subject: [PATCH] Fix unintended fall-through in xmlNodeAddContentLen + +Reference:https://github.com/GNOME/libxml2/commit/2464652537fa5f3b89e71c31eed777b42fa64708 +Conflict:NA + +--- + tree.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/tree.c b/tree.c +index ed0a838..fe6f54a 100644 +--- a/tree.c ++++ b/tree.c +@@ -5879,10 +5879,11 @@ xmlNodeAddContentLen(xmlNodePtr cur, const xmlChar *content, int len) { + cur->content = xmlStrncatNew(cur->content, content, len); + cur->properties = NULL; + cur->nsDef = NULL; +- break; +- } +- cur->content = xmlStrncat(cur->content, content, len); ++ } else { ++ cur->content = xmlStrncat(cur->content, content, len); ++ } + } ++ break; + case XML_DOCUMENT_NODE: + case XML_DTD_NODE: + case XML_HTML_DOCUMENT_NODE: +-- +2.27.0 + diff --git a/backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch b/backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch new file mode 100644 index 0000000..49f06bb --- /dev/null +++ b/backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch @@ -0,0 +1,115 @@ +From c50196c13d348025a4843305902bb37df64bae36 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Sun, 10 Apr 2022 20:02:47 -0700 +Subject: [PATCH 289/300] Fix use-after-free bugs when calling + xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser + +When creating an xmlTextReaderPtr using xmlReaderForMemory(), +there are two optional API functions that can be used: +- xmlTextReaderClose() may be called prior to calling + xmlFreeTextReader() to free parsing resources and close the + xmlTextReaderPtr without freeing it. +- xmlTextReaderCurrentDoc() may be called to return an + xmlDocPtr that's owned by the caller, and must be free using + xmlFreeDoc() after calling xmlFreeTextReader(). + +The use-after-free issues occur when calling +xmlTextReaderClose() before xmlFreeTextReader(), with different +issues occurring depending on whether xmlTextReaderCurrentDoc() +is also called. + +* xmlreader.c: +(xmlFreeTextReader): +- Move code to xmlTextReaderClose(), remove duplicate code, and + call xmlTextReaderClose() if it hasn't been called yet. +(xmlTextReaderClose): +- Move call to xmlFreeNode(reader->faketext) from + xmlFreeTextReader() to fix a use-after-free bug when calling + xmlTextReaderClose() before xmlFreeTextReader(), but not when + using xmlTextReaderCurrentDoc(). The bug was introduced in + 2002 by commit beb70bd39. In 2009 commit f4653dcd8 fixed the + use-after-free that occurred every time xmlFreeTextReader() + was called, but not the case where xmlTextReaderClose() was + called first. +- Move post-parsing validation code from xmlFreeTextReader() to + fix a second use-after-free when calling xmlTextReaderClose() + before xmlFreeTextReader(). This regressed in v2.9.10 with + commit 57a3af56f. + +Reference:https://github.com/GNOME/libxml2/commit/c50196c13d348025a4843305902bb37df64bae36 +Conflict:NA + +--- + xmlreader.c | 40 ++++++++++++++++++---------------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +diff --git a/xmlreader.c b/xmlreader.c +index 72e40b0..989b7c1 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -2319,36 +2319,16 @@ xmlFreeTextReader(xmlTextReaderPtr reader) { + xmlFree(reader->patternTab); + } + #endif +- if (reader->faketext != NULL) { +- xmlFreeNode(reader->faketext); +- } ++ if (reader->mode != XML_TEXTREADER_MODE_CLOSED) ++ xmlTextReaderClose(reader); + if (reader->ctxt != NULL) { + if (reader->dict == reader->ctxt->dict) + reader->dict = NULL; +-#ifdef LIBXML_VALID_ENABLED +- if ((reader->ctxt->vctxt.vstateTab != NULL) && +- (reader->ctxt->vctxt.vstateMax > 0)){ +-#ifdef LIBXML_REGEXP_ENABLED +- while (reader->ctxt->vctxt.vstateNr > 0) +- xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL); +-#endif /* LIBXML_REGEXP_ENABLED */ +- xmlFree(reader->ctxt->vctxt.vstateTab); +- reader->ctxt->vctxt.vstateTab = NULL; +- reader->ctxt->vctxt.vstateMax = 0; +- } +-#endif /* LIBXML_VALID_ENABLED */ +- if (reader->ctxt->myDoc != NULL) { +- if (reader->preserve == 0) +- xmlTextReaderFreeDoc(reader, reader->ctxt->myDoc); +- reader->ctxt->myDoc = NULL; +- } + if (reader->allocs & XML_TEXTREADER_CTXT) + xmlFreeParserCtxt(reader->ctxt); + } + if (reader->sax != NULL) + xmlFree(reader->sax); +- if ((reader->input != NULL) && (reader->allocs & XML_TEXTREADER_INPUT)) +- xmlFreeParserInputBuffer(reader->input); + if (reader->buffer != NULL) + xmlBufFree(reader->buffer); + if (reader->entTab != NULL) +@@ -2379,7 +2359,23 @@ xmlTextReaderClose(xmlTextReaderPtr reader) { + reader->node = NULL; + reader->curnode = NULL; + reader->mode = XML_TEXTREADER_MODE_CLOSED; ++ if (reader->faketext != NULL) { ++ xmlFreeNode(reader->faketext); ++ reader->faketext = NULL; ++ } + if (reader->ctxt != NULL) { ++#ifdef LIBXML_VALID_ENABLED ++ if ((reader->ctxt->vctxt.vstateTab != NULL) && ++ (reader->ctxt->vctxt.vstateMax > 0)){ ++#ifdef LIBXML_REGEXP_ENABLED ++ while (reader->ctxt->vctxt.vstateNr > 0) ++ xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL); ++#endif /* LIBXML_REGEXP_ENABLED */ ++ xmlFree(reader->ctxt->vctxt.vstateTab); ++ reader->ctxt->vctxt.vstateTab = NULL; ++ reader->ctxt->vctxt.vstateMax = 0; ++ } ++#endif /* LIBXML_VALID_ENABLED */ + xmlStopParser(reader->ctxt); + if (reader->ctxt->myDoc != NULL) { + if (reader->preserve == 0) +-- +2.27.0 + diff --git a/backport-Fix-use-after-free-in-xmlParseContentInternal.patch b/backport-Fix-use-after-free-in-xmlParseContentInternal.patch new file mode 100644 index 0000000..e82c49c --- /dev/null +++ b/backport-Fix-use-after-free-in-xmlParseContentInternal.patch @@ -0,0 +1,37 @@ +From 86105c0493f19ef8e1dd21ab5099613159224b4d Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Sat, 15 Apr 2023 18:04:03 -0700 +Subject: [PATCH] Fix use-after-free in xmlParseContentInternal() + +* parser.c: +(xmlParseCharData): +- Check if the parser has stopped before advancing + `ctxt->input->cur`. This only occurs if a custom SAX error + handler calls xmlStopParser() on fatal errors. + +Fixes #518. + +Reference:https://github.com/GNOME/libxml2/commit/86105c0493f19ef8e1dd21ab5099613159224b4d +Conflict:parser.c + +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index f9b4012..ccddf07 100644 +--- a/parser.c ++++ b/parser.c +@@ -4504,7 +4504,8 @@ get_more: + if (*in == ']') { + if ((in[1] == ']') && (in[2] == '>')) { + xmlFatalErr(ctxt, XML_ERR_MISPLACED_CDATA_END, NULL); +- ctxt->input->cur = in + 1; ++ if (ctxt->instate != XML_PARSER_EOF) ++ ctxt->input->cur = in + 1; + return; + } + in++; +-- +2.27.0 + diff --git a/backport-Fix-xmlCtxtReadDoc-with-encoding.patch b/backport-Fix-xmlCtxtReadDoc-with-encoding.patch new file mode 100644 index 0000000..1cf1390 --- /dev/null +++ b/backport-Fix-xmlCtxtReadDoc-with-encoding.patch @@ -0,0 +1,87 @@ +From 4ad71c2d72beef0d10cf75aa417db10d77846f75 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 20 Aug 2022 16:19:34 +0200 +Subject: [PATCH] Fix xmlCtxtReadDoc with encoding + +xmlCtxtReadDoc used to create an input stream involving +xmlNewStringInputStream. This would create a stream without an input +buffer, causing problems with encodings (see #34). + +After commit aab584dc3, an error was returned even with UTF-8 encodings +which happened to work before. + +Make xmlCtxtReadDoc call xmlCtxtReadMemory which doesn't suffer from +these issues. Also fix htmlCtxtReadDoc. + +Fixes #397. +Reference:https://github.com/GNOME/libxml2/commit/4ad71c2d72beef0d10cf75aa417db10d77846f75 +Conflict:NA +--- + HTMLparser.c | 17 ++++------------- + parser.c | 16 +++------------- + 2 files changed, 7 insertions(+), 26 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 98d73f3..a4168f3 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -7087,22 +7087,13 @@ htmlDocPtr + htmlCtxtReadDoc(htmlParserCtxtPtr ctxt, const xmlChar * cur, + const char *URL, const char *encoding, int options) + { +- xmlParserInputPtr stream; ++ const char *buf; + + if (cur == NULL) + return (NULL); +- if (ctxt == NULL) +- return (NULL); +- xmlInitParser(); +- +- htmlCtxtReset(ctxt); +- +- stream = xmlNewStringInputStream(ctxt, cur); +- if (stream == NULL) { +- return (NULL); +- } +- inputPush(ctxt, stream); +- return (htmlDoRead(ctxt, URL, encoding, options, 1)); ++ buf = (const char *) cur; ++ return (htmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, ++ options)); + } + + /** +diff --git a/parser.c b/parser.c +index 6b04bbf..fbeb7af 100644 +--- a/parser.c ++++ b/parser.c +@@ -15374,22 +15374,12 @@ xmlDocPtr + xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur, + const char *URL, const char *encoding, int options) + { +- xmlParserInputPtr stream; ++ const char *buf; + + if (cur == NULL) + return (NULL); +- if (ctxt == NULL) +- return (NULL); +- xmlInitParser(); +- +- xmlCtxtReset(ctxt); +- +- stream = xmlNewStringInputStream(ctxt, cur); +- if (stream == NULL) { +- return (NULL); +- } +- inputPush(ctxt, stream); +- return (xmlDoRead(ctxt, URL, encoding, options, 1)); ++ buf = (const char *) cur; ++ return (xmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, options)); + } + + /** +-- +2.27.0 + diff --git a/backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch b/backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch new file mode 100644 index 0000000..7729cde --- /dev/null +++ b/backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch @@ -0,0 +1,115 @@ +From 677a42645ef22b5a50741bad5facf9d8a8bc6d21 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 28 Jul 2022 20:21:24 +0200 +Subject: [PATCH] Make XPath depth check work with recursive invocations + +EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval +recursively. Don't set depth to zero but keep and restore the original +value to avoid stack overflows when abusing these functions. + +Reference:https://github.com/GNOME/libxml2/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21 +Conflict:NA +--- + xpath.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/xpath.c b/xpath.c +index e79dcec..85d7919 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13883,12 +13883,11 @@ static int + xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + { + xmlXPathCompExprPtr comp; ++ int oldDepth; + + if ((ctxt == NULL) || (ctxt->comp == NULL)) + return(-1); + +- ctxt->context->depth = 0; +- + if (ctxt->valueTab == NULL) { + /* Allocate the value stack */ + ctxt->valueTab = (xmlXPathObjectPtr *) +@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + "xmlXPathRunEval: last is less than zero\n"); + return(-1); + } ++ oldDepth = ctxt->context->depth; + if (toBool) + return(xmlXPathCompOpEvalToBoolean(ctxt, + &comp->steps[comp->last], 0)); + else + xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]); ++ ctxt->context->depth = oldDepth; + + return(0); + } +@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr + xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + xmlXPathParserContextPtr pctxt; + xmlXPathCompExprPtr comp; ++ int oldDepth = 0; + + #ifdef XPATH_STREAMING + comp = xmlXPathTryStreamCompile(ctxt, str); +@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + if (pctxt == NULL) + return NULL; + if (ctxt != NULL) +- ctxt->depth = 0; ++ oldDepth = ctxt->depth; + xmlXPathCompileExpr(pctxt, 1); ++ if (ctxt != NULL) ++ ctxt->depth = oldDepth; + + if( pctxt->error != XPATH_EXPRESSION_OK ) + { +@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + comp = pctxt->comp; + if ((comp->nbStep > 1) && (comp->last >= 0)) { + if (ctxt != NULL) +- ctxt->depth = 0; ++ oldDepth = ctxt->depth; + xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]); ++ if (ctxt != NULL) ++ ctxt->depth = oldDepth; + } + pctxt->comp = NULL; + } +@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + #ifdef XPATH_STREAMING + xmlXPathCompExprPtr comp; + #endif ++ int oldDepth = 0; + + if (ctxt == NULL) return; + +@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + #endif + { + if (ctxt->context != NULL) +- ctxt->context->depth = 0; ++ oldDepth = ctxt->context->depth; + xmlXPathCompileExpr(ctxt, 1); ++ if (ctxt->context != NULL) ++ ctxt->context->depth = oldDepth; + CHECK_ERROR; + + /* Check for trailing characters. */ +@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + + if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) { + if (ctxt->context != NULL) +- ctxt->context->depth = 0; ++ oldDepth = ctxt->context->depth; + xmlXPathOptimizeExpression(ctxt, + &ctxt->comp->steps[ctxt->comp->last]); ++ if (ctxt->context != NULL) ++ ctxt->context->depth = oldDepth; + } + } + +-- +2.27.0 + diff --git a/backport-Properly-fold-whitespace-around-the-QName-value-when.patch b/backport-Properly-fold-whitespace-around-the-QName-value-when.patch new file mode 100644 index 0000000..d5f344f --- /dev/null +++ b/backport-Properly-fold-whitespace-around-the-QName-value-when.patch @@ -0,0 +1,44 @@ +From 2fe372a0aa2cdeb5cf518cf430defba36647c502 Mon Sep 17 00:00:00 2001 +From: Damjan Jovanovic +Date: Sat, 21 Aug 2021 07:21:50 +0200 +Subject: [PATCH] Properly fold whitespace around the QName value when + validating an XSD schema. + +(May also need fixing in other places.) + +Issue: 239 + +Conflict:NA +Reference:https://gitlab.gnome.org/GNOME/libxml2/-/commit/2fe372a0aa2cdeb5cf518cf430defba36647c502 + +--- + xmlschemas.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 2da962b..9da4cd1 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -24645,6 +24645,7 @@ xmlSchemaValidateQName(xmlSchemaValidCtxtPtr vctxt, + int valNeeded) + { + int ret; ++ xmlChar *stripped; + const xmlChar *nsName; + xmlChar *local, *prefix = NULL; + +@@ -24661,7 +24662,10 @@ xmlSchemaValidateQName(xmlSchemaValidCtxtPtr vctxt, + * NOTE: xmlSplitQName2 will always return a duplicated + * strings. + */ +- local = xmlSplitQName2(value, &prefix); ++ /* TODO: Export and use xmlSchemaStrip instead */ ++ stripped = xmlSchemaCollapseString(value); ++ local = xmlSplitQName2(stripped ? stripped : value, &prefix); ++ xmlFree(stripped); + if (local == NULL) + local = xmlStrdup(value); + /* +-- +2.27.0 + diff --git a/backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch b/backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch new file mode 100644 index 0000000..ed0a210 --- /dev/null +++ b/backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch @@ -0,0 +1,153 @@ +From 6ef16dee7ac8af32b8a0dd793445b1148e240364 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 13 May 2022 14:43:33 -0700 +Subject: [PATCH 300/300] Reserve byte for NUL terminator and report errors + consistently in xmlBuf and xmlBuffer + +This is a follow-up to commit 6c283d83. + +* buf.c: +(xmlBufGrowInternal): +- Call xmlBufMemoryError() when the buffer size would overflow. +- Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH. +- Do not include NUL terminator byte when returning length. +(xmlBufAdd): +- Call xmlBufMemoryError() when the buffer size would overflow. + +* tree.c: +(xmlBufferGrow): +- Call xmlTreeErrMemory() when the buffer size would overflow. +- Do not include NUL terminator byte when returning length. +(xmlBufferResize): +- Update error message in xmlTreeErrMemory() to be consistent + with other similar messages. +(xmlBufferAdd): +- Call xmlTreeErrMemory() when the buffer size would overflow. +(xmlBufferAddHead): +- Add overflow checks similar to those in xmlBufferAdd(). + +Reference:https://github.com/GNOME/libxml2/commit/6ef16dee7ac8af32b8a0dd793445b1148e240364 +Conflict:NA + +--- + buf.c | 15 ++++++++++----- + tree.c | 22 ++++++++++++++++------ + 2 files changed, 26 insertions(+), 11 deletions(-) + +diff --git a/buf.c b/buf.c +index da765f6..e851364 100644 +--- a/buf.c ++++ b/buf.c +@@ -440,9 +440,11 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); + if (len < buf->size - buf->use) +- return(buf->size - buf->use); +- if (len > SIZE_MAX - buf->use) ++ return(buf->size - buf->use - 1); ++ if (len >= SIZE_MAX - buf->use) { ++ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX"); + return(0); ++ } + + if (buf->size > (size_t) len) { + size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2; +@@ -455,7 +457,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + /* + * Used to provide parsing limits + */ +- if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ if ((buf->use + len + 1 >= XML_MAX_TEXT_LENGTH) || + (buf->size >= XML_MAX_TEXT_LENGTH)) { + xmlBufMemoryError(buf, "buffer error: text too long\n"); + return(0); +@@ -483,7 +485,7 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + } + buf->size = size; + UPDATE_COMPAT(buf) +- return(buf->size - buf->use); ++ return(buf->size - buf->use - 1); + } + + /** +@@ -883,9 +885,12 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + if (len < 0) return -1; + if (len == 0) return 0; + ++ /* Note that both buf->size and buf->use can be zero here. */ + if ((size_t) len >= buf->size - buf->use) { +- if ((size_t) len >= SIZE_MAX - buf->use) ++ if ((size_t) len >= SIZE_MAX - buf->use) { ++ xmlBufMemoryError(buf, "growing buffer past SIZE_MAX"); + return(-1); ++ } + needSize = buf->use + len + 1; + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* +diff --git a/tree.c b/tree.c +index e275671..ed0a838 100644 +--- a/tree.c ++++ b/tree.c +@@ -7338,8 +7338,10 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); + if (len < buf->size - buf->use) + return(0); +- if (len > UINT_MAX - buf->use) ++ if (len >= UINT_MAX - buf->use) { ++ xmlTreeErrMemory("growing buffer past UINT_MAX"); + return(-1); ++ } + + if (buf->size > (size_t) len) { + size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2; +@@ -7367,7 +7369,7 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { + buf->content = newbuf; + } + buf->size = size; +- return(buf->size - buf->use); ++ return(buf->size - buf->use - 1); + } + + /** +@@ -7464,7 +7466,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + return 1; + + if (size > UINT_MAX - 10) { +- xmlTreeErrMemory("growing buffer"); ++ xmlTreeErrMemory("growing buffer past UINT_MAX"); + return 0; + } + +@@ -7592,9 +7594,12 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) { + if (len < 0) return -1; + if (len == 0) return 0; + ++ /* Note that both buf->size and buf->use can be zero here. */ + if ((unsigned) len >= buf->size - buf->use) { +- if ((unsigned) len >= UINT_MAX - buf->use) ++ if ((unsigned) len >= UINT_MAX - buf->use) { ++ xmlTreeErrMemory("growing buffer past UINT_MAX"); + return XML_ERR_NO_MEMORY; ++ } + needSize = buf->use + len + 1; + if (!xmlBufferResize(buf, needSize)){ + xmlTreeErrMemory("growing buffer"); +@@ -7663,8 +7668,13 @@ xmlBufferAddHead(xmlBufferPtr buf, const xmlChar *str, int len) { + return(0); + } + } +- needSize = buf->use + len + 2; +- if (needSize > buf->size){ ++ /* Note that both buf->size and buf->use can be zero here. */ ++ if ((unsigned) len >= buf->size - buf->use) { ++ if ((unsigned) len >= UINT_MAX - buf->use) { ++ xmlTreeErrMemory("growing buffer past UINT_MAX"); ++ return(-1); ++ } ++ needSize = buf->use + len + 1; + if (!xmlBufferResize(buf, needSize)){ + xmlTreeErrMemory("growing buffer"); + return XML_ERR_NO_MEMORY; +-- +2.27.0 + diff --git a/backport-Reset-nsNr-in-xmlCtxtReset.patch b/backport-Reset-nsNr-in-xmlCtxtReset.patch new file mode 100644 index 0000000..0baf478 --- /dev/null +++ b/backport-Reset-nsNr-in-xmlCtxtReset.patch @@ -0,0 +1,28 @@ +From 5930fe01963136ab92125feec0c6204d9c9225dc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 18 Jul 2022 20:59:45 +0200 +Subject: [PATCH] Reset nsNr in xmlCtxtReset + +Reference:https://github.com/GNOME/libxml2/commit/5930fe01963136ab92125feec0c6204d9c9225dc +Conflict:NA + +--- + parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parser.c b/parser.c +index dd507c0..6b04bbf 100644 +--- a/parser.c ++++ b/parser.c +@@ -14835,6 +14835,8 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt) + ctxt->nameNr = 0; + ctxt->name = NULL; + ++ ctxt->nsNr = 0; ++ + DICT_FREE(ctxt->version); + ctxt->version = NULL; + DICT_FREE(ctxt->encoding); +-- +2.27.0 + -- Gitee From 6ae5b639bb3eeb7948026dd3fc94cb6793697486 Mon Sep 17 00:00:00 2001 From: zhuofeng Date: Thu, 8 Jun 2023 15:56:28 +0800 Subject: [PATCH 4/6] 3 --- ...or-of-htmlDocContentDumpFormatOutput.patch | 42 +++ ...t-Revert-uri-Allow-port-without-host.patch | 31 ++ ...-UPDATE_COMPAT-consistently-in-buf.c.patch | 92 +++++ ...mlNewDocText-in-xmlXIncludeCopyRange.patch | 60 ++++ backport-Use-xmlStrlen-in-CtxtReadDoc.patch | 56 +++ ...xmlStrlen-in-xmlNewStringInputStream.patch | 29 ++ ...x-return-value-of-xmlBufGetInputBase.patch | 31 ++ backport-catalog-Fix-memory-leaks.patch | 48 +++ ...st-toupper-argument-to-unsigned-char.patch | 68 ++++ ...coding-Fix-error-code-in-asciiToUTF8.patch | 32 ++ ...ror-Don-t-move-past-current-position.patch | 39 +++ ...-that-error-messages-are-valid-UTF-8.patch | 78 +++++ ...erContext-could-be-double-delete-in-.patch | 29 ++ ...e-startup-crash-with-old-libxslt-ver.patch | 36 ++ ...ck-for-end-of-comment-in-push-parser.patch | 66 ++++ ...tic-behavior-in-htmlParseTryOrFinish.patch | 39 +++ ...y-buffer-early-in-xmlParserInputGrow.patch | 40 +++ ...full-error-with-certain-buffer-sizes.patch | 36 ++ ...error-check-in-htmlParseHTMLAttribut.patch | 34 ++ ...r-check-in-xmlXPathEqualNodeSetFloat.patch | 30 ++ ...-checks-in-xmlXPathEqualValuesCommon.patch | 38 ++ ...more-error-checks-when-parsing-names.patch | 59 ++++ ...ailure-in-xmlFindCharEncodingHandler.patch | 49 +++ ...k-for-malloc-failure-in-xmlHashAddEn.patch | 102 ++++++ ...ck-for-malloc-failures-when-creating.patch | 210 +++++++++++ ...return-value-of-xmlXPathNodeSetDupNs.patch | 106 ++++++ ...n-t-call-xmlErrMemory-in-xmlstring.c.patch | 66 ++++ ...-Fix-OOB-read-after-xmlRegGetCounter.patch | 75 ++++ ...another-memory-leak-in-xmlSchemaBuck.patch | 32 ++ ...buffer-overread-after-htmlParseScrip.patch | 37 ++ ...x-buffer-overread-in-htmlParseScript.patch | 31 ++ ...buffer-overread-with-HTML-doctype-de.patch | 44 +++ ...error-check-in-xmlXPathCompareValues.patch | 46 +++ ...ail-Fix-error-code-in-htmlParseChunk.patch | 32 ++ ...ite-loop-in-htmlParseContentInternal.patch | 90 +++++ ...nfinite-loop-in-htmlParseDocTypeDecl.patch | 31 ++ ...-infinite-loop-in-htmlParseStartTag1.patch | 51 +++ ...-infinite-loop-in-htmlParseStartTag2.patch | 30 ++ ...ix-infinite-loop-in-xmlParseTextDecl.patch | 32 ++ ...x-infinite-loop-in-xmlSkipBlankChars.patch | 29 ++ ...l-Fix-leak-of-xmlCharEncodingHandler.patch | 31 ++ ...t-malloc-fail-Fix-leak-of-xmlRegAtom.patch | 241 +++++++++++++ ...-memory-leak-after-calling-valuePush.patch | 48 +++ ...k-after-calling-xmlXPathNodeSetMerge.patch | 233 ++++++++++++ ...ak-after-calling-xmlXPathWrapNodeSet.patch | 50 +++ ...eak-after-calling-xmlXPathWrapString.patch | 41 +++ ...Fix-memory-leak-after-xmlRegNewState.patch | 331 ++++++++++++++++++ ...memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch | 56 +++ ...y-leak-in-htmlCreateMemoryParserCtxt.patch | 31 ++ 49 files changed, 3168 insertions(+) create mode 100644 backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch create mode 100644 backport-Revert-uri-Allow-port-without-host.patch create mode 100644 backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch create mode 100644 backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch create mode 100644 backport-Use-xmlStrlen-in-CtxtReadDoc.patch create mode 100644 backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch create mode 100644 backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch create mode 100644 backport-catalog-Fix-memory-leaks.patch create mode 100644 backport-encoding-Cast-toupper-argument-to-unsigned-char.patch create mode 100644 backport-encoding-Fix-error-code-in-asciiToUTF8.patch create mode 100644 backport-error-Don-t-move-past-current-position.patch create mode 100644 backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch create mode 100644 backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch create mode 100644 backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch create mode 100644 backport-html-Fix-check-for-end-of-comment-in-push-parser.patch create mode 100644 backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch create mode 100644 backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch create mode 100644 backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch create mode 100644 backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch create mode 100644 backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch create mode 100644 backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch create mode 100644 backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch create mode 100644 backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch create mode 100644 backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch create mode 100644 backport-malloc-fail-Check-for-malloc-failures-when-creating.patch create mode 100644 backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch create mode 100644 backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch create mode 100644 backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch create mode 100644 backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch create mode 100644 backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch create mode 100644 backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch create mode 100644 backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch create mode 100644 backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch create mode 100644 backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch create mode 100644 backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch create mode 100644 backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch create mode 100644 backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch create mode 100644 backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch create mode 100644 backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch create mode 100644 backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch create mode 100644 backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch create mode 100644 backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch diff --git a/backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch b/backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch new file mode 100644 index 0000000..2c1cd5d --- /dev/null +++ b/backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch @@ -0,0 +1,42 @@ +From 054e46b097524d3808fdc0815b64e14beb2baaf9 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Sat, 14 May 2022 08:48:01 -0700 +Subject: [PATCH 288/300] Restore behavior of htmlDocContentDumpFormatOutput() + +Patch by J Pascoe of Apple. + +* HTMLtree.c: +(htmlDocContentDumpFormatOutput): +- Prior to commit b79ab6e6d92, xmlDoc.type was set to + XML_HTML_DOCUMENT_NODE before dumping the HTML output, then + restored before returning. + +Reference:https://github.com/GNOME/libxml2/commit/054e46b097524d3808fdc0815b64e14beb2baaf9 +Conflict:NA + +--- + HTMLtree.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/HTMLtree.c b/HTMLtree.c +index 7a2b855..2e9fc57 100644 +--- a/HTMLtree.c ++++ b/HTMLtree.c +@@ -992,7 +992,14 @@ void + htmlDocContentDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr cur, + const char *encoding ATTRIBUTE_UNUSED, + int format) { ++ int type = 0; ++ if (cur) { ++ type = cur->type; ++ cur->type = XML_HTML_DOCUMENT_NODE; ++ } + htmlNodeDumpFormatOutput(buf, cur, (xmlNodePtr) cur, NULL, format); ++ if (cur) ++ cur->type = (xmlElementType) type; + } + + /** +-- +2.27.0 + diff --git a/backport-Revert-uri-Allow-port-without-host.patch b/backport-Revert-uri-Allow-port-without-host.patch new file mode 100644 index 0000000..7c79435 --- /dev/null +++ b/backport-Revert-uri-Allow-port-without-host.patch @@ -0,0 +1,31 @@ +From 8ed40c621b33b44c26e90505b9de1c92080c4a8e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 13 Dec 2022 00:51:33 +0100 +Subject: [PATCH] Revert "uri: Allow port without host" + +This reverts commit f30adb54f55e4e765d58195163f2a21f7ac759fb. + +Fixes #460. + +Reference:https://github.com/GNOME/libxml2/commit/8ed40c621b33b44c26e90505b9de1c92080c4a8e +Conflict:NA +--- + uri.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/uri.c b/uri.c +index 79dc48b..ccc26aa 100644 +--- a/uri.c ++++ b/uri.c +@@ -768,6 +768,8 @@ xmlParse3986HierPart(xmlURIPtr uri, const char **str) + cur += 2; + ret = xmlParse3986Authority(uri, &cur); + if (ret != 0) return(ret); ++ if (uri->server == NULL) ++ uri->port = -1; + ret = xmlParse3986PathAbEmpty(uri, &cur); + if (ret != 0) return(ret); + *str = cur; +-- +2.27.0 + diff --git a/backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch b/backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch new file mode 100644 index 0000000..13bafae --- /dev/null +++ b/backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch @@ -0,0 +1,92 @@ +From a15f2abef1463c20bc62a455e983e34b2278f279 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 8 Apr 2022 12:16:51 -0700 +Subject: [PATCH 260/300] Use UPDATE_COMPAT() consistently in buf.c + +* buf.c: +(xmlBufCreate): +(xmlBufCreateSize): +(xmlBufDetach): +(xmlBufCreateStatic): +(xmlBufFromBuffer): + +Reference:https://github.com/GNOME/libxml2/commit/a15f2abef1463c20bc62a455e983e34b2278f279 +Conflict:Context adaptation + +--- + buf.c | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +diff --git a/buf.c b/buf.c +index 40a5ee0..d341750 100644 +--- a/buf.c ++++ b/buf.c +@@ -131,12 +131,11 @@ xmlBufCreate(void) { + xmlBufMemoryError(NULL, "creating buffer"); + return(NULL); + } +- ret->compat_use = 0; + ret->use = 0; + ret->error = 0; + ret->buffer = NULL; + ret->size = xmlDefaultBufferSize; +- ret->compat_size = xmlDefaultBufferSize; ++ UPDATE_COMPAT(ret); + ret->alloc = xmlBufferAllocScheme; + ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); + if (ret->content == NULL) { +@@ -167,13 +166,12 @@ xmlBufCreateSize(size_t size) { + xmlBufMemoryError(NULL, "creating buffer"); + return(NULL); + } +- ret->compat_use = 0; + ret->use = 0; + ret->error = 0; + ret->buffer = NULL; + ret->alloc = xmlBufferAllocScheme; + ret->size = (size ? size + 1 : 0); /* +1 for ending null */ +- ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size); ++ UPDATE_COMPAT(ret); + if (ret->size){ + ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); + if (ret->content == NULL) { +@@ -215,8 +213,7 @@ xmlBufDetach(xmlBufPtr buf) { + buf->content = NULL; + buf->size = 0; + buf->use = 0; +- buf->compat_use = 0; +- buf->compat_size = 0; ++ UPDATE_COMPAT(buf); + + return ret; + } +@@ -245,15 +242,9 @@ xmlBufCreateStatic(void *mem, size_t size) { + xmlBufMemoryError(NULL, "creating buffer"); + return(NULL); + } +- if (size < INT_MAX) { +- ret->compat_use = size; +- ret->compat_size = size; +- } else { +- ret->compat_use = INT_MAX; +- ret->compat_size = INT_MAX; +- } + ret->use = size; + ret->size = size; ++ UPDATE_COMPAT(ret); + ret->alloc = XML_BUFFER_ALLOC_IMMUTABLE; + ret->content = (xmlChar *) mem; + ret->error = 0; +@@ -1159,8 +1150,7 @@ xmlBufFromBuffer(xmlBufferPtr buffer) { + } + ret->use = buffer->use; + ret->size = buffer->size; +- ret->compat_use = buffer->use; +- ret->compat_size = buffer->size; ++ UPDATE_COMPAT(ret); + ret->error = 0; + ret->buffer = buffer; + ret->alloc = buffer->alloc; +-- +2.27.0 + diff --git a/backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch b/backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch new file mode 100644 index 0000000..359cfaf --- /dev/null +++ b/backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch @@ -0,0 +1,60 @@ +From 0aa8652e596a20e95ed334ac65cf15e6e9ec4b3b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 20 May 2022 14:54:49 +0200 +Subject: [PATCH 291/300] Use xmlNewDocText in xmlXIncludeCopyRange + +Otherwise, the initial node of the copy could be a text node with a +NULL document. This results in the NULL document being propagated to +copies of other nodes, losing information about the dictionary in which +node data is stored, and freeing a dict-allocated string. + +See discussion in !175. + +Reference:https://github.com/GNOME/libxml2/commit/0aa8652e596a20e95ed334ac65cf15e6e9ec4b3b +Conflict:NA + +--- + xinclude.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index e5fdf0f..8c14a68 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -987,7 +987,7 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, + int len; + + if (content == NULL) { +- tmp = xmlNewTextLen(NULL, 0); ++ tmp = xmlNewDocTextLen(target, NULL, 0); + } else { + len = index2; + if ((cur == start) && (index1 > 1)) { +@@ -996,7 +996,7 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, + } else { + len = index2; + } +- tmp = xmlNewTextLen(content, len); ++ tmp = xmlNewDocTextLen(target, content, len); + } + /* single sub text node selection */ + if (list == NULL) +@@ -1047,13 +1047,13 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, + const xmlChar *content = cur->content; + + if (content == NULL) { +- tmp = xmlNewTextLen(NULL, 0); ++ tmp = xmlNewDocTextLen(target, NULL, 0); + } else { + if (index1 > 1) { + content += (index1 - 1); + index1 = 0; + } +- tmp = xmlNewText(content); ++ tmp = xmlNewDocText(target, content); + } + last = list = tmp; + listParent = cur->parent; +-- +2.27.0 + diff --git a/backport-Use-xmlStrlen-in-CtxtReadDoc.patch b/backport-Use-xmlStrlen-in-CtxtReadDoc.patch new file mode 100644 index 0000000..817574c --- /dev/null +++ b/backport-Use-xmlStrlen-in-CtxtReadDoc.patch @@ -0,0 +1,56 @@ +From 5b2d07a72670513e41b481a9d922c983a64027ca Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 20 Aug 2022 17:00:50 +0200 +Subject: [PATCH] Use xmlStrlen in *CtxtReadDoc + +xmlStrlen handles buffers larger than INT_MAX more gracefully. + +Reference:https://github.com/GNOME/libxml2/commit/5b2d07a72670513e41b481a9d922c983a64027ca +Conflict:NA +--- + HTMLparser.c | 7 ++----- + parser.c | 6 ++---- + 2 files changed, 4 insertions(+), 9 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index a4168f3..e0b32fe 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -7087,13 +7087,10 @@ htmlDocPtr + htmlCtxtReadDoc(htmlParserCtxtPtr ctxt, const xmlChar * cur, + const char *URL, const char *encoding, int options) + { +- const char *buf; +- + if (cur == NULL) + return (NULL); +- buf = (const char *) cur; +- return (htmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, +- options)); ++ return (htmlCtxtReadMemory(ctxt, (const char *) cur, xmlStrlen(cur), URL, ++ encoding, options)); + } + + /** +diff --git a/parser.c b/parser.c +index fbeb7af..23b031d 100644 +--- a/parser.c ++++ b/parser.c +@@ -15374,12 +15374,10 @@ xmlDocPtr + xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur, + const char *URL, const char *encoding, int options) + { +- const char *buf; +- + if (cur == NULL) + return (NULL); +- buf = (const char *) cur; +- return (xmlCtxtReadMemory(ctxt, buf, strlen(buf), URL, encoding, options)); ++ return (xmlCtxtReadMemory(ctxt, (const char *) cur, xmlStrlen(cur), URL, ++ encoding, options)); + } + + /** +-- +2.27.0 + diff --git a/backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch b/backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch new file mode 100644 index 0000000..3d86ae7 --- /dev/null +++ b/backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch @@ -0,0 +1,29 @@ +From c21e9cd5d955e4d8afa514e1f7736ce6a9bb8f2e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 20 Aug 2022 17:02:02 +0200 +Subject: [PATCH] Use xmlStrlen in xmlNewStringInputStream + +xmlStrlen handles buffers larger than INT_MAX more gracefully. + +Reference:https://github.com/GNOME/libxml2/commit/c21e9cd5d955e4d8afa514e1f7736ce6a9bb8f2e +Conflict:NA +--- + parserInternals.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parserInternals.c b/parserInternals.c +index 6ef7671..2b05dac 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -1476,7 +1476,7 @@ xmlNewStringInputStream(xmlParserCtxtPtr ctxt, const xmlChar *buffer) { + xmlGenericError(xmlGenericErrorContext, + "new fixed input: %.30s\n", buffer); + buf = xmlParserInputBufferCreateMem((const char *) buffer, +- strlen((const char *) buffer), ++ xmlStrlen(buffer), + XML_CHAR_ENCODING_NONE); + if (buf == NULL) { + xmlErrMemory(ctxt, NULL); +-- +2.27.0 + diff --git a/backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch b/backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch new file mode 100644 index 0000000..099793e --- /dev/null +++ b/backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch @@ -0,0 +1,31 @@ +From f8c5e7fb75cd741fb576ddb4de8fcd61f9907549 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 13:49:19 +0100 +Subject: [PATCH] buf: Fix return value of xmlBufGetInputBase + +Don't return (size_t) -1 in error case. + +Found with libFuzzer and -fsanitize=implicit-conversion. + +Reference:https://github.com/GNOME/libxml2/commit/f8c5e7fb75cd741fb576ddb4de8fcd61f9907549 +Conflict:NA +--- + buf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/buf.c b/buf.c +index 69370b7..d8992f7 100644 +--- a/buf.c ++++ b/buf.c +@@ -1283,7 +1283,7 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) { + size_t base; + + if ((input == NULL) || (buf == NULL) || (buf->error)) +- return(-1); ++ return(0); + CHECK_COMPAT(buf) + base = input->base - buf->content; + /* +-- +2.27.0 + diff --git a/backport-catalog-Fix-memory-leaks.patch b/backport-catalog-Fix-memory-leaks.patch new file mode 100644 index 0000000..4aff01b --- /dev/null +++ b/backport-catalog-Fix-memory-leaks.patch @@ -0,0 +1,48 @@ +From c9e4c6d416d00968f2e2d7c68a9c0e809265baf2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 21 Feb 2023 15:22:01 +0100 +Subject: [PATCH] catalog: Fix memory leaks + +Fixes #377. + +Reference:https://github.com/GNOME/libxml2/commit/c9e4c6d416d00968f2e2d7c68a9c0e809265baf2 +Conflict:catalog.c xmlcatalog.c + +--- + catalog.c | 2 +- + xmlcatalog.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/catalog.c b/catalog.c +index b3a97da..4d84a6a 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -2983,7 +2983,7 @@ xmlACatalogAdd(xmlCatalogPtr catal, const xmlChar * type, + if (catal->sgml == NULL) + catal->sgml = xmlHashCreate(10); + res = xmlHashAddEntry(catal->sgml, orig, entry); +- if (res) ++ if (res < 0) + xmlFreeCatalogEntry(entry, NULL); + } + } +diff --git a/xmlcatalog.c b/xmlcatalog.c +index 7fe25ac..c7a1dc8 100644 +--- a/xmlcatalog.c ++++ b/xmlcatalog.c +@@ -513,10 +513,8 @@ int main(int argc, char **argv) { + } + i += 2; + /* Check for memory leaks */ +- if (catal != NULL) +- xmlFreeCatalog(catal); +- if (super != NULL) +- xmlFreeCatalog(super); ++ xmlFreeCatalog(catal); ++ xmlFreeCatalog(super); + } else { + if ((!strcmp(argv[i], "-add")) || + (!strcmp(argv[i], "--add"))) { +-- +2.27.0 + diff --git a/backport-encoding-Cast-toupper-argument-to-unsigned-char.patch b/backport-encoding-Cast-toupper-argument-to-unsigned-char.patch new file mode 100644 index 0000000..bf6fd17 --- /dev/null +++ b/backport-encoding-Cast-toupper-argument-to-unsigned-char.patch @@ -0,0 +1,68 @@ +From 3cc900f0989908f50d5544f00ede0f0236c4f350 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 11:50:52 +0100 +Subject: [PATCH] encoding: Cast toupper argument to unsigned char + +Fixes undefined behavior. + +Also cast return value explicitly to fix implicit-integer-sign-change +checks. + +Reference:https://github.com/GNOME/libxml2/commit/3cc900f0989908f50d5544f00ede0f0236c4f350 +Conflict:NA +--- + encoding.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/encoding.c b/encoding.c +index 8b98f7d..d43361a 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -1038,7 +1038,7 @@ xmlGetEncodingAlias(const char *alias) { + return(NULL); + + for (i = 0;i < 99;i++) { +- upper[i] = toupper(alias[i]); ++ upper[i] = (char) toupper((unsigned char) alias[i]); + if (upper[i] == 0) break; + } + upper[i] = 0; +@@ -1073,7 +1073,7 @@ xmlAddEncodingAlias(const char *name, const char *alias) { + return(-1); + + for (i = 0;i < 99;i++) { +- upper[i] = toupper(alias[i]); ++ upper[i] = (char) toupper((unsigned char) alias[i]); + if (upper[i] == 0) break; + } + upper[i] = 0; +@@ -1175,7 +1175,7 @@ xmlParseCharEncoding(const char* name) + name = alias; + + for (i = 0;i < 499;i++) { +- upper[i] = toupper(name[i]); ++ upper[i] = (char) toupper((unsigned char) name[i]); + if (upper[i] == 0) break; + } + upper[i] = 0; +@@ -1351,7 +1351,7 @@ xmlNewCharEncodingHandler(const char *name, + return(NULL); + } + for (i = 0;i < 499;i++) { +- upper[i] = toupper(name[i]); ++ upper[i] = (char) toupper((unsigned char) name[i]); + if (upper[i] == 0) break; + } + upper[i] = 0; +@@ -1689,7 +1689,7 @@ xmlFindCharEncodingHandler(const char *name) { + * Check first for directly registered encoding names + */ + for (i = 0;i < 99;i++) { +- upper[i] = toupper(name[i]); ++ upper[i] = (char) toupper((unsigned char) name[i]); + if (upper[i] == 0) break; + } + upper[i] = 0; +-- +2.27.0 + diff --git a/backport-encoding-Fix-error-code-in-asciiToUTF8.patch b/backport-encoding-Fix-error-code-in-asciiToUTF8.patch new file mode 100644 index 0000000..322fac1 --- /dev/null +++ b/backport-encoding-Fix-error-code-in-asciiToUTF8.patch @@ -0,0 +1,32 @@ +From a6b9e55a9eb78e96f880afaf03ce8819bcd26a34 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Mar 2023 15:42:02 +0200 +Subject: [PATCH] encoding: Fix error code in asciiToUTF8 + +Use correct error code when invalid ASCII bytes are encountered. + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/a6b9e55a9eb78e96f880afaf03ce8819bcd26a34 +Conflict:NA + +--- + encoding.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/encoding.c b/encoding.c +index d43361a..9a7a611 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -193,7 +193,7 @@ asciiToUTF8(unsigned char* out, int *outlen, + } else { + *outlen = out - outstart; + *inlen = processed - base; +- return(-1); ++ return(-2); + } + + processed = (const unsigned char*) in; +-- +2.27.0 + diff --git a/backport-error-Don-t-move-past-current-position.patch b/backport-error-Don-t-move-past-current-position.patch new file mode 100644 index 0000000..cbb6f2e --- /dev/null +++ b/backport-error-Don-t-move-past-current-position.patch @@ -0,0 +1,39 @@ +From d9a8dab3a3ba980f1efc1366c1b9a3a2434dcabd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 12:00:59 +0100 +Subject: [PATCH] error: Don't move past current position + +Make sure that we never move past the current position in +xmlParserPrintFileContextInternal. + +Found with libFuzzer and -fsanitize=implicit-conversion. + +Reference:https://github.com/GNOME/libxml2/commit/d9a8dab3a3ba980f1efc1366c1b9a3a2434dcabd +Conflict:NA +--- + error.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/error.c b/error.c +index fe9a7e2..5eee72a 100644 +--- a/error.c ++++ b/error.c +@@ -188,10 +188,12 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , + } + n = 0; + /* search backwards for beginning-of-line (to max buff size) */ +- while ((n++ < (sizeof(content)-1)) && (cur > base) && +- (*(cur) != '\n') && (*(cur) != '\r')) ++ while ((n < sizeof(content) - 1) && (cur > base) && ++ (*cur != '\n') && (*cur != '\r')) { + cur--; +- if ((*(cur) == '\n') || (*(cur) == '\r')) { ++ n++; ++ } ++ if ((n > 0) && ((*cur == '\n') || (*cur == '\r'))) { + cur++; + } else { + /* skip over continuation bytes */ +-- +2.27.0 + diff --git a/backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch b/backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch new file mode 100644 index 0000000..b30e6d7 --- /dev/null +++ b/backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch @@ -0,0 +1,78 @@ +From 9a0aec423d158a9e3d8e5cb6df0d5ce032be3524 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 4 Dec 2022 23:01:00 +0100 +Subject: [PATCH 28/28] error: Make sure that error messages are valid UTF-8 + +This has caused issues with the Python bindings for a long time. + +Should fix #64. + +Reference: https://github.com/GNOME/libxml2/commit/76c6da420923f2721a2e16adfcef8707a2454a1b +Conflict: result/,runtest.c,test/ +--- + error.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/error.c b/error.c +index 9ff1c2b..fe9a7e2 100644 +--- a/error.c ++++ b/error.c +@@ -163,7 +163,7 @@ xmlParserPrintFileInfo(xmlParserInputPtr input) { + } + + /** +- * xmlParserPrintFileContext: ++ * xmlParserPrintFileContextInternal: + * @input: an xmlParserInputPtr input + * + * Displays current context within the input content for error tracking +@@ -172,7 +172,7 @@ xmlParserPrintFileInfo(xmlParserInputPtr input) { + static void + xmlParserPrintFileContextInternal(xmlParserInputPtr input , + xmlGenericErrorFunc channel, void *data ) { +- const xmlChar *cur, *base; ++ const xmlChar *cur, *base, *start; + unsigned int n, col; /* GCC warns if signed, because compared with sizeof() */ + xmlChar content[81]; /* space for 80 chars + line terminator */ + xmlChar *ctnt; +@@ -191,19 +191,30 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , + while ((n++ < (sizeof(content)-1)) && (cur > base) && + (*(cur) != '\n') && (*(cur) != '\r')) + cur--; +- if ((*(cur) == '\n') || (*(cur) == '\r')) cur++; ++ if ((*(cur) == '\n') || (*(cur) == '\r')) { ++ cur++; ++ } else { ++ /* skip over continuation bytes */ ++ while ((cur < input->cur) && ((*cur & 0xC0) == 0x80)) ++ cur++; ++ } + /* calculate the error position in terms of the current position */ + col = input->cur - cur; + /* search forward for end-of-line (to max buff size) */ + n = 0; +- ctnt = content; ++ start = cur; + /* copy selected text to our buffer */ +- while ((*cur != 0) && (*(cur) != '\n') && +- (*(cur) != '\r') && (n < sizeof(content)-1)) { +- *ctnt++ = *cur++; +- n++; ++ while ((*cur != 0) && (*(cur) != '\n') && (*(cur) != '\r')) { ++ int len = input->end - cur; ++ int c = xmlGetUTF8Char(cur, &len); ++ ++ if ((c < 0) || (n + len > sizeof(content)-1)) ++ break; ++ cur += len; ++ n += len; + } +- *ctnt = 0; ++ memcpy(content, start, n); ++ content[n] = 0; + /* print out the selected text */ + channel(data ,"%s\n", content); + /* create blank line with problem pointer */ +-- +2.27.0 + diff --git a/backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch b/backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch new file mode 100644 index 0000000..62129a8 --- /dev/null +++ b/backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch @@ -0,0 +1,29 @@ +From 74263eff5f6212afa2196022ecd2fbc39c6d3c36 Mon Sep 17 00:00:00 2001 +From: jinsub ahn +Date: Wed, 30 Mar 2022 06:02:31 +0000 +Subject: [PATCH 206/300] fix: xmlXPathParserContext could be double-delete in + OOM case. + +Reference:https://github.com/GNOME/libxml2/commit/74263eff5f6212afa2196022ecd2fbc39c6d3c36 +Conflict:NA +--- + xpath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xpath.c b/xpath.c +index c2d8458..e79dcec 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13895,7 +13895,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + xmlMalloc(10 * sizeof(xmlXPathObjectPtr)); + if (ctxt->valueTab == NULL) { + xmlXPathPErrMemory(ctxt, "creating evaluation context\n"); +- xmlFree(ctxt); ++ return(-1); + } + ctxt->valueNr = 0; + ctxt->valueMax = 10; +-- +2.27.0 + + diff --git a/backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch b/backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch new file mode 100644 index 0000000..22409fd --- /dev/null +++ b/backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch @@ -0,0 +1,36 @@ +From 06a2c251a18d8cc93bcae82270997b27cbc9aaea Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 6 May 2023 15:28:13 +0200 +Subject: [PATCH] hash: Fix possible startup crash with old libxslt versions + +Call xmlInitParser in xmlHashCreate to make it work if the library +wasn't initialized yet. + +Otherwise, exsltRegisterAll from libxslt 1.1.24 or older might cause +a crash. + +See #534. + +Reference:https://github.com/GNOME/libxml2/commit/06a2c251a18d8cc93bcae82270997b27cbc9aaea +Conflict:NA + +--- + hash.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hash.c b/hash.c +index 00250ba..ac868ff 100644 +--- a/hash.c ++++ b/hash.c +@@ -181,6 +181,8 @@ xmlHashTablePtr + xmlHashCreate(int size) { + xmlHashTablePtr table; + ++ xmlInitParser(); ++ + if (size <= 0) + size = 256; + +-- +2.27.0 + diff --git a/backport-html-Fix-check-for-end-of-comment-in-push-parser.patch b/backport-html-Fix-check-for-end-of-comment-in-push-parser.patch new file mode 100644 index 0000000..89102ad --- /dev/null +++ b/backport-html-Fix-check-for-end-of-comment-in-push-parser.patch @@ -0,0 +1,66 @@ +From 63fa7b922a169ed6b86a4c6678140795c28657f5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 20 Nov 2022 19:54:34 +0100 +Subject: [PATCH 20/28] html: Fix check for end of comment in push parser + +Make sure to reset checkIndex. Handle case where "--" or "--!" is at the +end of the buffer. Fix "avail" check in htmlParseOrTryFinish. + +Reference: https://github.com/GNOME/libxml2/commit/c93679381c565f4c110c7a6110372bd6d0610308 +Conflict: HTMLparser.c:, +--- + HTMLparser.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index e0b32fe..746edf6 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -5405,14 +5405,22 @@ static int + htmlParseLookupCommentEnd(htmlParserCtxtPtr ctxt) + { + int mark = 0; ++ int offset; + int cur = CUR_PTR - BASE_PTR; + +- while (mark >= 0) { ++ while (1) { + mark = htmlParseLookupSequence(ctxt, '-', '-', 0, 0); +- if ((mark < 0) || +- (NXT(mark+2) == '>') || ++ if (mark < 0) ++ break; ++ if ((NXT(mark+2) == '>') || + ((NXT(mark+2) == '!') && (NXT(mark+3) == '>'))) { +- return mark; ++ ctxt->checkIndex = 0; ++ break; ++ } ++ offset = (NXT(mark+2) == '!') ? 3 : 2; ++ if (mark + offset >= ctxt->input->end - ctxt->input->cur) { ++ ctxt->checkIndex = mark; ++ return(-1); + } + ctxt->checkIndex = cur + mark + 1; + } +@@ -5949,6 +5957,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { + break; + } + } else { ++ if ((cur == '<') && (next == '!') && (avail < 4)) ++ goto done; + /* + * Sometimes DOCTYPE arrives in the middle of the document + */ +@@ -5984,8 +5994,6 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { + #endif + htmlParsePI(ctxt); + ctxt->instate = XML_PARSER_CONTENT; +- } else if ((cur == '<') && (next == '!') && (avail < 4)) { +- goto done; + } else if ((cur == '<') && (next == '/')) { + ctxt->instate = XML_PARSER_END_TAG; + ctxt->checkIndex = 0; +-- +2.27.0 + diff --git a/backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch b/backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch new file mode 100644 index 0000000..cf89ab5 --- /dev/null +++ b/backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch @@ -0,0 +1,39 @@ +From 4b3452d17123631ec43d532b83dc182c1a638fed Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Mar 2023 16:56:36 +0100 +Subject: [PATCH] html: Fix quadratic behavior in htmlParseTryOrFinish + +Fix check for end of script content. + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/4b3452d17123631ec43d532b83dc182c1a638fed +Conflict:NA + +--- + HTMLparser.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index b76218c..6c8f180 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -5984,8 +5984,14 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { + if (idx < 0) + goto done; + val = in->cur[idx + 2]; +- if (val == 0) /* bad cut of input */ ++ if (val == 0) { /* bad cut of input */ ++ /* ++ * FIXME: htmlParseScript checks for additional ++ * characters after 'checkIndex = idx; + goto done; ++ } + } + htmlParseScript(ctxt); + if ((cur == '<') && (next == '/')) { +-- +2.27.0 + diff --git a/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch b/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch new file mode 100644 index 0000000..b0b19e2 --- /dev/null +++ b/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch @@ -0,0 +1,40 @@ +From 9feafbc5c5cce13852062a527d719ecce6b54661 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 13 Nov 2022 16:56:10 +0100 +Subject: [PATCH] io: Check for memory buffer early in xmlParserInputGrow + +Reference:https://github.com/GNOME/libxml2/commit/9feafbc5c5cce13852062a527d719ecce6b54661 +Conflict:NA +--- + parserInternals.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/parserInternals.c b/parserInternals.c +index b8eab4b..0ef44fe 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -310,6 +310,9 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + if (in->cur == NULL) return(-1); + if (in->buf->buffer == NULL) return(-1); + ++ /* Don't grow memory buffers. */ ++ if (in->buf->readcallback == NULL) return(0); ++ + CHECK_BUFFER(in); + + indx = in->cur - in->base; +@@ -319,10 +322,7 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + + return(0); + } +- if (in->buf->readcallback != NULL) { +- ret = xmlParserInputBufferGrow(in->buf, len); +- } else +- return(0); ++ ret = xmlParserInputBufferGrow(in->buf, len); + + in->base = xmlBufContent(in->buf->buffer); + in->cur = in->base + indx; +-- +2.27.0 + diff --git a/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch b/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch new file mode 100644 index 0000000..2c97fb4 --- /dev/null +++ b/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch @@ -0,0 +1,36 @@ +From cc645b439f54040b424bcb6c9b4c2c3f51cf2f9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 13 Nov 2022 15:08:44 +0100 +Subject: [PATCH 14/28] io: Fix "buffer full" error with certain buffer sizes + +Remove a useless check in xmlParserInputBufferGrow that could be +triggered after changing xmlBufAvail in c14cac8b. + +Fixes #438. + +Reference: https://github.com/GNOME/libxml2/commit/22d879bf0ab3ef14177a6388e28bb264bd36e64b +Conflict: NA +--- + xmlIO.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/xmlIO.c b/xmlIO.c +index 3f5307f..0762034 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -3247,12 +3247,6 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { + if ((len <= MINLEN) && (len != 4)) + len = MINLEN; + +- if (xmlBufAvail(in->buffer) <= 0) { +- xmlIOErr(XML_IO_BUFFER_FULL, NULL); +- in->error = XML_IO_BUFFER_FULL; +- return(-1); +- } +- + if (xmlBufGrow(in->buffer, len + 1) < 0) { + xmlIOErrMemory("growing input buffer"); + in->error = XML_ERR_NO_MEMORY; +-- +2.27.0 + diff --git a/backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch b/backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch new file mode 100644 index 0000000..c9c201c --- /dev/null +++ b/backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch @@ -0,0 +1,34 @@ +From 62f199ed7d1c99999030810495bd12fd5b86fee1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Mar 2023 12:40:46 +0100 +Subject: [PATCH] malloc-fail: Add error check in htmlParseHTMLAttribute + +This function must return NULL is an error occurs. + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/62f199ed7d1c99999030810495bd12fd5b86fee1 +Conflict:NA + +--- + HTMLparser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 3682807..42d1b29 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -2846,6 +2846,10 @@ htmlParseHTMLAttribute(htmlParserCtxtPtr ctxt, const xmlChar stop) { + out = &buffer[indx]; + } + c = CUR_CHAR(l); ++ if (ctxt->instate == XML_PARSER_EOF) { ++ xmlFree(buffer); ++ return(NULL); ++ } + if (c < 0x80) + { *out++ = c; bits= -6; } + else if (c < 0x800) +-- +2.27.0 + diff --git a/backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch b/backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch new file mode 100644 index 0000000..c4acf5e --- /dev/null +++ b/backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch @@ -0,0 +1,30 @@ +From 08695683dbd78301aa95bf3042871256479bc6a6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jan 2023 15:52:00 +0100 +Subject: [PATCH] malloc-fail: Add error check in xmlXPathEqualNodeSetFloat + +Avoid null deref. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/08695683dbd78301aa95bf3042871256479bc6a6 +Conflict:NA +--- + xpath.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xpath.c b/xpath.c +index 6d76e43..77d5434 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -6799,6 +6799,7 @@ xmlXPathEqualNodeSetFloat(xmlXPathParserContextPtr ctxt, + xmlFree(str2); + xmlXPathNumberFunction(ctxt, 1); + val = valuePop(ctxt); ++ CHECK_ERROR0; + v = val->floatval; + xmlXPathReleaseObject(ctxt->context, val); + if (!xmlXPathIsNaN(v)) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch b/backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch new file mode 100644 index 0000000..943098e --- /dev/null +++ b/backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch @@ -0,0 +1,38 @@ +From 7ec314efcd8b3df1d05d793812e54656bf539af8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jan 2023 15:59:55 +0100 +Subject: [PATCH] malloc-fail: Add error checks in xmlXPathEqualValuesCommon + +Avoid null deref. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/7ec314efcd8b3df1d05d793812e54656bf539af8 +Conflict:NA +--- + xpath.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xpath.c b/xpath.c +index fbec21b..6d76e43 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -7011,6 +7011,7 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, + valuePush(ctxt, arg2); + xmlXPathNumberFunction(ctxt, 1); + arg2 = valuePop(ctxt); ++ CHECK_ERROR0; + /* Falls through. */ + case XPATH_NUMBER: + /* Hand check NaN and Infinity equalities */ +@@ -7074,6 +7075,7 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, + valuePush(ctxt, arg1); + xmlXPathNumberFunction(ctxt, 1); + arg1 = valuePop(ctxt); ++ CHECK_ERROR0; + /* Hand check NaN and Infinity equalities */ + if (xmlXPathIsNaN(arg1->floatval) || + xmlXPathIsNaN(arg2->floatval)) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch b/backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch new file mode 100644 index 0000000..7d50afe --- /dev/null +++ b/backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch @@ -0,0 +1,59 @@ +From c81d0d04bfbdbccea0c5199bced95a6af961885a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Mar 2023 12:39:35 +0100 +Subject: [PATCH] malloc-fail: Add more error checks when parsing names + +xmlParseName and similar functions must return NULL if an error occurs. + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/c81d0d04bfbdbccea0c5199bced95a6af961885a +Conflict:NA + +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index 75bd27f..b872d34 100644 +--- a/parser.c ++++ b/parser.c +@@ -3355,6 +3355,8 @@ xmlParseName(xmlParserCtxtPtr ctxt) { + XML_MAX_NAME_LENGTH; + + GROW; ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(NULL); + + #ifdef DEBUG + nbParseName++; +@@ -3410,6 +3412,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + * Handler for more complex cases + */ + GROW; ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(NULL); + startPosition = CUR_PTR - BASE_PTR; + c = CUR_CHAR(l); + if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ +@@ -3686,6 +3690,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + if (count++ > XML_PARSER_CHUNK_SIZE) { + count = 0; + GROW; ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(NULL); + } + COPY_BUF(l,buf,len,c); + NEXTL(l); +@@ -8791,6 +8797,8 @@ xmlParseQName(xmlParserCtxtPtr ctxt, const xmlChar **prefix) { + const xmlChar *l, *p; + + GROW; ++ if (ctxt->instate == XML_PARSER_EOF) ++ return(NULL); + + l = xmlParseNCName(ctxt); + if (l == NULL) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch b/backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch new file mode 100644 index 0000000..8e0b923 --- /dev/null +++ b/backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch @@ -0,0 +1,49 @@ +From 1c5e1fc194a661783d4bffbfd4b4424a7d74881f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Feb 2023 13:56:21 +0100 +Subject: [PATCH] malloc-fail: Check for malloc failure in + xmlFindCharEncodingHandler + +Don't return encoding handlers with a NULL name. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/1c5e1fc194a661783d4bffbfd4b4424a7d74881f +Conflict:NA +--- + encoding.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/encoding.c b/encoding.c +index c073a9c..400e860 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -1726,6 +1726,12 @@ xmlFindCharEncodingHandler(const char *name) { + } + memset(enc, 0, sizeof(xmlCharEncodingHandler)); + enc->name = xmlMemStrdup(name); ++ if (enc->name == NULL) { ++ xmlFree(enc); ++ iconv_close(icv_in); ++ iconv_close(icv_out); ++ return(NULL); ++ } + enc->input = NULL; + enc->output = NULL; + enc->iconv_in = icv_in; +@@ -1758,6 +1764,12 @@ xmlFindCharEncodingHandler(const char *name) { + } + memset(encu, 0, sizeof(xmlCharEncodingHandler)); + encu->name = xmlMemStrdup(name); ++ if (encu->name == NULL) { ++ xmlFree(encu); ++ closeIcuConverter(ucv_in); ++ closeIcuConverter(ucv_out); ++ return(NULL); ++ } + encu->input = NULL; + encu->output = NULL; + encu->uconv_in = ucv_in; +-- +2.27.0 + diff --git a/backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch b/backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch new file mode 100644 index 0000000..a6c26d1 --- /dev/null +++ b/backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch @@ -0,0 +1,102 @@ +From 4499143a8737148b9be4e3c05e71bc60c5b52e4f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Feb 2023 15:43:50 +0100 +Subject: [PATCH] malloc-fail: Check for malloc failure in xmlHashAddEntry + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/4499143a8737148b9be4e3c05e71bc60c5b52e4f +Conflict:NA +--- + hash.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 50 insertions(+), 4 deletions(-) + +diff --git a/hash.c b/hash.c +index 7b82d2f..00250ba 100644 +--- a/hash.c ++++ b/hash.c +@@ -614,8 +614,24 @@ xmlHashAddEntry3(xmlHashTablePtr table, const xmlChar *name, + entry->name3 = (xmlChar *) name3; + } else { + entry->name = xmlStrdup(name); +- entry->name2 = xmlStrdup(name2); +- entry->name3 = xmlStrdup(name3); ++ if (entry->name == NULL) { ++ entry->name2 = NULL; ++ goto error; ++ } ++ if (name2 == NULL) { ++ entry->name2 = NULL; ++ } else { ++ entry->name2 = xmlStrdup(name2); ++ if (entry->name2 == NULL) ++ goto error; ++ } ++ if (name3 == NULL) { ++ entry->name3 = NULL; ++ } else { ++ entry->name3 = xmlStrdup(name3); ++ if (entry->name3 == NULL) ++ goto error; ++ } + } + entry->payload = userdata; + entry->next = NULL; +@@ -631,6 +647,13 @@ xmlHashAddEntry3(xmlHashTablePtr table, const xmlChar *name, + xmlHashGrow(table, MAX_HASH_LEN * table->size); + + return(0); ++ ++error: ++ xmlFree(entry->name2); ++ xmlFree(entry->name); ++ if (insert != NULL) ++ xmlFree(entry); ++ return(-1); + } + + /** +@@ -744,8 +767,24 @@ xmlHashUpdateEntry3(xmlHashTablePtr table, const xmlChar *name, + entry->name3 = (xmlChar *) name3; + } else { + entry->name = xmlStrdup(name); +- entry->name2 = xmlStrdup(name2); +- entry->name3 = xmlStrdup(name3); ++ if (entry->name == NULL) { ++ entry->name2 = NULL; ++ goto error; ++ } ++ if (name2 == NULL) { ++ entry->name2 = NULL; ++ } else { ++ entry->name2 = xmlStrdup(name2); ++ if (entry->name2 == NULL) ++ goto error; ++ } ++ if (name3 == NULL) { ++ entry->name3 = NULL; ++ } else { ++ entry->name3 = xmlStrdup(name3); ++ if (entry->name3 == NULL) ++ goto error; ++ } + } + entry->payload = userdata; + entry->next = NULL; +@@ -757,6 +796,13 @@ xmlHashUpdateEntry3(xmlHashTablePtr table, const xmlChar *name, + insert->next = entry; + } + return(0); ++ ++error: ++ xmlFree(entry->name2); ++ xmlFree(entry->name); ++ if (insert != NULL) ++ xmlFree(entry); ++ return(-1); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Check-for-malloc-failures-when-creating.patch b/backport-malloc-fail-Check-for-malloc-failures-when-creating.patch new file mode 100644 index 0000000..30ce4f2 --- /dev/null +++ b/backport-malloc-fail-Check-for-malloc-failures-when-creating.patch @@ -0,0 +1,210 @@ +From b1319c902f6e44d08f8cb33f1fc28847f2bc8aeb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 18 Mar 2023 16:34:01 +0100 +Subject: [PATCH] malloc-fail: Check for malloc failures when creating XPath + strings + +Prevent null derefs. + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/b1319c902f6e44d08f8cb33f1fc28847f2bc8aeb +Conflict:xpath.c + +--- + xpath.c | 111 +++++++++++++++++++++----------------------------------- + 1 file changed, 42 insertions(+), 69 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 005a6a2..2eceb5b 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -2476,17 +2476,17 @@ xmlXPathCacheNewNodeSet(xmlXPathContextPtr ctxt, xmlNodePtr val) + } + + /** +- * xmlXPathCacheNewCString: ++ * xmlXPathCacheNewString: + * @ctxt: the XPath context +- * @val: the char * value ++ * @val: the xmlChar * value + * +- * This is the cached version of xmlXPathNewCString(). ++ * This is the cached version of xmlXPathNewString(). + * Acquire an xmlXPathObjectPtr of type string and of value @val + * + * Returns the created or reused object. + */ + static xmlXPathObjectPtr +-xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) ++xmlXPathCacheNewString(xmlXPathContextPtr ctxt, const xmlChar *val) + { + if ((ctxt != NULL) && (ctxt->cache)) { + xmlXPathContextCachePtr cache = (xmlXPathContextCachePtr) ctxt->cache; +@@ -2495,12 +2495,20 @@ xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) + (cache->stringObjs->number != 0)) + { + xmlXPathObjectPtr ret; ++ xmlChar *copy; ++ ++ if (val == NULL) ++ val = BAD_CAST ""; ++ copy = xmlStrdup(val); ++ if (copy == NULL) { ++ xmlXPathErrMemory(ctxt, NULL); ++ return(NULL); ++ } + + ret = (xmlXPathObjectPtr) + cache->stringObjs->items[--cache->stringObjs->number]; +- + ret->type = XPATH_STRING; +- ret->stringval = xmlStrdup(BAD_CAST val); ++ ret->stringval = copy; + #ifdef XP_DEBUG_OBJ_USAGE + xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); + #endif +@@ -2509,73 +2517,44 @@ xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) + (cache->miscObjs->number != 0)) + { + xmlXPathObjectPtr ret; ++ xmlChar *copy; ++ ++ if (val == NULL) ++ val = BAD_CAST ""; ++ copy = xmlStrdup(val); ++ if (copy == NULL) { ++ xmlXPathErrMemory(ctxt, NULL); ++ return(NULL); ++ } + + ret = (xmlXPathObjectPtr) + cache->miscObjs->items[--cache->miscObjs->number]; + + ret->type = XPATH_STRING; +- ret->stringval = xmlStrdup(BAD_CAST val); ++ ret->stringval = copy; + #ifdef XP_DEBUG_OBJ_USAGE + xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); + #endif + return(ret); + } + } +- return(xmlXPathNewCString(val)); ++ return(xmlXPathNewString(val)); + } + + /** +- * xmlXPathCacheNewString: ++ * xmlXPathCacheNewCString: + * @ctxt: the XPath context +- * @val: the xmlChar * value ++ * @val: the char * value + * +- * This is the cached version of xmlXPathNewString(). ++ * This is the cached version of xmlXPathNewCString(). + * Acquire an xmlXPathObjectPtr of type string and of value @val + * + * Returns the created or reused object. + */ + static xmlXPathObjectPtr +-xmlXPathCacheNewString(xmlXPathContextPtr ctxt, const xmlChar *val) ++xmlXPathCacheNewCString(xmlXPathContextPtr ctxt, const char *val) + { +- if ((ctxt != NULL) && (ctxt->cache)) { +- xmlXPathContextCachePtr cache = (xmlXPathContextCachePtr) ctxt->cache; +- +- if ((cache->stringObjs != NULL) && +- (cache->stringObjs->number != 0)) +- { +- xmlXPathObjectPtr ret; +- +- ret = (xmlXPathObjectPtr) +- cache->stringObjs->items[--cache->stringObjs->number]; +- ret->type = XPATH_STRING; +- if (val != NULL) +- ret->stringval = xmlStrdup(val); +- else +- ret->stringval = xmlStrdup((const xmlChar *)""); +-#ifdef XP_DEBUG_OBJ_USAGE +- xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); +-#endif +- return(ret); +- } else if ((cache->miscObjs != NULL) && +- (cache->miscObjs->number != 0)) +- { +- xmlXPathObjectPtr ret; +- +- ret = (xmlXPathObjectPtr) +- cache->miscObjs->items[--cache->miscObjs->number]; +- +- ret->type = XPATH_STRING; +- if (val != NULL) +- ret->stringval = xmlStrdup(val); +- else +- ret->stringval = xmlStrdup((const xmlChar *)""); +-#ifdef XP_DEBUG_OBJ_USAGE +- xmlXPathDebugObjUsageRequested(ctxt, XPATH_STRING); +-#endif +- return(ret); +- } +- } +- return(xmlXPathNewString(val)); ++ return xmlXPathCacheNewString(ctxt, BAD_CAST val); + } + + /** +@@ -5291,10 +5270,13 @@ xmlXPathNewString(const xmlChar *val) { + } + memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); + ret->type = XPATH_STRING; +- if (val != NULL) +- ret->stringval = xmlStrdup(val); +- else +- ret->stringval = xmlStrdup((const xmlChar *)""); ++ if (val == NULL) ++ val = BAD_CAST ""; ++ ret->stringval = xmlStrdup(val); ++ if (ret->stringval == NULL) { ++ xmlFree(ret); ++ return(NULL); ++ } + #ifdef XP_DEBUG_OBJ_USAGE + xmlXPathDebugObjUsageRequested(NULL, XPATH_STRING); + #endif +@@ -5340,20 +5322,7 @@ xmlXPathWrapString (xmlChar *val) { + */ + xmlXPathObjectPtr + xmlXPathNewCString(const char *val) { +- xmlXPathObjectPtr ret; +- +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPathErrMemory(NULL, "creating string object\n"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_STRING; +- ret->stringval = xmlStrdup(BAD_CAST val); +-#ifdef XP_DEBUG_OBJ_USAGE +- xmlXPathDebugObjUsageRequested(NULL, XPATH_STRING); +-#endif +- return(ret); ++ return(xmlXPathNewString(BAD_CAST val)); + } + + /** +@@ -5427,6 +5396,10 @@ xmlXPathObjectCopy(xmlXPathObjectPtr val) { + break; + case XPATH_STRING: + ret->stringval = xmlStrdup(val->stringval); ++ if (ret->stringval == NULL) { ++ xmlFree(ret); ++ return(NULL); ++ } + break; + case XPATH_XSLT_TREE: + #if 0 +-- +2.27.0 + diff --git a/backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch b/backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch new file mode 100644 index 0000000..dadd851 --- /dev/null +++ b/backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch @@ -0,0 +1,106 @@ +From 0e4421e793e52e2025297f9252c4dc76b72674c7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jan 2023 15:05:58 +0100 +Subject: [PATCH] malloc-fail: Check return value of xmlXPathNodeSetDupNs + +Avoid null deref if allocation fails. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/0e4421e793e52e2025297f9252c4dc76b72674c7 +Conflict:NA +--- + xpath.c | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +diff --git a/xpath.c b/xpath.c +index fe0e1e2..212a4e0 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3588,10 +3588,13 @@ xmlXPathNodeSetCreate(xmlNodePtr val) { + ret->nodeMax = XML_NODESET_DEFAULT; + if (val->type == XML_NAMESPACE_DECL) { + xmlNsPtr ns = (xmlNsPtr) val; ++ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); + +- /* TODO: Check memory error. */ +- ret->nodeTab[ret->nodeNr++] = +- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); ++ if (nsNode == NULL) { ++ xmlXPathFreeNodeSet(ret); ++ return(NULL); ++ } ++ ret->nodeTab[ret->nodeNr++] = nsNode; + } else + ret->nodeTab[ret->nodeNr++] = val; + } +@@ -3648,7 +3651,7 @@ xmlXPathNodeSetContains (xmlNodeSetPtr cur, xmlNodePtr val) { + int + xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) { + int i; +- ++ xmlNodePtr nsNode; + + if ((cur == NULL) || (ns == NULL) || (node == NULL) || + (ns->type != XML_NAMESPACE_DECL) || +@@ -3696,8 +3699,10 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) { + cur->nodeMax *= 2; + cur->nodeTab = temp; + } +- /* TODO: Check memory error. */ +- cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns); ++ nsNode = xmlXPathNodeSetDupNs(node, ns); ++ if(nsNode == NULL) ++ return(-1); ++ cur->nodeTab[cur->nodeNr++] = nsNode; + return(0); + } + +@@ -3754,10 +3759,11 @@ xmlXPathNodeSetAdd(xmlNodeSetPtr cur, xmlNodePtr val) { + } + if (val->type == XML_NAMESPACE_DECL) { + xmlNsPtr ns = (xmlNsPtr) val; ++ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); + +- /* TODO: Check memory error. */ +- cur->nodeTab[cur->nodeNr++] = +- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); ++ if (nsNode == NULL) ++ return(-1); ++ cur->nodeTab[cur->nodeNr++] = nsNode; + } else + cur->nodeTab[cur->nodeNr++] = val; + return(0); +@@ -3809,10 +3815,11 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) { + } + if (val->type == XML_NAMESPACE_DECL) { + xmlNsPtr ns = (xmlNsPtr) val; ++ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); + +- /* TODO: Check memory error. */ +- cur->nodeTab[cur->nodeNr++] = +- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); ++ if (nsNode == NULL) ++ return(-1); ++ cur->nodeTab[cur->nodeNr++] = nsNode; + } else + cur->nodeTab[cur->nodeNr++] = val; + return(0); +@@ -3926,10 +3933,11 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { + } + if (n2->type == XML_NAMESPACE_DECL) { + xmlNsPtr ns = (xmlNsPtr) n2; ++ xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); + +- /* TODO: Check memory error. */ +- val1->nodeTab[val1->nodeNr++] = +- xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); ++ if (nsNode == NULL) ++ return(NULL); ++ val1->nodeTab[val1->nodeNr++] = nsNode; + } else + val1->nodeTab[val1->nodeNr++] = n2; + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch b/backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch new file mode 100644 index 0000000..1e65237 --- /dev/null +++ b/backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch @@ -0,0 +1,66 @@ +From c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 23 Jan 2023 10:19:59 +0100 +Subject: [PATCH] malloc-fail: Don't call xmlErrMemory in xmlstring.c + +Functions like xmlStrdup are called in the error handling code +(__xmlRaiseError) which can cause problems like use-after-free or +infinite loops when invoked recursively. + +Calling xmlErrMemory without a context argument isn't helpful anyway. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/c7260a47f19e01f4f663b6a56fbdc2dafd8a6e7e +Conflict:xmlstring.c +--- + xmlstring.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/xmlstring.c b/xmlstring.c +index 5a6875f..9709545 100644 +--- a/xmlstring.c ++++ b/xmlstring.c +@@ -45,7 +45,6 @@ xmlStrndup(const xmlChar *cur, int len) { + if ((cur == NULL) || (len < 0)) return(NULL); + ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar)); + if (ret == NULL) { +- xmlErrMemory(NULL, NULL); + return(NULL); + } + memcpy(ret, cur, len * sizeof(xmlChar)); +@@ -90,7 +89,6 @@ xmlCharStrndup(const char *cur, int len) { + if ((cur == NULL) || (len < 0)) return(NULL); + ret = (xmlChar *) xmlMallocAtomic(((size_t) len + 1) * sizeof(xmlChar)); + if (ret == NULL) { +- xmlErrMemory(NULL, NULL); + return(NULL); + } + for (i = 0;i < len;i++) { +@@ -465,7 +463,6 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { + return(NULL); + ret = (xmlChar *) xmlRealloc(cur, ((size_t) size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { +- xmlErrMemory(NULL, NULL); + return(cur); + } + memcpy(&ret[size], add, len * sizeof(xmlChar)); +@@ -505,7 +502,6 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { + return(NULL); + ret = (xmlChar *) xmlMalloc(((size_t) size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { +- xmlErrMemory(NULL, NULL); + return(xmlStrndup(str1, size)); + } + memcpy(ret, str1, size * sizeof(xmlChar)); +@@ -1034,7 +1030,6 @@ xmlEscapeFormatString(xmlChar **msg) + out-of-memory situations. */ + xmlFree(*msg); + *msg = NULL; +- xmlErrMemory(NULL, NULL); + return(NULL); + } + +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch b/backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch new file mode 100644 index 0000000..05be61a --- /dev/null +++ b/backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch @@ -0,0 +1,75 @@ +From d08fd8306e224c48dedc1a9b549376ae1d4c7f6c Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Feb 2023 15:53:07 +0100 +Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/1743c4c3fc58cf38ecce68db9de51d0f3651e033 +Conflict:xmlregexp.c + +--- + xmlregexp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 360916f..e7c48a4 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -1681,6 +1681,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + } + inter = ctxt->state; + counter = xmlRegGetCounter(ctxt); ++ if (counter < 0) ++ return(-1); + ctxt->counters[counter].min = atom->min - 1; + ctxt->counters[counter].max = atom->max - 1; + /* count the number of times we see it again */ +@@ -1699,6 +1701,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + * epsilon transition. + */ + counter = xmlRegGetCounter(ctxt); ++ if (counter < 0) ++ return(-1); + ctxt->counters[counter].min = atom->min - 1; + ctxt->counters[counter].max = atom->max - 1; + /* allow a way out based on the count */ +@@ -6025,6 +6029,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. + */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = min; + am->counters[counter].max = max; + +@@ -6099,6 +6105,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. + */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = min; + am->counters[counter].max = max; + +@@ -6191,6 +6199,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. + */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = 1; + am->counters[counter].max = 1; + +@@ -6256,6 +6266,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + * associate a counter to the transition. + */ + counter = xmlRegGetCounter(am); ++ if (counter < 0) ++ goto error; + am->counters[counter].min = 1; + am->counters[counter].max = 1; + +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch b/backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch new file mode 100644 index 0000000..2390106 --- /dev/null +++ b/backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch @@ -0,0 +1,32 @@ +From 260d6b8d77d11a20a2614eef99e88e68eaca6550 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:10:26 +0100 +Subject: [PATCH] malloc-fail: Fix another memory leak in xmlSchemaBucketCreate + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/260d6b8d77d11a20a2614eef99e88e68eaca6550 +Conflict:NA +--- + xmlschemas.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index fa9d113..06bf664 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -3742,7 +3742,10 @@ xmlSchemaBucketCreate(xmlSchemaParserCtxtPtr pctxt, + return(NULL); + } + } +- xmlSchemaItemListAdd(mainSchema->includes, ret); ++ if (xmlSchemaItemListAdd(mainSchema->includes, ret) < 0) { ++ xmlSchemaBucketFree(ret); ++ return(NULL); ++ } + } + /* + * Add to list of all buckets; this is used for lookup +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch b/backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch new file mode 100644 index 0000000..f937414 --- /dev/null +++ b/backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch @@ -0,0 +1,37 @@ +From 44ecefc8cc299a66ac21ffec141eb261e92638da Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 20 Mar 2023 15:52:38 +0100 +Subject: [PATCH] malloc-fail: Fix buffer overread after htmlParseScript + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/44ecefc8cc299a66ac21ffec141eb261e92638da +Conflict:HTMLparser.c + +--- + HTMLparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 0cc9824..4f1a3d8 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3137,6 +3137,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { + htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, + "Invalid char in CDATA 0x%X\n", cur); + } ++ NEXTL(l); + if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) { + buf[nbchar] = 0; + if (ctxt->sax->cdataBlock!= NULL) { +@@ -3149,7 +3150,6 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { + } + nbchar = 0; + } +- NEXTL(l); + GROW; + cur = CUR_CHAR(l); + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch b/backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch new file mode 100644 index 0000000..8d28f9d --- /dev/null +++ b/backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch @@ -0,0 +1,31 @@ +From 8090e5856465c0b8e26e2a080f4b498f37fa83ab Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Mar 2023 12:27:07 +0100 +Subject: [PATCH] malloc-fail: Fix buffer overread in htmlParseScript + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/8090e5856465c0b8e26e2a080f4b498f37fa83ab +Conflict:NA + +--- + HTMLparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 6c8f180..3682807 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3145,8 +3145,8 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { + } + nbchar = 0; + } +- GROW; + NEXTL(l); ++ GROW; + cur = CUR_CHAR(l); + } + +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch b/backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch new file mode 100644 index 0000000..b363e6e --- /dev/null +++ b/backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch @@ -0,0 +1,44 @@ +From 1061537efdf3874c91fd50d18f98c4b8a3518e52 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Mar 2023 22:40:54 +0200 +Subject: [PATCH] malloc-fail: Fix buffer overread with HTML doctype + declarations + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/1061537efdf3874c91fd50d18f98c4b8a3518e52 +Conflict:NA + +--- + HTMLparser.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 42d1b29..5e4f289 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3008,9 +3008,9 @@ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) { + htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, + "Unfinished SystemLiteral\n", NULL, NULL); + } else { +- NEXT; + if (err == 0) + ret = xmlStrndup((BASE_PTR+startPosition), len); ++ NEXT; + } + + return(ret); +@@ -3063,9 +3063,9 @@ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) { + htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, + "Unfinished PubidLiteral\n", NULL, NULL); + } else { +- NEXT; + if (err == 0) + ret = xmlStrndup((BASE_PTR + startPosition), len); ++ NEXT; + } + + return(ret); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch b/backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch new file mode 100644 index 0000000..d1d25b9 --- /dev/null +++ b/backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch @@ -0,0 +1,46 @@ +From 621c222efe87946ad8e53f59e28c782979d340c8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jan 2023 15:48:11 +0100 +Subject: [PATCH] malloc-fail: Fix error check in xmlXPathCompareValues + +Avoid null deref. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/621c222efe87946ad8e53f59e28c782979d340c8 +Conflict:NA +--- + xpath.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 77d5434..fcbc7e3 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -7367,21 +7367,13 @@ xmlXPathCompareValues(xmlXPathParserContextPtr ctxt, int inf, int strict) { + valuePush(ctxt, arg1); + xmlXPathNumberFunction(ctxt, 1); + arg1 = valuePop(ctxt); +- } +- if (arg1->type != XPATH_NUMBER) { +- xmlXPathFreeObject(arg1); +- xmlXPathFreeObject(arg2); +- XP_ERROR0(XPATH_INVALID_OPERAND); ++ CHECK_ERROR0; + } + if (arg2->type != XPATH_NUMBER) { + valuePush(ctxt, arg2); + xmlXPathNumberFunction(ctxt, 1); + arg2 = valuePop(ctxt); +- } +- if (arg2->type != XPATH_NUMBER) { +- xmlXPathReleaseObject(ctxt->context, arg1); +- xmlXPathReleaseObject(ctxt->context, arg2); +- XP_ERROR0(XPATH_INVALID_OPERAND); ++ CHECK_ERROR0; + } + /* + * Add tests for infinity and nan +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch b/backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch new file mode 100644 index 0000000..8092d2d --- /dev/null +++ b/backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch @@ -0,0 +1,32 @@ +From 53d1cc98cf08c789087a92fd57da70811abe7d60 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 15:09:32 +0100 +Subject: [PATCH] malloc-fail: Fix error code in htmlParseChunk + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/53d1cc98cf08c789087a92fd57da70811abe7d60 +Conflict:NA +--- + HTMLparser.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 457b2a3..72ede56 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6276,9 +6276,8 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size, + res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk); + xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); + if (res < 0) { +- ctxt->errNo = XML_PARSER_EOF; +- ctxt->disableSAX = 1; +- return (XML_PARSER_EOF); ++ htmlErrMemory(ctxt, NULL); ++ return (ctxt->errNo); + } + #ifdef DEBUG_PUSH + xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch new file mode 100644 index 0000000..3d5c32f --- /dev/null +++ b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch @@ -0,0 +1,90 @@ +From 04c2955197b53eb106037bc1d422bb80b39abbf6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 14:53:29 +0100 +Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseContentInternal + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/04c2955197b53eb106037bc1d422bb80b39abbf6 +Conflict:NA +--- + HTMLparser.c | 32 ++++++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 5272c25..f90053a 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -4718,8 +4718,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + int depth; + const xmlChar *name; + +- currentNode = xmlStrdup(ctxt->name); + depth = ctxt->nameNr; ++ if (depth <= 0) { ++ currentNode = NULL; ++ } else { ++ currentNode = xmlStrdup(ctxt->name); ++ if (currentNode == NULL) { ++ htmlErrMemory(ctxt, NULL); ++ return; ++ } ++ } + while (1) { + GROW; + +@@ -4735,8 +4743,16 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + if (currentNode != NULL) + xmlFree(currentNode); + +- currentNode = xmlStrdup(ctxt->name); + depth = ctxt->nameNr; ++ if (depth <= 0) { ++ currentNode = NULL; ++ } else { ++ currentNode = xmlStrdup(ctxt->name); ++ if (currentNode == NULL) { ++ htmlErrMemory(ctxt, NULL); ++ break; ++ } ++ } + } + continue; /* while */ + } +@@ -4758,6 +4774,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + xmlFree(currentNode); + + currentNode = xmlStrdup(ctxt->name); ++ if (currentNode == NULL) { ++ htmlErrMemory(ctxt, NULL); ++ break; ++ } + depth = ctxt->nameNr; + continue; + } +@@ -4781,6 +4801,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + if (currentNode != NULL) xmlFree(currentNode); + + currentNode = xmlStrdup(ctxt->name); ++ if (currentNode == NULL) { ++ htmlErrMemory(ctxt, NULL); ++ break; ++ } + depth = ctxt->nameNr; + continue; + } +@@ -4829,6 +4853,10 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) { + if (currentNode != NULL) xmlFree(currentNode); + + currentNode = xmlStrdup(ctxt->name); ++ if (currentNode == NULL) { ++ htmlErrMemory(ctxt, NULL); ++ break; ++ } + depth = ctxt->nameNr; + } + else if (CUR == '<') { +-- +2.27.0 + + diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch new file mode 100644 index 0000000..8454ecf --- /dev/null +++ b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch @@ -0,0 +1,31 @@ +From 15b0ed0815d48ac48c7b95a28b8332a298ed7072 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 15:09:02 +0100 +Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseDocTypeDecl + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/15b0ed0815d48ac48c7b95a28b8332a298ed7072 +Conflict:NA +--- + HTMLparser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index e02a142..457b2a3 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3695,7 +3695,8 @@ htmlParseDocTypeDecl(htmlParserCtxtPtr ctxt) { + htmlParseErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, + "DOCTYPE improperly terminated\n", NULL, NULL); + /* Ignore bogus content */ +- while ((CUR != 0) && (CUR != '>')) ++ while ((CUR != 0) && (CUR != '>') && ++ (ctxt->instate != XML_PARSER_EOF)) + NEXT; + } + if (CUR == '>') +-- +2.27.0 + + diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch new file mode 100644 index 0000000..ba98aee --- /dev/null +++ b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch @@ -0,0 +1,51 @@ +From 643b4e90ebf619432b0287010b593edd8c0c0f8e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 14:45:06 +0100 +Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseStartTag + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/643b4e90ebf619432b0287010b593edd8c0c0f8e +Conflict:NA +--- + HTMLparser.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 60dea30..0ccd6e8 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -2570,6 +2570,7 @@ static const xmlChar * htmlParseNameComplex(xmlParserCtxtPtr ctxt); + + static const xmlChar * + htmlParseHTMLName(htmlParserCtxtPtr ctxt) { ++ const xmlChar *ret; + int i = 0; + xmlChar loc[HTML_PARSER_BUFFER_SIZE]; + +@@ -2587,7 +2588,11 @@ htmlParseHTMLName(htmlParserCtxtPtr ctxt) { + NEXT; + } + +- return(xmlDictLookup(ctxt->dict, loc, i)); ++ ret = xmlDictLookup(ctxt->dict, loc, i); ++ if (ret == NULL) ++ htmlErrMemory(ctxt, NULL); ++ ++ return(ret); + } + + +@@ -4020,7 +4025,8 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + while ((CUR != 0) && + (CUR != '>') && +- ((CUR != '/') || (NXT(1) != '>'))) { ++ ((CUR != '/') || (NXT(1) != '>')) && ++ (ctxt->instate != XML_PARSER_EOF)) { + GROW; + attname = htmlParseAttribute(ctxt, &attvalue); + if (attname != NULL) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch new file mode 100644 index 0000000..4013143 --- /dev/null +++ b/backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch @@ -0,0 +1,30 @@ +From 0ec9c91064a58ce2932498a55ae63a85f43975f5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 14:57:24 +0100 +Subject: [PATCH] malloc-fail: Fix infinite loop in htmlParseStartTag + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/0ec9c91064a58ce2932498a55ae63a85f43975f5 +Conflict:NA +--- + HTMLparser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index f90053a..ca551d9 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -4087,7 +4087,8 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) { + * the end of the tag. */ + while ((CUR != 0) && + !(IS_BLANK_CH(CUR)) && (CUR != '>') && +- ((CUR != '/') || (NXT(1) != '>'))) ++ ((CUR != '/') || (NXT(1) != '>')) && ++ (ctxt->instate != XML_PARSER_EOF)) + NEXT; + } + +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch b/backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch new file mode 100644 index 0000000..56d84a5 --- /dev/null +++ b/backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch @@ -0,0 +1,32 @@ +From d1b87856931797c5c527cee16d96e482a45b99ed Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 17:42:09 +0100 +Subject: [PATCH] malloc-fail: Fix infinite loop in xmlParseTextDecl + +Memory errors can set `instate` to `XML_PARSER_EOF` which results in +`NEXT` making no progress. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/d1b87856931797c5c527cee16d96e482a45b99ed +Conflict:NA +--- + parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parser.c b/parser.c +index 9127deb..fafae15 100644 +--- a/parser.c ++++ b/parser.c +@@ -6957,6 +6957,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) { + * We must have the encoding declaration + */ + encoding = xmlParseEncodingDecl(ctxt); ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { + /* + * The XML REC instructs us to stop parsing right here +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch b/backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch new file mode 100644 index 0000000..f6b4b3d --- /dev/null +++ b/backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch @@ -0,0 +1,29 @@ +From 71e81a4ce7946c43ca61124b142d86066590aeb0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 16:02:39 +0100 +Subject: [PATCH 08/28] malloc-fail: Fix infinite loop in xmlSkipBlankChars + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/e129c1d1a27abdeaab44f4d59eb0cb5052df7c6f +Conflict: NA +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 443a216..780a8b3 100644 +--- a/parser.c ++++ b/parser.c +@@ -2220,7 +2220,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) { + } else { + int expandPE = ((ctxt->external != 0) || (ctxt->inputNr != 1)); + +- while (1) { ++ while (ctxt->instate != XML_PARSER_EOF) { + if (IS_BLANK_CH(CUR)) { /* CHECKED tstblanks.xml */ + NEXT; + } else if (CUR == '%') { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch b/backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch new file mode 100644 index 0000000..39be0b0 --- /dev/null +++ b/backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch @@ -0,0 +1,31 @@ +From d18f9c1102a45b401039dd899ce7069da7a73124 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Feb 2023 13:50:46 +0100 +Subject: [PATCH] malloc-fail: Fix leak of xmlCharEncodingHandler + +Also free handler if its name is NULL. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/d18f9c1102a45b401039dd899ce7069da7a73124 +Conflict:encoding.c + +--- + encoding.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/encoding.c b/encoding.c +index 400e860..8b98f7d 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -2792,7 +2792,6 @@ xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) { + int i, handler_in_list = 0; + + if (handler == NULL) return(-1); +- if (handler->name == NULL) return(-1); + if (handlers != NULL) { + for (i = 0;i < nbCharEncodingHandler; i++) { + if (handler == handlers[i]) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch b/backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch new file mode 100644 index 0000000..d76459d --- /dev/null +++ b/backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch @@ -0,0 +1,241 @@ +From e64653c0e7975594e27d7de2ed4be062c1e4ad03 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Feb 2023 15:20:33 +0100 +Subject: [PATCH] malloc-fail: Fix leak of xmlRegAtom + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/e64653c0e7975594e27d7de2ed4be062c1e4ad03 +Conflict:NA +--- + xmlregexp.c | 81 ++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 55 insertions(+), 26 deletions(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 8c2ea81..11c684a 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -1594,9 +1594,6 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + * this is a subexpression handling one should not need to + * create a new node except for XML_REGEXP_QUANT_RANGE. + */ +- if (xmlRegAtomPush(ctxt, atom) < 0) { +- return(-1); +- } + if ((to != NULL) && (atom->stop != to) && + (atom->quant != XML_REGEXP_QUANT_RANGE)) { + /* +@@ -1678,8 +1675,10 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + copy->max = 0; + + if (xmlFAGenerateTransitions(ctxt, atom->start, NULL, copy) +- < 0) ++ < 0) { ++ xmlRegFreeAtom(copy); + return(-1); ++ } + inter = ctxt->state; + counter = xmlRegGetCounter(ctxt); + ctxt->counters[counter].min = atom->min - 1; +@@ -1722,6 +1721,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + default: + break; + } ++ if (xmlRegAtomPush(ctxt, atom) < 0) ++ return(-1); + return(0); + } + if ((atom->min == 0) && (atom->max == 0) && +@@ -1760,9 +1761,6 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + xmlFAGenerateEpsilonTransition(ctxt, tmp, to); + to = tmp; + } +- if (xmlRegAtomPush(ctxt, atom) < 0) { +- return(-1); +- } + if ((atom->quant == XML_REGEXP_QUANT_RANGE) && + (atom->min == 0) && (atom->max > 0)) { + nullable = 1; +@@ -1793,6 +1791,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + default: + break; + } ++ if (xmlRegAtomPush(ctxt, atom) < 0) ++ return(-1); + return(0); + } + +@@ -5447,8 +5447,12 @@ xmlFAParseBranch(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr to) { + xmlFAGenerateEpsilonTransition(ctxt, previous, to); + } else { + if (xmlFAGenerateTransitions(ctxt, previous, +- (CUR=='|' || CUR==')' || CUR==0) ? to : NULL, ctxt->atom) < 0) ++ (CUR=='|' || CUR==')' || CUR==0) ? to : NULL, ++ ctxt->atom) < 0) { ++ xmlRegFreeAtom(ctxt->atom); ++ ctxt->atom = NULL; + return(-1); ++ } + previous = ctxt->state; + ctxt->atom = NULL; + } +@@ -5457,8 +5461,11 @@ xmlFAParseBranch(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr to) { + if (ret != 0) { + if (xmlFAGenerateTransitions(ctxt, previous, + (CUR=='|' || CUR==')' || CUR==0) ? to : NULL, +- ctxt->atom) < 0) +- return(-1); ++ ctxt->atom) < 0) { ++ xmlRegFreeAtom(ctxt->atom); ++ ctxt->atom = NULL; ++ return(-1); ++ } + previous = ctxt->state; + ctxt->atom = NULL; + } +@@ -5990,6 +5997,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + return(NULL); + if ((token2 == NULL) || (*token2 == 0)) { + atom->valuep = xmlStrdup(token); ++ if (atom->valuep == NULL) ++ goto error; + } else { + int lenn, lenp; + xmlChar *str; +@@ -5998,10 +6007,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + lenp = strlen((char *) token); + + str = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); +- if (str == NULL) { +- xmlRegFreeAtom(atom); +- return(NULL); +- } ++ if (str == NULL) ++ goto error; + memcpy(&str[0], token, lenp); + str[lenp] = '|'; + memcpy(&str[lenp + 1], token2, lenn); +@@ -6027,10 +6034,11 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (to == NULL) { + to = xmlRegStatePush(am); + if (to == NULL) +- return(NULL); ++ goto error; + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); +- xmlRegAtomPush(am, atom); ++ if (xmlRegAtomPush(am, atom) < 0) ++ goto error; + am->state = to; + + if (to == NULL) +@@ -6040,6 +6048,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (min == 0) + xmlFAGenerateEpsilonTransition(am, from, to); + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + /** +@@ -6076,6 +6088,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (atom == NULL) + return(NULL); + atom->valuep = xmlStrdup(token); ++ if (atom->valuep == NULL) ++ goto error; + atom->data = data; + if (min == 0) + atom->min = 1; +@@ -6094,10 +6108,11 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (to == NULL) { + to = xmlRegStatePush(am); + if (to == NULL) +- return(NULL); ++ goto error; + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); +- xmlRegAtomPush(am, atom); ++ if (xmlRegAtomPush(am, atom) < 0) ++ goto error; + am->state = to; + + if (to == NULL) +@@ -6107,6 +6122,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (min == 0) + xmlFAGenerateEpsilonTransition(am, from, to); + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + /** +@@ -6147,6 +6166,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + return(NULL); + if ((token2 == NULL) || (*token2 == 0)) { + atom->valuep = xmlStrdup(token); ++ if (atom->valuep == NULL) ++ goto error; + } else { + int lenn, lenp; + xmlChar *str; +@@ -6155,10 +6176,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + lenp = strlen((char *) token); + + str = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); +- if (str == NULL) { +- xmlRegFreeAtom(atom); +- return(NULL); +- } ++ if (str == NULL) ++ goto error; + memcpy(&str[0], token, lenp); + str[lenp] = '|'; + memcpy(&str[lenp + 1], token2, lenn); +@@ -6181,12 +6200,17 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (to == NULL) { + to = xmlRegStatePush(am); + if (to == NULL) +- return(NULL); ++ goto error; + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); +- xmlRegAtomPush(am, atom); ++ if (xmlRegAtomPush(am, atom) < 0) ++ goto error; + am->state = to; + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + +@@ -6241,12 +6265,17 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + if (to == NULL) { + to = xmlRegStatePush(am); + if (to == NULL) +- return(NULL); ++ goto error; + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); +- xmlRegAtomPush(am, atom); ++ if (xmlRegAtomPush(am, atom) < 0) ++ goto error; + am->state = to; + return(to); ++ ++error: ++ xmlRegFreeAtom(atom); ++ return(NULL); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch new file mode 100644 index 0000000..3fc3db4 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch @@ -0,0 +1,48 @@ +From 85bc313e7996c06d52b6f6f5c6a467ff3a148e75 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 13:49:28 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak after calling valuePush + +Destroy the object in valuePush if the function fails. This is somewhat +dangerous but matches the expectations of users. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/85bc313e7996c06d52b6f6f5c6a467ff3a148e75 +Conflict:NA +--- + xpath.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xpath.c b/xpath.c +index 7833870..dc99e63 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -2881,6 +2881,8 @@ valuePop(xmlXPathParserContextPtr ctxt) + * a memory error is recorded in the parser context. + * + * Returns the number of items on the value stack, or -1 in case of error. ++ * ++ * The object is destroyed in case of error. + */ + int + valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) +@@ -2899,6 +2901,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) + + if (ctxt->valueMax >= XPATH_MAX_STACK_DEPTH) { + xmlXPathPErrMemory(ctxt, "XPath stack depth limit reached\n"); ++ xmlXPathFreeObject(value); + return (-1); + } + tmp = (xmlXPathObjectPtr *) xmlRealloc(ctxt->valueTab, +@@ -2906,6 +2909,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) + sizeof(ctxt->valueTab[0])); + if (tmp == NULL) { + xmlXPathPErrMemory(ctxt, "pushing value\n"); ++ xmlXPathFreeObject(value); + return (-1); + } + ctxt->valueMax *= 2; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch new file mode 100644 index 0000000..e0e66a2 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch @@ -0,0 +1,233 @@ +From 8d22e065888942b8c1b5be8994c6887b5a687246 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 14:41:11 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak after calling + xmlXPathNodeSetMerge + +Destroy the first argument in xmlXPathNodeSetMerge if the function +fails. This is somewhat dangerous but matches the expectations of users. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/8d22e065888942b8c1b5be8994c6887b5a687246 +Conflict:xpath.c +--- + xpath.c | 78 +++++++++++++++++++++++++++------------------------------ + 1 file changed, 37 insertions(+), 41 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 9ead497..5a6d762 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -153,6 +153,9 @@ + * any use of the macros IS_ASCII_CHARACTER and IS_ASCII_DIGIT) + */ + ++static void ++xmlXPathNodeSetClear(xmlNodeSetPtr set, int hasNsNodes); ++ + #ifdef XP_OPTIMIZED_NON_ELEM_COMPARISON + /** + * xmlXPathCmpNodesExt: +@@ -3840,6 +3843,8 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) { + * if @val1 is NULL, a new set is created and copied from @val2 + * + * Returns @val1 once extended or NULL in case of error. ++ * ++ * Frees @val1 in case of error. + */ + xmlNodeSetPtr + xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { +@@ -3849,35 +3854,8 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { + if (val2 == NULL) return(val1); + if (val1 == NULL) { + val1 = xmlXPathNodeSetCreate(NULL); +- if (val1 == NULL) +- return (NULL); +-#if 0 +- /* +- * TODO: The optimization won't work in every case, since +- * those nasty namespace nodes need to be added with +- * xmlXPathNodeSetDupNs() to the set; thus a pure +- * memcpy is not possible. +- * If there was a flag on the nodesetval, indicating that +- * some temporary nodes are in, that would be helpful. +- */ +- /* +- * Optimization: Create an equally sized node-set +- * and memcpy the content. +- */ +- val1 = xmlXPathNodeSetCreateSize(val2->nodeNr); +- if (val1 == NULL) +- return(NULL); +- if (val2->nodeNr != 0) { +- if (val2->nodeNr == 1) +- *(val1->nodeTab) = *(val2->nodeTab); +- else { +- memcpy(val1->nodeTab, val2->nodeTab, +- val2->nodeNr * sizeof(xmlNodePtr)); +- } +- val1->nodeNr = val2->nodeNr; +- } +- return(val1); +-#endif ++ if (val1 == NULL) ++ return (NULL); + } + + /* @@ with_ns to check whether namespace nodes should be looked at @@ */ +@@ -3916,7 +3894,7 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { + sizeof(xmlNodePtr)); + if (val1->nodeTab == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); +- return(NULL); ++ goto error; + } + memset(val1->nodeTab, 0 , + XML_NODESET_DEFAULT * (size_t) sizeof(xmlNodePtr)); +@@ -3926,13 +3904,13 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { + + if (val1->nodeMax >= XPATH_MAX_NODESET_LENGTH) { + xmlXPathErrMemory(NULL, "merging nodeset hit limit\n"); +- return(NULL); ++ goto error; + } + temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 * + sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); +- return(NULL); ++ goto error; + } + val1->nodeTab = temp; + val1->nodeMax *= 2; +@@ -3942,13 +3920,17 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { + xmlNodePtr nsNode = xmlXPathNodeSetDupNs((xmlNodePtr) ns->next, ns); + + if (nsNode == NULL) +- return(NULL); ++ goto error; + val1->nodeTab[val1->nodeNr++] = nsNode; + } else + val1->nodeTab[val1->nodeNr++] = n2; + } + + return(val1); ++ ++error: ++ xmlXPathFreeNodeSet(val1); ++ return(NULL); + } + + +@@ -3961,6 +3943,8 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { + * Checks for duplicate nodes. Clears set2. + * + * Returns @set1 once extended or NULL in case of error. ++ * ++ * Frees @set1 in case of error. + */ + static xmlNodeSetPtr + xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) +@@ -3989,7 +3973,6 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) + /* + * Free the namespace node. + */ +- set2->nodeTab[i] = NULL; + xmlXPathNodeSetFreeNs((xmlNsPtr) n2); + goto skip_node; + } +@@ -4003,7 +3986,7 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) + XML_NODESET_DEFAULT * sizeof(xmlNodePtr)); + if (set1->nodeTab == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); +- return(NULL); ++ goto error; + } + memset(set1->nodeTab, 0, + XML_NODESET_DEFAULT * (size_t) sizeof(xmlNodePtr)); +@@ -4013,24 +3996,29 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2) + + if (set1->nodeMax >= XPATH_MAX_NODESET_LENGTH) { + xmlXPathErrMemory(NULL, "merging nodeset hit limit\n"); +- return(NULL); ++ goto error; + } + temp = (xmlNodePtr *) xmlRealloc( + set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); +- return(NULL); ++ goto error; + } + set1->nodeTab = temp; + set1->nodeMax *= 2; + } + set1->nodeTab[set1->nodeNr++] = n2; + skip_node: +- {} ++ set2->nodeTab[i] = NULL; + } + } + set2->nodeNr = 0; + return(set1); ++ ++error: ++ xmlXPathFreeNodeSet(set1); ++ xmlXPathNodeSetClear(set2, 1); ++ return(NULL); + } + + /** +@@ -4042,6 +4030,8 @@ skip_node: + * Doesn't check for duplicate nodes. Clears set2. + * + * Returns @set1 once extended or NULL in case of error. ++ * ++ * Frees @set1 in case of error. + */ + static xmlNodeSetPtr + xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2) +@@ -4057,7 +4047,7 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2) + XML_NODESET_DEFAULT * sizeof(xmlNodePtr)); + if (set1->nodeTab == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); +- return(NULL); ++ goto error; + } + memset(set1->nodeTab, 0, + XML_NODESET_DEFAULT * (size_t) sizeof(xmlNodePtr)); +@@ -4067,22 +4057,28 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2) + + if (set1->nodeMax >= XPATH_MAX_NODESET_LENGTH) { + xmlXPathErrMemory(NULL, "merging nodeset hit limit\n"); +- return(NULL); ++ goto error; + } + temp = (xmlNodePtr *) xmlRealloc( + set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); +- return(NULL); ++ goto error; + } + set1->nodeTab = temp; + set1->nodeMax *= 2; + } + set1->nodeTab[set1->nodeNr++] = n2; ++ set2->nodeTab[i] = NULL; + } + } + set2->nodeNr = 0; + return(set1); ++ ++error: ++ xmlXPathFreeNodeSet(set1); ++ xmlXPathNodeSetClear(set2, 1); ++ return(NULL); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch new file mode 100644 index 0000000..1de4149 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch @@ -0,0 +1,50 @@ +From f5e1174933c65556b5d1c0b3a8f13a27f37a1638 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 13:48:18 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak after calling + xmlXPathWrapNodeSet + +Destroy the node set in xmlXPathWrapNodeSet if the function fails. +This is somewhat dangerous but matches the expectations of users. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/f5e1174933c65556b5d1c0b3a8f13a27f37a1638 +Conflict:xpath.c +--- + xpath.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xpath.c b/xpath.c +index dc99e63..9ead497 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -2319,6 +2319,8 @@ xmlXPathContextSetCache(xmlXPathContextPtr ctxt, + * Wrap the Nodeset @val in a new xmlXPathObjectPtr + * + * Returns the created or reused object. ++ * ++ * In case of error the node set is destroyed and NULL is returned. + */ + static xmlXPathObjectPtr + xmlXPathCacheWrapNodeSet(xmlXPathContextPtr ctxt, xmlNodeSetPtr val) +@@ -4398,6 +4400,8 @@ xmlXPathNewNodeSetList(xmlNodeSetPtr val) + * Wrap the Nodeset @val in a new xmlXPathObjectPtr + * + * Returns the newly created object. ++ * ++ * In case of error the node set is destroyed and NULL is returned. + */ + xmlXPathObjectPtr + xmlXPathWrapNodeSet(xmlNodeSetPtr val) { +@@ -4406,6 +4410,7 @@ xmlXPathWrapNodeSet(xmlNodeSetPtr val) { + ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); + if (ret == NULL) { + xmlXPathErrMemory(NULL, "creating node set object\n"); ++ xmlXPathFreeNodeSet(val); + return(NULL); + } + memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch new file mode 100644 index 0000000..3f1b50b --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch @@ -0,0 +1,41 @@ +From d31a0e8e7599bfb691616f7c59ff8d39b982aa55 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 14:47:29 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak after calling xmlXPathWrapString + +Destroy the string in xmlXPathWrapString if the function fails. This is +somewhat dangerous but matches the expectations of users. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/d31a0e8e7599bfb691616f7c59ff8d39b982aa55 +Conflict:xpath.c +--- + xpath.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/xpath.c b/xpath.c +index 5a6d762..cf74030 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -5289,6 +5289,8 @@ xmlXPathNewString(const xmlChar *val) { + * Wraps the @val string into an XPath object. + * + * Returns the newly created object. ++ * ++ * Frees @val in case of error. + */ + xmlXPathObjectPtr + xmlXPathWrapString (xmlChar *val) { +@@ -5297,6 +5299,7 @@ xmlXPathWrapString (xmlChar *val) { + ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); + if (ret == NULL) { + xmlXPathErrMemory(NULL, "creating string object\n"); ++ xmlFree(val); + return(NULL); + } + memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +-- +2.27.0 + + diff --git a/backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch b/backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch new file mode 100644 index 0000000..1b21c6b --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch @@ -0,0 +1,331 @@ +From e60c9f4c4b76da72772bfb6bb1f705e02fbb5324 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 01:00:03 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak after xmlRegNewState + +Invoke xmlRegNewState from xmlRegStatePush to simplify error handling. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/e60c9f4c4b76da72772bfb6bb1f705e02fbb5324 +Conflict:NA +--- + xmlregexp.c | 144 ++++++++++++++++++++++++++-------------------------- + 1 file changed, 71 insertions(+), 73 deletions(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 657912e..fb2eadc 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -1455,33 +1455,31 @@ xmlRegStateAddTrans(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, + xmlRegStateAddTransTo(ctxt, target, state->no); + } + +-static int +-xmlRegStatePush(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state) { +- if (state == NULL) return(-1); +- if (ctxt->maxStates == 0) { +- ctxt->maxStates = 4; +- ctxt->states = (xmlRegStatePtr *) xmlMalloc(ctxt->maxStates * +- sizeof(xmlRegStatePtr)); +- if (ctxt->states == NULL) { +- xmlRegexpErrMemory(ctxt, "adding state"); +- ctxt->maxStates = 0; +- return(-1); +- } +- } else if (ctxt->nbStates >= ctxt->maxStates) { ++static xmlRegStatePtr ++xmlRegStatePush(xmlRegParserCtxtPtr ctxt) { ++ xmlRegStatePtr state; ++ ++ if (ctxt->nbStates >= ctxt->maxStates) { ++ size_t newSize = ctxt->maxStates ? ctxt->maxStates * 2 : 4; + xmlRegStatePtr *tmp; +- ctxt->maxStates *= 2; +- tmp = (xmlRegStatePtr *) xmlRealloc(ctxt->states, ctxt->maxStates * +- sizeof(xmlRegStatePtr)); ++ ++ tmp = xmlRealloc(ctxt->states, newSize * sizeof(tmp[0])); + if (tmp == NULL) { + xmlRegexpErrMemory(ctxt, "adding state"); +- ctxt->maxStates /= 2; +- return(-1); ++ return(NULL); + } + ctxt->states = tmp; ++ ctxt->maxStates = newSize; + } ++ ++ state = xmlRegNewState(ctxt); ++ if (state == NULL) ++ return(NULL); ++ + state->no = ctxt->nbStates; + ctxt->states[ctxt->nbStates++] = state; +- return(0); ++ ++ return(state); + } + + /** +@@ -1492,19 +1490,21 @@ xmlRegStatePush(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state) { + * @lax: + * + */ +-static void ++static int + xmlFAGenerateAllTransition(xmlRegParserCtxtPtr ctxt, + xmlRegStatePtr from, xmlRegStatePtr to, + int lax) { + if (to == NULL) { +- to = xmlRegNewState(ctxt); +- xmlRegStatePush(ctxt, to); ++ to = xmlRegStatePush(ctxt); ++ if (to == NULL) ++ return(-1); + ctxt->state = to; + } + if (lax) + xmlRegStateAddTrans(ctxt, from, NULL, to, -1, REGEXP_ALL_LAX_COUNTER); + else + xmlRegStateAddTrans(ctxt, from, NULL, to, -1, REGEXP_ALL_COUNTER); ++ return(0); + } + + /** +@@ -1514,15 +1514,17 @@ xmlFAGenerateAllTransition(xmlRegParserCtxtPtr ctxt, + * @to: the target state or NULL for building a new one + * + */ +-static void ++static int + xmlFAGenerateEpsilonTransition(xmlRegParserCtxtPtr ctxt, + xmlRegStatePtr from, xmlRegStatePtr to) { + if (to == NULL) { +- to = xmlRegNewState(ctxt); +- xmlRegStatePush(ctxt, to); ++ to = xmlRegStatePush(ctxt); ++ if (to == NULL) ++ return(-1); + ctxt->state = to; + } + xmlRegStateAddTrans(ctxt, from, NULL, to, -1, -1); ++ return(0); + } + + /** +@@ -1533,15 +1535,17 @@ xmlFAGenerateEpsilonTransition(xmlRegParserCtxtPtr ctxt, + * counter: the counter for that transition + * + */ +-static void ++static int + xmlFAGenerateCountedEpsilonTransition(xmlRegParserCtxtPtr ctxt, + xmlRegStatePtr from, xmlRegStatePtr to, int counter) { + if (to == NULL) { +- to = xmlRegNewState(ctxt); +- xmlRegStatePush(ctxt, to); ++ to = xmlRegStatePush(ctxt); ++ if (to == NULL) ++ return(-1); + ctxt->state = to; + } + xmlRegStateAddTrans(ctxt, from, NULL, to, counter, -1); ++ return(0); + } + + /** +@@ -1552,15 +1556,17 @@ xmlFAGenerateCountedEpsilonTransition(xmlRegParserCtxtPtr ctxt, + * counter: the counter for that transition + * + */ +-static void ++static int + xmlFAGenerateCountedTransition(xmlRegParserCtxtPtr ctxt, + xmlRegStatePtr from, xmlRegStatePtr to, int counter) { + if (to == NULL) { +- to = xmlRegNewState(ctxt); +- xmlRegStatePush(ctxt, to); ++ to = xmlRegStatePush(ctxt); ++ if (to == NULL) ++ return(-1); + ctxt->state = to; + } + xmlRegStateAddTrans(ctxt, from, NULL, to, -1, counter); ++ return(0); + } + + /** +@@ -1599,8 +1605,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + #ifdef DV + } else if ((to == NULL) && (atom->quant != XML_REGEXP_QUANT_RANGE) && + (atom->quant != XML_REGEXP_QUANT_ONCE)) { +- to = xmlRegNewState(ctxt); +- xmlRegStatePush(ctxt, to); ++ to = xmlRegStatePush(ctxt, to); ++ if (to == NULL) ++ return(-1); + ctxt->state = to; + xmlFAGenerateEpsilonTransition(ctxt, atom->stop, to); + #endif +@@ -1640,8 +1647,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + if (to != NULL) { + newstate = to; + } else { +- newstate = xmlRegNewState(ctxt); +- xmlRegStatePush(ctxt, newstate); ++ newstate = xmlRegStatePush(ctxt); ++ if (newstate == NULL) ++ return(-1); + } + + /* +@@ -1721,12 +1729,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + * we can discard the atom and generate an epsilon transition instead + */ + if (to == NULL) { +- to = xmlRegNewState(ctxt); +- if (to != NULL) +- xmlRegStatePush(ctxt, to); +- else { ++ to = xmlRegStatePush(ctxt); ++ if (to == NULL) + return(-1); +- } + } + xmlFAGenerateEpsilonTransition(ctxt, from, to); + ctxt->state = to; +@@ -1734,12 +1739,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + return(0); + } + if (to == NULL) { +- to = xmlRegNewState(ctxt); +- if (to != NULL) +- xmlRegStatePush(ctxt, to); +- else { ++ to = xmlRegStatePush(ctxt); ++ if (to == NULL) + return(-1); +- } + } + end = to; + if ((atom->quant == XML_REGEXP_QUANT_MULT) || +@@ -1751,12 +1753,9 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, + */ + xmlRegStatePtr tmp; + +- tmp = xmlRegNewState(ctxt); +- if (tmp != NULL) +- xmlRegStatePush(ctxt, tmp); +- else { ++ tmp = xmlRegStatePush(ctxt); ++ if (tmp == NULL) + return(-1); +- } + xmlFAGenerateEpsilonTransition(ctxt, tmp, to); + to = tmp; + } +@@ -5562,9 +5561,11 @@ xmlRegexpCompile(const xmlChar *regexp) { + return(NULL); + + /* initialize the parser */ ++ ctxt->state = xmlRegStatePush(ctxt); ++ if (ctxt->state == NULL) ++ return(NULL); ++ ctxt->start = ctxt->state; + ctxt->end = NULL; +- ctxt->start = ctxt->state = xmlRegNewState(ctxt); +- xmlRegStatePush(ctxt, ctxt->start); + + /* parse the expression building an automata */ + xmlFAParseRegExp(ctxt, 1); +@@ -5712,18 +5713,15 @@ xmlNewAutomata(void) { + return(NULL); + + /* initialize the parser */ +- ctxt->end = NULL; +- ctxt->start = ctxt->state = xmlRegNewState(ctxt); +- if (ctxt->start == NULL) { ++ ctxt->state = xmlRegStatePush(ctxt); ++ if (ctxt->state == NULL) { + xmlFreeAutomata(ctxt); + return(NULL); + } ++ ctxt->start = ctxt->state; ++ ctxt->end = NULL; ++ + ctxt->start->type = XML_REGEXP_START_STATE; +- if (xmlRegStatePush(ctxt, ctxt->start) < 0) { +- xmlRegFreeState(ctxt->start); +- xmlFreeAutomata(ctxt); +- return(NULL); +- } + ctxt->flags = 0; + + return(ctxt); +@@ -6021,8 +6019,9 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + + /* xmlFAGenerateTransitions(am, from, to, atom); */ + if (to == NULL) { +- to = xmlRegNewState(am); +- xmlRegStatePush(am, to); ++ to = xmlRegStatePush(am); ++ if (to == NULL) ++ return(NULL); + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); + xmlRegAtomPush(am, atom); +@@ -6087,8 +6086,9 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + + /* xmlFAGenerateTransitions(am, from, to, atom); */ + if (to == NULL) { +- to = xmlRegNewState(am); +- xmlRegStatePush(am, to); ++ to = xmlRegStatePush(am); ++ if (to == NULL) ++ return(NULL); + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); + xmlRegAtomPush(am, atom); +@@ -6173,8 +6173,9 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, + + /* xmlFAGenerateTransitions(am, from, to, atom); */ + if (to == NULL) { +- to = xmlRegNewState(am); +- xmlRegStatePush(am, to); ++ to = xmlRegStatePush(am); ++ if (to == NULL) ++ return(NULL); + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); + xmlRegAtomPush(am, atom); +@@ -6232,8 +6233,9 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + + /* xmlFAGenerateTransitions(am, from, to, atom); */ + if (to == NULL) { +- to = xmlRegNewState(am); +- xmlRegStatePush(am, to); ++ to = xmlRegStatePush(am); ++ if (to == NULL) ++ return(NULL); + } + xmlRegStateAddTrans(am, from, atom, to, counter, -1); + xmlRegAtomPush(am, atom); +@@ -6251,13 +6253,9 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, + */ + xmlAutomataStatePtr + xmlAutomataNewState(xmlAutomataPtr am) { +- xmlAutomataStatePtr to; +- + if (am == NULL) + return(NULL); +- to = xmlRegNewState(am); +- xmlRegStatePush(am, to); +- return(to); ++ return(xmlRegStatePush(am)); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch b/backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch new file mode 100644 index 0000000..1847740 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch @@ -0,0 +1,56 @@ +From 9afb6c5fb86a0dca167b6ae60aa05211a25e435f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:09:49 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in WXS_ADD_{LOCAL,GLOBAL} + +It's somewhat dangerous to add the cleanup code to a macro, but +otherwise we'd have to fix all the call sites. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/9afb6c5fb86a0dca167b6ae60aa05211a25e435f +Conflict:NA +--- + xmlschemas.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 5b93937..724920b 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -305,10 +305,20 @@ static const xmlChar *xmlNamespaceNs = (const xmlChar *) + #define WXS_SCHEMA(ctx) (ctx)->schema + + #define WXS_ADD_LOCAL(ctx, item) \ +- xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->locals), 10, item) ++ do { \ ++ if (xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->locals), 10, item) < 0) { \ ++ xmlFree(item); \ ++ item = NULL; \ ++ } \ ++ } while (0) + + #define WXS_ADD_GLOBAL(ctx, item) \ +- xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->globals), 5, item) ++ do { \ ++ if (xmlSchemaAddItemSize(&(WXS_BUCKET(ctx)->globals), 5, item) < 0) { \ ++ xmlFree(item); \ ++ item = NULL; \ ++ } \ ++ } while (0) + + #define WXS_ADD_PENDING(ctx, item) \ + xmlSchemaAddItemSize(&((ctx)->constructor->pending), 10, item) +@@ -3764,8 +3774,7 @@ xmlSchemaAddItemSize(xmlSchemaItemListPtr *list, int initialSize, void *item) + if (*list == NULL) + return(-1); + } +- xmlSchemaItemListAddSize(*list, initialSize, item); +- return(0); ++ return(xmlSchemaItemListAddSize(*list, initialSize, item)); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch b/backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch new file mode 100644 index 0000000..1baad07 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch @@ -0,0 +1,31 @@ +From fc256953d29698ba5918c32d14fc69ea69d7e64e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 14:47:41 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in htmlCreateMemoryParserCtxt + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/fc256953d29698ba5918c32d14fc69ea69d7e64e +Conflict:NA +--- + HTMLparser.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 0ccd6e8..7ea2e62 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -5191,7 +5191,10 @@ htmlCreateMemoryParserCtxt(const char *buffer, int size) { + return(NULL); + + buf = xmlParserInputBufferCreateMem(buffer, size, XML_CHAR_ENCODING_NONE); +- if (buf == NULL) return(NULL); ++ if (buf == NULL) { ++ xmlFreeParserCtxt(ctxt); ++ return(NULL); ++ } + + input = xmlNewInputStream(ctxt); + if (input == NULL) { +-- +2.27.0 -- Gitee From 23ca0b3536b19ab1abe7fed1b621946e31a3c687 Mon Sep 17 00:00:00 2001 From: zhuofeng Date: Thu, 8 Jun 2023 15:57:42 +0800 Subject: [PATCH 5/6] 4 --- ...ory-leak-in-htmlCreatePushParserCtxt.patch | 28 +++ ...-memory-leak-in-xmlCopyNamespaceList.patch | 31 ++++ ...l-Fix-memory-leak-in-xmlCopyPropList.patch | 32 ++++ ...memory-leak-in-xmlCreatePushParserCt.patch | 28 +++ ...ry-leak-in-xmlDocDumpFormatMemoryEnc.patch | 29 ++++ ...ix-memory-leak-in-xmlFAParseCharProp.patch | 93 ++++++++++ ...memory-leak-in-xmlGetDtdElementDesc2.patch | 87 ++++++++++ ...fail-Fix-memory-leak-in-xmlGetNsList.patch | 70 ++++++++ ...-memory-leak-in-xmlNewDocNodeEatName.patch | 32 ++++ ...ix-memory-leak-in-xmlNewPropInternal.patch | 39 +++++ ...ix-memory-leak-in-xmlParseEntityDecl.patch | 38 ++++ ...Fix-memory-leak-in-xmlParseReference.patch | 30 ++++ ...eak-in-xmlParserInputBufferCreateMem.patch | 30 ++++ ...-Fix-memory-leak-in-xmlRegexpCompile.patch | 67 +++++++ ...memory-leak-in-xmlSAX2ExternalSubset.patch | 28 +++ ...memory-leak-in-xmlSAX2StartElementNs.patch | 28 +++ ...memory-leak-in-xmlSchemaBucketCreate.patch | 35 ++++ ...memory-leak-in-xmlSchemaItemListAddS.patch | 41 +++++ ...il-Fix-memory-leak-in-xmlSchemaParse.patch | 29 ++++ ...x-memory-leak-in-xmlSchemaParseUnion.patch | 42 +++++ ...memory-leak-in-xmlStaticCopyNodeList.patch | 48 +++++ ...-memory-leak-in-xmlStringGetNodeList.patch | 120 +++++++++++++ ...ix-memory-leak-in-xmlXIncludeAddNode.patch | 29 ++++ ...ix-memory-leak-in-xmlXIncludeLoadTxt.patch | 164 ++++++++++++++++++ ...memory-leak-in-xmlXPathCacheNewNodeS.patch | 51 ++++++ ...memory-leak-in-xmlXPathCompareValues.patch | 45 +++++ ...memory-leak-in-xmlXPathDistinctSorte.patch | 47 +++++ ...memory-leak-in-xmlXPathEqualNodeSetF.patch | 30 ++++ ...ry-leak-in-xmlXPathEqualValuesCommon.patch | 41 +++++ ...-memory-leak-in-xmlXPathNameFunction.patch | 32 ++++ ...ix-memory-leak-in-xmlXPathRegisterNs.patch | 49 ++++++ ...ory-leak-in-xmlXPathTryStreamCompile.patch | 27 +++ ...null-deref-after-xmlPointerListAddSi.patch | 72 ++++++++ ...null-deref-after-xmlSchemaCompareDat.patch | 93 ++++++++++ ...null-deref-after-xmlSchemaItemList-A.patch | 85 +++++++++ ...x-null-deref-after-xmlXIncludeNewRef.patch | 51 ++++++ ...-deref-if-growing-input-buffer-fails.patch | 51 ++++++ ...-fail-Fix-null-deref-in-htmlnamePush.patch | 54 ++++++ ...ail-Fix-null-deref-in-xmlAddDefAttrs.patch | 29 ++++ ...-fail-Fix-null-deref-in-xmlBufResize.patch | 30 ++++ ...-null-deref-in-xmlGet-Min-Max-Occurs.patch | 49 ++++++ ...x-null-deref-in-xmlParserInputShrink.patch | 35 ++++ ...ll-deref-in-xmlSAX2AttributeInternal.patch | 64 +++++++ ...Fix-null-deref-in-xmlSchemaInitTypes.patch | 31 ++++ ...ix-null-deref-in-xmlSchemaParseUnion.patch | 29 ++++ ...null-deref-in-xmlSchemaParseWildcard.patch | 29 ++++ ...null-deref-in-xmlSchemaValAtomicType.patch | 29 ++++ ...Fix-null-deref-in-xmlXIncludeLoadTxt.patch | 33 ++++ ...null-deref-in-xmlXPathCompiledEvalIn.patch | 29 ++++ ...c-fail-Fix-reallocation-in-inputPush.patch | 48 +++++ ...ix-reallocation-in-xmlXIncludeNewRef.patch | 45 +++++ ...type-confusion-after-xmlSchemaFixupT.patch | 37 ++++ ...-use-after-free-in-xmlParseStartTag2.patch | 59 +++++++ ...use-after-free-in-xmlXIncludeAddNode.patch | 37 ++++ ...use-after-free-related-to-xmlXPathNo.patch | 80 +++++++++ ...emory-errors-in-xmlTextReaderEntPush.patch | 84 +++++++++ 56 files changed, 2703 insertions(+) create mode 100644 backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch create mode 100644 backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch create mode 100644 backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch create mode 100644 backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch create mode 100644 backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch create mode 100644 backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch create mode 100644 backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch create mode 100644 backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch create mode 100644 backport-malloc-fail-Fix-reallocation-in-inputPush.patch create mode 100644 backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch create mode 100644 backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch create mode 100644 backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch create mode 100644 backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch create mode 100644 backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch create mode 100644 backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch diff --git a/backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch b/backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch new file mode 100644 index 0000000..f9bec23 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch @@ -0,0 +1,28 @@ +From f3e62035d8b80a6dba92639f2470f02258822a0a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 14:49:06 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in htmlCreatePushParserCtxt + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/f3e62035d8b80a6dba92639f2470f02258822a0a +Conflict:NA +--- + HTMLparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 7ea2e62..5272c25 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6355,7 +6355,7 @@ htmlCreatePushParserCtxt(htmlSAXHandlerPtr sax, void *user_data, + inputStream = htmlNewInputStream(ctxt); + if (inputStream == NULL) { + xmlFreeParserCtxt(ctxt); +- xmlFree(buf); ++ xmlFreeParserInputBuffer(buf); + return(NULL); + } + +-- +2.27.0 diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch new file mode 100644 index 0000000..3699fb7 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch @@ -0,0 +1,31 @@ +From dbc893f5885cf60f9ebed89c363ff810bde3ebb5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 3 Mar 2023 13:02:11 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlCopyNamespaceList + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/dbc893f5885cf60f9ebed89c363ff810bde3ebb5 +Conflict:NA +--- + tree.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tree.c b/tree.c +index 4a80e28..14d5247 100644 +--- a/tree.c ++++ b/tree.c +@@ -4046,6 +4046,10 @@ xmlCopyNamespaceList(xmlNsPtr cur) { + + while (cur != NULL) { + q = xmlCopyNamespace(cur); ++ if (q == NULL) { ++ xmlFreeNsList(ret); ++ return(NULL); ++ } + if (p == NULL) { + ret = p = q; + } else { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch new file mode 100644 index 0000000..4282a12 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch @@ -0,0 +1,32 @@ +From bc7740b3c30e1517dcf53a084766c74d25db222f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 11:45:58 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlCopyPropList + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/bc7740b3c30e1517dcf53a084766c74d25db222f +Conflict:NA +--- + tree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tree.c b/tree.c +index ac156e1..35bd948 100644 +--- a/tree.c ++++ b/tree.c +@@ -4190,8 +4190,10 @@ xmlCopyPropList(xmlNodePtr target, xmlAttrPtr cur) { + return(NULL); + while (cur != NULL) { + q = xmlCopyProp(target, cur); +- if (q == NULL) ++ if (q == NULL) { ++ xmlFreePropList(ret); + return(NULL); ++ } + if (p == NULL) { + ret = p = q; + } else { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch new file mode 100644 index 0000000..e7bc8d4 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch @@ -0,0 +1,28 @@ +From 7de8005c52c1fc4289b737c8d12c0c4efd72b605 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 15:46:11 +0100 +Subject: [PATCH 04/28] malloc-fail: Fix memory leak in xmlCreatePushParserCtxt + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/865e142c4188d892705a62f9ce9df896e7b4543d +Conflict: NA +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index 23b031d..443a216 100644 +--- a/parser.c ++++ b/parser.c +@@ -12508,6 +12508,7 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, + inputStream->filename = (char *) + xmlCanonicPath((const xmlChar *) filename); + if (inputStream->filename == NULL) { ++ xmlFreeInputStream(inputStream); + xmlFreeParserCtxt(ctxt); + xmlFreeParserInputBuffer(buf); + return(NULL); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch new file mode 100644 index 0000000..4a4c347 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch @@ -0,0 +1,29 @@ +From c82701ff0b24bc56c6814e690198599cfc8c273a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Feb 2023 15:13:06 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlDocDumpFormatMemoryEnc + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/c82701ff0b24bc56c6814e690198599cfc8c273a +Conflict:NA +--- + xmlsave.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xmlsave.c b/xmlsave.c +index 489505f..90e1856 100644 +--- a/xmlsave.c ++++ b/xmlsave.c +@@ -2402,6 +2402,7 @@ xmlDocDumpFormatMemoryEnc(xmlDocPtr out_doc, xmlChar **doc_txt_ptr, + + if ((out_buff = xmlAllocOutputBuffer(conv_hdlr)) == NULL ) { + xmlSaveErrMemory("creating buffer"); ++ xmlCharEncCloseFunc(conv_hdlr); + return; + } + +-- +2.27.0 + + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch new file mode 100644 index 0000000..2898b95 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch @@ -0,0 +1,93 @@ +From 40bc1c699a7999626d3384be43684f2a68dad6c4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Feb 2023 15:40:32 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlFAParseCharProp + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/40bc1c699a7999626d3384be43684f2a68dad6c4 +Conflict:NA +--- + xmlregexp.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index fb2eadc..8c2ea81 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -1245,7 +1245,7 @@ xmlRegPrintCtxt(FILE *output, xmlRegParserCtxtPtr ctxt) { + * * + ************************************************************************/ + +-static void ++static xmlRegRangePtr + xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, + int neg, xmlRegAtomType type, int start, int end, + xmlChar *blockName) { +@@ -1253,11 +1253,11 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, + + if (atom == NULL) { + ERROR("add range: atom is NULL"); +- return; ++ return(NULL); + } + if (atom->type != XML_REGEXP_RANGES) { + ERROR("add range: atom is not ranges"); +- return; ++ return(NULL); + } + if (atom->maxRanges == 0) { + atom->maxRanges = 4; +@@ -1266,7 +1266,7 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, + if (atom->ranges == NULL) { + xmlRegexpErrMemory(ctxt, "adding ranges"); + atom->maxRanges = 0; +- return; ++ return(NULL); + } + } else if (atom->nbRanges >= atom->maxRanges) { + xmlRegRangePtr *tmp; +@@ -1276,16 +1276,17 @@ xmlRegAtomAddRange(xmlRegParserCtxtPtr ctxt, xmlRegAtomPtr atom, + if (tmp == NULL) { + xmlRegexpErrMemory(ctxt, "adding ranges"); + atom->maxRanges /= 2; +- return; ++ return(NULL); + } + atom->ranges = tmp; + } + range = xmlRegNewRange(ctxt, neg, type, start, end); + if (range == NULL) +- return; ++ return(NULL); + range->blockName = blockName; + atom->ranges[atom->nbRanges++] = range; + ++ return(range); + } + + static int +@@ -4899,11 +4900,16 @@ xmlFAParseCharProp(xmlRegParserCtxtPtr ctxt) { + } + if (ctxt->atom == NULL) { + ctxt->atom = xmlRegNewAtom(ctxt, type); +- if (ctxt->atom != NULL) +- ctxt->atom->valuep = blockName; ++ if (ctxt->atom == NULL) { ++ xmlFree(blockName); ++ return; ++ } ++ ctxt->atom->valuep = blockName; + } else if (ctxt->atom->type == XML_REGEXP_RANGES) { +- xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, +- type, 0, 0, blockName); ++ if (xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, ++ type, 0, 0, blockName) == NULL) { ++ xmlFree(blockName); ++ } + } + } + +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch new file mode 100644 index 0000000..d08e53e --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch @@ -0,0 +1,87 @@ +From 9fa1b228a5d60fab92a79c6c01c39e37454da1b3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Feb 2023 16:43:35 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlGetDtdElementDesc2 + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/9fa1b228a5d60fab92a79c6c01c39e37454da1b3 +Conflict:valid.c + +--- + valid.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/valid.c b/valid.c +index ed3c850..b7b92fe 100644 +--- a/valid.c ++++ b/valid.c +@@ -26,8 +26,9 @@ + #include + #include + +-static xmlElementPtr xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, +- int create); ++static xmlElementPtr ++xmlGetDtdElementDesc2(xmlValidCtxtPtr ctxt, xmlDtdPtr dtd, const xmlChar *name, ++ int create); + /* #define DEBUG_VALID_ALGO */ + /* #define DEBUG_REGEXP_ALGO */ + +@@ -2135,7 +2136,7 @@ xmlAddAttributeDecl(xmlValidCtxtPtr ctxt, + * Validity Check: + * Multiple ID per element + */ +- elemDef = xmlGetDtdElementDesc2(dtd, elem, 1); ++ elemDef = xmlGetDtdElementDesc2(ctxt, dtd, elem, 1); + if (elemDef != NULL) { + + #ifdef LIBXML_VALID_ENABLED +@@ -3295,7 +3296,8 @@ xmlGetDtdElementDesc(xmlDtdPtr dtd, const xmlChar *name) { + */ + + static xmlElementPtr +-xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { ++xmlGetDtdElementDesc2(xmlValidCtxtPtr ctxt, xmlDtdPtr dtd, const xmlChar *name, ++ int create) { + xmlElementTablePtr table; + xmlElementPtr cur; + xmlChar *uqname = NULL, *prefix = NULL; +@@ -3318,7 +3320,7 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { + dtd->elements = (void *) table; + } + if (table == NULL) { +- xmlVErrMemory(NULL, "element table allocation failed"); ++ xmlVErrMemory(ctxt, "element table allocation failed"); + return(NULL); + } + } +@@ -3331,8 +3333,8 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { + if ((cur == NULL) && (create)) { + cur = (xmlElementPtr) xmlMalloc(sizeof(xmlElement)); + if (cur == NULL) { +- xmlVErrMemory(NULL, "malloc failed"); +- return(NULL); ++ xmlVErrMemory(ctxt, "malloc failed"); ++ goto error; + } + memset(cur, 0, sizeof(xmlElement)); + cur->type = XML_ELEMENT_DECL; +@@ -3344,8 +3346,13 @@ xmlGetDtdElementDesc2(xmlDtdPtr dtd, const xmlChar *name, int create) { + cur->prefix = xmlStrdup(prefix); + cur->etype = XML_ELEMENT_TYPE_UNDEFINED; + +- xmlHashAddEntry2(table, name, prefix, cur); ++ if (xmlHashAddEntry2(table, name, prefix, cur) < 0) { ++ xmlVErrMemory(ctxt, "adding entry failed"); ++ xmlFreeElement(cur); ++ cur = NULL; ++ } + } ++error: + if (prefix != NULL) xmlFree(prefix); + if (uqname != NULL) xmlFree(uqname); + return(cur); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch new file mode 100644 index 0000000..ba6eeb6 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch @@ -0,0 +1,70 @@ +From a442d16a5fe61626f00f33abe547da9379a37d89 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Feb 2023 14:48:23 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlGetNsList + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/a442d16a5fe61626f00f33abe547da9379a37d89 +Conflict:NA +--- + tree.c | 25 +++++++++---------------- + 1 file changed, 9 insertions(+), 16 deletions(-) + +diff --git a/tree.c b/tree.c +index 35bd948..4a80e28 100644 +--- a/tree.c ++++ b/tree.c +@@ -5971,7 +5971,7 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node) + xmlNsPtr cur; + xmlNsPtr *ret = NULL; + int nbns = 0; +- int maxns = 10; ++ int maxns = 0; + int i; + + if ((node == NULL) || (node->type == XML_NAMESPACE_DECL)) +@@ -5981,16 +5981,6 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node) + if (node->type == XML_ELEMENT_NODE) { + cur = node->nsDef; + while (cur != NULL) { +- if (ret == NULL) { +- ret = +- (xmlNsPtr *) xmlMalloc((maxns + 1) * +- sizeof(xmlNsPtr)); +- if (ret == NULL) { +- xmlTreeErrMemory("getting namespace list"); +- return (NULL); +- } +- ret[nbns] = NULL; +- } + for (i = 0; i < nbns; i++) { + if ((cur->prefix == ret[i]->prefix) || + (xmlStrEqual(cur->prefix, ret[i]->prefix))) +@@ -5998,15 +5988,18 @@ xmlGetNsList(const xmlDoc *doc ATTRIBUTE_UNUSED, const xmlNode *node) + } + if (i >= nbns) { + if (nbns >= maxns) { +- maxns *= 2; +- ret = (xmlNsPtr *) xmlRealloc(ret, +- (maxns + +- 1) * ++ xmlNsPtr *tmp; ++ ++ maxns = maxns ? maxns * 2 : 10; ++ tmp = (xmlNsPtr *) xmlRealloc(ret, ++ (maxns + 1) * + sizeof(xmlNsPtr)); +- if (ret == NULL) { ++ if (tmp == NULL) { + xmlTreeErrMemory("getting namespace list"); ++ xmlFree(ret); + return (NULL); + } ++ ret = tmp; + } + ret[nbns++] = cur; + ret[nbns] = NULL; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch new file mode 100644 index 0000000..df38268 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch @@ -0,0 +1,32 @@ +From ec471ee3202d4434b695e652e1fd5e0dfc592d1b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 15:58:31 +0100 +Subject: [PATCH 07/28] malloc-fail: Fix memory leak in xmlNewDocNodeEatName + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/dd50cfeb61c4f74ffc1dca1e818e01cf478e366d +Conflict: NA +--- + tree.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tree.c b/tree.c +index 6a8c2ea..bb85220 100644 +--- a/tree.c ++++ b/tree.c +@@ -2385,8 +2385,9 @@ xmlNewDocNodeEatName(xmlDocPtr doc, xmlNsPtr ns, + } + } else { + /* if name don't come from the doc dictionary free it here */ +- if ((name != NULL) && (doc != NULL) && +- (!(xmlDictOwns(doc->dict, name)))) ++ if ((name != NULL) && ++ ((doc == NULL) || (doc->dict == NULL) || ++ (!(xmlDictOwns(doc->dict, name))))) + xmlFree(name); + } + return(cur); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch new file mode 100644 index 0000000..22a2f97 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch @@ -0,0 +1,39 @@ +From dee436cd010d7144730526914193bd9fe6c74821 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 15:53:52 +0100 +Subject: [PATCH 06/28] malloc-fail: Fix memory leak in xmlNewPropInternal + +Also fixes a memory leak if called with a non-element node. + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/fa361de0b759f045c5f6f7f9c09a133abcc074c9 +Conflict: NA +--- + tree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tree.c b/tree.c +index b32561d..6a8c2ea 100644 +--- a/tree.c ++++ b/tree.c +@@ -1866,7 +1866,7 @@ xmlNewPropInternal(xmlNodePtr node, xmlNsPtr ns, + + if ((node != NULL) && (node->type != XML_ELEMENT_NODE)) { + if ((eatname == 1) && +- ((node->doc == NULL) || ++ ((node->doc == NULL) || (node->doc->dict == NULL) || + (!(xmlDictOwns(node->doc->dict, name))))) + xmlFree((xmlChar *) name); + return (NULL); +@@ -1879,6 +1879,7 @@ xmlNewPropInternal(xmlNodePtr node, xmlNsPtr ns, + if (cur == NULL) { + if ((eatname == 1) && + ((node == NULL) || (node->doc == NULL) || ++ (node->doc->dict == NULL) || + (!(xmlDictOwns(node->doc->dict, name))))) + xmlFree((xmlChar *) name); + xmlTreeErrMemory("building attribute"); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch new file mode 100644 index 0000000..c444997 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch @@ -0,0 +1,38 @@ +From f8852184a111f6c4abb38ea3d2b2b91f45347a7a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Feb 2023 13:03:13 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlParseEntityDecl + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/f8852184a111f6c4abb38ea3d2b2b91f45347a7a +Conflict:NA +--- + parser.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/parser.c b/parser.c +index 3aea3e2..37d7dec 100644 +--- a/parser.c ++++ b/parser.c +@@ -5518,7 +5518,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + ctxt->myDoc = xmlNewDoc(SAX_COMPAT_MODE); + if (ctxt->myDoc == NULL) { + xmlErrMemory(ctxt, "New Doc failed"); +- return; ++ goto done; + } + ctxt->myDoc->properties = XML_DOC_INTERNAL; + } +@@ -5589,7 +5589,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + ctxt->myDoc = xmlNewDoc(SAX_COMPAT_MODE); + if (ctxt->myDoc == NULL) { + xmlErrMemory(ctxt, "New Doc failed"); +- return; ++ goto done; + } + ctxt->myDoc->properties = XML_DOC_INTERNAL; + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch new file mode 100644 index 0000000..bebb645 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch @@ -0,0 +1,30 @@ +From 33264f08a089667a6b69f9ba019e8c3f0bb36d39 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 16:11:00 +0100 +Subject: [PATCH 10/28] malloc-fail: Fix memory leak in xmlParseReference + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/afc7e3a7f41e2e29ac36d4d7cbd0c0755558fa5d +Conflict: NA +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 780a8b3..334a0aa 100644 +--- a/parser.c ++++ b/parser.c +@@ -7463,8 +7463,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + firstChild = cur; + } + xmlAddChild((xmlNodePtr) ent, nw); +- xmlAddChild(ctxt->node, cur); + } ++ xmlAddChild(ctxt->node, cur); + if (cur == last) + break; + cur = next; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch new file mode 100644 index 0000000..2747ed5 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch @@ -0,0 +1,30 @@ +From 97086fd76b21fee6e41c13921c450411442d9da6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Feb 2023 14:45:58 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlParserInputBufferCreateMem + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/97086fd76b21fee6e41c13921c450411442d9da6 +Conflict:NA +--- + xmlIO.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmlIO.c b/xmlIO.c +index 71c9fbf..edf31e8 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -2953,7 +2953,7 @@ xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) { + ret->closecallback = NULL; + errcode = xmlBufAdd(ret->buffer, (const xmlChar *) mem, size); + if (errcode != 0) { +- xmlFree(ret); ++ xmlFreeParserInputBuffer(ret); + return(NULL); + } + } +-- +2.27.0 + + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch new file mode 100644 index 0000000..f9fb551 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch @@ -0,0 +1,67 @@ +From ed615967dfeba615218826bb4ef0c87877cb53cd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 17 Feb 2023 15:23:42 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlRegexpCompile + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/ed615967dfeba615218826bb4ef0c87877cb53cd +Conflict:NA +--- + xmlregexp.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 11c684a..360916f 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -5566,7 +5566,7 @@ xmlRegexpPrint(FILE *output, xmlRegexpPtr regexp) { + */ + xmlRegexpPtr + xmlRegexpCompile(const xmlChar *regexp) { +- xmlRegexpPtr ret; ++ xmlRegexpPtr ret = NULL; + xmlRegParserCtxtPtr ctxt; + + ctxt = xmlRegNewParserCtxt(regexp); +@@ -5576,7 +5576,7 @@ xmlRegexpCompile(const xmlChar *regexp) { + /* initialize the parser */ + ctxt->state = xmlRegStatePush(ctxt); + if (ctxt->state == NULL) +- return(NULL); ++ goto error; + ctxt->start = ctxt->state; + ctxt->end = NULL; + +@@ -5585,10 +5585,8 @@ xmlRegexpCompile(const xmlChar *regexp) { + if (CUR != 0) { + ERROR("xmlFAParseRegExp: extra characters"); + } +- if (ctxt->error != 0) { +- xmlRegFreeParserCtxt(ctxt); +- return(NULL); +- } ++ if (ctxt->error != 0) ++ goto error; + ctxt->end = ctxt->state; + ctxt->start->type = XML_REGEXP_START_STATE; + ctxt->end->type = XML_REGEXP_FINAL_STATE; +@@ -5597,11 +5595,11 @@ xmlRegexpCompile(const xmlChar *regexp) { + xmlFAEliminateEpsilonTransitions(ctxt); + + +- if (ctxt->error != 0) { +- xmlRegFreeParserCtxt(ctxt); +- return(NULL); +- } ++ if (ctxt->error != 0) ++ goto error; + ret = xmlRegEpxFromParse(ctxt); ++ ++error: + xmlRegFreeParserCtxt(ctxt); + return(ret); + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch new file mode 100644 index 0000000..d581b50 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch @@ -0,0 +1,28 @@ +From 1a90087543485763d8e6124a1818e10637e512ae Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 16:05:05 +0100 +Subject: [PATCH 09/28] malloc-fail: Fix memory leak in xmlSAX2ExternalSubset + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/7ceaee9430ca24bda7f2480f387dbebfc259002a +Conflict: NA +--- + SAX2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/SAX2.c b/SAX2.c +index 9801393..96bbcb3 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -436,6 +436,7 @@ xmlSAX2ExternalSubset(void *ctx, const xmlChar *name, + xmlMalloc(5 * sizeof(xmlParserInputPtr)); + if (ctxt->inputTab == NULL) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2ExternalSubset"); ++ xmlFreeInputStream(input); + ctxt->input = oldinput; + ctxt->inputNr = oldinputNr; + ctxt->inputMax = oldinputMax; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch new file mode 100644 index 0000000..7e6f360 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch @@ -0,0 +1,28 @@ +From cb4334b7abf265f55d1a41f435fedd67494eeb18 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Feb 2023 18:10:14 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlSAX2StartElementNs + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/cb4334b7abf265f55d1a41f435fedd67494eeb18 +Conflict:NA +--- + SAX2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/SAX2.c b/SAX2.c +index 2426e93..916e974 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -2242,6 +2242,7 @@ xmlSAX2StartElementNs(void *ctx, + ret->name = lname; + if (ret->name == NULL) { + xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElementNs"); ++ xmlFree(ret); + return; + } + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch new file mode 100644 index 0000000..e81ed3e --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch @@ -0,0 +1,35 @@ +From a5787229e5c53d522364cd68397cdc61094ac51a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:09:34 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaBucketCreate + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/260d6b8d77d11a20a2614eef99e88e68eaca6550 +Conflict:NA +--- + xmlschemas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 724920b..9ace2b7 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -3658,12 +3658,12 @@ xmlSchemaBucketCreate(xmlSchemaParserCtxtPtr pctxt, + ret->type = type; + ret->globals = xmlSchemaItemListCreate(); + if (ret->globals == NULL) { +- xmlFree(ret); ++ xmlSchemaBucketFree(ret); + return(NULL); + } + ret->locals = xmlSchemaItemListCreate(); + if (ret->locals == NULL) { +- xmlFree(ret); ++ xmlSchemaBucketFree(ret); + return(NULL); + } + /* +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch new file mode 100644 index 0000000..d6ae204 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch @@ -0,0 +1,41 @@ +From ba290a86639a6a9fc8af81936ad2d3a4d22d502f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:08:57 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaItemListAddSize + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/ba290a86639a6a9fc8af81936ad2d3a4d22d502f +Conflict:NA +--- + xmlschemas.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 4a767ac..9be7999 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -3445,14 +3445,17 @@ xmlSchemaItemListAddSize(xmlSchemaItemListPtr list, + } + list->sizeItems = initialSize; + } else if (list->sizeItems <= list->nbItems) { ++ void **tmp; ++ + list->sizeItems *= 2; +- list->items = (void **) xmlRealloc(list->items, ++ tmp = (void **) xmlRealloc(list->items, + list->sizeItems * sizeof(void *)); +- if (list->items == NULL) { ++ if (tmp == NULL) { + xmlSchemaPErrMemory(NULL, "growing item list", NULL); +- list->sizeItems = 0; ++ list->sizeItems /= 2; + return(-1); + } ++ list->items = tmp; + } + list->items[list->nbItems++] = item; + return(0); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch new file mode 100644 index 0000000..c9e7fce --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch @@ -0,0 +1,29 @@ +From cfbc1f48ee6259efaedcdc485d86b90e252da970 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:06:51 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaParse + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/cfbc1f48ee6259efaedcdc485d86b90e252da970 +Conflict:NA +--- + xmlschemas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index c68103c..fa9d113 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -21473,7 +21473,7 @@ xmlSchemaParse(xmlSchemaParserCtxtPtr ctxt) + if (ctxt->constructor == NULL) { + ctxt->constructor = xmlSchemaConstructionCtxtCreate(ctxt->dict); + if (ctxt->constructor == NULL) +- return(NULL); ++ goto exit_failure; + /* Take ownership of the constructor to be able to free it. */ + ctxt->ownsConstructor = 1; + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch new file mode 100644 index 0000000..107357f --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch @@ -0,0 +1,42 @@ +From 961a4f35bfcbe3f2b0ca0932e880ea73cbb2ab2c Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:10:41 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlSchemaParseUnion + +Also report malloc failure from xmlStrndup. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/961a4f35bfcbe3f2b0ca0932e880ea73cbb2ab2c +Conflict:NA +--- + xmlschemas.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index d2f8bf1..4dbee37 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -9017,6 +9017,11 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema, + if (end == cur) + break; + tmp = xmlStrndup(cur, end - cur); ++ if (tmp == NULL) { ++ xmlSchemaPErrMemory(ctxt, "xmlSchemaParseUnion, " ++ "duplicating type name", NULL); ++ return (-1); ++ } + if (xmlSchemaPValAttrNodeQNameValue(ctxt, schema, + NULL, attr, BAD_CAST tmp, &nsName, &localName) == 0) { + /* +@@ -9027,6 +9032,7 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema, + if (link == NULL) { + xmlSchemaPErrMemory(ctxt, "xmlSchemaParseUnion, " + "allocating a type link", NULL); ++ FREE_AND_NULL(tmp) + return (-1); + } + link->type = NULL; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch new file mode 100644 index 0000000..6cd04d8 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch @@ -0,0 +1,48 @@ +From f0b5515c26a65c218dcab95b411f25f2e57328d0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 15:44:42 +0100 +Subject: [PATCH 05/28] malloc-fail: Fix memory leak in xmlStaticCopyNodeList + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce +Conflict: NA +--- + tree.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tree.c b/tree.c +index 84da156..b32561d 100644 +--- a/tree.c ++++ b/tree.c +@@ -4388,7 +4388,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + } + if (doc->intSubset == NULL) { + q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); +- if (q == NULL) return(NULL); ++ if (q == NULL) goto error; + q->doc = doc; + q->parent = parent; + doc->intSubset = (xmlDtdPtr) q; +@@ -4400,7 +4400,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + } else + #endif /* LIBXML_TREE_ENABLED */ + q = xmlStaticCopyNode(node, doc, parent, 1); +- if (q == NULL) return(NULL); ++ if (q == NULL) goto error; + if (ret == NULL) { + q->prev = NULL; + ret = p = q; +@@ -4413,6 +4413,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + node = node->next; + } + return(ret); ++error: ++ xmlFreeNodeList(ret); ++ return(NULL); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch new file mode 100644 index 0000000..661afc5 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch @@ -0,0 +1,120 @@ +From 2fbf7876510dd9c5996151e2569078146e869697 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 16:22:54 +0100 +Subject: [PATCH 12/28] malloc-fail: Fix memory leak in xmlStringGetNodeList + +Also make sure to return NULL on error instead of a partial node list. + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/b45927095e0c857b68a96466e3075d60a6a5dd9e +Conflict: NA +--- + tree.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/tree.c b/tree.c +index bb85220..ac156e1 100644 +--- a/tree.c ++++ b/tree.c +@@ -1496,9 +1496,9 @@ out: + */ + xmlNodePtr + xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { +- xmlNodePtr ret = NULL, last = NULL; ++ xmlNodePtr ret = NULL, head = NULL, last = NULL; + xmlNodePtr node; +- xmlChar *val; ++ xmlChar *val = NULL; + const xmlChar *cur = value; + const xmlChar *q; + xmlEntityPtr ent; +@@ -1596,14 +1596,12 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + */ + if (!xmlBufIsEmpty(buf)) { + node = xmlNewDocText(doc, NULL); +- if (node == NULL) { +- if (val != NULL) xmlFree(val); +- goto out; +- } ++ if (node == NULL) ++ goto out; + node->content = xmlBufDetach(buf); + + if (last == NULL) { +- last = ret = node; ++ last = head = node; + } else { + last = xmlAddNextSibling(last, node); + } +@@ -1613,11 +1611,9 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + * Create a new REFERENCE_REF node + */ + node = xmlNewReference(doc, val); +- if (node == NULL) { +- if (val != NULL) xmlFree(val); ++ if (node == NULL) + goto out; +- } +- else if ((ent != NULL) && (ent->children == NULL)) { ++ if ((ent != NULL) && (ent->children == NULL)) { + xmlNodePtr temp; + + /* Set to non-NULL value to avoid recursion. */ +@@ -1633,12 +1629,13 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + } + } + if (last == NULL) { +- last = ret = node; ++ last = head = node; + } else { + last = xmlAddNextSibling(last, node); + } + } + xmlFree(val); ++ val = NULL; + } + cur++; + q = cur; +@@ -1657,7 +1654,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + } else + cur++; + } +- if ((cur != q) || (ret == NULL)) { ++ if ((cur != q) || (head == NULL)) { + /* + * Handle the last piece of text. + */ +@@ -1666,21 +1663,24 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + + if (!xmlBufIsEmpty(buf)) { + node = xmlNewDocText(doc, NULL); +- if (node == NULL) { +- xmlBufFree(buf); +- return(NULL); +- } ++ if (node == NULL) ++ goto out; + node->content = xmlBufDetach(buf); + + if (last == NULL) { +- ret = node; ++ head = node; + } else { + xmlAddNextSibling(last, node); + } + } + ++ ret = head; ++ head = NULL; ++ + out: + xmlBufFree(buf); ++ if (val != NULL) xmlFree(val); ++ if (head != NULL) xmlFreeNodeList(head); + return(ret); + } + +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch new file mode 100644 index 0000000..4abe279 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch @@ -0,0 +1,29 @@ +From 3b59fdf001f030e1b2180d3303347119e05d8dcb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 13:28:24 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXIncludeAddNode + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/3b59fdf001f030e1b2180d3303347119e05d8dcb +Conflict:xinclude.c + +--- + xinclude.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xinclude.c b/xinclude.c +index 6e5b61d..cc22848 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -660,6 +660,7 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { + ref = xmlXIncludeNewRef(ctxt, URL, cur); + xmlFree(URL); + if (ref == NULL) { ++ xmlFree(fragment); + return(-1); + } + ref->fragment = fragment; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch new file mode 100644 index 0000000..93173ae --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch @@ -0,0 +1,164 @@ +From ec05f04d8b5a0a60515235f65ed1256644a77741 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 12:40:02 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXIncludeLoadTxt + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/ec05f04d8b5a0a60515235f65ed1256644a77741 +Conflict:xinclude.c + +--- + xinclude.c | 67 +++++++++++++++++++++++------------------------------- + 1 file changed, 28 insertions(+), 39 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index cc22848..c0b4439 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -1791,14 +1791,15 @@ error: + static int + xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlParserInputBufferPtr buf; +- xmlNodePtr node; +- xmlURIPtr uri; +- xmlChar *URL; ++ xmlNodePtr node = NULL; ++ xmlURIPtr uri = NULL; ++ xmlChar *URL = NULL; + int i; ++ int ret = -1; + xmlChar *encoding = NULL; + xmlCharEncoding enc = (xmlCharEncoding) 0; +- xmlParserCtxtPtr pctxt; +- xmlParserInputPtr inputStream; ++ xmlParserCtxtPtr pctxt = NULL; ++ xmlParserInputPtr inputStream = NULL; + int len; + const xmlChar *content; + +@@ -1814,21 +1815,19 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + if (uri == NULL) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", url); +- return(-1); ++ goto error; + } + if (uri->fragment != NULL) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_TEXT_FRAGMENT, + "fragment identifier forbidden for text: %s\n", + (const xmlChar *) uri->fragment); +- xmlFreeURI(uri); +- return(-1); ++ goto error; + } + URL = xmlSaveUri(uri); +- xmlFreeURI(uri); + if (URL == NULL) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", url); +- return(-1); ++ goto error; + } + + /* +@@ -1839,8 +1838,7 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, + XML_XINCLUDE_TEXT_DOCUMENT, + "text serialization of document not available\n", NULL); +- xmlFree(URL); +- return(-1); ++ goto error; + } + + /* +@@ -1870,11 +1868,8 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, + XML_XINCLUDE_UNKNOWN_ENCODING, + "encoding %s not supported\n", encoding); +- xmlFree(encoding); +- xmlFree(URL); +- return(-1); ++ goto error; + } +- xmlFree(encoding); + } + + /* +@@ -1882,27 +1877,18 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + */ + pctxt = xmlNewParserCtxt(); + inputStream = xmlLoadExternalEntity((const char*)URL, NULL, pctxt); +- if(inputStream == NULL) { +- xmlFreeParserCtxt(pctxt); +- xmlFree(URL); +- return(-1); +- } ++ if(inputStream == NULL) ++ goto error; + buf = inputStream->buf; +- if (buf == NULL) { +- xmlFreeInputStream (inputStream); +- xmlFreeParserCtxt(pctxt); +- xmlFree(URL); +- return(-1); +- } ++ if (buf == NULL) ++ goto error; + if (buf->encoder) + xmlCharEncCloseFunc(buf->encoder); + buf->encoder = xmlGetCharEncodingHandler(enc); + node = xmlNewText(NULL); + if (node == NULL) { +- xmlFreeInputStream(inputStream); +- xmlFreeParserCtxt(pctxt); +- xmlFree(URL); +- return(-1); ++ xmlXIncludeErrMemory(ctxt, ctxt->incTab[nr]->ref, NULL); ++ goto error; + } + + /* +@@ -1921,28 +1907,31 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + if (!IS_CHAR(cur)) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_INVALID_CHAR, + "%s contains invalid char\n", URL); +- xmlFreeNode(node); +- xmlFreeInputStream(inputStream); +- xmlFreeParserCtxt(pctxt); +- xmlFree(URL); +- return(-1); ++ goto error; + } + + i += l; + } + + xmlNodeAddContentLen(node, content, len); +- xmlFreeParserCtxt(pctxt); + xmlXIncludeAddTxt(ctxt, node->content, URL); +- xmlFreeInputStream(inputStream); + + loaded: + /* + * Add the element as the replacement copy. + */ + ctxt->incTab[nr]->inc = node; ++ node = NULL; ++ ret = 0; ++ ++error: ++ xmlFreeNode(node); ++ xmlFreeInputStream(inputStream); ++ xmlFreeParserCtxt(pctxt); ++ xmlFree(encoding); ++ xmlFreeURI(uri); + xmlFree(URL); +- return(0); ++ return(ret); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch new file mode 100644 index 0000000..752cbcb --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch @@ -0,0 +1,51 @@ +From 6f9604f0e3e52e96881ab3b662f35fbe04cd49ac Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Feb 2023 16:09:50 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathCacheNewNodeSet + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/6f9604f0e3e52e96881ab3b662f35fbe04cd49ac +Conflict:NA +--- + xpath.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 84b139d..1f358e3 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -2448,21 +2448,24 @@ xmlXPathCacheNewNodeSet(xmlXPathContextPtr ctxt, xmlNodePtr val) + (cache->miscObjs->number != 0)) + { + xmlXPathObjectPtr ret; ++ xmlNodeSetPtr set; + /* + * Fallback to misc-cache. + */ + ++ set = xmlXPathNodeSetCreate(val); ++ if (set == NULL) { ++ ctxt->lastError.domain = XML_FROM_XPATH; ++ ctxt->lastError.code = XML_ERR_NO_MEMORY; ++ return(NULL); ++ } ++ + ret = (xmlXPathObjectPtr) + cache->miscObjs->items[--cache->miscObjs->number]; + + ret->type = XPATH_NODESET; + ret->boolval = 0; +- ret->nodesetval = xmlXPathNodeSetCreate(val); +- if (ret->nodesetval == NULL) { +- ctxt->lastError.domain = XML_FROM_XPATH; +- ctxt->lastError.code = XML_ERR_NO_MEMORY; +- return(NULL); +- } ++ ret->nodesetval = set; + #ifdef XP_DEBUG_OBJ_USAGE + xmlXPathDebugObjUsageRequested(ctxt, XPATH_NODESET); + #endif +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch new file mode 100644 index 0000000..91e4bf7 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch @@ -0,0 +1,45 @@ +From 691f7eb44dd82a3de79e492bbe6c5426c96cbdde Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 14:05:13 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathCompareValues + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/691f7eb44dd82a3de79e492bbe6c5426c96cbdde +Conflict:NA +--- + xpath.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 212a4e0..c1d119b 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -7375,14 +7375,14 @@ xmlXPathCompareValues(xmlXPathParserContextPtr ctxt, int inf, int strict) { + valuePush(ctxt, arg1); + xmlXPathNumberFunction(ctxt, 1); + arg1 = valuePop(ctxt); +- CHECK_ERROR0; + } + if (arg2->type != XPATH_NUMBER) { + valuePush(ctxt, arg2); + xmlXPathNumberFunction(ctxt, 1); + arg2 = valuePop(ctxt); +- CHECK_ERROR0; + } ++ if (ctxt->error) ++ goto error; + /* + * Add tests for infinity and nan + * => feedback on 3.4 for Inf and NaN +@@ -7432,6 +7432,7 @@ xmlXPathCompareValues(xmlXPathParserContextPtr ctxt, int inf, int strict) { + } + } + } ++error: + xmlXPathReleaseObject(ctxt->context, arg1); + xmlXPathReleaseObject(ctxt->context, arg2); + return(ret); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch new file mode 100644 index 0000000..ccbcb90 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch @@ -0,0 +1,47 @@ +From bc9f372c1001ff64353400edf489fb0ce4ab17fc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Feb 2023 18:00:30 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathDistinctSorted + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/bc9f372c1001ff64353400edf489fb0ce4ab17fc +Conflict:NA +--- + xpath.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 1f358e3..b6a3983 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -4540,16 +4540,23 @@ xmlXPathDistinctSorted (xmlNodeSetPtr nodes) { + cur = xmlXPathNodeSetItem(nodes, i); + strval = xmlXPathCastNodeToString(cur); + if (xmlHashLookup(hash, strval) == NULL) { +- xmlHashAddEntry(hash, strval, strval); +- /* TODO: Propagate memory error. */ ++ if (xmlHashAddEntry(hash, strval, strval) < 0) { ++ xmlFree(strval); ++ goto error; ++ } + if (xmlXPathNodeSetAddUnique(ret, cur) < 0) +- break; ++ goto error; + } else { + xmlFree(strval); + } + } + xmlHashFree(hash, xmlHashDefaultDeallocator); + return(ret); ++ ++error: ++ xmlHashFree(hash, xmlHashDefaultDeallocator); ++ xmlXPathFreeNodeSet(ret); ++ return(NULL); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch new file mode 100644 index 0000000..bd9f6a9 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch @@ -0,0 +1,30 @@ +From a3e11b385c04f2d0dc7d8c51635e5deb5b867261 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 25 Feb 2023 16:05:24 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathEqualNodeSetFloat + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/a3e11b385c04f2d0dc7d8c51635e5deb5b867261 +Conflict:NA +--- + xpath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xpath.c b/xpath.c +index ef9f517..7f2c92a 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -6814,8 +6814,8 @@ xmlXPathEqualNodeSetFloat(xmlXPathParserContextPtr ctxt, + valuePush(ctxt, xmlXPathCacheNewString(ctxt->context, str2)); + xmlFree(str2); + xmlXPathNumberFunction(ctxt, 1); +- val = valuePop(ctxt); + CHECK_ERROR0; ++ val = valuePop(ctxt); + v = val->floatval; + xmlXPathReleaseObject(ctxt->context, val); + if (!xmlXPathIsNaN(v)) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch new file mode 100644 index 0000000..d652995 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch @@ -0,0 +1,41 @@ +From 3dc645227ed1ac463c9d333c6eb92d1b6bb26ae9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 14:30:40 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathEqualValuesCommon + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/3dc645227ed1ac463c9d333c6eb92d1b6bb26ae9 +Conflict:NA +--- + xpath.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index cf74030..ef9f517 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -7028,7 +7028,8 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, + valuePush(ctxt, arg2); + xmlXPathNumberFunction(ctxt, 1); + arg2 = valuePop(ctxt); +- CHECK_ERROR0; ++ if (ctxt->error) ++ break; + /* Falls through. */ + case XPATH_NUMBER: + /* Hand check NaN and Infinity equalities */ +@@ -7092,7 +7093,8 @@ xmlXPathEqualValuesCommon(xmlXPathParserContextPtr ctxt, + valuePush(ctxt, arg1); + xmlXPathNumberFunction(ctxt, 1); + arg1 = valuePop(ctxt); +- CHECK_ERROR0; ++ if (ctxt->error) ++ break; + /* Hand check NaN and Infinity equalities */ + if (xmlXPathIsNaN(arg1->floatval) || + xmlXPathIsNaN(arg2->floatval)) { +-- +2.27.0 + + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch new file mode 100644 index 0000000..d85e89e --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch @@ -0,0 +1,32 @@ +From 282b75f1108e81e483d95a08397da282233f9667 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Feb 2023 12:14:33 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathNameFunction + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/282b75f1108e81e483d95a08397da282233f9667 +Conflict:NA +--- + xpath.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/xpath.c b/xpath.c +index d17ad5e..56a59c1 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -8857,9 +8857,8 @@ xmlXPathNameFunction(xmlXPathParserContextPtr ctxt, int nargs) + NULL, 0); + if (fullname == cur->nodesetval->nodeTab[i]->name) + fullname = xmlStrdup(cur->nodesetval->nodeTab[i]->name); +- if (fullname == NULL) { +- XP_ERROR(XPATH_MEMORY_ERROR); +- } ++ if (fullname == NULL) ++ xmlXPathPErrMemory(ctxt, NULL); + valuePush(ctxt, xmlXPathCacheWrapString( + ctxt->context, fullname)); + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch new file mode 100644 index 0000000..cda925e --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch @@ -0,0 +1,49 @@ +From bd6fa2c1d5c163ab94edaf2e62d18cdfee33f913 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 9 Mar 2023 22:33:19 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathRegisterNs + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/bd6fa2c1d5c163ab94edaf2e62d18cdfee33f913 +Conflict:NA +--- + xpath.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 56a59c1..e3a8c14 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -5133,6 +5133,8 @@ xmlXPathRegisteredVariablesCleanup(xmlXPathContextPtr ctxt) { + int + xmlXPathRegisterNs(xmlXPathContextPtr ctxt, const xmlChar *prefix, + const xmlChar *ns_uri) { ++ xmlChar *copy; ++ + if (ctxt == NULL) + return(-1); + if (prefix == NULL) +@@ -5147,8 +5149,17 @@ xmlXPathRegisterNs(xmlXPathContextPtr ctxt, const xmlChar *prefix, + if (ns_uri == NULL) + return(xmlHashRemoveEntry(ctxt->nsHash, prefix, + xmlHashDefaultDeallocator)); +- return(xmlHashUpdateEntry(ctxt->nsHash, prefix, (void *) xmlStrdup(ns_uri), +- xmlHashDefaultDeallocator)); ++ ++ copy = xmlStrdup(ns_uri); ++ if (copy == NULL) ++ return(-1); ++ if (xmlHashUpdateEntry(ctxt->nsHash, prefix, copy, ++ xmlHashDefaultDeallocator) < 0) { ++ xmlFree(copy); ++ return(-1); ++ } ++ ++ return(0); + } + + /** +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch new file mode 100644 index 0000000..8716948 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch @@ -0,0 +1,27 @@ +From ac746afd33a938b6704ba32824e076af939665fb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Feb 2023 13:54:55 +0100 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlXPathTryStreamCompile + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/ac746afd33a938b6704ba32824e076af939665fb +Conflict:NA +--- + xpath.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xpath.c b/xpath.c +index c1d119b..7833870 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -14121,6 +14121,7 @@ xmlXPathTryStreamCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + comp = xmlXPathNewCompExpr(); + if (comp == NULL) { + xmlXPathErrMemory(ctxt, "allocating streamable expression\n"); ++ xmlFreePattern(stream); + return(NULL); + } + comp->stream = stream; +-- +2.27.0 diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch b/backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch new file mode 100644 index 0000000..6b5ec32 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch @@ -0,0 +1,72 @@ +From 44947afba0ded433c6f4ffc10ee646c4b267f2b7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Feb 2023 14:41:35 +0100 +Subject: [PATCH] malloc-fail: Fix null deref after xmlPointerListAddSize + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/44947afba0ded433c6f4ffc10ee646c4b267f2b7 +Conflict:NA +--- + xpath.c | 40 +++++++++++++++++++--------------------- + 1 file changed, 19 insertions(+), 21 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 54d9c58..84b139d 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -812,32 +812,30 @@ xmlPointerListAddSize(xmlPointerListPtr list, + void *item, + int initialSize) + { +- if (list->items == NULL) { +- if (initialSize <= 0) +- initialSize = 1; +- list->items = (void **) xmlMalloc(initialSize * sizeof(void *)); +- if (list->items == NULL) { +- xmlXPathErrMemory(NULL, +- "xmlPointerListCreate: allocating item\n"); +- return(-1); +- } +- list->number = 0; +- list->size = initialSize; +- } else if (list->size <= list->number) { +- if (list->size > 50000000) { +- xmlXPathErrMemory(NULL, +- "xmlPointerListAddSize: re-allocating item\n"); +- return(-1); ++ if (list->size <= list->number) { ++ void **tmp; ++ size_t newSize; ++ ++ if (list->size == 0) { ++ if (initialSize <= 0) ++ initialSize = 1; ++ newSize = initialSize; ++ } else { ++ if (list->size > 50000000) { ++ xmlXPathErrMemory(NULL, ++ "xmlPointerListAddSize: re-allocating item\n"); ++ return(-1); ++ } ++ newSize = list->size * 2; + } +- list->size *= 2; +- list->items = (void **) xmlRealloc(list->items, +- list->size * sizeof(void *)); +- if (list->items == NULL) { ++ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *)); ++ if (tmp == NULL) { + xmlXPathErrMemory(NULL, + "xmlPointerListAddSize: re-allocating item\n"); +- list->size = 0; + return(-1); + } ++ list->items = tmp; ++ list->size = newSize; + } + list->items[list->number++] = item; + return(0); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch b/backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch new file mode 100644 index 0000000..716d684 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch @@ -0,0 +1,93 @@ +From 19b197b61646fd2ad7e584b739500876681c4e3d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:10:56 +0100 +Subject: [PATCH] malloc-fail: Fix null deref after xmlSchemaCompareDates + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/19b197b61646fd2ad7e584b739500876681c4e3d +Conflict:NA +--- + xmlschemastypes.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 160777f..d5c7790 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -4146,9 +4146,15 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + + if (!y->value.date.tz_flag) { + p1 = xmlSchemaDateNormalize(x, 0); ++ if (p1 == NULL) ++ return -2; + p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day; + /* normalize y + 14:00 */ + q1 = xmlSchemaDateNormalize(y, (14 * SECS_PER_HOUR)); ++ if (q1 == NULL) { ++ xmlSchemaFreeValue(p1); ++ return -2; ++ } + + q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day; + if (p1d < q1d) { +@@ -4167,6 +4173,11 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + int ret = 0; + /* normalize y - 14:00 */ + q2 = xmlSchemaDateNormalize(y, -(14 * SECS_PER_HOUR)); ++ if (q2 == NULL) { ++ xmlSchemaFreeValue(p1); ++ xmlSchemaFreeValue(q1); ++ return -2; ++ } + q2d = _xmlSchemaDateCastYMToDays(q2) + q2->value.date.day; + if (p1d > q2d) + ret = 1; +@@ -4190,10 +4201,16 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + } + } else if (y->value.date.tz_flag) { + q1 = xmlSchemaDateNormalize(y, 0); ++ if (q1 == NULL) ++ return -2; + q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day; + + /* normalize x - 14:00 */ + p1 = xmlSchemaDateNormalize(x, -(14 * SECS_PER_HOUR)); ++ if (p1 == NULL) { ++ xmlSchemaFreeValue(q1); ++ return -2; ++ } + p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day; + + if (p1d < q1d) { +@@ -4212,6 +4229,11 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + int ret = 0; + /* normalize x + 14:00 */ + p2 = xmlSchemaDateNormalize(x, (14 * SECS_PER_HOUR)); ++ if (p2 == NULL) { ++ xmlSchemaFreeValue(p1); ++ xmlSchemaFreeValue(q1); ++ return -2; ++ } + p2d = _xmlSchemaDateCastYMToDays(p2) + p2->value.date.day; + + if (p2d > q1d) { +@@ -4241,9 +4263,15 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + if (x->type == y->type) { + int ret = 0; + q1 = xmlSchemaDateNormalize(y, 0); ++ if (q1 == NULL) ++ return -2; + q1d = _xmlSchemaDateCastYMToDays(q1) + q1->value.date.day; + + p1 = xmlSchemaDateNormalize(x, 0); ++ if (p1 == NULL) { ++ xmlSchemaFreeValue(q1); ++ return -2; ++ } + p1d = _xmlSchemaDateCastYMToDays(p1) + p1->value.date.day; + + if (p1d < q1d) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch b/backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch new file mode 100644 index 0000000..e22c223 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch @@ -0,0 +1,85 @@ +From 767ae50bc9e94a35bfede3af291cf0060893db0f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:11:24 +0100 +Subject: [PATCH] malloc-fail: Fix null deref after + xmlSchemaItemList{Add,Insert} + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/767ae50bc9e94a35bfede3af291cf0060893db0f +Conflict:NA +--- + xmlschemas.c | 44 ++++++++++++++++---------------------------- + 1 file changed, 16 insertions(+), 28 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 46cbe0f..d2f8bf1 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -3417,23 +3417,17 @@ xmlSchemaItemListClear(xmlSchemaItemListPtr list) + static int + xmlSchemaItemListAdd(xmlSchemaItemListPtr list, void *item) + { +- if (list->items == NULL) { +- list->items = (void **) xmlMalloc( +- 20 * sizeof(void *)); +- if (list->items == NULL) { +- xmlSchemaPErrMemory(NULL, "allocating new item list", NULL); +- return(-1); +- } +- list->sizeItems = 20; +- } else if (list->sizeItems <= list->nbItems) { +- list->sizeItems *= 2; +- list->items = (void **) xmlRealloc(list->items, +- list->sizeItems * sizeof(void *)); +- if (list->items == NULL) { ++ if (list->sizeItems <= list->nbItems) { ++ void **tmp; ++ size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2; ++ ++ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *)); ++ if (tmp == NULL) { + xmlSchemaPErrMemory(NULL, "growing item list", NULL); +- list->sizeItems = 0; + return(-1); + } ++ list->items = tmp; ++ list->sizeItems = newSize; + } + list->items[list->nbItems++] = item; + return(0); +@@ -3474,23 +3468,17 @@ xmlSchemaItemListAddSize(xmlSchemaItemListPtr list, + static int + xmlSchemaItemListInsert(xmlSchemaItemListPtr list, void *item, int idx) + { +- if (list->items == NULL) { +- list->items = (void **) xmlMalloc( +- 20 * sizeof(void *)); +- if (list->items == NULL) { +- xmlSchemaPErrMemory(NULL, "allocating new item list", NULL); +- return(-1); +- } +- list->sizeItems = 20; +- } else if (list->sizeItems <= list->nbItems) { +- list->sizeItems *= 2; +- list->items = (void **) xmlRealloc(list->items, +- list->sizeItems * sizeof(void *)); +- if (list->items == NULL) { ++ if (list->sizeItems <= list->nbItems) { ++ void **tmp; ++ size_t newSize = list->sizeItems == 0 ? 20 : list->sizeItems * 2; ++ ++ tmp = (void **) xmlRealloc(list->items, newSize * sizeof(void *)); ++ if (tmp == NULL) { + xmlSchemaPErrMemory(NULL, "growing item list", NULL); +- list->sizeItems = 0; + return(-1); + } ++ list->items = tmp; ++ list->sizeItems = newSize; + } + /* + * Just append if the index is greater/equal than the item count. +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch b/backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch new file mode 100644 index 0000000..a9d7498 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch @@ -0,0 +1,51 @@ +From c40cbf07a30c264846ad1135a3670535942441f6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 8 May 2023 17:03:00 +0200 +Subject: [PATCH] malloc-fail: Fix null deref after xmlXIncludeNewRef + +See #344. + +Reference:https://github.com/GNOME/libxml2/commit/c40cbf07a30c264846ad1135a3670535942441f6 +Conflict:xinclude.c + +--- + xinclude.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index c0b4439..a9da439 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -246,19 +246,9 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI, + ret->count = 0; + ret->xml = 0; + ret->inc = NULL; +- if (ctxt->incMax == 0) { +- ctxt->incMax = 4; +- ctxt->incTab = (xmlXIncludeRefPtr *) xmlMalloc(ctxt->incMax * +- sizeof(ctxt->incTab[0])); +- if (ctxt->incTab == NULL) { +- xmlXIncludeErrMemory(ctxt, ref, "growing XInclude context"); +- xmlXIncludeFreeRef(ret); +- return(NULL); +- } +- } + if (ctxt->incNr >= ctxt->incMax) { + xmlXIncludeRefPtr *tmp; +- size_t newSize = ctxt->incMax * 2; ++ size_t newSize = ctxt->incMax ? ctxt->incMax * 2 : 4; + + tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab, + newSize * sizeof(ctxt->incTab[0])); +@@ -268,7 +258,7 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI, + return(NULL); + } + ctxt->incTab = tmp; +- ctxt->incMax *= 2; ++ ctxt->incMax = newSize; + } + ctxt->incTab[ctxt->incNr++] = ret; + return(ret); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch b/backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch new file mode 100644 index 0000000..39e0b4c --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch @@ -0,0 +1,51 @@ +From 2355eac59e91e1465696150cf0efc9029ba4f9b2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 14:52:06 +0100 +Subject: [PATCH] malloc-fail: Fix null deref if growing input buffer fails + +Also add some error checks. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/2355eac59e91e1465696150cf0efc9029ba4f9b2 +Conflict:xmlIO.c +--- + encoding.c | 3 ++- + parserInternals.c | 6 ++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/encoding.c b/encoding.c +index 8ce407f..c073a9c 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -2288,7 +2288,8 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush) + toconv = 64 * 1024; + written = xmlBufAvail(out); + if (toconv * 2 >= written) { +- xmlBufGrow(out, toconv * 2); ++ if (xmlBufGrow(out, toconv * 2) < 0) ++ return (-1); + written = xmlBufAvail(out); + } + if ((written > 128 * 1024) && (flush == 0)) +diff --git a/parserInternals.c b/parserInternals.c +index cee4cd9..dd1dc9c 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -326,6 +326,12 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + ret = xmlParserInputBufferGrow(in->buf, len); + + in->base = xmlBufContent(in->buf->buffer); ++ if (in->base == NULL) { ++ in->base = BAD_CAST ""; ++ in->cur = in->base; ++ in->end = in->base; ++ return(-1); ++ } + in->cur = in->base + indx; + in->end = xmlBufEnd(in->buf->buffer); + +-- +2.27.0 + + diff --git a/backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch b/backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch new file mode 100644 index 0000000..61bada7 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch @@ -0,0 +1,54 @@ +From 041789d9ec5a0f592e200bcb7313d88ff14707e4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Feb 2023 15:02:08 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in htmlnamePush + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/041789d9ec5a0f592e200bcb7313d88ff14707e4 +Conflict:NA +--- + HTMLparser.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index ca551d9..e02a142 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -161,7 +161,7 @@ htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Pushes a new element name on top of the name stack + * +- * Returns 0 in case of error, the index in the stack otherwise ++ * Returns -1 in case of error, the index in the stack otherwise + */ + static int + htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value) +@@ -171,15 +171,17 @@ htmlnamePush(htmlParserCtxtPtr ctxt, const xmlChar * value) + if ((ctxt->html < 10) && (xmlStrEqual(value, BAD_CAST "body"))) + ctxt->html = 10; + if (ctxt->nameNr >= ctxt->nameMax) { +- ctxt->nameMax *= 2; +- ctxt->nameTab = (const xmlChar * *) +- xmlRealloc((xmlChar * *)ctxt->nameTab, +- ctxt->nameMax * +- sizeof(ctxt->nameTab[0])); +- if (ctxt->nameTab == NULL) { ++ size_t newSize = ctxt->nameMax * 2; ++ const xmlChar **tmp; ++ ++ tmp = xmlRealloc((xmlChar **) ctxt->nameTab, ++ newSize * sizeof(ctxt->nameTab[0])); ++ if (tmp == NULL) { + htmlErrMemory(ctxt, NULL); +- return (0); ++ return (-1); + } ++ ctxt->nameTab = tmp; ++ ctxt->nameMax = newSize; + } + ctxt->nameTab[ctxt->nameNr] = value; + ctxt->name = value; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch b/backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch new file mode 100644 index 0000000..c5f945c --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch @@ -0,0 +1,29 @@ +From bd9de3a31f66bbf38b2e90cc9efb1374cc1314da Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 16:52:39 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlAddDefAttrs + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/bd9de3a31f66bbf38b2e90cc9efb1374cc1314da +Conflict:NA +--- + parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parser.c b/parser.c +index fafae15..3c06439 100644 +--- a/parser.c ++++ b/parser.c +@@ -1334,6 +1334,8 @@ xmlAddDefAttrs(xmlParserCtxtPtr ctxt, + /* intern the string and precompute the end */ + len = xmlStrlen(value); + value = xmlDictLookup(ctxt->dict, value, len); ++ if (value == NULL) ++ goto mem_error; + defaults->values[5 * defaults->nbAttrs + 2] = value; + defaults->values[5 * defaults->nbAttrs + 3] = value + len; + if (ctxt->external) +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch b/backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch new file mode 100644 index 0000000..3b6f603 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch @@ -0,0 +1,30 @@ +From 1aabc9db40dc5ec1f8f22c09e74c63dda53f7ed6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 13:20:15 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlBufResize + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/1aabc9db40dc5ec1f8f22c09e74c63dda53f7ed6 +Conflict:NA +--- + buf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/buf.c b/buf.c +index e851364..69370b7 100644 +--- a/buf.c ++++ b/buf.c +@@ -821,7 +821,8 @@ xmlBufResize(xmlBufPtr buf, size_t size) + if (buf->content == NULL) { + rebuf = (xmlChar *) xmlMallocAtomic(newSize); + buf->use = 0; +- rebuf[buf->use] = 0; ++ if (rebuf != NULL) ++ rebuf[buf->use] = 0; + } else if (buf->size - buf->use < 100) { + rebuf = (xmlChar *) xmlRealloc(buf->content, newSize); + } else { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch b/backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch new file mode 100644 index 0000000..391b422 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch @@ -0,0 +1,49 @@ +From 0263b357567870c20de26c90dbc962aec81c5a19 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:08:35 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlGet{Min,Max}Occurs + +Also report memory error in xmlSchemaGetNodeContent. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/0263b357567870c20de26c90dbc962aec81c5a19 +Conflict:NA +--- + xmlschemas.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 9be7999..c68103c 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -4760,6 +4760,8 @@ xmlSchemaGetNodeContent(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node) + val = xmlStrdup((xmlChar *)""); + ret = xmlDictLookup(ctxt->dict, val, -1); + xmlFree(val); ++ if (ret == NULL) ++ xmlSchemaPErrMemory(ctxt, "getting node content", node); + return(ret); + } + +@@ -6103,6 +6105,8 @@ xmlGetMaxOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + if (attr == NULL) + return (def); + val = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); ++ if (val == NULL) ++ return (def); + + if (xmlStrEqual(val, (const xmlChar *) "unbounded")) { + if (max != UNBOUNDED) { +@@ -6177,6 +6181,8 @@ xmlGetMinOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + if (attr == NULL) + return (def); + val = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); ++ if (val == NULL) ++ return (def); + cur = val; + while (IS_BLANK_CH(*cur)) + cur++; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch b/backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch new file mode 100644 index 0000000..2e11c36 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch @@ -0,0 +1,35 @@ +From 457fc622d5e8e3734d9c294c81d6c1babb9c5dd5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 13 Mar 2023 16:51:14 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlParserInputShrink + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/457fc622d5e8e3734d9c294c81d6c1babb9c5dd5 +Conflict:NA + +--- + parserInternals.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/parserInternals.c b/parserInternals.c +index dd1dc9c..08d8d55 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -380,6 +380,13 @@ xmlParserInputShrink(xmlParserInputPtr in) { + } + + in->base = xmlBufContent(in->buf->buffer); ++ if (in->base == NULL) { ++ /* TODO: raise error */ ++ in->base = BAD_CAST ""; ++ in->cur = in->base; ++ in->end = in->base; ++ return; ++ } + in->cur = in->base + used; + in->end = xmlBufEnd(in->buf->buffer); + +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch new file mode 100644 index 0000000..4b6f67d --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch @@ -0,0 +1,64 @@ +From 0c5f40b788410753eb73e3040be4f50b608923e1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 13:27:41 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlSAX2AttributeInternal + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/0c5f40b788410753eb73e3040be4f50b608923e1 +Conflict:NA +--- + SAX2.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 3eebd2b..2426e93 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -1297,25 +1297,25 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname, + + /* !!!!!! */ + ret = xmlNewNsPropEatName(ctxt->node, namespace, name, NULL); ++ if (ret == NULL) ++ goto error; + +- if (ret != NULL) { +- if ((ctxt->replaceEntities == 0) && (!ctxt->html)) { +- xmlNodePtr tmp; +- +- ret->children = xmlStringGetNodeList(ctxt->myDoc, value); +- tmp = ret->children; +- while (tmp != NULL) { +- tmp->parent = (xmlNodePtr) ret; +- if (tmp->next == NULL) +- ret->last = tmp; +- tmp = tmp->next; +- } +- } else if (value != NULL) { +- ret->children = xmlNewDocText(ctxt->myDoc, value); +- ret->last = ret->children; +- if (ret->children != NULL) +- ret->children->parent = (xmlNodePtr) ret; +- } ++ if ((ctxt->replaceEntities == 0) && (!ctxt->html)) { ++ xmlNodePtr tmp; ++ ++ ret->children = xmlStringGetNodeList(ctxt->myDoc, value); ++ tmp = ret->children; ++ while (tmp != NULL) { ++ tmp->parent = (xmlNodePtr) ret; ++ if (tmp->next == NULL) ++ ret->last = tmp; ++ tmp = tmp->next; ++ } ++ } else if (value != NULL) { ++ ret->children = xmlNewDocText(ctxt->myDoc, value); ++ ret->last = ret->children; ++ if (ret->children != NULL) ++ ret->children->parent = (xmlNodePtr) ret; + } + + #ifdef LIBXML_VALID_ENABLED +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch new file mode 100644 index 0000000..a73b4c4 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch @@ -0,0 +1,31 @@ +From 112340c6c0d6554865220d61f169074aae64da57 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:07:57 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaInitTypes + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/112340c6c0d6554865220d61f169074aae64da57 +Conflict:NA +--- + xmlschemastypes.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index d4864b7..160777f 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -406,6 +406,10 @@ xmlSchemaInitTypes(void) + xmlSchemaTypeAnyTypeDef = xmlSchemaInitBasicType("anyType", + XML_SCHEMAS_ANYTYPE, + NULL); ++ if (xmlSchemaTypeAnyTypeDef == NULL) { ++ xmlSchemaTypeErrMemory(NULL, NULL); ++ return; ++ } + xmlSchemaTypeAnyTypeDef->baseType = xmlSchemaTypeAnyTypeDef; + xmlSchemaTypeAnyTypeDef->contentType = XML_SCHEMA_CONTENT_MIXED; + /* +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch new file mode 100644 index 0000000..9dcd9c7 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch @@ -0,0 +1,29 @@ +From 31844c74df39c3b88735ef884c33c41da9d52795 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:10:08 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaParseUnion + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/31844c74df39c3b88735ef884c33c41da9d52795 +Conflict:NA +--- + xmlschemas.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 06bf664..5b93937 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -9006,6 +9006,8 @@ xmlSchemaParseUnion(xmlSchemaParserCtxtPtr ctxt, xmlSchemaPtr schema, + xmlSchemaQNameRefPtr ref; + + cur = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); ++ if (cur == NULL) ++ return (-1); + type->base = cur; + do { + while (IS_BLANK_CH(*cur)) +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch new file mode 100644 index 0000000..bac2142 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch @@ -0,0 +1,29 @@ +From e15838ab5454514e53981585c71cd20bb1537d01 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:09:14 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaParseWildcardNs + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/e15838ab5454514e53981585c71cd20bb1537d01 +Conflict:NA +--- + xmlschemas.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 9ace2b7..dd79d2e 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -6867,6 +6867,8 @@ xmlSchemaParseWildcardNs(xmlSchemaParserCtxtPtr ctxt, + */ + attr = xmlSchemaGetPropNode(node, "namespace"); + ns = xmlSchemaGetNodeContent(ctxt, (xmlNodePtr) attr); ++ if (ns == NULL) ++ return (-1); + if ((attr == NULL) || (xmlStrEqual(ns, BAD_CAST "##any"))) + wildc->any = 1; + else if (xmlStrEqual(ns, BAD_CAST "##other")) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch new file mode 100644 index 0000000..bcc63b3 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch @@ -0,0 +1,29 @@ +From 7762e8eda184bc755dcc3c2d4aed259f95670ccd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:08:15 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlSchemaValAtomicType + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/7762e8eda184bc755dcc3c2d4aed259f95670ccd +Conflict:NA +--- + xmlschemastypes.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index ebb0219..d4864b7 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3033,6 +3033,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, + value = norm; + } + tmpval = xmlStrdup(value); ++ if (tmpval == NULL) ++ goto error; + for (cur = tmpval; *cur; ++cur) { + if (*cur < 32 || *cur >= 127 || *cur == ' ' || + *cur == '<' || *cur == '>' || *cur == '"' || +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch b/backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch new file mode 100644 index 0000000..c1e9a57 --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch @@ -0,0 +1,33 @@ +From dc2dde1ab92e50766df654fa9445456adb007605 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 4 Feb 2023 15:00:54 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlXIncludeLoadTxt + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/dc2dde1ab92e50766df654fa9445456adb007605 +Conflict:xinclude.c +--- + xinclude.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xinclude.c b/xinclude.c +index e5e3b16..60a0d7b 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -1891,6 +1891,12 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlCharEncCloseFunc(buf->encoder); + buf->encoder = xmlGetCharEncodingHandler(enc); + node = xmlNewText(NULL); ++ if (node == NULL) { ++ xmlFreeInputStream(inputStream); ++ xmlFreeParserCtxt(pctxt); ++ xmlFree(URL); ++ return(-1); ++ } + + /* + * Scan all chars from the resource and add the to the node +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch b/backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch new file mode 100644 index 0000000..510c1db --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch @@ -0,0 +1,29 @@ +From 70b21c9f2a31b3ecfe8aa624c01da3ebba9e06c8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Feb 2023 14:33:16 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlXPathCompiledEvalInternal + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/70b21c9f2a31b3ecfe8aa624c01da3ebba9e06c8 +Conflict:NA +--- + xpath.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xpath.c b/xpath.c +index d63bdd7..54d9c58 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -14370,6 +14370,8 @@ xmlXPathCompiledEvalInternal(xmlXPathCompExprPtr comp, + } + #endif + pctxt = xmlXPathCompParserContext(comp, ctxt); ++ if (pctxt == NULL) ++ return(-1); + res = xmlXPathRunEval(pctxt, toBool); + + if (pctxt->error != XPATH_EXPRESSION_OK) { +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-reallocation-in-inputPush.patch b/backport-malloc-fail-Fix-reallocation-in-inputPush.patch new file mode 100644 index 0000000..ccb9da4 --- /dev/null +++ b/backport-malloc-fail-Fix-reallocation-in-inputPush.patch @@ -0,0 +1,48 @@ +From e6d22f925ad65ce93312815aa20c7eeea58640fe Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 23 Jan 2023 01:48:37 +0100 +Subject: [PATCH] malloc-fail: Fix reallocation in inputPush + +Store xmlRealloc result in temporary variable to avoid null deref in +error handler. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/e6d22f925ad65ce93312815aa20c7eeea58640fe +Conflict:NA +--- + parser.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/parser.c b/parser.c +index 3c06439..88f04e4 100644 +--- a/parser.c ++++ b/parser.c +@@ -1758,16 +1758,17 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr value) + if ((ctxt == NULL) || (value == NULL)) + return(-1); + if (ctxt->inputNr >= ctxt->inputMax) { +- ctxt->inputMax *= 2; +- ctxt->inputTab = +- (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab, +- ctxt->inputMax * +- sizeof(ctxt->inputTab[0])); +- if (ctxt->inputTab == NULL) { ++ size_t newSize = ctxt->inputMax * 2; ++ xmlParserInputPtr *tmp; ++ ++ tmp = (xmlParserInputPtr *) xmlRealloc(ctxt->inputTab, ++ newSize * sizeof(*tmp)); ++ if (tmp == NULL) { + xmlErrMemory(ctxt, NULL); +- ctxt->inputMax /= 2; + return (-1); + } ++ ctxt->inputTab = tmp; ++ ctxt->inputMax = newSize; + } + ctxt->inputTab[ctxt->inputNr] = value; + ctxt->input = value; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch b/backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch new file mode 100644 index 0000000..65fd47f --- /dev/null +++ b/backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch @@ -0,0 +1,45 @@ +From a3749551e65a8caf146ea2bccf610e718d90bde0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 3 Feb 2023 14:00:13 +0100 +Subject: [PATCH] malloc-fail: Fix reallocation in xmlXIncludeNewRef + +Avoid null deref. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/a3749551e65a8caf146ea2bccf610e718d90bde0 +Conflict:xinclude.c +--- + xinclude.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index 60a0d7b..cc486f5 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -257,14 +257,18 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI, + } + } + if (ctxt->incNr >= ctxt->incMax) { +- ctxt->incMax *= 2; +- ctxt->incTab = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab, +- ctxt->incMax * sizeof(ctxt->incTab[0])); +- if (ctxt->incTab == NULL) { ++ xmlXIncludeRefPtr *tmp; ++ size_t newSize = ctxt->incMax * 2; ++ ++ tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab, ++ newSize * sizeof(ctxt->incTab[0])); ++ if (tmp == NULL) { + xmlXIncludeErrMemory(ctxt, ref, "growing XInclude context"); + xmlXIncludeFreeRef(ret); + return(NULL); + } ++ ctxt->incTab = tmp; ++ ctxt->incMax *= 2; + } + ctxt->incTab[ctxt->incNr++] = ret; + return(ret); +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch b/backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch new file mode 100644 index 0000000..d84890d --- /dev/null +++ b/backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch @@ -0,0 +1,37 @@ +From 73bd5d52ae314a17a6b60f7c0ab893c812e714e7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 5 Mar 2023 14:11:55 +0100 +Subject: [PATCH] malloc-fail: Fix type confusion after + xmlSchemaFixupTypeAttributeUses + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/73bd5d52ae314a17a6b60f7c0ab893c812e714e7 +Conflict:NA +--- + xmlschemas.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index dd79d2e..46cbe0f 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -14572,6 +14572,7 @@ xmlSchemaFixupTypeAttributeUses(xmlSchemaParserCtxtPtr pctxt, + { + PERROR_INT("xmlSchemaFixupTypeAttributeUses", + "failed to expand attributes"); ++ return(-1); + } + if (pctxt->attrProhibs->nbItems != 0) + prohibs = pctxt->attrProhibs; +@@ -14582,6 +14583,7 @@ xmlSchemaFixupTypeAttributeUses(xmlSchemaParserCtxtPtr pctxt, + { + PERROR_INT("xmlSchemaFixupTypeAttributeUses", + "failed to expand attributes"); ++ return(-1); + } + } + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch b/backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch new file mode 100644 index 0000000..129e151 --- /dev/null +++ b/backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch @@ -0,0 +1,59 @@ +From 6fd8904108f23810699d3a242e3612c4ec2f9cf2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 19:42:41 +0100 +Subject: [PATCH] malloc-fail: Fix use-after-free in xmlParseStartTag2 + +Fix error handling in xmlCtxtGrowAttrs. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/6fd8904108f23810699d3a242e3612c4ec2f9cf2 +Conflict:NA +--- + parser.c | 26 +++++++++++--------------- + 1 file changed, 11 insertions(+), 15 deletions(-) + +diff --git a/parser.c b/parser.c +index 88f04e4..3aea3e2 100644 +--- a/parser.c ++++ b/parser.c +@@ -1715,25 +1715,21 @@ xmlCtxtGrowAttrs(xmlParserCtxtPtr ctxt, int nr) { + int *attallocs; + int maxatts; + +- if (ctxt->atts == NULL) { +- maxatts = 55; /* allow for 10 attrs by default */ +- atts = (const xmlChar **) +- xmlMalloc(maxatts * sizeof(xmlChar *)); +- if (atts == NULL) goto mem_error; +- ctxt->atts = atts; +- attallocs = (int *) xmlMalloc((maxatts / 5) * sizeof(int)); +- if (attallocs == NULL) goto mem_error; +- ctxt->attallocs = attallocs; +- ctxt->maxatts = maxatts; +- } else if (nr + 5 > ctxt->maxatts) { +- maxatts = (nr + 5) * 2; +- atts = (const xmlChar **) xmlRealloc((void *) ctxt->atts, ++ if (nr + 5 > ctxt->maxatts) { ++ maxatts = ctxt->maxatts == 0 ? 55 : (nr + 5) * 2; ++ atts = (const xmlChar **) xmlMalloc( + maxatts * sizeof(const xmlChar *)); + if (atts == NULL) goto mem_error; +- ctxt->atts = atts; + attallocs = (int *) xmlRealloc((void *) ctxt->attallocs, + (maxatts / 5) * sizeof(int)); +- if (attallocs == NULL) goto mem_error; ++ if (attallocs == NULL) { ++ xmlFree(atts); ++ goto mem_error; ++ } ++ if (ctxt->maxatts > 0) ++ memcpy(atts, ctxt->atts, ctxt->maxatts * sizeof(const xmlChar *)); ++ xmlFree(ctxt->atts); ++ ctxt->atts = atts; + ctxt->attallocs = attallocs; + ctxt->maxatts = maxatts; + } +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch b/backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch new file mode 100644 index 0000000..bd07d2a --- /dev/null +++ b/backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch @@ -0,0 +1,37 @@ +From ae6fa0521c34449b54f9cb3257a4df9b79f3212f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 16:13:27 +0100 +Subject: [PATCH 11/28] malloc-fail: Fix use-after-free in xmlXIncludeAddNode + +Found with libFuzzer, see #344. + +Reference: https://github.com/GNOME/libxml2/commit/5a19e21605398cef6a8b1452477a8705cb41562b +Conflict: xinclude.c: +--- + xinclude.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xinclude.c b/xinclude.c +index cd1e1b1..e5e3b16 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { + } + URL = xmlSaveUri(uri); + xmlFreeURI(uri); +- xmlFree(URI); + if (URL == NULL) { + xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", URI); + if (fragment != NULL) + xmlFree(fragment); ++ xmlFree(URI); + return(-1); + } ++ xmlFree(URI); + + if (xmlStrEqual(URL, ctxt->doc->URL)) + local = 1; +-- +2.27.0 + diff --git a/backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch b/backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch new file mode 100644 index 0000000..dbd7e7a --- /dev/null +++ b/backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch @@ -0,0 +1,80 @@ +From 0f112d02890c218965235b8d1c42573fcaeec051 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 24 Feb 2023 18:00:03 +0100 +Subject: [PATCH] malloc-fail: Fix use-after-free related to + xmlXPathNodeSetFilter + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/0f112d02890c218965235b8d1c42573fcaeec051 +Conflict:xpath.c +--- + xpath.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 7f2c92a..d63bdd7 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -12876,6 +12876,7 @@ xmlXPathCompOpEvalFilterFirst(xmlXPathParserContextPtr ctxt, + { + int total = 0; + xmlXPathCompExprPtr comp; ++ xmlXPathObjectPtr obj; + xmlNodeSetPtr set; + + CHECK_ERROR0; +@@ -12943,13 +12944,20 @@ xmlXPathCompOpEvalFilterFirst(xmlXPathParserContextPtr ctxt, + } + #endif /* LIBXML_XPTR_ENABLED */ + ++ /* ++ * In case of errors, xmlXPathNodeSetFilter can pop additional nodes from ++ * the stack. We have to temporarily remove the nodeset object from the ++ * stack to avoid freeing it prematurely. ++ */ + CHECK_TYPE0(XPATH_NODESET); +- set = ctxt->value->nodesetval; ++ obj = valuePop(ctxt); ++ set = obj->nodesetval; + if (set != NULL) { + xmlXPathNodeSetFilter(ctxt, set, op->ch2, 1, 1, 1); + if (set->nodeNr > 0) + *first = set->nodeTab[0]; + } ++ valuePush(ctxt, obj); + + return (total); + } +@@ -13247,6 +13255,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + break; + case XPATH_OP_PREDICATE: + case XPATH_OP_FILTER:{ ++ xmlXPathObjectPtr obj; + xmlNodeSetPtr set; + + /* +@@ -13361,11 +13370,19 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + } + #endif /* LIBXML_XPTR_ENABLED */ + ++ /* ++ * In case of errors, xmlXPathNodeSetFilter can pop additional ++ * nodes from the stack. We have to temporarily remove the ++ * nodeset object from the stack to avoid freeing it ++ * prematurely. ++ */ + CHECK_TYPE0(XPATH_NODESET); +- set = ctxt->value->nodesetval; ++ obj = valuePop(ctxt); ++ set = obj->nodesetval; + if (set != NULL) + xmlXPathNodeSetFilter(ctxt, set, op->ch2, + 1, set->nodeNr, 1); ++ valuePush(ctxt, obj); + break; + } + case XPATH_OP_SORT: +-- +2.27.0 + diff --git a/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch b/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch new file mode 100644 index 0000000..12825d3 --- /dev/null +++ b/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch @@ -0,0 +1,84 @@ +--- + xmlreader.c | 36 +++++++++++++++++------------------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/xmlreader.c b/xmlreader.c +index ac97bde..193a5d4 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -676,30 +676,23 @@ xmlTextReaderDebug(xmlTextReaderPtr reader) { + * + * Pushes a new entity reference node on top of the entities stack + * +- * Returns 0 in case of error, the index in the stack otherwise ++ * Returns -1 in case of error, the index in the stack otherwise + */ + static int + xmlTextReaderEntPush(xmlTextReaderPtr reader, xmlNodePtr value) + { +- if (reader->entMax <= 0) { +- reader->entMax = 10; +- reader->entTab = (xmlNodePtr *) xmlMalloc(reader->entMax * +- sizeof(reader->entTab[0])); +- if (reader->entTab == NULL) { +- xmlGenericError(xmlGenericErrorContext, "xmlMalloc failed !\n"); +- return (0); +- } +- } + if (reader->entNr >= reader->entMax) { +- reader->entMax *= 2; +- reader->entTab = +- (xmlNodePtr *) xmlRealloc(reader->entTab, +- reader->entMax * +- sizeof(reader->entTab[0])); +- if (reader->entTab == NULL) { ++ size_t newSize = reader->entMax == 0 ? 10 : reader->entMax * 2; ++ xmlNodePtr *tmp; ++ ++ tmp = (xmlNodePtr *) xmlRealloc(reader->entTab, ++ newSize * sizeof(*tmp)); ++ if (tmp == NULL) { + xmlGenericError(xmlGenericErrorContext, "xmlRealloc failed !\n"); +- return (0); ++ return (-1); + } ++ reader->entTab = tmp; ++ reader->entMax = newSize; + } + reader->entTab[reader->entNr] = value; + reader->ent = value; +@@ -1174,7 +1167,11 @@ xmlTextReaderValidateEntity(xmlTextReaderPtr reader) { + if ((node->children != NULL) && + (node->children->type == XML_ENTITY_DECL) && + (node->children->children != NULL)) { +- xmlTextReaderEntPush(reader, node); ++ if (xmlTextReaderEntPush(reader, node) < 0) { ++ if (node == oldnode) ++ break; ++ goto skip_children; ++ } + node = node->children->children; + continue; + } else { +@@ -1621,7 +1618,8 @@ node_found: + if ((reader->node->children != NULL) && + (reader->node->children->type == XML_ENTITY_DECL) && + (reader->node->children->children != NULL)) { +- xmlTextReaderEntPush(reader, reader->node); ++ if (xmlTextReaderEntPush(reader, reader->node) < 0) ++ goto get_next_node; + reader->node = reader->node->children->children; + } + #ifdef LIBXML_REGEXP_ENABLED +-- +2.27.0 + +ush(reader, reader->node); ++ if (xmlTextReaderEntPush(reader, reader->node) < 0) ++ goto get_next_node; + reader->node = reader->node->children->children; + } + #ifdef LIBXML_REGEXP_ENABLED +-- +2.27.0 + -- Gitee From 8b6dc21d9e49f801d45f64e968273681b74a0922 Mon Sep 17 00:00:00 2001 From: zhuofeng Date: Thu, 8 Jun 2023 15:58:40 +0800 Subject: [PATCH 6/6] 5 --- ...alloc-failure-in-xmlXPathCompLiteral.patch | 34 ++++ ...l-DefaultSAXHandlerInit-from-xmlInit.patch | 90 +++++++++ ...se-depth-twice-when-parsing-internal.patch | 30 +++ ...B-read-when-formatting-error-message.patch | 35 ++++ ...med-accounting-when-switching-encodi.patch | 27 +++ ...or-message-in-xmlParseCommentComplex.patch | 29 +++ ...ser-Fix-integer-overflow-of-input-ID.patch | 65 +++++++ ...ld-SAX1-parser-with-custom-callbacks.patch | 36 ++++ ...ess-check-when-parsing-character-dat.patch | 43 +++++ ...h-parser-with-1-3-byte-initial-chunk.patch | 34 ++++ ...ssion-in-xmlParserNodeInfo-accountin.patch | 171 +++++++++++++++++ ...Limit-name-length-in-xmlParseEncName.patch | 49 +++++ ...-dangerous-check-in-xmlParseCharData.patch | 35 ++++ ...store-parser-state-in-xmlParseCDSect.patch | 98 ++++++++++ ...t-when-subtracting-input-buffer-poin.patch | 54 ++++++ ...tch-to-xmlParserInputBufferCreateMem.patch | 41 ++++ ...xp-Add-sanity-check-in-xmlRegCalloc2.patch | 33 ++++ ...ix-checks-for-eliminated-transitions.patch | 68 +++++++ ...-check-in-xmlFAReduceEpsilonTransiti.patch | 66 +++++++ backport-regexp-Fix-determinism-checks.patch | 121 ++++++++++++ ...egexp-Fix-mistake-in-previous-commit.patch | 31 ++++ ...deref-in-xmlFAFinishReduceEpsilonTra.patch | 30 +++ ...nite-loop-in-xmlSchemaCheckElemSubst.patch | 34 ++++ backport-uri-Allow-port-without-host.patch | 32 ++++ ...rt-valid-Allow-xmlFreeValidCtxt-NULL.patch | 29 +++ ...ake-xmlValidateElement-non-recursive.patch | 127 +++++++++++++ ...include-Fix-memory-leak-when-fuzzing.patch | 29 +++ ...e-memory-leaks-in-xmlXIncludeLoadDoc.patch | 126 +++++++++++++ ...dratic-behavior-in-xmlXIncludeLoadTx.patch | 147 +++++++++++++++ ...ld-return-length-without-including-a.patch | 136 ++++++++++++++ ...tains-typo-when-checking-for-default.patch | 35 ++++ ...opElement-can-return-invalid-value-1.patch | 122 ++++++++++++ ...-Fix-memory-leak-with-pattern-stream.patch | 37 ++++ ...ss-integer-overflow-in-xmlXPathTrans.patch | 29 +++ ...ity-ref-nodes-when-computing-node-ha.patch | 45 +++++ backport-xpath-number-should-return-NaN.patch | 66 +++++++ ...-Fix-implicit-sign-change-in-xz_open.patch | 42 +++++ libxml2.spec | 175 +++++++++++++++++- 38 files changed, 2428 insertions(+), 3 deletions(-) create mode 100644 backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch create mode 100644 backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch create mode 100644 backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch create mode 100644 backport-parser-Fix-OOB-read-when-formatting-error-message.patch create mode 100644 backport-parser-Fix-consumed-accounting-when-switching-encodi.patch create mode 100644 backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch create mode 100644 backport-parser-Fix-integer-overflow-of-input-ID.patch create mode 100644 backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch create mode 100644 backport-parser-Fix-progress-check-when-parsing-character-dat.patch create mode 100644 backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch create mode 100644 backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch create mode 100644 backport-parser-Limit-name-length-in-xmlParseEncName.patch create mode 100644 backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch create mode 100644 backport-parser-Restore-parser-state-in-xmlParseCDSect.patch create mode 100644 backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch create mode 100644 backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch create mode 100644 backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch create mode 100644 backport-regexp-Fix-checks-for-eliminated-transitions.patch create mode 100644 backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch create mode 100644 backport-regexp-Fix-determinism-checks.patch create mode 100644 backport-regexp-Fix-mistake-in-previous-commit.patch create mode 100644 backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch create mode 100644 backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch create mode 100644 backport-uri-Allow-port-without-host.patch create mode 100644 backport-valid-Allow-xmlFreeValidCtxt-NULL.patch create mode 100644 backport-valid-Make-xmlValidateElement-non-recursive.patch create mode 100644 backport-xinclude-Fix-memory-leak-when-fuzzing.patch create mode 100644 backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch create mode 100644 backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch create mode 100644 backport-xmlBufAvail-should-return-length-without-including-a.patch create mode 100644 backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch create mode 100644 backport-xmlValidatePopElement-can-return-invalid-value-1.patch create mode 100644 backport-xmllint-Fix-memory-leak-with-pattern-stream.patch create mode 100644 backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch create mode 100644 backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch create mode 100644 backport-xpath-number-should-return-NaN.patch create mode 100644 backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch diff --git a/backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch b/backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch new file mode 100644 index 0000000..bae2ed1 --- /dev/null +++ b/backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch @@ -0,0 +1,34 @@ +From 755344013e161ab7c982290c6c78903bd9bd300e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jan 2023 15:40:23 +0100 +Subject: [PATCH] malloc-fail: Record malloc failure in xmlXPathCompLiteral + +Avoid OOB array access. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/755344013e161ab7c982290c6c78903bd9bd300e +Conflict:NA +--- + xpath.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/xpath.c b/xpath.c +index fcbc7e3..fe0e1e2 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -10245,7 +10245,10 @@ xmlXPathCompLiteral(xmlXPathParserContextPtr ctxt) { + } else { + XP_ERROR(XPATH_START_LITERAL_ERROR); + } +- if (ret == NULL) return; ++ if (ret == NULL) { ++ xmlXPathPErrMemory(ctxt, NULL); ++ return; ++ } + lit = xmlXPathCacheNewString(ctxt->context, ret); + if (lit == NULL) { + ctxt->error = XPATH_MEMORY_ERROR; +-- +2.27.0 + diff --git a/backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch b/backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch new file mode 100644 index 0000000..c04403f --- /dev/null +++ b/backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch @@ -0,0 +1,90 @@ +From 4adaddde0ce237da7e8eb5210f1f0eb529c39447 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 24 Nov 2022 16:38:47 +0100 +Subject: [PATCH 25/28] parser: Don't call *DefaultSAXHandlerInit from + xmlInitParser + +Change the default handler definitions to match the result after calling +the initialization functions. + +This makes sure that no thread-local variables are accessed when calling +xmlInitParser. + +Reference: https://github.com/GNOME/libxml2/commit/cecd364dd2f55810ab27eb0f44b35197a1a358d8 +Conflict: SAX2.c: parser.c: +--- + SAX2.c | 4 ---- + globals.c | 6 +++--- + parser.c | 2 -- + 3 files changed, 3 insertions(+), 9 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 96bbcb3..3eebd2b 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -2910,9 +2910,6 @@ xmlSAX2InitDefaultSAXHandler(xmlSAXHandler *hdlr, int warning) + void + xmlDefaultSAXHandlerInit(void) + { +-#ifdef LIBXML_SAX1_ENABLED +- xmlSAXVersion((xmlSAXHandlerPtr) &xmlDefaultSAXHandler, 1); +-#endif /* LIBXML_SAX1_ENABLED */ + } + + #ifdef LIBXML_HTML_ENABLED +@@ -2968,7 +2965,6 @@ xmlSAX2InitHtmlDefaultSAXHandler(xmlSAXHandler *hdlr) + void + htmlDefaultSAXHandlerInit(void) + { +- xmlSAX2InitHtmlDefaultSAXHandler((xmlSAXHandlerPtr) &htmlDefaultSAXHandler); + } + + #endif /* LIBXML_HTML_ENABLED */ +diff --git a/globals.c b/globals.c +index 893fb73..836bee1 100644 +--- a/globals.c ++++ b/globals.c +@@ -388,7 +388,7 @@ xmlSAXHandlerV1 xmlDefaultSAXHandler = { + xmlSAX2GetParameterEntity, + xmlSAX2CDataBlock, + xmlSAX2ExternalSubset, +- 0, ++ 1, + }; + #endif /* LIBXML_SAX1_ENABLED */ + +@@ -436,10 +436,10 @@ xmlSAXHandlerV1 htmlDefaultSAXHandler = { + xmlParserWarning, + xmlParserError, + xmlParserError, +- xmlSAX2GetParameterEntity, ++ NULL, + xmlSAX2CDataBlock, + NULL, +- 0, ++ 1, + }; + #endif /* LIBXML_HTML_ENABLED */ + +diff --git a/parser.c b/parser.c +index 4405a7e..9d50138 100644 +--- a/parser.c ++++ b/parser.c +@@ -14696,14 +14696,12 @@ xmlInitParser(void) { + xmlInitMemory(); + xmlInitializeDict(); + xmlInitCharEncodingHandlers(); +- xmlDefaultSAXHandlerInit(); + xmlRegisterDefaultInputCallbacks(); + #ifdef LIBXML_OUTPUT_ENABLED + xmlRegisterDefaultOutputCallbacks(); + #endif /* LIBXML_OUTPUT_ENABLED */ + #ifdef LIBXML_HTML_ENABLED + htmlInitAutoClose(); +- htmlDefaultSAXHandlerInit(); + #endif + #ifdef LIBXML_XPATH_ENABLED + xmlXPathInit(); +-- +2.27.0 + diff --git a/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch b/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch new file mode 100644 index 0000000..a55e2ae --- /dev/null +++ b/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch @@ -0,0 +1,30 @@ +From dd62e541ecd142ebfb16cb7abe3d3ef4ee6617bd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 23 Dec 2022 21:53:30 +0100 +Subject: [PATCH] parser: Don't increase depth twice when parsing internal + entities + +Fix xmlParseBalancedChunkMemoryInternal. + +Reference:https://github.com/GNOME/libxml2/commit/dd62e541ecd142ebfb16cb7abe3d3ef4ee6617bd +Conflict:NA +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 431851f..9127deb 100644 +--- a/parser.c ++++ b/parser.c +@@ -13388,7 +13388,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, + xmlAddChild((xmlNodePtr) ctxt->myDoc, newRoot); + nodePush(ctxt, ctxt->myDoc->children); + ctxt->instate = XML_PARSER_CONTENT; +- ctxt->depth = oldctxt->depth + 1; ++ ctxt->depth = oldctxt->depth; + + ctxt->validate = 0; + ctxt->loadsubset = oldctxt->loadsubset; +-- +2.27.0 + diff --git a/backport-parser-Fix-OOB-read-when-formatting-error-message.patch b/backport-parser-Fix-OOB-read-when-formatting-error-message.patch new file mode 100644 index 0000000..7c7e897 --- /dev/null +++ b/backport-parser-Fix-OOB-read-when-formatting-error-message.patch @@ -0,0 +1,35 @@ +From 5d55315e32b34af7070d38060ccf9a60941b9696 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 18 Feb 2023 17:29:07 +0100 +Subject: [PATCH] parser: Fix OOB read when formatting error message + +Don't try to print characters beyond the end of the buffer. + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/5d55315e32b34af7070d38060ccf9a60941b9696 +Conflict:NA +--- + parser.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 37d7dec..c276a1a 100644 +--- a/parser.c ++++ b/parser.c +@@ -12162,7 +12162,11 @@ done: + #endif + return(ret); + encoding_error: +- { ++ if (ctxt->input->end - ctxt->input->cur < 4) { ++ __xmlErrEncoding(ctxt, XML_ERR_INVALID_CHAR, ++ "Input is not proper UTF-8, indicate encoding !\n", ++ NULL, NULL); ++ } else { + char buffer[150]; + + snprintf(buffer, 149, "Bytes: 0x%02X 0x%02X 0x%02X 0x%02X\n", +-- +2.27.0 + diff --git a/backport-parser-Fix-consumed-accounting-when-switching-encodi.patch b/backport-parser-Fix-consumed-accounting-when-switching-encodi.patch new file mode 100644 index 0000000..84e48d0 --- /dev/null +++ b/backport-parser-Fix-consumed-accounting-when-switching-encodi.patch @@ -0,0 +1,27 @@ +From 0ab4b951f6906b341201dba46d4ebec05156cbe6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 20 Nov 2022 19:55:12 +0100 +Subject: [PATCH 19/28] parser: Fix 'consumed' accounting when switching + encodings + +Reference: https://github.com/GNOME/libxml2/commit/691a7719566141bb5fbe6212498d1f0568c2610f +Conflict: parserInternals.c: +--- + parserInternals.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parserInternals.c b/parserInternals.c +index 2b05dac..422dfc0 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -1178,6 +1178,7 @@ xmlSwitchInputEncodingInt(xmlParserCtxtPtr ctxt, xmlParserInputPtr input, + */ + processed = input->cur - input->base; + xmlBufShrink(input->buf->buffer, processed); ++ input->consumed += processed; + input->buf->raw = input->buf->buffer; + input->buf->buffer = xmlBufCreate(); + input->buf->rawconsumed = processed; +-- +2.27.0 + diff --git a/backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch b/backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch new file mode 100644 index 0000000..da44a2a --- /dev/null +++ b/backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch @@ -0,0 +1,29 @@ +From 418e9677092d10bcf45fa3d8776a2c1277d76201 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 4 Nov 2022 14:03:31 +0100 +Subject: [PATCH 13/28] parser: Fix error message in xmlParseCommentComplex + +Fixes #421. + +Reference: https://github.com/GNOME/libxml2/commit/a70f7d47152a3b34b4c9932aaeedcdcb90039cd0 +Conflict: NA +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 334a0aa..7553f86 100644 +--- a/parser.c ++++ b/parser.c +@@ -4793,7 +4793,7 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + if (!IS_CHAR(r)) { + xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR, + "xmlParseComment: invalid xmlChar value %d\n", +- q); ++ r); + xmlFree (buf); + return; + } +-- +2.27.0 + diff --git a/backport-parser-Fix-integer-overflow-of-input-ID.patch b/backport-parser-Fix-integer-overflow-of-input-ID.patch new file mode 100644 index 0000000..4608f54 --- /dev/null +++ b/backport-parser-Fix-integer-overflow-of-input-ID.patch @@ -0,0 +1,65 @@ +From 077df27eb1bdc2a3268f7596415fd91db76d29d4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 22 Dec 2022 15:22:01 +0100 +Subject: [PATCH] parser: Fix integer overflow of input ID + +Applies a patch from Chromium. Also stop incrementing input ID of +subcontexts. This isn't necessary. + +Fixes #465. + +Reference:https://github.com/GNOME/libxml2/commit/077df27eb1bdc2a3268f7596415fd91db76d29d4 +Conflict:NA +--- + parser.c | 8 ++------ + parserInternals.c | 7 ++++++- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/parser.c b/parser.c +index 2207404..431851f 100644 +--- a/parser.c ++++ b/parser.c +@@ -13337,7 +13337,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, + ctxt->userData = ctxt; + if (ctxt->dict != NULL) xmlDictFree(ctxt->dict); + ctxt->dict = oldctxt->dict; +- ctxt->input_id = oldctxt->input_id + 1; ++ ctxt->input_id = oldctxt->input_id; + ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3); + ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5); + ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36); +@@ -13968,11 +13968,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + if (pctx != NULL) { + ctxt->options = pctx->options; + ctxt->_private = pctx->_private; +- /* +- * this is a subparser of pctx, so the input_id should be +- * incremented to distinguish from main entity +- */ +- ctxt->input_id = pctx->input_id + 1; ++ ctxt->input_id = pctx->input_id; + } + + /* Don't read from stdin. */ +diff --git a/parserInternals.c b/parserInternals.c +index ef18ccf..cee4cd9 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -1352,8 +1352,13 @@ xmlNewInputStream(xmlParserCtxtPtr ctxt) { + * should not happen while parsing which is the situation where + * the id is actually needed. + */ +- if (ctxt != NULL) ++ if (ctxt != NULL) { ++ if (input->id >= INT_MAX) { ++ xmlErrMemory(ctxt, "Input ID overflow\n"); ++ return(NULL); ++ } + input->id = ctxt->input_id++; ++ } + + return(input); + } +-- +2.27.0 + diff --git a/backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch b/backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch new file mode 100644 index 0000000..3dc57a6 --- /dev/null +++ b/backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch @@ -0,0 +1,36 @@ +From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 6 May 2023 17:47:37 +0200 +Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks + +For some reason, xmlCtxtUseOptionsInternal set the start and end element +SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1 +was specified. This means that custom SAX handlers could never work with +that flag because these functions would receive the wrong user data +argument and crash immediately. + +Fixes #535. + +Reference:https://github.com/GNOME/libxml2/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9 +Conflict:NA + +--- + parser.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/parser.c b/parser.c +index 94a6298..f9b4012 100644 +--- a/parser.c ++++ b/parser.c +@@ -15074,8 +15074,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi + } + #ifdef LIBXML_SAX1_ENABLED + if (options & XML_PARSE_SAX1) { +- ctxt->sax->startElement = xmlSAX2StartElement; +- ctxt->sax->endElement = xmlSAX2EndElement; + ctxt->sax->startElementNs = NULL; + ctxt->sax->endElementNs = NULL; + ctxt->sax->initialized = 1; +-- +2.27.0 + diff --git a/backport-parser-Fix-progress-check-when-parsing-character-dat.patch b/backport-parser-Fix-progress-check-when-parsing-character-dat.patch new file mode 100644 index 0000000..c217d62 --- /dev/null +++ b/backport-parser-Fix-progress-check-when-parsing-character-dat.patch @@ -0,0 +1,43 @@ +From 11f49efda51bfde64d341d7a475d480adfeeac79 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 21 Nov 2022 21:35:01 +0100 +Subject: [PATCH 22/28] parser: Fix progress check when parsing character data + +Skip over zero bytes to guarantee progress. Short-lived regression. + +Reference: https://github.com/GNOME/libxml2/commit/a8b31e68c2331a1289e860ce07c8b80b855b7bf4 +Conflict: parser.c: +--- + parser.c | 2 +- + parserInternals.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/parser.c b/parser.c +index 4615db0..6e55838 100644 +--- a/parser.c ++++ b/parser.c +@@ -4654,7 +4654,7 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) { + } + } + } +- if ((cur != 0) && (!IS_CHAR(cur))) { ++ if ((ctxt->input->cur < ctxt->input->end) && (!IS_CHAR(cur))) { + /* Generate the error and skip the offending character */ + xmlFatalErrMsgInt(ctxt, XML_ERR_INVALID_CHAR, + "PCDATA invalid Char value %d\n", +diff --git a/parserInternals.c b/parserInternals.c +index 422dfc0..b8eab4b 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -406,7 +406,7 @@ xmlNextChar(xmlParserCtxtPtr ctxt) + return; + } + +- if ((*ctxt->input->cur == 0) && ++ if ((ctxt->input->cur >= ctxt->input->end) && + (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) { + return; + } +-- +2.27.0 + diff --git a/backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch b/backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch new file mode 100644 index 0000000..963dc4c --- /dev/null +++ b/backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch @@ -0,0 +1,34 @@ +From e2d37972e41224b11ff76f3a9fd689207b6108a6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 20 Nov 2022 15:35:49 +0100 +Subject: [PATCH 21/28] parser: Fix push parser with 1-3 byte initial chunk + +Make sure that ctxt->charset is initialized properly. + +Reference: https://github.com/GNOME/libxml2/commit/55fb8f72ac726b4f760136070e0d2093ffcdb3ac +Conflict: NA +--- + parser.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/parser.c b/parser.c +index 7553f86..4615db0 100644 +--- a/parser.c ++++ b/parser.c +@@ -12523,9 +12523,10 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, + * the encoding, we set the context to XML_CHAR_ENCODING_NONE so + * that it can be automatically determined later + */ +- if ((size == 0) || (chunk == NULL)) { +- ctxt->charset = XML_CHAR_ENCODING_NONE; +- } else if ((ctxt->input != NULL) && (ctxt->input->buf != NULL)) { ++ ctxt->charset = XML_CHAR_ENCODING_NONE; ++ ++ if ((size != 0) && (chunk != NULL) && ++ (ctxt->input != NULL) && (ctxt->input->buf != NULL)) { + size_t base = xmlBufGetInputBase(ctxt->input->buf->buffer, ctxt->input); + size_t cur = ctxt->input->cur - ctxt->input->base; + +-- +2.27.0 + diff --git a/backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch b/backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch new file mode 100644 index 0000000..40befec --- /dev/null +++ b/backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch @@ -0,0 +1,171 @@ +From 250faf3c832d998baa559ca1a1c61935235aba20 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 20 Apr 2023 12:35:21 +0200 +Subject: [PATCH] parser: Fix regression in xmlParserNodeInfo accounting + +Commit 62150ed2 broke begin_pos and begin_line when extra node info was +recorded. + +Fixes #523. + +Reference:https://github.com/GNOME/libxml2/commit/250faf3c832d998baa559ca1a1c61935235aba20 +Conflict:NA + +--- + SAX2.c | 20 ++------------------ + parser.c | 53 +++++++++++++++++++++++++---------------------------- + 2 files changed, 27 insertions(+), 46 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 916e974..822b975 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -1783,13 +1783,6 @@ xmlSAX2EndElement(void *ctx, const xmlChar *name ATTRIBUTE_UNUSED) + xmlGenericError(xmlGenericErrorContext, "SAX.xmlSAX2EndElement(%s)\n", name); + #endif + +- /* Capture end position and add node */ +- if (cur != NULL && ctxt->record_info) { +- ctxt->nodeInfo->end_pos = ctxt->input->cur - ctxt->input->base; +- ctxt->nodeInfo->end_line = ctxt->input->line; +- ctxt->nodeInfo->node = cur; +- xmlParserAddNodeInfo(ctxt, ctxt->nodeInfo); +- } + ctxt->nodemem = -1; + + #ifdef LIBXML_VALID_ENABLED +@@ -2433,24 +2426,15 @@ xmlSAX2EndElementNs(void *ctx, + const xmlChar * URI ATTRIBUTE_UNUSED) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +- xmlParserNodeInfo node_info; +- xmlNodePtr cur; + + if (ctx == NULL) return; +- cur = ctxt->node; +- /* Capture end position and add node */ +- if ((ctxt->record_info) && (cur != NULL)) { +- node_info.end_pos = ctxt->input->cur - ctxt->input->base; +- node_info.end_line = ctxt->input->line; +- node_info.node = cur; +- xmlParserAddNodeInfo(ctxt, &node_info); +- } + ctxt->nodemem = -1; + + #ifdef LIBXML_VALID_ENABLED + if (ctxt->validate && ctxt->wellFormed && + ctxt->myDoc && ctxt->myDoc->intSubset) +- ctxt->valid &= xmlValidateOneElement(&ctxt->vctxt, ctxt->myDoc, cur); ++ ctxt->valid &= xmlValidateOneElement(&ctxt->vctxt, ctxt->myDoc, ++ ctxt->node); + #endif /* LIBXML_VALID_ENABLED */ + + /* +diff --git a/parser.c b/parser.c +index a4c9fb2..94a6298 100644 +--- a/parser.c ++++ b/parser.c +@@ -10025,7 +10025,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { + const xmlChar *URI = NULL; + xmlParserNodeInfo node_info; + int line, tlen = 0; +- xmlNodePtr ret; ++ xmlNodePtr cur; + int nsNr = ctxt->nsNr; + + if (((unsigned int) ctxt->nameNr > xmlParserMaxDepth) && +@@ -10067,7 +10067,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { + return(-1); + } + nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr); +- ret = ctxt->node; ++ cur = ctxt->node; + + #ifdef LIBXML_VALID_ENABLED + /* +@@ -10100,17 +10100,23 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { + spacePop(ctxt); + if (nsNr != ctxt->nsNr) + nsPop(ctxt, ctxt->nsNr - nsNr); +- if ( ret != NULL && ctxt->record_info ) { +- node_info.end_pos = ctxt->input->consumed + +- (CUR_PTR - ctxt->input->base); +- node_info.end_line = ctxt->input->line; +- node_info.node = ret; +- xmlParserAddNodeInfo(ctxt, &node_info); ++ if (cur != NULL && ctxt->record_info) { ++ node_info.node = cur; ++ node_info.end_pos = ctxt->input->consumed + ++ (CUR_PTR - ctxt->input->base); ++ node_info.end_line = ctxt->input->line; ++ xmlParserAddNodeInfo(ctxt, &node_info); + } + return(1); + } + if (RAW == '>') { + NEXT1; ++ if (cur != NULL && ctxt->record_info) { ++ node_info.node = cur; ++ node_info.end_pos = 0; ++ node_info.end_line = 0; ++ xmlParserAddNodeInfo(ctxt, &node_info); ++ } + } else { + xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_GT_REQUIRED, + "Couldn't find end of Start Tag %s line %d\n", +@@ -10124,17 +10130,6 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { + spacePop(ctxt); + if (nsNr != ctxt->nsNr) + nsPop(ctxt, ctxt->nsNr - nsNr); +- +- /* +- * Capture end position and add node +- */ +- if ( ret != NULL && ctxt->record_info ) { +- node_info.end_pos = ctxt->input->consumed + +- (CUR_PTR - ctxt->input->base); +- node_info.end_line = ctxt->input->line; +- node_info.node = ret; +- xmlParserAddNodeInfo(ctxt, &node_info); +- } + return(-1); + } + +@@ -10149,8 +10144,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { + */ + static void + xmlParseElementEnd(xmlParserCtxtPtr ctxt) { +- xmlParserNodeInfo node_info; +- xmlNodePtr ret = ctxt->node; ++ xmlNodePtr cur = ctxt->node; + + if (ctxt->nameNr <= 0) + return; +@@ -10168,14 +10162,17 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt) { + #endif /* LIBXML_SAX1_ENABLED */ + + /* +- * Capture end position and add node ++ * Capture end position + */ +- if ( ret != NULL && ctxt->record_info ) { +- node_info.end_pos = ctxt->input->consumed + +- (CUR_PTR - ctxt->input->base); +- node_info.end_line = ctxt->input->line; +- node_info.node = ret; +- xmlParserAddNodeInfo(ctxt, &node_info); ++ if (cur != NULL && ctxt->record_info) { ++ xmlParserNodeInfoPtr node_info; ++ ++ node_info = (xmlParserNodeInfoPtr) xmlParserFindNodeInfo(ctxt, cur); ++ if (node_info != NULL) { ++ node_info->end_pos = ctxt->input->consumed + ++ (CUR_PTR - ctxt->input->base); ++ node_info->end_line = ctxt->input->line; ++ } + } + } + +-- +2.27.0 + diff --git a/backport-parser-Limit-name-length-in-xmlParseEncName.patch b/backport-parser-Limit-name-length-in-xmlParseEncName.patch new file mode 100644 index 0000000..189a53b --- /dev/null +++ b/backport-parser-Limit-name-length-in-xmlParseEncName.patch @@ -0,0 +1,49 @@ +From 3eb9f5ca4e6b0933ac1dc7fbcce38669ac002b7f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 21 Mar 2023 13:19:31 +0100 +Subject: [PATCH] parser: Limit name length in xmlParseEncName + + +Reference:https://github.com/GNOME/libxml2/commit/3eb9f5ca4e6b0933ac1dc7fbcce38669ac002b7f +Conflict:NA + +--- + parser.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/parser.c b/parser.c +index b872d34..a4c9fb2 100644 +--- a/parser.c ++++ b/parser.c +@@ -10301,6 +10301,9 @@ xmlParseEncName(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + int len = 0; + int size = 10; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar cur; + + cur = CUR; +@@ -10333,13 +10336,13 @@ xmlParseEncName(xmlParserCtxtPtr ctxt) { + buf = tmp; + } + buf[len++] = cur; ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "EncName"); ++ xmlFree(buf); ++ return(NULL); ++ } + NEXT; + cur = CUR; +- if (cur == 0) { +- SHRINK; +- GROW; +- cur = CUR; +- } + } + buf[len] = 0; + } else { +-- +2.27.0 + diff --git a/backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch b/backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch new file mode 100644 index 0000000..2c97ddb --- /dev/null +++ b/backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch @@ -0,0 +1,35 @@ +From c6c7068e995c00d978282e7103c04ffcffca9a23 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 21 Nov 2022 22:09:19 +0100 +Subject: [PATCH 24/28] parser: Remove dangerous check in xmlParseCharData + +If this check succeeds, xmlParseCharData could be called over and over +again without making progress, resulting in an infinite loop. + +It's only important to check for XML_PARSER_EOF which is done later. + +Related to #441. + +Reference: https://github.com/GNOME/libxml2/commit/0e193f0d61f6d6f29c31ac5f801975e810df7a04 +Conflict: NA +--- + parser.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/parser.c b/parser.c +index 4360479..4405a7e 100644 +--- a/parser.c ++++ b/parser.c +@@ -4535,9 +4535,6 @@ get_more: + line = ctxt->input->line; + col = ctxt->input->col; + } +- /* something really bad happened in the SAX callback */ +- if (ctxt->instate != XML_PARSER_CONTENT) +- return; + } + ctxt->input->cur = in; + if (*in == 0xD) { +-- +2.27.0 + diff --git a/backport-parser-Restore-parser-state-in-xmlParseCDSect.patch b/backport-parser-Restore-parser-state-in-xmlParseCDSect.patch new file mode 100644 index 0000000..368becc --- /dev/null +++ b/backport-parser-Restore-parser-state-in-xmlParseCDSect.patch @@ -0,0 +1,98 @@ +From 003d0baef83a3c694fba6f194cfc8c14bc035082 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 21 Nov 2022 22:07:11 +0100 +Subject: [PATCH 23/28] parser: Restore parser state in xmlParseCDSect + +Fixes #441. + +Reference: https://github.com/GNOME/libxml2/commit/94ca36c2c48ad3857175ea66a373e51e67b98f00 +Conflict: parser.c: +--- + parser.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/parser.c b/parser.c +index 6e55838..4360479 100644 +--- a/parser.c ++++ b/parser.c +@@ -9788,22 +9788,20 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + r = CUR_CHAR(rl); + if (!IS_CHAR(r)) { + xmlFatalErr(ctxt, XML_ERR_CDATA_NOT_FINISHED, NULL); +- ctxt->instate = XML_PARSER_CONTENT; +- return; ++ goto out; + } + NEXTL(rl); + s = CUR_CHAR(sl); + if (!IS_CHAR(s)) { + xmlFatalErr(ctxt, XML_ERR_CDATA_NOT_FINISHED, NULL); +- ctxt->instate = XML_PARSER_CONTENT; +- return; ++ goto out; + } + NEXTL(sl); + cur = CUR_CHAR(l); + buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar)); + if (buf == NULL) { + xmlErrMemory(ctxt, NULL); +- return; ++ goto out; + } + while (IS_CHAR(cur) && + ((r != ']') || (s != ']') || (cur != '>'))) { +@@ -9812,9 +9810,8 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + + tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); + if (tmp == NULL) { +- xmlFree(buf); + xmlErrMemory(ctxt, NULL); +- return; ++ goto out; + } + buf = tmp; + size *= 2; +@@ -9829,8 +9826,7 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + SHRINK; + GROW; + if (ctxt->instate == XML_PARSER_EOF) { +- xmlFree(buf); +- return; ++ goto out; + } + count = 0; + } +@@ -9839,17 +9835,14 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + if (len > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, + "CData section too big found\n"); +- xmlFree(buf); +- return; ++ goto out; + } + } + buf[len] = 0; +- ctxt->instate = XML_PARSER_CONTENT; + if (cur != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, + "CData section not finished\n%.50s\n", buf); +- xmlFree(buf); +- return; ++ goto out; + } + NEXTL(l); + +@@ -9862,6 +9855,10 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + else if (ctxt->sax->characters != NULL) + ctxt->sax->characters(ctxt->userData, buf, len); + } ++ ++out: ++ if (ctxt->instate != XML_PARSER_EOF) ++ ctxt->instate = XML_PARSER_CONTENT; + xmlFree(buf); + } + +-- +2.27.0 + diff --git a/backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch b/backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch new file mode 100644 index 0000000..9a7527e --- /dev/null +++ b/backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch @@ -0,0 +1,54 @@ +From b75976e02999c453ae80bb1ade72f704a78b95ce Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 12 Mar 2023 19:06:19 +0100 +Subject: [PATCH] parser: Use size_t when subtracting input buffer pointers + +Avoid integer overflows. + +Reference:https://github.com/GNOME/libxml2/commit/b75976e02999c453ae80bb1ade72f704a78b95ce +Conflict:NA + +--- + HTMLparser.c | 2 +- + parser.c | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 72ede56..b76218c 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3833,7 +3833,7 @@ htmlCheckEncodingDirect(htmlParserCtxtPtr ctxt, const xmlChar *encoding) { + (ctxt->input->buf->raw != NULL) && + (ctxt->input->buf->buffer != NULL)) { + int nbchars; +- int processed; ++ size_t processed; + + /* + * convert as much as possible to the parser reading buffer. +diff --git a/parser.c b/parser.c +index c276a1a..75bd27f 100644 +--- a/parser.c ++++ b/parser.c +@@ -9267,7 +9267,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, + int maxatts = ctxt->maxatts; + int nratts, nbatts, nbdef, inputid; + int i, j, nbNs, attval; +- unsigned long cur; ++ size_t cur; + int nsNr = ctxt->nsNr; + + if (RAW != '<') return(NULL); +@@ -11202,7 +11202,8 @@ xmlCheckCdataPush(const xmlChar *utf, int len, int complete) { + static int + xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { + int ret = 0; +- int avail, tlen; ++ int tlen; ++ size_t avail; + xmlChar cur, next; + const xmlChar *lastlt, *lastgt; + +-- +2.27.0 + diff --git a/backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch b/backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch new file mode 100644 index 0000000..995613d --- /dev/null +++ b/backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch @@ -0,0 +1,41 @@ +From 800bb118a5cb30232a295b89df8cb749eece49af Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 14 Nov 2022 22:00:50 +0100 +Subject: [PATCH 16/28] reader: Switch to xmlParserInputBufferCreateMem + +This is less efficient but can't result in input buffer overreads. + +Fixes #326. + +Reference: https://github.com/GNOME/libxml2/commit/1ca0dfec351a089537127911607c5e89bc937840 +Conflict: NA +--- + xmlreader.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/xmlreader.c b/xmlreader.c +index 989b7c1..ac97bde 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -5508,8 +5508,7 @@ xmlReaderForMemory(const char *buffer, int size, const char *URL, + xmlTextReaderPtr reader; + xmlParserInputBufferPtr buf; + +- buf = xmlParserInputBufferCreateStatic(buffer, size, +- XML_CHAR_ENCODING_NONE); ++ buf = xmlParserInputBufferCreateMem(buffer, size, XML_CHAR_ENCODING_NONE); + if (buf == NULL) { + return (NULL); + } +@@ -5735,7 +5734,7 @@ xmlReaderNewMemory(xmlTextReaderPtr reader, const char *buffer, int size, + if (buffer == NULL) + return (-1); + +- input = xmlParserInputBufferCreateStatic(buffer, size, ++ input = xmlParserInputBufferCreateMem(buffer, size, + XML_CHAR_ENCODING_NONE); + if (input == NULL) { + return (-1); +-- +2.27.0 + diff --git a/backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch b/backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch new file mode 100644 index 0000000..c88ab7b --- /dev/null +++ b/backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch @@ -0,0 +1,33 @@ +From 85057e513111f69f5a8af94f3a82899d23d4c057 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 21 Feb 2023 15:24:19 +0100 +Subject: [PATCH] regexp: Add sanity check in xmlRegCalloc2 + +These arguments should be non-zero, but add a sanity check to avoid +division by zero. + +Fixes #450. + +Reference:https://github.com/GNOME/libxml2/commit/85057e513111f69f5a8af94f3a82899d23d4c057 +Conflict:NA +--- + xmlregexp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index e7c48a4..cc4ae6f 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -443,7 +443,8 @@ xmlRegCalloc2(size_t dim1, size_t dim2, size_t elemSize) { + void *ret; + + /* Check for overflow */ +- if (dim1 > SIZE_MAX / dim2 / elemSize) ++ if ((dim2 == 0) || (elemSize == 0) || ++ (dim1 > SIZE_MAX / dim2 / elemSize)) + return (NULL); + totalSize = dim1 * dim2 * elemSize; + ret = xmlMalloc(totalSize); +-- +2.27.0 + diff --git a/backport-regexp-Fix-checks-for-eliminated-transitions.patch b/backport-regexp-Fix-checks-for-eliminated-transitions.patch new file mode 100644 index 0000000..949bea6 --- /dev/null +++ b/backport-regexp-Fix-checks-for-eliminated-transitions.patch @@ -0,0 +1,68 @@ +From e301865e69b9b834f7b777dc58a9cee40ae056b2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 9 Mar 2023 05:34:38 +0100 +Subject: [PATCH] regexp: Fix checks for eliminated transitions + +'to' can be set to -1 or -2 when eliminating transitions, so check for +all negative values. + +Reference:https://github.com/GNOME/libxml2/commit/e301865e69b9b834f7b777dc58a9cee40ae056b2 +Conflict:NA + +--- + xmlregexp.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 24f9fc0..df0626c 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -607,7 +607,7 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) { + + for (j = 0;j < state->nbTrans;j++) { + trans = &(state->trans[j]); +- if ((trans->to == -1) || (trans->atom == NULL)) ++ if ((trans->to < 0) || (trans->atom == NULL)) + continue; + atomno = stringRemap[trans->atom->no]; + if ((trans->atom->data != NULL) && (transdata == NULL)) { +@@ -2783,11 +2783,11 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { + /* t1->nd = 1; */ + continue; + } +- if (t1->to == -1) /* eliminated */ ++ if (t1->to < 0) /* eliminated */ + continue; + for (i = 0;i < transnr;i++) { + t2 = &(state->trans[i]); +- if (t2->to == -1) /* eliminated */ ++ if (t2->to < 0) /* eliminated */ + continue; + if (t2->atom != NULL) { + if (t1->to == t2->to) { +@@ -2825,11 +2825,11 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { + if (t1->atom == NULL) { + continue; + } +- if (t1->to == -1) /* eliminated */ ++ if (t1->to < 0) /* eliminated */ + continue; + for (i = 0;i < transnr;i++) { + t2 = &(state->trans[i]); +- if (t2->to == -1) /* eliminated */ ++ if (t2->to < 0) /* eliminated */ + continue; + if (t2->atom != NULL) { + /* +@@ -2843,7 +2843,7 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { + t2->nd = 1; + last = t1; + } +- } else if (t1->to != -1) { ++ } else { + /* + * do the closure in case of remaining specific + * epsilon transitions like choices or all +-- +2.27.0 + diff --git a/backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch b/backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch new file mode 100644 index 0000000..769b1c1 --- /dev/null +++ b/backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch @@ -0,0 +1,66 @@ +From 9f7b114232904a7d0e304bff30ed4b255f34a572 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 9 Mar 2023 05:25:09 +0100 +Subject: [PATCH] regexp: Fix cycle check in xmlFAReduceEpsilonTransitions + +The visited flag must only be reset after the first call to +xmlFAReduceEpsilonTransitions has finished. Visiting states multiple +times could lead to unnecessary processing of duplicate transitions. + +Similar to 68eadabd. + +Reference:https://github.com/GNOME/libxml2/commit/9f7b114232904a7d0e304bff30ed4b255f34a572 +Conflict:NA + +--- + xmlregexp.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/xmlregexp.c b/xmlregexp.c +index cc4ae6f..24f9fc0 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -1880,7 +1880,32 @@ xmlFAReduceEpsilonTransitions(xmlRegParserCtxtPtr ctxt, int fromnr, + } + } + } ++} ++ ++/** ++ * xmlFAFinishReduceEpsilonTransitions: ++ * @ctxt: a regexp parser context ++ * @fromnr: the from state ++ * @tonr: the to state ++ * @counter: should that transition be associated to a counted ++ * ++ */ ++static void ++xmlFAFinishReduceEpsilonTransitions(xmlRegParserCtxtPtr ctxt, int tonr) { ++ int transnr; ++ xmlRegStatePtr to; ++ ++ to = ctxt->states[tonr]; ++ if ((to->mark == XML_REGEXP_MARK_START) || ++ (to->mark == XML_REGEXP_MARK_NORMAL)) ++ return; ++ + to->mark = XML_REGEXP_MARK_NORMAL; ++ for (transnr = 0;transnr < to->nbTrans;transnr++) { ++ xmlRegTransPtr t1 = &to->trans[transnr]; ++ if ((t1->to >= 0) && (t1->atom == NULL)) ++ xmlFAFinishReduceEpsilonTransitions(ctxt, t1->to); ++ } + } + + /** +@@ -2032,6 +2057,7 @@ xmlFAEliminateEpsilonTransitions(xmlRegParserCtxtPtr ctxt) { + state->mark = XML_REGEXP_MARK_START; + xmlFAReduceEpsilonTransitions(ctxt, statenr, + newto, state->trans[transnr].counter); ++ xmlFAFinishReduceEpsilonTransitions(ctxt, newto); + state->mark = XML_REGEXP_MARK_NORMAL; + #ifdef DEBUG_REGEXP_GRAPH + } else { +-- +2.27.0 + diff --git a/backport-regexp-Fix-determinism-checks.patch b/backport-regexp-Fix-determinism-checks.patch new file mode 100644 index 0000000..a0d0159 --- /dev/null +++ b/backport-regexp-Fix-determinism-checks.patch @@ -0,0 +1,121 @@ +From a06eaa6119ca5b296b8105dc8c9a34ed5fc1f338 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 9 Mar 2023 06:58:24 +0100 +Subject: [PATCH] regexp: Fix determinism checks + +Swap arguments in initial call to xmlFARecurseDeterminism. + +Fix the check whether we revisit the initial state in +xmlFARecurseDeterminism. + +If there are transitions with equal atoms and targets but different +counters, treat the regex as deterministic but mark the transitions as +non-deterministic internally. + +Don't overwrite zero return value of xmlFAComputesDeterminism +with non-zero value from xmlFARecurseDeterminism. + +Most of these errors lead to non-deterministic regexes not being +detected which typically isn't an issue. The improved code may break +users who relied on buggy behavior or cause other bugs to become +visible. + +Fixes #469. + +Reference:https://github.com/GNOME/libxml2/commit/a06eaa6119ca5b296b8105dc8c9a34ed5fc1f338 +Conflict:NA + +--- + xmlregexp.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index df0626c..c89f0c7 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -2665,7 +2665,7 @@ not_determinist: + */ + static int + xmlFARecurseDeterminism(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, +- int to, xmlRegAtomPtr atom) { ++ int fromnr, int tonr, xmlRegAtomPtr atom) { + int ret = 1; + int res; + int transnr, nbTrans; +@@ -2690,21 +2690,23 @@ xmlFARecurseDeterminism(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, + /* + * check transitions conflicting with the one looked at + */ ++ if ((t1->to < 0) || (t1->to == fromnr)) ++ continue; + if (t1->atom == NULL) { +- if (t1->to < 0) +- continue; + state->markd = XML_REGEXP_MARK_VISITED; + res = xmlFARecurseDeterminism(ctxt, ctxt->states[t1->to], +- to, atom); ++ fromnr, tonr, atom); + if (res == 0) { + ret = 0; + /* t1->nd = 1; */ + } + continue; + } +- if (t1->to != to) +- continue; + if (xmlFACompareAtoms(t1->atom, atom, deep)) { ++ /* Treat equal transitions as deterministic. */ ++ if ((t1->to != tonr) || ++ (!xmlFAEqualAtoms(t1->atom, atom, deep))) ++ ret = 0; + ret = 0; + /* mark the transition as non-deterministic */ + t1->nd = 1; +@@ -2837,29 +2839,39 @@ xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt) { + * find transitions which indicate a conflict + */ + if (xmlFACompareAtoms(t1->atom, t2->atom, 1)) { +- ret = 0; ++ /* ++ * Treat equal counter transitions that couldn't be ++ * eliminated as deterministic. ++ */ ++ if ((t1->to != t2->to) || ++ (t1->counter == t2->counter) || ++ (!xmlFAEqualAtoms(t1->atom, t2->atom, deep))) ++ ret = 0; + /* mark the transitions as non-deterministic ones */ + t1->nd = 1; + t2->nd = 1; + last = t1; + } + } else { ++ int res; ++ + /* + * do the closure in case of remaining specific + * epsilon transitions like choices or all + */ +- ret = xmlFARecurseDeterminism(ctxt, ctxt->states[t1->to], +- t2->to, t2->atom); +- xmlFAFinishRecurseDeterminism(ctxt, ctxt->states[t1->to]); ++ res = xmlFARecurseDeterminism(ctxt, ctxt->states[t2->to], ++ statenr, t1->to, t1->atom); ++ xmlFAFinishRecurseDeterminism(ctxt, ctxt->states[t2->to]); + /* don't shortcut the computation so all non deterministic + transition get marked down + if (ret == 0) + return(0); + */ +- if (ret == 0) { ++ if (res == 0) { + t1->nd = 1; + /* t2->nd = 1; */ + last = t1; ++ ret = 0; + } + } + } +-- +2.27.0 + diff --git a/backport-regexp-Fix-mistake-in-previous-commit.patch b/backport-regexp-Fix-mistake-in-previous-commit.patch new file mode 100644 index 0000000..43ad0d6 --- /dev/null +++ b/backport-regexp-Fix-mistake-in-previous-commit.patch @@ -0,0 +1,31 @@ +From c613ab14b85d5813ff834afe23adcab2cc82dc04 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 2 May 2023 00:32:50 +0200 +Subject: [PATCH] regexp: Fix mistake in previous commit + +The `ret = 0` line should have been deleted. + +Fixes #531. + +Reference:https://github.com/GNOME/libxml2/commit/c613ab14b85d5813ff834afe23adcab2cc82dc04 +Conflict:NA + +--- + xmlregexp.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index c89f0c7..185fcda 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -2707,7 +2707,6 @@ xmlFARecurseDeterminism(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr state, + if ((t1->to != tonr) || + (!xmlFAEqualAtoms(t1->atom, atom, deep))) + ret = 0; +- ret = 0; + /* mark the transition as non-deterministic */ + t1->nd = 1; + } +-- +2.27.0 + diff --git a/backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch b/backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch new file mode 100644 index 0000000..1e2b018 --- /dev/null +++ b/backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch @@ -0,0 +1,30 @@ +From a800b7e058b09031aba92949eecf2c76fa030635 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 4 May 2023 12:47:00 +0200 +Subject: [PATCH] regexp: Fix null deref in xmlFAFinishReduceEpsilonTransitions + +Short-lived regression found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/a800b7e058b09031aba92949eecf2c76fa030635 +Conflict:NA + +--- + xmlregexp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 185fcda..b0111e2 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -1896,6 +1896,8 @@ xmlFAFinishReduceEpsilonTransitions(xmlRegParserCtxtPtr ctxt, int tonr) { + xmlRegStatePtr to; + + to = ctxt->states[tonr]; ++ if (to == NULL) ++ return; + if ((to->mark == XML_REGEXP_MARK_START) || + (to->mark == XML_REGEXP_MARK_NORMAL)) + return; +-- +2.27.0 + diff --git a/backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch b/backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch new file mode 100644 index 0000000..8240017 --- /dev/null +++ b/backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch @@ -0,0 +1,34 @@ +From 1813411ca9f9b60e62ef70e8be2e169af0831edb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 10:53:24 +0100 +Subject: [PATCH 03/28] schemas: Fix infinite loop in + xmlSchemaCheckElemSubstGroup + +Types like xmlSchemaTypeAnyTypeDef have a base type pointing to itself, +resulting in an infinite loop. + +Fixes #430. + +Reference: https://github.com/GNOME/libxml2/commit/abb5a93fed95cfd628db72e9e1a51fc3ced5c941 +Conflict: NA +--- + xmlschemas.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 9aa6acf..4a767ac 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -19957,7 +19957,8 @@ xmlSchemaCheckElemSubstGroup(xmlSchemaParserCtxtPtr ctxt, + /* + * The set of all {derivation method}s involved in the derivation + */ +- while ((type != NULL) && (type != headType)) { ++ while ((type != NULL) && (type != headType) && ++ (type != type->baseType)) { + if ((WXS_IS_EXTENSION(type)) && + ((methSet & XML_SCHEMAS_TYPE_BLOCK_RESTRICTION) == 0)) + methSet |= XML_SCHEMAS_TYPE_BLOCK_EXTENSION; +-- +2.27.0 + diff --git a/backport-uri-Allow-port-without-host.patch b/backport-uri-Allow-port-without-host.patch new file mode 100644 index 0000000..37a09f1 --- /dev/null +++ b/backport-uri-Allow-port-without-host.patch @@ -0,0 +1,32 @@ +From 7810d0e3f0bebe58cf6de877cbcb302f073c75e7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 14 Nov 2022 21:05:32 +0100 +Subject: [PATCH 17/28] uri: Allow port without host + +Don't set port to -1 when host is missing. Host can be empty according +to spec. + +Fixes #71. + +Reference: https://github.com/GNOME/libxml2/commit/f30adb54f55e4e765d58195163f2a21f7ac759fb +Conflict: NA +--- + uri.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/uri.c b/uri.c +index ccc26aa..79dc48b 100644 +--- a/uri.c ++++ b/uri.c +@@ -768,8 +768,6 @@ xmlParse3986HierPart(xmlURIPtr uri, const char **str) + cur += 2; + ret = xmlParse3986Authority(uri, &cur); + if (ret != 0) return(ret); +- if (uri->server == NULL) +- uri->port = -1; + ret = xmlParse3986PathAbEmpty(uri, &cur); + if (ret != 0) return(ret); + *str = cur; +-- +2.27.0 + diff --git a/backport-valid-Allow-xmlFreeValidCtxt-NULL.patch b/backport-valid-Allow-xmlFreeValidCtxt-NULL.patch new file mode 100644 index 0000000..f0c7fba --- /dev/null +++ b/backport-valid-Allow-xmlFreeValidCtxt-NULL.patch @@ -0,0 +1,29 @@ +From a57a7549fabfb7112510a2ee80a874e988200c32 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 12 Mar 2023 16:06:19 +0100 +Subject: [PATCH] valid: Allow xmlFreeValidCtxt(NULL) + + +Reference:https://github.com/GNOME/libxml2/commit/a57a7549fabfb7112510a2ee80a874e988200c32 +Conflict:NA + +--- + valid.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/valid.c b/valid.c +index b7b92fe..9a2c708 100644 +--- a/valid.c ++++ b/valid.c +@@ -899,6 +899,8 @@ xmlValidCtxtPtr xmlNewValidCtxt(void) { + */ + void + xmlFreeValidCtxt(xmlValidCtxtPtr cur) { ++ if (cur == NULL) ++ return; + if (cur->vstateTab != NULL) + xmlFree(cur->vstateTab); + if (cur->nodeTab != NULL) +-- +2.27.0 + diff --git a/backport-valid-Make-xmlValidateElement-non-recursive.patch b/backport-valid-Make-xmlValidateElement-non-recursive.patch new file mode 100644 index 0000000..afb6d3c --- /dev/null +++ b/backport-valid-Make-xmlValidateElement-non-recursive.patch @@ -0,0 +1,127 @@ +From 08f9d319ebe99f41f71336ea01767b9c652ef34f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 16 Mar 2023 17:01:05 +0100 +Subject: [PATCH] valid: Make xmlValidateElement non-recursive + +Fixes call stack overflows when validating deeply nested documents. + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/08f9d319ebe99f41f71336ea01767b9c652ef34f +Conflict:NA + +--- + valid.c | 86 ++++++++++++++++++++++++++++----------------------------- + 1 file changed, 43 insertions(+), 43 deletions(-) + +diff --git a/valid.c b/valid.c +index 9a2c708..3c0a869 100644 +--- a/valid.c ++++ b/valid.c +@@ -6480,60 +6480,60 @@ name_ok: + */ + + int +-xmlValidateElement(xmlValidCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr elem) { +- xmlNodePtr child; ++xmlValidateElement(xmlValidCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr root) { ++ xmlNodePtr elem; + xmlAttrPtr attr; + xmlNsPtr ns; + const xmlChar *value; + int ret = 1; + +- if (elem == NULL) return(0); +- +- /* +- * XInclude elements were added after parsing in the infoset, +- * they don't really mean anything validation wise. +- */ +- if ((elem->type == XML_XINCLUDE_START) || +- (elem->type == XML_XINCLUDE_END) || +- (elem->type == XML_NAMESPACE_DECL)) +- return(1); ++ if (root == NULL) return(0); + + CHECK_DTD; + +- /* +- * Entities references have to be handled separately +- */ +- if (elem->type == XML_ENTITY_REF_NODE) { +- return(1); +- } ++ elem = root; ++ while (1) { ++ ret &= xmlValidateOneElement(ctxt, doc, elem); ++ ++ if (elem->type == XML_ELEMENT_NODE) { ++ attr = elem->properties; ++ while (attr != NULL) { ++ value = xmlNodeListGetString(doc, attr->children, 0); ++ ret &= xmlValidateOneAttribute(ctxt, doc, elem, attr, value); ++ if (value != NULL) ++ xmlFree((char *)value); ++ attr= attr->next; ++ } + +- ret &= xmlValidateOneElement(ctxt, doc, elem); +- if (elem->type == XML_ELEMENT_NODE) { +- attr = elem->properties; +- while (attr != NULL) { +- value = xmlNodeListGetString(doc, attr->children, 0); +- ret &= xmlValidateOneAttribute(ctxt, doc, elem, attr, value); +- if (value != NULL) +- xmlFree((char *)value); +- attr= attr->next; +- } +- ns = elem->nsDef; +- while (ns != NULL) { +- if (elem->ns == NULL) +- ret &= xmlValidateOneNamespace(ctxt, doc, elem, NULL, +- ns, ns->href); +- else +- ret &= xmlValidateOneNamespace(ctxt, doc, elem, +- elem->ns->prefix, ns, ns->href); +- ns = ns->next; +- } +- } +- child = elem->children; +- while (child != NULL) { +- ret &= xmlValidateElement(ctxt, doc, child); +- child = child->next; ++ ns = elem->nsDef; ++ while (ns != NULL) { ++ if (elem->ns == NULL) ++ ret &= xmlValidateOneNamespace(ctxt, doc, elem, NULL, ++ ns, ns->href); ++ else ++ ret &= xmlValidateOneNamespace(ctxt, doc, elem, ++ elem->ns->prefix, ns, ++ ns->href); ++ ns = ns->next; ++ } ++ ++ if (elem->children != NULL) { ++ elem = elem->children; ++ continue; ++ } ++ } ++ ++ while (1) { ++ if (elem == root) ++ goto done; ++ if (elem->next != NULL) ++ break; ++ elem = elem->parent; ++ } ++ elem = elem->next; + } + ++done: + return(ret); + } + +-- +2.27.0 + diff --git a/backport-xinclude-Fix-memory-leak-when-fuzzing.patch b/backport-xinclude-Fix-memory-leak-when-fuzzing.patch new file mode 100644 index 0000000..faa00e1 --- /dev/null +++ b/backport-xinclude-Fix-memory-leak-when-fuzzing.patch @@ -0,0 +1,29 @@ +From 48c13bd5203b325deb670d5b69015e9adc40990f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 29 Oct 2022 15:38:16 +0200 +Subject: [PATCH 01/28] xinclude: Fix memory leak when fuzzing + +This only affects the fuzzing build mode. + +Reference: https://github.com/GNOME/libxml2/commit/075cee9e9f1bedb6b2ca87e73a952fb2e92da3c1 +Conflict: xinclude.c: +--- + xinclude.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xinclude.c b/xinclude.c +index 8c14a68..6ee58cb 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2424,7 +2424,7 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree, + * of replacements. + */ + if (ctxt->incTotal >= 20) +- return(-1); ++ break; + #endif + ctxt->incTotal++; + xmlXIncludePreProcessNode(ctxt, cur); +-- +2.27.0 + diff --git a/backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch b/backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch new file mode 100644 index 0000000..9fc753c --- /dev/null +++ b/backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch @@ -0,0 +1,126 @@ +From f442a3290626a522b6e71c902a971859b15566f3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 30 Oct 2022 12:32:14 +0100 +Subject: [PATCH 02/28] xinclude: Fix more memory leaks in xmlXIncludeLoadDoc + +Reference: https://github.com/GNOME/libxml2/commit/f14529baf5315b3d77877fd1617b0e1f3df564d0 +Conflict: xinclude.c: +--- + xinclude.c | 37 ++++++++++++++----------------------- + 1 file changed, 14 insertions(+), 23 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index 6ee58cb..cd1e1b1 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -1417,9 +1417,10 @@ static int + xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlDocPtr doc; + xmlURIPtr uri; +- xmlChar *URL; ++ xmlChar *URL = NULL; + xmlChar *fragment = NULL; + int i = 0; ++ int ret = -1; + #ifdef LIBXML_XPTR_ENABLED + int saveFlags; + #endif +@@ -1435,7 +1436,7 @@ xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, + XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", url); +- return(-1); ++ goto error; + } + if (uri->fragment != NULL) { + fragment = (xmlChar *) uri->fragment; +@@ -1457,9 +1458,7 @@ xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlXIncludeErr(ctxt, NULL, + XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", url); +- if (fragment != NULL) +- xmlFree(fragment); +- return(-1); ++ goto error; + } + + /* +@@ -1509,10 +1508,7 @@ xmlXIncludeLoadDoc(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + ctxt->parseFlags = saveFlags; + #endif + if (doc == NULL) { +- xmlFree(URL); +- if (fragment != NULL) +- xmlFree(fragment); +- return(-1); ++ goto error; + } + ctxt->incTab[nr]->doc = doc; + /* +@@ -1578,9 +1574,7 @@ loaded: + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, + XML_XINCLUDE_XPTR_FAILED, + "could not create XPointer context\n", NULL); +- xmlFree(URL); +- xmlFree(fragment); +- return(-1); ++ goto error; + } + xptr = xmlXPtrEval(fragment, xptrctxt); + if (xptr == NULL) { +@@ -1589,9 +1583,7 @@ loaded: + "XPointer evaluation failed: #%s\n", + fragment); + xmlXPathFreeContext(xptrctxt); +- xmlFree(URL); +- xmlFree(fragment); +- return(-1); ++ goto error; + } + switch (xptr->type) { + case XPATH_UNDEFINED: +@@ -1607,17 +1599,13 @@ loaded: + fragment); + xmlXPathFreeObject(xptr); + xmlXPathFreeContext(xptrctxt); +- xmlFree(URL); +- xmlFree(fragment); +- return(-1); ++ goto error; + case XPATH_NODESET: + if ((xptr->nodesetval == NULL) || + (xptr->nodesetval->nodeNr <= 0)) { + xmlXPathFreeObject(xptr); + xmlXPathFreeContext(xptrctxt); +- xmlFree(URL); +- xmlFree(fragment); +- return(-1); ++ goto error; + } + + case XPATH_RANGE: +@@ -1681,7 +1669,6 @@ loaded: + xmlXIncludeCopyXPointer(ctxt, ctxt->doc, doc, xptr); + xmlXPathFreeObject(xptr); + xmlXPathFreeContext(xptrctxt); +- xmlFree(fragment); + } + #endif + +@@ -1777,8 +1764,12 @@ loaded: + xmlFreeDoc(ctxt->incTab[nr]->doc); + ctxt->incTab[nr]->doc = NULL; + } ++ ret = 0; ++ ++error: + xmlFree(URL); +- return(0); ++ xmlFree(fragment); ++ return(ret); + } + + /** +-- +2.27.0 + diff --git a/backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch b/backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch new file mode 100644 index 0000000..dc68467 --- /dev/null +++ b/backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch @@ -0,0 +1,147 @@ +From e20f4d7a656e47553f9da9d594e299e2fa2dbe41 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 13 Feb 2023 14:38:05 +0100 +Subject: [PATCH] xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt + +Also make text inclusions work with memory buffers, for example when +using a custom entity loader, and fix a memory leak in case of invalid +characters. + +Fixes #483. + +Reference:https://github.com/GNOME/libxml2/commit/e20f4d7a656e47553f9da9d594e299e2fa2dbe41 +Conflict:NA + +--- + result/XInclude/invalid_char.xml.err | 2 + + result/XInclude/invalid_char.xml.rdr | 7 ++++ + test/XInclude/docs/invalid_char.xml | 3 ++ + test/XInclude/ents/invalid_char.txt | 1 + + xinclude.c | 61 ++++++++++++---------------- + 5 files changed, 39 insertions(+), 35 deletions(-) + create mode 100644 result/XInclude/invalid_char.xml.err + create mode 100644 result/XInclude/invalid_char.xml.rdr + create mode 100644 test/XInclude/docs/invalid_char.xml + create mode 100644 test/XInclude/ents/invalid_char.txt + +diff --git a/result/XInclude/invalid_char.xml.err b/result/XInclude/invalid_char.xml.err +new file mode 100644 +index 0000000..c28c109 +--- /dev/null ++++ b/result/XInclude/invalid_char.xml.err +@@ -0,0 +1,2 @@ ++./test/XInclude/docs/invalid_char.xml:2: element include: XInclude error : test/XInclude/ents/invalid_char.txt contains invalid char ++./test/XInclude/docs/invalid_char.xml:2: element include: XInclude error : could not load test/XInclude/ents/invalid_char.txt, and no fallback was found +diff --git a/result/XInclude/invalid_char.xml.rdr b/result/XInclude/invalid_char.xml.rdr +new file mode 100644 +index 0000000..1fb5774 +--- /dev/null ++++ b/result/XInclude/invalid_char.xml.rdr +@@ -0,0 +1,7 @@ ++0 1 x 0 0 ++1 14 #text 0 1 ++ ++1 1 xinclude:include 1 0 ++1 14 #text 0 1 ++ ++0 15 x 0 0 +diff --git a/test/XInclude/docs/invalid_char.xml b/test/XInclude/docs/invalid_char.xml +new file mode 100644 +index 0000000..28e5a48 +--- /dev/null ++++ b/test/XInclude/docs/invalid_char.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +diff --git a/test/XInclude/ents/invalid_char.txt b/test/XInclude/ents/invalid_char.txt +new file mode 100644 +index 0000000..ae06618 +--- /dev/null ++++ b/test/XInclude/ents/invalid_char.txt +@@ -0,0 +1 @@ ++invalid: ÿ +\ No newline at end of file +diff --git a/xinclude.c b/xinclude.c +index cc486f5..6e5b61d 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -1798,7 +1798,9 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + xmlCharEncoding enc = (xmlCharEncoding) 0; + xmlParserCtxtPtr pctxt; + xmlParserInputPtr inputStream; +- int xinclude_multibyte_fallback_used = 0; ++ int len; ++ const xmlChar *content; ++ + + /* Don't read from stdin. */ + if (xmlStrcmp(url, BAD_CAST "-") == 0) +@@ -1905,41 +1907,30 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, const xmlChar *url, int nr) { + /* + * Scan all chars from the resource and add the to the node + */ +-xinclude_multibyte_fallback: +- while (xmlParserInputBufferRead(buf, 128) > 0) { +- int len; +- const xmlChar *content; +- +- content = xmlBufContent(buf->buffer); +- len = xmlBufLength(buf->buffer); +- for (i = 0;i < len;) { +- int cur; +- int l; +- +- cur = xmlStringCurrentChar(NULL, &content[i], &l); +- if (!IS_CHAR(cur)) { +- /* Handle split multibyte char at buffer boundary */ +- if (((len - i) < 4) && (!xinclude_multibyte_fallback_used)) { +- xinclude_multibyte_fallback_used = 1; +- xmlBufShrink(buf->buffer, i); +- goto xinclude_multibyte_fallback; +- } else { +- xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, +- XML_XINCLUDE_INVALID_CHAR, +- "%s contains invalid char\n", URL); +- xmlFreeParserCtxt(pctxt); +- xmlFreeParserInputBuffer(buf); +- xmlFree(URL); +- return(-1); +- } +- } else { +- xinclude_multibyte_fallback_used = 0; +- xmlNodeAddContentLen(node, &content[i], l); +- } +- i += l; +- } +- xmlBufShrink(buf->buffer, len); ++ while (xmlParserInputBufferRead(buf, 4096) > 0) ++ ; ++ ++ content = xmlBufContent(buf->buffer); ++ len = xmlBufLength(buf->buffer); ++ for (i = 0; i < len;) { ++ int cur; ++ int l; ++ ++ cur = xmlStringCurrentChar(NULL, &content[i], &l); ++ if (!IS_CHAR(cur)) { ++ xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, XML_XINCLUDE_INVALID_CHAR, ++ "%s contains invalid char\n", URL); ++ xmlFreeNode(node); ++ xmlFreeInputStream(inputStream); ++ xmlFreeParserCtxt(pctxt); ++ xmlFree(URL); ++ return(-1); ++ } ++ ++ i += l; + } ++ ++ xmlNodeAddContentLen(node, content, len); + xmlFreeParserCtxt(pctxt); + xmlXIncludeAddTxt(ctxt, node->content, URL); + xmlFreeInputStream(inputStream); +-- +2.27.0 + diff --git a/backport-xmlBufAvail-should-return-length-without-including-a.patch b/backport-xmlBufAvail-should-return-length-without-including-a.patch new file mode 100644 index 0000000..edb67b1 --- /dev/null +++ b/backport-xmlBufAvail-should-return-length-without-including-a.patch @@ -0,0 +1,136 @@ +From c14cac8bbabdfbcd23b45dcb0901f1bd951159a4 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Wed, 25 May 2022 18:13:07 -0700 +Subject: [PATCH 295/300] xmlBufAvail() should return length without including + a byte for NUL terminator + +* buf.c: +(xmlBufAvail): +- Return the number of bytes available in the buffer, but do not + include a byte for the NUL terminator so that it is reserved. + +* encoding.c: +(xmlCharEncFirstLineInput): +(xmlCharEncInput): +(xmlCharEncOutput): +* xmlIO.c: +(xmlOutputBufferWriteEscape): +- Remove code that subtracts 1 from the return value of + xmlBufAvail(). It was implemented inconsistently anyway. + +Reference:https://github.com/GNOME/libxml2/commit/c14cac8bbabdfbcd23b45dcb0901f1bd951159a4 +Conflict:NA + +--- + buf.c | 9 +++++---- + encoding.c | 14 ++++---------- + xmlIO.c | 2 +- + 3 files changed, 10 insertions(+), 15 deletions(-) + +diff --git a/buf.c b/buf.c +index d341750..f896826 100644 +--- a/buf.c ++++ b/buf.c +@@ -689,10 +689,11 @@ xmlBufUse(const xmlBufPtr buf) + * @buf: the buffer + * + * Function to find how much free space is allocated but not +- * used in the buffer. It does not account for the terminating zero +- * usually needed ++ * used in the buffer. It reserves one byte for the NUL ++ * terminator character that is usually needed, so there is ++ * no need to subtract 1 from the result anymore. + * +- * Returns the amount or 0 if none or an error occurred ++ * Returns the amount, or 0 if none or if an error occurred. + */ + + size_t +@@ -702,7 +703,7 @@ xmlBufAvail(const xmlBufPtr buf) + return 0; + CHECK_COMPAT(buf) + +- return(buf->size - buf->use); ++ return((buf->size > buf->use) ? (buf->size - buf->use - 1) : 0); + } + + /** +diff --git a/encoding.c b/encoding.c +index c14c9ff..8ce407f 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -2177,7 +2177,7 @@ xmlCharEncFirstLineInput(xmlParserInputBufferPtr input, int len) + toconv = xmlBufUse(in); + if (toconv == 0) + return (0); +- written = xmlBufAvail(out) - 1; /* count '\0' */ ++ written = xmlBufAvail(out); + /* + * echo '' | wc -c => 38 + * 45 chars should be sufficient to reach the end of the encoding +@@ -2195,7 +2195,7 @@ xmlCharEncFirstLineInput(xmlParserInputBufferPtr input, int len) + } + if (toconv * 2 >= written) { + xmlBufGrow(out, toconv * 2); +- written = xmlBufAvail(out) - 1; ++ written = xmlBufAvail(out); + } + if (written > 360) + written = 360; +@@ -2287,13 +2287,9 @@ xmlCharEncInput(xmlParserInputBufferPtr input, int flush) + if ((toconv > 64 * 1024) && (flush == 0)) + toconv = 64 * 1024; + written = xmlBufAvail(out); +- if (written > 0) +- written--; /* count '\0' */ + if (toconv * 2 >= written) { + xmlBufGrow(out, toconv * 2); + written = xmlBufAvail(out); +- if (written > 0) +- written--; /* count '\0' */ + } + if ((written > 128 * 1024) && (flush == 0)) + written = 128 * 1024; +@@ -2475,8 +2471,6 @@ xmlCharEncOutput(xmlOutputBufferPtr output, int init) + retry: + + written = xmlBufAvail(out); +- if (written > 0) +- written--; /* count '\0' */ + + /* + * First specific handling of the initialization call +@@ -2505,7 +2499,7 @@ retry: + toconv = 64 * 1024; + if (toconv * 4 >= written) { + xmlBufGrow(out, toconv * 4); +- written = xmlBufAvail(out) - 1; ++ written = xmlBufAvail(out); + } + if (written > 256 * 1024) + written = 256 * 1024; +@@ -2580,7 +2574,7 @@ retry: + "&#%d;", cur); + xmlBufShrink(in, len); + xmlBufGrow(out, charrefLen * 4); +- c_out = xmlBufAvail(out) - 1; ++ c_out = xmlBufAvail(out); + c_in = charrefLen; + ret = xmlEncOutputChunk(output->encoder, xmlBufEnd(out), &c_out, + charref, &c_in); +diff --git a/xmlIO.c b/xmlIO.c +index 007144c..3f5307f 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -3560,7 +3560,7 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str, + * how many bytes to consume and how many bytes to store. + */ + cons = len; +- chunk = xmlBufAvail(out->buffer) - 1; ++ chunk = xmlBufAvail(out->buffer); + + /* + * make sure we have enough room to save first, if this is +-- +2.27.0 + diff --git a/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch b/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch new file mode 100644 index 0000000..70325cd --- /dev/null +++ b/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch @@ -0,0 +1,35 @@ +From 0bd4e4e032d57ecf982b57312eb6136efdd35d56 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Wed, 21 Dec 2022 19:21:30 -0800 +Subject: [PATCH] xmlParseStartTag2() contains typo when checking for default + definitions for an attribute in a namespace + +* parser.c: +(xmlParseStartTag2): +- Fix index into defaults->values. It is only correct the first + time through the loop when i == 0. + +Fixes #467.. + +Reference:https://github.com/GNOME/libxml2/commit/0bd4e4e032d57ecf982b57312eb6136efdd35d56 +Conflict:NA +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index f13287a..2207404 100644 +--- a/parser.c ++++ b/parser.c +@@ -9561,7 +9561,7 @@ next_attr: + if (j <= nbNs) continue; + + nsname = xmlGetNamespace(ctxt, attname); +- if (nsname != defaults->values[2]) { ++ if (nsname != defaults->values[5 * i + 2]) { + if (nsPush(ctxt, attname, + defaults->values[5 * i + 2]) > 0) + nbNs++; +-- +2.27.0 + diff --git a/backport-xmlValidatePopElement-can-return-invalid-value-1.patch b/backport-xmlValidatePopElement-can-return-invalid-value-1.patch new file mode 100644 index 0000000..2b1bb48 --- /dev/null +++ b/backport-xmlValidatePopElement-can-return-invalid-value-1.patch @@ -0,0 +1,122 @@ +From cb1b8b8516ade9add9f63fa0e39eaa3bc7034828 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Mon, 10 Apr 2023 13:06:18 -0700 +Subject: [PATCH] xmlValidatePopElement() can return invalid value (-1) + +Covered by: test/VC/ElementValid5 + +This only affects XML Reader API with LIBXML_REGEXP_ENABLED and +LIBXML_VALID_ENABLED turned on. + +* result/VC/ElementValid5.rdr: +- Update result to add missing error message. + +* python/tests/reader2.py: +* result/VC/ElementValid6.rdr: +* result/VC/ElementValid7.rdr: +* result/valid/781333.xml.err.rdr: +- Update result to fix grammar issue. + +* valid.c: +(xmlValidatePopElement): +- Check return value of xmlRegExecPushString() to handle -1, and + assign 'ret = 0;' to return 0 from xmlValidatePopElement(). + This change affects xmlTextReaderValidatePop() from + xmlreader.c. +- Fix grammar of error message by changing 'child' to + 'children'. + +Reference:https://github.com/GNOME/libxml2/commit/cb1b8b8516ade9add9f63fa0e39eaa3bc7034828 +Conflict:python/tests/reader2.py + +--- + python/tests/reader2.py | 2 +- + result/VC/ElementValid5.rdr | 3 +++ + result/VC/ElementValid6.rdr | 2 +- + result/VC/ElementValid7.rdr | 2 +- + result/valid/781333.xml.err.rdr | 2 +- + valid.c | 5 +++-- + 6 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/python/tests/reader2.py b/python/tests/reader2.py +index b50180d..b581674 100755 +--- a/python/tests/reader2.py ++++ b/python/tests/reader2.py +@@ -39,7 +39,7 @@ value + """../../test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got + + ^ +-../../test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++../../test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more children + + ^ + """, +diff --git a/result/VC/ElementValid5.rdr b/result/VC/ElementValid5.rdr +index 899d759..91eef9c 100644 +--- a/result/VC/ElementValid5.rdr ++++ b/result/VC/ElementValid5.rdr +@@ -4,3 +4,6 @@ + ./test/VC/ElementValid5:8: element doc: validity error : Element doc content does not follow the DTD, Misplaced b + + ^ ++./test/VC/ElementValid5:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more children ++ ++^ +diff --git a/result/VC/ElementValid6.rdr b/result/VC/ElementValid6.rdr +index aeafd6b..3b51d1a 100644 +--- a/result/VC/ElementValid6.rdr ++++ b/result/VC/ElementValid6.rdr +@@ -1,6 +1,6 @@ + ./test/VC/ElementValid6:7: element doc: validity error : Element doc content does not follow the DTD, expecting (a , b? , c+)?, got (a b) + lacks c + ^ +-./test/VC/ElementValid6:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more child ++./test/VC/ElementValid6:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more children + + ^ +diff --git a/result/VC/ElementValid7.rdr b/result/VC/ElementValid7.rdr +index f001fd2..ecafd1d 100644 +--- a/result/VC/ElementValid7.rdr ++++ b/result/VC/ElementValid7.rdr +@@ -1,6 +1,6 @@ + ./test/VC/ElementValid7:7: element doc: validity error : Element doc content does not follow the DTD, expecting ((a | b)* , c+ , a , b? , c , a?), got (a b a c c a) + + ^ +-./test/VC/ElementValid7:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more child ++./test/VC/ElementValid7:8: element doc: validity error : Element doc content does not follow the DTD, Expecting more children + + ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr +index 5ff5699..dd9df08 100644 +--- a/result/valid/781333.xml.err.rdr ++++ b/result/valid/781333.xml.err.rdr +@@ -1,6 +1,6 @@ + ./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got + + ^ +-./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more children + + ^ +diff --git a/valid.c b/valid.c +index 3c0a869..92aaedb 100644 +--- a/valid.c ++++ b/valid.c +@@ -6012,11 +6012,12 @@ xmlValidatePopElement(xmlValidCtxtPtr ctxt, xmlDocPtr doc ATTRIBUTE_UNUSED, + if (elemDecl->etype == XML_ELEMENT_TYPE_ELEMENT) { + if (state->exec != NULL) { + ret = xmlRegExecPushString(state->exec, NULL, NULL); +- if (ret == 0) { ++ if (ret <= 0) { + xmlErrValidNode(ctxt, state->node, + XML_DTD_CONTENT_MODEL, +- "Element %s content does not follow the DTD, Expecting more child\n", ++ "Element %s content does not follow the DTD, Expecting more children\n", + state->node->name, NULL,NULL); ++ ret = 0; + } else { + /* + * previous validation errors should not generate +-- +2.27.0 + diff --git a/backport-xmllint-Fix-memory-leak-with-pattern-stream.patch b/backport-xmllint-Fix-memory-leak-with-pattern-stream.patch new file mode 100644 index 0000000..ee74c69 --- /dev/null +++ b/backport-xmllint-Fix-memory-leak-with-pattern-stream.patch @@ -0,0 +1,37 @@ +From 64b76f8163d3608f9881b4de23dcc06530ba9323 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Mar 2023 13:17:20 +0100 +Subject: [PATCH] xmllint: Fix memory leak with --pattern --stream + +Fixes #499. + +Reference:https://github.com/GNOME/libxml2/commit/64b76f8163d3608f9881b4de23dcc06530ba9323 +Conflict:NA + +--- + xmllint.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/xmllint.c b/xmllint.c +index ee6bfdc..c79b8e9 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -1848,15 +1848,6 @@ static void streamFile(char *filename) { + #endif + reader = xmlReaderForFile(filename, NULL, options); + #ifdef LIBXML_PATTERN_ENABLED +- if (pattern != NULL) { +- patternc = xmlPatterncompile((const xmlChar *) pattern, NULL, 0, NULL); +- if (patternc == NULL) { +- xmlGenericError(xmlGenericErrorContext, +- "Pattern %s failed to compile\n", pattern); +- progresult = XMLLINT_ERR_SCHEMAPAT; +- pattern = NULL; +- } +- } + if (patternc != NULL) { + patstream = xmlPatternGetStreamCtxt(patternc); + if (patstream != NULL) { +-- +2.27.0 + diff --git a/backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch b/backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch new file mode 100644 index 0000000..a93ee72 --- /dev/null +++ b/backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch @@ -0,0 +1,29 @@ +From 524654ed3c85e356261fc52533d86d43005a0420 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Feb 2023 17:19:47 +0100 +Subject: [PATCH] xpath: Fix harmless integer overflow in + xmlXPathTranslateFunction + + +Reference:https://github.com/GNOME/libxml2/commit/524654ed3c85e356261fc52533d86d43005a0420 +Conflict:NA +--- + xpath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xpath.c b/xpath.c +index b6a3983..d17ad5e 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -9351,7 +9351,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + xmlXPathObjectPtr to; + xmlBufPtr target; + int offset, max; +- xmlChar ch; ++ int ch; + const xmlChar *point; + xmlChar *cptr; + +-- +2.27.0 + diff --git a/backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch b/backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch new file mode 100644 index 0000000..e79886a --- /dev/null +++ b/backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch @@ -0,0 +1,45 @@ +From 6273df6c6d84b6be8a62a62abf1d9b79cc2035f8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 30 May 2023 12:30:27 +0200 +Subject: [PATCH] xpath: Ignore entity ref nodes when computing node hash + +XPath queries only work reliably if entities are substituted. +Nevertheless, it's possible to query a document with entity reference +nodes. xmllint even deletes entities when the `--dropdtd` option is +passed, resulting in dangling pointers, so it's best to skip entity +reference nodes to avoid a use-after-free. + +Fixes #550. + +Reference:https://github.com/GNOME/libxml2/commit/6273df6c6d84b6be8a62a62abf1d9b79cc2035f8 +Conflict:NA + +--- + xpath.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 3d1ca71..3128efb 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -6396,11 +6396,12 @@ xmlXPathNodeValHash(xmlNodePtr node) { + /* + * Skip to next node + */ +- if ((tmp->children != NULL) && (tmp->type != XML_DTD_NODE)) { +- if (tmp->children->type != XML_ENTITY_DECL) { +- tmp = tmp->children; +- continue; +- } ++ if ((tmp->children != NULL) && ++ (tmp->type != XML_DTD_NODE) && ++ (tmp->type != XML_ENTITY_REF_NODE) && ++ (tmp->children->type != XML_ENTITY_DECL)) { ++ tmp = tmp->children; ++ continue; + } + if (tmp == node) + break; +-- +2.27.0 + diff --git a/backport-xpath-number-should-return-NaN.patch b/backport-xpath-number-should-return-NaN.patch new file mode 100644 index 0000000..e964c36 --- /dev/null +++ b/backport-xpath-number-should-return-NaN.patch @@ -0,0 +1,66 @@ +From 608c65bb8ebfc12763aee1cc1f3778e17d71596e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 18 Jan 2023 15:15:41 +0100 +Subject: [PATCH] xpath: number('-') should return NaN + +Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81 + +Reference:https://github.com/GNOME/libxml2/commit/608c65bb8ebfc12763aee1cc1f3778e17d71596e +Conflict:NA +--- + result/XPath/expr/functions | 4 ++++ + test/XPath/expr/functions | 1 + + xpath.c | 6 +++--- + 3 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/result/XPath/expr/functions b/result/XPath/expr/functions +index e09eb4a..4ff9c58 100644 +--- a/result/XPath/expr/functions ++++ b/result/XPath/expr/functions +@@ -19,6 +19,10 @@ Object is a number : NaN + Expression: -number('abc') + Object is a number : NaN + ++======================== ++Expression: number('-') ++Object is a number : NaN ++ + ======================== + Expression: floor(0.1) + Object is a number : 0 +diff --git a/test/XPath/expr/functions b/test/XPath/expr/functions +index 00b9461..6008a07 100644 +--- a/test/XPath/expr/functions ++++ b/test/XPath/expr/functions +@@ -3,6 +3,7 @@ false() + number("1.5") + number('abc') + -number('abc') ++number('-') + floor(0.1) + floor(-0.1) + floor(-0) +diff --git a/xpath.c b/xpath.c +index 85d7919..fbec21b 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -9987,13 +9987,13 @@ xmlXPathStringEvalNumber(const xmlChar *str) { + #endif + if (cur == NULL) return(0); + while (IS_BLANK_CH(*cur)) cur++; +- if ((*cur != '.') && ((*cur < '0') || (*cur > '9')) && (*cur != '-')) { +- return(xmlXPathNAN); +- } + if (*cur == '-') { + isneg = 1; + cur++; + } ++ if ((*cur != '.') && ((*cur < '0') || (*cur > '9'))) { ++ return(xmlXPathNAN); ++ } + + #ifdef __GNUC__ + /* +-- +2.27.0 + diff --git a/backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch b/backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch new file mode 100644 index 0000000..887dec0 --- /dev/null +++ b/backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch @@ -0,0 +1,42 @@ +From 1a6a9d6878ed00265941939adc468a517cd5ef36 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 14 Mar 2023 14:19:03 +0100 +Subject: [PATCH] xzlib: Fix implicit sign change in xz_open + + +Reference:https://github.com/GNOME/libxml2/commit/1a6a9d6878ed00265941939adc468a517cd5ef36 +Conflict:NA + +--- + xzlib.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/xzlib.c b/xzlib.c +index 9a34738..8d75590 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -139,6 +139,7 @@ static xzFile + xz_open(const char *path, int fd, const char *mode ATTRIBUTE_UNUSED) + { + xz_statep state; ++ off_t offset; + + /* allocate xzFile structure to return */ + state = xmlMalloc(sizeof(xz_state)); +@@ -173,9 +174,11 @@ xz_open(const char *path, int fd, const char *mode ATTRIBUTE_UNUSED) + } + + /* save the current position for rewinding (only if reading) */ +- state->start = lseek(state->fd, 0, SEEK_CUR); +- if (state->start == (uint64_t) - 1) ++ offset = lseek(state->fd, 0, SEEK_CUR); ++ if (offset == -1) + state->start = 0; ++ else ++ state->start = offset; + + /* initialize stream */ + xz_reset(state); +-- +2.27.0 + diff --git a/libxml2.spec b/libxml2.spec index 9ddd684..ced3e41 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -14,10 +14,179 @@ Patch4: backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch Patch5: backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch Patch6: backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch Patch7: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch -Patch8: backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch -Patch9: backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch -Patch10: backport-xmllint-Fix-use-after-free-with-maxmem.patch +Patch6000: backport-Add-whitespace-folding-for-some-atomic-data-types-th.patch +Patch6001: backport-Properly-fold-whitespace-around-the-QName-value-when.patch +Patch6002: backport-Avoid-arithmetic-on-freed-pointers.patch +Patch6003: backport-fix-xmlXPathParserContext-could-be-double-delete-in-.patch +Patch6004: backport-Use-UPDATE_COMPAT-consistently-in-buf.c.patch +Patch6005: backport-Restore-behavior-of-htmlDocContentDumpFormatOutput.patch +Patch6006: backport-Fix-use-after-free-bugs-when-calling-xmlTextReaderCl.patch +Patch6007: backport-Use-xmlNewDocText-in-xmlXIncludeCopyRange.patch +Patch6008: backport-xmlBufAvail-should-return-length-without-including-a.patch +Patch6009: backport-Fix-integer-overflow-in-xmlBufferDump.patch +Patch6010: backport-Fix-missing-NUL-terminators-in-xmlBuf-and-xmlBuffer-.patch +Patch6011: backport-Reserve-byte-for-NUL-terminator-and-report-errors-co.patch +Patch6012: backport-Fix-unintended-fall-through-in-xmlNodeAddContentLen.patch +Patch6013: backport-Don-t-reset-nsDef-when-changing-node-content.patch +Patch6014: backport-Avoid-double-free-if-malloc-fails-in-inputPush.patch +Patch6015: backport-Fix-memory-leak-in-xmlLoadEntityContent-error-path.patch +Patch6016: backport-Reset-nsNr-in-xmlCtxtReset.patch +Patch6017: backport-Fix-htmlReadMemory-mixing-up-XML-and-HTML-functions.patch +Patch6018: backport-Don-t-initialize-SAX-handler-in-htmlReadMemory.patch +Patch6019: backport-Fix-HTML-parser-with-threads-and-without-legacy.patch +Patch6020: backport-Fix-xmlCtxtReadDoc-with-encoding.patch +Patch6021: backport-Use-xmlStrlen-in-CtxtReadDoc.patch +Patch6022: backport-Create-stream-with-buffer-in-xmlNewStringInputStream.patch +Patch6023: backport-Use-xmlStrlen-in-xmlNewStringInputStream.patch +Patch6024: backport-Fix-memory-leak-with-invalid-XSD.patch +Patch6025: backport-Make-XPath-depth-check-work-with-recursive-invocatio.patch +Patch6026: backport-Fix-overflow-check-in-SAX2.c.patch +Patch6027: backport-xinclude-Fix-memory-leak-when-fuzzing.patch +Patch6028: backport-xinclude-Fix-more-memory-leaks-in-xmlXIncludeLoadDoc.patch +Patch6029: backport-schemas-Fix-infinite-loop-in-xmlSchemaCheckElemSubst.patch +Patch6030: backport-malloc-fail-Fix-memory-leak-in-xmlCreatePushParserCt.patch +Patch6031: backport-malloc-fail-Fix-memory-leak-in-xmlStaticCopyNodeList.patch +Patch6032: backport-malloc-fail-Fix-memory-leak-in-xmlNewPropInternal.patch +Patch6033: backport-malloc-fail-Fix-memory-leak-in-xmlNewDocNodeEatName.patch +Patch6034: backport-malloc-fail-Fix-infinite-loop-in-xmlSkipBlankChars.patch +Patch6035: backport-malloc-fail-Fix-memory-leak-in-xmlSAX2ExternalSubset.patch +Patch6036: backport-malloc-fail-Fix-memory-leak-in-xmlParseReference.patch +Patch6037: backport-malloc-fail-Fix-use-after-free-in-xmlXIncludeAddNode.patch +Patch6038: backport-malloc-fail-Fix-memory-leak-in-xmlStringGetNodeList.patch +Patch6039: backport-parser-Fix-error-message-in-xmlParseCommentComplex.patch +Patch6040: backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch +Patch6041: backport-reader-Switch-to-xmlParserInputBufferCreateMem.patch +Patch6042: backport-uri-Allow-port-without-host.patch +Patch6043: backport-parser-Fix-consumed-accounting-when-switching-encodi.patch +Patch6044: backport-html-Fix-check-for-end-of-comment-in-push-parser.patch +Patch6045: backport-parser-Fix-push-parser-with-1-3-byte-initial-chunk.patch +Patch6046: backport-parser-Fix-progress-check-when-parsing-character-dat.patch +Patch6047: backport-parser-Restore-parser-state-in-xmlParseCDSect.patch +Patch6048: backport-parser-Remove-dangerous-check-in-xmlParseCharData.patch +Patch6049: backport-parser-Don-t-call-DefaultSAXHandlerInit-from-xmlInit.patch +Patch6050: backport-Correctly-relocate-internal-pointers-after-realloc.patch +Patch6051: backport-Avoid-creating-an-out-of-bounds-pointer-by-rewriting.patch +Patch6052: backport-error-Make-sure-that-error-messages-are-valid-UTF-8.patch +Patch6053: backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch +Patch6054: backport-io-Remove-xmlInputReadCallbackNop.patch +Patch6055: backport-Revert-uri-Allow-port-without-host.patch +Patch6056: backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch +Patch6057: backport-parser-Fix-integer-overflow-of-input-ID.patch +Patch6058: backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch +Patch6059: backport-xpath-number-should-return-NaN.patch +Patch6060: backport-error-Don-t-move-past-current-position.patch +Patch6061: backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch +Patch6062: backport-malloc-fail-Fix-infinite-loop-in-xmlParseTextDecl.patch +Patch6063: backport-malloc-fail-Fix-null-deref-in-xmlAddDefAttrs.patch +Patch6064: backport-malloc-fail-Fix-null-deref-if-growing-input-buffer-fails.patch +Patch6065: backport-malloc-fail-Fix-null-deref-in-xmlSAX2AttributeInternal.patch +Patch6066: backport-malloc-fail-Fix-null-deref-in-xmlBufResize.patch +Patch6067: backport-buf-Fix-return-value-of-xmlBufGetInputBase.patch +Patch6068: backport-malloc-fail-Don-t-call-xmlErrMemory-in-xmlstring.c.patch +Patch6069: backport-malloc-fail-Fix-reallocation-in-inputPush.patch +Patch6070: backport-malloc-fail-Fix-use-after-free-in-xmlParseStartTag2.patch +Patch6071: backport-malloc-fail-Add-error-checks-in-xmlXPathEqualValuesCommon.patch +Patch6072: backport-malloc-fail-Add-error-check-in-xmlXPathEqualNodeSetFloat.patch +Patch6073: backport-malloc-fail-Fix-error-check-in-xmlXPathCompareValues.patch +Patch6074: backport-malloc-fail-Record-malloc-failure-in-xmlXPathCompLiteral.patch +Patch6075: backport-malloc-fail-Check-return-value-of-xmlXPathNodeSetDupNs.patch +Patch6076: backport-malloc-fail-Fix-null-deref-in-xmlXIncludeLoadTxt.patch +Patch6077: backport-malloc-fail-Fix-reallocation-in-xmlXIncludeNewRef.patch +Patch6078: backport-xinclude-Fix-quadratic-behavior-in-xmlXIncludeLoadTx.patch +Patch6079: backport-malloc-fail-Fix-memory-leak-in-xmlParserInputBufferCreateMem.patch +Patch6080: backport-malloc-fail-Check-for-malloc-failure-in-xmlFindCharEncodingHandler.patch +Patch6081: backport-malloc-fail-Fix-leak-of-xmlCharEncodingHandler.patch +Patch6082: backport-malloc-fail-Fix-memory-leak-in-xmlParseEntityDecl.patch +Patch6083: backport-encoding-Cast-toupper-argument-to-unsigned-char.patch +Patch6084: backport-malloc-fail-Fix-memory-leak-in-xmlXPathCompareValues.patch +Patch6085: backport-malloc-fail-Fix-memory-leak-in-xmlXPathTryStreamCompile.patch +Patch6086: backport-malloc-fail-Fix-memory-leak-after-calling-valuePush.patch +Patch6087: backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapNodeSet.patch +Patch6088: backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeAddNode.patch +Patch6089: backport-malloc-fail-Fix-memory-leak-after-xmlRegNewState.patch +Patch6090: backport-malloc-fail-Fix-memory-leak-in-xmlSAX2StartElementNs.patch +Patch6091: backport-malloc-fail-Fix-memory-leak-in-xmlGetDtdElementDesc2.patch +Patch6092: backport-malloc-fail-Fix-memory-leak-in-xmlDocDumpFormatMemoryEnc.patch +Patch6093: backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag1.patch +Patch6094: backport-malloc-fail-Fix-memory-leak-in-xmlXIncludeLoadTxt.patch +Patch6095: backport-malloc-fail-Fix-memory-leak-in-xmlCopyPropList.patch +Patch6096: backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathNodeSetMerge.patch +Patch6097: backport-malloc-fail-Fix-memory-leak-after-calling-xmlXPathWrapString.patch +Patch6098: backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualValuesCommon.patch +Patch6099: backport-malloc-fail-Fix-memory-leak-in-htmlCreateMemoryParserCtxt.patch +Patch6100: backport-malloc-fail-Fix-memory-leak-in-htmlCreatePushParserCtxt.patch +Patch6101: backport-malloc-fail-Fix-infinite-loop-in-htmlParseContentInternal.patch +Patch6102: backport-malloc-fail-Fix-infinite-loop-in-htmlParseStartTag2.patch +Patch6103: backport-malloc-fail-Fix-null-deref-in-htmlnamePush.patch +Patch6104: backport-malloc-fail-Fix-infinite-loop-in-htmlParseDocTypeDecl.patch +Patch6105: backport-malloc-fail-Fix-error-code-in-htmlParseChunk.patch +Patch6106: backport-malloc-fail-Fix-memory-leak-in-xmlFAParseCharProp.patch +Patch6107: backport-malloc-fail-Fix-leak-of-xmlRegAtom.patch +Patch6108: backport-malloc-fail-Fix-memory-leak-in-xmlRegexpCompile.patch +Patch6109: backport-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.patch +Patch6110: backport-parser-Fix-OOB-read-when-formatting-error-message.patch +Patch6111: backport-malloc-fail-Fix-memory-leak-in-xmlXPathEqualNodeSetF.patch +Patch6112: backport-malloc-fail-Fix-use-after-free-related-to-xmlXPathNo.patch +Patch6113: backport-regexp-Add-sanity-check-in-xmlRegCalloc2.patch +Patch6114: backport-malloc-fail-Fix-null-deref-in-xmlXPathCompiledEvalIn.patch +Patch6115: backport-malloc-fail-Fix-null-deref-after-xmlPointerListAddSi.patch +Patch6116: backport-malloc-fail-Fix-memory-leak-in-xmlGetNsList.patch +Patch6117: backport-malloc-fail-Check-for-malloc-failure-in-xmlHashAddEn.patch +Patch6118: backport-malloc-fail-Fix-memory-leak-in-xmlXPathCacheNewNodeS.patch +Patch6119: backport-malloc-fail-Fix-memory-leak-in-xmlXPathDistinctSorte.patch +Patch6120: backport-xpath-Fix-harmless-integer-overflow-in-xmlXPathTrans.patch +Patch6121: backport-malloc-fail-Fix-memory-leak-in-xmlXPathNameFunction.patch +Patch6122: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaItemListAddS.patch +Patch6123: backport-malloc-fail-Fix-null-deref-in-xmlGet-Min-Max-Occurs.patch +Patch6124: backport-malloc-fail-Fix-null-deref-in-xmlSchemaValAtomicType.patch +Patch6125: backport-malloc-fail-Fix-null-deref-in-xmlSchemaInitTypes.patch +Patch6126: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParse.patch +Patch6127: backport-malloc-fail-Fix-memory-leak-in-xmlCopyNamespaceList.patch +Patch6128: backport-malloc-fail-Fix-another-memory-leak-in-xmlSchemaBuck.patch +Patch6129: backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseUnion.patch +Patch6130: backport-malloc-fail-Fix-memory-leak-in-WXS_ADD_-LOCAL-GLOBAL.patch +Patch6131: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaBucketCreate.patch +Patch6132: backport-malloc-fail-Fix-null-deref-in-xmlSchemaParseWildcard.patch +Patch6133: backport-malloc-fail-Fix-type-confusion-after-xmlSchemaFixupT.patch +Patch6134: backport-malloc-fail-Fix-null-deref-after-xmlSchemaItemList-A.patch +Patch6135: backport-malloc-fail-Fix-null-deref-after-xmlSchemaCompareDat.patch +Patch6136: backport-malloc-fail-Fix-memory-leak-in-xmlSchemaParseUnion.patch +Patch6137: backport-malloc-fail-Fix-memory-leak-in-xmlXPathRegisterNs.patch +Patch6138: backport-catalog-Fix-memory-leaks.patch + +Patch6139: backport-CVE-2023-29469.patch +Patch6140: backport-CVE-2023-28484.patch + +Patch6141: backport-valid-Allow-xmlFreeValidCtxt-NULL.patch +Patch6142: backport-parser-Use-size_t-when-subtracting-input-buffer-poin.patch +Patch6143: backport-malloc-fail-Fix-null-deref-in-xmlParserInputShrink.patch +Patch6144: backport-xmllint-Fix-memory-leak-with-pattern-stream.patch +Patch6145: backport-xzlib-Fix-implicit-sign-change-in-xz_open.patch +Patch6146: backport-html-Fix-quadratic-behavior-in-htmlParseTryOrFinish.patch +Patch6147: backport-valid-Make-xmlValidateElement-non-recursive.patch +Patch6148: backport-malloc-fail-Fix-buffer-overread-in-htmlParseScript.patch +Patch6149: backport-malloc-fail-Add-more-error-checks-when-parsing-names.patch +Patch6150: backport-malloc-fail-Add-error-check-in-htmlParseHTMLAttribut.patch +Patch6151: backport-parser-Limit-name-length-in-xmlParseEncName.patch +Patch6152: backport-encoding-Fix-error-code-in-asciiToUTF8.patch +Patch6153: backport-malloc-fail-Fix-buffer-overread-with-HTML-doctype-de.patch +Patch6154: backport-parser-Fix-regression-in-xmlParserNodeInfo-accountin.patch +Patch6155: backport-regexp-Fix-cycle-check-in-xmlFAReduceEpsilonTransiti.patch +Patch6156: backport-regexp-Fix-checks-for-eliminated-transitions.patch +Patch6157: backport-regexp-Fix-determinism-checks.patch +Patch6158: backport-regexp-Fix-mistake-in-previous-commit.patch +Patch6159: backport-regexp-Fix-null-deref-in-xmlFAFinishReduceEpsilonTra.patch +Patch6160: backport-hash-Fix-possible-startup-crash-with-old-libxslt-ver.patch +Patch6161: backport-parser-Fix-old-SAX1-parser-with-custom-callbacks.patch +Patch6162: backport-xmllint-Fix-use-after-free-with-maxmem.patch +Patch6163: backport-malloc-fail-Check-for-malloc-failures-when-creating.patch +Patch6164: backport-malloc-fail-Fix-buffer-overread-after-htmlParseScrip.patch +Patch6165: backport-xmlValidatePopElement-can-return-invalid-value-1.patch +Patch6166: backport-Fix-use-after-free-in-xmlParseContentInternal.patch +Patch6167: backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch + +Patch6168: backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel -- Gitee