From 81c0c9002b0fbdd3ae20543a7217e047e9869bfd Mon Sep 17 00:00:00 2001
From: liningjie
Date: Fri, 1 Sep 2023 18:40:33 +0800
Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
---
 ...ays-initialize-SAX1-element-handlers.patch | 67 +++++++++++++++++++
 ...ld-SAX1-parser-with-custom-callbacks.patch | 32 +++++++++
 libxml2.spec | 7 +-
 3 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 backport-Always-initialize-SAX1-element-handlers.patch
 create mode 100644 backport-Fix-old-SAX1-parser-with-custom-callbacks.patch
diff --git a/backport-Always-initialize-SAX1-element-handlers.patch b/backport-Always-initialize-SAX1-element-handlers.patch
new file mode 100644
index 0000000..1f91b55
--- /dev/null
+++ b/backport-Always-initialize-SAX1-element-handlers.patch
@@ -0,0 +1,67 @@
+From ada244838be435acac2fd0f18c6a2282f1efe504 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 26 Sep 2023 13:59:01 +0800
+Subject: [PATCH] SAX: Always initialize SAX1 element handlers
+
+Follow-up to commit d0c3f01e. A parser context will be initialized to
+SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
+so we must initialize the SAX1 element handlers as well.
+
+Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
+we don't switch to SAX1 if the SAX2 element handlers are NULL.
+---
+ SAX2.c | 11 +++++++----
+ parser.c | 5 ++---
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index 6045ca1..10bc0a9 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -2839,20 +2839,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version)
+ {
+ if (hdlr == NULL) return(-1);
+ if (version == 2) {
+- hdlr->startElement = NULL;
+- hdlr->endElement = NULL;
+ hdlr->startElementNs = xmlSAX2StartElementNs;
+ hdlr->endElementNs = xmlSAX2EndElementNs;
+ hdlr->serror = NULL;
+ hdlr->initialized = XML_SAX2_MAGIC;
+ #ifdef LIBXML_SAX1_ENABLED
+ } else if (version == 1) {
+- hdlr->startElement = xmlSAX2StartElement;
+- hdlr->endElement = xmlSAX2EndElement;
+ hdlr->initialized = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+ } else
+ return(-1);
++#ifdef LIBXML_SAX1_ENABLED
++ hdlr->startElement = xmlSAX2StartElement;
++ hdlr->endElement = xmlSAX2EndElement;
++#else
++ hdlr->startElement = NULL;
++ hdlr->endElement = NULL;
++#endif /* LIBXML_SAX1_ENABLED */
+ hdlr->internalSubset = xmlSAX2InternalSubset;
+ hdlr->externalSubset = xmlSAX2ExternalSubset;
+ hdlr->isStandalone = xmlSAX2IsStandalone;
+diff --git a/parser.c b/parser.c
+index 93f89be..28170ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1100,9 +1100,8 @@ static void
+ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) return;
+ #ifdef LIBXML_SAX1_ENABLED
+- if ((ctxt->sax) && (ctxt->sax->initialized == XML_SAX2_MAGIC) &&
+- ((ctxt->sax->startElementNs != NULL) ||
+- (ctxt->sax->endElementNs != NULL))) ctxt->sax2 = 1;
++ if ((ctxt->sax) && (ctxt->sax->initialized == XML_SAX2_MAGIC))
++ ctxt->sax2 = 1;
+ #else
+ ctxt->sax2 = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+--
+2.27.0
+
diff --git a/backport-Fix-old-SAX1-parser-with-custom-callbacks.patch b/backport-Fix-old-SAX1-parser-with-custom-callbacks.patch
new file mode 100644
index 0000000..50fba55
--- /dev/null
+++ b/backport-Fix-old-SAX1-parser-with-custom-callbacks.patch
@@ -0,0 +1,32 @@
+From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 6 May 2023 17:47:37 +0200
+Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
+
+For some reason, xmlCtxtUseOptionsInternal set the start and end element
+SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
+was specified. This means that custom SAX handlers could never work with
+that flag because these functions would receive the wrong user data
+argument and crash immediately.
+
+Fixes #535.
+---
+ parser.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index bb05791d3..0c8bed129 100644
+--- a/parser.c
++++ b/parser.c
+@@ -14479,8 +14479,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ }
+ #ifdef LIBXML_SAX1_ENABLED
+ if (options & XML_PARSE_SAX1) {
+- ctxt->sax->startElement = xmlSAX2StartElement;
+- ctxt->sax->endElement = xmlSAX2EndElement;
+ ctxt->sax->startElementNs = NULL;
+ ctxt->sax->endElementNs = NULL;
+ ctxt->sax->initialized = 1;
+--
+GitLab
+
diff --git a/libxml2.spec b/libxml2.spec
index 208e4f1..5042e1d 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 34
+Release: 35
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
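Review bot: The header of this new patch file does not look like an upstream export: its `Date: Tue, 26 Sep 2023 13:59:01 +0800` postdates the enclosing commit's own `Date: Fri, 1 Sep 2023`, it uses a different zone from the sibling backport (`+0200`, signed `GitLab`), and the blob ids `6045ca1..10bc0a9` are short local abbreviations, which suggests the file was regenerated from a local rebase of libxml2 commit ada24483 rather than taken from upstream. That leaves no way to audit the backport against the original, which matters for a parser library every consumer of the package links against. Keep the upstream author date and add a trailer such as `(cherry picked from commit ada244838be435acac2fd0f18c6a2282f1efe504)` or a `Reference:` URL to the upstream commit in the header. Because xmlSAXVersion now also fills `startElement`/`endElement` for SAX2 handlers, the rebase should also be checked against any other 2.9.10 code that treats a non-NULL `startElement` as meaning SAX1 — upstream adjusted xmlDetectSAX2 for exactly this reason, but against a newer tree, so I cannot tell from here whether 2.9.10 has further such checks.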
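Review bot: After this hunk drops the two `ctxt->sax->startElement`/`endElement` assignments, a context whose handler was set up by `xmlSAXVersion(sax, 2)` and is then switched with XML_PARSE_SAX1 is left with those two SAX1 element callbacks still NULL, so SAX1 parsing with the default handler would report no elements; that is only repaired by the companion patch (upstream ada24483, applied as Patch122 after this one), and nothing in this file says so. Record the dependency in the patch header, e.g. add `Note: must be applied together with backport-Always-initialize-SAX1-element-handlers.patch (upstream ada24483).` below `Fixes #535.`, so the two cannot be separated when this patch is reused on another branch. The rest of xmlCtxtUseOptionsInternal, including the `options -= XML_PARSE_SAX1` handling that presumably follows, is outside the hunk.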
@@ -131,6 +131,8 @@ Patch117:backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
 Patch118:backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
 Patch119:backport-CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
 Patch120:backport-CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
+Patch121:backport-Fix-old-SAX1-parser-with-custom-callbacks.patch
+Patch122:backport-Always-initialize-SAX1-element-handlers.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
@@ -322,6 +324,9 @@ rm -fr %{buildroot}
 %changelog
+* Fri Sep 01 2023 liningjie - 2.9.10-35
+- Fix old SAX1 parser with custom callbacks
+
 * Thu Apr 20 2023 BruceGW - 2.9.10-34
 - Type:CVE
 - CVE:CVE-2023-28484 CVE-2023-29469
--
Gitee
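Review bot: The two `Patch121`/`Patch122` lines add two distinct upstream fixes, but the only description in the package history is the changelog line `Fix old SAX1 parser with custom callbacks`, which names just Patch121; Patch122 also changes how xmlDetectSAX2 decides that a handler is SAX2 and is not mentioned anywhere. The entry below the new one carries `- Type:…` metadata that the new entry drops, so it also breaks the format the file already uses. I would follow that format and name both upstream commits, e.g. `- Type:bugfix` followed by `- DESC:backport upstream d0c3f01e and ada24483: fix old SAX1 parser with custom callbacks, always initialize SAX1 element handlers`, so a later reader can map each patch back to its origin.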