From a56ae8498b920b1de2e250537fa49bd268ab783f Mon Sep 17 00:00:00 2001
From: zou_lin77 <422351577@qq.com>
Date: Sat, 29 May 2021 17:41:53 +0800
Subject: [PATCH] add patches from upstream

(cherry picked from commit 5329b9f9e55ea71b819e7db850aefd8fe89b814b)
---
 ...angling-pointer-with-xmllint-dropdtd.patch | 25 +++
 ...xmlStrEqual-calls-in-htmlParseEndTag.patch | 33 ++++
 ...ial-behavior-with-recursive-entities.patch | 48 ++++++
 ...of-unexpected-EOF-in-xmlParseContent.patch | 125 ++++++++++++++
 ...-in-error-messages-for-mismatched-ta.patch | 162 ++++++++++++++++++
 Fix-null-deref-in-legacy-SAX1-parser.patch | 54 ++++++
 ...havior-when-looking-up-xml-attribute.patch | 44 +++++
 ...se-after-free-with-xmllint-html-push.patch | 31 ++++
 ...lGetNodePath-with-invalid-node-types.patch | 35 ++++
 ...ecking-attributes-for-UTF-8-validity.patch | 54 ++++++
 libxml2.spec | 30 +++-
 update-for-xsd-language-type-check.patch | 72 ++++++++
 12 files changed, 712 insertions(+), 1 deletion(-)
 create mode 100644 Fix-dangling-pointer-with-xmllint-dropdtd.patch
 create mode 100644 Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch
 create mode 100644 Fix-exponential-behavior-with-recursive-entities.patch
 create mode 100644 Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch
 create mode 100644 Fix-line-numbers-in-error-messages-for-mismatched-ta.patch
 create mode 100644 Fix-null-deref-in-legacy-SAX1-parser.patch
 create mode 100644 Fix-quadratic-behavior-when-looking-up-xml-attribute.patch
 create mode 100644 Fix-use-after-free-with-xmllint-html-push.patch
 create mode 100644 Fix-xmlGetNodePath-with-invalid-node-types.patch
 create mode 100644 Stop-checking-attributes-for-UTF-8-validity.patch
 create mode 100644 update-for-xsd-language-type-check.patch

diff --git a/Fix-dangling-pointer-with-xmllint-dropdtd.patch b/Fix-dangling-pointer-with-xmllint-dropdtd.patch
new file mode 100644
index 0000000..9dc5dd6
--- /dev/null
+++ b/Fix-dangling-pointer-with-xmllint-dropdtd.patch
@@ -0,0 +1,25 @@ +From 72b3c067cedbb80dbbac755cca79ff502c858ad5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 22 Apr 2021 19:24:50 +0200 +Subject: [PATCH] Fix dangling pointer with `xmllint --dropdtd` + +Reset doc->intSubset when dropping the DTD. +--- + xmllint.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xmllint.c b/xmllint.c +index dbef273..a3fe10a 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2426,6 +2426,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + dtd = xmlGetIntSubset(doc); + if (dtd != NULL) { + xmlUnlinkNode((xmlNodePtr)dtd); ++ doc->intSubset = NULL; + xmlFreeDtd(dtd); + } + } +-- +1.8.3.1 + diff --git a/Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch b/Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch new file mode 100644 index 0000000..291bc96 --- /dev/null +++ b/Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch @@ -0,0 +1,33 @@ +From 683de7efe4a4178d62fab85d8c5f4c3bed36b984 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 4 Mar 2021 19:06:04 +0100 +Subject: [PATCH] Fix duplicate xmlStrEqual calls in htmlParseEndTag + +--- + HTMLparser.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index e63e9b7..adefb3b 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -4207,12 +4207,10 @@ htmlParseEndTag(htmlParserCtxtPtr ctxt) + * With the exception that the autoclose may have popped stuff out + * of the stack. + */ +- if (!xmlStrEqual(name, ctxt->name)) { +- if ((ctxt->name != NULL) && (!xmlStrEqual(ctxt->name, name))) { +- htmlParseErr(ctxt, XML_ERR_TAG_NAME_MISMATCH, +- "Opening and ending tag mismatch: %s and %s\n", +- name, ctxt->name); +- } ++ if ((ctxt->name != NULL) && (!xmlStrEqual(ctxt->name, name))) { ++ htmlParseErr(ctxt, XML_ERR_TAG_NAME_MISMATCH, ++ "Opening and ending tag mismatch: %s and %s\n", ++ name, ctxt->name); + } + + /* +-- +1.8.3.1 + 
diff --git a/Fix-exponential-behavior-with-recursive-entities.patch b/Fix-exponential-behavior-with-recursive-entities.patch new file mode 100644 index 0000000..769e45a --- /dev/null +++ b/Fix-exponential-behavior-with-recursive-entities.patch @@ -0,0 +1,48 @@ +From c3fd8c429591e06eb847c11bc9273d13b3450d53 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 13 Mar 2021 17:19:32 +0100 +Subject: [PATCH] Fix exponential behavior with recursive entities + +Fix another case where only recursion depth was limited, but entities +would still be expanded over and over again. + +The test case discovered by fuzzing only affected parsing in recovery +mode with XML_PARSE_RECOVER. + +Found by OSS-Fuzz. +--- + parser.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/parser.c b/parser.c +index efde672..b42e604 100644 +--- a/parser.c ++++ b/parser.c +@@ -2684,8 +2684,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + rep = xmlStringDecodeEntities(ctxt, ent->content, what, + 0, 0, 0); + ctxt->depth--; +- if (rep == NULL) ++ if (rep == NULL) { ++ ent->content[0] = 0; + goto int_error; ++ } + + current = rep; + while (*current != 0) { /* non input consuming loop */ +@@ -2740,8 +2742,11 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + rep = xmlStringDecodeEntities(ctxt, ent->content, what, + 0, 0, 0); + ctxt->depth--; +- if (rep == NULL) ++ if (rep == NULL) { ++ if (ent->content != NULL) ++ ent->content[0] = 0; + goto int_error; ++ } + current = rep; + while (*current != 0) { /* non input consuming loop */ + buffer[nbchars++] = *current++; +-- +1.8.3.1 + diff --git a/Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch b/Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch new file mode 100644 index 0000000..a8484a7 --- /dev/null +++ b/Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch 
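Review bot: The first parser.c hunk (the `rep = xmlStringDecodeEntities` site at `@@ -2684`) stores `ent->content[0] = 0;` unconditionally, while the second hunk at `@@ -2740` guards the same store with `if (ent->content != NULL)`; the asymmetry is only safe if the enclosing `else if` at the first site, which lies outside the hunk, already tests `ent->content != NULL`, as it appears to upstream but cannot be verified from this patch alone. A one-line comment at the first store, `/* ent->content is non-NULL here: the enclosing branch checked it */`, would make the difference intentional rather than a question on every future backport. Both stores also truncate the entity's stored content in place, so any later reference to the same entity in the document expands to nothing; that is presumably the intended way to stop repeated expansion, and a sentence saying so in the spec changelog would help downstream users reading recovery-mode output.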
@@ -0,0 +1,125 @@ +From de5b624f10e9d29ff1b3bbc07358774a3725898e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 8 May 2021 20:21:29 +0200 +Subject: [PATCH] Fix handling of unexpected EOF in xmlParseContent + +Readd the XML_ERR_TAG_NOT_FINISHED error on unexpected EOF which was +removed in commit 62150ed2. + +This commit also introduced a regression for direct users of +xmlParseContent. Unclosed tags weren't checked. +--- + parser.c | 48 +++++++++++++++++++++++++++++++++++++------- + python/tests/tstLastError.py | 4 ++-- + result/errors/754947.xml.err | 2 +- + 3 files changed, 44 insertions(+), 10 deletions(-) + +diff --git a/parser.c b/parser.c +index c2948ca..dd58282 100644 +--- a/parser.c ++++ b/parser.c +@@ -9837,16 +9837,15 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + } + + /** +- * xmlParseContent: ++ * xmlParseContentInternal: + * @ctxt: an XML parser context + * +- * Parse a content: +- * +- * [43] content ::= (element | CharData | Reference | CDSect | PI | Comment)* ++ * Parse a content sequence. Stops at EOF or 'nameNr; + + GROW; +@@ -9922,6 +9921,30 @@ xmlParseContent(xmlParserCtxtPtr ctxt) { + } + + /** ++ * xmlParseContent: ++ * @ctxt: an XML parser context ++ * ++ * Parse a content sequence. 
Stops at EOF or 'nameNr; ++ ++ xmlParseContentInternal(ctxt); ++ ++ if ((ctxt->instate != XML_PARSER_EOF) && (ctxt->nameNr > nameNr)) { ++ const xmlChar *name = ctxt->nameTab[ctxt->nameNr - 1]; ++ int line = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 2]; ++ xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_TAG_NOT_FINISHED, ++ "Premature end of data in tag %s line %d\n", ++ name, line, NULL); ++ } ++} ++ ++/** + * xmlParseElement: + * @ctxt: an XML parser context + * +@@ -9939,9 +9962,20 @@ void + xmlParseElement(xmlParserCtxtPtr ctxt) { + if (xmlParseElementStart(ctxt) != 0) + return; +- xmlParseContent(ctxt); ++ ++ xmlParseContentInternal(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + return; ++ ++ if (CUR == 0) { ++ const xmlChar *name = ctxt->nameTab[ctxt->nameNr - 1]; ++ int line = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 2]; ++ xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_TAG_NOT_FINISHED, ++ "Premature end of data in tag %s line %d\n", ++ name, line, NULL); ++ return; ++ } ++ + xmlParseElementEnd(ctxt); + } + +diff --git a/python/tests/tstLastError.py b/python/tests/tstLastError.py +index 1758a9f..36ffe5f 100755 +--- a/python/tests/tstLastError.py ++++ b/python/tests/tstLastError.py +@@ -71,8 +71,8 @@ class TestCase(unittest.TestCase): + (s,len(s),"dummy.xml",None,0), + libxml2.treeError, + domain=libxml2.XML_FROM_PARSER, +- code=libxml2.XML_ERR_LTSLASH_REQUIRED, +- message='EndTag: \' + ^ +-./test/errors/754947.xml:1: parser error : EndTag: ' + ^ +-- +1.8.3.1 + diff --git a/Fix-line-numbers-in-error-messages-for-mismatched-ta.patch b/Fix-line-numbers-in-error-messages-for-mismatched-ta.patch new file mode 100644 index 0000000..163b809 --- /dev/null +++ b/Fix-line-numbers-in-error-messages-for-mismatched-ta.patch 
@@ -0,0 +1,162 @@ +From 3e80560d4bbf2768c90b9a017743ec45f26c3c1c Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 May 2021 10:51:38 +0200 +Subject: [PATCH] Fix line numbers in error messages for mismatched tags + +Commit 62150ed2 introduced a small regression in the error messages for +mismatched tags. This typically only affected messages after the first +mismatch, but with custom SAX handlers all line numbers would be off. + +This also fixes line numbers in the SAX push parser which were never +handled correctly. +--- + parser.c | 38 +++++++++++++++++++++++--------------- + python/tests/ctxterror.py | 2 +- + result/errors/759398.xml.err | 4 ++-- + 3 files changed, 26 insertions(+), 18 deletions(-) + +diff --git a/parser.c b/parser.c +index 73c27ed..c2948ca 100644 +--- a/parser.c ++++ b/parser.c +@@ -1838,6 +1838,8 @@ nodePop(xmlParserCtxtPtr ctxt) + * @value: the element name + * @prefix: the element prefix + * @URI: the element namespace name ++ * @line: the current line number for error messages ++ * @nsNr: the number of namespaces pushed on the namespace table + * + * Pushes a new element name/prefix/URL on top of the name stack + * +@@ -1845,7 +1847,7 @@ nodePop(xmlParserCtxtPtr ctxt) + */ + static int + nameNsPush(xmlParserCtxtPtr ctxt, const xmlChar * value, +- const xmlChar *prefix, const xmlChar *URI, int nsNr) ++ const xmlChar *prefix, const xmlChar *URI, int line, int nsNr) + { + if (ctxt->nameNr >= ctxt->nameMax) { + const xmlChar * *tmp; +@@ -1860,7 +1862,7 @@ nameNsPush(xmlParserCtxtPtr ctxt, const xmlChar * value, + } + ctxt->nameTab = tmp; + tmp2 = (void **) xmlRealloc((void * *)ctxt->pushTab, +- ctxt->nameMax * 3 * ++ ctxt->nameMax * 4 * + sizeof(ctxt->pushTab[0])); + if (tmp2 == NULL) { + ctxt->nameMax /= 2; +@@ -1868,16 +1870,17 @@ nameNsPush(xmlParserCtxtPtr ctxt, const xmlChar * value, + } + ctxt->pushTab = tmp2; + } else if (ctxt->pushTab == NULL) { +- ctxt->pushTab = (void **) xmlMalloc(ctxt->nameMax * 3 * ++ ctxt->pushTab = 
(void **) xmlMalloc(ctxt->nameMax * 4 * + sizeof(ctxt->pushTab[0])); + if (ctxt->pushTab == NULL) + goto mem_error; + } + ctxt->nameTab[ctxt->nameNr] = value; + ctxt->name = value; +- ctxt->pushTab[ctxt->nameNr * 3] = (void *) prefix; +- ctxt->pushTab[ctxt->nameNr * 3 + 1] = (void *) URI; +- ctxt->pushTab[ctxt->nameNr * 3 + 2] = (void *) (ptrdiff_t) nsNr; ++ ctxt->pushTab[ctxt->nameNr * 4] = (void *) prefix; ++ ctxt->pushTab[ctxt->nameNr * 4 + 1] = (void *) URI; ++ ctxt->pushTab[ctxt->nameNr * 4 + 2] = (void *) (ptrdiff_t) line; ++ ctxt->pushTab[ctxt->nameNr * 4 + 3] = (void *) (ptrdiff_t) nsNr; + return (ctxt->nameNr++); + mem_error: + xmlErrMemory(ctxt, NULL); +@@ -9998,7 +10001,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { + return(-1); + } + if (ctxt->sax2) +- nameNsPush(ctxt, name, prefix, URI, ctxt->nsNr - nsNr); ++ nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr); + #ifdef LIBXML_SAX1_ENABLED + else + namePush(ctxt, name); +@@ -10095,10 +10098,11 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt) { + * parse the end of tag: 'sax2) { +- const xmlChar *prefix = ctxt->pushTab[ctxt->nameNr * 3 - 3]; +- const xmlChar *URI = ctxt->pushTab[ctxt->nameNr * 3 - 2]; +- int nsNr = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 3 - 1]; +- xmlParseEndTag2(ctxt, prefix, URI, 0, nsNr, 0); ++ const xmlChar *prefix = ctxt->pushTab[ctxt->nameNr * 4 - 4]; ++ const xmlChar *URI = ctxt->pushTab[ctxt->nameNr * 4 - 3]; ++ int line = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 2]; ++ int nsNr = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 1]; ++ xmlParseEndTag2(ctxt, prefix, URI, line, nsNr, 0); + namePop(ctxt); + } + #ifdef LIBXML_SAX1_ENABLED +@@ -11373,6 +11377,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { + const xmlChar *name; + const xmlChar *prefix = NULL; + const xmlChar *URI = NULL; ++ int line = ctxt->input->line; + int nsNr = ctxt->nsNr; + + if ((avail < 2) && (ctxt->inputNr == 1)) +@@ -11471,7 +11476,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr 
ctxt, int terminate) { + spacePop(ctxt); + } + if (ctxt->sax2) +- nameNsPush(ctxt, name, prefix, URI, ctxt->nsNr - nsNr); ++ nameNsPush(ctxt, name, prefix, URI, line, ++ ctxt->nsNr - nsNr); + #ifdef LIBXML_SAX1_ENABLED + else + namePush(ctxt, name); +@@ -11593,10 +11599,12 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { + } + if (ctxt->sax2) { + xmlParseEndTag2(ctxt, +- (void *) ctxt->pushTab[ctxt->nameNr * 3 - 3], +- (void *) ctxt->pushTab[ctxt->nameNr * 3 - 2], 0, ++ (void *) ctxt->pushTab[ctxt->nameNr * 4 - 4], ++ (void *) ctxt->pushTab[ctxt->nameNr * 4 - 3], ++ (int) (ptrdiff_t) ++ ctxt->pushTab[ctxt->nameNr * 4 - 2], + (int) (ptrdiff_t) +- ctxt->pushTab[ctxt->nameNr * 3 - 1], 0); ++ ctxt->pushTab[ctxt->nameNr * 4 - 1], 0); + nameNsPop(ctxt); + } + #ifdef LIBXML_SAX1_ENABLED +diff --git a/python/tests/ctxterror.py b/python/tests/ctxterror.py +index 416e384..ac64624 100755 +--- a/python/tests/ctxterror.py ++++ b/python/tests/ctxterror.py +@@ -10,7 +10,7 @@ import libxml2 + libxml2.debugMemory(1) + + expect="""--> (3) xmlns: URI foo is not absolute +---> (4) Opening and ending tag mismatch: x line 0 and y ++--> (4) Opening and ending tag mismatch: x line 1 and y + """ + + err="" +diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err +index bc9e5e0..f6036a3 100644 +--- a/result/errors/759398.xml.err ++++ b/result/errors/759398.xml.err +@@ -1,10 +1,10 @@ + ./test/errors/759398.xml:210: parser error : StartTag: invalid element name + need to worry about parsers whi + ^ + ./test/errors/759398.xml:316: parser error : Extra content at the end of the document +-- +1.8.3.1 + diff --git a/Fix-null-deref-in-legacy-SAX1-parser.patch b/Fix-null-deref-in-legacy-SAX1-parser.patch new file mode 100644 index 0000000..f28f1b7 --- /dev/null +++ b/Fix-null-deref-in-legacy-SAX1-parser.patch 
@@ -0,0 +1,54 @@ +From bfd2f4300fb348a0fb8265a17546a0eb8bdec719 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 9 May 2021 18:56:57 +0200 +Subject: [PATCH] Fix null deref in legacy SAX1 parser + +Always call nameNsPush instead of namePush. The latter is unused now +and should probably be removed from the public API. I can't see how +it could be used reasonably from client code and the unprefixed name +has always polluted the global namespace. + +Fixes a null pointer dereference introduced with de5b624f when parsing +in SAX1 mode. + +Found by OSS-Fuzz. +--- + parser.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/parser.c b/parser.c +index 9bda945..f5e5e16 100644 +--- a/parser.c ++++ b/parser.c +@@ -10025,12 +10025,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) { + spacePop(ctxt); + return(-1); + } +- if (ctxt->sax2) +- nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr); +-#ifdef LIBXML_SAX1_ENABLED +- else +- namePush(ctxt, name); +-#endif /* LIBXML_SAX1_ENABLED */ ++ nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr); + ret = ctxt->node; + + #ifdef LIBXML_VALID_ENABLED +@@ -11496,13 +11491,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { + nodePop(ctxt); + spacePop(ctxt); + } +- if (ctxt->sax2) +- nameNsPush(ctxt, name, prefix, URI, line, +- ctxt->nsNr - nsNr); +-#ifdef LIBXML_SAX1_ENABLED +- else +- namePush(ctxt, name); +-#endif /* LIBXML_SAX1_ENABLED */ ++ nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr); + + ctxt->instate = XML_PARSER_CONTENT; + ctxt->progressive = 1; +-- +1.8.3.1 + diff --git a/Fix-quadratic-behavior-when-looking-up-xml-attribute.patch b/Fix-quadratic-behavior-when-looking-up-xml-attribute.patch new file mode 100644 index 0000000..e967627 --- /dev/null +++ b/Fix-quadratic-behavior-when-looking-up-xml-attribute.patch 
@@ -0,0 +1,44 @@ +From 688b41a0fb06cf1ab5173308f6a8db5089ba6e14 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 1 Mar 2021 14:17:42 +0100 +Subject: [PATCH] Fix quadratic behavior when looking up xml:* attributes + +Add a special case for the predefined XML namespace when looking up DTD +attribute defaults in xmlGetPropNodeInternal to avoid calling +xmlGetNsList. + +This fixes quadratic behavior in + +- xmlNodeGetBase +- xmlNodeGetLang +- xmlNodeGetSpacePreserve + +Found by OSS-Fuzz. +--- + tree.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tree.c b/tree.c +index d6ea704..617e818 100644 +--- a/tree.c ++++ b/tree.c +@@ -6589,6 +6589,16 @@ xmlGetPropNodeInternal(const xmlNode *node, const xmlChar *name, + attrDecl = xmlGetDtdQAttrDesc(doc->extSubset, + elemQName, name, NULL); + } ++ } else if (xmlStrEqual(nsName, XML_XML_NAMESPACE)) { ++ /* ++ * The XML namespace must be bound to prefix 'xml'. ++ */ ++ attrDecl = xmlGetDtdQAttrDesc(doc->intSubset, ++ elemQName, name, BAD_CAST "xml"); ++ if ((attrDecl == NULL) && (doc->extSubset != NULL)) { ++ attrDecl = xmlGetDtdQAttrDesc(doc->extSubset, ++ elemQName, name, BAD_CAST "xml"); ++ } + } else { + xmlNsPtr *nsList, *cur; + +-- +1.8.3.1 + diff --git a/Fix-use-after-free-with-xmllint-html-push.patch b/Fix-use-after-free-with-xmllint-html-push.patch new file mode 100644 index 0000000..c70c5a6 --- /dev/null +++ b/Fix-use-after-free-with-xmllint-html-push.patch 
@@ -0,0 +1,31 @@ +From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 21 Apr 2021 13:23:27 +0200 +Subject: [PATCH] Fix use-after-free with `xmllint --html --push` + +Call htmlCtxtUseOptions to make sure that names aren't stored in +dictionaries. + +Note that this issue only affects xmllint using the HTML push parser. + +Fixes #230. +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index 6ca1bf5..dbef273 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + if (res > 0) { + ctxt = htmlCreatePushParserCtxt(NULL, NULL, + chars, res, filename, XML_CHAR_ENCODING_NONE); +- xmlCtxtUseOptions(ctxt, options); ++ htmlCtxtUseOptions(ctxt, options); + while ((res = fread(chars, 1, pushsize, f)) > 0) { + htmlParseChunk(ctxt, chars, res, 0); + } +-- +1.8.3.1 + diff --git a/Fix-xmlGetNodePath-with-invalid-node-types.patch b/Fix-xmlGetNodePath-with-invalid-node-types.patch new file mode 100644 index 0000000..214719c --- /dev/null +++ b/Fix-xmlGetNodePath-with-invalid-node-types.patch 
@@ -0,0 +1,35 @@ +From e20c9c148c725e2933efa143ee6a543a5cae4204 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 13 Mar 2021 18:41:47 +0100 +Subject: [PATCH] Fix xmlGetNodePath with invalid node types + +Make xmlGetNodePath return NULL instead of invalid XPath when hitting +unsupported node types like DTD content. + +Reported here: +https://mail.gnome.org/archives/xml/2021-January/msg00012.html + +Original report: +https://bugs.php.net/bug.php?id=80680 +--- + tree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tree.c b/tree.c +index dbc87aa..c707f59 100644 +--- a/tree.c ++++ b/tree.c +@@ -4893,7 +4893,9 @@ xmlGetNodePath(const xmlNode *node) + } + next = ((xmlAttrPtr) cur)->parent; + } else { +- next = cur->parent; ++ xmlFree(buf); ++ xmlFree(buffer); ++ return (NULL); + } + + /* +-- +1.8.3.1 + diff --git a/Stop-checking-attributes-for-UTF-8-validity.patch b/Stop-checking-attributes-for-UTF-8-validity.patch new file mode 100644 index 0000000..0862115 --- /dev/null +++ b/Stop-checking-attributes-for-UTF-8-validity.patch 
@@ -0,0 +1,54 @@ +From a6e6498fb1d11f08c394ecbf69add6cfff815db0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 2 Mar 2021 13:09:06 +0100 +Subject: [PATCH] Stop checking attributes for UTF-8 validity + +I can't see a reason to check attribute content for UTF-8 validity. +Other parts of the API like xmlNewText have always assumed valid UTF-8 +as extra checks only slow down processing. + +Besides, setting doc->encoding to "ISO-8859-1" seems pointless, and not +freeing the old encoding would cause a memory leak. + +Note that this was last changed in 2008 with commit 6f8611fd which +removed unnecessary encoding/decoding steps. Setting attributes should +be even faster now. + +Found by OSS-Fuzz. +--- + tree.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/tree.c b/tree.c +index 617e818..17db445 100644 +--- a/tree.c ++++ b/tree.c +@@ -1901,12 +1901,6 @@ xmlNewPropInternal(xmlNodePtr node, xmlNsPtr ns, + if (value != NULL) { + xmlNodePtr tmp; + +- if(!xmlCheckUTF8(value)) { +- xmlTreeErr(XML_TREE_NOT_UTF8, (xmlNodePtr) doc, +- NULL); +- if (doc != NULL) +- doc->encoding = xmlStrdup(BAD_CAST "ISO-8859-1"); +- } + cur->children = xmlNewDocText(doc, value); + cur->last = NULL; + tmp = cur->children; +@@ -6945,12 +6939,6 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name, + if (value != NULL) { + xmlNodePtr tmp; + +- if(!xmlCheckUTF8(value)) { +- xmlTreeErr(XML_TREE_NOT_UTF8, (xmlNodePtr) node->doc, +- NULL); +- if (node->doc != NULL) +- node->doc->encoding = xmlStrdup(BAD_CAST "ISO-8859-1"); +- } + prop->children = xmlNewDocText(node->doc, value); + prop->last = NULL; + tmp = prop->children; +-- +1.8.3.1 + diff --git a/libxml2.spec b/libxml2.spec index 97f69d5..fe4d98b 100644 --- a/libxml2.spec +++ b/libxml2.spec 
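Review bot: Both tree.c hunks delete the `xmlCheckUTF8(value)` test together with the XML_TREE_NOT_UTF8 report in xmlNewPropInternal and xmlSetNsProp, so API users that relied on that error for non-UTF-8 attribute values silently stop receiving it; for a distribution package that is a visible behaviour change, not only a bug fix, and the spec changelog entry for this release (which files everything under Type:bugfix) should say so. The justification worth carrying over from the upstream message is that the old path assigned a new doc->encoding without freeing the previous string, i.e. it leaked on every invalid value. The code itself matches upstream a6e6498f and needs no change.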
@@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.10 -Release: 14 +Release: 15 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -72,6 +72,17 @@ Patch60: backport-Fix-integer-overflow-in-xmlSchemaGetParticleTotalRan.patch Patch61: backport-CVE-2021-3537.patch Patch62: CVE-2021-3517.patch Patch63: CVE-2021-3518.patch +Patch64: Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch +Patch65: Fix-line-numbers-in-error-messages-for-mismatched-ta.patch +Patch66: Fix-null-deref-in-legacy-SAX1-parser.patch +Patch67: update-for-xsd-language-type-check.patch +Patch68: Fix-dangling-pointer-with-xmllint-dropdtd.patch +Patch69: Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch +Patch70: Fix-exponential-behavior-with-recursive-entities.patch +Patch71: Fix-quadratic-behavior-when-looking-up-xml-attribute.patch +Patch72: Fix-use-after-free-with-xmllint-html-push.patch +Patch73: Fix-xmlGetNodePath-with-invalid-node-types.patch +Patch74: Stop-checking-attributes-for-UTF-8-validity.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python2-devel @@ -264,6 +275,23 @@ rm -fr %{buildroot} %changelog +* Sat May 29 2021 zoulin - 2.9.10-15 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:[add] patches from upstream + Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch + Fix-line-numbers-in-error-messages-for-mismatched-ta.patch + Fix-null-deref-in-legacy-SAX1-parser.patch + update-for-xsd-language-type-check.patch + Fix-dangling-pointer-with-xmllint-dropdtd.patch + Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch + Fix-exponential-behavior-with-recursive-entities.patch + Fix-quadratic-behavior-when-looking-up-xml-attribute.patch + Fix-use-after-free-with-xmllint-html-push.patch + Fix-xmlGetNodePath-with-invalid-node-types.patch + Stop-checking-attributes-for-UTF-8-validity.patch + * Fri May 28 2021 guoxiaoqi - 2.9.10-14 - Type:CVE - ID:CVE-2021-3537, CVE-2021-3517 
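Review bot: Patch64 and Patch65 are declared in the reverse of their upstream order: Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch (de5b624f, parser.c index c2948ca..dd58282) reads `ctxt->pushTab[ctxt->nameNr * 4 - 2]`, a layout that only exists once Fix-line-numbers-in-error-messages-for-mismatched-ta.patch (3e80560d, index 73c27ed..c2948ca) has widened nameNsPush from 3 to 4 slots per entry. Both patches will probably still apply with offsets and the final tree is the same, but the intermediate state is inconsistent and any future rebase conflict is harder to diagnose; swapping the two declarations to `Patch64: Fix-line-numbers-in-error-messages-for-mismatched-ta.patch` and `Patch65: Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch` restores the upstream sequence. Fix-null-deref-in-legacy-SAX1-parser.patch starts from blob 9bda945 rather than dd58282, which suggests at least one intervening upstream parser.c change is not carried here, so it is worth confirming in the %prep output that its two hunks apply without fuzz. The %prep section is outside this diff, so whether patches are applied in numeric order cannot be confirmed from here.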
diff --git a/update-for-xsd-language-type-check.patch b/update-for-xsd-language-type-check.patch new file mode 100644 index 0000000..9cbdf6e --- /dev/null +++ b/update-for-xsd-language-type-check.patch 
@@ -0,0 +1,72 @@ +From 33468d7e7080e384ad703a2369003cf18b2ad91d Mon Sep 17 00:00:00 2001 +From: PaulHiggs +Date: Mon, 3 May 2021 16:09:44 +0100 +Subject: [PATCH] update for xsd:language type check + +Fixes #242. +--- + xmlschemastypes.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 07b5fd7..9c2dff0 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -2187,6 +2187,44 @@ xmlSchemaParseUInt(const xmlChar **str, unsigned long *llo, + return(ret); + } + ++/* ++ * xmlSchemaCheckLanguageType ++ * @value: the value to check ++ * ++ * Check that a value conforms to the lexical space of the language datatype. ++ * Must conform to [a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})* ++ * ++ * Returns 1 if this validates, 0 otherwise. ++ */ ++static int ++xmlSchemaCheckLanguageType(const xmlChar* value) { ++ int first = 1, len = 0; ++ const xmlChar* cur = value; ++ ++ if (value == NULL) ++ return (0); ++ ++ while (cur[0] != 0) { ++ if (!( ((cur[0] >= 'a') && (cur[0] <= 'z')) || ((cur[0] >= 'A') && (cur[0] <= 'Z')) ++ || (cur[0] == '-') ++ || ((first == 0) && (xmlIsDigit_ch(cur[0]))) )) ++ return (0); ++ if (cur[0] == '-') { ++ if ((len < 1) || (len > 8)) ++ return (0); ++ len = 0; ++ first = 0; ++ } ++ else ++ len++; ++ cur++; ++ } ++ if ((len < 1) || (len > 8)) ++ return (0); ++ ++ return (1); ++} ++ + /** + * xmlSchemaValAtomicType: + * @type: the predefined type +@@ -2704,7 +2742,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, + if (norm != NULL) + value = norm; + } +- if (xmlCheckLanguageID(value) == 1) { ++ ++ if (xmlSchemaCheckLanguageType(value) == 1) { + if (val != NULL) { + v = xmlSchemaNewValue(XML_SCHEMAS_LANGUAGE); + if (v != NULL) { +-- +1.8.3.1 + -- Gitee
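Review bot: The new xmlSchemaCheckLanguageType is introduced with a `/*` header while the adjacent xmlSchemaValAtomicType header uses `/**`, and the comment never explains the `first` flag, i.e. that digits are rejected until the first '-' has been seen; opening the block with `/**` and adding the line ` * Digits are only accepted in subtags after the first '-'.` would make the intent match the quoted pattern. Replacing `xmlCheckLanguageID(value)` with this purely syntactic check also widens what xsd:language accepts compared with the stricter RFC-style grammar xmlCheckLanguageID enforces; that is what the XSD lexical space specifies, but it is a visible change for schema users and is worth a sentence in the spec changelog. The stray blank line added before the new `if` in the second hunk is noise and could be dropped.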