+++ /dev/null
-From 292be65a52ab9e0eb3a53b4e0be5a57bc6de59d3 Mon Sep 17 00:00:00 2001
-From: Doran Moppert <dmoppert@redhat.com>
-Date: Fri, 7 Apr 2017 16:45:56 +0200
-Subject: [PATCH 6/7] Add an XML_PARSE_NOXXE flag to block all entities loading
- even local
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=772726
-
-* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
-* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
-* include/libxml/xmlerror.h: new error raised
-* xmllint.c: adds --noxxe flag to activate the option
----
- elfgcchack.h | 10 ++++++++++
- include/libxml/parser.h | 3 ++-
- include/libxml/xmlIO.h | 8 ++++++++
- include/libxml/xmlerror.h | 1 +
- parser.c | 4 ++++
- xmlIO.c | 40 +++++++++++++++++++++++++++++++++++-----
- xmllint.c | 5 +++++
- 7 files changed, 65 insertions(+), 6 deletions(-)
-
-diff --git a/elfgcchack.h b/elfgcchack.h
-index 8c52884a..1b81dcde 100644
---- a/elfgcchack.h
-+++ b/elfgcchack.h
-@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int
- #endif
- #endif
-
-+#ifdef bottom_xmlIO
-+#undef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));
-+#else
-+#ifndef xmlNoXxeExternalEntityLoader
-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));
-+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias
-+#endif
-+#endif
-+
- #ifdef bottom_tree
- #undef xmlNodeAddContent
- extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));
-diff --git a/include/libxml/parser.h b/include/libxml/parser.h
-index 47fbec03..63ca1b97 100644
---- a/include/libxml/parser.h
-+++ b/include/libxml/parser.h
-@@ -1111,7 +1111,8 @@ typedef enum {
- XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */
- XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */
- XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */
-- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */
-+ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */
-+ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */
- } xmlParserOption;
-
- XMLPUBFUN void XMLCALL
-diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h
-index 3e41744d..8d3fdef5 100644
---- a/include/libxml/xmlIO.h
-+++ b/include/libxml/xmlIO.h
-@@ -299,6 +299,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL
- const char *ID,
- xmlParserCtxtPtr ctxt);
-
-+/*
-+ * A predefined entity loader external entity expansion
-+ */
-+XMLPUBFUN xmlParserInputPtr XMLCALL
-+ xmlNoXxeExternalEntityLoader (const char *URL,
-+ const char *ID,
-+ xmlParserCtxtPtr ctxt);
-+
- /*
- * xmlNormalizeWindowsPath is obsolete, don't use it.
- * Check xmlCanonicPath in uri.h for a better alternative.
-diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
-index 037c16d5..3036062d 100644
---- a/include/libxml/xmlerror.h
-+++ b/include/libxml/xmlerror.h
-@@ -470,6 +470,7 @@ typedef enum {
- XML_IO_EADDRINUSE, /* 1554 */
- XML_IO_EALREADY, /* 1555 */
- XML_IO_EAFNOSUPPORT, /* 1556 */
-+ XML_IO_ILLEGAL_XXE, /* 1557 */
- XML_XINCLUDE_RECURSION=1600,
- XML_XINCLUDE_PARSE_VALUE, /* 1601 */
- XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */
-diff --git a/parser.c b/parser.c
-index b832406a..8e11c127 100644
---- a/parser.c
-+++ b/parser.c
-@@ -15352,6 +15352,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
- ctxt->options |= XML_PARSE_NONET;
- options -= XML_PARSE_NONET;
- }
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options |= XML_PARSE_NOXXE;
-+ options -= XML_PARSE_NOXXE;
-+ }
- if (options & XML_PARSE_COMPACT) {
- ctxt->options |= XML_PARSE_COMPACT;
- options -= XML_PARSE_COMPACT;
-diff --git a/xmlIO.c b/xmlIO.c
-index 6e61f45a..34881461 100644
---- a/xmlIO.c
-+++ b/xmlIO.c
-@@ -212,6 +212,7 @@ static const char *IOerr[] = {
- "adddress in use", /* EADDRINUSE */
- "already in use", /* EALREADY */
- "unknown address familly", /* EAFNOSUPPORT */
-+ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */
- };
-
- #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)
-@@ -4057,13 +4058,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,
- xmlGenericError(xmlGenericErrorContext,
- "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);
- #endif
-- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {
-+ if (ctxt != NULL) {
- int options = ctxt->options;
-
-- ctxt->options -= XML_PARSE_NONET;
-- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-- ctxt->options = options;
-- return(ret);
-+ if (options & XML_PARSE_NOXXE) {
-+ ctxt->options -= XML_PARSE_NOXXE;
-+ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
-+
-+ if (options & XML_PARSE_NONET) {
-+ ctxt->options -= XML_PARSE_NONET;
-+ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);
-+ ctxt->options = options;
-+ return(ret);
-+ }
- }
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
-@@ -4164,6 +4174,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- xmlParserInputPtr input = NULL;
- xmlChar *resource = NULL;
-
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+
- #ifdef LIBXML_CATALOG_ENABLED
- resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);
- #endif
-@@ -4186,5 +4203,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,
- return(input);
- }
-
-+xmlParserInputPtr
-+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,
-+ xmlParserCtxtPtr ctxt) {
-+ if (ctxt == NULL) {
-+ return(NULL);
-+ }
-+ if (ctxt->input_id == 1) {
-+ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);
-+ }
-+ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);
-+ return(NULL);
-+}
-+
- #define bottom_xmlIO
- #include "elfgcchack.h"
-diff --git a/xmllint.c b/xmllint.c
-index f8eb7ec4..8f304cda 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -3019,6 +3019,7 @@ static void usage(const char *name) {
- printf("\t--path 'paths': provide a set of paths for resources\n");
- printf("\t--load-trace : print trace of all external entities loaded\n");
- printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
-+ printf("\t--noxxe : forbid any external entity loading\n");
- printf("\t--nocompact : do not generate compact text nodes\n");
- printf("\t--htmlout : output results as HTML\n");
- printf("\t--nowrap : do not put HTML doc wrapper\n");
-@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {
- (!strcmp(argv[i], "--nonet"))) {
- options |= XML_PARSE_NONET;
- xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);
-+ } else if ((!strcmp(argv[i], "-noxxe")) ||
-+ (!strcmp(argv[i], "--noxxe"))) {
-+ options |= XML_PARSE_NOXXE;
-+ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);
- } else if ((!strcmp(argv[i], "-nocompact")) ||
- (!strcmp(argv[i], "--nocompact"))) {
- options &= ~XML_PARSE_COMPACT;
---
-2.14.1
-
+++ /dev/null
-From d815758b6a8c9dee8155268e49b5ef3b80135a14 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 6 Jun 2017 12:56:28 +0200
-Subject: [PATCH 1/3] Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
-namespace declarations make no practical sense anyway.
-
-Fixes bug 780228.
-
-Found with libFuzzer and ASan.
----
- valid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 8075d3a0..c51ea290 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- }
- }
-
-+ /*
-+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+ * no practical sense to use ID types anyway.
-+ */
-+#if 0
- /* Validity Constraint: ID uniqueness */
- if (attrDecl->atype == XML_ATTRIBUTE_ID) {
- if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
- ret = 0;
- }
-+#endif
-
- /* Validity Constraint: Notation Attributes */
- if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
---
-2.14.1
-
+++ /dev/null
-From 8952ce48a5fa1d3de1f087f10e8b6e47bb59f4e3 Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Wed, 7 Jun 2017 16:47:36 +0200
-Subject: [PATCH 1/7] Fix NULL pointer deref in xmlDumpElementContent
-
-Can only be triggered in recovery mode.
-
-Fixes bug 758422 (CVE-2017-5969).
----
- valid.c | 24 ++++++++++++++----------
- 1 file changed, 14 insertions(+), 10 deletions(-)
-
-diff --git a/valid.c b/valid.c
-index 19f84b82..0a8e58ab 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
- xmlBufferWriteCHAR(buf, content->name);
- break;
- case XML_ELEMENT_CONTENT_SEQ:
-- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+ if ((content->c1 != NULL) &&
-+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- xmlDumpElementContent(buf, content->c1, 1);
- else
- xmlDumpElementContent(buf, content->c1, 0);
- xmlBufferWriteChar(buf, " , ");
-- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+ if ((content->c2 != NULL) &&
-+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- xmlDumpElementContent(buf, content->c2, 1);
- else
- xmlDumpElementContent(buf, content->c2, 0);
- break;
- case XML_ELEMENT_CONTENT_OR:
-- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+ if ((content->c1 != NULL) &&
-+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- xmlDumpElementContent(buf, content->c1, 1);
- else
- xmlDumpElementContent(buf, content->c1, 0);
- xmlBufferWriteChar(buf, " | ");
-- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+ if ((content->c2 != NULL) &&
-+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- xmlDumpElementContent(buf, content->c2, 1);
- else
- xmlDumpElementContent(buf, content->c2, 0);
---
-2.14.1
-
+++ /dev/null
-From 9ea49a06b9421b6a3a9c243fb1ec23b19bd6b049 Mon Sep 17 00:00:00 2001
-From: Neel Mehta <nmehta@google.com>
-Date: Fri, 7 Apr 2017 17:43:02 +0200
-Subject: [PATCH 7/7] Prevent unwanted external entity reference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780691
-
-* parser.c: add a specific check to avoid PE reference
----
- parser.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 8e11c127..e8e962bb 100644
---- a/parser.c
-+++ b/parser.c
-@@ -8125,6 +8125,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- if (xmlPushInput(ctxt, input) < 0)
- return;
- } else {
-+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
-+ (ctxt->replaceEntities == 0) &&
-+ (ctxt->validate == 0))
-+ return;
-+
- /*
- * TODO !!!
- * handle the extra spaces added before and after
---
-2.14.1
-
+++ /dev/null
-From 43cd3b6222bda2332e963eb1c9ead78f29912b0a Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Fri, 7 Apr 2017 17:13:28 +0200
-Subject: [PATCH 2/3] Increase buffer space for port in HTTP redirect support
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780690
-
-nanohttp.c: the code wrongly assumed a short int port value.
----
- nanohttp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/nanohttp.c b/nanohttp.c
-index 26e4290e..9c17530e 100644
---- a/nanohttp.c
-+++ b/nanohttp.c
-@@ -1423,9 +1423,9 @@ retry:
- if (ctxt->port != 80) {
- /* reserve space for ':xxxxx', incl. potential proxy */
- if (proxy)
-- blen += 12;
-+ blen += 17;
- else
-- blen += 6;
-+ blen += 11;
- }
- bp = (char*)xmlMallocAtomic(blen);
- if ( bp == NULL ) {
---
-2.14.1
-
+++ /dev/null
-From 839b89e678b5265a0e6b0477410e64fac669d578 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 3 Jun 2017 02:01:29 +0200
-Subject: [PATCH 4/7] Fix buffer size checks in xmlSnprintfElementContent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-xmlSnprintfElementContent failed to correctly check the available
-buffer space in two locations.
-
-Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
-
-Thanks to Marcel Böhme and Thuan Pham for the report.
----
- result/valid/781333.xml | 5 +++++
- result/valid/781333.xml.err | 3 +++
- result/valid/781333.xml.err.rdr | 6 ++++++
- test/valid/781333.xml | 4 ++++
- valid.c | 20 +++++++++++---------
- 5 files changed, 29 insertions(+), 9 deletions(-)
- create mode 100644 result/valid/781333.xml
- create mode 100644 result/valid/781333.xml.err
- create mode 100644 result/valid/781333.xml.err.rdr
- create mode 100644 test/valid/781333.xml
-
-diff --git a/result/valid/781333.xml b/result/valid/781333.xml
-new file mode 100644
-index 00000000..45dc451d
---- /dev/null
-+++ b/result/valid/781333.xml
-@@ -0,0 +1,5 @@
-+<?xml version="1.0"?>
-+<!DOCTYPE a [
-+<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
-new file mode 100644
-index 00000000..b401b49a
---- /dev/null
-+++ b/result/valid/781333.xml.err
-@@ -0,0 +1,3 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
-+<a/>
-+ ^
-diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
-new file mode 100644
-index 00000000..5ff56992
---- /dev/null
-+++ b/result/valid/781333.xml.err.rdr
-@@ -0,0 +1,6 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
-+<a/>
-+ ^
-+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
-+
-+^
-diff --git a/test/valid/781333.xml b/test/valid/781333.xml
-new file mode 100644
-index 00000000..b29e5a68
---- /dev/null
-+++ b/test/valid/781333.xml
-@@ -0,0 +1,4 @@
-+<!DOCTYPE a [
-+ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/valid.c b/valid.c
-index 0a8e58ab..8075d3a0 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1266,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
- case XML_ELEMENT_CONTENT_PCDATA:
- strcat(buf, "#PCDATA");
- break;
-- case XML_ELEMENT_CONTENT_ELEMENT:
-+ case XML_ELEMENT_CONTENT_ELEMENT: {
-+ int qnameLen = xmlStrlen(content->name);
-+
-+ if (content->prefix != NULL)
-+ qnameLen += xmlStrlen(content->prefix) + 1;
-+ if (size - len < qnameLen + 10) {
-+ strcat(buf, " ...");
-+ return;
-+ }
- if (content->prefix != NULL) {
-- if (size - len < xmlStrlen(content->prefix) + 10) {
-- strcat(buf, " ...");
-- return;
-- }
- strcat(buf, (char *) content->prefix);
- strcat(buf, ":");
- }
-- if (size - len < xmlStrlen(content->name) + 10) {
-- strcat(buf, " ...");
-- return;
-- }
- if (content->name != NULL)
- strcat(buf, (char *) content->name);
- break;
-+ }
- case XML_ELEMENT_CONTENT_SEQ:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-@@ -1323,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
- xmlSnprintfElementContent(buf, size, content->c2, 0);
- break;
- }
-+ if (size - strlen(buf) <= 2) return;
- if (englob)
- strcat(buf, ")");
- switch (content->ocur) {
---
-2.14.1
-
+++ /dev/null
-From 9c95d1b7f3951efe09df66ec41d7b19d6283084d Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 5 Jun 2017 15:37:17 +0200
-Subject: [PATCH 3/7] Fix handling of parameter-entity references
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-The NEXTL macro used to call xmlParserHandlePEReference. When parsing
-"complex" names inside the DTD, this could result in entity expansion
-which created a new input buffer. The fix is to simply remove the call
-to xmlParserHandlePEReference from the NEXTL macro. This is safe because
-no users of the macro require expansion of parameter entities.
-
-- xmlParseNameComplex
-- xmlParseNCNameComplex
-- xmlParseNmtoken
-
-The percent sign is not allowed in names, which are grammatical tokens.
-
-- xmlParseEntityValue
-
-Parameter-entity references in entity values are expanded but this
-happens in a separate step in this function.
-
-- xmlParseSystemLiteral
-
-Parameter-entity references are ignored in the system literal.
-
-- xmlParseAttValueComplex
-- xmlParseCharDataComplex
-- xmlParseCommentComplex
-- xmlParsePI
-- xmlParseCDSect
-
-Parameter-entity references are ignored outside the DTD.
-
-- xmlLoadEntityContent
-
-This function is only called from xmlStringLenDecodeEntities and
-entities are replaced in a separate step immediately after the function
-call.
-
-This bug could also be triggered with an internal subset and double
-entity expansion.
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-When parsing Names inside an expanded parameter entity with the
-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
-GROW macro if the input buffer was exhausted. At the end of the
-parameter entity's replacement text, this function would then call
-xmlPopInput which invalidated the input buffer.
-
-There should be no need to invoke GROW in this situation because the
-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
-at least for UTF-8, in xmlCurrentChar. This also matches the code path
-executed when XML_PARSE_OLD10 is not set.
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
----
- Makefile.am | 18 ++++++++++++++++++
- parser.c | 18 ++++++++++--------
- result/errors10/781205.xml | 0
- result/errors10/781205.xml.err | 21 +++++++++++++++++++++
- result/errors10/781361.xml | 0
- result/errors10/781361.xml.err | 13 +++++++++++++
- result/valid/766956.xml | 0
- result/valid/766956.xml.err | 9 +++++++++
- result/valid/766956.xml.err.rdr | 10 ++++++++++
- runtest.c | 3 +++
- test/errors10/781205.xml | 3 +++
- test/errors10/781361.xml | 3 +++
- test/valid/766956.xml | 2 ++
- test/valid/dtds/766956.dtd | 2 ++
- 14 files changed, 94 insertions(+), 8 deletions(-)
- create mode 100644 result/errors10/781205.xml
- create mode 100644 result/errors10/781205.xml.err
- create mode 100644 result/errors10/781361.xml
- create mode 100644 result/errors10/781361.xml.err
- create mode 100644 result/valid/766956.xml
- create mode 100644 result/valid/766956.xml.err
- create mode 100644 result/valid/766956.xml.err.rdr
- create mode 100644 test/errors10/781205.xml
- create mode 100644 test/errors10/781361.xml
- create mode 100644 test/valid/766956.xml
- create mode 100644 test/valid/dtds/766956.dtd
-
-diff --git a/Makefile.am b/Makefile.am
-index 3b52bae7..bf20124e 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT)
- if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \
- rm result.$$name error.$$name ; \
- fi ; fi ; done)
-+ @echo "## Error cases regression tests (old 1.0)"
-+ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
-+ name=`basename $$i`; \
-+ if [ ! -d $$i ] ; then \
-+ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
-+ echo New test file $$name ; \
-+ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
-+ 2> $(srcdir)/result/errors10/$$name.err \
-+ > $(srcdir)/result/errors10/$$name ; \
-+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
-+ else \
-+ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
-+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
-+ diff $(srcdir)/result/errors10/$$name result.$$name ; \
-+ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
-+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
-+ rm result.$$name error.$$name ; \
-+ fi ; fi ; done)
- @echo "## Error cases stream regression tests"
- -@(for i in $(srcdir)/test/errors/*.xml ; do \
- name=`basename $$i`; \
-diff --git a/parser.c b/parser.c
-index 53a6b7f0..b832406a 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- ctxt->input->line++; ctxt->input->col = 1; \
- } else ctxt->input->col++; \
- ctxt->input->cur += l; \
-- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
- } while (0)
-
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- len += l;
- NEXTL(l);
- c = CUR_CHAR(l);
-- if (c == 0) {
-- count = 0;
-- GROW;
-- if (ctxt->instate == XML_PARSER_EOF)
-- return(NULL);
-- c = CUR_CHAR(l);
-- }
- }
- }
- if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
- return(NULL);
- }
-+ if (ctxt->input->cur - ctxt->input->base < len) {
-+ /*
-+ * There were a couple of bugs where PERefs lead to to a change
-+ * of the buffer. Check the buffer size to avoid passing an invalid
-+ * pointer to xmlDictLookup.
-+ */
-+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+ "unexpected change of input buffer");
-+ return (NULL);
-+ }
- if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
-new file mode 100644
-index 00000000..da15c3f7
---- /dev/null
-+++ b/result/errors10/781205.xml.err
-@@ -0,0 +1,21 @@
-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+ %a;
-+ ^
-+Entity: line 1:
-+<:0000
-+^
-+Entity: line 1: parser error : DOCTYPE improperly terminated
-+ %a;
-+ ^
-+Entity: line 1:
-+<:0000
-+^
-+namespace error : Failed to parse QName ':0000'
-+ %a;
-+ ^
-+<:0000
-+ ^
-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
-+
-+^
-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
-new file mode 100644
-index 00000000..655f41a2
---- /dev/null
-+++ b/result/errors10/781361.xml.err
-@@ -0,0 +1,13 @@
-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
-+
-+^
-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+
-+^
-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
-+
-+^
-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
-+
-+^
-diff --git a/result/valid/766956.xml b/result/valid/766956.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
-new file mode 100644
-index 00000000..34b1dae6
---- /dev/null
-+++ b/result/valid/766956.xml.err
-@@ -0,0 +1,9 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+ ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent;
-+ ^
-+Entity: line 1:
-+value
-+^
-diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
-new file mode 100644
-index 00000000..77603462
---- /dev/null
-+++ b/result/valid/766956.xml.err.rdr
-@@ -0,0 +1,10 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+ ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent;
-+ ^
-+Entity: line 1:
-+value
-+^
-+./test/valid/766956.xml : failed to parse
-diff --git a/runtest.c b/runtest.c
-index 7d030bdc..cd233da9 100644
---- a/runtest.c
-+++ b/runtest.c
-@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = {
- { "Error cases regression tests",
- errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
- 0 },
-+ { "Error cases regression tests (old 1.0)",
-+ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
-+ XML_PARSE_OLD10 },
- #ifdef LIBXML_READER_ENABLED
- { "Error cases stream regression tests",
- streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
-diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
-new file mode 100644
-index 00000000..d9e9e839
---- /dev/null
-+++ b/test/errors10/781205.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE D [
-+ <!ENTITY % a "<:0000">
-+ %a;
-diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
-new file mode 100644
-index 00000000..67476bcb
---- /dev/null
-+++ b/test/errors10/781361.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE doc [
-+ <!ENTITY % elem "<!ELEMENT e0000000000">
-+ %elem;
-diff --git a/test/valid/766956.xml b/test/valid/766956.xml
-new file mode 100644
-index 00000000..19a95a0e
---- /dev/null
-+++ b/test/valid/766956.xml
-@@ -0,0 +1,2 @@
-+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
-+<test/>
-diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
-new file mode 100644
-index 00000000..dddde68b
---- /dev/null
-+++ b/test/valid/dtds/766956.dtd
-@@ -0,0 +1,2 @@
-+<!ENTITY % ent "value">
-+%ä%ent;
---
-2.14.1
-
+++ /dev/null
-From a1fb9a4f511d89f0738b62cabd6d92bfd9eb94a9 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:19:58 +0200
-Subject: [PATCH 3/3] Fix comparison with root node in xmlXPathCmpNodes
-
-This change has already been made in xmlXPathCmpNodesExt but not in
-xmlXPathCmpNodes.
----
- xpath.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 67afbca5..5a01b1b3 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
- * compute depth to root
- */
- for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
-- if (cur == node1)
-+ if (cur->parent == node1)
- return(1);
- depth2++;
- }
- root = cur;
- for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
-- if (cur == node2)
-+ if (cur->parent == node2)
- return(-1);
- depth1++;
- }
---
-2.14.1
-
+++ /dev/null
-From df4f9bdc7a37908ded8bd1fec4f75509eaa156de Mon Sep 17 00:00:00 2001
-From: David Kilzer <ddkilzer@apple.com>
-Date: Tue, 4 Jul 2017 18:38:03 +0200
-Subject: [PATCH 5/7] Heap-buffer-overflow read of size 1 in
- xmlFAParsePosCharGroup
-
-Credit to OSS-Fuzz.
-
-Add a check to xmlFAParseCharRange() for the end of the buffer
-to prevent reading past the end of it.
-
-This fixes Bug 784017.
----
- xmlregexp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xmlregexp.c b/xmlregexp.c
-index ca3b4f46..6676c2a8 100644
---- a/xmlregexp.c
-+++ b/xmlregexp.c
-@@ -5051,7 +5051,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
- return;
- }
- len = 1;
-- } else if ((cur != 0x5B) && (cur != 0x5D)) {
-+ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) {
- end = CUR_SCHAR(ctxt->cur, len);
- } else {
- ERROR("Expecting the end of a char range");
---
-2.14.1
-
+++ /dev/null
-From 8bc6baccc7da291c2338b8d95953ea487b0b3ca1 Mon Sep 17 00:00:00 2001
-From: Alex Henrie <alexhenrie24@gmail.com>
-Date: Thu, 26 May 2016 17:38:35 -0600
-Subject: [PATCH 2/7] Fix attribute decoding during XML schema validation
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=766834
-
-vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
-so this function can't call xmlStringLenDecodeEntities to decode the
-entities.
----
- xmlschemas.c | 30 +++++++++++++++++++++++++-----
- 1 file changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/xmlschemas.c b/xmlschemas.c
-index e1b3a4f0..59535e5c 100644
---- a/xmlschemas.c
-+++ b/xmlschemas.c
-@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
- * attributes yet.
- */
- if (nb_attributes != 0) {
-+ int valueLen, k, l;
- xmlChar *value;
-
- for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {
-@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
- * libxml2 differs from normal SAX here in that it escapes all ampersands
- * as & instead of delivering the raw converted string. Changing the
- * behavior at this point would break applications that use this API, so
-- * we are forced to work around it. There is no danger of accidentally
-- * decoding some entity other than & in this step because without
-- * unescaped ampersands there can be no other entities in the string.
-+ * we are forced to work around it.
- */
-- value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],
-- attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);
-+ valueLen = attributes[j+4] - attributes[j+3];
-+ value = xmlMallocAtomic(valueLen + 1);
-+ if (value == NULL) {
-+ xmlSchemaVErrMemory(vctxt,
-+ "allocating string for decoded attribute",
-+ NULL);
-+ goto internal_error;
-+ }
-+ for (k = 0, l = 0; k < valueLen; l++) {
-+ if (k < valueLen - 4 &&
-+ attributes[j+3][k+0] == '&' &&
-+ attributes[j+3][k+1] == '#' &&
-+ attributes[j+3][k+2] == '3' &&
-+ attributes[j+3][k+3] == '8' &&
-+ attributes[j+3][k+4] == ';') {
-+ value[l] = '&';
-+ k += 5;
-+ } else {
-+ value[l] = attributes[j+3][k];
-+ k++;
-+ }
-+ }
-+ value[l] = '\0';
- /*
- * TODO: Set the node line.
- */
---
-2.14.1
-
projects / gentoo.git / commitdiff