gnu: libxml2: Add fixes for CVE-2015-{1819,7941,7942,8035} and other bugs.
* gnu/packages/patches/libxml2-CVE-2015-1819.patch, gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch, gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch, gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch, gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch, gnu/packages/patches/libxml2-CVE-2015-8035.patch, gnu/packages/patches/libxml2-bug-737840.patch, gnu/packages/patches/libxml2-bug-738805.patch, gnu/packages/patches/libxml2-bug-746048.patch, gnu/packages/patches/libxml2-bug-747437.patch, gnu/packages/patches/libxml2-bug-751603.patch, gnu/packages/patches/libxml2-bug-751631.patch, gnu/packages/patches/libxml2-bug-754946.patch, gnu/packages/patches/libxml2-bug-754947.patch, gnu/packages/patches/libxml2-bug-755857.patch, gnu/packages/patches/libxml2-fix-catalog-corruption.patch, gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch, gnu/packages/patches/libxml2-node-sort-order-pt1.patch, gnu/packages/patches/libxml2-node-sort-order-pt2.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/xml.scm (libxml2)[source]: Add patches.
parent
328a14e869
commit
ee6bb0cc76
|
@ -571,6 +571,25 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
|
||||
gnu/packages/patches/libwmf-CVE-2015-4695.patch \
|
||||
gnu/packages/patches/libwmf-CVE-2015-4696.patch \
|
||||
gnu/packages/patches/libxml2-CVE-2015-1819.patch \
|
||||
gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch \
|
||||
gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch \
|
||||
gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch \
|
||||
gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch \
|
||||
gnu/packages/patches/libxml2-CVE-2015-8035.patch \
|
||||
gnu/packages/patches/libxml2-bug-737840.patch \
|
||||
gnu/packages/patches/libxml2-bug-738805.patch \
|
||||
gnu/packages/patches/libxml2-bug-746048.patch \
|
||||
gnu/packages/patches/libxml2-bug-747437.patch \
|
||||
gnu/packages/patches/libxml2-bug-751603.patch \
|
||||
gnu/packages/patches/libxml2-bug-751631.patch \
|
||||
gnu/packages/patches/libxml2-bug-754946.patch \
|
||||
gnu/packages/patches/libxml2-bug-754947.patch \
|
||||
gnu/packages/patches/libxml2-bug-755857.patch \
|
||||
gnu/packages/patches/libxml2-fix-catalog-corruption.patch \
|
||||
gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch \
|
||||
gnu/packages/patches/libxml2-node-sort-order-pt1.patch \
|
||||
gnu/packages/patches/libxml2-node-sort-order-pt2.patch \
|
||||
gnu/packages/patches/lirc-localstatedir.patch \
|
||||
gnu/packages/patches/libpthread-glibc-preparation.patch \
|
||||
gnu/packages/patches/lm-sensors-hwmon-attrs.patch \
|
||||
|
|
|
@ -0,0 +1,176 @@
|
|||
From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Tue, 14 Apr 2015 17:41:48 +0800
|
||||
Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
|
||||
|
||||
One of the operation on the reader could resolve entities
|
||||
leading to the classic expansion issue. Make sure the
|
||||
buffer used for xmlreader operation is bounded.
|
||||
Introduce a new allocation type for the buffers for this effect.
|
||||
---
|
||||
buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
|
||||
include/libxml/tree.h | 3 ++-
|
||||
xmlreader.c | 20 +++++++++++++++++++-
|
||||
3 files changed, 63 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/buf.c b/buf.c
|
||||
index 6efc7b6..07922ff 100644
|
||||
--- a/buf.c
|
||||
+++ b/buf.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include <libxml/tree.h>
|
||||
#include <libxml/globals.h>
|
||||
#include <libxml/tree.h>
|
||||
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
|
||||
#include "buf.h"
|
||||
|
||||
#define WITH_BUFFER_COMPAT
|
||||
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
|
||||
if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
|
||||
(scheme == XML_BUFFER_ALLOC_EXACT) ||
|
||||
(scheme == XML_BUFFER_ALLOC_HYBRID) ||
|
||||
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
|
||||
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
|
||||
+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
|
||||
buf->alloc = scheme;
|
||||
if (buf->buffer)
|
||||
buf->buffer->alloc = scheme;
|
||||
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
|
||||
size = buf->use + len + 100;
|
||||
#endif
|
||||
|
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
||||
+ /*
|
||||
+ * Used to provide parsing limits
|
||||
+ */
|
||||
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
|
||||
+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
|
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
||||
+ return(0);
|
||||
+ }
|
||||
+ if (size >= XML_MAX_TEXT_LENGTH)
|
||||
+ size = XML_MAX_TEXT_LENGTH;
|
||||
+ }
|
||||
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
|
||||
size_t start_buf = buf->content - buf->contentIO;
|
||||
|
||||
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
|
||||
CHECK_COMPAT(buf)
|
||||
|
||||
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
|
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
||||
+ /*
|
||||
+ * Used to provide parsing limits
|
||||
+ */
|
||||
+ if (size >= XML_MAX_TEXT_LENGTH) {
|
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
||||
+ return(0);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
/* Don't resize if we don't have to */
|
||||
if (size < buf->size)
|
||||
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
|
||||
|
||||
needSize = buf->use + len + 2;
|
||||
if (needSize > buf->size){
|
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
||||
+ /*
|
||||
+ * Used to provide parsing limits
|
||||
+ */
|
||||
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
|
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ }
|
||||
if (!xmlBufResize(buf, needSize)){
|
||||
xmlBufMemoryError(buf, "growing buffer");
|
||||
return XML_ERR_NO_MEMORY;
|
||||
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
|
||||
}
|
||||
needSize = buf->use + len + 2;
|
||||
if (needSize > buf->size){
|
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
|
||||
+ /*
|
||||
+ * Used to provide parsing limits
|
||||
+ */
|
||||
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
|
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
|
||||
+ return(-1);
|
||||
+ }
|
||||
+ }
|
||||
if (!xmlBufResize(buf, needSize)){
|
||||
xmlBufMemoryError(buf, "growing buffer");
|
||||
return XML_ERR_NO_MEMORY;
|
||||
diff --git a/include/libxml/tree.h b/include/libxml/tree.h
|
||||
index 2f90717..4a9b3bc 100644
|
||||
--- a/include/libxml/tree.h
|
||||
+++ b/include/libxml/tree.h
|
||||
@@ -76,7 +76,8 @@ typedef enum {
|
||||
XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
|
||||
XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
|
||||
XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
|
||||
- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
|
||||
+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
|
||||
+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
|
||||
} xmlBufferAllocationScheme;
|
||||
|
||||
/**
|
||||
diff --git a/xmlreader.c b/xmlreader.c
|
||||
index f19e123..471e7e2 100644
|
||||
--- a/xmlreader.c
|
||||
+++ b/xmlreader.c
|
||||
@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
|
||||
"xmlNewTextReader : malloc failed\n");
|
||||
return(NULL);
|
||||
}
|
||||
+ /* no operation on a reader should require a huge buffer */
|
||||
+ xmlBufSetAllocationScheme(ret->buffer,
|
||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
||||
ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
|
||||
if (ret->sax == NULL) {
|
||||
xmlBufFree(ret->buffer);
|
||||
@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
|
||||
return(((xmlNsPtr) node)->href);
|
||||
case XML_ATTRIBUTE_NODE:{
|
||||
xmlAttrPtr attr = (xmlAttrPtr) node;
|
||||
+ const xmlChar *ret;
|
||||
|
||||
if ((attr->children != NULL) &&
|
||||
(attr->children->type == XML_TEXT_NODE) &&
|
||||
@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
|
||||
"xmlTextReaderSetup : malloc failed\n");
|
||||
return (NULL);
|
||||
}
|
||||
+ xmlBufSetAllocationScheme(reader->buffer,
|
||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
||||
} else
|
||||
xmlBufEmpty(reader->buffer);
|
||||
xmlBufGetNodeContent(reader->buffer, node);
|
||||
- return(xmlBufContent(reader->buffer));
|
||||
+ ret = xmlBufContent(reader->buffer);
|
||||
+ if (ret == NULL) {
|
||||
+ /* error on the buffer best to reallocate */
|
||||
+ xmlBufFree(reader->buffer);
|
||||
+ reader->buffer = xmlBufCreateSize(100);
|
||||
+ xmlBufSetAllocationScheme(reader->buffer,
|
||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
||||
+ ret = BAD_CAST "";
|
||||
+ }
|
||||
+ return(ret);
|
||||
}
|
||||
break;
|
||||
}
|
||||
@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
|
||||
"xmlTextReaderSetup : malloc failed\n");
|
||||
return (-1);
|
||||
}
|
||||
+ /* no operation on a reader should require a huge buffer */
|
||||
+ xmlBufSetAllocationScheme(reader->buffer,
|
||||
+ XML_BUFFER_ALLOC_BOUNDED);
|
||||
if (reader->sax == NULL)
|
||||
reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
|
||||
if (reader->sax == NULL) {
|
||||
--
|
||||
2.6.3
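Review bot: In the xmlreader.c hunk for xmlTextReaderConstValue, the recovery path assigns `reader->buffer = xmlBufCreateSize(100);` and passes it straight to xmlBufSetAllocationScheme without a NULL check. The context a few lines above does report "malloc failed" and returns NULL when that same allocation fails. I would guard the recovery path the same way, e.g. `if (reader->buffer != NULL) xmlBufSetAllocationScheme(reader->buffer, XML_BUFFER_ALLOC_BOUNDED);`, unless the callee is known to tolerate NULL (not visible here). The path also returns `BAD_CAST ""`, so a caller cannot tell an attribute value that hit the XML_MAX_TEXT_LENGTH bound from a genuinely empty one; a comment saying the truncation is deliberate, or a way to surface the error, would help consumers that make decisions on the value. The function body starts and ends outside the hunk.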
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Mon, 23 Feb 2015 11:17:35 +0800
|
||||
Subject: [PATCH] Stop parsing on entities boundaries errors
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
|
||||
|
||||
There are times, like on unterminated entities that it's preferable to
|
||||
stop parsing, even if that means less error reporting. Entities are
|
||||
feeding the parser on further processing, and if they are ill defined
|
||||
then it's possible to get the parser to bug. Also do the same on
|
||||
Conditional Sections if the input is broken, as the structure of
|
||||
the document can't be guessed.
|
||||
---
|
||||
parser.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index a8d1b67..bbe97eb 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
|
||||
if (RAW != '>') {
|
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
|
||||
"xmlParseEntityDecl: entity %s not terminated\n", name);
|
||||
+ xmlStopParser(ctxt);
|
||||
} else {
|
||||
if (input != ctxt->input) {
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Mon, 23 Feb 2015 11:29:20 +0800
|
||||
Subject: [PATCH] Cleanup conditional section error handling
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
|
||||
|
||||
The error handling of Conditional Section also need to be
|
||||
straightened as the structure of the document can't be
|
||||
guessed on a failure there and it's better to stop parsing
|
||||
as further errors are likely to be irrelevant.
|
||||
---
|
||||
parser.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index bbe97eb..fe603ac 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
||||
SKIP_BLANKS;
|
||||
if (RAW != '[') {
|
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
|
||||
+ xmlStopParser(ctxt);
|
||||
+ return;
|
||||
} else {
|
||||
if (ctxt->input->id != id) {
|
||||
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
|
||||
@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
||||
SKIP_BLANKS;
|
||||
if (RAW != '[') {
|
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
|
||||
+ xmlStopParser(ctxt);
|
||||
+ return;
|
||||
} else {
|
||||
if (ctxt->input->id != id) {
|
||||
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
|
||||
@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
||||
|
||||
} else {
|
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
|
||||
+ xmlStopParser(ctxt);
|
||||
+ return;
|
||||
}
|
||||
|
||||
if (RAW == 0)
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Fri, 23 Oct 2015 19:02:28 +0800
|
||||
Subject: [PATCH] Another variation of overflow in Conditional sections
|
||||
|
||||
Which happen after the previous fix to
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=756456
|
||||
|
||||
But stopping the parser and exiting we didn't pop the intermediary entities
|
||||
and doing the SKIP there applies on an input which may be too small
|
||||
---
|
||||
parser.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index a65e4cc..b9217ff 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
||||
"All markup of the conditional section is not in the same entity\n",
|
||||
NULL, NULL);
|
||||
}
|
||||
- SKIP(3);
|
||||
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
|
||||
+ ((ctxt->input->cur + 3) < ctxt->input->end))
|
||||
+ SKIP(3);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.6.3
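Review bot: The new guard before `SKIP(3)` in xmlParseConditionalSections tests the bound by forming `ctxt->input->cur + 3` and comparing it with `ctxt->input->end`. If `end` is at or near the end of the underlying allocation, that addition creates a pointer more than one past the object, which is undefined behaviour in C even when only compared. The subtraction form `(ctxt->input->end - ctxt->input->cur) > 3` expresses the same bound without leaving the buffer. The follow-up patch libxml2-CVE-2015-7942-pt2 keeps the same pointer-addition shape with `<=`, so the same rewrite applies there with `>= 3`. The enclosing function starts outside the hunk.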
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Tue, 27 Oct 2015 10:53:44 +0800
|
||||
Subject: [PATCH] Fix an error in previous Conditional section patch
|
||||
|
||||
an off by one mistake in the change, led to error on correct
|
||||
document where the end of the included entity was exactly
|
||||
the end of the conditional section, leading to regtest failure
|
||||
---
|
||||
parser.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index b9217ff..d67b300 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
|
||||
NULL, NULL);
|
||||
}
|
||||
if ((ctxt-> instate != XML_PARSER_EOF) &&
|
||||
- ((ctxt->input->cur + 3) < ctxt->input->end))
|
||||
+ ((ctxt->input->cur + 3) <= ctxt->input->end))
|
||||
SKIP(3);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Tue, 3 Nov 2015 15:31:25 +0800
|
||||
Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=757466
|
||||
DoS when parsing specially crafted XML document if XZ support
|
||||
is compiled in (which wasn't the case for 2.9.2 and master since
|
||||
Nov 2013, fixed in next commit !)
|
||||
---
|
||||
xzlib.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/xzlib.c b/xzlib.c
|
||||
index 0dcb9f4..1fab546 100644
|
||||
--- a/xzlib.c
|
||||
+++ b/xzlib.c
|
||||
@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
|
||||
xz_error(state, LZMA_DATA_ERROR, "compressed data error");
|
||||
return -1;
|
||||
}
|
||||
+ if (ret == LZMA_PROG_ERROR) {
|
||||
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
|
||||
+ return -1;
|
||||
+ }
|
||||
} while (strm->avail_out && ret != LZMA_STREAM_END);
|
||||
|
||||
/* update available output and crc check value */
|
||||
--
|
||||
2.6.3
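Review bot: The added check in xz_decomp handles one more specific return code, but the `do … while (strm->avail_out && ret != LZMA_STREAM_END)` loop still has no visible fallback for other non-success values. Any code not listed by name (for example LZMA_BUF_ERROR, if it is not handled above the hunk) sends the loop round again on attacker-supplied input. Consider ending the loop on every value the body does not explicitly treat as recoverable, e.g. a final `if (ret != LZMA_OK && ret != LZMA_STREAM_END) { xz_error(state, ret, "decompression error"); return -1; }`, after confirming that no informational codes are expected here. The message "compression error" is also misleading in a decompression path; `"decompression error"` would make logs easier to triage. The loop body starts outside the hunk.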
|
||||
|
|
@ -0,0 +1,88 @@
|
|||
From ef709ce2f7b792d5fb69ed142796d743fb1eb388 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Thu, 10 Sep 2015 19:41:41 +0800
|
||||
Subject: [PATCH] Fix the spurious ID already defined error
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=737840
|
||||
the fix for 724903 introduced a regression on external entities carrying
|
||||
IDs, revert that patch in part and add a specific test to avoid readding it
|
||||
---
|
||||
result/valid/737840.xml | 10 ++++++++++
|
||||
result/valid/737840.xml.err | 0
|
||||
result/valid/737840.xml.err.rdr | 0
|
||||
test/valid/737840.xml | 10 ++++++++++
|
||||
test/valid/dtds/737840.ent | 1 +
|
||||
valid.c | 6 ++++--
|
||||
6 files changed, 25 insertions(+), 2 deletions(-)
|
||||
create mode 100644 result/valid/737840.xml
|
||||
create mode 100644 result/valid/737840.xml.err
|
||||
create mode 100644 result/valid/737840.xml.err.rdr
|
||||
create mode 100644 test/valid/737840.xml
|
||||
create mode 100644 test/valid/dtds/737840.ent
|
||||
|
||||
diff --git a/result/valid/737840.xml b/result/valid/737840.xml
|
||||
new file mode 100644
|
||||
index 0000000..433c6d6
|
||||
--- /dev/null
|
||||
+++ b/result/valid/737840.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<?xml version="1.0"?>
|
||||
+<!DOCTYPE root [
|
||||
+<!ELEMENT root (elem)>
|
||||
+<!ELEMENT elem (#PCDATA)>
|
||||
+<!ATTLIST elem id ID #IMPLIED>
|
||||
+<!ENTITY target SYSTEM "dtds/737840.ent">
|
||||
+]>
|
||||
+<root>
|
||||
+ ⌖
|
||||
+</root>
|
||||
diff --git a/result/valid/737840.xml.err b/result/valid/737840.xml.err
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/result/valid/737840.xml.err.rdr b/result/valid/737840.xml.err.rdr
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/test/valid/737840.xml b/test/valid/737840.xml
|
||||
new file mode 100644
|
||||
index 0000000..2d27b73
|
||||
--- /dev/null
|
||||
+++ b/test/valid/737840.xml
|
||||
@@ -0,0 +1,10 @@
|
||||
+<!DOCTYPE root [
|
||||
+<!ELEMENT root (elem)>
|
||||
+<!ELEMENT elem (#PCDATA)>
|
||||
+<!ATTLIST elem id ID #IMPLIED>
|
||||
+<!ENTITY target SYSTEM "dtds/737840.ent">
|
||||
+]>
|
||||
+
|
||||
+<root>
|
||||
+ ⌖
|
||||
+</root>
|
||||
diff --git a/test/valid/dtds/737840.ent b/test/valid/dtds/737840.ent
|
||||
new file mode 100644
|
||||
index 0000000..e972132
|
||||
--- /dev/null
|
||||
+++ b/test/valid/dtds/737840.ent
|
||||
@@ -0,0 +1 @@
|
||||
+<elem id="id0"/>
|
||||
\ No newline at end of file
|
||||
diff --git a/valid.c b/valid.c
|
||||
index 409aa81..45a3f70 100644
|
||||
--- a/valid.c
|
||||
+++ b/valid.c
|
||||
@@ -2634,8 +2634,10 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||||
/*
|
||||
* The id is already defined in this DTD.
|
||||
*/
|
||||
- xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
|
||||
- "ID %s already defined\n", value, NULL, NULL);
|
||||
+ if (ctxt != NULL) {
|
||||
+ xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
|
||||
+ "ID %s already defined\n", value, NULL, NULL);
|
||||
+ }
|
||||
#endif /* LIBXML_VALID_ENABLED */
|
||||
xmlFreeID(ret);
|
||||
return(NULL);
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Thu, 23 Oct 2014 11:35:36 +0800
|
||||
Subject: [PATCH] Fix missing entities after CVE-2014-3660 fix
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=738805
|
||||
|
||||
The fix for CVE-2014-3660 introduced a regression in some case
|
||||
where entity substitution is required and the entity is used
|
||||
first in anotther entity referenced from an attribute value
|
||||
---
|
||||
parser.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 67c9dfd..a8d1b67 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
|
||||
* far more secure as the parser will only process data coming from
|
||||
* the document entity by default.
|
||||
*/
|
||||
- if ((ent->checked == 0) &&
|
||||
+ if (((ent->checked == 0) ||
|
||||
+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
|
||||
((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
|
||||
(ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
|
||||
unsigned long oldnbent = ctxt->nbentities;
|
||||
--
|
||||
2.6.3
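Review bot: The widened condition in xmlParseReference re-enters the entity-checking block for an entity that was already checked whenever `ent->children == NULL` and XML_PARSE_NOENT is set, but the comment directly above it still describes only the original `ent->checked == 0` rule. Because this block is the guard put in place for CVE-2014-3660, the new clause deserves its own explanation. I would add something like `/* also re-parse a checked entity that has no children yet: it was first seen inside an attribute value, so its content was never built (bug 738805) */`. It would also be worth confirming that an entity whose content legitimately yields no children is not re-evaluated on every reference; that cannot be told from the visible lines. The function body continues outside the hunk.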
|
||||
|
|
@ -0,0 +1,65 @@
|
|||
From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Fri, 30 Oct 2015 21:14:55 +0800
|
||||
Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=746048
|
||||
The HTML parser was too optimistic when processing comments and
|
||||
didn't check for the end of the stream on the first 2 characters
|
||||
---
|
||||
HTMLparser.c | 21 ++++++++++++++-------
|
||||
1 file changed, 14 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/HTMLparser.c b/HTMLparser.c
|
||||
index 19c10c3..bdf7807 100644
|
||||
--- a/HTMLparser.c
|
||||
+++ b/HTMLparser.c
|
||||
@@ -3264,12 +3264,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
|
||||
ctxt->instate = state;
|
||||
return;
|
||||
}
|
||||
+ len = 0;
|
||||
+ buf[len] = 0;
|
||||
q = CUR_CHAR(ql);
|
||||
+ if (!IS_CHAR(q))
|
||||
+ goto unfinished;
|
||||
NEXTL(ql);
|
||||
r = CUR_CHAR(rl);
|
||||
+ if (!IS_CHAR(r))
|
||||
+ goto unfinished;
|
||||
NEXTL(rl);
|
||||
cur = CUR_CHAR(l);
|
||||
- len = 0;
|
||||
while (IS_CHAR(cur) &&
|
||||
((cur != '>') ||
|
||||
(r != '-') || (q != '-'))) {
|
||||
@@ -3300,18 +3305,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
|
||||
}
|
||||
}
|
||||
buf[len] = 0;
|
||||
- if (!IS_CHAR(cur)) {
|
||||
- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
|
||||
- "Comment not terminated \n<!--%.50s\n", buf, NULL);
|
||||
- xmlFree(buf);
|
||||
- } else {
|
||||
+ if (IS_CHAR(cur)) {
|
||||
NEXT;
|
||||
if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
|
||||
(!ctxt->disableSAX))
|
||||
ctxt->sax->comment(ctxt->userData, buf);
|
||||
xmlFree(buf);
|
||||
+ ctxt->instate = state;
|
||||
+ return;
|
||||
}
|
||||
- ctxt->instate = state;
|
||||
+
|
||||
+unfinished:
|
||||
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
|
||||
+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
|
||||
+ xmlFree(buf);
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.6.3
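Review bot: After this restructuring of htmlParseComment, `ctxt->instate = state;` runs only on the success path. The old code restored it after both branches, but the new `unfinished:` label reports the error and frees `buf` without putting the saved parser state back. Unless leaving the parser in the comment state on error is intended, add `ctxt->instate = state;` after the `xmlFree(buf);` under `unfinished:`. If it is intended, a one-line comment there would stop a later reader from "fixing" it. The function starts outside the hunk.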
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
From 8985cde70901c62d3f0f04da225e73b7344a52d7 Mon Sep 17 00:00:00 2001
|
||||
From: Martin von Gagern <Martin.vGagern@gmx.net>
|
||||
Date: Mon, 13 Apr 2015 16:32:14 +0800
|
||||
Subject: [PATCH] xmlMemUsed is not thread-safe
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=747437
|
||||
just use the mutex to protect access to those variables
|
||||
---
|
||||
xmlmemory.c | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xmlmemory.c b/xmlmemory.c
|
||||
index a3dc737..f24fd6d 100644
|
||||
--- a/xmlmemory.c
|
||||
+++ b/xmlmemory.c
|
||||
@@ -554,7 +554,12 @@ xmlMemoryStrdup(const char *str) {
|
||||
|
||||
int
|
||||
xmlMemUsed(void) {
|
||||
- return(debugMemSize);
|
||||
+ int res;
|
||||
+
|
||||
+ xmlMutexLock(xmlMemMutex);
|
||||
+ res = debugMemSize;
|
||||
+ xmlMutexUnlock(xmlMemMutex);
|
||||
+ return(res);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -567,7 +572,12 @@ xmlMemUsed(void) {
|
||||
|
||||
int
|
||||
xmlMemBlocks(void) {
|
||||
- return(debugMemBlocks);
|
||||
+ int res;
|
||||
+
|
||||
+ xmlMutexLock(xmlMemMutex);
|
||||
+ res = debugMemBlocks;
|
||||
+ xmlMutexUnlock(xmlMemMutex);
|
||||
+ return(res);
|
||||
}
|
||||
|
||||
#ifdef MEM_LIST
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,38 @@
|
|||
From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Mon, 29 Jun 2015 09:08:25 +0800
|
||||
Subject: [PATCH] Do not process encoding values if the declaration if broken
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=751603
|
||||
|
||||
If the string is not properly terminated do not try to convert
|
||||
to the given encoding.
|
||||
---
|
||||
parser.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index fe603ac..a3a9568 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -10404,6 +10404,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
|
||||
encoding = xmlParseEncName(ctxt);
|
||||
if (RAW != '"') {
|
||||
xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
|
||||
+ xmlFree((xmlChar *) encoding);
|
||||
+ return(NULL);
|
||||
} else
|
||||
NEXT;
|
||||
} else if (RAW == '\''){
|
||||
@@ -10411,6 +10413,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
|
||||
encoding = xmlParseEncName(ctxt);
|
||||
if (RAW != '\'') {
|
||||
xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
|
||||
+ xmlFree((xmlChar *) encoding);
|
||||
+ return(NULL);
|
||||
} else
|
||||
NEXT;
|
||||
} else {
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Mon, 29 Jun 2015 16:10:26 +0800
|
||||
Subject: [PATCH] Fail parsing early on if encoding conversion failed
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=751631
|
||||
|
||||
If we fail conversing the current input stream while
|
||||
processing the encoding declaration of the XMLDecl
|
||||
then it's safer to just abort there and not try to
|
||||
report further errors.
|
||||
---
|
||||
parser.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index a3a9568..0edd53b 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
|
||||
|
||||
handler = xmlFindCharEncodingHandler((const char *) encoding);
|
||||
if (handler != NULL) {
|
||||
- xmlSwitchToEncoding(ctxt, handler);
|
||||
+ if (xmlSwitchToEncoding(ctxt, handler) < 0) {
|
||||
+ /* failed to convert */
|
||||
+ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
|
||||
+ return(NULL);
|
||||
+ }
|
||||
} else {
|
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
|
||||
"Unsupported encoding %s\n", encoding);
|
||||
--
|
||||
2.6.3
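Review bot: The new failure branch in xmlParseEncodingDecl records the error only by writing `ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;` and returning NULL, whereas the `else` branch just below reports the same code through `xmlFatalErrMsgStr`. If xmlSwitchToEncoding has not already raised a fatal error (not visible here), this path emits no message and may leave the well-formedness and SAX state untouched. A caller that ignores the NULL return would then keep parsing input whose encoding conversion failed. Either route the failure through the same helper as the `else` branch, or add a comment such as `/* xmlSwitchToEncoding already reported the error; only record the code */` so the asymmetry is clearly deliberate.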
|
||||
|
|
@ -0,0 +1,132 @@
|
|||
From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Tue, 15 Sep 2015 16:50:32 +0800
|
||||
Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=754946
|
||||
|
||||
When hitting the end of the current input buffer while parsing
|
||||
a name we could end up loosing the beginning of the name, which
|
||||
led to various issues.
|
||||
---
|
||||
parser.c | 29 ++++++++++++++++++++---------
|
||||
result/errors/754946.xml | 0
|
||||
result/errors/754946.xml.err | 16 ++++++++++++++++
|
||||
result/errors/754946.xml.str | 4 ++++
|
||||
test/errors/754946.xml | 1 +
|
||||
5 files changed, 41 insertions(+), 9 deletions(-)
|
||||
create mode 100644 result/errors/754946.xml
|
||||
create mode 100644 result/errors/754946.xml.err
|
||||
create mode 100644 result/errors/754946.xml.str
|
||||
create mode 100644 test/errors/754946.xml
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 0edd53b..fd29a39 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
c = CUR_CHAR(l);
|
||||
if (c == 0) {
|
||||
count = 0;
|
||||
+ /*
|
||||
+ * when shrinking to extend the buffer we really need to preserve
|
||||
+ * the part of the name we already parsed. Hence rolling back
|
||||
+ * by current lenght.
|
||||
+ */
|
||||
+ ctxt->input->cur -= l;
|
||||
GROW;
|
||||
+ ctxt->input->cur += l;
|
||||
if (ctxt->instate == XML_PARSER_EOF)
|
||||
return(NULL);
|
||||
end = ctxt->input->cur;
|
||||
@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
|
||||
static const xmlChar *
|
||||
xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
||||
- const xmlChar *in;
|
||||
+ const xmlChar *in, *e;
|
||||
const xmlChar *ret;
|
||||
int count = 0;
|
||||
|
||||
@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
||||
* Accelerator for simple ASCII names
|
||||
*/
|
||||
in = ctxt->input->cur;
|
||||
- if (((*in >= 0x61) && (*in <= 0x7A)) ||
|
||||
- ((*in >= 0x41) && (*in <= 0x5A)) ||
|
||||
- (*in == '_')) {
|
||||
+ e = ctxt->input->end;
|
||||
+ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
|
||||
+ ((*in >= 0x41) && (*in <= 0x5A)) ||
|
||||
+ (*in == '_')) && (in < e)) {
|
||||
in++;
|
||||
- while (((*in >= 0x61) && (*in <= 0x7A)) ||
|
||||
- ((*in >= 0x41) && (*in <= 0x5A)) ||
|
||||
- ((*in >= 0x30) && (*in <= 0x39)) ||
|
||||
- (*in == '_') || (*in == '-') ||
|
||||
- (*in == '.'))
|
||||
+ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
|
||||
+ ((*in >= 0x41) && (*in <= 0x5A)) ||
|
||||
+ ((*in >= 0x30) && (*in <= 0x39)) ||
|
||||
+ (*in == '_') || (*in == '-') ||
|
||||
+ (*in == '.')) && (in < e))
|
||||
in++;
|
||||
+ if (in >= e)
|
||||
+ goto complex;
|
||||
if ((*in > 0) && (*in < 0x80)) {
|
||||
count = in - ctxt->input->cur;
|
||||
if ((count > XML_MAX_NAME_LENGTH) &&
|
||||
@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
|
||||
return(ret);
|
||||
}
|
||||
}
|
||||
+complex:
|
||||
return(xmlParseNCNameComplex(ctxt));
|
||||
}
|
||||
|
||||
diff --git a/result/errors/754946.xml b/result/errors/754946.xml
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
|
||||
new file mode 100644
|
||||
index 0000000..423dff5
|
||||
--- /dev/null
|
||||
+++ b/result/errors/754946.xml.err
|
||||
@@ -0,0 +1,16 @@
|
||||
+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
|
||||
+
|
||||
+ %SYSTEM;
|
||||
+ ^
|
||||
+Entity: line 1:
|
||||
+A<lbbbbbbbbbbbbbbbbbbb_
|
||||
+^
|
||||
+Entity: line 1: parser error : DOCTYPE improperly terminated
|
||||
+ %SYSTEM;
|
||||
+ ^
|
||||
+Entity: line 1:
|
||||
+A<lbbbbbbbbbbbbbbbbbbb_
|
||||
+^
|
||||
+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
|
||||
+<!DOCTYPEA[<!ENTITY %
|
||||
+ ^
|
||||
diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
|
||||
new file mode 100644
|
||||
index 0000000..3b748cc
|
||||
--- /dev/null
|
||||
+++ b/result/errors/754946.xml.str
|
||||
@@ -0,0 +1,4 @@
|
||||
+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
|
||||
+<!DOCTYPEA[<!ENTITY %
|
||||
+ ^
|
||||
+./test/errors/754946.xml : failed to parse
|
||||
diff --git a/test/errors/754946.xml b/test/errors/754946.xml
|
||||
new file mode 100644
|
||||
index 0000000..6b5f9b0
|
||||
--- /dev/null
|
||||
+++ b/test/errors/754946.xml
|
||||
@@ -0,0 +1 @@
|
||||
+<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![
|
||||
\ No newline at end of file
|
||||
--
|
||||
2.6.3
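Review bot: In the xmlParseNCName fast path the new bound `(in < e)` is the right-hand operand of `&&`, so both the `if` and the `while` condition read `*in` before checking that `in` is still inside the input. When `in == e`, the byte at `ctxt->input->end` is dereferenced first. That is probably harmless if the buffer is always NUL-terminated there (not shown in the hunk), but the check should not depend on it. Put the bound first: `if ((in < e) && (((*in >= 0x61) && (*in <= 0x7A)) || …))`, and likewise in the `while`. The functions start and end outside the hunks.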
|
||||
|
|
@ -0,0 +1,103 @@
|
|||
From 4a5d80aded1da94cd55294e7207109712201b75b Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Fri, 18 Sep 2015 15:06:46 +0800
|
||||
Subject: [PATCH] Fix a bug in CData error handling in the push parser
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=754947
|
||||
|
||||
The checking function was returning incorrect args in some cases
|
||||
Adds the test to teh reg suite and fix one of the existing test output
|
||||
---
|
||||
parser.c | 6 +++---
|
||||
result/errors/754947.xml | 0
|
||||
result/errors/754947.xml.err | 7 +++++++
|
||||
result/errors/754947.xml.str | 5 +++++
|
||||
result/errors/cdata.xml.str | 4 ++--
|
||||
test/errors/754947.xml | 1 +
|
||||
6 files changed, 18 insertions(+), 5 deletions(-)
|
||||
create mode 100644 result/errors/754947.xml
|
||||
create mode 100644 result/errors/754947.xml.err
|
||||
create mode 100644 result/errors/754947.xml.str
|
||||
create mode 100644 test/errors/754947.xml
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index fd29a39..f1724a9 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -11192,7 +11192,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
|
||||
else
|
||||
return(-ix);
|
||||
} else if ((c & 0xe0) == 0xc0) {/* 2-byte code, starts with 110 */
|
||||
- if (ix + 2 > len) return(ix);
|
||||
+ if (ix + 2 > len) return(-ix);
|
||||
if ((utf[ix+1] & 0xc0 ) != 0x80)
|
||||
return(-ix);
|
||||
codepoint = (utf[ix] & 0x1f) << 6;
|
||||
@@ -11201,7 +11201,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
|
||||
return(-ix);
|
||||
ix += 2;
|
||||
} else if ((c & 0xf0) == 0xe0) {/* 3-byte code, starts with 1110 */
|
||||
- if (ix + 3 > len) return(ix);
|
||||
+ if (ix + 3 > len) return(-ix);
|
||||
if (((utf[ix+1] & 0xc0) != 0x80) ||
|
||||
((utf[ix+2] & 0xc0) != 0x80))
|
||||
return(-ix);
|
||||
@@ -11212,7 +11212,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
|
||||
return(-ix);
|
||||
ix += 3;
|
||||
} else if ((c & 0xf8) == 0xf0) {/* 4-byte code, starts with 11110 */
|
||||
- if (ix + 4 > len) return(ix);
|
||||
+ if (ix + 4 > len) return(-ix);
|
||||
if (((utf[ix+1] & 0xc0) != 0x80) ||
|
||||
((utf[ix+2] & 0xc0) != 0x80) ||
|
||||
((utf[ix+3] & 0xc0) != 0x80))
|
||||
diff --git a/result/errors/754947.xml b/result/errors/754947.xml
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/result/errors/754947.xml.err b/result/errors/754947.xml.err
|
||||
new file mode 100644
|
||||
index 0000000..f45cb5a
|
||||
--- /dev/null
|
||||
+++ b/result/errors/754947.xml.err
|
||||
@@ -0,0 +1,7 @@
|
||||
+./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, indicate encoding !
|
||||
+Bytes: 0xEE 0x5D 0x5D 0x3E
|
||||
+<d><![CDATA[0000000000000î]]>
|
||||
+ ^
|
||||
+./test/errors/754947.xml:1: parser error : Premature end of data in tag d line 1
|
||||
+<d><![CDATA[0000000000000î]]>
|
||||
+ ^
|
||||
diff --git a/result/errors/754947.xml.str b/result/errors/754947.xml.str
|
||||
new file mode 100644
|
||||
index 0000000..4d2f52e
|
||||
--- /dev/null
|
||||
+++ b/result/errors/754947.xml.str
|
||||
@@ -0,0 +1,5 @@
|
||||
+./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, indicate encoding !
|
||||
+Bytes: 0xEE 0x5D 0x5D 0x3E
|
||||
+<d><![CDATA[0000000000000î]]>
|
||||
+ ^
|
||||
+./test/errors/754947.xml : failed to parse
|
||||
diff --git a/result/errors/cdata.xml.str b/result/errors/cdata.xml.str
|
||||
index e043441..cf83d2b 100644
|
||||
--- a/result/errors/cdata.xml.str
|
||||
+++ b/result/errors/cdata.xml.str
|
||||
@@ -1,5 +1,5 @@
|
||||
./test/errors/cdata.xml:2: parser error : Input is not proper UTF-8, indicate encoding !
|
||||
-Bytes: 0x5B 0x43 0xE1 0x72
|
||||
+Bytes: 0xE1 0x72 0x5D 0x5D
|
||||
<A><![CDATA[Cár]]></A>
|
||||
- ^
|
||||
+ ^
|
||||
./test/errors/cdata.xml : failed to parse
|
||||
diff --git a/test/errors/754947.xml b/test/errors/754947.xml
|
||||
new file mode 100644
|
||||
index 0000000..bd9997e
|
||||
--- /dev/null
|
||||
+++ b/test/errors/754947.xml
|
||||
@@ -0,0 +1 @@
|
||||
+<d><![CDATA[0000000000000î]]>
|
||||
\ No newline at end of file
|
||||
--
|
||||
2.6.3
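Review bot: In the parser.c hunks of this patch, the three length guards in xmlCheckCdataPush (`if (ix + 2 > len) return(-ix);` and its 3- and 4-byte counterparts) now report a sequence that is merely cut off by the end of the buffer with the same negative value as a malformed one. In a push parser a valid multi-byte character can straddle two input chunks, so valid input could be rejected as "not proper UTF-8" unless the caller only passes buffers that end on a character boundary; the caller and the rest of the function lie outside the hunks, so this cannot be confirmed here. `-ix` is also 0 when the truncated sequence starts at offset 0, which a caller cannot tell apart from a non-error result of 0. I would let the caller indicate whether more data may follow and return `-ix` only for the final chunk, or at least state the contract above the function, e.g. `/* returns the number of bytes checked, or -index of the first invalid or truncated sequence */`.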
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
From cf77e60515045bdd66f2c59c69a06e603b470eae Mon Sep 17 00:00:00 2001
|
||||
From: Gaurav Gupta <g.gupta@samsung.com>
|
||||
Date: Wed, 30 Sep 2015 14:46:29 +0200
|
||||
Subject: [PATCH] Add missing Null check in xmlParseExternalEntityPrivate
|
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=755857
|
||||
|
||||
a case where we check for NULL but not everywhere
|
||||
---
|
||||
parser.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index f1724a9..a65e4cc 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -13367,7 +13367,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, xmlParserCtxtPtr oldctxt,
|
||||
/*
|
||||
* Also record the size of the entity parsed
|
||||
*/
|
||||
- if (ctxt->input != NULL) {
|
||||
+ if (ctxt->input != NULL && oldctxt != NULL) {
|
||||
oldctxt->sizeentities += ctxt->input->consumed;
|
||||
oldctxt->sizeentities += (ctxt->input->cur - ctxt->input->base);
|
||||
}
|
||||
@@ -13379,9 +13379,11 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, xmlParserCtxtPtr oldctxt,
|
||||
|
||||
if (sax != NULL)
|
||||
ctxt->sax = oldsax;
|
||||
- oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
|
||||
- oldctxt->node_seq.length = ctxt->node_seq.length;
|
||||
- oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
|
||||
+ if (oldctxt != NULL) {
|
||||
+ oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
|
||||
+ oldctxt->node_seq.length = ctxt->node_seq.length;
|
||||
+ oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
|
||||
+ }
|
||||
ctxt->node_seq.maximum = 0;
|
||||
ctxt->node_seq.length = 0;
|
||||
ctxt->node_seq.buffer = NULL;
|
||||
--
|
||||
2.6.3
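Review bot: In the second parser.c hunk, the three resets that follow the new `if (oldctxt != NULL)` block (`ctxt->node_seq.buffer = NULL;` and the two fields before it) still run unconditionally, so when oldctxt is NULL the node_seq buffer pointer is dropped without being handed to anyone. If ctxt can hold a non-NULL node_seq.buffer on that path, it would no longer be reachable for release; whether it can is not visible, because xmlParseExternalEntityPrivate starts and ends outside both hunks. I would move the three resets inside the `if (oldctxt != NULL)` block so that ctxt keeps ownership when there is no outer context, or add a comment such as `/* node_seq is only populated from oldctxt, so nothing to release when it is NULL */` if that invariant holds. The commit message itself says the NULL check is not applied everywhere, so the remaining `oldctxt->` uses in the function deserve the same audit.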
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
From f65128f38289d77ff322d63aef2858cc0a819c34 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Fri, 17 Oct 2014 17:13:41 +0800
|
||||
Subject: [PATCH] Revert "Missing initialization for the catalog module"
|
||||
|
||||
This reverts commit 054c716ea1bf001544127a4ab4f4346d1b9947e7.
|
||||
As this break xmlcatalog command
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1153753
|
||||
---
|
||||
parser.c | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 1d93967..67c9dfd 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -14830,9 +14830,6 @@ xmlInitParser(void) {
|
||||
#ifdef LIBXML_XPATH_ENABLED
|
||||
xmlXPathInit();
|
||||
#endif
|
||||
-#ifdef LIBXML_CATALOG_ENABLED
|
||||
- xmlInitializeCatalog();
|
||||
-#endif
|
||||
xmlParserInitialized = 1;
|
||||
#ifdef LIBXML_THREAD_ENABLED
|
||||
}
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
From f54d6a929af2a570396f0595a0e29064c908c12e Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 19 Dec 2014 00:08:35 +0100
|
||||
Subject: [PATCH] Account for ID attributes in xmlSetTreeDoc
|
||||
|
||||
---
|
||||
tree.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/tree.c b/tree.c
|
||||
index 6ec9223..c6323b4 100644
|
||||
--- a/tree.c
|
||||
+++ b/tree.c
|
||||
@@ -2799,8 +2799,19 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
|
||||
if(tree->type == XML_ELEMENT_NODE) {
|
||||
prop = tree->properties;
|
||||
while (prop != NULL) {
|
||||
+ if (prop->atype == XML_ATTRIBUTE_ID) {
|
||||
+ xmlRemoveID(tree->doc, prop);
|
||||
+ }
|
||||
+
|
||||
prop->doc = doc;
|
||||
xmlSetListDoc(prop->children, doc);
|
||||
+
|
||||
+ if (xmlIsID(doc, tree, prop)) {
|
||||
+ xmlChar *idVal = xmlNodeListGetString(doc, prop->children,
|
||||
+ 1);
|
||||
+ xmlAddID(NULL, doc, idVal, prop);
|
||||
+ }
|
||||
+
|
||||
prop = prop->next;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.6.3
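Review bot: In the tree.c hunk, `idVal` is obtained from `xmlNodeListGetString(doc, prop->children, 1)` and passed to `xmlAddID(NULL, doc, idVal, prop)` but never released. As far as I know xmlNodeListGetString returns a newly allocated copy that the caller must free, and xmlAddID stores its own duplicate of the value, so each ID attribute moved between documents would leak one string. Adding `if (idVal != NULL) xmlFree(idVal);` right after the xmlAddID call would close that. xmlSetTreeDoc begins and continues outside the hunk, so any later cleanup is not visible from here.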
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
From ba58f23c60862f2158b457f4d30031761bf4dde1 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 8 Mar 2015 16:44:11 +0100
|
||||
Subject: [PATCH] Fix order of root nodes
|
||||
|
||||
Make sure root nodes are sorted before other nodes.
|
||||
---
|
||||
xpath.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xpath.c b/xpath.c
|
||||
index ffd2a48..e9f5bf9 100644
|
||||
--- a/xpath.c
|
||||
+++ b/xpath.c
|
||||
@@ -361,13 +361,13 @@ turtle_comparison:
|
||||
/*
|
||||
* compute depth to root
|
||||
*/
|
||||
- for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
|
||||
+ for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
|
||||
if (cur == node1)
|
||||
return(1);
|
||||
depth2++;
|
||||
}
|
||||
root = cur;
|
||||
- for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
|
||||
+ for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
|
||||
if (cur == node2)
|
||||
return(-1);
|
||||
depth1++;
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 3eaedba1b64180668fdab7ad2eba549586017bf3 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sat, 11 Jul 2015 14:27:34 +0200
|
||||
Subject: [PATCH] Fix previous change to node sort order
|
||||
|
||||
Commit ba58f23 broke comparison of nodes from different documents.
|
||||
Thanks to Olli Pottonen for the report.
|
||||
---
|
||||
xpath.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/xpath.c b/xpath.c
|
||||
index e9f5bf9..935fcff 100644
|
||||
--- a/xpath.c
|
||||
+++ b/xpath.c
|
||||
@@ -361,14 +361,14 @@ turtle_comparison:
|
||||
/*
|
||||
* compute depth to root
|
||||
*/
|
||||
- for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
|
||||
- if (cur == node1)
|
||||
+ for (depth2 = 0, cur = node2; cur->parent != NULL; cur = cur->parent) {
|
||||
+ if (cur->parent == node1)
|
||||
return(1);
|
||||
depth2++;
|
||||
}
|
||||
root = cur;
|
||||
- for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
|
||||
- if (cur == node2)
|
||||
+ for (depth1 = 0, cur = node1; cur->parent != NULL; cur = cur->parent) {
|
||||
+ if (cur->parent == node2)
|
||||
return(-1);
|
||||
depth1++;
|
||||
}
|
||||
--
|
||||
2.6.3
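Review bot: The loop conditions in this xpath.c hunk are easy to get wrong again, as the previous patch in the series shows, and the only comment above them is still `compute depth to root`. The loops now stop on `cur->parent != NULL` and test `cur->parent == node1` / `cur->parent == node2`, so `cur` is the topmost node, not NULL, when `root = cur;` runs; the commit message ties this to comparing nodes from different documents. I would record that next to the first loop, e.g. `/* stop at the topmost node, not at NULL: root is used below to detect nodes from different trees */`, hedged on how `root` is used since the code after the second loop is outside the hunk. The loops also dereference `cur->parent` on the first iteration, so they rely on node1 and node2 being non-NULL, which is presumably checked earlier in the function.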
|
||||
|
|
@ -70,7 +70,28 @@ things the parser might find in the XML document (like start tags).")
|
|||
version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i"))))
|
||||
"1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i"))
|
||||
(patches
|
||||
(map search-patch
|
||||
'("libxml2-fix-catalog-corruption.patch"
|
||||
"libxml2-bug-738805.patch"
|
||||
"libxml2-id-attrs-in-xmlSetTreeDoc.patch"
|
||||
"libxml2-CVE-2015-7941-pt1.patch"
|
||||
"libxml2-CVE-2015-7941-pt2.patch"
|
||||
"libxml2-node-sort-order-pt1.patch"
|
||||
"libxml2-bug-747437.patch"
|
||||
"libxml2-CVE-2015-1819.patch"
|
||||
"libxml2-bug-751603.patch"
|
||||
"libxml2-bug-751631.patch"
|
||||
"libxml2-node-sort-order-pt2.patch"
|
||||
"libxml2-bug-737840.patch"
|
||||
"libxml2-bug-754946.patch"
|
||||
"libxml2-bug-754947.patch"
|
||||
"libxml2-bug-755857.patch"
|
||||
"libxml2-CVE-2015-7942-pt1.patch"
|
||||
"libxml2-CVE-2015-7942-pt2.patch"
|
||||
"libxml2-bug-746048.patch"
|
||||
"libxml2-CVE-2015-8035.patch")))))
|
||||
(build-system gnu-build-system)
|
||||
(home-page "http://www.xmlsoft.org/")
|
||||
(synopsis "C parser for XML")
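Review bot: The new `patches` list in gnu/packages/xml.scm is not alphabetical, and nothing tells a later editor that its order is significant. At least two pairs depend on each other: the index line of libxml2-node-sort-order-pt2.patch (`e9f5bf9..935fcff`) starts from the result of -pt1 (`ffd2a48..e9f5bf9`), and libxml2-bug-755857.patch (`f1724a9..a65e4cc`) starts from the parser.c produced by libxml2-bug-754947.patch. A short comment above the list, e.g. `;; Keep in upstream commit order: later patches apply on top of earlier ones.`, would keep someone from sorting the list or dropping a single entry when one of the CVE fixes is superseded.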
|
||||
|
|