backport upstream patches

This commit is contained in:
zhuofeng 2024-05-06 16:07:19 +08:00
parent f42ee66f6c
commit 46e839105d
31 changed files with 1402 additions and 5 deletions


@ -0,0 +1,114 @@
From d7d0bc6581e332f49c9ff628f548eced03c65189 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 31 Mar 2023 16:47:48 +0200
Subject: [PATCH] SAX2: Ignore namespaces in HTML documents
In commit 21ca8829, we started to ignore namespaces in HTML element
names but we still called xmlSplitQName, effectively stripping the
namespace prefix. This would cause elements like <o:p> being parsed
as <p>. Now we leave the name untouched.
Fixes #508.
Reference:https://github.com/GNOME/libxml2/commit/d7d0bc6581e332f49c9ff628f548eced03c65189
Conflict:NA
---
SAX2.c | 15 +++++++++------
result/HTML/names.html | 6 ++++++
result/HTML/names.html.err | 3 +++
result/HTML/names.html.sax | 20 ++++++++++++++++++++
test/HTML/names.html | 5 +++++
5 files changed, 43 insertions(+), 6 deletions(-)
create mode 100644 result/HTML/names.html
create mode 100644 result/HTML/names.html.err
create mode 100644 result/HTML/names.html.sax
create mode 100644 test/HTML/names.html
diff --git a/SAX2.c b/SAX2.c
index 3984bed..f8bc7c2 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -1589,12 +1589,15 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts)
ctxt->validate = 0;
}
-
- /*
- * Split the full name into a namespace prefix and the tag name
- */
- name = xmlSplitQName(ctxt, fullname, &prefix);
-
+ if (ctxt->html) {
+ prefix = NULL;
+ name = xmlStrdup(fullname);
+ } else {
+ /*
+ * Split the full name into a namespace prefix and the tag name
+ */
+ name = xmlSplitQName(ctxt, fullname, &prefix);
+ }
/*
* Note : the namespace resolution is deferred until the end of the
diff --git a/result/HTML/names.html b/result/HTML/names.html
new file mode 100644
index 0000000..dd7dcc2
--- /dev/null
+++ b/result/HTML/names.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
+<html>
+<body>
+ <o:p></o:p>
+</body>
+</html>
diff --git a/result/HTML/names.html.err b/result/HTML/names.html.err
new file mode 100644
index 0000000..4d91a5d
--- /dev/null
+++ b/result/HTML/names.html.err
@@ -0,0 +1,3 @@
+./test/HTML/names.html:3: HTML parser error : Tag o:p invalid
+ <o:p></o:p>
+ ^
diff --git a/result/HTML/names.html.sax b/result/HTML/names.html.sax
new file mode 100644
index 0000000..12a107f
--- /dev/null
+++ b/result/HTML/names.html.sax
@@ -0,0 +1,20 @@
+SAX.setDocumentLocator()
+SAX.startDocument()
+SAX.startElement(html)
+SAX.characters(
+, 1)
+SAX.startElement(body)
+SAX.characters(
+ , 3)
+SAX.startElement(o:p)
+SAX.error: Tag o:p invalid
+SAX.endElement(o:p)
+SAX.characters(
+, 1)
+SAX.endElement(body)
+SAX.characters(
+, 1)
+SAX.endElement(html)
+SAX.characters(
+, 1)
+SAX.endDocument()
diff --git a/test/HTML/names.html b/test/HTML/names.html
new file mode 100644
index 0000000..0dac7a4
--- /dev/null
+++ b/test/HTML/names.html
@@ -0,0 +1,5 @@
+<html>
+<body>
+ <o:p></o:p>
+</body>
+</html>
--
2.33.0
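Review bot: The new HTML branch at `name = xmlStrdup(fullname);` does not check for a NULL return, so on allocation failure xmlSAX2StartElement continues past the hunk with a NULL name; whether the node-creation code further down rejects that cannot be seen here. If it does not, an explicit `if (name == NULL) { xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement"); return; }` after the strdup makes the failure mode visible instead of relying on a callee. The function continues outside the hunk.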


@ -0,0 +1,34 @@
From fef12ed81619c79729bf66a906701308a02d6b2b Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 11 Oct 2023 13:32:54 +0200
Subject: [PATCH] buf: Also reset input in error case
Avoid dangling pointers if memory allocation failed. This could cause
a use-after-free after recent changes.
Found by OSS-Fuzz.
Reference:https://github.com/GNOME/libxml2/commit/fef12ed81619c79729bf66a906701308a02d6b2b
Conflict:NA
---
buf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/buf.c b/buf.c
index e0afd798c..266395f48 100644
--- a/buf.c
+++ b/buf.c
@@ -1017,8 +1017,12 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) {
*/
int
xmlBufResetInput(xmlBufPtr buf, xmlParserInputPtr input) {
- if ((input == NULL) || (buf == NULL) || (buf->error))
+ if (input == NULL)
return(-1);
+ if ((buf == NULL) || (buf->error)) {
+ input->base = input->cur = input->end = BAD_CAST "";
+ return(-1);
+ }
CHECK_COMPAT(buf)
input->base = input->cur = buf->content;
input->end = &buf->content[buf->use];
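Review bot: The early-out at `if ((buf == NULL) || (buf->error)) {` changes the contract of xmlBufResetInput: the input is now reset to an empty string even when the call fails, but the doc comment above the function (only its closing `*/` is in the hunk) presumably still describes only the return value. Suggest adding to it: `On failure the input is pointed at an empty string so callers never keep a dangling base/cur/end.` The rest of the function runs past the hunk.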


@ -0,0 +1,50 @@
From 7dfcea03c37d17ca0d05d7a54f9245a8fde735cc Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 11 Oct 2023 14:19:04 +0200
Subject: [PATCH] dict: Fix integer overflow in xmlDictAddString
Short-lived regression.
Older versions didn't check for integer overflow, but limited name
length to INT_MAX / 2. Reintroduce this limit.
Found by OSS-Fuzz.
Reference:https://github.com/GNOME/libxml2/commit/7dfcea03c37d17ca0d05d7a54f9245a8fde735cc
Conflict:xmlDictLookupInternal function does not exist, Therefore, the function is not incorporated.
---
dict.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/dict.c b/dict.c
index 4de231f..af3e71a 100644
--- a/dict.c
+++ b/dict.c
@@ -264,10 +264,20 @@ xmlDictAddString(xmlDictPtr dict, const xmlChar *name, unsigned int namelen) {
return(NULL);
}
- if (size == 0) size = 1000;
- else size *= 4; /* exponential growth */
- if (size < 4 * namelen)
- size = 4 * namelen; /* just in case ! */
+ if (size == 0) {
+ size = 1000;
+ } else {
+ if (size < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)
+ size *= 4; /* exponential growth */
+ else
+ size = SIZE_MAX - sizeof(xmlDictStrings);
+ }
+ if (size / 4 < namelen) {
+ if ((size_t) namelen + 0 < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)
+ size = 4 * (size_t) namelen; /* just in case ! */
+ else
+ return(NULL);
+ }
pool = (xmlDictStringsPtr) xmlMalloc(sizeof(xmlDictStrings) + size);
if (pool == NULL)
return(NULL);
--
2.33.0
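Review bot: The Conflict note says the xmlDictLookupInternal part of the upstream fix was dropped, yet the subject still promises to "Reintroduce this limit"; what remains in the hunk only bounds the pool allocation, so name lengths near INT_MAX / 2 reaching xmlDictAddString are presumably still unchecked in this tree unless the callers carry the limit, and either that check should be re-added at the caller side or the subject trimmed to what was backported. Separately, `(size_t) namelen + 0` in the second guard is a no-op that reads like a leftover; `if ((size_t) namelen < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)` says the same thing. The function continues outside the hunk.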


@ -0,0 +1,65 @@
From f45abbd3e561d25743053236a401cea49e6bdb24 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 4 Sep 2023 15:31:04 +0200
Subject: [PATCH] dict: Fix integer overflow of string lengths
Reference:https://github.com/GNOME/libxml2/commit/f45abbd3e561d25743053236a401cea49e6bdb24
Conflict:NA
Fixes #546.
---
dict.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/dict.c b/dict.c
index e39e8a4..4de231f 100644
--- a/dict.c
+++ b/dict.c
@@ -384,7 +384,7 @@ xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) {
hash = seed;
- for (i = 0;i < namelen; i++) {
+ for (i = 0; i < namelen; i++) {
hash += data[i];
hash += (hash << 10);
hash ^= (hash >> 6);
@@ -868,7 +868,7 @@ xmlDictLookup(xmlDictPtr dict, const xmlChar *name, int len) {
xmlDictEntryPtr entry;
xmlDictEntryPtr insert;
const xmlChar *ret;
- unsigned int l;
+ size_t l;
if ((dict == NULL) || (name == NULL))
return(NULL);
@@ -1006,7 +1006,7 @@ const xmlChar *
xmlDictExists(xmlDictPtr dict, const xmlChar *name, int len) {
unsigned long key, okey, nbi = 0;
xmlDictEntryPtr insert;
- unsigned int l;
+ size_t l;
if ((dict == NULL) || (name == NULL))
return(NULL);
@@ -1116,7 +1116,7 @@ xmlDictQLookup(xmlDictPtr dict, const xmlChar *prefix, const xmlChar *name) {
xmlDictEntryPtr entry;
xmlDictEntryPtr insert;
const xmlChar *ret;
- unsigned int len, plen, l;
+ size_t len, plen, l;
if ((dict == NULL) || (name == NULL))
return(NULL);
@@ -1125,6 +1125,8 @@ xmlDictQLookup(xmlDictPtr dict, const xmlChar *prefix, const xmlChar *name) {
l = len = strlen((const char *) name);
plen = strlen((const char *) prefix);
+ if ((len > INT_MAX / 2) || (plen > INT_MAX / 2))
+ return(NULL);
len += 1 + plen;
/*
--
2.33.0
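Review bot: The new guard `if ((len > INT_MAX / 2) || (plen > INT_MAX / 2))` in xmlDictQLookup uses a bare magic bound; a one-line comment would spare the next reader from rederiving it, e.g. `/* keep len + 1 + plen representable as an int for the lookup helpers */` (hedged: the callee signatures are outside the hunk). The `size_t l` changes in xmlDictLookup and xmlDictExists only pay off if those functions also compare `l` against INT_MAX / 2 further down (outside their hunks); worth confirming that check is present in this tree. All four functions continue outside their hunks.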


@ -0,0 +1,28 @@
From edbf1eb63befa14417ec5b0b588444498a086f88 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 5 Mar 2024 18:07:13 +0100
Subject: [PATCH] entities: Don't allow null name in xmlNewEntity
Reference: https://github.com/GNOME/libxml2/commit/edbf1eb63befa14417ec5b0b588444498a086f88
Conflict: adapt xmlNewEntity
---
entities.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/entities.c b/entities.c
index ec1b9a7..5a56690 100644
--- a/entities.c
+++ b/entities.c
@@ -429,6 +429,8 @@ xmlNewEntity(xmlDocPtr doc, const xmlChar *name, int type,
if ((doc != NULL) && (doc->intSubset != NULL)) {
return(xmlAddDocEntity(doc, name, type, ExternalID, SystemID, content));
}
+ if (name == NULL)
+ return(NULL);
if (doc != NULL)
dict = doc->dict;
else
--
2.33.0
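Review bot: The new `if (name == NULL) return(NULL);` sits below the `doc->intSubset != NULL` branch, so a NULL name still reaches xmlAddDocEntity on that path; unless xmlAddDocEntity rejects NULL itself (its body is outside the hunk), moving the check above that `if` covers both paths with one line. xmlNewEntity continues outside the hunk.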


@ -0,0 +1,35 @@
From 4b8f7cf05def7192928c6a023300ee55ef2a9cfe Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 1 Sep 2023 13:07:27 +0200
Subject: [PATCH] hash: Fix integer overflow of nbElems
Reference:https://github.com/GNOME/libxml2/commit/4b8f7cf05def7192928c6a023300ee55ef2a9cfe
Conflict:NA
---
hash.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hash.c b/hash.c
index cbcc4293..45635857 100644
--- a/hash.c
+++ b/hash.c
@@ -541,7 +541,7 @@ xmlHashAddEntry3(xmlHashTablePtr table, const xmlChar *name,
xmlHashEntryPtr entry;
xmlHashEntryPtr insert;
- if ((table == NULL) || (name == NULL))
+ if ((table == NULL) || (name == NULL) || (table->nbElems == INT_MAX))
return(-1);
/*
@@ -680,7 +680,7 @@ xmlHashUpdateEntry3(xmlHashTablePtr table, const xmlChar *name,
xmlHashEntryPtr entry;
xmlHashEntryPtr insert;
- if ((table == NULL) || name == NULL)
+ if ((table == NULL) || (name == NULL) || (table->nbElems == INT_MAX))
return(-1);
/*
--
2.23.0
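Review bot: In xmlHashUpdateEntry3 the added `(table->nbElems == INT_MAX)` test fires before the lookup, so replacing an existing key in a full table now fails even though an in-place update does not grow nbElems (the insert/replace logic is outside the hunk). If that path exists in this tree, the check belongs only on the branch that actually adds an entry; for xmlHashAddEntry3 the early test is fine. Both functions continue outside their hunks.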


@ -0,0 +1,29 @@
From 8cd563174ad17b82f807640f478f613f22238336 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 21 Dec 2023 02:32:01 +0100
Subject: [PATCH] html: Don't close fd in htmlCtxtReadFd
Long-standing bug. The XML fix from 2003 was never ported to the HTML
parser. htmlReadFd was fixed with fe6890e2.
Reference: https://github.com/GNOME/libxml2/commit/8cd563174ad17b82f807640f478f613f22238336
Conflict: NA
---
HTMLparser.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/HTMLparser.c b/HTMLparser.c
index 5228b601..c0b54e69 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -6755,6 +6755,7 @@ htmlCtxtReadFd(htmlParserCtxtPtr ctxt, int fd,
input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE);
if (input == NULL)
return (NULL);
+ input->closecallback = NULL;
stream = xmlNewIOInputStream(ctxt, input, XML_CHAR_ENCODING_NONE);
if (stream == NULL) {
xmlFreeParserInputBuffer(input);
--
2.33.0
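Review bot: `input->closecallback = NULL;` is correct but silent about why, and the stream-failure path just below it (`xmlFreeParserInputBuffer(input)`) relies on exactly this; a comment on the new line would make the ownership rule explicit: `/* the caller owns fd: the buffer must not close it on free */`. htmlCtxtReadFd continues outside the hunk.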


@ -0,0 +1,53 @@
From 75693281389aab047b424d46df944b35ab4a3263 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 21 Jul 2023 14:50:30 +0200
Subject: [PATCH] malloc-fail: Fix memory leak in xmlCompileAttributeTest
Found by OSS-Fuzz, see #344.
Reference:https://github.com/GNOME/libxml2/commit/75693281389aab047b424d46df944b35ab4a3263
Conflict:NA
---
pattern.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pattern.c b/pattern.c
index 27e9694..64231a2 100644
--- a/pattern.c
+++ b/pattern.c
@@ -947,7 +947,6 @@ xmlCompileAttributeTest(xmlPatParserContextPtr ctxt) {
if (IS_BLANK_CH(CUR)) {
ERROR5(NULL, NULL, NULL, "Invalid QName.\n", NULL);
- XML_PAT_FREE_STRING(ctxt, prefix);
ctxt->error = 1;
goto error;
}
@@ -972,12 +971,12 @@ xmlCompileAttributeTest(xmlPatParserContextPtr ctxt) {
ERROR5(NULL, NULL, NULL,
"xmlCompileAttributeTest : no namespace bound to prefix %s\n",
prefix);
- XML_PAT_FREE_STRING(ctxt, prefix);
ctxt->error = 1;
goto error;
}
}
- XML_PAT_FREE_STRING(ctxt, prefix);
+ XML_PAT_FREE_STRING(ctxt, name);
+ name = NULL;
if (token == NULL) {
if (CUR == '*') {
NEXT;
@@ -996,6 +995,8 @@ xmlCompileAttributeTest(xmlPatParserContextPtr ctxt) {
}
return;
error:
+ if (name != NULL)
+ XML_PAT_FREE_STRING(ctxt, name);
if (URL != NULL)
XML_PAT_FREE_STRING(ctxt, URL)
if (token != NULL)
--
2.33.0
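Review bot: Replacing `XML_PAT_FREE_STRING(ctxt, prefix)` with a free of `name` is only correct because prefix aliases name (that assignment is outside the hunk), and nothing in the hunk says so; a comment on the new `name = NULL;` line such as `/* prefix aliases name; ownership stays in name so the error path frees it once */` would keep a later edit from freeing both. xmlCompileAttributeTest continues outside the hunks.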


@ -0,0 +1,51 @@
From 8583b9f1cdb966315b3caae328f5d9f2c8b65292 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 12 Dec 2023 15:00:44 +0100
Subject: [PATCH] malloc-fail: Fix null deref in xmlXPathTranslateFunction
Short-lived regression.
Reference: https://github.com/GNOME/libxml2/commit/8583b9f1cdb966315b3caae328f5d9f2c8b65292
Conflict: adpat error:
---
xpath.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/xpath.c b/xpath.c
index 3128efb..a832722 100644
--- a/xpath.c
+++ b/xpath.c
@@ -9330,9 +9330,9 @@ xmlXPathNormalizeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
*/
void
xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- xmlXPathObjectPtr str;
- xmlXPathObjectPtr from;
- xmlXPathObjectPtr to;
+ xmlXPathObjectPtr str = NULL;
+ xmlXPathObjectPtr from = NULL;
+ xmlXPathObjectPtr to = NULL;
xmlBufPtr target;
int offset, max;
int ch;
@@ -9347,6 +9347,8 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
from = valuePop(ctxt);
CAST_TO_STRING;
str = valuePop(ctxt);
+ if (ctxt->error != 0)
+ goto error;
target = xmlBufCreate();
if (target) {
@@ -9388,6 +9390,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
valuePush(ctxt, xmlXPathCacheNewString(ctxt->context,
xmlBufContent(target)));
xmlBufFree(target);
+error:
xmlXPathReleaseObject(ctxt->context, str);
xmlXPathReleaseObject(ctxt->context, from);
xmlXPathReleaseObject(ctxt->context, to);
--
2.33.0
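Review bot: The new `if (ctxt->error != 0) goto error;` runs only after all three CAST_TO_STRING/valuePop pairs, so the second and third pops still execute after a failed cast; that is safe only if valuePop tolerates an error state (its body is outside the hunk), otherwise the check should follow each pop. The NULL initialisations of str/from/to are what make the release calls at `error:` safe when the jump is taken early. xmlXPathTranslateFunction continues outside the hunks.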


@ -0,0 +1,33 @@
From 305a75ccbec4e4b14ab6c05d581d82bd9801b19f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 6 Jun 2023 13:15:46 +0200
Subject: [PATCH] malloc-fail: Fix null-deref with xmllint --copy
See #344. Fixes #552.
Reference:https://github.com/GNOME/libxml2/commit/305a75ccbec4e4b14ab6c05d581d82bd9801b19f
Conflict:NA
---
xmllint.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/xmllint.c b/xmllint.c
index 4093b4c..084c24a 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -2483,6 +2483,11 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
startTimer();
}
doc = xmlCopyDoc(doc, 1);
+ if (doc == NULL) {
+ progresult = XMLLINT_ERR_MEM;
+ xmlFreeDoc(tmp);
+ return;
+ }
if (timing) {
endTimer("Copying");
}
--
2.33.0
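Review bot: The new early `return` after `xmlFreeDoc(tmp);` depends on `tmp` holding the pre-copy document (that assignment is outside the hunk) and skips whatever teardown parseAndPrintFile performs after this point; worth confirming nothing acquired earlier in the function is left behind by returning here. A comment `/* tmp is the original doc; nothing else is owned yet */` would document the reliance. The function continues outside the hunk.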


@ -0,0 +1,35 @@
From e2ab48b9b5f5a97da76d6c90f0630ad0486bac6e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 14 Aug 2023 15:05:30 +0200
Subject: [PATCH] malloc-fail: Fix unsigned integer overflow in
xmlTextReaderPushData
Return immediately if xmlParserInputBufferRead fails.
Found by OSS-Fuzz, see #344.
Reference:https://github.com/GNOME/libxml2/commit/e2ab48b9b5f5a97da76d6c90f0630ad0486bac6e
Conflict:NA
---
xmlreader.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/xmlreader.c b/xmlreader.c
index 193a5d4..d34f294 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -928,9 +928,7 @@ xmlTextReaderPushData(xmlTextReaderPtr reader) {
} else if (val < 0) {
reader->mode = XML_TEXTREADER_MODE_EOF;
reader->state = oldstate;
- if ((oldstate != XML_TEXTREADER_START) ||
- (reader->ctxt->myDoc != NULL))
- return(val);
+ return(val);
} else if (val == 0) {
/* mark the end of the stream and process the remains */
reader->mode = XML_TEXTREADER_MODE_EOF;
--
2.33.0
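Review bot: The unconditional `return(val);` drops a condition without a word on why; a comment would help the next reader: `/* a failed read must not fall through to the length arithmetic below */`. xmlTextReaderPushData continues outside the hunk.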


@ -0,0 +1,41 @@
From 9c2d451c0275dfbf859c321058584ec98382542f Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 4 Mar 2024 01:25:46 +0100
Subject: [PATCH] malloc-fail: Fix use-after-free in xmlBufBackToBuffer
Reference: https://github.com/GNOME/libxml2/commit/9c2d451c0275dfbf859c321058584ec98382542f
Conflict: NA
---
buf.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/buf.c b/buf.c
index 90224c5..8779a16 100644
--- a/buf.c
+++ b/buf.c
@@ -1185,12 +1185,19 @@ xmlBufBackToBuffer(xmlBufPtr buf) {
if (buf == NULL)
return(NULL);
CHECK_COMPAT(buf)
- if ((buf->error) || (buf->buffer == NULL)) {
+ ret = buf->buffer;
+
+ if ((buf->error) || (ret == NULL)) {
xmlBufFree(buf);
+ if (ret != NULL) {
+ ret->content = NULL;
+ ret->contentIO = NULL;
+ ret->use = 0;
+ ret->size = 0;
+ }
return(NULL);
}
- ret = buf->buffer;
/*
* What to do in case of error in the buffer ???
*/
--
2.33.0
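Review bot: The new error branch frees `buf` and then blanks `ret` (the wrapped xmlBuffer) instead of returning it, so the caller still owns an xmlBuffer that is now empty while receiving NULL; the function's doc comment (above the hunk) should state that, e.g. `On error NULL is returned and the underlying xmlBuffer is left allocated but empty; the caller still owns it.` The `ret = buf->buffer;` hoist is what makes the reset after xmlBufFree possible. xmlBufBackToBuffer continues outside the hunk.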


@ -0,0 +1,96 @@
From db21cd5db9c8f0fdb041febc66aef889375aae32 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 6 Jun 2023 14:25:30 +0200
Subject: [PATCH] malloc-fail: Handle malloc failures in xmlAddEncodingAlias
Avoid memory errors if an allocation fails.
See #344. Fixes #553.
Reference:https://github.com/GNOME/libxml2/commit/db21cd5db9c8f0fdb041febc66aef889375aae32
Conflict:NA
---
encoding.c | 44 +++++++++++++++++++++++++++++---------------
1 file changed, 29 insertions(+), 15 deletions(-)
diff --git a/encoding.c b/encoding.c
index 9a7a611..c84e71c 100644
--- a/encoding.c
+++ b/encoding.c
@@ -1068,6 +1068,7 @@ int
xmlAddEncodingAlias(const char *name, const char *alias) {
int i;
char upper[100];
+ char *nameCopy, *aliasCopy;
if ((name == NULL) || (alias == NULL))
return(-1);
@@ -1078,19 +1079,21 @@ xmlAddEncodingAlias(const char *name, const char *alias) {
}
upper[i] = 0;
- if (xmlCharEncodingAliases == NULL) {
- xmlCharEncodingAliasesNb = 0;
- xmlCharEncodingAliasesMax = 20;
- xmlCharEncodingAliases = (xmlCharEncodingAliasPtr)
- xmlMalloc(xmlCharEncodingAliasesMax * sizeof(xmlCharEncodingAlias));
- if (xmlCharEncodingAliases == NULL)
- return(-1);
- } else if (xmlCharEncodingAliasesNb >= xmlCharEncodingAliasesMax) {
- xmlCharEncodingAliasesMax *= 2;
- xmlCharEncodingAliases = (xmlCharEncodingAliasPtr)
- xmlRealloc(xmlCharEncodingAliases,
- xmlCharEncodingAliasesMax * sizeof(xmlCharEncodingAlias));
+ if (xmlCharEncodingAliasesNb >= xmlCharEncodingAliasesMax) {
+ xmlCharEncodingAliasPtr tmp;
+ size_t newSize = xmlCharEncodingAliasesMax ?
+ xmlCharEncodingAliasesMax * 2 :
+ 20;
+
+ tmp = (xmlCharEncodingAliasPtr)
+ xmlRealloc(xmlCharEncodingAliases,
+ newSize * sizeof(xmlCharEncodingAlias));
+ if (tmp == NULL)
+ return(-1);
+ xmlCharEncodingAliases = tmp;
+ xmlCharEncodingAliasesMax = newSize;
}
+
/*
* Walk down the list looking for a definition of the alias
*/
@@ -1099,16 +1102,27 @@ xmlAddEncodingAlias(const char *name, const char *alias) {
/*
* Replace the definition.
*/
+ nameCopy = xmlMemStrdup(name);
+ if (nameCopy == NULL)
+ return(-1);
xmlFree((char *) xmlCharEncodingAliases[i].name);
- xmlCharEncodingAliases[i].name = xmlMemStrdup(name);
+ xmlCharEncodingAliases[i].name = nameCopy;
return(0);
}
}
/*
* Add the definition
*/
- xmlCharEncodingAliases[xmlCharEncodingAliasesNb].name = xmlMemStrdup(name);
- xmlCharEncodingAliases[xmlCharEncodingAliasesNb].alias = xmlMemStrdup(upper);
+ nameCopy = xmlMemStrdup(name);
+ if (nameCopy == NULL)
+ return(-1);
+ aliasCopy = xmlMemStrdup(upper);
+ if (aliasCopy == NULL) {
+ xmlFree(nameCopy);
+ return(-1);
+ }
+ xmlCharEncodingAliases[xmlCharEncodingAliasesNb].name = nameCopy;
+ xmlCharEncodingAliases[xmlCharEncodingAliasesNb].alias = aliasCopy;
xmlCharEncodingAliasesNb++;
return(0);
}
--
2.33.0
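Review bot: `size_t newSize` is assigned back into the global at `xmlCharEncodingAliasesMax = newSize;`; if that global is still an `int` (its declaration is outside the hunk) this is a silent narrowing that `-Wconversion` flags, and declaring `int newSize` to match the other counters avoids it. The table growth still runs before the alias lookup, so replacing an alias in a full table reallocates needlessly; the ordering is pre-existing, but it is a cheap reorder while the block is being rewritten. xmlAddEncodingAlias continues outside the hunks.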


@ -1,3 +1,14 @@
From c266a220232d1a9cc9f7fe87116299269822a06a Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 22 Jan 2023 18:18:00 +0100
Subject: [PATCH] malloc-fail: Handle memory errors in xmlTextReaderEntPush
Unfortunately, there's no way to properly report memory errors.
Found with libFuzzer, see #344.
Reference:https://github.com/GNOME/libxml2/commit/c266a220232d1a9cc9f7fe87116299269822a06a
Conflict:NA
---
xmlreader.c | 36 +++++++++++++++++-------------------
1 file changed, 17 insertions(+), 19 deletions(-)


@ -0,0 +1,80 @@
From 3e7673bc2de35345ccdd91d0821dbe35fc5a7753 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 23 Sep 2023 17:31:55 +0200
Subject: [PATCH] malloc-fail: Report malloc failure in xmlFARegExec
Reference:https://github.com/GNOME/libxml2/commit/3e7673bc2de35345ccdd91d0821dbe35fc5a7753
Conflict:NA
---
xmlregexp.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/xmlregexp.c b/xmlregexp.c
index 22534a7..34167a5 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -3234,6 +3234,7 @@ xmlFARegExecSave(xmlRegExecCtxtPtr exec) {
if (exec->rollbacks == NULL) {
xmlRegexpErrMemory(NULL, "saving regexp");
exec->maxRollbacks = 0;
+ exec->status = XML_REGEXP_OUT_OF_MEMORY;
return;
}
memset(exec->rollbacks, 0,
@@ -3248,6 +3249,7 @@ xmlFARegExecSave(xmlRegExecCtxtPtr exec) {
if (tmp == NULL) {
xmlRegexpErrMemory(NULL, "saving regexp");
exec->maxRollbacks /= 2;
+ exec->status = XML_REGEXP_OUT_OF_MEMORY;
return;
}
exec->rollbacks = tmp;
@@ -3275,6 +3277,8 @@ xmlFARegExecSave(xmlRegExecCtxtPtr exec) {
static void
xmlFARegExecRollBack(xmlRegExecCtxtPtr exec) {
+ if (exec->status != XML_REGEXP_OK)
+ return;
if (exec->nbRollbacks <= 0) {
exec->status = -1;
#ifdef DEBUG_REGEXP_EXEC
@@ -3334,7 +3338,7 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) {
exec->counts = (int *) xmlMalloc(comp->nbCounters * sizeof(int));
if (exec->counts == NULL) {
xmlRegexpErrMemory(NULL, "running regexp");
- return(-1);
+ return(XML_REGEXP_OUT_OF_MEMORY);
}
memset(exec->counts, 0, comp->nbCounters * sizeof(int));
} else
@@ -3431,6 +3435,8 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) {
/* Save before incrementing */
if (exec->state->nbTrans > exec->transno + 1) {
xmlFARegExecSave(exec);
+ if (exec->status != XML_REGEXP_OK)
+ goto error;
}
if (trans->counter >= 0) {
#ifdef DEBUG_REGEXP_EXEC
@@ -3464,6 +3470,8 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) {
exec->transno = -1; /* trick */
exec->state = to;
xmlFARegExecSave(exec);
+ if (exec->status != XML_REGEXP_OK)
+ goto error;
exec->transno = transno;
exec->state = state;
}
@@ -3523,6 +3531,8 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) {
trans->count, codepoint, exec->index);
#endif
xmlFARegExecSave(exec);
+ if (exec->status != XML_REGEXP_OK)
+ goto error;
}
if (trans->counter >= 0) {
xmlRegCounterPtr counter;
--
2.33.0
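Review bot: The three new `goto error;` jumps target a label that is outside every hunk, so the backport only reports the failure if that label returns `exec->status` rather than a hard-coded -1 in this tree; worth confirming, since the series introduces `XML_REGEXP_OUT_OF_MEMORY` specifically to tell OOM from a non-match. `exec->status = -1;` in xmlFARegExecRollBack is still a bare literal where `XML_REGEXP_NOT_FOUND` is now available. Both functions continue outside their hunks.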


@ -0,0 +1,34 @@
From b7d56ef7f158813816a31fa05ce0e48b98bead82 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 22 Sep 2023 17:03:56 +0200
Subject: [PATCH] malloc-fail: Report malloc failure in xmlRegEpxFromParse
Reference:https://github.com/GNOME/libxml2/commit/b7d56ef7f158813816a31fa05ce0e48b98bead82
Conflict:Don't change fuzz/*, the related code does not exist. For details, see Submission:
https://github.com/GNOME/libxml2/commit/42322eba820022eaebb9b6e7c083a8aadddea286
Also check whether malloc failures are reported when fuzzing.
---
xmlregexp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/xmlregexp.c b/xmlregexp.c
index b0111e2..22534a7 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -481,7 +481,11 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
ret->determinist = ctxt->determinist;
ret->flags = ctxt->flags;
if (ret->determinist == -1) {
- xmlRegexpIsDeterminist(ret);
+ if (xmlRegexpIsDeterminist(ret) < 0) {
+ xmlRegexpErrMemory(ctxt, "checking determinism");
+ xmlFree(ret);
+ return(NULL);
+ }
}
if ((ret->determinist != 0) &&
--
2.33.0
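Review bot: The new failure branch frees only the shell with `xmlFree(ret)`; that is correct only while `ctxt` still owns the states, atoms and counters copied into `ret` above (the ownership hand-off later in xmlRegEpxFromParse is outside the hunk), and nothing says so. A comment on the free, `/* ctxt still owns the states/atoms; only the shell is ours */`, would stop a later refactor from turning this into a full regexp free and double-freeing. The function continues outside the hunk.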


@ -0,0 +1,33 @@
From 514ab399550a9bfcd4a5eb60e921d06a1d38af9e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 11 Oct 2023 13:25:49 +0200
Subject: [PATCH] parser: Don't overwrite error state in xmlParseTextDecl
If a memory allocation fails, this could cause a null deref after
recent changes.
Found by OSS-Fuzz.
Reference:https://github.com/GNOME/libxml2/commit/514ab399550a9bfcd4a5eb60e921d06a1d38af9e
Conflict:xmlParseTextDecl
---
parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/parser.c b/parser.c
index 54947aa..29524d2 100644
--- a/parser.c
+++ b/parser.c
@@ -6987,6 +6987,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
xmlFatalErr(ctxt, XML_ERR_XMLDECL_NOT_FINISHED, NULL);
MOVETO_ENDTAG(CUR_PTR);
NEXT;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return;
}
ctxt->instate = oldstate;
--
2.33.0
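Review bot: The new `if (ctxt->instate == XML_PARSER_EOF) return;` guards only the NOT_FINISHED branch, so any earlier failure inside xmlParseTextDecl that set XML_PARSER_EOF (the version/encoding parsing above the hunk) is still overwritten by `ctxt->instate = oldstate;`. If those paths can also fail on allocation, the guard belongs immediately before the restore rather than inside one branch. The function continues outside the hunk.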


@ -0,0 +1,36 @@
From 95f2a17440568694a6df6a326c5b411e77597be2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 30 Jan 2024 13:25:17 +0100
Subject: [PATCH] parser: Fix crash in xmlParseInNodeContext with HTML
documents
Ignore namespaces if we have an HTML document with namespaces added
manually.
Fixes #672.
Reference: https://github.com/GNOME/libxml2/commit/95f2a17440568694a6df6a326c5b411e77597be2
Conflict: NA
---
parser.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index 1038d71b..f7842ed1 100644
--- a/parser.c
+++ b/parser.c
@@ -12415,8 +12415,10 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,
}
xmlAddChild(node, fake);
- if (node->type == XML_ELEMENT_NODE) {
+ if (node->type == XML_ELEMENT_NODE)
nodePush(ctxt, node);
+
+ if ((ctxt->html == 0) && (node->type == XML_ELEMENT_NODE)) {
/*
* initialize the SAX2 namespaces stack
*/
--
2.33.0
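Review bot: The rewritten `if (node->type == XML_ELEMENT_NODE) nodePush(ctxt, node);` drops the braces the original kept on this statement; `if (node->type == XML_ELEMENT_NODE) { nodePush(ctxt, node); }` keeps the house style and the dangling-statement trap out. The return value of nodePush is still ignored here, which is pre-existing. xmlParseInNodeContext continues outside the hunk.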


@ -0,0 +1,33 @@
From 90bcbcfcc72f0647233c0ae85f8dc0e31098530a Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 20 Jul 2023 21:08:01 +0200
Subject: [PATCH] parser: Fix potential use-after-free in
xmlParseCharDataInternal
Return immediately if a SAX handler stops the parser.
Fixes #569.
Reference:https://github.com/GNOME/libxml2/commit/90bcbcfcc72f0647233c0ae85f8dc0e31098530a
Conflict:xmlParseCharData
---
parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/parser.c b/parser.c
index 204073e..b4fb58c 100644
--- a/parser.c
+++ b/parser.c
@@ -4538,6 +4538,8 @@ get_more:
line = ctxt->input->line;
col = ctxt->input->col;
}
+ if (ctxt->instate == XML_PARSER_EOF)
+ return;
}
ctxt->input->cur = in;
if (*in == 0xD) {
--
2.33.0
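Review bot: The EOF check after the characters callback is right, but its reason deserves a comment because `ctxt->input->cur = in;` on the very next line is the access it prevents: `/* a SAX callback may have stopped the parser; ctxt->input is no longer safe to touch */`. The same pattern presumably applies to the other callback sites in this function (outside the hunk), which the Conflict note names as xmlParseCharData. The function continues outside the hunk.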


@ -0,0 +1,37 @@
From f98fa86318d52f6057f60a02e31066c646fb998b Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 22 Sep 2023 15:25:40 +0200
Subject: [PATCH] regexp: Fix status codes and handle invalid UTF-8
Reference:https://github.com/GNOME/libxml2/commit/f98fa86318d52f6057f60a02e31066c646fb998b
Conflict:only add define macros.
Fixes #561.
---
xmlregexp.c | 74 ++++++++++++++++++++++++++++++-----------------------
1 file changed, 42 insertions(+), 32 deletions(-)
diff --git a/xmlregexp.c b/xmlregexp.c
index 34167a5..89e2ebf 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -50,6 +50,16 @@
#define MAX_PUSH 10000000
+/*
+ * -2 and -3 are used by xmlValidateElementType for other things.
+ */
+#define XML_REGEXP_OK 0
+#define XML_REGEXP_NOT_FOUND (-1)
+#define XML_REGEXP_INTERNAL_ERROR (-4)
+#define XML_REGEXP_OUT_OF_MEMORY (-5)
+#define XML_REGEXP_INTERNAL_LIMIT (-6)
+#define XML_REGEXP_INVALID_UTF8 (-7)
+
#ifdef ERROR
#undef ERROR
#endif
--
2.33.0
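Review bot: The Conflict note says only the macros were taken, but the retained diffstat `xmlregexp.c | 74 +++...` and the subject "handle invalid UTF-8" describe the full upstream change, so the patch file overstates what this tree gets; `XML_REGEXP_INVALID_UTF8` is defined here with no visible user. The diffstat should be regenerated for the trimmed hunk and the subject or Conflict line should say that invalid-UTF-8 handling was not backported.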


@ -0,0 +1,28 @@
From fb1e63025bab4e1f33a3fa6a916c66753ae873a0 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 17 Mar 2024 19:24:06 +0100
Subject: [PATCH] save: Check for NULL node->name in xhtmlIsEmpty
Reference: https://github.com/GNOME/libxml2/commit/fb1e63025bab4e1f33a3fa6a916c66753ae873a0
Conflict: NA
---
xmlsave.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xmlsave.c b/xmlsave.c
index 90e1856..fad0869 100644
--- a/xmlsave.c
+++ b/xmlsave.c
@@ -1288,7 +1288,7 @@ xhtmlIsEmpty(xmlNodePtr node) {
return(0);
if (node->children != NULL)
return(0);
- switch (node->name[0]) {
+ switch (node->name ? node->name[0] : 0) {
case 'a':
if (xmlStrEqual(node->name, BAD_CAST "area"))
return(1);
--
2.33.0
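Review bot: The ternary in `switch (node->name ? node->name[0] : 0)` hides an argument check inside the switch expression while the two guards just above it use early returns; `if (node->name == NULL) return(0);` beside them is the clearer form and keeps the switch on the plain `node->name[0]`. This assumes a name-less node should take the same path as the `0` case does now (the default branch is outside the hunk). xhtmlIsEmpty continues outside the hunk.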


@ -0,0 +1,29 @@
From 90d5b79958fb576c3ffbd5e07b60d5ff20d36d66 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 14 Sep 2023 15:30:38 +0200
Subject: [PATCH] schemas: Fix memory leak of annotations in notations
Reference:https://github.com/GNOME/libxml2/commit/90d5b79958fb576c3ffbd5e07b60d5ff20d36d66
Conflict:NA
Found by OSS-Fuzz.
---
xmlschemas.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xmlschemas.c b/xmlschemas.c
index 7199d23..f53e7e6 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -3800,6 +3800,8 @@ xmlSchemaFreeNotation(xmlSchemaNotationPtr nota)
{
if (nota == NULL)
return;
+ if (nota->annot != NULL)
+ xmlSchemaFreeAnnot(nota->annot);
xmlFree(nota);
}
--
2.33.0


@ -0,0 +1,91 @@
From a581f65194212f183dcbe77da44657d477a4758d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 21 Feb 2024 12:09:10 +0100
Subject: [PATCH] tree: Check for integer overflow in xmlStringGetNodeList
This function is called with unvalidated strings from functions like
xmlNewDocProp, xmlNewDocNode or xmlNodeSetContent, so we have to check
for integer overflow after all.
Reference:https://github.com/GNOME/libxml2/commit/a581f65194212f183dcbe77da44657d477a4758d
Conflict:remove comment
---
tree.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tree.c b/tree.c
index 8039ca6..496a531 100644
--- a/tree.c
+++ b/tree.c
@@ -1332,6 +1332,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
charval = 0;
break;
}
+ if (charval > 0x110000)
+ charval = 0x110000;
cur++;
if (cur < end)
tmp = *cur;
@@ -1357,6 +1359,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
charval = 0;
break;
}
+ if (charval > 0x110000)
+ charval = 0x110000;
cur++;
if (cur < end)
tmp = *cur;
@@ -1447,12 +1451,14 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) {
xmlChar buffer[10];
int l;
+ if (charval >= 0x110000)
+ charval = 0xFFFD; /* replacement character */
+
l = xmlCopyCharMultiByte(buffer, charval);
buffer[l] = 0;
if (xmlBufCat(buf, buffer))
goto out;
- charval = 0;
}
} else
cur++;
@@ -1541,6 +1547,8 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
charval = 0;
break;
}
+ if (charval > 0x110000)
+ charval = 0x110000;
cur++;
tmp = *cur;
}
@@ -1560,6 +1568,8 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
charval = 0;
break;
}
+ if (charval > 0x110000)
+ charval = 0x110000;
cur++;
tmp = *cur;
}
@@ -1644,12 +1654,14 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
xmlChar buffer[10];
int len;
+ if (charval >= 0x110000)
+ charval = 0xFFFD; /* replacement character */
+
len = xmlCopyCharMultiByte(buffer, charval);
buffer[len] = 0;
if (xmlBufCat(buf, buffer))
goto out;
- charval = 0;
}
} else
cur++;
--
2.33.0
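Review bot: The saturation `if (charval > 0x110000) charval = 0x110000;` is repeated four times (hex and decimal loops in both functions) and its pairing with the later `>= 0x110000` replacement is explained nowhere; a comment at the first occurrence, `/* saturate so the accumulation cannot overflow int; anything past 0x10FFFF is replaced below */`, and a small static helper for the clamp would keep the two thresholds from drifting apart. Removing `charval = 0;` after the emit is only safe if charval is re-initialised at the top of each `&` block (outside the hunk); worth confirming for this tree. Both functions continue outside their hunks.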


@ -0,0 +1,28 @@
From d1cc6f7df2492eac3d689a5632fff74d99a575b9 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 5 Mar 2024 04:34:59 +0100
Subject: [PATCH] tree: Don't allow NULL name in xmlSetNsProp
Reference: https://github.com/GNOME/libxml2/commit/d1cc6f7df2492eac3d689a5632fff74d99a575b9
Conflict: adapt xmlSetNsProp
---
tree.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tree.c b/tree.c
index 496a531..be84324 100644
--- a/tree.c
+++ b/tree.c
@@ -6963,6 +6963,8 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name,
if (ns && (ns->href == NULL))
return(NULL);
+ if (name == NULL)
+ return(NULL);
prop = xmlGetPropNodeInternal(node, name, (ns != NULL) ? ns->href : NULL, 0);
if (prop != NULL) {
/*
--
2.33.0
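Review bot: The new `if (name == NULL) return(NULL);` is a public-API contract change for xmlSetNsProp, but the doc comment above the function (outside the hunk) is untouched; it should say `Returns NULL if @name is NULL.` so the check is discoverable. Placing it next to the other argument checks at the top of the function rather than after the ns->href test would also keep validation in one place. The function continues outside the hunk.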


@ -0,0 +1,53 @@
From 8707838e69f9c6e729c1d1d46bb3681d9e622be5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 28 Nov 2023 13:27:25 +0100
Subject: [PATCH] tree: Fix #583 again
Only set doc->intSubset after successful copy to avoid dangling pointers
in error case.
Reference: https://github.com/GNOME/libxml2/commit/8707838e69f9c6e729c1d1d46bb3681d9e622be5
Conflict: NA
---
tree.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tree.c b/tree.c
index 5a9c24d1..35dabb97 100644
--- a/tree.c
+++ b/tree.c
@@ -4301,6 +4301,7 @@ xmlNodePtr
xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
xmlNodePtr ret = NULL;
xmlNodePtr p = NULL,q;
+ xmlDtdPtr newSubset = NULL;
while (node != NULL) {
#ifdef LIBXML_TREE_ENABLED
@@ -4309,12 +4310,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
node = node->next;
continue;
}
- if (doc->intSubset == NULL) {
+ if ((doc->intSubset == NULL) && (newSubset == NULL)) {
q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
if (q == NULL) goto error;
q->doc = doc;
q->parent = parent;
- doc->intSubset = (xmlDtdPtr) q;
+ newSubset = (xmlDtdPtr) q;
xmlAddChild(parent, q);
} else {
q = (xmlNodePtr) doc->intSubset;
@@ -4335,6 +4336,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
}
node = node->next;
}
+ if ((doc != NULL) && (newSubset != NULL))
+ doc->intSubset = newSubset;
return(ret);
error:
xmlFreeNodeList(ret);
--
2.33.0
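Review bot: The else branch at `q = (xmlNodePtr) doc->intSubset;` still reads doc->intSubset, which this patch now leaves NULL until the assignment after the loop, so a node list holding a second DTD node after the first one has been copied produces q == NULL; if I read the code between the hunks correctly, the `if (q == NULL) goto error;` that follows the `#endif` then aborts the whole copy where the old code re-used the freshly copied subset. Mirror the new guard in the else branch: `q = (xmlNodePtr) ((newSubset != NULL) ? newSubset : doc->intSubset);`. The `doc != NULL` test in the final assignment looks redundant if DTD nodes are already skipped for a NULL doc earlier in the loop, but that check is outside this hunk. The body of xmlStaticCopyNodeList between and after the hunks is outside this view.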


@ -0,0 +1,76 @@
From de3f70146dc531a1f2c0976dc1c2bff84529f161 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 28 Nov 2023 13:01:38 +0100
Subject: [PATCH] tree: Fix regression when copying DTDs
This reverts commit d39f78069dff496ec865c73aa44d7110e429bce9.
Fixes #634.
Reference: https://github.com/GNOME/libxml2/commit/de3f70146dc531a1f2c0976dc1c2bff84529f161
Conflict: NA
---
tree.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/tree.c b/tree.c
index a6264e8b..5a9c24d1 100644
--- a/tree.c
+++ b/tree.c
@@ -4301,28 +4301,29 @@ xmlNodePtr
xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
xmlNodePtr ret = NULL;
xmlNodePtr p = NULL,q;
- xmlDtdPtr newSubset = NULL;
while (node != NULL) {
- if (node->type == XML_DTD_NODE ) {
#ifdef LIBXML_TREE_ENABLED
- if ((doc == NULL) || (doc->intSubset != NULL)) {
+ if (node->type == XML_DTD_NODE ) {
+ if (doc == NULL) {
node = node->next;
continue;
}
- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
- if (q == NULL) goto error;
- q->doc = doc;
- q->parent = parent;
- newSubset = (xmlDtdPtr) q;
-#else
- node = node->next;
- continue;
+ if (doc->intSubset == NULL) {
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+ if (q == NULL) goto error;
+ q->doc = doc;
+ q->parent = parent;
+ doc->intSubset = (xmlDtdPtr) q;
+ xmlAddChild(parent, q);
+ } else {
+ q = (xmlNodePtr) doc->intSubset;
+ xmlAddChild(parent, q);
+ }
+ } else
#endif /* LIBXML_TREE_ENABLED */
- } else {
q = xmlStaticCopyNode(node, doc, parent, 1);
- if (q == NULL) goto error;
- }
+ if (q == NULL) goto error;
if (ret == NULL) {
q->prev = NULL;
ret = p = q;
@@ -4334,8 +4335,6 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
}
node = node->next;
}
- if (newSubset != NULL)
- doc->intSubset = newSubset;
return(ret);
error:
xmlFreeNodeList(ret);
--
2.33.0
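Review bot: Dropping the removed `#else` branch changes a build without LIBXML_TREE_ENABLED: DTD nodes used to be skipped there, but after the `} else` that now sits directly before `#endif` they reach `xmlStaticCopyNode(node, doc, parent, 1)`, and a NULL result is turned into a fatal error by the added `if (q == NULL) goto error;`. Whether xmlStaticCopyNode can copy a DTD node in that configuration is not visible here, so it is worth confirming, and a comment above the `#endif` such as `/* without LIBXML_TREE_ENABLED, DTD nodes go through xmlStaticCopyNode */` would spare the next reader the same question. That this is a straight revert of d39f7806 explains the shape, but the dangling `} else` ahead of a preprocessor directive is easy to misread. The rest of xmlStaticCopyNodeList lies outside the hunks.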


@ -0,0 +1,31 @@
From 577e2516d0ed3669c7e9879ba9f04214658bfd1b Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 19 Mar 2024 17:06:07 +0100
Subject: [PATCH] valid: Check for NULL node->name in xmlSnprintfElements
Unfortunately, we can have NULL element names if xmlSetTreeDoc fails.
Reference: https://github.com/GNOME/libxml2/commit/577e2516d0ed3669c7e9879ba9f04214658bfd1b
Conflict: NA
---
valid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/valid.c b/valid.c
index bfb8a77..975b706 100644
--- a/valid.c
+++ b/valid.c
@@ -5283,7 +5283,8 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) {
strcat(buf, " ...");
return;
}
- strcat(buf, (char *) cur->name);
+ if (cur->name != NULL)
+ strcat(buf, (char *) cur->name);
if (cur->next != NULL)
strcat(buf, " ");
break;
--
2.33.0
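Review bot: The new check at `if (cur->name != NULL)` carries no comment saying why an element node can lack a name; the reason lives only in the commit message. Add `/* name may be NULL if xmlSetTreeDoc failed */` above the check so it is not later removed as dead code. The size guard that precedes this strcat, and the rest of the switch in xmlSnprintfElements, are outside the hunk, so I cannot confirm from here that the guard also tolerates a NULL name.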


@ -0,0 +1,32 @@
From 3061b56a1ee395618f84fc1c2bb0cba7c5b068fe Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 15 Mar 2024 02:23:08 +0100
Subject: [PATCH] valid: Check for NULL text content in xmlValidateOneElement
Shouldn't occur in parsed documents but you can create text nodes with
NULL content through the API.
Reference: https://github.com/GNOME/libxml2/commit/3061b56a1ee395618f84fc1c2bb0cba7c5b068fe
Conflict: NA
---
valid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/valid.c b/valid.c
index 3c342c3..bfb8a77 100644
--- a/valid.c
+++ b/valid.c
@@ -6244,7 +6244,8 @@ child_ok:
*/
child = elem->children;
while (child != NULL) {
- if (child->type == XML_TEXT_NODE) {
+ if ((child->type == XML_TEXT_NODE) &&
+ (child->content != NULL)) {
const xmlChar *content = child->content;
while (IS_BLANK_CH(*content))
--
2.33.0
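Review bot: The extended condition `(child->content != NULL)` silently treats a text node with NULL content as if it were blank, and nothing at the site says why such nodes exist. Add a comment above the condition taken from the commit message, e.g. `/* content can be NULL for text nodes created through the API */`. The enclosing loop body and the rest of xmlValidateOneElement continue outside the hunk.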


@ -0,0 +1,30 @@
From 58de9d31da4d0e8cb6bcf7f5e99714f9df2c4411 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 3 Aug 2023 12:00:55 +0200
Subject: [PATCH] valid: Fix c1->parent pointer in xmlCopyDocElementContent
Fixes #572.
Reference:https://github.com/GNOME/libxml2/commit/58de9d31da4d0e8cb6bcf7f5e99714f9df2c4411
Conflict:NA
---
valid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/valid.c b/valid.c
index 479fa628..67e1b1de 100644
--- a/valid.c
+++ b/valid.c
@@ -1052,7 +1052,7 @@ xmlCopyDocElementContent(xmlDocPtr doc, xmlElementContentPtr cur) {
if (cur->c1 != NULL)
tmp->c1 = xmlCopyDocElementContent(doc,cur->c1);
if (tmp->c1 != NULL)
- tmp->c1->parent = ret;
+ tmp->c1->parent = tmp;
prev = tmp;
cur = cur->c2;
}
--
2.33.0


@ -0,0 +1,33 @@
From e62b0dbde57d58a2a475ff4f851618054ae0a63c Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 19 Dec 2023 19:47:07 +0100
Subject: [PATCH] xzlib: Fix harmless unsigned integer overflow
Reference: https://github.com/GNOME/libxml2/commit/e62b0dbde57d58a2a475ff4f851618054ae0a63c
Conflict: NA
---
xzlib.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/xzlib.c b/xzlib.c
index 1b50d757..724be7cc 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -321,8 +321,12 @@ is_format_lzma(xz_statep state)
* If someone complains, this will be reconsidered.
*/
if (dict_size != UINT32_MAX) {
- uint32_t d = dict_size - 1;
+ uint32_t d;
+ if (dict_size == 0)
+ return 0;
+
+ d = dict_size - 1;
d |= d >> 2;
d |= d >> 3;
d |= d >> 4;
--
2.33.0
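Review bot: The early return at `if (dict_size == 0) return 0;` has no comment, and the comment just above it ("If someone complains, this will be reconsidered") refers to the dictionary-size check that follows rather than to the zero case, so the intent is easy to misread. A one-liner such as `/* dict_size 0 is invalid and would wrap to UINT32_MAX in d below */` would document why the check precedes `d = dict_size - 1;`. is_format_lzma starts before the hunk and its remaining checks are outside this view.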


@ -1,7 +1,7 @@
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.14
Release: 10
Release: 11
License: MIT
Group: Development/Libraries
Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@ -186,10 +186,42 @@ Patch6165: backport-xmlValidatePopElement-can-return-invalid-value-1.patch
Patch6166: backport-Fix-use-after-free-in-xmlParseContentInternal.patch
Patch6167: backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch
Patch6168: backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch
Patch6169: backport-SAX-Always-initialize-SAX1-element-handlers.patch
Patch6170: backport-CVE-2023-45322.patch
Patch6171: backport-CVE-2024-25062.patch
Patch6168: backport-malloc-fail-Handle-malloc-failures-in-xmlAddEncoding.patch
Patch6169: backport-malloc-fail-Fix-null-deref-with-xmllint-copy.patch
Patch6170: backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch
Patch6171: backport-SAX-Always-initialize-SAX1-element-handlers.patch
Patch6172: backport-parser-Fix-potential-use-after-free-in-xmlParseCharD.patch
Patch6173: backport-malloc-fail-Fix-memory-leak-in-xmlCompileAttributeTe.patch
Patch6174: backport-SAX2-Ignore-namespaces-in-HTML-documents.patch
Patch6175: backport-valid-Fix-c1-parent-pointer-in-xmlCopyDocElementCont.patch
Patch6176: backport-malloc-fail-Fix-unsigned-integer-overflow-in-xmlText.patch
Patch6177: backport-CVE-2023-45322.patch
Patch6178: backport-dict-Fix-integer-overflow-of-string-lengths.patch
Patch6179: backport-schemas-Fix-memory-leak-of-annotations-in-notations.patch
Patch6180: backport-malloc-fail-Report-malloc-failure-in-xmlRegEpxFromPa.patch
Patch6181: backport-malloc-fail-Report-malloc-failure-in-xmlFARegExec.patch
Patch6182: backport-regexp-Fix-status-codes-and-handle-invalid-UTF-8.patch
Patch6183: backport-buf-Also-reset-input-in-error-case.patch
Patch6184: backport-hash-Fix-integer-overflow-of-nbElems.patch
Patch6185: backport-dict-Fix-integer-overflow-in-xmlDictAddString.patch
Patch6186: backport-parser-Dont-overwrite-error-state-in-xmlParseTextDecl.patch
Patch6187: backport-CVE-2024-25062.patch
Patch6188: backport-tree-Fix-regression-when-copying-DTDs.patch
Patch6189: backport-tree-Fix-583-again.patch
Patch6190: backport-html-Don-t-close-fd-in-htmlCtxtReadFd.patch
Patch6191: backport-xzlib-Fix-harmless-unsigned-integer-overflow.patch
Patch6192: backport-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML-.patch
Patch6193: backport-malloc-fail-Fix-null-deref-in-xmlXPathTranslateFunct.patch
Patch6194: backport-tree-Check-for-integer-overflow-in-xmlStringGetNodeL.patch
Patch6195: backport-tree-Don-t-allow-NULL-name-in-xmlSetNsProp.patch
Patch6196: backport-valid-Check-for-NULL-text-content-in-xmlValidateOneE.patch
Patch6197: backport-malloc-fail-Fix-use-after-free-in-xmlBufBackToBuffer.patch
Patch6198: backport-entities-Don-t-allow-null-name-in-xmlNewEntity.patch
Patch6199: backport-save-Check-for-NULL-node-name-in-xhtmlIsEmpty.patch
Patch6200: backport-valid-Check-for-NULL-node-name-in-xmlSnprintfElement.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python3-devel
@ -345,6 +377,12 @@ rm -fr %{buildroot}
%changelog
* Mon May 06 2024 zhuofeng <zhuofeng2@huawei.com> - 2.9.14-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:backport upstream patches
* Sun Feb 18 2024 BruceGW <gyl93216@163.com> - 2.9.14-10
- Type:CVE
- SUG:NA