From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- .../libxml2/files/libxml2-2.7.1-catalog_path.patch | 66 +++++ .../libxml2/files/libxml2-2.8.0_rc1-winnt.patch | 91 ++++++ .../files/libxml2-2.9.2-disable-tests.patch | 68 +++++ .../files/libxml2-2.9.2-python-ABIFLAG.patch | 16 ++ .../files/libxml2-2.9.4-CVE-2016-4658.patch | 249 ++++++++++++++++ .../files/libxml2-2.9.4-CVE-2016-5131.patch | 174 ++++++++++++ .../files/libxml2-2.9.4-CVE-2016-9318.patch | 202 +++++++++++++ .../files/libxml2-2.9.4-CVE-2017-0663.patch | 43 +++ .../files/libxml2-2.9.4-CVE-2017-5969.patch | 63 ++++ .../files/libxml2-2.9.4-CVE-2017-7375.patch | 35 +++ .../files/libxml2-2.9.4-CVE-2017-7376.patch | 31 ++ .../files/libxml2-2.9.4-CVE-2017-9047-9048.patch | 116 ++++++++ .../files/libxml2-2.9.4-CVE-2017-9049-9050.patch | 316 +++++++++++++++++++++ .../files/libxml2-2.9.4-fix-root-node-cmp.patch | 34 +++ .../files/libxml2-2.9.4-heap-buffer-overflow.patch | 32 +++ .../libxml2/files/libxml2-2.9.4-nullptrderef.patch | 50 ++++ .../files/libxml2-2.9.4-nullptrderef2.patch | 57 ++++ .../files/libxml2-2.9.4-osd-validation.patch | 66 +++++ 18 files changed, 1709 insertions(+) create mode 100644 dev-libs/libxml2/files/libxml2-2.7.1-catalog_path.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.8.0_rc1-winnt.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.2-python-ABIFLAG.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-4658.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-5131.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef2.patch create mode 100644 dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch (limited to 'dev-libs/libxml2/files') diff --git a/dev-libs/libxml2/files/libxml2-2.7.1-catalog_path.patch b/dev-libs/libxml2/files/libxml2-2.7.1-catalog_path.patch new file mode 100644 index 000000000000..3f69ec2a4d88 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.7.1-catalog_path.patch @@ -0,0 +1,66 @@ +--- a/catalog.c ++++ b/catalog.c +@@ -68,10 +68,10 @@ + #define XML_URN_PUBID "urn:publicid:" + #define XML_CATAL_BREAK ((xmlChar *) -1) + #ifndef XML_XML_DEFAULT_CATALOG +-#define XML_XML_DEFAULT_CATALOG "file:///etc/xml/catalog" ++#define XML_XML_DEFAULT_CATALOG "file://@GENTOO_PORTAGE_EPREFIX@/etc/xml/catalog" + #endif + #ifndef XML_SGML_DEFAULT_CATALOG +-#define XML_SGML_DEFAULT_CATALOG "file:///etc/sgml/catalog" ++#define XML_SGML_DEFAULT_CATALOG "file://@GENTOO_PORTAGE_EPREFIX@/etc/sgml/catalog" + #endif + + #if defined(_WIN32) && defined(_MSC_VER) +@@ -76,7 +76,7 @@ + + #if defined(_WIN32) && defined(_MSC_VER) + #undef XML_XML_DEFAULT_CATALOG +-static char XML_XML_DEFAULT_CATALOG[256] = "file:///etc/xml/catalog"; ++static char XML_XML_DEFAULT_CATALOG[256] = "file://@GENTOO_PORTAGE_EPREFIX@/etc/xml/catalog"; + #if defined(_WIN32_WCE) + /* Windows CE don't have a A variant */ + #define GetModuleHandleA GetModuleHandle +--- a/xmlcatalog.c ++++ b/xmlcatalog.c +@@ -43,7 +43,7 @@ + + + #ifndef XML_SGML_DEFAULT_CATALOG +-#define XML_SGML_DEFAULT_CATALOG "/etc/sgml/catalog" ++#define XML_SGML_DEFAULT_CATALOG "@GENTOO_PORTAGE_EPREFIX@/etc/sgml/catalog" + #endif + + /************************************************************************ +--- a/runtest.c ++++ b/runtest.c +@@ -2747,7 +2747,7 @@ + */ + static int + uripMatch(const char * URI) { +- if ((URI == NULL) || (!strcmp(URI, "file:///etc/xml/catalog"))) ++ if ((URI == NULL) || (!strcmp(URI, "file://@GENTOO_PORTAGE_EPREFIX@/etc/xml/catalog"))) + return(0); + /* Verify we received the escaped URL */ + if (strcmp(urip_rcvsURLs[urip_current], URI)) +@@ -2766,7 +2766,7 @@ + */ + static void * + uripOpen(const char * URI) { +- if ((URI == NULL) || (!strcmp(URI, "file:///etc/xml/catalog"))) ++ if ((URI == NULL) || (!strcmp(URI, "file://@GENTOO_PORTAGE_EPREFIX@/etc/xml/catalog"))) + return(NULL); + /* Verify we received the escaped URL */ + if (strcmp(urip_rcvsURLs[urip_current], URI)) +--- a/xmllint.c ++++ b/xmllint.c +@@ -103,7 +103,7 @@ + #endif + + #ifndef XML_XML_DEFAULT_CATALOG +-#define XML_XML_DEFAULT_CATALOG "file:///etc/xml/catalog" ++#define XML_XML_DEFAULT_CATALOG "file://@GENTOO_PORTAGE_EPREFIX@/etc/xml/catalog" + #endif + + typedef enum { diff --git a/dev-libs/libxml2/files/libxml2-2.8.0_rc1-winnt.patch b/dev-libs/libxml2/files/libxml2-2.8.0_rc1-winnt.patch new file mode 100644 index 000000000000..cce3ecb058ae --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.8.0_rc1-winnt.patch @@ -0,0 +1,91 @@ +From 168e20836fe9614dd2dd4b42006c17a783f11c48 Mon Sep 17 00:00:00 2001 +From: Markus Duft +Date: Thu, 20 Nov 2008 11:04:33 -0500 +Subject: [PATCH] Fix for ~x86-winnt + +[Alexandre Rostovtsev : port to 2.8.0-rc1] +--- + dict.c | 2 +- + include/wsockcompat.h | 2 +- + nanohttp.c | 2 +- + xmlIO.c | 4 ++++ + 4 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/dict.c b/dict.c +index 3579f64..71e7bc6 100644 +--- a/dict.c ++++ b/dict.c +@@ -47,7 +47,7 @@ + #else + #ifdef HAVE_INTTYPES_H + #include +-#elif defined(WIN32) ++#elif defined(WIN32) || defined (__PARITY__) + typedef unsigned __int32 uint32_t; + #endif + #endif +diff --git a/include/wsockcompat.h b/include/wsockcompat.h +index c762a64..1ed822b 100644 +--- a/include/wsockcompat.h ++++ b/include/wsockcompat.h +@@ -27,7 +27,7 @@ + #endif + #endif + +-#if defined( __MINGW32__ ) || defined( _MSC_VER ) ++#if defined( __MINGW32__ ) || defined( _MSC_VER ) || defined(__PARITY__) + /* Include here to ensure that it doesn't get included later + * (e.g. by iconv.h) and overwrites the definition of EWOULDBLOCK. */ + #include +diff --git a/nanohttp.c b/nanohttp.c +index 2437fed..dbe97a7 100644 +--- a/nanohttp.c ++++ b/nanohttp.c +@@ -74,7 +74,7 @@ + #define XML_SOCKLEN_T unsigned int + #endif + +-#if defined(__MINGW32__) || defined(_WIN32_WCE) ++#if defined(__MINGW32__) || defined(_WIN32_WCE) || defined(__PARITY__) + #ifndef _WINSOCKAPI_ + #define _WINSOCKAPI_ + #endif +diff --git a/xmlIO.c b/xmlIO.c +index 73a995d..99562f6 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -47,6 +47,7 @@ + #include /* for CP_UTF8 */ + #endif + ++#ifndef __PARITY__ + /* Figure a portable way to know if a file is a directory. */ + #ifndef HAVE_STAT + # ifdef HAVE__STAT +@@ -82,6 +83,7 @@ + # endif + # endif + #endif ++#endif /* __PARITY__ */ + + #include + #include +@@ -657,6 +659,7 @@ xmlWrapStatUtf8(const char *path,struct stat *info) + { + #ifdef HAVE_STAT + int retval = -1; ++#ifndef __PARITY__ + wchar_t *wPath; + + wPath = __xmlIOWin32UTF8ToWChar(path); +@@ -665,6 +668,7 @@ xmlWrapStatUtf8(const char *path,struct stat *info) + retval = _wstat(wPath,info); + xmlFree(wPath); + } ++#endif + /* maybe path in native encoding */ + if(retval < 0) + retval = stat(path,info); +-- +1.7.8.6 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch b/dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch new file mode 100644 index 000000000000..a231269b4b8a --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch @@ -0,0 +1,68 @@ +do not build test programs as we don't install them + +--- a/Makefile.am ++++ b/Makefile.am +@@ -10,7 +10,7 @@ + + AM_CFLAGS = $(THREAD_CFLAGS) $(Z_CFLAGS) $(LZMA_CFLAGS) + +-noinst_PROGRAMS=testSchemas testRelax testSAX testHTML testXPath testURI \ ++check_PROGRAMS=testSchemas testRelax testSAX testHTML testXPath testURI \ + testThreads testC14N testAutomata testRegexp \ + testReader testapi testModule runtest runsuite testchar \ + testdict runxmlconf testrecurse testlimits +@@ -170,7 +170,7 @@ + testModule_DEPENDENCIES = $(DEPS) + testModule_LDADD= $(LDADDS) + +-noinst_LTLIBRARIES = testdso.la ++check_LTLIBRARIES = testdso.la + testdso_la_SOURCES = testdso.c + testdso_la_LDFLAGS = -module -no-undefined -avoid-version -rpath $(libdir) + +@@ -202,7 +202,7 @@ runxmlconf_LDADD= $(LDADDS) + #testOOM_DEPENDENCIES = $(DEPS) + #testOOM_LDADD= $(LDADDS) + +-runtests: ++runtests: $(check_PROGRAMS) + [ -d test ] || $(LN_S) $(srcdir)/test . + [ -d result ] || $(LN_S) $(srcdir)/result . + $(CHECKER) ./runtest$(EXEEXT) && $(CHECKER) ./testrecurse$(EXEEXT) &&$(CHECKER) ./testapi$(EXEEXT) && $(CHECKER) ./testchar$(EXEEXT)&& $(CHECKER) ./testdict$(EXEEXT) && $(CHECKER) ./runxmlconf$(EXEEXT) +--- a/doc/examples/Makefile.am ++++ b/doc/examples/Makefile.am +@@ -13,7 +13,7 @@ + rebuild: examples.xml index.html + .PHONY: rebuild + +-examples.xml: index.py $(noinst_PROGRAMS:=.c) ++examples.xml: index.py $(check_PROGRAMS:=.c) + cd $(srcdir) && $(PYTHON) index.py + $(MAKE) Makefile + +@@ -49,7 +49,7 @@ + xpath1.res \ + xpath2.res + +-noinst_PROGRAMS = \ ++check_PROGRAMS = \ + io1 \ + io2 \ + parse1 \ +@@ -99,7 +99,7 @@ + valgrind: + $(MAKE) CHECKER='valgrind' tests + +-tests: $(noinst_PROGRAMS) ++tests: $(check_PROGRAMS) + test -f Makefile.am || test -f test1.xml || $(LN_S) $(srcdir)/test?.xml . + @(echo '## examples regression tests') + @(echo > .memdump) +--- a/example/Makefile.am ++++ b/example/Makefile.am +@@ -1,4 +1,4 @@ +-noinst_PROGRAMS = gjobread ++check_PROGRAMS = gjobread + + AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(srcdir)/include + AM_CFLAGS = $(THREAD_CFLAGS) $(Z_CFLAGS) diff --git a/dev-libs/libxml2/files/libxml2-2.9.2-python-ABIFLAG.patch b/dev-libs/libxml2/files/libxml2-2.9.2-python-ABIFLAG.patch new file mode 100644 index 000000000000..14dd5bc7342e --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.2-python-ABIFLAG.patch @@ -0,0 +1,16 @@ + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 14ac0a8..f787b12 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -844,7 +844,7 @@ if test "$with_python" != "no" ; then + fi + if test "$PYTHON" != "" + then +- PYTHON_VERSION=`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_python_version())"` ++ PYTHON_VERSION=`$PYTHON -c "import sysconfig; print(sysconfig.get_config_var('LDVERSION') or sysconfig.get_config_var('py_version_short'))"` + PYTHON_INCLUDES=`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_python_inc())"` + # does not work as it produce a /usr/lib/python path instead of/usr/lib64/python + # diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-4658.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-4658.patch new file mode 100644 index 000000000000..2ef22ce7a0d1 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-4658.patch @@ -0,0 +1,249 @@ +From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 18:34:52 +0200 +Subject: Disallow namespace nodes in XPointer ranges + +Namespace nodes must be copied to avoid use-after-free errors. +But they don't necessarily have a physical representation in a +document, so simply disallow them in XPointer ranges. + +Found with afl-fuzz. + +Fixes CVE-2016-4658. +--- + xpointer.c | 149 +++++++++++++++++++++++-------------------------------------- + 1 file changed, 56 insertions(+), 93 deletions(-) + +diff --git a/xpointer.c b/xpointer.c +index a7b03fb..694d120 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) { + } + + /** ++ * xmlXPtrNewRangeInternal: ++ * @start: the starting node ++ * @startindex: the start index ++ * @end: the ending point ++ * @endindex: the ending index ++ * ++ * Internal function to create a new xmlXPathObjectPtr of type range ++ * ++ * Returns the newly created object. ++ */ ++static xmlXPathObjectPtr ++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, ++ xmlNodePtr end, int endindex) { ++ xmlXPathObjectPtr ret; ++ ++ /* ++ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). ++ * Disallow them for now. ++ */ ++ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ ++ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); ++ if (ret == NULL) { ++ xmlXPtrErrMemory("allocating range"); ++ return(NULL); ++ } ++ memset(ret, 0, sizeof(xmlXPathObject)); ++ ret->type = XPATH_RANGE; ++ ret->user = start; ++ ret->index = startindex; ++ ret->user2 = end; ++ ret->index2 = endindex; ++ return(ret); ++} ++ ++/** + * xmlXPtrNewRange: + * @start: the starting node + * @startindex: the start index +@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex, + if (endindex < 0) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = startindex; +- ret->user2 = end; +- ret->index2 = endindex; ++ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, ++ end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) { + if (start->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) { + if (end == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + if (start == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = NULL; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); + return(ret); + } + +@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + */ + xmlXPathObjectPtr + xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { ++ xmlNodePtr endNode; ++ int endIndex; + xmlXPathObjectPtr ret; + + if (start == NULL) +@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + return(NULL); + switch (end->type) { + case XPATH_POINT: ++ endNode = end->user; ++ endIndex = end->index; ++ break; + case XPATH_RANGE: ++ endNode = end->user2; ++ endIndex = end->index2; + break; + case XPATH_NODESET: + /* +@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + */ + if (end->nodesetval->nodeNr <= 0) + return(NULL); ++ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; ++ endIndex = -1; + break; + default: + /* TODO */ + return(NULL); + } + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- switch (end->type) { +- case XPATH_POINT: +- ret->user2 = end->user; +- ret->index2 = end->index; +- break; +- case XPATH_RANGE: +- ret->user2 = end->user2; +- ret->index2 = end->index2; +- break; +- case XPATH_NODESET: { +- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; +- ret->index2 = -1; +- break; +- } +- default: +- STRANGE +- return(NULL); +- } ++ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +-- +cgit v0.12 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-5131.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-5131.patch new file mode 100644 index 000000000000..9ce3fb9d8717 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-5131.patch @@ -0,0 +1,174 @@ +From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 14:22:23 +0200 +Subject: Fix XPointer paths beginning with range-to + +The old code would invoke the broken xmlXPtrRangeToFunction. range-to +isn't really a function but a special kind of location step. Remove +this function and always handle range-to in the XPath code. + +The old xmlXPtrRangeToFunction could also be abused to trigger a +use-after-free error with the potential for remote code execution. + +Found with afl-fuzz. + +Fixes CVE-2016-5131. +--- + result/XPath/xptr/vidbase | 13 ++++++++ + test/XPath/xptr/vidbase | 1 + + xpath.c | 7 ++++- + xpointer.c | 76 ++++------------------------------------------- + 4 files changed, 26 insertions(+), 71 deletions(-) + +diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase +index 8b9e92d..f19193e 100644 +--- a/result/XPath/xptr/vidbase ++++ b/result/XPath/xptr/vidbase +@@ -17,3 +17,16 @@ Object is a Location Set: + To node + ELEMENT p + ++ ++======================== ++Expression: xpointer(range-to(id('chapter2'))) ++Object is a Location Set: ++1 : Object is a range : ++ From node ++ / ++ To node ++ ELEMENT chapter ++ ATTRIBUTE id ++ TEXT ++ content=chapter2 ++ +diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase +index b146383..884b106 100644 +--- a/test/XPath/xptr/vidbase ++++ b/test/XPath/xptr/vidbase +@@ -1,2 +1,3 @@ + xpointer(id('chapter1')/p) + xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2])) ++xpointer(range-to(id('chapter2'))) +diff --git a/xpath.c b/xpath.c +index d992841..5a01b1b 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) { + lc = 1; + break; + } else if ((NXT(len) == '(')) { +- /* Note Type or Function */ ++ /* Node Type or Function */ + if (xmlXPathIsNodeType(name)) { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, + "PathExpr: Type search\n"); + #endif + lc = 1; ++#ifdef LIBXML_XPTR_ENABLED ++ } else if (ctxt->xptr && ++ xmlStrEqual(name, BAD_CAST "range-to")) { ++ lc = 1; ++#endif + } else { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, +diff --git a/xpointer.c b/xpointer.c +index 676c510..d74174a 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) { + ret->here = here; + ret->origin = origin; + +- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", +- xmlXPtrRangeToFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range", + xmlXPtrRangeFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", +@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * @nargs: the number of args + * + * Implement the range-to() XPointer function ++ * ++ * Obsolete. range-to is not a real function but a special type of location ++ * step which is handled in xpath.c. + */ + void +-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { +- xmlXPathObjectPtr range; +- const xmlChar *cur; +- xmlXPathObjectPtr res, obj; +- xmlXPathObjectPtr tmp; +- xmlLocationSetPtr newset = NULL; +- xmlNodeSetPtr oldset; +- int i; +- +- if (ctxt == NULL) return; +- CHECK_ARITY(1); +- /* +- * Save the expression pointer since we will have to evaluate +- * it multiple times. Initialize the new set. +- */ +- CHECK_TYPE(XPATH_NODESET); +- obj = valuePop(ctxt); +- oldset = obj->nodesetval; +- ctxt->context->node = NULL; +- +- cur = ctxt->cur; +- newset = xmlXPtrLocationSetCreate(NULL); +- +- for (i = 0; i < oldset->nodeNr; i++) { +- ctxt->cur = cur; +- +- /* +- * Run the evaluation with a node list made of a single item +- * in the nodeset. +- */ +- ctxt->context->node = oldset->nodeTab[i]; +- tmp = xmlXPathNewNodeSet(ctxt->context->node); +- valuePush(ctxt, tmp); +- +- xmlXPathEvalExpr(ctxt); +- CHECK_ERROR; +- +- /* +- * The result of the evaluation need to be tested to +- * decided whether the filter succeeded or not +- */ +- res = valuePop(ctxt); +- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); +- if (range != NULL) { +- xmlXPtrLocationSetAdd(newset, range); +- } +- +- /* +- * Cleanup +- */ +- if (res != NULL) +- xmlXPathFreeObject(res); +- if (ctxt->value == tmp) { +- res = valuePop(ctxt); +- xmlXPathFreeObject(res); +- } +- +- ctxt->context->node = NULL; +- } +- +- /* +- * The result is used as the new evaluation set. +- */ +- xmlXPathFreeObject(obj); +- ctxt->context->node = NULL; +- ctxt->context->contextSize = -1; +- ctxt->context->proximityPosition = -1; +- valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); ++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, ++ int nargs ATTRIBUTE_UNUSED) { ++ XP_ERROR(XPATH_EXPR_ERROR); + } + + /** +-- +cgit v0.12 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch new file mode 100644 index 000000000000..5d1adb014a0e --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2016-9318.patch @@ -0,0 +1,202 @@ +From 292be65a52ab9e0eb3a53b4e0be5a57bc6de59d3 Mon Sep 17 00:00:00 2001 +From: Doran Moppert +Date: Fri, 7 Apr 2017 16:45:56 +0200 +Subject: [PATCH 6/7] Add an XML_PARSE_NOXXE flag to block all entities loading + even local + +For https://bugzilla.gnome.org/show_bug.cgi?id=772726 + +* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE +* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine +* include/libxml/xmlerror.h: new error raised +* xmllint.c: adds --noxxe flag to activate the option +--- + elfgcchack.h | 10 ++++++++++ + include/libxml/parser.h | 3 ++- + include/libxml/xmlIO.h | 8 ++++++++ + include/libxml/xmlerror.h | 1 + + parser.c | 4 ++++ + xmlIO.c | 40 +++++++++++++++++++++++++++++++++++----- + xmllint.c | 5 +++++ + 7 files changed, 65 insertions(+), 6 deletions(-) + +diff --git a/elfgcchack.h b/elfgcchack.h +index 8c52884a..1b81dcde 100644 +--- a/elfgcchack.h ++++ b/elfgcchack.h +@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int + #endif + #endif + ++#ifdef bottom_xmlIO ++#undef xmlNoXxeExternalEntityLoader ++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias"))); ++#else ++#ifndef xmlNoXxeExternalEntityLoader ++extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden"))); ++#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias ++#endif ++#endif ++ + #ifdef bottom_tree + #undef xmlNodeAddContent + extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias"))); +diff --git a/include/libxml/parser.h b/include/libxml/parser.h +index 47fbec03..63ca1b97 100644 +--- a/include/libxml/parser.h ++++ b/include/libxml/parser.h +@@ -1111,7 +1111,8 @@ typedef enum { + XML_PARSE_HUGE = 1<<19,/* relax any hardcoded limit from the parser */ + XML_PARSE_OLDSAX = 1<<20,/* parse using SAX2 interface before 2.7.0 */ + XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */ +- XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */ ++ XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */ ++ XML_PARSE_NOXXE = 1<<23 /* Forbid any external entity loading */ + } xmlParserOption; + + XMLPUBFUN void XMLCALL +diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h +index 3e41744d..8d3fdef5 100644 +--- a/include/libxml/xmlIO.h ++++ b/include/libxml/xmlIO.h +@@ -299,6 +299,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL + const char *ID, + xmlParserCtxtPtr ctxt); + ++/* ++ * A predefined entity loader external entity expansion ++ */ ++XMLPUBFUN xmlParserInputPtr XMLCALL ++ xmlNoXxeExternalEntityLoader (const char *URL, ++ const char *ID, ++ xmlParserCtxtPtr ctxt); ++ + /* + * xmlNormalizeWindowsPath is obsolete, don't use it. + * Check xmlCanonicPath in uri.h for a better alternative. +diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h +index 037c16d5..3036062d 100644 +--- a/include/libxml/xmlerror.h ++++ b/include/libxml/xmlerror.h +@@ -470,6 +470,7 @@ typedef enum { + XML_IO_EADDRINUSE, /* 1554 */ + XML_IO_EALREADY, /* 1555 */ + XML_IO_EAFNOSUPPORT, /* 1556 */ ++ XML_IO_ILLEGAL_XXE, /* 1557 */ + XML_XINCLUDE_RECURSION=1600, + XML_XINCLUDE_PARSE_VALUE, /* 1601 */ + XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */ +diff --git a/parser.c b/parser.c +index b832406a..8e11c127 100644 +--- a/parser.c ++++ b/parser.c +@@ -15352,6 +15352,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi + ctxt->options |= XML_PARSE_NONET; + options -= XML_PARSE_NONET; + } ++ if (options & XML_PARSE_NOXXE) { ++ ctxt->options |= XML_PARSE_NOXXE; ++ options -= XML_PARSE_NOXXE; ++ } + if (options & XML_PARSE_COMPACT) { + ctxt->options |= XML_PARSE_COMPACT; + options -= XML_PARSE_COMPACT; +diff --git a/xmlIO.c b/xmlIO.c +index 6e61f45a..34881461 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -212,6 +212,7 @@ static const char *IOerr[] = { + "adddress in use", /* EADDRINUSE */ + "already in use", /* EALREADY */ + "unknown address familly", /* EAFNOSUPPORT */ ++ "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */ + }; + + #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__) +@@ -4057,13 +4058,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID, + xmlGenericError(xmlGenericErrorContext, + "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL); + #endif +- if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) { ++ if (ctxt != NULL) { + int options = ctxt->options; + +- ctxt->options -= XML_PARSE_NONET; +- ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); +- ctxt->options = options; +- return(ret); ++ if (options & XML_PARSE_NOXXE) { ++ ctxt->options -= XML_PARSE_NOXXE; ++ ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt); ++ ctxt->options = options; ++ return(ret); ++ } ++ ++ if (options & XML_PARSE_NONET) { ++ ctxt->options -= XML_PARSE_NONET; ++ ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt); ++ ctxt->options = options; ++ return(ret); ++ } + } + #ifdef LIBXML_CATALOG_ENABLED + resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); +@@ -4164,6 +4174,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, + xmlParserInputPtr input = NULL; + xmlChar *resource = NULL; + ++ if (ctxt == NULL) { ++ return(NULL); ++ } ++ if (ctxt->input_id == 1) { ++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); ++ } ++ + #ifdef LIBXML_CATALOG_ENABLED + resource = xmlResolveResourceFromCatalog(URL, ID, ctxt); + #endif +@@ -4186,5 +4203,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID, + return(input); + } + ++xmlParserInputPtr ++xmlNoXxeExternalEntityLoader(const char *URL, const char *ID, ++ xmlParserCtxtPtr ctxt) { ++ if (ctxt == NULL) { ++ return(NULL); ++ } ++ if (ctxt->input_id == 1) { ++ return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt); ++ } ++ xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL); ++ return(NULL); ++} ++ + #define bottom_xmlIO + #include "elfgcchack.h" +diff --git a/xmllint.c b/xmllint.c +index f8eb7ec4..8f304cda 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -3019,6 +3019,7 @@ static void usage(const char *name) { + printf("\t--path 'paths': provide a set of paths for resources\n"); + printf("\t--load-trace : print trace of all external entities loaded\n"); + printf("\t--nonet : refuse to fetch DTDs or entities over network\n"); ++ printf("\t--noxxe : forbid any external entity loading\n"); + printf("\t--nocompact : do not generate compact text nodes\n"); + printf("\t--htmlout : output results as HTML\n"); + printf("\t--nowrap : do not put HTML doc wrapper\n"); +@@ -3461,6 +3462,10 @@ main(int argc, char **argv) { + (!strcmp(argv[i], "--nonet"))) { + options |= XML_PARSE_NONET; + xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader); ++ } else if ((!strcmp(argv[i], "-noxxe")) || ++ (!strcmp(argv[i], "--noxxe"))) { ++ options |= XML_PARSE_NOXXE; ++ xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader); + } else if ((!strcmp(argv[i], "-nocompact")) || + (!strcmp(argv[i], "--nocompact"))) { + options &= ~XML_PARSE_COMPACT; +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch new file mode 100644 index 000000000000..517e178a533e --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch @@ -0,0 +1,43 @@ +From d815758b6a8c9dee8155268e49b5ef3b80135a14 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 6 Jun 2017 12:56:28 +0200 +Subject: [PATCH 1/3] Fix type confusion in xmlValidateOneNamespace + +Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on +namespace declarations make no practical sense anyway. + +Fixes bug 780228. + +Found with libFuzzer and ASan. +--- + valid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/valid.c b/valid.c +index 8075d3a0..c51ea290 100644 +--- a/valid.c ++++ b/valid.c +@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { + } + } + ++ /* ++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions ++ * xmlAddID and xmlAddRef for namespace declarations, but it makes ++ * no practical sense to use ID types anyway. ++ */ ++#if 0 + /* Validity Constraint: ID uniqueness */ + if (attrDecl->atype == XML_ATTRIBUTE_ID) { + if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) +@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { + if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) + ret = 0; + } ++#endif + + /* Validity Constraint: Notation Attributes */ + if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) { +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch new file mode 100644 index 000000000000..4d1362f2f934 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-5969.patch @@ -0,0 +1,63 @@ +From 8952ce48a5fa1d3de1f087f10e8b6e47bb59f4e3 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Wed, 7 Jun 2017 16:47:36 +0200 +Subject: [PATCH 1/7] Fix NULL pointer deref in xmlDumpElementContent + +Can only be triggered in recovery mode. + +Fixes bug 758422 (CVE-2017-5969). +--- + valid.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/valid.c b/valid.c +index 19f84b82..0a8e58ab 100644 +--- a/valid.c ++++ b/valid.c +@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) + xmlBufferWriteCHAR(buf, content->name); + break; + case XML_ELEMENT_CONTENT_SEQ: +- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || +- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) ++ if ((content->c1 != NULL) && ++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || ++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) + xmlDumpElementContent(buf, content->c1, 1); + else + xmlDumpElementContent(buf, content->c1, 0); + xmlBufferWriteChar(buf, " , "); +- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || +- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && +- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) ++ if ((content->c2 != NULL) && ++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) || ++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && ++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) + xmlDumpElementContent(buf, content->c2, 1); + else + xmlDumpElementContent(buf, content->c2, 0); + break; + case XML_ELEMENT_CONTENT_OR: +- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || +- (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) ++ if ((content->c1 != NULL) && ++ ((content->c1->type == XML_ELEMENT_CONTENT_OR) || ++ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) + xmlDumpElementContent(buf, content->c1, 1); + else + xmlDumpElementContent(buf, content->c1, 0); + xmlBufferWriteChar(buf, " | "); +- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || +- ((content->c2->type == XML_ELEMENT_CONTENT_OR) && +- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) ++ if ((content->c2 != NULL) && ++ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || ++ ((content->c2->type == XML_ELEMENT_CONTENT_OR) && ++ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) + xmlDumpElementContent(buf, content->c2, 1); + else + xmlDumpElementContent(buf, content->c2, 0); +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch new file mode 100644 index 000000000000..db9d597ad73e --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7375.patch @@ -0,0 +1,35 @@ +From 9ea49a06b9421b6a3a9c243fb1ec23b19bd6b049 Mon Sep 17 00:00:00 2001 +From: Neel Mehta +Date: Fri, 7 Apr 2017 17:43:02 +0200 +Subject: [PATCH 7/7] Prevent unwanted external entity reference + +For https://bugzilla.gnome.org/show_bug.cgi?id=780691 + +* parser.c: add a specific check to avoid PE reference +--- + parser.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/parser.c b/parser.c +index 8e11c127..e8e962bb 100644 +--- a/parser.c ++++ b/parser.c +@@ -8125,6 +8125,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + if (xmlPushInput(ctxt, input) < 0) + return; + } else { ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && ++ (ctxt->replaceEntities == 0) && ++ (ctxt->validate == 0)) ++ return; ++ + /* + * TODO !!! + * handle the extra spaces added before and after +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch new file mode 100644 index 000000000000..14ec773608b6 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch @@ -0,0 +1,31 @@ +From 43cd3b6222bda2332e963eb1c9ead78f29912b0a Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 7 Apr 2017 17:13:28 +0200 +Subject: [PATCH 2/3] Increase buffer space for port in HTTP redirect support + +For https://bugzilla.gnome.org/show_bug.cgi?id=780690 + +nanohttp.c: the code wrongly assumed a short int port value. +--- + nanohttp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nanohttp.c b/nanohttp.c +index 26e4290e..9c17530e 100644 +--- a/nanohttp.c ++++ b/nanohttp.c +@@ -1423,9 +1423,9 @@ retry: + if (ctxt->port != 80) { + /* reserve space for ':xxxxx', incl. potential proxy */ + if (proxy) +- blen += 12; ++ blen += 17; + else +- blen += 6; ++ blen += 11; + } + bp = (char*)xmlMallocAtomic(blen); + if ( bp == NULL ) { +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch new file mode 100644 index 000000000000..f7c48cd877d7 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9047-9048.patch @@ -0,0 +1,116 @@ +From 839b89e678b5265a0e6b0477410e64fac669d578 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH 4/7] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel Böhme and Thuan Pham for the report. +--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 00000000..45dc451d +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++ ++ ++]> ++ +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 00000000..b401b49a +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++ ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr +new file mode 100644 +index 00000000..5ff56992 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++ ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml b/test/valid/781333.xml +new file mode 100644 +index 00000000..b29e5a68 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++ ++]> ++ +diff --git a/valid.c b/valid.c +index 0a8e58ab..8075d3a0 100644 +--- a/valid.c ++++ b/valid.c +@@ -1266,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen = xmlStrlen(content->name); ++ ++ if (content->prefix != NULL) ++ qnameLen += xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix != NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name != NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || + (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) +@@ -1323,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <= 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch new file mode 100644 index 000000000000..abf43ef9815d --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-9049-9050.patch @@ -0,0 +1,316 @@ +From 9c95d1b7f3951efe09df66ec41d7b19d6283084d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH 3/7] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +========================= + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. + +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone +involved. + +xmlParseNameComplex with XML_PARSE_OLD10 +======================================== + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel Böhme and Thuan Pham for the report. + +Additional hardening +==================== + +A separate check was added in xmlParseNameComplex to validate the +buffer size. +--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 14 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +diff --git a/Makefile.am b/Makefile.am +index 3b52bae7..bf20124e 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=`basename $$i`; \ +diff --git a/parser.c b/parser.c +index 53a6b7f0..b832406a 100644 +--- a/parser.c ++++ b/parser.c +@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ctxt->input->line++; ctxt->input->col = 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur += l; \ +- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ + } while (0) + + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + len += l; + NEXTL(l); + c = CUR_CHAR(l); +- if (c == 0) { +- count = 0; +- GROW; +- if (ctxt->instate == XML_PARSER_EOF) +- return(NULL); +- c = CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an invalid ++ * pointer to xmlDictLookup. ++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err +new file mode 100644 +index 00000000..da15c3f7 +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a; ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 ++ ++^ +diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err +new file mode 100644 +index 00000000..655f41a2 +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ ++^ ++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found ++ ++^ +diff --git a/result/valid/766956.xml b/result/valid/766956.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err +new file mode 100644 +index 00000000..34b1dae6 +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ +diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr +new file mode 100644 +index 00000000..77603462 +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ ++./test/valid/766956.xml : failed to parse +diff --git a/runtest.c b/runtest.c +index 7d030bdc..cd233da9 100644 +--- a/runtest.c ++++ b/runtest.c +@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = { + { "Error cases regression tests", + errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", + 0 }, ++ { "Error cases regression tests (old 1.0)", ++ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", ++ XML_PARSE_OLD10 }, + #ifdef LIBXML_READER_ENABLED + { "Error cases stream regression tests", + streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", +diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml +new file mode 100644 +index 00000000..d9e9e839 +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++ ++ %a; +diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml +new file mode 100644 +index 00000000..67476bcb +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++ ++ %elem; +diff --git a/test/valid/766956.xml b/test/valid/766956.xml +new file mode 100644 +index 00000000..19a95a0e +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++ ++ +diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd +new file mode 100644 +index 00000000..dddde68b +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++ ++%ä%ent; +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch b/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch new file mode 100644 index 000000000000..224d60ff052f --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch @@ -0,0 +1,34 @@ +From a1fb9a4f511d89f0738b62cabd6d92bfd9eb94a9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 14:19:58 +0200 +Subject: [PATCH 3/3] Fix comparison with root node in xmlXPathCmpNodes + +This change has already been made in xmlXPathCmpNodesExt but not in +xmlXPathCmpNodes. +--- + xpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 67afbca5..5a01b1b3 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) { + * compute depth to root + */ + for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { +- if (cur == node1) ++ if (cur->parent == node1) + return(1); + depth2++; + } + root = cur; + for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { +- if (cur == node2) ++ if (cur->parent == node2) + return(-1); + depth1++; + } +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch new file mode 100644 index 000000000000..770a1832b190 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-heap-buffer-overflow.patch @@ -0,0 +1,32 @@ +From df4f9bdc7a37908ded8bd1fec4f75509eaa156de Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Tue, 4 Jul 2017 18:38:03 +0200 +Subject: [PATCH 5/7] Heap-buffer-overflow read of size 1 in + xmlFAParsePosCharGroup + +Credit to OSS-Fuzz. + +Add a check to xmlFAParseCharRange() for the end of the buffer +to prevent reading past the end of it. + +This fixes Bug 784017. +--- + xmlregexp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index ca3b4f46..6676c2a8 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -5051,7 +5051,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { + return; + } + len = 1; +- } else if ((cur != 0x5B) && (cur != 0x5D)) { ++ } else if ((cur != '\0') && (cur != 0x5B) && (cur != 0x5D)) { + end = CUR_SCHAR(ctxt->cur, len); + } else { + ERROR("Expecting the end of a char range"); +-- +2.14.1 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch b/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch new file mode 100644 index 000000000000..d2a9c3e2add5 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef.patch @@ -0,0 +1,50 @@ +From e905f08123e4a6e7731549e6f09dadff4cab65bd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 26 Jun 2016 12:38:28 +0200 +Subject: Fix more NULL pointer derefs in xpointer.c + +Found with afl-fuzz. +--- + xpointer.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/xpointer.c b/xpointer.c +index 694d120..e643ee9 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -542,7 +542,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + /* + * Empty set ... + */ +- if (end->nodesetval->nodeNr <= 0) ++ if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0)) + return(NULL); + endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; + endIndex = -1; +@@ -1361,7 +1361,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) { + */ + xmlNodeSetPtr set; + set = tmp->nodesetval; +- if ((set->nodeNr != 1) || ++ if ((set == NULL) || (set->nodeNr != 1) || + (set->nodeTab[0] != (xmlNodePtr) ctx->doc)) + stack++; + } else +@@ -2034,9 +2034,11 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + xmlXPathFreeObject(set); + XP_ERROR(XPATH_MEMORY_ERROR); + } +- for (i = 0;i < oldset->locNr;i++) { +- xmlXPtrLocationSetAdd(newset, +- xmlXPtrCoveringRange(ctxt, oldset->locTab[i])); ++ if (oldset != NULL) { ++ for (i = 0;i < oldset->locNr;i++) { ++ xmlXPtrLocationSetAdd(newset, ++ xmlXPtrCoveringRange(ctxt, oldset->locTab[i])); ++ } + } + + /* +-- +cgit v0.12 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef2.patch b/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef2.patch new file mode 100644 index 000000000000..2484f76e7b0b --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-nullptrderef2.patch @@ -0,0 +1,57 @@ +From d8083bf77955b7879c1290f0c0a24ab8cc70f7fb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 25 Jun 2016 12:35:50 +0200 +Subject: Fix NULL pointer deref in XPointer range-to + +- Check for errors after evaluating first operand. +- Add sanity check for empty stack. + +Found with afl-fuzz. +--- + result/XPath/xptr/viderror | 4 ++++ + test/XPath/xptr/viderror | 1 + + xpath.c | 7 ++++++- + 3 files changed, 11 insertions(+), 1 deletion(-) + create mode 100644 result/XPath/xptr/viderror + create mode 100644 test/XPath/xptr/viderror + +diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror +new file mode 100644 +index 0000000..d589882 +--- /dev/null ++++ b/result/XPath/xptr/viderror +@@ -0,0 +1,4 @@ ++ ++======================== ++Expression: xpointer(non-existing-fn()/range-to(id('chapter2'))) ++Object is empty (NULL) +diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror +new file mode 100644 +index 0000000..da8c53b +--- /dev/null ++++ b/test/XPath/xptr/viderror +@@ -0,0 +1 @@ ++xpointer(non-existing-fn()/range-to(id('chapter2'))) +diff --git a/xpath.c b/xpath.c +index 113bce6..751665b 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlNodeSetPtr oldset; + int i, j; + +- if (op->ch1 != -1) ++ if (op->ch1 != -1) { + total += + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); ++ CHECK_ERROR0; ++ } ++ if (ctxt->value == NULL) { ++ XP_ERROR0(XPATH_INVALID_OPERAND); ++ } + if (op->ch2 == -1) + return (total); + +-- +cgit v0.12 + diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch new file mode 100644 index 000000000000..9d1a03346f67 --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.4-osd-validation.patch @@ -0,0 +1,66 @@ +From 8bc6baccc7da291c2338b8d95953ea487b0b3ca1 Mon Sep 17 00:00:00 2001 +From: Alex Henrie +Date: Thu, 26 May 2016 17:38:35 -0600 +Subject: [PATCH 2/7] Fix attribute decoding during XML schema validation + +For https://bugzilla.gnome.org/show_bug.cgi?id=766834 + +vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs, +so this function can't call xmlStringLenDecodeEntities to decode the +entities. +--- + xmlschemas.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index e1b3a4f0..59535e5c 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, + * attributes yet. + */ + if (nb_attributes != 0) { ++ int valueLen, k, l; + xmlChar *value; + + for (j = 0, i = 0; i < nb_attributes; i++, j += 5) { +@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, + * libxml2 differs from normal SAX here in that it escapes all ampersands + * as & instead of delivering the raw converted string. Changing the + * behavior at this point would break applications that use this API, so +- * we are forced to work around it. There is no danger of accidentally +- * decoding some entity other than & in this step because without +- * unescaped ampersands there can be no other entities in the string. ++ * we are forced to work around it. + */ +- value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3], +- attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0); ++ valueLen = attributes[j+4] - attributes[j+3]; ++ value = xmlMallocAtomic(valueLen + 1); ++ if (value == NULL) { ++ xmlSchemaVErrMemory(vctxt, ++ "allocating string for decoded attribute", ++ NULL); ++ goto internal_error; ++ } ++ for (k = 0, l = 0; k < valueLen; l++) { ++ if (k < valueLen - 4 && ++ attributes[j+3][k+0] == '&' && ++ attributes[j+3][k+1] == '#' && ++ attributes[j+3][k+2] == '3' && ++ attributes[j+3][k+3] == '8' && ++ attributes[j+3][k+4] == ';') { ++ value[l] = '&'; ++ k += 5; ++ } else { ++ value[l] = attributes[j+3][k]; ++ k++; ++ } ++ } ++ value[l] = '\0'; + /* + * TODO: Set the node line. + */ +-- +2.14.1 + -- cgit v1.2.3