diff --git a/Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch b/Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch
deleted file mode 100644
index 8e059273ee221b2c926a560fa7eb2dbbc56b506f..0000000000000000000000000000000000000000
--- a/Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c3ae53279a37369d8b100b016126136dea05b44b Mon Sep 17 00:00:00 2001
-From: huangduirong
-Date: Sat, 30 Oct 2021 15:21:01 +0800
-Subject: [PATCH] fix null-deref in xmlSchemaGetComponentTargetNs
-
----
- xmlschemas.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/xmlschemas.c b/xmlschemas.c
-index 5387c8e..17aa6df 100644
---- a/xmlschemas.c
-+++ b/xmlschemas.c
-@@ -1329,6 +1329,9 @@ xmlSchemaFormatQNameNs(xmlChar **buf, xmlNsPtr ns, const xmlChar *localName)
- static const xmlChar *
- xmlSchemaGetComponentName(xmlSchemaBasicItemPtr item)
- {
-+ if (item == NULL) {
-+ return (NULL);
-+ }
- switch (item->type) {
- case XML_SCHEMA_TYPE_ELEMENT:
- return (((xmlSchemaElementPtr) item)->name);
-@@ -1384,6 +1387,9 @@ xmlSchemaGetQNameRefTargetNs(void *ref)
- static const xmlChar *
- xmlSchemaGetComponentTargetNs(xmlSchemaBasicItemPtr item)
- {
-+ if (item == NULL) {
-+ return (NULL);
-+ }
- switch (item->type) {
- case XML_SCHEMA_TYPE_ELEMENT:
- return (((xmlSchemaElementPtr) item)->targetNamespace);
---
-1.8.3.1
-
diff --git a/Fix-XPath-recursion-limit.patch b/Fix-XPath-recursion-limit.patch
deleted file mode 100644
index 0f47ad583916a941b4aa7bee43f6d173a1d172b7..0000000000000000000000000000000000000000
--- a/Fix-XPath-recursion-limit.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 3e1aad4fe584747fd7d17cc7b2863a78e2d21a77 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Wed, 2 Jun 2021 17:31:49 +0200
-Subject: [PATCH] Fix XPath recursion limit
-
-Fix accounting of recursion depth when parsing XPath expressions.
-
-This silly bug introduced in commit 804c5297 could lead to spurious
-errors when parsing larger expressions or XSLT documents.
-
-Should fix #264.
----
- xpath.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xpath.c b/xpath.c
-index 7497ba0..1aa2f1a 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -10983,7 +10983,7 @@ xmlXPathCompileExpr(xmlXPathParserContextPtr ctxt, int sort) {
- }
-
- if (xpctxt != NULL)
-- xpctxt->depth -= 1;
-+ xpctxt->depth -= 10;
- }
-
- /**
---
-1.8.3.1
-
diff --git a/Fix-buffering-in-xmlOutputBufferWrite.patch b/Fix-buffering-in-xmlOutputBufferWrite.patch
deleted file mode 100644
index eb81c72c1f73d3e7f37d23c9c81b81251de43fbc..0000000000000000000000000000000000000000
--- a/Fix-buffering-in-xmlOutputBufferWrite.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From dea91c97debeac7c1aaf9c19f79029809e23a353 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 27 Jul 2021 16:12:54 +0200
-Subject: [PATCH] Fix buffering in xmlOutputBufferWrite
-
-Fix a regression introduced with commit a697ed1e which caused
-xmlOutputBufferWrite to flush internal buffers too late.
-
-Fixes #296.
----
- xmlIO.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/xmlIO.c b/xmlIO.c
-index 57312b9..f20c0fa 100644
---- a/xmlIO.c
-+++ b/xmlIO.c
-@@ -3401,12 +3401,18 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
- out->error = XML_IO_ENCODER;
- return(-1);
- }
-- nbchars = ret >= 0 ? ret : 0;
-+ if (out->writecallback)
-+ nbchars = xmlBufUse(out->conv);
-+ else
-+ nbchars = ret >= 0 ? ret : 0;
- } else {
- ret = xmlBufAdd(out->buffer, (const xmlChar *) buf, chunk);
- if (ret != 0)
- return(-1);
-- nbchars = chunk;
-+ if (out->writecallback)
-+ nbchars = xmlBufUse(out->buffer);
-+ else
-+ nbchars = chunk;
- }
- buf += chunk;
- len -= chunk;
-@@ -3593,13 +3599,19 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
- out->error = XML_IO_ENCODER;
- return(-1);
- }
-- nbchars = ret >= 0 ? ret : 0;
-+ if (out->writecallback)
-+ nbchars = xmlBufUse(out->conv);
-+ else
-+ nbchars = ret >= 0 ? ret : 0;
- } else {
- ret = escaping(xmlBufEnd(out->buffer), &chunk, str, &cons);
- if ((ret < 0) || (chunk == 0)) /* chunk==0 => nothing done */
- return(-1);
- xmlBufAddLen(out->buffer, chunk);
-- nbchars = chunk;
-+ if (out->writecallback)
-+ nbchars = xmlBufUse(out->buffer);
-+ else
-+ nbchars = chunk;
- }
- str += cons;
- len -= cons;
---
-1.8.3.1
-
diff --git a/Fix-regression-in-xmlNodeDumpOutputInternal.patch b/Fix-regression-in-xmlNodeDumpOutputInternal.patch
deleted file mode 100644
index c3c2bc14a38d324b4aa0207087cd6ff059e786cc..0000000000000000000000000000000000000000
--- a/Fix-regression-in-xmlNodeDumpOutputInternal.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 13ad8736d294536da4cbcd70a96b0a2fbf47070c Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 25 May 2021 10:55:25 +0200
-Subject: [PATCH] Fix regression in xmlNodeDumpOutputInternal
-
-Commit 85b1792e could cause additional whitespace if xmlNodeDump was
-called with a non-zero starting level.
----
- xmlsave.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/xmlsave.c b/xmlsave.c
-index aedbd5e..489505f 100644
---- a/xmlsave.c
-+++ b/xmlsave.c
-@@ -890,6 +890,13 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
-
- case XML_ELEMENT_NODE:
-+ if ((cur != root) && (ctxt->format == 1) &&
-+ (xmlIndentTreeOutput))
-+ xmlOutputBufferWrite(buf, ctxt->indent_size *
-+ (ctxt->level > ctxt->indent_nr ?
-+ ctxt->indent_nr : ctxt->level),
-+ ctxt->indent);
-+
- /*
- * Some users like lxml are known to pass nodes with a corrupted
- * tree structure. Fall back to a recursive call to handle this
-@@ -900,13 +907,6 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
- }
-
-- if ((ctxt->level > 0) && (ctxt->format == 1) &&
-- (xmlIndentTreeOutput))
-- xmlOutputBufferWrite(buf, ctxt->indent_size *
-- (ctxt->level > ctxt->indent_nr ?
-- ctxt->indent_nr : ctxt->level),
-- ctxt->indent);
--
- xmlOutputBufferWrite(buf, 1, "<");
- if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
- xmlOutputBufferWriteString(buf, (const char *)cur->ns->prefix);
---
-1.8.3.1
-
diff --git a/Fix-whitespace-when-serializing-empty-HTML-documents.patch b/Fix-whitespace-when-serializing-empty-HTML-documents.patch
deleted file mode 100644
index 2041f991f9a9631effa973fef6a56c511122b5be..0000000000000000000000000000000000000000
--- a/Fix-whitespace-when-serializing-empty-HTML-documents.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Mon, 7 Jun 2021 15:09:53 +0200
-Subject: [PATCH] Fix whitespace when serializing empty HTML documents
-
-The old, non-recursive HTML serialization code would always terminate
-the output with a newline. The new implementation omitted the newline
-if the document node had no children. Readd the newline when
-serializing empty documents.
-
-Fixes #266.
----
- HTMLtree.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/HTMLtree.c b/HTMLtree.c
-index bdd639c..7a2b855 100644
---- a/HTMLtree.c
-+++ b/HTMLtree.c
-@@ -763,11 +763,15 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- if (((xmlDocPtr) cur)->intSubset != NULL) {
- htmlDtdDumpOutput(buf, (xmlDocPtr) cur, NULL);
- }
-- /* Always validate cur->parent when descending. */
-- if ((cur->parent == parent) && (cur->children != NULL)) {
-- parent = cur;
-- cur = cur->children;
-- continue;
-+ if (cur->children != NULL) {
-+ /* Always validate cur->parent when descending. */
-+ if (cur->parent == parent) {
-+ parent = cur;
-+ cur = cur->children;
-+ continue;
-+ }
-+ } else {
-+ xmlOutputBufferWriteString(buf, "\n");
- }
- break;
-
---
-1.8.3.1
-
diff --git a/Patch-to-forbid-epsilon-reduction-of-final-states.patch b/Patch-to-forbid-epsilon-reduction-of-final-states.patch
deleted file mode 100644
index a9b1c0b007faa1f49bd8bb7c1fbe51ebb749ac9a..0000000000000000000000000000000000000000
--- a/Patch-to-forbid-epsilon-reduction-of-final-states.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From ec6e3efb06d7b15cf5a2328fabd3845acea4c815 Mon Sep 17 00:00:00 2001
-From: Arne Becker
-Date: Tue, 6 Jul 2021 21:56:04 +0200
-Subject: [PATCH] Patch to forbid epsilon-reduction of final states
-
-When building the internal representation of a regexp, it is possible
-that a lot of empty transitions are created. Therefore there is a step
-to reduce them in the function xmlFAEliminateSimpleEpsilonTransitions.
-
-There is an error there for this case:
-
-* State 1 has a transition with an atom (in this case "a") to state 2.
-* State 2 is final and has an epsilon transition to state 1.
-
-After reduction it looked like:
-* State 1 has a transition with an atom (in this case "a") to itself
- and is final.
-
-In other words, the empty string is accepted when it shouldn't be.
-
-The attached patch skips the reduction step for final states.
-An alternative would be to insert or increment counters when reducing a
-final state, but this seemed error prone and unnecessary, since there
-aren't that many final states.
-
-Fixes #282
----
- xmlregexp.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/xmlregexp.c b/xmlregexp.c
-index 40dabb2..8d01c2b 100644
---- a/xmlregexp.c
-+++ b/xmlregexp.c
-@@ -1892,6 +1892,12 @@ xmlFAReduceEpsilonTransitions(xmlRegParserCtxtPtr ctxt, int fromnr,
- * then X and Y are semantically equivalent and X can be eliminated
- * If X is the start state then make Y the start state, else replace the
- * target of all transitions to X by transitions to Y.
-+ *
-+ * If X is a final state, skip it.
-+ * Otherwise it would be necessary to manipulate counters for this case when
-+ * eliminating state 2:
-+ * State 1 has a transition with an atom to state 2.
-+ * State 2 is final and has an epsilon transition to state 1.
- */
- static void
- xmlFAEliminateSimpleEpsilonTransitions(xmlRegParserCtxtPtr ctxt) {
-@@ -1904,7 +1910,8 @@ xmlFAEliminateSimpleEpsilonTransitions(xmlRegParserCtxtPtr ctxt) {
- continue;
- if (state->nbTrans != 1)
- continue;
-- if (state->type == XML_REGEXP_UNREACH_STATE)
-+ if (state->type == XML_REGEXP_UNREACH_STATE ||
-+ state->type == XML_REGEXP_FINAL_STATE)
- continue;
- /* is the only transition out a basic transition */
- if ((state->trans[0].atom == NULL) &&
---
-1.8.3.1
-
diff --git a/Work-around-lxml-API-abuse.patch b/Work-around-lxml-API-abuse.patch
deleted file mode 100644
index 8bb91b443405021e2def8536f8b85b3441a4fe43..0000000000000000000000000000000000000000
--- a/Work-around-lxml-API-abuse.patch
+++ /dev/null
@@ -1,212 +0,0 @@
-From 85b1792e37b131e7a51af98a37f92472e8de5f3f Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 18 May 2021 20:08:28 +0200
-Subject: [PATCH] Work around lxml API abuse
-
-Make xmlNodeDumpOutput and htmlNodeDumpFormatOutput work with corrupted
-parent pointers. This used to work with the old recursive code but the
-non-recursive rewrite required parent pointers to be set correctly.
-
-Unfortunately, lxml relies on the old behavior and passes subtrees with
-a corrupted structure. Fall back to a recursive function call if an
-invalid parent pointer is detected.
-
-Fixes #255.
----
- HTMLtree.c | 46 ++++++++++++++++++++++++++++------------------
- xmlsave.c | 31 +++++++++++++++++++++----------
- 2 files changed, 49 insertions(+), 28 deletions(-)
-
-diff --git a/HTMLtree.c b/HTMLtree.c
-index 24434d4..bdd639c 100644
---- a/HTMLtree.c
-+++ b/HTMLtree.c
-@@ -744,7 +744,7 @@ void
- htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- xmlNodePtr cur, const char *encoding ATTRIBUTE_UNUSED,
- int format) {
-- xmlNodePtr root;
-+ xmlNodePtr root, parent;
- xmlAttrPtr attr;
- const htmlElemDesc * info;
-
-@@ -755,6 +755,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- }
-
- root = cur;
-+ parent = cur->parent;
- while (1) {
- switch (cur->type) {
- case XML_HTML_DOCUMENT_NODE:
-@@ -762,7 +763,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- if (((xmlDocPtr) cur)->intSubset != NULL) {
- htmlDtdDumpOutput(buf, (xmlDocPtr) cur, NULL);
- }
-- if (cur->children != NULL) {
-+ /* Always validate cur->parent when descending. */
-+ if ((cur->parent == parent) && (cur->children != NULL)) {
-+ parent = cur;
- cur = cur->children;
- continue;
- }
-@@ -770,6 +773,16 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
-
- case XML_ELEMENT_NODE:
- /*
-+ * Some users like lxml are known to pass nodes with a corrupted
-+ * tree structure. Fall back to a recursive call to handle this
-+ * case.
-+ */
-+ if ((cur->parent != parent) && (cur->children != NULL)) {
-+ htmlNodeDumpFormatOutput(buf, doc, cur, encoding, format);
-+ break;
-+ }
-+
-+ /*
- * Get specific HTML info for that node.
- */
- if (cur->ns == NULL)
-@@ -817,6 +830,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- (cur->name != NULL) &&
- (cur->name[0] != 'p')) /* p, pre, param */
- xmlOutputBufferWriteString(buf, "\n");
-+ parent = cur;
- cur = cur->children;
- continue;
- }
-@@ -825,9 +839,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- (info != NULL) && (!info->isinline)) {
- if ((cur->next->type != HTML_TEXT_NODE) &&
- (cur->next->type != HTML_ENTITY_REF_NODE) &&
-- (cur->parent != NULL) &&
-- (cur->parent->name != NULL) &&
-- (cur->parent->name[0] != 'p')) /* p, pre, param */
-+ (parent != NULL) &&
-+ (parent->name != NULL) &&
-+ (parent->name[0] != 'p')) /* p, pre, param */
- xmlOutputBufferWriteString(buf, "\n");
- }
-
-@@ -842,9 +856,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- break;
- if (((cur->name == (const xmlChar *)xmlStringText) ||
- (cur->name != (const xmlChar *)xmlStringTextNoenc)) &&
-- ((cur->parent == NULL) ||
-- ((xmlStrcasecmp(cur->parent->name, BAD_CAST "script")) &&
-- (xmlStrcasecmp(cur->parent->name, BAD_CAST "style"))))) {
-+ ((parent == NULL) ||
-+ ((xmlStrcasecmp(parent->name, BAD_CAST "script")) &&
-+ (xmlStrcasecmp(parent->name, BAD_CAST "style"))))) {
- xmlChar *buffer;
-
- buffer = xmlEncodeEntitiesReentrant(doc, cur->content);
-@@ -902,13 +916,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- break;
- }
-
-- /*
-- * The parent should never be NULL here but we want to handle
-- * corrupted documents gracefully.
-- */
-- if (cur->parent == NULL)
-- return;
-- cur = cur->parent;
-+ cur = parent;
-+ /* cur->parent was validated when descending. */
-+ parent = cur->parent;
-
- if ((cur->type == XML_HTML_DOCUMENT_NODE) ||
- (cur->type == XML_DOCUMENT_NODE)) {
-@@ -939,9 +949,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
- (cur->next != NULL)) {
- if ((cur->next->type != HTML_TEXT_NODE) &&
- (cur->next->type != HTML_ENTITY_REF_NODE) &&
-- (cur->parent != NULL) &&
-- (cur->parent->name != NULL) &&
-- (cur->parent->name[0] != 'p')) /* p, pre, param */
-+ (parent != NULL) &&
-+ (parent->name != NULL) &&
-+ (parent->name[0] != 'p')) /* p, pre, param */
- xmlOutputBufferWriteString(buf, "\n");
- }
- }
-diff --git a/xmlsave.c b/xmlsave.c
-index 61a4045..aedbd5e 100644
---- a/xmlsave.c
-+++ b/xmlsave.c
-@@ -847,7 +847,7 @@ htmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- static void
- xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- int format = ctxt->format;
-- xmlNodePtr tmp, root, unformattedNode = NULL;
-+ xmlNodePtr tmp, root, unformattedNode = NULL, parent;
- xmlAttrPtr attr;
- xmlChar *start, *end;
- xmlOutputBufferPtr buf;
-@@ -856,6 +856,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- buf = ctxt->buf;
-
- root = cur;
-+ parent = cur->parent;
- while (1) {
- switch (cur->type) {
- case XML_DOCUMENT_NODE:
-@@ -868,7 +869,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
-
- case XML_DOCUMENT_FRAG_NODE:
-- if (cur->children != NULL) {
-+ /* Always validate cur->parent when descending. */
-+ if ((cur->parent == parent) && (cur->children != NULL)) {
-+ parent = cur;
- cur = cur->children;
- continue;
- }
-@@ -887,7 +890,18 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
-
- case XML_ELEMENT_NODE:
-- if ((cur != root) && (ctxt->format == 1) && (xmlIndentTreeOutput))
-+ /*
-+ * Some users like lxml are known to pass nodes with a corrupted
-+ * tree structure. Fall back to a recursive call to handle this
-+ * case.
-+ */
-+ if ((cur->parent != parent) && (cur->children != NULL)) {
-+ xmlNodeDumpOutputInternal(ctxt, cur);
-+ break;
-+ }
-+
-+ if ((ctxt->level > 0) && (ctxt->format == 1) &&
-+ (xmlIndentTreeOutput))
- xmlOutputBufferWrite(buf, ctxt->indent_size *
- (ctxt->level > ctxt->indent_nr ?
- ctxt->indent_nr : ctxt->level),
-@@ -942,6 +956,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- xmlOutputBufferWrite(buf, 1, ">");
- if (ctxt->format == 1) xmlOutputBufferWrite(buf, 1, "\n");
- if (ctxt->level >= 0) ctxt->level++;
-+ parent = cur;
- cur = cur->children;
- continue;
- }
-@@ -1058,13 +1073,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
- break;
- }
-
-- /*
-- * The parent should never be NULL here but we want to handle
-- * corrupted documents gracefully.
-- */
-- if (cur->parent == NULL)
-- return;
-- cur = cur->parent;
-+ cur = parent;
-+ /* cur->parent was validated when descending. */
-+ parent = cur->parent;
-
- if (cur->type == XML_ELEMENT_NODE) {
- if (ctxt->level > 0) ctxt->level--;
---
-1.8.3.1
-
diff --git a/backport-CVE-2022-23308-Use-after-free-of-ID-and-IDREF-attrib.patch b/backport-CVE-2022-23308-Use-after-free-of-ID-and-IDREF-attrib.patch
deleted file mode 100644
index 5a9b10f36f0be655fbcd966fe218ecd73ce215f7..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-23308-Use-after-free-of-ID-and-IDREF-attrib.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 652dd12a858989b14eed4e84e453059cd3ba340e Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 8 Feb 2022 03:29:24 +0100
-Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
-
-If a document is parsed with XML_PARSE_DTDVALID and without
-XML_PARSE_NOENT, the value of ID attributes has to be normalized after
-potentially expanding entities in xmlRemoveID. Otherwise, later calls
-to xmlGetID can return a pointer to previously freed memory.
-
-ID attributes which are empty or contain only whitespace after
-entity expansion are affected in a similar way. This is fixed by
-not storing such attributes in the ID table.
-
-The test to detect streaming mode when validating against a DTD was
-broken. In connection with the defects above, this could result in a
-use-after-free when using the xmlReader interface with validation.
-Fix detection of streaming mode to avoid similar issues. (This changes
-the expected result of a test case. But as far as I can tell, using the
-XML reader with XIncludes referencing the root document never worked
-properly, anyway.)
-
-All of these issues can result in denial of service. Using xmlReader
-with validation could result in disclosure of memory via the error
-channel, typically stderr. The security impact of xmlGetID returning
-a pointer to freed memory depends on the application. The typical use
-case of calling xmlGetID on an unmodified document is not affected.
----
- result/XInclude/ns1.xml.rdr | 2 +-
- valid.c | 88 ++++++++++++++++++++++++++++-----------------
- 2 files changed, 56 insertions(+), 34 deletions(-)
-
-diff --git a/result/XInclude/ns1.xml.rdr b/result/XInclude/ns1.xml.rdr
-index f23702f..9a3a5e7 100644
---- a/result/XInclude/ns1.xml.rdr
-+++ b/result/XInclude/ns1.xml.rdr
-@@ -1,7 +1,7 @@
- 0 1 doc 0 0
- 1 14 #text 0 1
-
--1 1 ns:elem 1 0
-+1 1 xi:include 1 0
- 1 14 #text 0 1
-
- 1 1 elem 0 0
-diff --git a/valid.c b/valid.c
-index 5ee391c..8e596f1 100644
---- a/valid.c
-+++ b/valid.c
-@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
- return (ret);
- }
-
-+/**
-+ * xmlValidNormalizeString:
-+ * @str: a string
-+ *
-+ * Normalize a string in-place.
-+ */
-+static void
-+xmlValidNormalizeString(xmlChar *str) {
-+ xmlChar *dst;
-+ const xmlChar *src;
-+
-+ if (str == NULL)
-+ return;
-+ src = str;
-+ dst = str;
-+
-+ while (*src == 0x20) src++;
-+ while (*src != 0) {
-+ if (*src == 0x20) {
-+ while (*src == 0x20) src++;
-+ if (*src != 0)
-+ *dst++ = 0x20;
-+ } else {
-+ *dst++ = *src++;
-+ }
-+ }
-+ *dst = 0;
-+}
-+
- #ifdef DEBUG_VALID_ALGO
- static void
- xmlValidPrintNode(xmlNodePtr cur) {
-@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
- (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
- xmlFree((char *)(str));
-
-+static int
-+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
-+ xmlParserCtxtPtr pctxt;
-+
-+ if (ctxt == NULL)
-+ return(0);
-+ /*
-+ * These magic values are also abused to detect whether we're validating
-+ * while parsing a document. In this case, userData points to the parser
-+ * context.
-+ */
-+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
-+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
-+ return(0);
-+ pctxt = ctxt->userData;
-+ return(pctxt->parseMode == XML_PARSE_READER);
-+}
-+
- /**
- * xmlFreeID:
- * @not: A id
-@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
- if (doc == NULL) {
- return(NULL);
- }
-- if (value == NULL) {
-+ if ((value == NULL) || (value[0] == 0)) {
- return(NULL);
- }
- if (attr == NULL) {
-@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
- */
- ret->value = xmlStrdup(value);
- ret->doc = doc;
-- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
-+ if (xmlIsStreaming(ctxt)) {
- /*
- * Operating in streaming mode, attr is gonna disappear
- */
-@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
- ID = xmlNodeListGetString(doc, attr->children, 1);
- if (ID == NULL)
- return(-1);
-+ xmlValidNormalizeString(ID);
-
- id = xmlHashLookup(table, ID);
- if (id == NULL || id->attr != attr) {
-@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
- * fill the structure.
- */
- ret->value = xmlStrdup(value);
-- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
-+ if (xmlIsStreaming(ctxt)) {
- /*
- * Operating in streaming mode, attr is gonna disappear
- */
-@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- xmlChar *
- xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
-- xmlChar *ret, *dst;
-- const xmlChar *src;
-+ xmlChar *ret;
- xmlAttributePtr attrDecl = NULL;
- int extsubset = 0;
-
-@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- ret = xmlStrdup(value);
- if (ret == NULL)
- return(NULL);
-- src = value;
-- dst = ret;
-- while (*src == 0x20) src++;
-- while (*src != 0) {
-- if (*src == 0x20) {
-- while (*src == 0x20) src++;
-- if (*src != 0)
-- *dst++ = 0x20;
-- } else {
-- *dst++ = *src++;
-- }
-- }
-- *dst = 0;
-+ xmlValidNormalizeString(ret);
- if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
- xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
- "standalone: %s on %s value had to be normalized based on external subset declaration\n",
-@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
- xmlChar *
- xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
- const xmlChar *name, const xmlChar *value) {
-- xmlChar *ret, *dst;
-- const xmlChar *src;
-+ xmlChar *ret;
- xmlAttributePtr attrDecl = NULL;
-
- if (doc == NULL) return(NULL);
-@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
- ret = xmlStrdup(value);
- if (ret == NULL)
- return(NULL);
-- src = value;
-- dst = ret;
-- while (*src == 0x20) src++;
-- while (*src != 0) {
-- if (*src == 0x20) {
-- while (*src == 0x20) src++;
-- if (*src != 0)
-- *dst++ = 0x20;
-- } else {
-- *dst++ = *src++;
-- }
-- }
-- *dst = 0;
-+ xmlValidNormalizeString(ret);
- return(ret);
- }
-
---
-1.8.3.1
-
diff --git a/libxml2-2.9.12.tar.gz b/libxml2-2.9.12.tar.gz
deleted file mode 100644
index 7fac0da6bb82e857a371573b9380869db723d9c0..0000000000000000000000000000000000000000
Binary files a/libxml2-2.9.12.tar.gz and /dev/null differ
diff --git a/libxml2-2.9.13.tar.xz b/libxml2-2.9.13.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..56d733d36c17f63533cee7bf70673bcd359bfa78
Binary files /dev/null and b/libxml2-2.9.13.tar.xz differ
diff --git a/libxml2.spec b/libxml2.spec
index 7b7685017f03f9c358c7d9073fe87e8b055ac18b..76309b33f19b9dfb23cd390abefe7bfd271de54d 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,25 +1,16 @@ Summary: Library providing XML and HTML support Name: libxml2 -Version: 2.9.12 -Release: 8 +Version: 2.9.13 +Release: 1 License: MIT Group: Development/Libraries -Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz +Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz Patch0: libxml2-multilib.patch -Patch1: Fix-XPath-recursion-limit.patch -Patch2: Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch -Patch3: Fix-memleaks-in-xmlXIncludeProcessFlags.patch -Patch4: xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch -Patch5: Work-around-lxml-API-abuse.patch -Patch6: Fix-regression-in-xmlNodeDumpOutputInternal.patch -Patch7: Fix-whitespace-when-serializing-empty-HTML-documents.patch -Patch8: Patch-to-forbid-epsilon-reduction-of-final-states.patch -Patch9: Fix-buffering-in-xmlOutputBufferWrite.patch -Patch10:backport-CVE-2022-23308-Use-after-free-of-ID-and-IDREF-attrib.patch -Patch11:backport-CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch -Patch12:Fix-memory-leaks-for-xmlACatalogAdd.patch -Patch13:Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch +Patch1: Fix-memleaks-in-xmlXIncludeProcessFlags.patch +Patch2: backport-CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch +Patch3: Fix-memory-leaks-for-xmlACatalogAdd.patch +Patch4: Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel @@ -102,14 +93,9 @@ sed -i 's|#!/usr/bin/python |#!%{__python3} |' py3doc/*.py find doc -type f -exec chmod 0644 \{\} \; %install -%make_install - -make clean -# for python3 %configure --with-python=%{__python3} %make_install - rm -f $RPM_BUILD_ROOT%{_libdir}/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la 
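Review bot: The patch list drops Patch10 (`backport-CVE-2022-23308-Use-after-free-of-ID-and-IDREF-attrib.patch`) together with eight other fixes, and nothing in the spec records that the 2.9.13 tarball actually contains them. The commit message in that deleted backport describes a use-after-free reachable through xmlReader with DTD validation, so a fix that silently went missing would be a security regression; the same check applies to the old Patch2 null-deref fix in xmlschemas.c. I would add a comment above the remaining patches, for example `# Patches dropped in 2.9.13-1 are merged upstream (incl. CVE-2022-23308); verified against the 2.9.13 tree`, once each one has been confirmed. The new `Source:` URL is https, but no checksum or signature check is visible in this hunk, so the committed `libxml2-2.9.13.tar.xz` should also be compared with the digest upstream publishes.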
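Review bot: `%configure --with-python=%{__python3}` still runs inside `%install`, so the tree is reconfigured and anything out of date is recompiled during the install step instead of in `%build`. The `%build` section is outside this hunk, so I cannot tell whether it already configures with the same options; if it does, this call is redundant, and if it does not, the packaged binaries are not the ones `%build` produced. Now that the duplicate installation is removed, I would move the configure call into `%build` and leave `%install` as `%make_install` followed by the `rm -f` cleanup.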
@@ -131,7 +117,8 @@ rm -fr %{buildroot} %files %defattr(-, root, root) -%doc AUTHORS NEWS README Copyright TODO +%doc NEWS README.md Copyright TODO +%doc %{_datadir}/doc/libxml2 %{_libdir}/lib*.so.* %{_bindir}/xmllint @@ -140,7 +127,7 @@ rm -fr %{buildroot} %files devel %defattr(-, root, root) -%doc AUTHORS NEWS README Copyright +%doc NEWS README.md Copyright %doc doc/*.html doc/html doc/*.gif doc/*.png %doc doc/tutorial doc/libxml2-api.xml.gz %doc doc/examples @@ -178,8 +165,13 @@ rm -fr %{buildroot} %doc %{_mandir}/man1/xmlcatalog.1* %doc %{_mandir}/man3/libxml.3* - %changelog +* Tue Jul 12 2022 fuanan - 2.9.13-1 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:Upgrade to upstream v2.9.13 and Cleanup duplicate installation + * Fri Jun 24 2022 fuanan - 2.9.12-8 - Type:bugfix - ID:NA diff --git a/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch b/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch deleted file mode 100644 index fe5cfc8d512e633c0884413931c4a183b1a98d75..0000000000000000000000000000000000000000 --- a/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch +++ /dev/null 
@@ -1,104 +0,0 @@
-From 8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325 Mon Sep 17 00:00:00 2001
-From: David Kilzer
-Date: Wed, 7 Jul 2021 19:24:36 -0700
-Subject: [PATCH] xmlAddChild() and xmlAddNextSibling() may not attach their
- second argument
-
-Use the return value of xmlAddChild() and xmlAddNextSibling()
-instead of the second argument directly.
-
-Found by OSS-Fuzz.
-
-Fixes #316
----
- xinclude.c | 14 ++++++--------
- xpointer.c | 13 ++++++-------
- 2 files changed, 12 insertions(+), 15 deletions(-)
-
-diff --git a/xinclude.c b/xinclude.c
-index b2e6ea1..2a0614d 100644
---- a/xinclude.c
-+++ b/xinclude.c
-@@ -1014,15 +1014,15 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
- if (list == NULL) {
- list = tmp;
- listParent = cur->parent;
-+ last = tmp;
- } else {
- if (level == lastLevel)
-- xmlAddNextSibling(last, tmp);
-+ last = xmlAddNextSibling(last, tmp);
- else {
-- xmlAddChild(last, tmp);
-+ last = xmlAddChild(last, tmp);
- lastLevel = level;
- }
- }
-- last = tmp;
-
- if (index2 > 1) {
- end = xmlXIncludeGetNthChild(cur, index2 - 1);
-@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
- }
- if (tmp != NULL) {
- if (level == lastLevel)
-- xmlAddNextSibling(last, tmp);
-+ last = xmlAddNextSibling(last, tmp);
- else {
-- xmlAddChild(last, tmp);
-+ last = xmlAddChild(last, tmp);
- lastLevel = level;
- }
-- last = tmp;
- }
- }
- /*
-@@ -1186,8 +1185,7 @@ xmlXIncludeCopyXPointer(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
- if (last == NULL) {
- list = last = tmp;
- } else {
-- xmlAddNextSibling(last, tmp);
-- last = tmp;
-+ last = xmlAddNextSibling(last, tmp);
- }
- cur = cur->next;
- continue;
-diff --git a/xpointer.c b/xpointer.c
-index 27a6a8c..fe2fca5 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -1483,16 +1483,16 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
- return(list);
- } else {
- tmp = xmlCopyNode(cur, 0);
-- if (list == NULL)
-+ if (list == NULL) {
- list = tmp;
-- else {
-+ parent = tmp;
-+ } else {
- if (last != NULL)
-- xmlAddNextSibling(last, tmp);
-+ parent = xmlAddNextSibling(last, tmp);
- else
-- xmlAddChild(parent, tmp);
-+ parent = xmlAddChild(parent, tmp);
- }
- last = NULL;
-- parent = tmp;
-
- if (index2 > 1) {
- end = xmlXPtrGetNthChild(cur, index2 - 1);
-@@ -1574,8 +1574,7 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
- if (last != NULL)
- xmlAddNextSibling(last, tmp);
- else {
-- xmlAddChild(parent, tmp);
-- last = tmp;
-+ last = xmlAddChild(parent, tmp);
- }
- }
- }
---
-1.8.3.1
-