diff --git a/backport-SAX2-Ignore-namespaces-in-HTML-documents.patch b/backport-SAX2-Ignore-namespaces-in-HTML-documents.patch new file mode 100644 index 0000000000000000000000000000000000000000..9214562b6cc26a0977bfc0a8625a413b5de60db4 --- /dev/null +++ b/backport-SAX2-Ignore-namespaces-in-HTML-documents.patch @@ -0,0 +1,114 @@ +From d7d0bc6581e332f49c9ff628f548eced03c65189 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 31 Mar 2023 16:47:48 +0200 +Subject: [PATCH] SAX2: Ignore namespaces in HTML documents + +In commit 21ca8829, we started to ignore namespaces in HTML element +names but we still called xmlSplitQName, effectively stripping the +namespace prefix. This would cause elements like being parsed +as

. Now we leave the name untouched. + +Fixes #508. + +Reference:https://github.com/GNOME/libxml2/commit/d7d0bc6581e332f49c9ff628f548eced03c65189 +Conflict:NA + +--- + SAX2.c | 15 +++++++++------ + result/HTML/names.html | 6 ++++++ + result/HTML/names.html.err | 3 +++ + result/HTML/names.html.sax | 20 ++++++++++++++++++++ + test/HTML/names.html | 5 +++++ + 5 files changed, 43 insertions(+), 6 deletions(-) + create mode 100644 result/HTML/names.html + create mode 100644 result/HTML/names.html.err + create mode 100644 result/HTML/names.html.sax + create mode 100644 test/HTML/names.html + +diff --git a/SAX2.c b/SAX2.c +index 3984bed..f8bc7c2 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -1589,12 +1589,15 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts) + ctxt->validate = 0; + } + +- +- /* +- * Split the full name into a namespace prefix and the tag name +- */ +- name = xmlSplitQName(ctxt, fullname, &prefix); +- ++ if (ctxt->html) { ++ prefix = NULL; ++ name = xmlStrdup(fullname); ++ } else { ++ /* ++ * Split the full name into a namespace prefix and the tag name ++ */ ++ name = xmlSplitQName(ctxt, fullname, &prefix); ++ } + + /* + * Note : the namespace resolution is deferred until the end of the +diff --git a/result/HTML/names.html b/result/HTML/names.html +new file mode 100644 +index 0000000..dd7dcc2 +--- /dev/null ++++ b/result/HTML/names.html +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +diff --git a/result/HTML/names.html.err b/result/HTML/names.html.err +new file mode 100644 +index 0000000..4d91a5d +--- /dev/null ++++ b/result/HTML/names.html.err +@@ -0,0 +1,3 @@ ++./test/HTML/names.html:3: HTML parser error : Tag o:p invalid ++ ++ ^ +diff --git a/result/HTML/names.html.sax b/result/HTML/names.html.sax +new file mode 100644 +index 0000000..12a107f +--- /dev/null ++++ b/result/HTML/names.html.sax +@@ -0,0 +1,20 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.startElement(html) ++SAX.characters( ++, 1) ++SAX.startElement(body) 
++SAX.characters( ++ , 3) ++SAX.startElement(o:p) ++SAX.error: Tag o:p invalid ++SAX.endElement(o:p) ++SAX.characters( ++, 1) ++SAX.endElement(body) ++SAX.characters( ++, 1) ++SAX.endElement(html) ++SAX.characters( ++, 1) ++SAX.endDocument() +diff --git a/test/HTML/names.html b/test/HTML/names.html +new file mode 100644 +index 0000000..0dac7a4 +--- /dev/null ++++ b/test/HTML/names.html +@@ -0,0 +1,5 @@ ++ ++ ++ ++ ++ +-- +2.33.0 + diff --git a/backport-buf-Also-reset-input-in-error-case.patch b/backport-buf-Also-reset-input-in-error-case.patch new file mode 100644 index 0000000000000000000000000000000000000000..9a2ed21ce0e1fa23007af9d3cf145bdcb315f026 --- /dev/null +++ b/backport-buf-Also-reset-input-in-error-case.patch @@ -0,0 +1,34 @@ +From fef12ed81619c79729bf66a906701308a02d6b2b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 11 Oct 2023 13:32:54 +0200 +Subject: [PATCH] buf: Also reset input in error case + +Avoid dangling pointers if memory allocation failed. This could cause +a use-after-free after recent changes. + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/fef12ed81619c79729bf66a906701308a02d6b2b +Conflict:NA +--- + buf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/buf.c b/buf.c +index e0afd798c..266395f48 100644 +--- a/buf.c ++++ b/buf.c +@@ -1017,8 +1017,12 @@ xmlBufMergeBuffer(xmlBufPtr buf, xmlBufferPtr buffer) { + */ + int + xmlBufResetInput(xmlBufPtr buf, xmlParserInputPtr input) { +- if ((input == NULL) || (buf == NULL) || (buf->error)) ++ if (input == NULL) + return(-1); ++ if ((buf == NULL) || (buf->error)) { ++ input->base = input->cur = input->end = BAD_CAST ""; ++ return(-1); ++ } + CHECK_COMPAT(buf) + input->base = input->cur = buf->content; + input->end = &buf->content[buf->use]; 
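Review bot: The new HTML branch in xmlSAX2StartElement assigns `name = xmlStrdup(fullname);` without checking for a NULL return, whereas the xmlSplitQName path it replaces reports its own allocation failure; how a NULL `name` is treated depends on the xmlNewDocNodeEatName call after the hunk, so confirm it tolerates NULL or add `if (name == NULL) { xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement"); return; }` next to the strdup. The new test/HTML/names.html and result/HTML/names.html files appear as empty `+` lines in this listing, so the element content that exercises the `o:p` case (visible only in names.html.err and names.html.sax) cannot be verified here — most likely an extraction artifact, but worth checking that the committed fixtures are not empty. The rest of xmlSAX2StartElement lies outside the hunk.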
diff --git a/backport-dict-Fix-integer-overflow-in-xmlDictAddString.patch b/backport-dict-Fix-integer-overflow-in-xmlDictAddString.patch new file mode 100644 index 0000000000000000000000000000000000000000..93c78017b0c04e2ad603f93f4531c3afbfd3c86f --- /dev/null +++ b/backport-dict-Fix-integer-overflow-in-xmlDictAddString.patch @@ -0,0 +1,50 @@ +From 7dfcea03c37d17ca0d05d7a54f9245a8fde735cc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 11 Oct 2023 14:19:04 +0200 +Subject: [PATCH] dict: Fix integer overflow in xmlDictAddString + +Short-lived regression. + +Older versions didn't check for integer overflow, but limited name +length to INT_MAX / 2. Reintroduce this limit. + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/7dfcea03c37d17ca0d05d7a54f9245a8fde735cc +Conflict:xmlDictLookupInternal function does not exist, Therefore, the function is not incorporated. +--- + dict.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/dict.c b/dict.c +index 4de231f..af3e71a 100644 +--- a/dict.c ++++ b/dict.c +@@ -264,10 +264,20 @@ xmlDictAddString(xmlDictPtr dict, const xmlChar *name, unsigned int namelen) { + return(NULL); + } + +- if (size == 0) size = 1000; +- else size *= 4; /* exponential growth */ +- if (size < 4 * namelen) +- size = 4 * namelen; /* just in case ! */ ++ if (size == 0) { ++ size = 1000; ++ } else { ++ if (size < (SIZE_MAX - sizeof(xmlDictStrings)) / 4) ++ size *= 4; /* exponential growth */ ++ else ++ size = SIZE_MAX - sizeof(xmlDictStrings); ++ } ++ if (size / 4 < namelen) { ++ if ((size_t) namelen + 0 < (SIZE_MAX - sizeof(xmlDictStrings)) / 4) ++ size = 4 * (size_t) namelen; /* just in case ! */ ++ else ++ return(NULL); ++ } + pool = (xmlDictStringsPtr) xmlMalloc(sizeof(xmlDictStrings) + size); + if (pool == NULL) + return(NULL); +-- +2.33.0 + 
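Review bot: In the new `size / 4 < namelen` branch the guard `(size_t) namelen + 0 < ...` contains a no-op `+ 0`; drop it: `if ((size_t) namelen < (SIZE_MAX - sizeof(xmlDictStrings)) / 4)`. More importantly, the commit message says the fix is to reintroduce the `INT_MAX / 2` name-length limit, but the Conflict line records that the xmlDictLookupInternal hunk was not ported, so in this tree xmlDictAddString only rejects names that would overflow the pool size; confirm that xmlDictLookup and xmlDictExists still bound `l` with an `INT_MAX / 2` check before calling xmlDictAddString, otherwise that part of the upstream fix is missing. `SIZE_MAX` needs `<stdint.h>`, and the include block is outside the hunk, so check that dict.c already includes it.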
diff --git a/backport-dict-Fix-integer-overflow-of-string-lengths.patch b/backport-dict-Fix-integer-overflow-of-string-lengths.patch new file mode 100644 index 0000000000000000000000000000000000000000..4680224e6f671e7f859eeff4df6edf2218ca7dfe --- /dev/null +++ b/backport-dict-Fix-integer-overflow-of-string-lengths.patch 
@@ -0,0 +1,65 @@ +From f45abbd3e561d25743053236a401cea49e6bdb24 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 4 Sep 2023 15:31:04 +0200 +Subject: [PATCH] dict: Fix integer overflow of string lengths + +Reference:https://github.com/GNOME/libxml2/commit/f45abbd3e561d25743053236a401cea49e6bdb24 +Conflict:NA + +Fixes #546. +--- + dict.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/dict.c b/dict.c +index e39e8a4..4de231f 100644 +--- a/dict.c ++++ b/dict.c +@@ -384,7 +384,7 @@ xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) { + + hash = seed; + +- for (i = 0;i < namelen; i++) { ++ for (i = 0; i < namelen; i++) { + hash += data[i]; + hash += (hash << 10); + hash ^= (hash >> 6); +@@ -868,7 +868,7 @@ xmlDictLookup(xmlDictPtr dict, const xmlChar *name, int len) { + xmlDictEntryPtr entry; + xmlDictEntryPtr insert; + const xmlChar *ret; +- unsigned int l; ++ size_t l; + + if ((dict == NULL) || (name == NULL)) + return(NULL); +@@ -1006,7 +1006,7 @@ const xmlChar * + xmlDictExists(xmlDictPtr dict, const xmlChar *name, int len) { + unsigned long key, okey, nbi = 0; + xmlDictEntryPtr insert; +- unsigned int l; ++ size_t l; + + if ((dict == NULL) || (name == NULL)) + return(NULL); +@@ -1116,7 +1116,7 @@ xmlDictQLookup(xmlDictPtr dict, const xmlChar *prefix, const xmlChar *name) { + xmlDictEntryPtr entry; + xmlDictEntryPtr insert; + const xmlChar *ret; +- unsigned int len, plen, l; ++ size_t len, plen, l; + + if ((dict == NULL) || (name == NULL)) + return(NULL); +@@ -1125,6 +1125,8 @@ xmlDictQLookup(xmlDictPtr dict, const xmlChar *prefix, const xmlChar *name) { + + l = len = strlen((const char *) name); + plen = strlen((const char *) prefix); ++ if ((len > INT_MAX / 2) || (plen > INT_MAX / 2)) ++ return(NULL); + len += 1 + plen; + + /* +-- +2.33.0 + 
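Review bot: The hunks in xmlDictLookup and xmlDictExists only widen `l` from `unsigned int` to `size_t`; the check that bounds `l` before it is narrowed back into xmlDictAddString's `unsigned int namelen` (the existing `l > INT_MAX / 2` test, if this tree has it) lies outside the hunk and should be confirmed, since the widening alone does not remove the truncation the title describes. In xmlDictQLookup the new `if ((len > INT_MAX / 2) || (plen > INT_MAX / 2)) return(NULL);` needs `<limits.h>`, which the patch does not add, so dict.c must already include it. The first hunk (`for (i = 0; i < namelen; i++)`) is whitespace-only and could be dropped from a backport to reduce conflict surface.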
diff --git a/backport-entities-Don-t-allow-null-name-in-xmlNewEntity.patch b/backport-entities-Don-t-allow-null-name-in-xmlNewEntity.patch new file mode 100644 index 0000000000000000000000000000000000000000..071caaf5a2efce39a077724cf00b72becf70ce08 --- /dev/null +++ b/backport-entities-Don-t-allow-null-name-in-xmlNewEntity.patch @@ -0,0 +1,28 @@ +From edbf1eb63befa14417ec5b0b588444498a086f88 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 5 Mar 2024 18:07:13 +0100 +Subject: [PATCH] entities: Don't allow null name in xmlNewEntity + +Reference: https://github.com/GNOME/libxml2/commit/edbf1eb63befa14417ec5b0b588444498a086f88 +Conflict: adapt xmlNewEntity + +--- + entities.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/entities.c b/entities.c +index ec1b9a7..5a56690 100644 +--- a/entities.c ++++ b/entities.c +@@ -429,6 +429,8 @@ xmlNewEntity(xmlDocPtr doc, const xmlChar *name, int type, + if ((doc != NULL) && (doc->intSubset != NULL)) { + return(xmlAddDocEntity(doc, name, type, ExternalID, SystemID, content)); + } ++ if (name == NULL) ++ return(NULL); + if (doc != NULL) + dict = doc->dict; + else +-- +2.33.0 + diff --git a/backport-hash-Fix-integer-overflow-of-nbElems.patch b/backport-hash-Fix-integer-overflow-of-nbElems.patch new file mode 100644 index 0000000000000000000000000000000000000000..296eeca195ed9ad62ed2a15351e0f27d0110255e --- /dev/null +++ b/backport-hash-Fix-integer-overflow-of-nbElems.patch 
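Review bot: The new `if (name == NULL) return(NULL);` is placed after the `doc->intSubset != NULL` branch, so a NULL name with a document that has an internal subset still reaches `xmlAddDocEntity(doc, name, ...)`, and whether that path rejects NULL is outside the hunk. Unless xmlAddDocEntity is known to handle it, moving the same two lines to the top of the function, before the intSubset test, covers both paths. A one-line comment such as `/* a NULL name cannot be registered */` would document the contract.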
@@ -0,0 +1,35 @@ +From 4b8f7cf05def7192928c6a023300ee55ef2a9cfe Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 1 Sep 2023 13:07:27 +0200 +Subject: [PATCH] hash: Fix integer overflow of nbElems + +Reference:https://github.com/GNOME/libxml2/commit/4b8f7cf05def7192928c6a023300ee55ef2a9cfe +Conflict:NA +--- + hash.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hash.c b/hash.c +index cbcc4293..45635857 100644 +--- a/hash.c ++++ b/hash.c +@@ -541,7 +541,7 @@ xmlHashAddEntry3(xmlHashTablePtr table, const xmlChar *name, + xmlHashEntryPtr entry; + xmlHashEntryPtr insert; + +- if ((table == NULL) || (name == NULL)) ++ if ((table == NULL) || (name == NULL) || (table->nbElems == INT_MAX)) + return(-1); + + /* +@@ -680,7 +680,7 @@ xmlHashUpdateEntry3(xmlHashTablePtr table, const xmlChar *name, + xmlHashEntryPtr entry; + xmlHashEntryPtr insert; + +- if ((table == NULL) || name == NULL) ++ if ((table == NULL) || (name == NULL) || (table->nbElems == INT_MAX)) + return(-1); + + /* +-- +2.23.0 diff --git a/backport-html-Don-t-close-fd-in-htmlCtxtReadFd.patch b/backport-html-Don-t-close-fd-in-htmlCtxtReadFd.patch new file mode 100644 index 0000000000000000000000000000000000000000..1905d6463dd6c285d2b505da7734a9901e4630ed --- /dev/null +++ b/backport-html-Don-t-close-fd-in-htmlCtxtReadFd.patch 
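Review bot: Both new checks compare `table->nbElems == INT_MAX`, which needs `<limits.h>`; the include block is outside the hunk and the patch does not add it, so confirm hash.c in this tree already includes it (upstream's diffstat of 2 insertions suggests it did). In xmlHashUpdateEntry3 the check also refuses to update an existing key once the table is full, even though an update does not grow `nbElems`; that matches upstream, but a comment like `/* refuse rather than let nbElems++ overflow below */` would make the intent clear, since the increment itself is outside the hunk.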
@@ -0,0 +1,29 @@ +From 8cd563174ad17b82f807640f478f613f22238336 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 21 Dec 2023 02:32:01 +0100 +Subject: [PATCH] html: Don't close fd in htmlCtxtReadFd + +Long-standing bug. The XML fix from 2003 was never ported to the HTML +parser. htmlReadFd was fixed with fe6890e2. + +Reference: https://github.com/GNOME/libxml2/commit/8cd563174ad17b82f807640f478f613f22238336 +Conflict: NA +--- + HTMLparser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 5228b601..c0b54e69 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6755,6 +6755,7 @@ htmlCtxtReadFd(htmlParserCtxtPtr ctxt, int fd, + input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE); + if (input == NULL) + return (NULL); ++ input->closecallback = NULL; + stream = xmlNewIOInputStream(ctxt, input, XML_CHAR_ENCODING_NONE); + if (stream == NULL) { + xmlFreeParserInputBuffer(input); +-- +2.33.0 + diff --git a/backport-malloc-fail-Fix-memory-leak-in-xmlCompileAttributeTe.patch b/backport-malloc-fail-Fix-memory-leak-in-xmlCompileAttributeTe.patch new file mode 100644 index 0000000000000000000000000000000000000000..d3e487fb6b218fb4425adb6b6dd090c037c2f9f1 --- /dev/null +++ b/backport-malloc-fail-Fix-memory-leak-in-xmlCompileAttributeTe.patch 
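Review bot: Setting `input->closecallback = NULL;` changes the ownership contract — the caller now keeps responsibility for closing `fd` — but htmlCtxtReadFd's doc comment, which is outside the hunk, is not updated. Add a sentence mirroring the XML counterpart, e.g. `NOTE that the file descriptor will not be closed when the context is freed or reset.`, so callers that relied on the old behaviour notice the change when updating. The message says the same fix went into htmlReadFd in fe6890e2, so its doc comment is worth checking as well.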
@@ -0,0 +1,53 @@ +From 75693281389aab047b424d46df944b35ab4a3263 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 21 Jul 2023 14:50:30 +0200 +Subject: [PATCH] malloc-fail: Fix memory leak in xmlCompileAttributeTest + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/75693281389aab047b424d46df944b35ab4a3263 +Conflict:NA + +--- + pattern.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/pattern.c b/pattern.c +index 27e9694..64231a2 100644 +--- a/pattern.c ++++ b/pattern.c +@@ -947,7 +947,6 @@ xmlCompileAttributeTest(xmlPatParserContextPtr ctxt) { + + if (IS_BLANK_CH(CUR)) { + ERROR5(NULL, NULL, NULL, "Invalid QName.\n", NULL); +- XML_PAT_FREE_STRING(ctxt, prefix); + ctxt->error = 1; + goto error; + } +@@ -972,12 +971,12 @@ xmlCompileAttributeTest(xmlPatParserContextPtr ctxt) { + ERROR5(NULL, NULL, NULL, + "xmlCompileAttributeTest : no namespace bound to prefix %s\n", + prefix); +- XML_PAT_FREE_STRING(ctxt, prefix); + ctxt->error = 1; + goto error; + } + } +- XML_PAT_FREE_STRING(ctxt, prefix); ++ XML_PAT_FREE_STRING(ctxt, name); ++ name = NULL; + if (token == NULL) { + if (CUR == '*') { + NEXT; +@@ -996,6 +995,8 @@ xmlCompileAttributeTest(xmlPatParserContextPtr ctxt) { + } + return; + error: ++ if (name != NULL) ++ XML_PAT_FREE_STRING(ctxt, name); + if (URL != NULL) + XML_PAT_FREE_STRING(ctxt, URL) + if (token != NULL) +-- +2.33.0 + diff --git a/backport-malloc-fail-Fix-null-deref-in-xmlXPathTranslateFunct.patch b/backport-malloc-fail-Fix-null-deref-in-xmlXPathTranslateFunct.patch new file mode 100644 index 0000000000000000000000000000000000000000..f5cbd75189b2f1399884d1d374ab6c99954ed63d --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-in-xmlXPathTranslateFunct.patch 
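Review bot: The fix only works because `prefix` aliases `name` (the assignment `xmlChar *prefix = name;` is presumably just above the hunk), so freeing `name` and clearing it with `name = NULL;` also retires `prefix`; a comment at the new free, `/* prefix aliases name: free it once here so error: skips it */`, would stop a later reader from re-adding a free of `prefix` and reintroducing a double free. The pre-existing `XML_PAT_FREE_STRING(ctxt, URL)` at the error label still lacks a trailing semicolon unlike the other uses; harmless if the macro supplies one, but inconsistent. The function's `error:` cleanup continues past the end of the hunk.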
@@ -0,0 +1,51 @@ +From 8583b9f1cdb966315b3caae328f5d9f2c8b65292 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 12 Dec 2023 15:00:44 +0100 +Subject: [PATCH] malloc-fail: Fix null deref in xmlXPathTranslateFunction + +Short-lived regression. + +Reference: https://github.com/GNOME/libxml2/commit/8583b9f1cdb966315b3caae328f5d9f2c8b65292 +Conflict: adpat error: + +--- + xpath.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 3128efb..a832722 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -9330,9 +9330,9 @@ xmlXPathNormalizeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + void + xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { +- xmlXPathObjectPtr str; +- xmlXPathObjectPtr from; +- xmlXPathObjectPtr to; ++ xmlXPathObjectPtr str = NULL; ++ xmlXPathObjectPtr from = NULL; ++ xmlXPathObjectPtr to = NULL; + xmlBufPtr target; + int offset, max; + int ch; +@@ -9347,6 +9347,8 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + from = valuePop(ctxt); + CAST_TO_STRING; + str = valuePop(ctxt); ++ if (ctxt->error != 0) ++ goto error; + + target = xmlBufCreate(); + if (target) { +@@ -9388,6 +9390,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + valuePush(ctxt, xmlXPathCacheNewString(ctxt->context, + xmlBufContent(target))); + xmlBufFree(target); ++error: + xmlXPathReleaseObject(ctxt->context, str); + xmlXPathReleaseObject(ctxt->context, from); + xmlXPathReleaseObject(ctxt->context, to); +-- +2.33.0 + diff --git a/backport-malloc-fail-Fix-null-deref-with-xmllint-copy.patch b/backport-malloc-fail-Fix-null-deref-with-xmllint-copy.patch new file mode 100644 index 0000000000000000000000000000000000000000..f8a71ff9c245ba64de43ce56f7bd0e37dfd6551d --- /dev/null +++ b/backport-malloc-fail-Fix-null-deref-with-xmllint-copy.patch 
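Review bot: The new `goto error;` after the three valuePop calls jumps past `xmlBufFree(target)`, which is correct only because `target` has not been created at that point, and it relies on xmlXPathReleaseObject accepting the NULL pointers the new initialisers provide — both facts are outside the hunk and worth a comment at the label, e.g. `/* target is not yet allocated here; str/from/to may be NULL */`. The Conflict line `adpat error:` in the patch header looks like a typo for `adapt error:` and could be corrected when the patch is regenerated.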
@@ -0,0 +1,33 @@ +From 305a75ccbec4e4b14ab6c05d581d82bd9801b19f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 6 Jun 2023 13:15:46 +0200 +Subject: [PATCH] malloc-fail: Fix null-deref with xmllint --copy + +See #344. Fixes #552. + +Reference:https://github.com/GNOME/libxml2/commit/305a75ccbec4e4b14ab6c05d581d82bd9801b19f +Conflict:NA + +--- + xmllint.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xmllint.c b/xmllint.c +index 4093b4c..084c24a 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2483,6 +2483,11 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + startTimer(); + } + doc = xmlCopyDoc(doc, 1); ++ if (doc == NULL) { ++ progresult = XMLLINT_ERR_MEM; ++ xmlFreeDoc(tmp); ++ return; ++ } + if (timing) { + endTimer("Copying"); + } +-- +2.33.0 + diff --git a/backport-malloc-fail-Fix-unsigned-integer-overflow-in-xmlText.patch b/backport-malloc-fail-Fix-unsigned-integer-overflow-in-xmlText.patch new file mode 100644 index 0000000000000000000000000000000000000000..0897811b3e2209635019c9ea061277f74df4ee01 --- /dev/null +++ b/backport-malloc-fail-Fix-unsigned-integer-overflow-in-xmlText.patch 
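Review bot: The new early return after `xmlCopyDoc` leaves the `startTimer();` visible two lines above without a matching `endTimer()` when `--timing` is active; consider `if (timing) endTimer("Copying");` before the return, or stop the timer before the check. It also returns from parseAndPrintFile directly, so any per-file cleanup later in the function (outside the hunk) is skipped on this path; confirm nothing else needs releasing at that point.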
@@ -0,0 +1,35 @@ +From e2ab48b9b5f5a97da76d6c90f0630ad0486bac6e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 14 Aug 2023 15:05:30 +0200 +Subject: [PATCH] malloc-fail: Fix unsigned integer overflow in + xmlTextReaderPushData + +Return immediately if xmlParserInputBufferRead fails. + +Found by OSS-Fuzz, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/e2ab48b9b5f5a97da76d6c90f0630ad0486bac6e +Conflict:NA + +--- + xmlreader.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/xmlreader.c b/xmlreader.c +index 193a5d4..d34f294 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -928,9 +928,7 @@ xmlTextReaderPushData(xmlTextReaderPtr reader) { + } else if (val < 0) { + reader->mode = XML_TEXTREADER_MODE_EOF; + reader->state = oldstate; +- if ((oldstate != XML_TEXTREADER_START) || +- (reader->ctxt->myDoc != NULL)) +- return(val); ++ return(val); + } else if (val == 0) { + /* mark the end of the stream and process the remains */ + reader->mode = XML_TEXTREADER_MODE_EOF; +-- +2.33.0 + diff --git a/backport-malloc-fail-Fix-use-after-free-in-xmlBufBackToBuffer.patch b/backport-malloc-fail-Fix-use-after-free-in-xmlBufBackToBuffer.patch new file mode 100644 index 0000000000000000000000000000000000000000..cfd8c821383a6a2d7d32c346dc3f8a63fb1ecb05 --- /dev/null +++ b/backport-malloc-fail-Fix-use-after-free-in-xmlBufBackToBuffer.patch 
@@ -0,0 +1,41 @@ +From 9c2d451c0275dfbf859c321058584ec98382542f Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 4 Mar 2024 01:25:46 +0100 +Subject: [PATCH] malloc-fail: Fix use-after-free in xmlBufBackToBuffer + +Reference: https://github.com/GNOME/libxml2/commit/9c2d451c0275dfbf859c321058584ec98382542f +Conflict: NA + +--- + buf.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/buf.c b/buf.c +index 90224c5..8779a16 100644 +--- a/buf.c ++++ b/buf.c +@@ -1185,12 +1185,19 @@ xmlBufBackToBuffer(xmlBufPtr buf) { + if (buf == NULL) + return(NULL); + CHECK_COMPAT(buf) +- if ((buf->error) || (buf->buffer == NULL)) { ++ ret = buf->buffer; ++ ++ if ((buf->error) || (ret == NULL)) { + xmlBufFree(buf); ++ if (ret != NULL) { ++ ret->content = NULL; ++ ret->contentIO = NULL; ++ ret->use = 0; ++ ret->size = 0; ++ } + return(NULL); + } + +- ret = buf->buffer; + /* + * What to do in case of error in the buffer ??? + */ +-- +2.33.0 + diff --git a/backport-malloc-fail-Handle-malloc-failures-in-xmlAddEncoding.patch b/backport-malloc-fail-Handle-malloc-failures-in-xmlAddEncoding.patch new file mode 100644 index 0000000000000000000000000000000000000000..b1b2f8c426ca0f33211c691a198fbf9b715cb294 --- /dev/null +++ b/backport-malloc-fail-Handle-malloc-failures-in-xmlAddEncoding.patch 
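Review bot: The new code writes to `ret` after `xmlBufFree(buf)`, which is only valid if xmlBufFree does not release `buf->buffer` (it is outside the hunk, so this cannot be confirmed here); a comment such as `/* xmlBufFree must not free buf->buffer: we detach the xmlBuffer's content instead */` above the block would record that dependency. Resetting `content`, `contentIO`, `use` and `size` leaves the xmlBuffer valid but empty for the caller, which is the stated intent, but the trailing `/* What to do in case of error in the buffer ??? */` comment is now stale, since the error case is handled right above it.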
@@ -0,0 +1,96 @@ +From db21cd5db9c8f0fdb041febc66aef889375aae32 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 6 Jun 2023 14:25:30 +0200 +Subject: [PATCH] malloc-fail: Handle malloc failures in xmlAddEncodingAlias + +Avoid memory errors if an allocation fails. + +See #344. Fixes #553. + +Reference:https://github.com/GNOME/libxml2/commit/db21cd5db9c8f0fdb041febc66aef889375aae32 +Conflict:NA + +--- + encoding.c | 44 +++++++++++++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +diff --git a/encoding.c b/encoding.c +index 9a7a611..c84e71c 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -1068,6 +1068,7 @@ int + xmlAddEncodingAlias(const char *name, const char *alias) { + int i; + char upper[100]; ++ char *nameCopy, *aliasCopy; + + if ((name == NULL) || (alias == NULL)) + return(-1); +@@ -1078,19 +1079,21 @@ xmlAddEncodingAlias(const char *name, const char *alias) { + } + upper[i] = 0; + +- if (xmlCharEncodingAliases == NULL) { +- xmlCharEncodingAliasesNb = 0; +- xmlCharEncodingAliasesMax = 20; +- xmlCharEncodingAliases = (xmlCharEncodingAliasPtr) +- xmlMalloc(xmlCharEncodingAliasesMax * sizeof(xmlCharEncodingAlias)); +- if (xmlCharEncodingAliases == NULL) +- return(-1); +- } else if (xmlCharEncodingAliasesNb >= xmlCharEncodingAliasesMax) { +- xmlCharEncodingAliasesMax *= 2; +- xmlCharEncodingAliases = (xmlCharEncodingAliasPtr) +- xmlRealloc(xmlCharEncodingAliases, +- xmlCharEncodingAliasesMax * sizeof(xmlCharEncodingAlias)); ++ if (xmlCharEncodingAliasesNb >= xmlCharEncodingAliasesMax) { ++ xmlCharEncodingAliasPtr tmp; ++ size_t newSize = xmlCharEncodingAliasesMax ? 
++ xmlCharEncodingAliasesMax * 2 : ++ 20; ++ ++ tmp = (xmlCharEncodingAliasPtr) ++ xmlRealloc(xmlCharEncodingAliases, ++ newSize * sizeof(xmlCharEncodingAlias)); ++ if (tmp == NULL) ++ return(-1); ++ xmlCharEncodingAliases = tmp; ++ xmlCharEncodingAliasesMax = newSize; + } ++ + /* + * Walk down the list looking for a definition of the alias + */ +@@ -1099,16 +1102,27 @@ xmlAddEncodingAlias(const char *name, const char *alias) { + /* + * Replace the definition. + */ ++ nameCopy = xmlMemStrdup(name); ++ if (nameCopy == NULL) ++ return(-1); + xmlFree((char *) xmlCharEncodingAliases[i].name); +- xmlCharEncodingAliases[i].name = xmlMemStrdup(name); ++ xmlCharEncodingAliases[i].name = nameCopy; + return(0); + } + } + /* + * Add the definition + */ +- xmlCharEncodingAliases[xmlCharEncodingAliasesNb].name = xmlMemStrdup(name); +- xmlCharEncodingAliases[xmlCharEncodingAliasesNb].alias = xmlMemStrdup(upper); ++ nameCopy = xmlMemStrdup(name); ++ if (nameCopy == NULL) ++ return(-1); ++ aliasCopy = xmlMemStrdup(upper); ++ if (aliasCopy == NULL) { ++ xmlFree(nameCopy); ++ return(-1); ++ } ++ xmlCharEncodingAliases[xmlCharEncodingAliasesNb].name = nameCopy; ++ xmlCharEncodingAliases[xmlCharEncodingAliasesNb].alias = aliasCopy; + xmlCharEncodingAliasesNb++; + return(0); + } +-- +2.33.0 + diff --git a/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch b/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch index 12825d33750c4e647f491cebb3fcacbedd0887c4..d87de292db13735f003b306de2bd6389fdb8b980 100644 --- a/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch +++ b/backport-malloc-fail-Handle-memory-errors-in-xmlTextReaderEntPush.patch 
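Review bot: `newSize` is a `size_t` but is stored back with `xmlCharEncodingAliasesMax = newSize;`, and that counter is presumably still `static int` (declared outside the hunk), so the assignment narrows implicitly and would trip -Wconversion; either declare the counter as `size_t` or compute `newSize` as `int` and cast once in the xmlRealloc size expression. The growth path now also covers the first allocation (`0 >= 0`) by relying on static zero-initialisation of `xmlCharEncodingAliasesNb`/`Max` instead of the explicit reset the removed code did; a one-line comment `/* first call: Max is 0, so this allocates the initial 20 slots */` would make that visible. The replace branch correctly allocates `nameCopy` before freeing the old name, so a failed strdup no longer leaves a dangling entry.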
@@ -1,3 +1,14 @@ +From c266a220232d1a9cc9f7fe87116299269822a06a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 22 Jan 2023 18:18:00 +0100 +Subject: [PATCH] malloc-fail: Handle memory errors in xmlTextReaderEntPush + +Unfortunately, there's no way to properly report memory errors. + +Found with libFuzzer, see #344. + +Reference:https://github.com/GNOME/libxml2/commit/c266a220232d1a9cc9f7fe87116299269822a06a +Conflict:NA --- xmlreader.c | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/backport-malloc-fail-Report-malloc-failure-in-xmlFARegExec.patch b/backport-malloc-fail-Report-malloc-failure-in-xmlFARegExec.patch new file mode 100644 index 0000000000000000000000000000000000000000..e9c6c9f15b80bc6cf27ab2f366d442033a97d773 --- /dev/null +++ b/backport-malloc-fail-Report-malloc-failure-in-xmlFARegExec.patch 
@@ -0,0 +1,80 @@ +From 3e7673bc2de35345ccdd91d0821dbe35fc5a7753 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 23 Sep 2023 17:31:55 +0200 +Subject: [PATCH] malloc-fail: Report malloc failure in xmlFARegExec + +Reference:https://github.com/GNOME/libxml2/commit/3e7673bc2de35345ccdd91d0821dbe35fc5a7753 +Conflict:NA + +--- + xmlregexp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 22534a7..34167a5 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -3234,6 +3234,7 @@ xmlFARegExecSave(xmlRegExecCtxtPtr exec) { + if (exec->rollbacks == NULL) { + xmlRegexpErrMemory(NULL, "saving regexp"); + exec->maxRollbacks = 0; ++ exec->status = XML_REGEXP_OUT_OF_MEMORY; + return; + } + memset(exec->rollbacks, 0, +@@ -3248,6 +3249,7 @@ xmlFARegExecSave(xmlRegExecCtxtPtr exec) { + if (tmp == NULL) { + xmlRegexpErrMemory(NULL, "saving regexp"); + exec->maxRollbacks /= 2; ++ exec->status = XML_REGEXP_OUT_OF_MEMORY; + return; + } + exec->rollbacks = tmp; +@@ -3275,6 +3277,8 @@ xmlFARegExecSave(xmlRegExecCtxtPtr exec) { + + static void + xmlFARegExecRollBack(xmlRegExecCtxtPtr exec) { ++ if (exec->status != XML_REGEXP_OK) ++ return; + if (exec->nbRollbacks <= 0) { + exec->status = -1; + #ifdef DEBUG_REGEXP_EXEC +@@ -3334,7 +3338,7 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) { + exec->counts = (int *) xmlMalloc(comp->nbCounters * sizeof(int)); + if (exec->counts == NULL) { + xmlRegexpErrMemory(NULL, "running regexp"); +- return(-1); ++ return(XML_REGEXP_OUT_OF_MEMORY); + } + memset(exec->counts, 0, comp->nbCounters * sizeof(int)); + } else +@@ -3431,6 +3435,8 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) { + /* Save before incrementing */ + if (exec->state->nbTrans > exec->transno + 1) { + xmlFARegExecSave(exec); ++ if (exec->status != XML_REGEXP_OK) ++ goto error; + } + if (trans->counter >= 0) { + #ifdef DEBUG_REGEXP_EXEC +@@ -3464,6 +3470,8 @@ xmlFARegExec(xmlRegexpPtr comp, const 
xmlChar *content) { + exec->transno = -1; /* trick */ + exec->state = to; + xmlFARegExecSave(exec); ++ if (exec->status != XML_REGEXP_OK) ++ goto error; + exec->transno = transno; + exec->state = state; + } +@@ -3523,6 +3531,8 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) { + trans->count, codepoint, exec->index); + #endif + xmlFARegExecSave(exec); ++ if (exec->status != XML_REGEXP_OK) ++ goto error; + } + if (trans->counter >= 0) { + xmlRegCounterPtr counter; +-- +2.33.0 + diff --git a/backport-malloc-fail-Report-malloc-failure-in-xmlRegEpxFromPa.patch b/backport-malloc-fail-Report-malloc-failure-in-xmlRegEpxFromPa.patch new file mode 100644 index 0000000000000000000000000000000000000000..5e596118160879fba1ea210ee0a0611c4c16c232 --- /dev/null +++ b/backport-malloc-fail-Report-malloc-failure-in-xmlRegEpxFromPa.patch @@ -0,0 +1,34 @@ +From b7d56ef7f158813816a31fa05ce0e48b98bead82 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 22 Sep 2023 17:03:56 +0200 +Subject: [PATCH] malloc-fail: Report malloc failure in xmlRegEpxFromParse + +Reference:https://github.com/GNOME/libxml2/commit/b7d56ef7f158813816a31fa05ce0e48b98bead82 +Conflict:Don't change fuzz/*, the related code does not exist. For details, see Submission: +https://github.com/GNOME/libxml2/commit/42322eba820022eaebb9b6e7c083a8aadddea286 + +Also check whether malloc failures are reported when fuzzing. +--- + xmlregexp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index b0111e2..22534a7 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -481,7 +481,11 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) { + ret->determinist = ctxt->determinist; + ret->flags = ctxt->flags; + if (ret->determinist == -1) { +- xmlRegexpIsDeterminist(ret); ++ if (xmlRegexpIsDeterminist(ret) < 0) { ++ xmlRegexpErrMemory(ctxt, "checking determinism"); ++ xmlFree(ret); ++ return(NULL); ++ } + } + + if ((ret->determinist != 0) && +-- +2.33.0 + 
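Review bot: The new `if (exec->status != XML_REGEXP_OK) goto error;` checks and `exec->status = XML_REGEXP_OUT_OF_MEMORY;` use macros this hunk does not define; they come from backport-regexp-Fix-status-codes-and-handle-invalid-UTF-8.patch (dated a day earlier), so the series must apply that patch before this one or xmlregexp.c will not compile — worth confirming in the package's patch order. The `error:` label these gotos target and the early return added to xmlFARegExecRollBack rely on the existing cleanup path of xmlFARegExec, which is outside the hunk.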
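Review bot: On the new failure path `xmlFree(ret);` releases only the xmlRegexp struct although `ret->states`, `ret->atoms` and `ret->counters` were just copied from `ctxt` (lines above the hunk); this is correct only if the parser context still owns those arrays and frees them itself, so a comment such as `/* ctxt still owns states/atoms/counters; they are freed with it */` would prevent a future xmlRegFreeRegexp(ret) here, which would double free. Whether xmlRegexpIsDeterminist returns a negative value solely for memory failure, as the `checking determinism` error message assumes, is not visible here and should be confirmed for this tree.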
diff --git a/backport-parser-Dont-overwrite-error-state-in-xmlParseTextDecl.patch b/backport-parser-Dont-overwrite-error-state-in-xmlParseTextDecl.patch new file mode 100644 index 0000000000000000000000000000000000000000..37b9bf9e57c5d1d9a132f8dee94f23b9151c1acd --- /dev/null +++ b/backport-parser-Dont-overwrite-error-state-in-xmlParseTextDecl.patch @@ -0,0 +1,33 @@ +From 514ab399550a9bfcd4a5eb60e921d06a1d38af9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 11 Oct 2023 13:25:49 +0200 +Subject: [PATCH] parser: Don't overwrite error state in xmlParseTextDecl + +If a memory allocation fails, this could cause a null deref after +recent changes. + +Found by OSS-Fuzz. + +Reference:https://github.com/GNOME/libxml2/commit/514ab399550a9bfcd4a5eb60e921d06a1d38af9e +Conflict:xmlParseTextDecl + +--- + parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parser.c b/parser.c +index 54947aa..29524d2 100644 +--- a/parser.c ++++ b/parser.c +@@ -6987,6 +6987,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_XMLDECL_NOT_FINISHED, NULL); + MOVETO_ENDTAG(CUR_PTR); + NEXT; ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + } + + ctxt->instate = oldstate; +-- +2.33.0 + diff --git a/backport-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML-.patch b/backport-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML-.patch new file mode 100644 index 0000000000000000000000000000000000000000..21320fbfa8248d2d255566aa58f6c756b024df84 --- /dev/null +++ b/backport-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML-.patch 
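Review bot: The new `if (ctxt->instate == XML_PARSER_EOF) return;` exists to keep the `ctxt->instate = oldstate;` two lines below from clobbering the stopped-parser state, but nothing in the code says so; a comment `/* NEXT may have stopped the parser; do not restore oldstate over EOF */` at the check would explain it. Other exits of xmlParseTextDecl that restore `oldstate` lie outside the hunk; check whether they need the same guard.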
@@ -0,0 +1,36 @@ +From 95f2a17440568694a6df6a326c5b411e77597be2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 30 Jan 2024 13:25:17 +0100 +Subject: [PATCH] parser: Fix crash in xmlParseInNodeContext with HTML + documents + +Ignore namespaces if we have an HTML document with namespaces added +manually. + +Fixes #672. + +Reference: https://github.com/GNOME/libxml2/commit/95f2a17440568694a6df6a326c5b411e77597be2 +Conflict: NA +--- + parser.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 1038d71b..f7842ed1 100644 +--- a/parser.c ++++ b/parser.c +@@ -12415,8 +12415,10 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen, + } + xmlAddChild(node, fake); + +- if (node->type == XML_ELEMENT_NODE) { ++ if (node->type == XML_ELEMENT_NODE) + nodePush(ctxt, node); ++ ++ if ((ctxt->html == 0) && (node->type == XML_ELEMENT_NODE)) { + /* + * initialize the SAX2 namespaces stack + */ +-- +2.33.0 + diff --git a/backport-parser-Fix-potential-use-after-free-in-xmlParseCharD.patch b/backport-parser-Fix-potential-use-after-free-in-xmlParseCharD.patch new file mode 100644 index 0000000000000000000000000000000000000000..0295812d718c1fc8befe8e99dc60d4aa383a2497 --- /dev/null +++ b/backport-parser-Fix-potential-use-after-free-in-xmlParseCharD.patch 
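Review bot: The restructured `if (node->type == XML_ELEMENT_NODE) nodePush(ctxt, node);` drops the braces the original block had, while the new `if ((ctxt->html == 0) && ...) {` keeps them; brace the single statement too, `if (node->type == XML_ELEMENT_NODE) { nodePush(ctxt, node); }`, to match the surrounding style and avoid a later dangling-statement mistake. The new condition deserves a why-comment paraphrasing the log, e.g. `/* HTML documents may carry manually added namespaces; the SAX2 ns stack is XML-only */`, since the reason is otherwise only in the commit message. The closing brace of the block being entered is outside the hunk.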
@@ -0,0 +1,33 @@ +From 90bcbcfcc72f0647233c0ae85f8dc0e31098530a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 20 Jul 2023 21:08:01 +0200 +Subject: [PATCH] parser: Fix potential use-after-free in + xmlParseCharDataInternal + +Return immediately if a SAX handler stops the parser. + +Fixes #569. + +Reference:https://github.com/GNOME/libxml2/commit/90bcbcfcc72f0647233c0ae85f8dc0e31098530a +Conflict:xmlParseCharData + +--- + parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parser.c b/parser.c +index 204073e..b4fb58c 100644 +--- a/parser.c ++++ b/parser.c +@@ -4538,6 +4538,8 @@ get_more: + line = ctxt->input->line; + col = ctxt->input->col; + } ++ if (ctxt->instate == XML_PARSER_EOF) ++ return; + } + ctxt->input->cur = in; + if (*in == 0xD) { +-- +2.33.0 + diff --git a/backport-regexp-Fix-status-codes-and-handle-invalid-UTF-8.patch b/backport-regexp-Fix-status-codes-and-handle-invalid-UTF-8.patch new file mode 100644 index 0000000000000000000000000000000000000000..ecb9f9d2d5ea9b5dd0b3b2a5e3a8d60a276d6114 --- /dev/null +++ b/backport-regexp-Fix-status-codes-and-handle-invalid-UTF-8.patch 
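Review bot: The new `if (ctxt->instate == XML_PARSER_EOF) return;` exits before the `ctxt->input->cur = in;` write-back visible just below, which is the point of the fix (the input may already have been released by the SAX handler), but the code gives no hint of that; add `/* a SAX handler may have stopped the parser and freed the input; do not touch ctxt->input */`. The characters callback that can trigger this is above the hunk, as is the `get_more:` label, so the other callback sites in xmlParseCharData should be checked for the same pattern.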
@@ -0,0 +1,37 @@ +From f98fa86318d52f6057f60a02e31066c646fb998b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 22 Sep 2023 15:25:40 +0200 +Subject: [PATCH] regexp: Fix status codes and handle invalid UTF-8 + +Reference:https://github.com/GNOME/libxml2/commit/f98fa86318d52f6057f60a02e31066c646fb998b +Conflict:only add define macros. + +Fixes #561. +--- + xmlregexp.c | 74 ++++++++++++++++++++++++++++++----------------------- + 1 file changed, 42 insertions(+), 32 deletions(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 34167a5..89e2ebf 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -50,6 +50,16 @@ + + #define MAX_PUSH 10000000 + ++/* ++ * -2 and -3 are used by xmlValidateElementType for other things. ++ */ ++#define XML_REGEXP_OK 0 ++#define XML_REGEXP_NOT_FOUND (-1) ++#define XML_REGEXP_INTERNAL_ERROR (-4) ++#define XML_REGEXP_OUT_OF_MEMORY (-5) ++#define XML_REGEXP_INTERNAL_LIMIT (-6) ++#define XML_REGEXP_INVALID_UTF8 (-7) ++ + #ifdef ERROR + #undef ERROR + #endif +-- +2.33.0 + diff --git a/backport-save-Check-for-NULL-node-name-in-xhtmlIsEmpty.patch b/backport-save-Check-for-NULL-node-name-in-xhtmlIsEmpty.patch new file mode 100644 index 0000000000000000000000000000000000000000..235a0b65a1b91c8ce6c08d3b62e46b1d9b4b36de --- /dev/null +++ b/backport-save-Check-for-NULL-node-name-in-xhtmlIsEmpty.patch 
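Review bot: The hunk adds six `XML_REGEXP_*` macros and nothing else, yet the patch header keeps the upstream diffstat `42 insertions(+), 32 deletions(-)` and the `Subject`/`Fixes #561` lines that promise the status-code and invalid-UTF-8 handling; as applied, this patch changes no behaviour and the macros are not referenced in the hunk. Either backport the functional hunks too, or make the header honest so nobody later reads the changelog as "#561 fixed": correct the diffstat to `10 insertions(+)` and replace `Conflict:only add define macros.` with a sentence saying only the definitions were taken and which later patch in the series needs them. If no later patch uses them, the block is dead code.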
@@ -0,0 +1,28 @@ +From fb1e63025bab4e1f33a3fa6a916c66753ae873a0 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 17 Mar 2024 19:24:06 +0100 +Subject: [PATCH] save: Check for NULL node->name in xhtmlIsEmpty + +Reference: https://github.com/GNOME/libxml2/commit/fb1e63025bab4e1f33a3fa6a916c66753ae873a0 +Conflict: NA + +--- + xmlsave.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmlsave.c b/xmlsave.c +index 90e1856..fad0869 100644 +--- a/xmlsave.c ++++ b/xmlsave.c +@@ -1288,7 +1288,7 @@ xhtmlIsEmpty(xmlNodePtr node) { + return(0); + if (node->children != NULL) + return(0); +- switch (node->name[0]) { ++ switch (node->name ? node->name[0] : 0) { + case 'a': + if (xmlStrEqual(node->name, BAD_CAST "area")) + return(1); +-- +2.33.0 + diff --git a/backport-schemas-Fix-memory-leak-of-annotations-in-notations.patch b/backport-schemas-Fix-memory-leak-of-annotations-in-notations.patch new file mode 100644 index 0000000000000000000000000000000000000000..94a5319c3eef16ad0c526f4d19af3fb308114942 --- /dev/null +++ b/backport-schemas-Fix-memory-leak-of-annotations-in-notations.patch @@ -0,0 +1,29 @@ +From 90d5b79958fb576c3ffbd5e07b60d5ff20d36d66 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 14 Sep 2023 15:30:38 +0200 +Subject: [PATCH] schemas: Fix memory leak of annotations in notations + +Reference:https://github.com/GNOME/libxml2/commit/90d5b79958fb576c3ffbd5e07b60d5ff20d36d66 +Conflict:NA + +Found by OSS-Fuzz. +--- + xmlschemas.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 7199d23..f53e7e6 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -3800,6 +3800,8 @@ xmlSchemaFreeNotation(xmlSchemaNotationPtr nota) + { + if (nota == NULL) + return; ++ if (nota->annot != NULL) ++ xmlSchemaFreeAnnot(nota->annot); + xmlFree(nota); + } + +-- +2.33.0 + 
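Review bot: `switch (node->name ? node->name[0] : 0)` makes the NULL-name result depend on there being no `case 0:` label in the switch, which is implicit and easy to break when a case is added; xhtmlIsEmpty already has a run of early guards just above (the function's start is outside the hunk), so the clearer fix is one more of them, `if (node->name == NULL) return(0);`, leaving `switch (node->name[0])` untouched. That also keeps the `xmlStrEqual(node->name, ...)` calls below from ever seeing a NULL name. A short comment on the guard, `/* name can be NULL on nodes built through the API */`, would explain why it is there.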
diff --git a/backport-tree-Check-for-integer-overflow-in-xmlStringGetNodeL.patch b/backport-tree-Check-for-integer-overflow-in-xmlStringGetNodeL.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e287116eb0b2992d2246a0dd635a4fe9ec5ca5b7
--- /dev/null
+++ b/backport-tree-Check-for-integer-overflow-in-xmlStringGetNodeL.patch
@@ -0,0 +1,91 @@ +From a581f65194212f183dcbe77da44657d477a4758d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 21 Feb 2024 12:09:10 +0100 +Subject: [PATCH] tree: Check for integer overflow in xmlStringGetNodeList + +This function is called with unvalidated strings from functions like +xmlNewDocProp, xmlNewDocNode or xmlNodeSetContent, so we have to check +for integer overflow after all. + +Reference:https://github.com/GNOME/libxml2/commit/a581f65194212f183dcbe77da44657d477a4758d +Conflict:remove comment + +--- + tree.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/tree.c b/tree.c +index 8039ca6..496a531 100644 +--- a/tree.c ++++ b/tree.c +@@ -1332,6 +1332,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) { + charval = 0; + break; + } ++ if (charval > 0x110000) ++ charval = 0x110000; + cur++; + if (cur < end) + tmp = *cur; +@@ -1357,6 +1359,8 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) { + charval = 0; + break; + } ++ if (charval > 0x110000) ++ charval = 0x110000; + cur++; + if (cur < end) + tmp = *cur; +@@ -1447,12 +1451,14 @@ xmlStringLenGetNodeList(const xmlDoc *doc, const xmlChar *value, int len) { + xmlChar buffer[10]; + int l; + ++ if (charval >= 0x110000) ++ charval = 0xFFFD; /* replacement character */ ++ + l = xmlCopyCharMultiByte(buffer, charval); + buffer[l] = 0; + + if (xmlBufCat(buf, buffer)) + goto out; +- charval = 0; + } + } else + cur++; +@@ -1541,6 +1547,8 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + charval = 0; + break; + } ++ if (charval > 0x110000) ++ charval = 0x110000; + cur++; + tmp = *cur; + } +@@ -1560,6 +1568,8 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + charval = 0; + break; + } ++ if (charval > 0x110000) ++ charval = 0x110000; + cur++; + tmp = *cur; + } +@@ -1644,12 +1654,14 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) { + xmlChar buffer[10]; + int len; 
+ ++ if (charval >= 0x110000) ++ charval = 0xFFFD; /* replacement character */ ++ + len = xmlCopyCharMultiByte(buffer, charval); + buffer[len] = 0; + + if (xmlBufCat(buf, buffer)) + goto out; +- charval = 0; + } + } else + cur++; +-- +2.33.0 + diff --git a/backport-tree-Don-t-allow-NULL-name-in-xmlSetNsProp.patch b/backport-tree-Don-t-allow-NULL-name-in-xmlSetNsProp.patch new file mode 100644 index 0000000000000000000000000000000000000000..fdd04b02f46fbfe30a6bf3531edb968de5beedb5 --- /dev/null +++ b/backport-tree-Don-t-allow-NULL-name-in-xmlSetNsProp.patch @@ -0,0 +1,28 @@ +From d1cc6f7df2492eac3d689a5632fff74d99a575b9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 5 Mar 2024 04:34:59 +0100 +Subject: [PATCH] tree: Don't allow NULL name in xmlSetNsProp + +Reference: https://github.com/GNOME/libxml2/commit/d1cc6f7df2492eac3d689a5632fff74d99a575b9 +Conflict: adapt xmlSetNsProp + +--- + tree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tree.c b/tree.c +index 496a531..be84324 100644 +--- a/tree.c ++++ b/tree.c +@@ -6963,6 +6963,8 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name, + + if (ns && (ns->href == NULL)) + return(NULL); ++ if (name == NULL) ++ return(NULL); + prop = xmlGetPropNodeInternal(node, name, (ns != NULL) ? ns->href : NULL, 0); + if (prop != NULL) { + /* +-- +2.33.0 + diff --git a/backport-tree-Fix-583-again.patch b/backport-tree-Fix-583-again.patch new file mode 100644 index 0000000000000000000000000000000000000000..d6d3c1ff467e651f9de00567b53f7b38acda9663 --- /dev/null +++ b/backport-tree-Fix-583-again.patch 
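Review bot: The clamp only remaps `charval >= 0x110000` to U+FFFD; a reference decoding to a surrogate (`&#xD800;` to `&#xDFFF;`) still reaches `xmlCopyCharMultiByte` unchanged, so unless that helper rejects surrogates itself (it is outside the hunk — confirm), the tree can end up holding an encoded surrogate. If it does not, widen the check: `if ((charval >= 0x110000) || ((charval >= 0xD800) && (charval <= 0xDFFF))) charval = 0xFFFD;`. The sentinel 0x110000 now appears six times across the two functions; a single named constant with a comment (`/* one past the last Unicode code point */`) would make the intent clear. Both enclosing functions start and end outside the hunk.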
@@ -0,0 +1,53 @@ +From 8707838e69f9c6e729c1d1d46bb3681d9e622be5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Nov 2023 13:27:25 +0100 +Subject: [PATCH] tree: Fix #583 again + +Only set doc->intSubset after successful copy to avoid dangling pointers +in error case. + +Reference: https://github.com/GNOME/libxml2/commit/8707838e69f9c6e729c1d1d46bb3681d9e622be5 +Conflict: NA +--- + tree.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tree.c b/tree.c +index 5a9c24d1..35dabb97 100644 +--- a/tree.c ++++ b/tree.c +@@ -4301,6 +4301,7 @@ xmlNodePtr + xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + xmlNodePtr ret = NULL; + xmlNodePtr p = NULL,q; ++ xmlDtdPtr newSubset = NULL; + + while (node != NULL) { + #ifdef LIBXML_TREE_ENABLED +@@ -4309,12 +4310,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + node = node->next; + continue; + } +- if (doc->intSubset == NULL) { ++ if ((doc->intSubset == NULL) && (newSubset == NULL)) { + q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); + if (q == NULL) goto error; + q->doc = doc; + q->parent = parent; +- doc->intSubset = (xmlDtdPtr) q; ++ newSubset = (xmlDtdPtr) q; + xmlAddChild(parent, q); + } else { + q = (xmlNodePtr) doc->intSubset; +@@ -4335,6 +4336,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + } + node = node->next; + } ++ if ((doc != NULL) && (newSubset != NULL)) ++ doc->intSubset = newSubset; + return(ret); + error: + xmlFreeNodeList(ret); +-- +2.33.0 + diff --git a/backport-tree-Fix-regression-when-copying-DTDs.patch b/backport-tree-Fix-regression-when-copying-DTDs.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7880aa6b05c6ecfe4bb6b75aa6ec2d2ffe47083 --- /dev/null +++ b/backport-tree-Fix-regression-when-copying-DTDs.patch 
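Review bot: With the condition now `(doc->intSubset == NULL) && (newSubset == NULL)`, a second XML_DTD_NODE in the same sibling list takes the `else` branch while `doc->intSubset` is still NULL (it is only assigned after the loop), so `q` is NULL and the `if (q == NULL) goto error;` that follows the `#endif` (visible in the preceding backport in this series) frees the whole partial copy — a list that copied before this change now fails. Use the pending copy in that branch: `q = (xmlNodePtr) ((newSubset != NULL) ? newSubset : doc->intSubset);`. The trailing `(doc != NULL)` test is redundant with the `doc == NULL` / `continue` earlier in the loop but harmless; a one-line comment above the final assignment, `/* publish the copied DTD only once the whole list copied, so the error path leaves no dangling intSubset */`, would record why it moved.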
@@ -0,0 +1,76 @@ +From de3f70146dc531a1f2c0976dc1c2bff84529f161 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Nov 2023 13:01:38 +0100 +Subject: [PATCH] tree: Fix regression when copying DTDs + +This reverts commit d39f78069dff496ec865c73aa44d7110e429bce9. + +Fixes #634. + +Reference: https://github.com/GNOME/libxml2/commit/de3f70146dc531a1f2c0976dc1c2bff84529f161 +Conflict: NA + +--- + tree.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/tree.c b/tree.c +index a6264e8b..5a9c24d1 100644 +--- a/tree.c ++++ b/tree.c +@@ -4301,28 +4301,29 @@ xmlNodePtr + xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + xmlNodePtr ret = NULL; + xmlNodePtr p = NULL,q; +- xmlDtdPtr newSubset = NULL; + + while (node != NULL) { +- if (node->type == XML_DTD_NODE ) { + #ifdef LIBXML_TREE_ENABLED +- if ((doc == NULL) || (doc->intSubset != NULL)) { ++ if (node->type == XML_DTD_NODE ) { ++ if (doc == NULL) { + node = node->next; + continue; + } +- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); +- if (q == NULL) goto error; +- q->doc = doc; +- q->parent = parent; +- newSubset = (xmlDtdPtr) q; +-#else +- node = node->next; +- continue; ++ if (doc->intSubset == NULL) { ++ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); ++ if (q == NULL) goto error; ++ q->doc = doc; ++ q->parent = parent; ++ doc->intSubset = (xmlDtdPtr) q; ++ xmlAddChild(parent, q); ++ } else { ++ q = (xmlNodePtr) doc->intSubset; ++ xmlAddChild(parent, q); ++ } ++ } else + #endif /* LIBXML_TREE_ENABLED */ +- } else { + q = xmlStaticCopyNode(node, doc, parent, 1); +- if (q == NULL) goto error; +- } ++ if (q == NULL) goto error; + if (ret == NULL) { + q->prev = NULL; + ret = p = q; +@@ -4334,8 +4335,6 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + } + node = node->next; + } +- if (newSubset != NULL) +- doc->intSubset = newSubset; + return(ret); + error: + xmlFreeNodeList(ret); +-- +2.33.0 + 
diff --git a/backport-valid-Check-for-NULL-node-name-in-xmlSnprintfElement.patch b/backport-valid-Check-for-NULL-node-name-in-xmlSnprintfElement.patch new file mode 100644 index 0000000000000000000000000000000000000000..1abaace1c6c9f478bc0056d556c5e08cb8b661bb --- /dev/null +++ b/backport-valid-Check-for-NULL-node-name-in-xmlSnprintfElement.patch @@ -0,0 +1,31 @@ +From 577e2516d0ed3669c7e9879ba9f04214658bfd1b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 19 Mar 2024 17:06:07 +0100 +Subject: [PATCH] valid: Check for NULL node->name in xmlSnprintfElements + +Unfortunately, we can have NULL element names if xmlSetTreeDoc fails. + +Reference: https://github.com/GNOME/libxml2/commit/577e2516d0ed3669c7e9879ba9f04214658bfd1b +Conflict: NA + +--- + valid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/valid.c b/valid.c +index bfb8a77..975b706 100644 +--- a/valid.c ++++ b/valid.c +@@ -5283,7 +5283,8 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) { + strcat(buf, " ..."); + return; + } +- strcat(buf, (char *) cur->name); ++ if (cur->name != NULL) ++ strcat(buf, (char *) cur->name); + if (cur->next != NULL) + strcat(buf, " "); + break; +-- +2.33.0 + diff --git a/backport-valid-Check-for-NULL-text-content-in-xmlValidateOneE.patch b/backport-valid-Check-for-NULL-text-content-in-xmlValidateOneE.patch new file mode 100644 index 0000000000000000000000000000000000000000..567f779bb43daef2ddb8e16e9bcf898e4de57793 --- /dev/null +++ b/backport-valid-Check-for-NULL-text-content-in-xmlValidateOneE.patch 
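Review bot: The NULL guard protects only the `strcat`, but the remaining-space check just above it in xmlSnprintfElements (outside the hunk; the function starts before it) also consumes `cur->name`, so the fix holds only if that check uses the NULL-tolerant `xmlStrlen` rather than `strlen` — confirm in this tree. Since a NULL name now contributes nothing to the message, record where such nodes come from so nobody "simplifies" the guard away: `/* name is NULL when xmlSetTreeDoc failed on this node */`.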
@@ -0,0 +1,32 @@ +From 3061b56a1ee395618f84fc1c2bb0cba7c5b068fe Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 15 Mar 2024 02:23:08 +0100 +Subject: [PATCH] valid: Check for NULL text content in xmlValidateOneElement + +Shouldn't occur in parsed documents but you can create text nodes with +NULL content through the API. + +Reference: https://github.com/GNOME/libxml2/commit/3061b56a1ee395618f84fc1c2bb0cba7c5b068fe +Conflict: NA + +--- + valid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/valid.c b/valid.c +index 3c342c3..bfb8a77 100644 +--- a/valid.c ++++ b/valid.c +@@ -6244,7 +6244,8 @@ child_ok: + */ + child = elem->children; + while (child != NULL) { +- if (child->type == XML_TEXT_NODE) { ++ if ((child->type == XML_TEXT_NODE) && ++ (child->content != NULL)) { + const xmlChar *content = child->content; + + while (IS_BLANK_CH(*content)) +-- +2.33.0 + diff --git a/backport-valid-Fix-c1-parent-pointer-in-xmlCopyDocElementCont.patch b/backport-valid-Fix-c1-parent-pointer-in-xmlCopyDocElementCont.patch new file mode 100644 index 0000000000000000000000000000000000000000..df095c7b209d37a46463d64594b8d3cb9039f70f --- /dev/null +++ b/backport-valid-Fix-c1-parent-pointer-in-xmlCopyDocElementCont.patch 
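Review bot: Adding `(child->content != NULL)` to the condition makes a text node with NULL content fall through to whatever the `else` side of this `if` does for non-text children (outside the hunk), rather than being treated as empty text; if that branch reports non-text content as a validity error, a NULL-content text node now fails validation instead of being skipped as blank. Confirm the intended outcome and say it in a comment on the condition, e.g. `/* NULL content (possible through the tree API) is treated like an empty text node */`, or make it explicit with `if (child->type == XML_TEXT_NODE) { if (child->content == NULL) { child = child->next; continue; } ...`. The enclosing loop body continues past the hunk.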
@@ -0,0 +1,30 @@ +From 58de9d31da4d0e8cb6bcf7f5e99714f9df2c4411 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 3 Aug 2023 12:00:55 +0200 +Subject: [PATCH] valid: Fix c1->parent pointer in xmlCopyDocElementContent + +Fixes #572. + +Reference:https://github.com/GNOME/libxml2/commit/58de9d31da4d0e8cb6bcf7f5e99714f9df2c4411 +Conflict:NA + +--- + valid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/valid.c b/valid.c +index 479fa628..67e1b1de 100644 +--- a/valid.c ++++ b/valid.c +@@ -1052,7 +1052,7 @@ xmlCopyDocElementContent(xmlDocPtr doc, xmlElementContentPtr cur) { + if (cur->c1 != NULL) + tmp->c1 = xmlCopyDocElementContent(doc,cur->c1); + if (tmp->c1 != NULL) +- tmp->c1->parent = ret; ++ tmp->c1->parent = tmp; + prev = tmp; + cur = cur->c2; + } +-- +2.33.0 + diff --git a/backport-xzlib-Fix-harmless-unsigned-integer-overflow.patch b/backport-xzlib-Fix-harmless-unsigned-integer-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..5621dd9a86d9abcff69bb9f5bc42f8cd3fcf422b --- /dev/null +++ b/backport-xzlib-Fix-harmless-unsigned-integer-overflow.patch @@ -0,0 +1,33 @@ +From e62b0dbde57d58a2a475ff4f851618054ae0a63c Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 19 Dec 2023 19:47:07 +0100 +Subject: [PATCH] xzlib: Fix harmless unsigned integer overflow + +Reference: https://github.com/GNOME/libxml2/commit/e62b0dbde57d58a2a475ff4f851618054ae0a63c +Conflict: NA + +--- + xzlib.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/xzlib.c b/xzlib.c +index 1b50d757..724be7cc 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -321,8 +321,12 @@ is_format_lzma(xz_statep state) + * If someone complains, this will be reconsidered. + */ + if (dict_size != UINT32_MAX) { +- uint32_t d = dict_size - 1; ++ uint32_t d; + ++ if (dict_size == 0) ++ return 0; ++ ++ d = dict_size - 1; + d |= d >> 2; + d |= d >> 3; + d |= d >> 4; +-- +2.33.0 + 
diff --git a/libxml2.spec b/libxml2.spec
index 269c92db7807d63f7e08c4c2ac34ad31b293c8ae..e321a21d593add5f85414235fa3a37c03d37606b 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 10
+Release: 11
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@@ -186,10 +186,42 @@ Patch6165: backport-xmlValidatePopElement-can-return-invalid-value-1.patch Patch6166: backport-Fix-use-after-free-in-xmlParseContentInternal.patch Patch6167: backport-malloc-fail-Fix-null-deref-after-xmlXIncludeNewRef.patch -Patch6168: backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch -Patch6169: backport-SAX-Always-initialize-SAX1-element-handlers.patch -Patch6170: backport-CVE-2023-45322.patch -Patch6171: backport-CVE-2024-25062.patch +Patch6168: backport-malloc-fail-Handle-malloc-failures-in-xmlAddEncoding.patch +Patch6169: backport-malloc-fail-Fix-null-deref-with-xmllint-copy.patch +Patch6170: backport-xpath-Ignore-entity-ref-nodes-when-computing-node-ha.patch +Patch6171: backport-SAX-Always-initialize-SAX1-element-handlers.patch + +Patch6172: backport-parser-Fix-potential-use-after-free-in-xmlParseCharD.patch +Patch6173: backport-malloc-fail-Fix-memory-leak-in-xmlCompileAttributeTe.patch +Patch6174: backport-SAX2-Ignore-namespaces-in-HTML-documents.patch +Patch6175: backport-valid-Fix-c1-parent-pointer-in-xmlCopyDocElementCont.patch +Patch6176: backport-malloc-fail-Fix-unsigned-integer-overflow-in-xmlText.patch +Patch6177: backport-CVE-2023-45322.patch +Patch6178: backport-dict-Fix-integer-overflow-of-string-lengths.patch +Patch6179: backport-schemas-Fix-memory-leak-of-annotations-in-notations.patch +Patch6180: backport-malloc-fail-Report-malloc-failure-in-xmlRegEpxFromPa.patch +Patch6181: backport-malloc-fail-Report-malloc-failure-in-xmlFARegExec.patch +Patch6182: backport-regexp-Fix-status-codes-and-handle-invalid-UTF-8.patch +Patch6183: backport-buf-Also-reset-input-in-error-case.patch +Patch6184: backport-hash-Fix-integer-overflow-of-nbElems.patch +Patch6185: backport-dict-Fix-integer-overflow-in-xmlDictAddString.patch +Patch6186: backport-parser-Dont-overwrite-error-state-in-xmlParseTextDecl.patch +Patch6187: backport-CVE-2024-25062.patch + +Patch6188: backport-tree-Fix-regression-when-copying-DTDs.patch +Patch6189: 
backport-tree-Fix-583-again.patch +Patch6190: backport-html-Don-t-close-fd-in-htmlCtxtReadFd.patch +Patch6191: backport-xzlib-Fix-harmless-unsigned-integer-overflow.patch +Patch6192: backport-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML-.patch +Patch6193: backport-malloc-fail-Fix-null-deref-in-xmlXPathTranslateFunct.patch +Patch6194: backport-tree-Check-for-integer-overflow-in-xmlStringGetNodeL.patch + +Patch6195: backport-tree-Don-t-allow-NULL-name-in-xmlSetNsProp.patch +Patch6196: backport-valid-Check-for-NULL-text-content-in-xmlValidateOneE.patch +Patch6197: backport-malloc-fail-Fix-use-after-free-in-xmlBufBackToBuffer.patch +Patch6198: backport-entities-Don-t-allow-null-name-in-xmlNewEntity.patch +Patch6199: backport-save-Check-for-NULL-node-name-in-xhtmlIsEmpty.patch +Patch6200: backport-valid-Check-for-NULL-node-name-in-xmlSnprintfElement.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel @@ -345,6 +377,12 @@ rm -fr %{buildroot} %changelog +* Mon May 06 2024 zhuofeng - 2.9.14-11 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport upstream patches + * Sun Feb 18 2024 BruceGW - 2.9.14-10 - Type:CVE - SUG:NA
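Review bot: Patch6168 to Patch6171 and the two CVE patches are renumbered (to 6170/6171, 6177 and 6187), which is safe only if %prep applies patches via `%autosetup`/`%autopatch`; the %prep section is outside this hunk, so if it lists explicit `%patchNNNN` lines they must be updated in the same change. The order inside the new block is also load-bearing: the `index` lines in the patch files show backport-tree-Fix-583-again.patch applying on the blob produced by backport-tree-Fix-regression-when-copying-DTDs.patch (5a9c24d1) and backport-tree-Don-t-allow-NULL-name-in-xmlSetNsProp.patch on that of backport-tree-Check-for-integer-overflow-in-xmlStringGetNodeL.patch (496a531). A comment above the block, `# order matters: Patch6189 depends on Patch6188, Patch6195 on Patch6194`, would keep a later reshuffle from breaking the build.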