From 0d767bf257a7b8a7a43220fc39960e0c43fae93c Mon Sep 17 00:00:00 2001
From: yangkang <1515737100@qq.com>
Date: Thu, 27 May 2021 14:58:27 +0800
Subject: [PATCH] fix CVE-2021-3537

---
 backport-CVE-2021-3537.patch | 48 ++++++++++++++++++++++++++++++++++++
 libxml2.spec                 | 10 +++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3537.patch

diff --git a/backport-CVE-2021-3537.patch b/backport-CVE-2021-3537.patch
new file mode 100644
index 0000000..1da4354
--- /dev/null
+++ b/backport-CVE-2021-3537.patch
@@ -0,0 +1,48 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+
+Reference:https://github.com/GNOME/libxml2/commit/babe75030c7f64a37826bb3342317134568bef61
+Conflict:NA
+
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e604..73c27ed 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ 	SKIP_BLANKS;
+         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                            depth + 1);
++        if (cur == NULL)
++            return(NULL);
+ 	SKIP_BLANKS;
+ 	GROW;
+     } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ 	    SKIP_BLANKS;
+ 	    last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                           depth + 1);
++            if (last == NULL) {
++		if (ret != NULL)
++		    xmlFreeDocElementContent(ctxt->myDoc, ret);
++		return(NULL);
++            }
+ 	    SKIP_BLANKS;
+ 	} else {
+ 	    elem = xmlParseName(ctxt);
+-- 
+1.8.3.1
+
diff --git a/libxml2.spec b/libxml2.spec
index 002b425..acb8371 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 10
+Release: 11
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -69,6 +69,8 @@ Patch58: backport-Fix-quadratic-runtime-in-HTML-push-parser-with-null-.patch
 Patch59: backport-Fix-infinite-loop-in-HTML-parser-introduced-with-rec.patch
 Patch60: backport-Fix-integer-overflow-in-xmlSchemaGetParticleTotalRan.patch
 
+Patch61: backport-CVE-2021-3537.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
 BuildRequires: python3-devel
@@ -259,6 +261,12 @@ rm -fr %{buildroot}
 
 
 %changelog
+* Thu May 27 2021 yangkang <yangkang90@huawei.com> - 2.9.10-11
+- Type:CVE
+- ID:CVE-2021-3537
+- SUG:NA
+- DESC:fix CVE-2021-3537
+
 * Tue Mar 2 2020 Lirui <lirui130@huawei.com> - 2.9.10-10
 - fix problems detected by oss-fuzz test
 
-- 
Gitee