From 3f5c5a95519094f0d72f3ad44b9e1e88f9177d4a Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Sat, 29 May 2021 10:14:55 +0800
Subject: [PATCH] fix CVE-2021-3517 and CVE-2021-3518
---
CVE-2021-3517.patch | 51 +++++++++++++++++++++++++++++++++++++++++++++
CVE-2021-3518.patch | 40 +++++++++++++++++++++++++++++++++++
libxml2.spec | 10 ++++++++-
3 files changed, 100 insertions(+), 1 deletion(-)
create mode 100644 CVE-2021-3517.patch
create mode 100644 CVE-2021-3518.patch
diff --git a/CVE-2021-3517.patch b/CVE-2021-3517.patch
new file mode 100644
index 0000000..e790ed9
--- /dev/null
+++ b/CVE-2021-3517.patch
@@ -0,0 +1,51 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+
+Signed-off-by: guoxiaoqi
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a5..1a8f86f 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+1.8.3.1
+
diff --git a/CVE-2021-3518.patch b/CVE-2021-3518.patch
new file mode 100644
index 0000000..54f272c
--- /dev/null
+++ b/CVE-2021-3518.patch
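Review bot: The new guard in CVE-2021-3517.patch (`if (((cur[0] & 0xC0) != 0xC0) || ...`) reads `cur[1]`, `cur[2]` and `cur[3]` before the sequence length is known, so its bounds safety rests on the `||` chain stopping at the first byte that is not a continuation byte — a NUL has `(0x00 & 0xC0) != 0x80` and ends the chain — which presumably requires the input to be NUL-terminated, something the hunk itself does not show; worth confirming against the 2.9.10 copy of xmlEncodeEntitiesInternal, whose body lies outside the hunk. Overlong forms such as a 0xC0 lead byte followed by a continuation byte still pass this check, so the patch restores memory safety without making the function a strict UTF-8 validator; that matches the upstream commit's stated scope and is not something to alter in a backported patch. Apart from the added `Signed-off-by: guoxiaoqi` trailer, keeping the hunk body byte-identical to upstream bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 keeps the backport easy to audit.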
@@ -0,0 +1,40 @@
+From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+
+Signed-off-by: guoxiaoqi
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index 1636caf..b2e6ea1 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2430,9 +2430,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree,
+ ctxt->incTotal++;
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+1.8.3.1
+
diff --git a/libxml2.spec b/libxml2.spec
index acb8371..10209a7 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.10
-Release: 11
+Release: 12
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -70,6 +70,8 @@ Patch59: backport-Fix-infinite-loop-in-HTML-parser-introduced-with-rec.patch
Patch60: backport-Fix-integer-overflow-in-xmlSchemaGetParticleTotalRan.patch
Patch61: backport-CVE-2021-3537.patch
+Patch62: CVE-2021-3517.patch
+Patch63: CVE-2021-3518.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python2-devel
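Review bot: The `ID:` line of the new changelog entry in the following hunk of libxml2.spec reads `+- ID:CVE-2021-3537, CVE-2021-3517`, which matches neither the two patches this commit registers here as Patch62/Patch63 nor the entry's own `DESC:` line; it should be `- ID:CVE-2021-3517, CVE-2021-3518`, since CVE-2021-3537 is already recorded under 2.9.10-11 and a wrong identifier here misleads anyone tracking which advisories this release closes. That changelog hunk's final context line is cut off in this view, so the point is noted at the Patch62/Patch63 hunk instead. Whether the two new Patch lines are actually applied depends on the %prep section, which is not in the diff: if the spec applies patches with explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, matching `%patch62`/`%patch63` entries are needed.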
@@ -261,6 +263,12 @@ rm -fr %{buildroot}
%changelog
+* Fri May 28 2021 guoxiaoqi - 2.9.10-12
+- Type:CVE
+- ID:CVE-2021-3537, CVE-2021-3517
+- SUG:NA
+- DESC:fix CVE-2021-3517 and CVE-2021-3518
+
* Thu May 27 2021 yangkang - 2.9.10-11
- Type:CVE
- ID:CVE-2021-3537
-- Gitee