backport upstream patches

Signed-off-by: Wentao Fan <fanwentao@huawei.com>

Don-t-add-IDs-containing-unexpanded-entity-reference.patch

@@ -0,0 +1,104 @@
+From e03590c9adfed2856866b5b1edaaf339b4523913 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Feb 2022 02:42:30 +0100
+Subject: [PATCH 3/3] Don't add IDs containing unexpanded entity references
+
+When parsing without entity substitution, IDs or IDREFs containing
+unexpanded entity reference like "abc&x;def" could be created. We could
+try to expand these entities like in validation mode, but it seems
+safer to honor the request not to expand entities. We silently ignore
+such IDs for now.
+---
+ SAX2.c | 41 ++++++++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index edfb06f3..ae6181c4 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -1368,7 +1368,12 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
+ #endif /* LIBXML_VALID_ENABLED */
+            if (((ctxt->loadsubset & XML_SKIP_IDS) == 0) &&
+ 	       (((ctxt->replaceEntities == 0) && (ctxt->external != 2)) ||
+-	        ((ctxt->replaceEntities != 0) && (ctxt->inSubset == 0)))) {
++	        ((ctxt->replaceEntities != 0) && (ctxt->inSubset == 0))) &&
++               /* Don't create IDs containing entity references */
++               (ret->children != NULL) &&
++               (ret->children->type == XML_TEXT_NODE) &&
++               (ret->children->next == NULL)) {
++        xmlChar *content = ret->children->content;
+         /*
+ 	 * when validating, the ID registration is done at the attribute
+ 	 * validation level. Otherwise we have to do specific handling here.
+@@ -1379,16 +1384,16 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
+ 	     *
+ 	     * Open issue: normalization of the value.
+ 	     */
+-	    if (xmlValidateNCName(value, 1) != 0) {
++	    if (xmlValidateNCName(content, 1) != 0) {
+ 	        xmlErrValid(ctxt, XML_DTD_XMLID_VALUE,
+ 		      "xml:id : attribute value %s is not an NCName\n",
+-			    (const char *) value, NULL);
++			    (const char *) content, NULL);
+ 	    }
+-	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, value, ret);
++	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, content, ret);
+ 	} else if (xmlIsID(ctxt->myDoc, ctxt->node, ret))
+-	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, value, ret);
++	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, content, ret);
+ 	else if (xmlIsRef(ctxt->myDoc, ctxt->node, ret))
+-	    xmlAddRef(&ctxt->vctxt, ctxt->myDoc, value, ret);
++	    xmlAddRef(&ctxt->vctxt, ctxt->myDoc, content, ret);
+     }
+ 
+ error:
+@@ -2121,7 +2126,12 @@ xmlSAX2AttributeNs(xmlParserCtxtPtr ctxt,
+ #endif /* LIBXML_VALID_ENABLED */
+            if (((ctxt->loadsubset & XML_SKIP_IDS) == 0) &&
+ 	       (((ctxt->replaceEntities == 0) && (ctxt->external != 2)) ||
+-	        ((ctxt->replaceEntities != 0) && (ctxt->inSubset == 0)))) {
++	        ((ctxt->replaceEntities != 0) && (ctxt->inSubset == 0))) &&
++               /* Don't create IDs containing entity references */
++               (ret->children != NULL) &&
++               (ret->children->type == XML_TEXT_NODE) &&
++               (ret->children->next == NULL)) {
++        xmlChar *content = ret->children->content;
+         /*
+ 	 * when validating, the ID registration is done at the attribute
+ 	 * validation level. Otherwise we have to do specific handling here.
+@@ -2134,27 +2144,20 @@ xmlSAX2AttributeNs(xmlParserCtxtPtr ctxt,
+ 	     *
+ 	     * Open issue: normalization of the value.
+ 	     */
+-	    if (dup == NULL)
+-	        dup = xmlStrndup(value, valueend - value);
+ #if defined(LIBXML_SAX1_ENABLED) || defined(LIBXML_HTML_ENABLED) || defined(LIBXML_WRITER_ENABLED) || defined(LIBXML_DOCB_ENABLED) || defined(LIBXML_LEGACY_ENABLED)
+ #ifdef LIBXML_VALID_ENABLED
+-	    if (xmlValidateNCName(dup, 1) != 0) {
++	    if (xmlValidateNCName(content, 1) != 0) {
+ 	        xmlErrValid(ctxt, XML_DTD_XMLID_VALUE,
+ 		      "xml:id : attribute value %s is not an NCName\n",
+-			    (const char *) dup, NULL);
++			    (const char *) content, NULL);
+ 	    }
+ #endif
+ #endif
+-	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, dup, ret);
++	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, content, ret);
+ 	} else if (xmlIsID(ctxt->myDoc, ctxt->node, ret)) {
+-	    /* might be worth duplicate entry points and not copy */
+-	    if (dup == NULL)
+-	        dup = xmlStrndup(value, valueend - value);
+-	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, dup, ret);
++	    xmlAddID(&ctxt->vctxt, ctxt->myDoc, content, ret);
+ 	} else if (xmlIsRef(ctxt->myDoc, ctxt->node, ret)) {
+-	    if (dup == NULL)
+-	        dup = xmlStrndup(value, valueend - value);
+-	    xmlAddRef(&ctxt->vctxt, ctxt->myDoc, dup, ret);
++	    xmlAddRef(&ctxt->vctxt, ctxt->myDoc, content, ret);
+ 	}
+     }
+     if (dup != NULL)
+-- 
+2.27.0
+

Remove-unneeded-code-in-xmlreader.c.patch

@@ -0,0 +1,186 @@
+From 274a1b5bec980ababa23e267a8fdcd8b71a5b2b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 20 Feb 2022 16:05:53 +0100
+Subject: [PATCH 2/3] Remove unneeded code in xmlreader.c
+
+Now that no references to ID and IDREF attributes are stored in
+streaming validation mode, there's no need to try and remove them.
+
+Also remove xmlTextReaderFreeIDTable which was identical to
+xmlFreeIDTable.
+---
+ xmlreader.c | 137 +---------------------------------------------------
+ 1 file changed, 1 insertion(+), 136 deletions(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 72e40b03..b20c70ad 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -228,116 +228,6 @@ static int xmlTextReaderNextTree(xmlTextReaderPtr reader);
+ static void xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur);
+ static void xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur);
+ 
+-/**
+- * xmlFreeID:
+- * @not:  A id
+- *
+- * Deallocate the memory used by an id definition
+- */
+-static void
+-xmlFreeID(xmlIDPtr id) {
+-    xmlDictPtr dict = NULL;
+-
+-    if (id == NULL) return;
+-
+-    if (id->doc != NULL)
+-        dict = id->doc->dict;
+-
+-    if (id->value != NULL)
+-	DICT_FREE(id->value)
+-    if (id->name != NULL)
+-	DICT_FREE(id->name)
+-    xmlFree(id);
+-}
+-
+-/**
+- * xmlTextReaderRemoveID:
+- * @doc:  the document
+- * @attr:  the attribute
+- *
+- * Remove the given attribute from the ID table maintained internally.
+- *
+- * Returns -1 if the lookup failed and 0 otherwise
+- */
+-static int
+-xmlTextReaderRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+-    xmlIDTablePtr table;
+-    xmlIDPtr id;
+-    xmlChar *ID;
+-
+-    if (doc == NULL) return(-1);
+-    if (attr == NULL) return(-1);
+-    table = (xmlIDTablePtr) doc->ids;
+-    if (table == NULL)
+-        return(-1);
+-
+-    ID = xmlNodeListGetString(doc, attr->children, 1);
+-    if (ID == NULL)
+-	return(-1);
+-    id = xmlHashLookup(table, ID);
+-    xmlFree(ID);
+-    if (id == NULL || id->attr != attr) {
+-	return(-1);
+-    }
+-    id->name = attr->name;
+-    attr->name = NULL;
+-    id->attr = NULL;
+-    return(0);
+-}
+-
+-/**
+- * xmlTextReaderWalkRemoveRef:
+- * @data:  Contents of current link
+- * @user:  Value supplied by the user
+- *
+- * Returns 0 to abort the walk or 1 to continue
+- */
+-static int
+-xmlTextReaderWalkRemoveRef(const void *data, void *user)
+-{
+-    xmlRefPtr ref = (xmlRefPtr)data;
+-    xmlAttrPtr attr = (xmlAttrPtr)user;
+-
+-    if (ref->attr == attr) { /* Matched: remove and terminate walk */
+-        ref->name = xmlStrdup(attr->name);
+-        ref->attr = NULL;
+-        return 0;
+-    }
+-    return 1;
+-}
+-
+-/**
+- * xmlTextReaderRemoveRef:
+- * @doc:  the document
+- * @attr:  the attribute
+- *
+- * Remove the given attribute from the Ref table maintained internally.
+- *
+- * Returns -1 if the lookup failed and 0 otherwise
+- */
+-static int
+-xmlTextReaderRemoveRef(xmlDocPtr doc, xmlAttrPtr attr) {
+-    xmlListPtr ref_list;
+-    xmlRefTablePtr table;
+-    xmlChar *ID;
+-
+-    if (doc == NULL) return(-1);
+-    if (attr == NULL) return(-1);
+-    table = (xmlRefTablePtr) doc->refs;
+-    if (table == NULL)
+-        return(-1);
+-
+-    ID = xmlNodeListGetString(doc, attr->children, 1);
+-    if (ID == NULL)
+-        return(-1);
+-    ref_list = xmlHashLookup(table, ID);
+-    xmlFree(ID);
+-    if(ref_list == NULL)
+-        return (-1);
+-    xmlListWalk(ref_list, xmlTextReaderWalkRemoveRef, attr);
+-    return(0);
+-}
+-
+ /**
+  * xmlTextReaderFreeProp:
+  * @reader:  the xmlTextReaderPtr used
+@@ -358,15 +248,6 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
+     if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue))
+ 	xmlDeregisterNodeDefaultValue((xmlNodePtr) cur);
+ 
+-    /* Check for ID removal -> leading to invalid references ! */
+-    if ((cur->parent != NULL) && (cur->parent->doc != NULL)) {
+-        if (xmlIsID(cur->parent->doc, cur->parent, cur))
+-	    xmlTextReaderRemoveID(cur->parent->doc, cur);
+-	if (((cur->parent->doc->intSubset != NULL) ||
+-	     (cur->parent->doc->extSubset != NULL)) &&
+-            (xmlIsRef(cur->parent->doc, cur->parent, cur)))
+-            xmlTextReaderRemoveRef(cur->parent->doc, cur);
+-    }
+     if (cur->children != NULL)
+         xmlTextReaderFreeNodeList(reader, cur->children);
+ 
+@@ -570,22 +451,6 @@ xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur) {
+     }
+ }
+ 
+-static void
+-xmlTextReaderFreeIDTableEntry(void *id, const xmlChar *name ATTRIBUTE_UNUSED) {
+-    xmlFreeID((xmlIDPtr) id);
+-}
+-
+-/**
+- * xmlTextReaderFreeIDTable:
+- * @table:  An id table
+- *
+- * Deallocate the memory used by an ID hash table.
+- */
+-static void
+-xmlTextReaderFreeIDTable(xmlIDTablePtr table) {
+-    xmlHashFree(table, xmlTextReaderFreeIDTableEntry);
+-}
+-
+ /**
+  * xmlTextReaderFreeDoc:
+  * @reader:  the xmlTextReaderPtr used
+@@ -605,7 +470,7 @@ xmlTextReaderFreeDoc(xmlTextReaderPtr reader, xmlDocPtr cur) {
+     /*
+      * Do this before freeing the children list to avoid ID lookups
+      */
+-    if (cur->ids != NULL) xmlTextReaderFreeIDTable((xmlIDTablePtr) cur->ids);
++    if (cur->ids != NULL) xmlFreeIDTable((xmlIDTablePtr) cur->ids);
+     cur->ids = NULL;
+     if (cur->refs != NULL) xmlFreeRefTable((xmlRefTablePtr) cur->refs);
+     cur->refs = NULL;
+-- 
+2.27.0
+

Rework-validation-context-flags.patch

@@ -0,0 +1,246 @@
+From d7cb33cf44aa688f24215c9cd398c1a26f0d25ff Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 13 Jan 2022 17:06:14 +0100
+Subject: [PATCH 1/3] Rework validation context flags
+
+Use a bitmask instead of magic values to
+
+- keep track whether the validation context is part of a parser context
+- keep track whether xmlValidateDtdFinal was called
+
+This allows to add addtional flags later.
+
+Note that this deliberately changes the name of a public struct member,
+assuming that this was always private data never to be used by client
+code.
+---
+ HTMLparser.c           |  2 +-
+ SAX2.c                 | 10 ++++++----
+ include/libxml/valid.h | 14 +++++++-------
+ parserInternals.c      |  2 +-
+ valid.c                | 43 +++++++++++++++---------------------------
+ 5 files changed, 30 insertions(+), 41 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 3e8a1657..eb3a820a 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5118,7 +5118,7 @@ htmlInitParserCtxt(htmlParserCtxtPtr ctxt)
+     ctxt->linenumbers = xmlLineNumbersDefaultValue;
+     ctxt->keepBlanks = xmlKeepBlanksDefaultValue;
+     ctxt->html = 1;
+-    ctxt->vctxt.finishDtd = XML_CTXT_FINISH_DTD_0;
++    ctxt->vctxt.flags = XML_VCTXT_USE_PCTXT;
+     ctxt->vctxt.userData = ctxt;
+     ctxt->vctxt.error = xmlParserValidityError;
+     ctxt->vctxt.warning = xmlParserValidityWarning;
+diff --git a/SAX2.c b/SAX2.c
+index 03192465..edfb06f3 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -1747,7 +1747,8 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts)
+      * If it's the Document root, finish the DTD validation and
+      * check the document root element for validity
+      */
+-    if ((ctxt->validate) && (ctxt->vctxt.finishDtd == XML_CTXT_FINISH_DTD_0)) {
++    if ((ctxt->validate) &&
++        ((ctxt->vctxt.flags & XML_VCTXT_DTD_VALIDATED) == 0)) {
+ 	int chk;
+ 
+ 	chk = xmlValidateDtdFinal(&ctxt->vctxt, ctxt->myDoc);
+@@ -1756,7 +1757,7 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts)
+ 	if (chk < 0)
+ 	    ctxt->wellFormed = 0;
+ 	ctxt->valid &= xmlValidateRoot(&ctxt->vctxt, ctxt->myDoc);
+-	ctxt->vctxt.finishDtd = XML_CTXT_FINISH_DTD_1;
++	ctxt->vctxt.flags |= XML_VCTXT_DTD_VALIDATED;
+     }
+ #endif /* LIBXML_VALID_ENABLED */
+ 
+@@ -2405,7 +2406,8 @@ xmlSAX2StartElementNs(void *ctx,
+      * If it's the Document root, finish the DTD validation and
+      * check the document root element for validity
+      */
+-    if ((ctxt->validate) && (ctxt->vctxt.finishDtd == XML_CTXT_FINISH_DTD_0)) {
++    if ((ctxt->validate) &&
++        ((ctxt->vctxt.flags & XML_VCTXT_DTD_VALIDATED) == 0)) {
+ 	int chk;
+ 
+ 	chk = xmlValidateDtdFinal(&ctxt->vctxt, ctxt->myDoc);
+@@ -2414,7 +2416,7 @@ xmlSAX2StartElementNs(void *ctx,
+ 	if (chk < 0)
+ 	    ctxt->wellFormed = 0;
+ 	ctxt->valid &= xmlValidateRoot(&ctxt->vctxt, ctxt->myDoc);
+-	ctxt->vctxt.finishDtd = XML_CTXT_FINISH_DTD_1;
++	ctxt->vctxt.flags |= XML_VCTXT_DTD_VALIDATED;
+     }
+ #endif /* LIBXML_VALID_ENABLED */
+ }
+diff --git a/include/libxml/valid.h b/include/libxml/valid.h
+index 2bc7b380..15c9772c 100644
+--- a/include/libxml/valid.h
++++ b/include/libxml/valid.h
+@@ -60,17 +60,17 @@ typedef void (XMLCDECL *xmlValidityWarningFunc) (void *ctx,
+ 
+ #ifdef IN_LIBXML
+ /**
+- * XML_CTXT_FINISH_DTD_0:
++ * XML_VCTXT_DTD_VALIDATED:
+  *
+- * Special value for finishDtd field when embedded in an xmlParserCtxt
++ * Set after xmlValidateDtdFinal was called.
+  */
+-#define XML_CTXT_FINISH_DTD_0 0xabcd1234
++#define XML_VCTXT_DTD_VALIDATED (1u << 0)
+ /**
+- * XML_CTXT_FINISH_DTD_1:
++ * XML_VCTXT_USE_PCTXT:
+  *
+- * Special value for finishDtd field when embedded in an xmlParserCtxt
++ * Set if the validation context is part of a parser context.
+  */
+-#define XML_CTXT_FINISH_DTD_1 0xabcd1235
++#define XML_VCTXT_USE_PCTXT (1u << 1)
+ #endif
+ 
+ /*
+@@ -90,7 +90,7 @@ struct _xmlValidCtxt {
+     int                nodeMax;       /* Max depth of the parsing stack */
+     xmlNodePtr        *nodeTab;       /* array of nodes */
+ 
+-    unsigned int     finishDtd;       /* finished validating the Dtd ? */
++    unsigned int         flags;       /* internal flags */
+     xmlDocPtr              doc;       /* the document */
+     int                  valid;       /* temporary validity check result */
+ 
+diff --git a/parserInternals.c b/parserInternals.c
+index c5c0b16d..cf5ad369 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1733,7 +1733,7 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+ 	ctxt->options |= XML_PARSE_NOBLANKS;
+     }
+ 
+-    ctxt->vctxt.finishDtd = XML_CTXT_FINISH_DTD_0;
++    ctxt->vctxt.flags = XML_VCTXT_USE_PCTXT;
+     ctxt->vctxt.userData = ctxt;
+     ctxt->vctxt.error = xmlParserValidityError;
+     ctxt->vctxt.warning = xmlParserValidityWarning;
+diff --git a/valid.c b/valid.c
+index 8e596f1d..5cd1e676 100644
+--- a/valid.c
++++ b/valid.c
+@@ -64,10 +64,9 @@ xmlVErrMemory(xmlValidCtxtPtr ctxt, const char *extra)
+     if (ctxt != NULL) {
+         channel = ctxt->error;
+         data = ctxt->userData;
+-	/* Use the special values to detect if it is part of a parsing
++	/* Look up flag to detect if it is part of a parsing
+ 	   context */
+-	if ((ctxt->finishDtd == XML_CTXT_FINISH_DTD_0) ||
+-	    (ctxt->finishDtd == XML_CTXT_FINISH_DTD_1)) {
++	if (ctxt->flags & XML_VCTXT_USE_PCTXT) {
+ 	    long delta = (char *) ctxt - (char *) ctxt->userData;
+ 	    if ((delta > 0) && (delta < 250))
+ 		pctxt = ctxt->userData;
+@@ -104,10 +103,9 @@ xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error,
+     if (ctxt != NULL) {
+         channel = ctxt->error;
+         data = ctxt->userData;
+-	/* Use the special values to detect if it is part of a parsing
++	/* Look up flag to detect if it is part of a parsing
+ 	   context */
+-	if ((ctxt->finishDtd == XML_CTXT_FINISH_DTD_0) ||
+-	    (ctxt->finishDtd == XML_CTXT_FINISH_DTD_1)) {
++	if (ctxt->flags & XML_VCTXT_USE_PCTXT) {
+ 	    long delta = (char *) ctxt - (char *) ctxt->userData;
+ 	    if ((delta > 0) && (delta < 250))
+ 		pctxt = ctxt->userData;
+@@ -151,10 +149,9 @@ xmlErrValidNode(xmlValidCtxtPtr ctxt,
+     if (ctxt != NULL) {
+         channel = ctxt->error;
+         data = ctxt->userData;
+-	/* Use the special values to detect if it is part of a parsing
++	/* Look up flag to detect if it is part of a parsing
+ 	   context */
+-	if ((ctxt->finishDtd == XML_CTXT_FINISH_DTD_0) ||
+-	    (ctxt->finishDtd == XML_CTXT_FINISH_DTD_1)) {
++	if (ctxt->flags & XML_VCTXT_USE_PCTXT) {
+ 	    long delta = (char *) ctxt - (char *) ctxt->userData;
+ 	    if ((delta > 0) && (delta < 250))
+ 		pctxt = ctxt->userData;
+@@ -194,10 +191,9 @@ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt,
+     if (ctxt != NULL) {
+         channel = ctxt->error;
+         data = ctxt->userData;
+-	/* Use the special values to detect if it is part of a parsing
++	/* Look up flag to detect if it is part of a parsing
+ 	   context */
+-	if ((ctxt->finishDtd == XML_CTXT_FINISH_DTD_0) ||
+-	    (ctxt->finishDtd == XML_CTXT_FINISH_DTD_1)) {
++	if (ctxt->flags & XML_VCTXT_USE_PCTXT) {
+ 	    long delta = (char *) ctxt - (char *) ctxt->userData;
+ 	    if ((delta > 0) && (delta < 250))
+ 		pctxt = ctxt->userData;
+@@ -235,10 +231,9 @@ xmlErrValidWarning(xmlValidCtxtPtr ctxt,
+     if (ctxt != NULL) {
+         channel = ctxt->warning;
+         data = ctxt->userData;
+-	/* Use the special values to detect if it is part of a parsing
++	/* Look up flag to detect if it is part of a parsing
+ 	   context */
+-	if ((ctxt->finishDtd == XML_CTXT_FINISH_DTD_0) ||
+-	    (ctxt->finishDtd == XML_CTXT_FINISH_DTD_1)) {
++	if (ctxt->flags & XML_VCTXT_USE_PCTXT) {
+ 	    long delta = (char *) ctxt - (char *) ctxt->userData;
+ 	    if ((delta > 0) && (delta < 250))
+ 		pctxt = ctxt->userData;
+@@ -1642,9 +1637,7 @@ xmlAddElementDecl(xmlValidCtxtPtr ctxt,
+      * and flag it by setting a special parent value
+      * so the parser doesn't unallocate it.
+      */
+-    if ((ctxt != NULL) &&
+-        ((ctxt->finishDtd == XML_CTXT_FINISH_DTD_0) ||
+-         (ctxt->finishDtd == XML_CTXT_FINISH_DTD_1))) {
++    if ((ctxt != NULL) && (ctxt->flags & XML_VCTXT_USE_PCTXT)) {
+ 	ret->content = content;
+ 	if (content != NULL)
+ 	    content->parent = (xmlElementContentPtr) 1;
+@@ -2642,13 +2635,7 @@ xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+ 
+     if (ctxt == NULL)
+         return(0);
+-    /*
+-     * These magic values are also abused to detect whether we're validating
+-     * while parsing a document. In this case, userData points to the parser
+-     * context.
+-     */
+-    if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
+-        (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
++    if ((ctxt->flags & XML_VCTXT_USE_PCTXT) == 0)
+         return(0);
+     pctxt = ctxt->userData;
+     return(pctxt->parseMode == XML_PARSE_READER);
+@@ -6677,8 +6664,8 @@ xmlValidateDocumentFinal(xmlValidCtxtPtr ctxt, xmlDocPtr doc) {
+     }
+ 
+     /* trick to get correct line id report */
+-    save = ctxt->finishDtd;
+-    ctxt->finishDtd = 0;
++    save = ctxt->flags;
++    ctxt->flags &= ~XML_VCTXT_USE_PCTXT;
+ 
+     /*
+      * Check all the NOTATION/NOTATIONS attributes
+@@ -6694,7 +6681,7 @@ xmlValidateDocumentFinal(xmlValidCtxtPtr ctxt, xmlDocPtr doc) {
+     ctxt->valid = 1;
+     xmlHashScan(table, xmlValidateCheckRefCallback, ctxt);
+ 
+-    ctxt->finishDtd = save;
++    ctxt->flags = save;
+     return(ctxt->valid);
+ }
+ 
+-- 
+2.27.0
+

libxml2.spec

@@ -1,19 +1,22 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 4
+Release: 5
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
 
 Patch0: libxml2-multilib.patch
-Patch1: Fix-memleaks-in-xmlXIncludeProcessFlags.patch
+Patch1: Rework-validation-context-flags.patch
-Patch2: Fix-memory-leaks-for-xmlACatalogAdd.patch
+Patch2: Remove-unneeded-code-in-xmlreader.c.patch
-Patch3: Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch
+Patch3: Don-t-add-IDs-containing-unexpanded-entity-reference.patch
-Patch4: backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
+Patch4: Fix-memleaks-in-xmlXIncludeProcessFlags.patch
-Patch5: backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+Patch5: Fix-memory-leaks-for-xmlACatalogAdd.patch
-Patch6: backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+Patch6: Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch
-Patch7: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
+Patch7: backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
+Patch8: backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+Patch9: backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+Patch10: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@@ -169,6 +172,12 @@ rm -fr %{buildroot}
 
 
 %changelog
+* Tue Nov 29 2022 Wentao Fan <fanwentao@huawei.com> - 2.9.14-5
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport upstream patches
+
 * Mon Nov 21 2022 fuanan <fuanan3@h-partners.com> - 2.9.14-4
 - Type:bugfix
 - CVE:NA