backport upstream patches

backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch

@@ -0,0 +1,42 @@
+From 1a2d8ddc066143d256fdb8cc554707fe141dd2f6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 11 Oct 2022 13:02:47 +0200
+Subject: [PATCH] parser: Fix potential memory leak in xmlParseAttValueInternal
+
+Fix memory leak in case xmlParseAttValueInternal is called with a NULL
+`len` a non-NULL `alloc` argument. This static function is never called
+with such arguments internally, but the misleading code should be fixed
+nevertheless.
+
+Fixes #422.
+
+Reference:https://github.com/GNOME/libxml2/commit/1a2d8ddc066143d256fdb8cc554707fe141dd2f6
+Conflict:NA
+
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 7bb47366..337e62f6 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9155,6 +9155,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+     in++;
+     col++;
+     if (len != NULL) {
++        if (alloc) *alloc = 0;
+         *len = last - start;
+         ret = (xmlChar *) start;
+     } else {
+@@ -9164,7 +9165,6 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+     CUR_PTR = in;
+     ctxt->input->line = line;
+     ctxt->input->col = col;
+-    if (alloc) *alloc = 0;
+     return ret;
+ need_complex:
+     if (alloc) *alloc = 1;
+-- 
+2.27.0
+

backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch

@@ -0,0 +1,75 @@
+From 1d4f5d24ac3976012ab1f5b811385e7b00caaecf Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: [PATCH] schemas: Fix null-pointer-deref in
+ xmlSchemaCheckCOSSTDerivedOK
+
+Found by OSS-Fuzz.
+
+Reference:https://github.com/GNOME/libxml2/commit/1d4f5d24ac3976012ab1f5b811385e7b00caaecf
+Conflict:NA
+
+---
+ result/schemas/oss-fuzz-51295_0_0.err |  2 ++
+ test/schemas/oss-fuzz-51295_0.xml     |  1 +
+ test/schemas/oss-fuzz-51295_0.xsd     |  4 ++++
+ xmlschemas.c                          | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 00000000..1e89524f
+--- /dev/null
++++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
++./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 00000000..10a7e703
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
++<e/>
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 00000000..fde96af5
+--- /dev/null
++++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
++    <xs:element name="e" substitutionGroup="e"/>
++    <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index ade10f78..de6ea2b0 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -13348,8 +13348,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
+ 	    * declaration `resolved` to by the `actual value`
+ 	    * of the substitutionGroup [attribute], if present"
+ 	    */
+-	    if (elemDecl->subtypes == NULL)
+-		elemDecl->subtypes = substHead->subtypes;
++	    if (elemDecl->subtypes == NULL) {
++                if (substHead->subtypes == NULL) {
++                    /*
++                     * This can happen with self-referencing substitution
++                     * groups. The cycle will be detected later, but we have
++                     * to set subtypes to avoid null-pointer dereferences.
++                     */
++	            elemDecl->subtypes = xmlSchemaGetBuiltInType(
++                            XML_SCHEMAS_ANYTYPE);
++                } else {
++		    elemDecl->subtypes = substHead->subtypes;
++                }
++            }
+ 	}
+     }
+     /*
+-- 
+2.27.0
+

libxml2.spec

@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 3
+Release: 4
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@@ -12,6 +12,8 @@ Patch2: Fix-memory-leaks-for-xmlACatalogAdd.patch
 Patch3: Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch
 Patch4: backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
 Patch5: backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+Patch6: backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+Patch7: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@@ -167,6 +169,12 @@ rm -fr %{buildroot}
 
 
 %changelog
+* Mon Nov 21 2022 fuanan <fuanan3@h-partners.com> - 2.9.14-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport upstream patches
+
 * Tue Nov 08 2022 fuanan <fuanan3@h-partners.com> - 2.9.14-3
 - fix CVE-2022-40303 CVE-2022-40304