add patches from upstream

zou_lin77 2021-05-29 17:19:39 +08:00
parent 4d6824339e
commit f344b07742
12 changed files with 712 additions and 1 deletions


@ -0,0 +1,25 @@
From 72b3c067cedbb80dbbac755cca79ff502c858ad5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 22 Apr 2021 19:24:50 +0200
Subject: [PATCH] Fix dangling pointer with `xmllint --dropdtd`
Reset doc->intSubset when dropping the DTD.
---
xmllint.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/xmllint.c b/xmllint.c
index dbef273..a3fe10a 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -2426,6 +2426,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
dtd = xmlGetIntSubset(doc);
if (dtd != NULL) {
xmlUnlinkNode((xmlNodePtr)dtd);
+ doc->intSubset = NULL;
xmlFreeDtd(dtd);
}
}
--
1.8.3.1


@ -0,0 +1,33 @@
From 683de7efe4a4178d62fab85d8c5f4c3bed36b984 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 4 Mar 2021 19:06:04 +0100
Subject: [PATCH] Fix duplicate xmlStrEqual calls in htmlParseEndTag
---
HTMLparser.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/HTMLparser.c b/HTMLparser.c
index e63e9b7..adefb3b 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -4207,12 +4207,10 @@ htmlParseEndTag(htmlParserCtxtPtr ctxt)
* With the exception that the autoclose may have popped stuff out
* of the stack.
*/
- if (!xmlStrEqual(name, ctxt->name)) {
- if ((ctxt->name != NULL) && (!xmlStrEqual(ctxt->name, name))) {
- htmlParseErr(ctxt, XML_ERR_TAG_NAME_MISMATCH,
- "Opening and ending tag mismatch: %s and %s\n",
- name, ctxt->name);
- }
+ if ((ctxt->name != NULL) && (!xmlStrEqual(ctxt->name, name))) {
+ htmlParseErr(ctxt, XML_ERR_TAG_NAME_MISMATCH,
+ "Opening and ending tag mismatch: %s and %s\n",
+ name, ctxt->name);
}
/*
--
1.8.3.1


@ -0,0 +1,48 @@
From c3fd8c429591e06eb847c11bc9273d13b3450d53 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 13 Mar 2021 17:19:32 +0100
Subject: [PATCH] Fix exponential behavior with recursive entities
Fix another case where only recursion depth was limited, but entities
would still be expanded over and over again.
The test case discovered by fuzzing only affected parsing in recovery
mode with XML_PARSE_RECOVER.
Found by OSS-Fuzz.
---
parser.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/parser.c b/parser.c
index efde672..b42e604 100644
--- a/parser.c
+++ b/parser.c
@@ -2684,8 +2684,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
0, 0, 0);
ctxt->depth--;
- if (rep == NULL)
+ if (rep == NULL) {
+ ent->content[0] = 0;
goto int_error;
+ }
current = rep;
while (*current != 0) { /* non input consuming loop */
@@ -2740,8 +2742,11 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
rep = xmlStringDecodeEntities(ctxt, ent->content, what,
0, 0, 0);
ctxt->depth--;
- if (rep == NULL)
+ if (rep == NULL) {
+ if (ent->content != NULL)
+ ent->content[0] = 0;
goto int_error;
+ }
current = rep;
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
--
1.8.3.1
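Review bot: The first hunk's `ent->content[0] = 0;` writes through `ent->content` without the `ent->content != NULL` guard that the second hunk adds before the same store; if the enclosing condition (outside the hunk) does not already establish that `ent->content` is non-NULL, a failed decode turns into a NULL write. The asymmetry between the two hunks also makes the intent hard to read, since truncating the entity in place to stop re-expansion is not obvious from the code; I would put `/* Empty the entity so a failed (recursive) expansion is not retried on every later reference */` above each store. xmlStringLenDecodeEntities starts and ends outside the hunks.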


@ -0,0 +1,125 @@
From de5b624f10e9d29ff1b3bbc07358774a3725898e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 8 May 2021 20:21:29 +0200
Subject: [PATCH] Fix handling of unexpected EOF in xmlParseContent
Readd the XML_ERR_TAG_NOT_FINISHED error on unexpected EOF which was
removed in commit 62150ed2.
This commit also introduced a regression for direct users of
xmlParseContent. Unclosed tags weren't checked.
---
parser.c | 48 +++++++++++++++++++++++++++++++++++++-------
python/tests/tstLastError.py | 4 ++--
result/errors/754947.xml.err | 2 +-
3 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/parser.c b/parser.c
index c2948ca..dd58282 100644
--- a/parser.c
+++ b/parser.c
@@ -9837,16 +9837,15 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
}
/**
- * xmlParseContent:
+ * xmlParseContentInternal:
* @ctxt: an XML parser context
*
- * Parse a content:
- *
- * [43] content ::= (element | CharData | Reference | CDSect | PI | Comment)*
+ * Parse a content sequence. Stops at EOF or '</'. Leaves checking of
+ * unexpected EOF to the caller.
*/
-void
-xmlParseContent(xmlParserCtxtPtr ctxt) {
+static void
+xmlParseContentInternal(xmlParserCtxtPtr ctxt) {
int nameNr = ctxt->nameNr;
GROW;
@@ -9922,6 +9921,30 @@ xmlParseContent(xmlParserCtxtPtr ctxt) {
}
/**
+ * xmlParseContent:
+ * @ctxt: an XML parser context
+ *
+ * Parse a content sequence. Stops at EOF or '</'.
+ *
+ * [43] content ::= (element | CharData | Reference | CDSect | PI | Comment)*
+ */
+
+void
+xmlParseContent(xmlParserCtxtPtr ctxt) {
+ int nameNr = ctxt->nameNr;
+
+ xmlParseContentInternal(ctxt);
+
+ if ((ctxt->instate != XML_PARSER_EOF) && (ctxt->nameNr > nameNr)) {
+ const xmlChar *name = ctxt->nameTab[ctxt->nameNr - 1];
+ int line = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 2];
+ xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_TAG_NOT_FINISHED,
+ "Premature end of data in tag %s line %d\n",
+ name, line, NULL);
+ }
+}
+
+/**
* xmlParseElement:
* @ctxt: an XML parser context
*
@@ -9939,9 +9962,20 @@ void
xmlParseElement(xmlParserCtxtPtr ctxt) {
if (xmlParseElementStart(ctxt) != 0)
return;
- xmlParseContent(ctxt);
+
+ xmlParseContentInternal(ctxt);
if (ctxt->instate == XML_PARSER_EOF)
return;
+
+ if (CUR == 0) {
+ const xmlChar *name = ctxt->nameTab[ctxt->nameNr - 1];
+ int line = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 2];
+ xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_TAG_NOT_FINISHED,
+ "Premature end of data in tag %s line %d\n",
+ name, line, NULL);
+ return;
+ }
+
xmlParseElementEnd(ctxt);
}
diff --git a/python/tests/tstLastError.py b/python/tests/tstLastError.py
index 1758a9f..36ffe5f 100755
--- a/python/tests/tstLastError.py
+++ b/python/tests/tstLastError.py
@@ -71,8 +71,8 @@ class TestCase(unittest.TestCase):
(s,len(s),"dummy.xml",None,0),
libxml2.treeError,
domain=libxml2.XML_FROM_PARSER,
- code=libxml2.XML_ERR_LTSLASH_REQUIRED,
- message='EndTag: \'</\' not found\n',
+ code=libxml2.XML_ERR_TAG_NOT_FINISHED,
+ message='Premature end of data in tag x line 1\n',
level=libxml2.XML_ERR_FATAL,
file='dummy.xml',
line=3)
diff --git a/result/errors/754947.xml.err b/result/errors/754947.xml.err
index 51e9b4e..f45cb5a 100644
--- a/result/errors/754947.xml.err
+++ b/result/errors/754947.xml.err
@@ -2,6 +2,6 @@
Bytes: 0xEE 0x5D 0x5D 0x3E
<d><![CDATA[0000000000000î]]>
^
-./test/errors/754947.xml:1: parser error : EndTag: '</' not found
+./test/errors/754947.xml:1: parser error : Premature end of data in tag d line 1
<d><![CDATA[0000000000000î]]>
^
--
1.8.3.1
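Review bot: The new `xmlParseContent` and the new `if (CUR == 0)` branch in `xmlParseElement` carry the same five-line block that reads the name and line from the stride-4 `pushTab` layout and raises XML_ERR_TAG_NOT_FINISHED; a small static helper keeps the two sites from drifting. That block also assumes every entry of the name stack has a matching `pushTab` record, which in this series only holds once the SAX1 path also goes through `nameNsPush` (the later "Fix null deref in legacy SAX1 parser" patch), so this patch should not be backported on its own. The implicit `ptrdiff_t` to `int` narrowing for `line` follows the pattern the file already uses and is fine.
```c
/* Report the innermost element still open at EOF, using the name and
 * line that nameNsPush recorded for it. */
static void
xmlParseUnfinishedTagErr(xmlParserCtxtPtr ctxt) {
    const xmlChar *name = ctxt->nameTab[ctxt->nameNr - 1];
    int line = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 2];
    xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_TAG_NOT_FINISHED,
                            "Premature end of data in tag %s line %d\n",
                            name, line, NULL);
}

void
xmlParseContent(xmlParserCtxtPtr ctxt) {
    int nameNr = ctxt->nameNr;

    xmlParseContentInternal(ctxt);

    if ((ctxt->instate != XML_PARSER_EOF) && (ctxt->nameNr > nameNr))
        xmlParseUnfinishedTagErr(ctxt);
}
/* … unchanged: xmlParseElement, whose `if (CUR == 0)` branch calls the same helper … */
```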


@ -0,0 +1,162 @@
From 3e80560d4bbf2768c90b9a017743ec45f26c3c1c Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 7 May 2021 10:51:38 +0200
Subject: [PATCH] Fix line numbers in error messages for mismatched tags
Commit 62150ed2 introduced a small regression in the error messages for
mismatched tags. This typically only affected messages after the first
mismatch, but with custom SAX handlers all line numbers would be off.
This also fixes line numbers in the SAX push parser which were never
handled correctly.
---
parser.c | 38 +++++++++++++++++++++++---------------
python/tests/ctxterror.py | 2 +-
result/errors/759398.xml.err | 4 ++--
3 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/parser.c b/parser.c
index 73c27ed..c2948ca 100644
--- a/parser.c
+++ b/parser.c
@@ -1838,6 +1838,8 @@ nodePop(xmlParserCtxtPtr ctxt)
* @value: the element name
* @prefix: the element prefix
* @URI: the element namespace name
+ * @line: the current line number for error messages
+ * @nsNr: the number of namespaces pushed on the namespace table
*
* Pushes a new element name/prefix/URL on top of the name stack
*
@@ -1845,7 +1847,7 @@ nodePop(xmlParserCtxtPtr ctxt)
*/
static int
nameNsPush(xmlParserCtxtPtr ctxt, const xmlChar * value,
- const xmlChar *prefix, const xmlChar *URI, int nsNr)
+ const xmlChar *prefix, const xmlChar *URI, int line, int nsNr)
{
if (ctxt->nameNr >= ctxt->nameMax) {
const xmlChar * *tmp;
@@ -1860,7 +1862,7 @@ nameNsPush(xmlParserCtxtPtr ctxt, const xmlChar * value,
}
ctxt->nameTab = tmp;
tmp2 = (void **) xmlRealloc((void * *)ctxt->pushTab,
- ctxt->nameMax * 3 *
+ ctxt->nameMax * 4 *
sizeof(ctxt->pushTab[0]));
if (tmp2 == NULL) {
ctxt->nameMax /= 2;
@@ -1868,16 +1870,17 @@ nameNsPush(xmlParserCtxtPtr ctxt, const xmlChar * value,
}
ctxt->pushTab = tmp2;
} else if (ctxt->pushTab == NULL) {
- ctxt->pushTab = (void **) xmlMalloc(ctxt->nameMax * 3 *
+ ctxt->pushTab = (void **) xmlMalloc(ctxt->nameMax * 4 *
sizeof(ctxt->pushTab[0]));
if (ctxt->pushTab == NULL)
goto mem_error;
}
ctxt->nameTab[ctxt->nameNr] = value;
ctxt->name = value;
- ctxt->pushTab[ctxt->nameNr * 3] = (void *) prefix;
- ctxt->pushTab[ctxt->nameNr * 3 + 1] = (void *) URI;
- ctxt->pushTab[ctxt->nameNr * 3 + 2] = (void *) (ptrdiff_t) nsNr;
+ ctxt->pushTab[ctxt->nameNr * 4] = (void *) prefix;
+ ctxt->pushTab[ctxt->nameNr * 4 + 1] = (void *) URI;
+ ctxt->pushTab[ctxt->nameNr * 4 + 2] = (void *) (ptrdiff_t) line;
+ ctxt->pushTab[ctxt->nameNr * 4 + 3] = (void *) (ptrdiff_t) nsNr;
return (ctxt->nameNr++);
mem_error:
xmlErrMemory(ctxt, NULL);
@@ -9998,7 +10001,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) {
return(-1);
}
if (ctxt->sax2)
- nameNsPush(ctxt, name, prefix, URI, ctxt->nsNr - nsNr);
+ nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr);
#ifdef LIBXML_SAX1_ENABLED
else
namePush(ctxt, name);
@@ -10095,10 +10098,11 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt) {
* parse the end of tag: '</' should be here.
*/
if (ctxt->sax2) {
- const xmlChar *prefix = ctxt->pushTab[ctxt->nameNr * 3 - 3];
- const xmlChar *URI = ctxt->pushTab[ctxt->nameNr * 3 - 2];
- int nsNr = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 3 - 1];
- xmlParseEndTag2(ctxt, prefix, URI, 0, nsNr, 0);
+ const xmlChar *prefix = ctxt->pushTab[ctxt->nameNr * 4 - 4];
+ const xmlChar *URI = ctxt->pushTab[ctxt->nameNr * 4 - 3];
+ int line = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 2];
+ int nsNr = (ptrdiff_t) ctxt->pushTab[ctxt->nameNr * 4 - 1];
+ xmlParseEndTag2(ctxt, prefix, URI, line, nsNr, 0);
namePop(ctxt);
}
#ifdef LIBXML_SAX1_ENABLED
@@ -11373,6 +11377,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
const xmlChar *name;
const xmlChar *prefix = NULL;
const xmlChar *URI = NULL;
+ int line = ctxt->input->line;
int nsNr = ctxt->nsNr;
if ((avail < 2) && (ctxt->inputNr == 1))
@@ -11471,7 +11476,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
spacePop(ctxt);
}
if (ctxt->sax2)
- nameNsPush(ctxt, name, prefix, URI, ctxt->nsNr - nsNr);
+ nameNsPush(ctxt, name, prefix, URI, line,
+ ctxt->nsNr - nsNr);
#ifdef LIBXML_SAX1_ENABLED
else
namePush(ctxt, name);
@@ -11593,10 +11599,12 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
}
if (ctxt->sax2) {
xmlParseEndTag2(ctxt,
- (void *) ctxt->pushTab[ctxt->nameNr * 3 - 3],
- (void *) ctxt->pushTab[ctxt->nameNr * 3 - 2], 0,
+ (void *) ctxt->pushTab[ctxt->nameNr * 4 - 4],
+ (void *) ctxt->pushTab[ctxt->nameNr * 4 - 3],
+ (int) (ptrdiff_t)
+ ctxt->pushTab[ctxt->nameNr * 4 - 2],
(int) (ptrdiff_t)
- ctxt->pushTab[ctxt->nameNr * 3 - 1], 0);
+ ctxt->pushTab[ctxt->nameNr * 4 - 1], 0);
nameNsPop(ctxt);
}
#ifdef LIBXML_SAX1_ENABLED
diff --git a/python/tests/ctxterror.py b/python/tests/ctxterror.py
index 416e384..ac64624 100755
--- a/python/tests/ctxterror.py
+++ b/python/tests/ctxterror.py
@@ -10,7 +10,7 @@ import libxml2
libxml2.debugMemory(1)
expect="""--> (3) xmlns: URI foo is not absolute
---> (4) Opening and ending tag mismatch: x line 0 and y
+--> (4) Opening and ending tag mismatch: x line 1 and y
"""
err=""
diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err
index bc9e5e0..f6036a3 100644
--- a/result/errors/759398.xml.err
+++ b/result/errors/759398.xml.err
@@ -1,10 +1,10 @@
./test/errors/759398.xml:210: parser error : StartTag: invalid element name
need to worry about parsers whi<! don't expand PErefs finding
^
-./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: №№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№m line 205 and termdef
+./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: №№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№№m line 308 and termdef
and provide access to their content and structure.</termdef> <termdef
^
-./test/errors/759398.xml:314: parser error : Opening and ending tag mismatch: spec line 205 and p
+./test/errors/759398.xml:314: parser error : Opening and ending tag mismatch: spec line 50 and p
data and the information it must provide to the application.</p>
^
./test/errors/759398.xml:316: parser error : Extra content at the end of the document
--
1.8.3.1
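Review bot: The pushTab record grows from 3 to 4 `void *` slots, and the literal 4 together with the slot offsets (-4/-3/-2/-1, +1/+2/+3) is now spelled out at more than a dozen places across nameNsPush, xmlParseElementEnd and the two xmlParseTryOrFinish hunks; a named constant would make the next layout change a one-line edit and stop a stale `* 3` reader from silently indexing the wrong slot. I would add `enum { XML_PUSHTAB_STRIDE = 4 }; /* prefix, URI, line, nsNr per name-stack entry */` next to nameNsPush and use it in every index expression and both allocation sizes. Any reader of `pushTab` outside these hunks would also need the new stride; none is visible here, so that is only something to confirm. nameNsPush's body continues outside the hunks.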


@ -0,0 +1,54 @@
From bfd2f4300fb348a0fb8265a17546a0eb8bdec719 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 9 May 2021 18:56:57 +0200
Subject: [PATCH] Fix null deref in legacy SAX1 parser
Always call nameNsPush instead of namePush. The latter is unused now
and should probably be removed from the public API. I can't see how
it could be used reasonably from client code and the unprefixed name
has always polluted the global namespace.
Fixes a null pointer dereference introduced with de5b624f when parsing
in SAX1 mode.
Found by OSS-Fuzz.
---
parser.c | 15 ++-------------
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/parser.c b/parser.c
index 9bda945..f5e5e16 100644
--- a/parser.c
+++ b/parser.c
@@ -10025,12 +10025,7 @@ xmlParseElementStart(xmlParserCtxtPtr ctxt) {
spacePop(ctxt);
return(-1);
}
- if (ctxt->sax2)
- nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr);
-#ifdef LIBXML_SAX1_ENABLED
- else
- namePush(ctxt, name);
-#endif /* LIBXML_SAX1_ENABLED */
+ nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr);
ret = ctxt->node;
#ifdef LIBXML_VALID_ENABLED
@@ -11496,13 +11491,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
nodePop(ctxt);
spacePop(ctxt);
}
- if (ctxt->sax2)
- nameNsPush(ctxt, name, prefix, URI, line,
- ctxt->nsNr - nsNr);
-#ifdef LIBXML_SAX1_ENABLED
- else
- namePush(ctxt, name);
-#endif /* LIBXML_SAX1_ENABLED */
+ nameNsPush(ctxt, name, prefix, URI, line, ctxt->nsNr - nsNr);
ctxt->instate = XML_PARSER_CONTENT;
ctxt->progressive = 1;
--
1.8.3.1
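Review bot: With both push sites switched to `nameNsPush`, the still-public `namePush` no longer keeps `pushTab` in step with `nameTab`, so a client that pushes through it and then lets the parser's end-tag or end-of-data handling read `pushTab` gets a slot that was never written; the commit message acknowledges this but nothing in the code says it. A deprecation note on the `namePush` declaration in the public header (not part of this diff) would make it visible to API users, e.g. `/* Deprecated: records no prefix/URI/line; the parser now expects every name-stack entry to come from nameNsPush. */`. Both enclosing functions start and end outside the hunks.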


@ -0,0 +1,44 @@
From 688b41a0fb06cf1ab5173308f6a8db5089ba6e14 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 1 Mar 2021 14:17:42 +0100
Subject: [PATCH] Fix quadratic behavior when looking up xml:* attributes
Add a special case for the predefined XML namespace when looking up DTD
attribute defaults in xmlGetPropNodeInternal to avoid calling
xmlGetNsList.
This fixes quadratic behavior in
- xmlNodeGetBase
- xmlNodeGetLang
- xmlNodeGetSpacePreserve
Found by OSS-Fuzz.
---
tree.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/tree.c b/tree.c
index d6ea704..617e818 100644
--- a/tree.c
+++ b/tree.c
@@ -6589,6 +6589,16 @@ xmlGetPropNodeInternal(const xmlNode *node, const xmlChar *name,
attrDecl = xmlGetDtdQAttrDesc(doc->extSubset,
elemQName, name, NULL);
}
+ } else if (xmlStrEqual(nsName, XML_XML_NAMESPACE)) {
+ /*
+ * The XML namespace must be bound to prefix 'xml'.
+ */
+ attrDecl = xmlGetDtdQAttrDesc(doc->intSubset,
+ elemQName, name, BAD_CAST "xml");
+ if ((attrDecl == NULL) && (doc->extSubset != NULL)) {
+ attrDecl = xmlGetDtdQAttrDesc(doc->extSubset,
+ elemQName, name, BAD_CAST "xml");
+ }
} else {
xmlNsPtr *nsList, *cur;
--
1.8.3.1


@ -0,0 +1,31 @@
From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 21 Apr 2021 13:23:27 +0200
Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
Call htmlCtxtUseOptions to make sure that names aren't stored in
dictionaries.
Note that this issue only affects xmllint using the HTML push parser.
Fixes #230.
---
xmllint.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xmllint.c b/xmllint.c
index 6ca1bf5..dbef273 100644
--- a/xmllint.c
+++ b/xmllint.c
@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
if (res > 0) {
ctxt = htmlCreatePushParserCtxt(NULL, NULL,
chars, res, filename, XML_CHAR_ENCODING_NONE);
- xmlCtxtUseOptions(ctxt, options);
+ htmlCtxtUseOptions(ctxt, options);
while ((res = fread(chars, 1, pushsize, f)) > 0) {
htmlParseChunk(ctxt, chars, res, 0);
}
--
1.8.3.1
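Review bot: The one-token change from `xmlCtxtUseOptions` to `htmlCtxtUseOptions` is exactly the kind of line a later cleanup "harmonises" back, and nothing at the call site explains why the HTML variant is required; a why-comment would protect it: `/* htmlCtxtUseOptions, not xmlCtxtUseOptions: the HTML variant keeps names out of the dictionary, otherwise they are freed under the push parser (#230) */`. Separately, the `ctxt` returned by `htmlCreatePushParserCtxt` is passed to `htmlCtxtUseOptions` and the `htmlParseChunk` loop without a NULL check; if the lines after the hunk dereference `ctxt` directly, a failed allocation is a crash rather than a reported error, so a `if (ctxt == NULL)` bail-out after the create call is worth considering. parseAndPrintFile starts and ends outside the hunk.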


@ -0,0 +1,35 @@
From e20c9c148c725e2933efa143ee6a543a5cae4204 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 13 Mar 2021 18:41:47 +0100
Subject: [PATCH] Fix xmlGetNodePath with invalid node types
Make xmlGetNodePath return NULL instead of invalid XPath when hitting
unsupported node types like DTD content.
Reported here:
https://mail.gnome.org/archives/xml/2021-January/msg00012.html
Original report:
https://bugs.php.net/bug.php?id=80680
---
tree.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tree.c b/tree.c
index dbc87aa..c707f59 100644
--- a/tree.c
+++ b/tree.c
@@ -4893,7 +4893,9 @@ xmlGetNodePath(const xmlNode *node)
}
next = ((xmlAttrPtr) cur)->parent;
} else {
- next = cur->parent;
+ xmlFree(buf);
+ xmlFree(buffer);
+ return (NULL);
}
/*
--
1.8.3.1
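Review bot: Returning NULL for an unsupported node type is a contract change for the public `xmlGetNodePath` (callers that previously received a string, however invalid, now receive NULL), so the `Returns` line of its doc comment — outside this hunk — should say so, and the new `else` arm deserves a why-comment: `/* not an element/attribute ancestor (e.g. DTD content): no XPath exists, fail rather than emit an invalid one */`. Any in-tree caller that dereferences the result without a NULL check would also need a look; none is visible in this diff. xmlGetNodePath's body starts and ends outside the hunk.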


@ -0,0 +1,54 @@
From a6e6498fb1d11f08c394ecbf69add6cfff815db0 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 2 Mar 2021 13:09:06 +0100
Subject: [PATCH] Stop checking attributes for UTF-8 validity
I can't see a reason to check attribute content for UTF-8 validity.
Other parts of the API like xmlNewText have always assumed valid UTF-8
as extra checks only slow down processing.
Besides, setting doc->encoding to "ISO-8859-1" seems pointless, and not
freeing the old encoding would cause a memory leak.
Note that this was last changed in 2008 with commit 6f8611fd which
removed unnecessary encoding/decoding steps. Setting attributes should
be even faster now.
Found by OSS-Fuzz.
---
tree.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/tree.c b/tree.c
index 617e818..17db445 100644
--- a/tree.c
+++ b/tree.c
@@ -1901,12 +1901,6 @@ xmlNewPropInternal(xmlNodePtr node, xmlNsPtr ns,
if (value != NULL) {
xmlNodePtr tmp;
- if(!xmlCheckUTF8(value)) {
- xmlTreeErr(XML_TREE_NOT_UTF8, (xmlNodePtr) doc,
- NULL);
- if (doc != NULL)
- doc->encoding = xmlStrdup(BAD_CAST "ISO-8859-1");
- }
cur->children = xmlNewDocText(doc, value);
cur->last = NULL;
tmp = cur->children;
@@ -6945,12 +6939,6 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name,
if (value != NULL) {
xmlNodePtr tmp;
- if(!xmlCheckUTF8(value)) {
- xmlTreeErr(XML_TREE_NOT_UTF8, (xmlNodePtr) node->doc,
- NULL);
- if (node->doc != NULL)
- node->doc->encoding = xmlStrdup(BAD_CAST "ISO-8859-1");
- }
prop->children = xmlNewDocText(node->doc, value);
prop->last = NULL;
tmp = prop->children;
--
1.8.3.1
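Review bot: Dropping the `xmlCheckUTF8` calls in xmlNewPropInternal and xmlSetNsProp makes valid UTF-8 a precondition on `value` for the whole public attribute-creation family rather than something the tree layer reports, so a caller feeding bytes from an untrusted source now builds a tree that serializes without any XML_TREE_NOT_UTF8 diagnostic. The `@value` lines in the public doc comments (not part of this diff) should state the new contract, e.g. `@value: the value of the attribute, must be valid UTF-8`. The removal itself is sound: as the commit message notes, the deleted code overwrote `doc->encoding` with a fresh `xmlStrdup` without freeing the previous string, so it leaked on every ill-formed value. Both enclosing functions start and end outside the hunks.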


@ -1,7 +1,7 @@
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.10
Release: 13
Release: 14
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -72,6 +72,17 @@ Patch60: backport-Fix-integer-overflow-in-xmlSchemaGetParticleTotalRan.patch
Patch61: backport-CVE-2021-3537.patch
Patch62: CVE-2021-3517.patch
Patch63: CVE-2021-3518.patch
Patch64: Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch
Patch65: Fix-line-numbers-in-error-messages-for-mismatched-ta.patch
Patch66: Fix-null-deref-in-legacy-SAX1-parser.patch
Patch67: update-for-xsd-language-type-check.patch
Patch68: Fix-dangling-pointer-with-xmllint-dropdtd.patch
Patch69: Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch
Patch70: Fix-exponential-behavior-with-recursive-entities.patch
Patch71: Fix-quadratic-behavior-when-looking-up-xml-attribute.patch
Patch72: Fix-use-after-free-with-xmllint-html-push.patch
Patch73: Fix-xmlGetNodePath-with-invalid-node-types.patch
Patch74: Stop-checking-attributes-for-UTF-8-validity.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python3-devel
@ -232,6 +243,23 @@ rm -fr %{buildroot}
%changelog
* Sat May 29 2021 zoulin <zoulin13@huawei.com> - 2.9.10-14
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:[add] patches from upstream
Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch
Fix-line-numbers-in-error-messages-for-mismatched-ta.patch
Fix-null-deref-in-legacy-SAX1-parser.patch
update-for-xsd-language-type-check.patch
Fix-dangling-pointer-with-xmllint-dropdtd.patch
Fix-duplicate-xmlStrEqual-calls-in-htmlParseEndTag.patch
Fix-exponential-behavior-with-recursive-entities.patch
Fix-quadratic-behavior-when-looking-up-xml-attribute.patch
Fix-use-after-free-with-xmllint-html-push.patch
Fix-xmlGetNodePath-with-invalid-node-types.patch
Stop-checking-attributes-for-UTF-8-validity.patch
* Fri May 28 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 2.9.10-13
- Type:CVE
- ID:CVE-2021-3537, CVE-2021-3517
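Review bot: Patch64 (`Fix-handling-of-unexpected-EOF-in-xmlParseContent.patch`) is listed before Patch65 (`Fix-line-numbers-in-error-messages-for-mismatched-ta.patch`), but the index lines inside the patch files show the opposite upstream order: the line-numbers patch takes parser.c from 73c27ed to c2948ca and the EOF patch starts from c2948ca, and the EOF patch's new code indexes `pushTab` with the stride-4 layout that only the line-numbers patch introduces. Likewise Patch68 (`Fix-dangling-pointer-with-xmllint-dropdtd.patch`, xmllint.c dbef273..a3fe10a) builds on the output of Patch72 (`Fix-use-after-free-with-xmllint-html-push.patch`, 6ca1bf5..dbef273). Both pairs will probably still apply with offsets, but the series should follow upstream order so each hunk lands at its recorded context: swap Patch64/Patch65 and move Patch72 ahead of Patch68, and list the changelog entries in the same order. Whether the new Patch64–Patch74 are actually applied depends on the %prep section, which is not in this diff.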


@ -0,0 +1,72 @@
From 33468d7e7080e384ad703a2369003cf18b2ad91d Mon Sep 17 00:00:00 2001
From: PaulHiggs <paul_higgs@hotmail.com>
Date: Mon, 3 May 2021 16:09:44 +0100
Subject: [PATCH] update for xsd:language type check
Fixes #242.
---
xmlschemastypes.c | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 07b5fd7..9c2dff0 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -2187,6 +2187,44 @@ xmlSchemaParseUInt(const xmlChar **str, unsigned long *llo,
return(ret);
}
+/*
+ * xmlSchemaCheckLanguageType
+ * @value: the value to check
+ *
+ * Check that a value conforms to the lexical space of the language datatype.
+ * Must conform to [a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*
+ *
+ * Returns 1 if this validates, 0 otherwise.
+ */
+static int
+xmlSchemaCheckLanguageType(const xmlChar* value) {
+ int first = 1, len = 0;
+ const xmlChar* cur = value;
+
+ if (value == NULL)
+ return (0);
+
+ while (cur[0] != 0) {
+ if (!( ((cur[0] >= 'a') && (cur[0] <= 'z')) || ((cur[0] >= 'A') && (cur[0] <= 'Z'))
+ || (cur[0] == '-')
+ || ((first == 0) && (xmlIsDigit_ch(cur[0]))) ))
+ return (0);
+ if (cur[0] == '-') {
+ if ((len < 1) || (len > 8))
+ return (0);
+ len = 0;
+ first = 0;
+ }
+ else
+ len++;
+ cur++;
+ }
+ if ((len < 1) || (len > 8))
+ return (0);
+
+ return (1);
+}
+
/**
* xmlSchemaValAtomicType:
* @type: the predefined type
@@ -2704,7 +2742,8 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
if (norm != NULL)
value = norm;
}
- if (xmlCheckLanguageID(value) == 1) {
+
+ if (xmlSchemaCheckLanguageType(value) == 1) {
if (val != NULL) {
v = xmlSchemaNewValue(XML_SCHEMAS_LANGUAGE);
if (v != NULL) {
--
1.8.3.1
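Review bot: The header comment on `xmlSchemaCheckLanguageType` opens with `/*` while the file's other function comments (e.g. `xmlSchemaValAtomicType` immediately below) use the `/**` doc-comment form, so the new function is invisible to the documentation tooling; change the opener to `/**`. Two smaller style points: `const xmlChar* value` and `const xmlChar* cur` bind the `*` to the type where the rest of the hunk writes `const xmlChar *`, and the `len > 8` test could fail fast on the ninth character instead of waiting for the next hyphen or the end of the string, though the result is the same. Since this replaces `xmlCheckLanguageID` for XML_SCHEMAS_LANGUAGE, values the old check accepted but that fall outside `[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*` are now rejected, which is presumably the intent of #242 but is worth one sentence in the comment.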