
(-)b/textproc/libxml2/Makefile (-17 / +22 lines)
Lines 1-8 Link Here
1
# Created by: Yukihiro Nakai <Nakai@technologist.com>
1
# Created by: Yukihiro Nakai <Nakai@technologist.com>
2
2
3
PORTNAME=	libxml2
3
PORTNAME=	libxml2
4
DISTVERSION=	2.9.10
4
DISTVERSION=	2.9.12
5
PORTREVISION?=	4
5
#PORTREVISION?=	0
6
CATEGORIES?=	textproc gnome
6
CATEGORIES?=	textproc gnome
7
MASTER_SITES=	http://xmlsoft.org/sources/
7
MASTER_SITES=	http://xmlsoft.org/sources/
8
DIST_SUBDIR=	gnome2
8
DIST_SUBDIR=	gnome2
Lines 17-53 LICENSE_FILE_MIT= ${WRKSRC}/COPYING Link Here
17
LICENSE_FILE_TRIO=	${FILESDIR}/LICENSE.TRIO
17
LICENSE_FILE_TRIO=	${FILESDIR}/LICENSE.TRIO
18
LICENSE_PERMS_TRIO=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
18
LICENSE_PERMS_TRIO=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
19
19
20
GNU_CONFIGURE=	yes
21
USES+=		compiler cpe iconv libtool pathfix pkgconfig shebangfix
20
USES+=		compiler cpe iconv libtool pathfix pkgconfig shebangfix
21
GNU_CONFIGURE=	yes
22
CPE_VENDOR=	xmlsoft
22
CPE_VENDOR=	xmlsoft
23
SHEBANG_FILES=	*.py */*.py */*/*.py
23
USE_LDCONFIG=	yes
24
USE_LDCONFIG=	yes
25
26
INSTALL_TARGET=	install-strip
27
TEST_TARGET=	check
28
24
CONFIGURE_ARGS?=--with-iconv=${ICONV_PREFIX} \
29
CONFIGURE_ARGS?=--with-iconv=${ICONV_PREFIX} \
25
		--with-html-dir=${PREFIX}/share/doc \
30
		--with-html-dir=${PREFIX}/share/doc \
26
		--with-html-subdir=${PORTNAME} \
31
		--with-html-subdir=${PORTNAME} \
27
		--without-icu \
32
		--without-icu \
28
		--with-lzma=/usr \
33
		--with-lzma=/usr \
29
		--without-python
34
		--without-python
30
INSTALL_TARGET=	install-strip
31
SHEBANG_FILES=	*.py */*.py */*/*.py
32
35
33
PLIST_SUB+=	LIBVERSION=${PORTVERSION}
36
PLIST_SUB+=	LIBVERSION=${DISTVERSION}
34
37
35
.if !defined(MASTERDIR)
38
.if !defined(MASTERDIR)
36
39
37
OPTIONS_DEFINE=	SCHEMA VALIDATION THREADS MEM_DEBUG XMLLINT_HIST THREAD_ALLOC
40
OPTIONS_DEFINE=		MEM_DEBUG SCHEMA THREAD_ALLOC THREADS VALIDATION \
38
OPTIONS_DEFAULT=SCHEMA VALIDATION THREADS
41
			XMLLINT_HIST
39
SCHEMA_DESC=	XML schema support
42
OPTIONS_DEFAULT=	SCHEMA VALIDATION THREADS
40
SCHEMA_CONFIGURE_WITH=	schemas
43
44
MEM_DEBUG_DESC=		Memory debugging (DEVELOPERS ONLY!)
45
SCHEMA_DESC=		XML schema support
46
THREAD_ALLOC_DESC=	Per-thread memory (DEVELOPERS ONLY!)
41
VALIDATION_DESC=	Validation support
47
VALIDATION_DESC=	Validation support
42
VALIDATION_CONFIGURE_OFF=	--without-valid
43
THREADS_DESC=	Threads support
44
THREADS_CONFIGURE_WITH=	threads
45
MEM_DEBUG_DESC=	Memory debugging (DEVELOPERS ONLY!)
46
MEM_DEBUG_CONFIGURE_WITH=	mem-debug
47
XMLLINT_HIST_DESC=	History for xmllint
48
XMLLINT_HIST_DESC=	History for xmllint
48
XMLLINT_HIST_CONFIGURE_WITH=	history
49
49
THREAD_ALLOC_DESC=	Per-thread memory (DEVELOPERS ONLY!)
50
MEM_DEBUG_CONFIGURE_WITH=	mem-debug
51
SCHEMA_CONFIGURE_WITH=		schemas
50
THREAD_ALLOC_CONFIGURE_WITH=	thread-alloc
52
THREAD_ALLOC_CONFIGURE_WITH=	thread-alloc
53
THREADS_CONFIGURE_WITH=		threads
54
VALIDATION_CONFIGURE_OFF=	--without-valid
55
XMLLINT_HIST_CONFIGURE_WITH=	history
51
56
52
.endif # !defined(MASTERDIR)
57
.endif # !defined(MASTERDIR)
53
58
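Review bot: `MASTER_SITES=	http://xmlsoft.org/sources/` at line 7 is carried over unchanged, so the 2.9.12 tarball is still fetched in cleartext and the SHA256/SIZE pair in distinfo is the only integrity control on it. If upstream serves the same path over TLS, `MASTER_SITES=	https://xmlsoft.org/sources/` would be the safer default. The bump is also what justifies deleting files/patch-CVE-2019-20388, patch-CVE-2020-24977, patch-CVE-2020-7595 and patch-CVE-2021-3541, so the commit log should state that each of those fixes was confirmed present in the 2.9.12 sources. As a style point, the commented-out `#PORTREVISION?=	0` at new line 5 is dead text and can be dropped.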
(-)b/textproc/libxml2/distinfo (-11 / +3 lines)
Lines 1-11 Link Here
1
TIMESTAMP = 1602549798
1
TIMESTAMP = 1622963062
2
SHA256 (gnome2/libxml2-2.9.10.tar.gz) = aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f
2
SHA256 (gnome2/libxml2-2.9.12.tar.gz) = c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92
3
SIZE (gnome2/libxml2-2.9.10.tar.gz) = 5624761
3
SIZE (gnome2/libxml2-2.9.12.tar.gz) = 5681632
4
SHA256 (gnome2/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a.patch) = 8bab1a7fcc22a8f9a3f89648660bbca424196d82967e213bd27c1dcc9a9544a5
5
SIZE (gnome2/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a.patch) = 1015
6
SHA256 (gnome2/0e1a49c8907645d2e155f0d89d4d9895ac5112b5.patch) = 4a1dca36e762a0e2affb0779918fbf1665a00d984ffbd3efa45d3d202f87ea8c
7
SIZE (gnome2/0e1a49c8907645d2e155f0d89d4d9895ac5112b5.patch) = 996
8
SHA256 (gnome2/50f06b3efb638efb0abd95dc62dca05ae67882c2.patch) = 701048e726e2f3f7f2a71a7054030fc154b5edace72e23c5934ecd9ee09ad811
9
SIZE (gnome2/50f06b3efb638efb0abd95dc62dca05ae67882c2.patch) = 1052
10
SHA256 (gnome2/edc7b6abb0c125eeb888748c334897f60aab0854.patch) = eac708cc0bcb19c59c63874e5518f9084b177c8a10981539d90ba41d9e8414a1
11
SIZE (gnome2/edc7b6abb0c125eeb888748c334897f60aab0854.patch) = 3019
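--- a/textproc/libxml2/files/patch-CVE-2019-20388
+++ b/textproc/libxml2/files/patch-CVE-2019-20388
@@ -1,33 +0,0 @@
-From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
-From: Zhipeng Xie <xiezhipeng1@huawei.com>
-Date: Tue, 20 Aug 2019 16:33:06 +0800
-Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
-
-When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
-alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
-to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
-vctxt->xsiAssemble to 0 again which cause the alloced schema
-can not be freed anymore.
-
-Found with libFuzzer.
-
-Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
----
- xmlschemas.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/xmlschemas.c b/xmlschemas.c
-index 301c8449..39d92182 100644
---- xmlschemas.c
-+++ xmlschemas.c
-@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
-     vctxt->nberrors = 0;
-     vctxt->depth = -1;
-     vctxt->skipDepth = -1;
--    vctxt->xsiAssemble = 0;
-     vctxt->hasKeyrefs = 0;
- #ifdef ENABLE_IDC_NODE_TABLES_TEST
-     vctxt->createIDCNodeTables = 1;
--- 
-GitLab
-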
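--- a/textproc/libxml2/files/patch-CVE-2020-24977
+++ b/textproc/libxml2/files/patch-CVE-2020-24977
@@ -1,36 +0,0 @@
-From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 7 Aug 2020 21:54:27 +0200
-Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
-
-Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
-array access.
-
-Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
-the report.
-
-Fixes #178.
----
- xmllint.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/xmllint.c b/xmllint.c
-index f6a8e463..c647486f 100644
---- xmllint.c
-+++ xmllint.c
-@@ -528,6 +528,12 @@ static void
- xmlHTMLEncodeSend(void) {
-     char *result;
- 
-+    /*
-+     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
-+     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
-+     * an out-of-bounds read.
-+     */
-+    memset(&buffer[sizeof(buffer)-4], 0, 4);
-     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
-     if (result) {
- 	xmlGenericError(xmlGenericErrorContext, "%s", result);
--- 
-GitLab
-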
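--- a/textproc/libxml2/files/patch-CVE-2020-7595
+++ b/textproc/libxml2/files/patch-CVE-2020-7595
@@ -1,32 +0,0 @@
-From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
-From: Zhipeng Xie <xiezhipeng1@huawei.com>
-Date: Thu, 12 Dec 2019 17:30:55 +0800
-Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
-
-When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
-return NULL which cause a infinite loop in xmlStringLenDecodeEntities
-
-Found with libFuzzer.
-
-Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index d1c31963..a34bb6cd 100644
---- parser.c
-+++ parser.c
-@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
-     else
-         c = 0;
-     while ((c != 0) && (c != end) && /* non input consuming loop */
--	   (c != end2) && (c != end3)) {
-+           (c != end2) && (c != end3) &&
-+           (ctxt->instate != XML_PARSER_EOF)) {
- 
- 	if (c == 0) break;
-         if ((c == '&') && (str[1] == '#')) {
--- 
-GitLab
-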
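--- a/textproc/libxml2/files/patch-CVE-2021-3541
+++ b/textproc/libxml2/files/patch-CVE-2021-3541
@@ -1,67 +0,0 @@
-From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Thu, 13 May 2021 14:55:12 +0200
-Subject: [PATCH] Patch for security issue CVE-2021-3541
-
-This is relapted to parameter entities expansion and following
-the line of the billion laugh attack. Somehow in that path the
-counting of parameters was missed and the normal algorithm based
-on entities "density" was useless.
----
- parser.c | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git parser.c parser.c
-index f5e5e169..c9312fa4 100644
---- parser.c
-+++ parser.c
-@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
-                      xmlEntityPtr ent, size_t replacement)
- {
-     size_t consumed = 0;
-+    int i;
- 
-     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
-         return (0);
-@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- 	    rep = NULL;
- 	}
-     }
-+
-+    /*
-+     * Prevent entity exponential check, not just replacement while
-+     * parsing the DTD
-+     * The check is potentially costly so do that only once in a thousand
-+     */
-+    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
-+        (ctxt->nbentities % 1024 == 0)) {
-+	for (i = 0;i < ctxt->inputNr;i++) {
-+	    consumed += ctxt->inputTab[i]->consumed +
-+	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
-+	}
-+	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
-+	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
-+	    ctxt->instate = XML_PARSER_EOF;
-+	    return (1);
-+	}
-+	consumed = 0;
-+    }
-+
-+
-+
-     if (replacement != 0) {
- 	if (replacement < XML_MAX_TEXT_LENGTH)
- 	    return(0);
-@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
-             xmlChar start[4];
-             xmlCharEncoding enc;
- 
-+	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
-+	        return;
-+
- 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
- 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
- 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
--- 
-2.31.1
-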
(-)b/textproc/libxml2/files/patch-Makefile.in (-4 / +22 lines)
Lines 1-6 Link Here
1
--- Makefile.in.orig	2019-11-16 14:42:34 UTC
1
--- Makefile.in.orig	2021-06-09 19:53:33 UTC
2
+++ Makefile.in
2
+++ Makefile.in
3
@@ -1284,7 +1284,7 @@ am--depfiles: $(am__depfiles_remade)
3
@@ -760,7 +760,7 @@ man_MANS = xml2-config.1 libxml.3
4
 m4datadir = $(datadir)/aclocal
5
 m4data_DATA = libxml.m4
6
 runtest_SOURCES = runtest.c
7
-runtest_LDFLAGS = 
8
+runtest_LDFLAGS = -pthread
9
 runtest_DEPENDENCIES = $(DEPS)
10
 runtest_LDADD = $(BASE_THREAD_LIBS) $(RDL_LIBS) $(LDADDS)
11
 testrecurse_SOURCES = testrecurse.c
12
@@ -808,7 +808,7 @@ testC14N_LDFLAGS = 
13
 testC14N_DEPENDENCIES = $(DEPS)
14
 testC14N_LDADD = $(LDADDS)
15
 testThreads_SOURCES = testThreads.c
16
-testThreads_LDFLAGS = 
17
+testThreads_LDFLAGS = -pthread
18
 testThreads_DEPENDENCIES = $(DEPS)
19
 testThreads_LDADD = $(BASE_THREAD_LIBS) $(LDADDS)
20
 testURI_SOURCES = testURI.c
21
@@ -1285,7 +1285,7 @@ am--depfiles: $(am__depfiles_remade)
4
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
22
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
5
 
23
 
6
 .c.lo:
24
 .c.lo:
Lines 9-15 Link Here
9
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
27
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
10
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
28
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
11
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
29
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
12
@@ -1773,7 +1773,7 @@ check-am: all-am
30
@@ -1774,7 +1774,7 @@ check-am: all-am
13
 	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
31
 	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
14
 check: $(BUILT_SOURCES)
32
 check: $(BUILT_SOURCES)
15
 	$(MAKE) $(AM_MAKEFLAGS) check-recursive
33
 	$(MAKE) $(AM_MAKEFLAGS) check-recursive
Lines 18-24 Link Here
18
 		config.h
36
 		config.h
19
 install-binPROGRAMS: install-libLTLIBRARIES
37
 install-binPROGRAMS: install-libLTLIBRARIES
20
 
38
 
21
@@ -1910,7 +1910,7 @@ info: info-recursive
39
@@ -1911,7 +1911,7 @@ info: info-recursive
22
 
40
 
23
 info-am:
41
 info-am:
24
 
42
 
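--- a/textproc/libxml2/files/patch-Python-39-support
+++ b/textproc/libxml2/files/patch-Python-39-support
@@ -1,92 +0,0 @@
-From edc7b6abb0c125eeb888748c334897f60aab0854 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
-Date: Fri, 28 Feb 2020 12:48:14 +0100
-Subject: [PATCH] Parenthesize Py<type>_Check() in ifs
-
-In C, if expressions should be parenthesized.
-PyLong_Check, PyUnicode_Check etc. happened to expand to a parenthesized
-expression before, but that's not API to rely on.
-
-Since Python 3.9.0a4 it needs to be parenthesized explicitly.
-
-Fixes https://gitlab.gnome.org/GNOME/libxml2/issues/149
----
- python/libxml.c |  4 ++--
- python/types.c  | 12 ++++++------
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/python/libxml.c b/python/libxml.c
-index bc676c4e..81e709f3 100644
---- python/libxml.c
-+++ python/libxml.c
-@@ -294,7 +294,7 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
- 	lenread = PyBytes_Size(ret);
- 	data = PyBytes_AsString(ret);
- #ifdef PyUnicode_Check
--    } else if PyUnicode_Check (ret) {
-+    } else if (PyUnicode_Check (ret)) {
- #if PY_VERSION_HEX >= 0x03030000
-         Py_ssize_t size;
- 	const char *tmp;
-@@ -359,7 +359,7 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
- 	lenread = PyBytes_Size(ret);
- 	data = PyBytes_AsString(ret);
- #ifdef PyUnicode_Check
--    } else if PyUnicode_Check (ret) {
-+    } else if (PyUnicode_Check (ret)) {
- #if PY_VERSION_HEX >= 0x03030000
-         Py_ssize_t size;
- 	const char *tmp;
-diff --git a/python/types.c b/python/types.c
-index c2bafeb1..ed284ec7 100644
---- python/types.c
-+++ python/types.c
-@@ -602,16 +602,16 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj)
-     if (obj == NULL) {
-         return (NULL);
-     }
--    if PyFloat_Check (obj) {
-+    if (PyFloat_Check (obj)) {
-         ret = xmlXPathNewFloat((double) PyFloat_AS_DOUBLE(obj));
--    } else if PyLong_Check(obj) {
-+    } else if (PyLong_Check(obj)) {
- #ifdef PyLong_AS_LONG
-         ret = xmlXPathNewFloat((double) PyLong_AS_LONG(obj));
- #else
-         ret = xmlXPathNewFloat((double) PyInt_AS_LONG(obj));
- #endif
- #ifdef PyBool_Check
--    } else if PyBool_Check (obj) {
-+    } else if (PyBool_Check (obj)) {
- 
-         if (obj == Py_True) {
-           ret = xmlXPathNewBoolean(1);
-@@ -620,14 +620,14 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj)
-           ret = xmlXPathNewBoolean(0);
-         }
- #endif
--    } else if PyBytes_Check (obj) {
-+    } else if (PyBytes_Check (obj)) {
-         xmlChar *str;
- 
-         str = xmlStrndup((const xmlChar *) PyBytes_AS_STRING(obj),
-                          PyBytes_GET_SIZE(obj));
-         ret = xmlXPathWrapString(str);
- #ifdef PyUnicode_Check
--    } else if PyUnicode_Check (obj) {
-+    } else if (PyUnicode_Check (obj)) {
- #if PY_VERSION_HEX >= 0x03030000
-         xmlChar *str;
- 	const char *tmp;
-@@ -650,7 +650,7 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj)
- 	ret = xmlXPathWrapString(str);
- #endif
- #endif
--    } else if PyList_Check (obj) {
-+    } else if (PyList_Check (obj)) {
-         int i;
-         PyObject *node;
-         xmlNodePtr cur;
--- 
-GitLab
-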
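--- a/textproc/libxml2/files/patch-git-01-85b1792e37b131e7a51af98a37f92472e8de5f3f
+++ b/textproc/libxml2/files/patch-git-01-85b1792e37b131e7a51af98a37f92472e8de5f3f
@@ -0,0 +1,211 @@
+From 85b1792e37b131e7a51af98a37f92472e8de5f3f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 18 May 2021 20:08:28 +0200
+Subject: [PATCH] Work around lxml API abuse
+
+Make xmlNodeDumpOutput and htmlNodeDumpFormatOutput work with corrupted
+parent pointers. This used to work with the old recursive code but the
+non-recursive rewrite required parent pointers to be set correctly.
+
+Unfortunately, lxml relies on the old behavior and passes subtrees with
+a corrupted structure. Fall back to a recursive function call if an
+invalid parent pointer is detected.
+
+Fixes #255.
+---
+ HTMLtree.c | 46 ++++++++++++++++++++++++++++------------------
+ xmlsave.c  | 31 +++++++++++++++++++++----------
+ 2 files changed, 49 insertions(+), 28 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 24434d45..bdd639c7 100644
+--- HTMLtree.c
++++ HTMLtree.c
+@@ -744,7 +744,7 @@ void
+ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+ 	                 xmlNodePtr cur, const char *encoding ATTRIBUTE_UNUSED,
+                          int format) {
+-    xmlNodePtr root;
++    xmlNodePtr root, parent;
+     xmlAttrPtr attr;
+     const htmlElemDesc * info;
+ 
+@@ -755,6 +755,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+     }
+ 
+     root = cur;
++    parent = cur->parent;
+     while (1) {
+         switch (cur->type) {
+         case XML_HTML_DOCUMENT_NODE:
+@@ -762,13 +763,25 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+             if (((xmlDocPtr) cur)->intSubset != NULL) {
+                 htmlDtdDumpOutput(buf, (xmlDocPtr) cur, NULL);
+             }
+-            if (cur->children != NULL) {
++            /* Always validate cur->parent when descending. */
++            if ((cur->parent == parent) && (cur->children != NULL)) {
++                parent = cur;
+                 cur = cur->children;
+                 continue;
+             }
+             break;
+ 
+         case XML_ELEMENT_NODE:
++            /*
++             * Some users like lxml are known to pass nodes with a corrupted
++             * tree structure. Fall back to a recursive call to handle this
++             * case.
++             */
++            if ((cur->parent != parent) && (cur->children != NULL)) {
++                htmlNodeDumpFormatOutput(buf, doc, cur, encoding, format);
++                break;
++            }
++
+             /*
+              * Get specific HTML info for that node.
+              */
+@@ -817,6 +830,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+                     (cur->name != NULL) &&
+                     (cur->name[0] != 'p')) /* p, pre, param */
+                     xmlOutputBufferWriteString(buf, "\n");
++                parent = cur;
+                 cur = cur->children;
+                 continue;
+             }
+@@ -825,9 +839,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+                 (info != NULL) && (!info->isinline)) {
+                 if ((cur->next->type != HTML_TEXT_NODE) &&
+                     (cur->next->type != HTML_ENTITY_REF_NODE) &&
+-                    (cur->parent != NULL) &&
+-                    (cur->parent->name != NULL) &&
+-                    (cur->parent->name[0] != 'p')) /* p, pre, param */
++                    (parent != NULL) &&
++                    (parent->name != NULL) &&
++                    (parent->name[0] != 'p')) /* p, pre, param */
+                     xmlOutputBufferWriteString(buf, "\n");
+             }
+ 
+@@ -842,9 +856,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+                 break;
+             if (((cur->name == (const xmlChar *)xmlStringText) ||
+                  (cur->name != (const xmlChar *)xmlStringTextNoenc)) &&
+-                ((cur->parent == NULL) ||
+-                 ((xmlStrcasecmp(cur->parent->name, BAD_CAST "script")) &&
+-                  (xmlStrcasecmp(cur->parent->name, BAD_CAST "style"))))) {
++                ((parent == NULL) ||
++                 ((xmlStrcasecmp(parent->name, BAD_CAST "script")) &&
++                  (xmlStrcasecmp(parent->name, BAD_CAST "style"))))) {
+                 xmlChar *buffer;
+ 
+                 buffer = xmlEncodeEntitiesReentrant(doc, cur->content);
+@@ -902,13 +916,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+                 break;
+             }
+ 
+-            /*
+-             * The parent should never be NULL here but we want to handle
+-             * corrupted documents gracefully.
+-             */
+-            if (cur->parent == NULL)
+-                return;
+-            cur = cur->parent;
++            cur = parent;
++            /* cur->parent was validated when descending. */
++            parent = cur->parent;
+ 
+             if ((cur->type == XML_HTML_DOCUMENT_NODE) ||
+                 (cur->type == XML_DOCUMENT_NODE)) {
+@@ -939,9 +949,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
+                     (cur->next != NULL)) {
+                     if ((cur->next->type != HTML_TEXT_NODE) &&
+                         (cur->next->type != HTML_ENTITY_REF_NODE) &&
+-                        (cur->parent != NULL) &&
+-                        (cur->parent->name != NULL) &&
+-                        (cur->parent->name[0] != 'p')) /* p, pre, param */
++                        (parent != NULL) &&
++                        (parent->name != NULL) &&
++                        (parent->name[0] != 'p')) /* p, pre, param */
+                         xmlOutputBufferWriteString(buf, "\n");
+                 }
+             }
+diff --git a/xmlsave.c b/xmlsave.c
+index 61a40459..aedbd5e7 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -847,7 +847,7 @@ htmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+ static void
+ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+     int format = ctxt->format;
+-    xmlNodePtr tmp, root, unformattedNode = NULL;
++    xmlNodePtr tmp, root, unformattedNode = NULL, parent;
+     xmlAttrPtr attr;
+     xmlChar *start, *end;
+     xmlOutputBufferPtr buf;
+@@ -856,6 +856,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+     buf = ctxt->buf;
+ 
+     root = cur;
++    parent = cur->parent;
+     while (1) {
+         switch (cur->type) {
+         case XML_DOCUMENT_NODE:
+@@ -868,7 +869,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+             break;
+ 
+         case XML_DOCUMENT_FRAG_NODE:
+-            if (cur->children != NULL) {
++            /* Always validate cur->parent when descending. */
++            if ((cur->parent == parent) && (cur->children != NULL)) {
++                parent = cur;
+                 cur = cur->children;
+                 continue;
+             }
+@@ -887,7 +890,18 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+             break;
+ 
+         case XML_ELEMENT_NODE:
+-	    if ((cur != root) && (ctxt->format == 1) && (xmlIndentTreeOutput))
++            /*
++             * Some users like lxml are known to pass nodes with a corrupted
++             * tree structure. Fall back to a recursive call to handle this
++             * case.
++             */
++            if ((cur->parent != parent) && (cur->children != NULL)) {
++                xmlNodeDumpOutputInternal(ctxt, cur);
++                break;
++            }
++
++	    if ((ctxt->level > 0) && (ctxt->format == 1) &&
++                (xmlIndentTreeOutput))
+ 		xmlOutputBufferWrite(buf, ctxt->indent_size *
+ 				     (ctxt->level > ctxt->indent_nr ?
+ 				      ctxt->indent_nr : ctxt->level),
+@@ -942,6 +956,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+                 xmlOutputBufferWrite(buf, 1, ">");
+                 if (ctxt->format == 1) xmlOutputBufferWrite(buf, 1, "\n");
+                 if (ctxt->level >= 0) ctxt->level++;
++                parent = cur;
+                 cur = cur->children;
+                 continue;
+             }
+@@ -1058,13 +1073,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+                 break;
+             }
+ 
+-            /*
+-             * The parent should never be NULL here but we want to handle
+-             * corrupted documents gracefully.
+-             */
+-            if (cur->parent == NULL)
+-                return;
+-            cur = cur->parent;
++            cur = parent;
++            /* cur->parent was validated when descending. */
++            parent = cur->parent;
+ 
+             if (cur->type == XML_ELEMENT_NODE) {
+                 if (ctxt->level > 0) ctxt->level--;
+-- 
+GitLab
+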
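Review bot: The recursive fallback added under `case XML_ELEMENT_NODE` in both htmlNodeDumpFormatOutput and xmlNodeDumpOutputInternal carries no depth bound, so every nested element whose `cur->parent` disagrees with the tracked `parent` costs one more stack frame. The commit message presents the non-recursive walk as the normal path, and a tree with consistent parent pointers should never take this branch, but the in-code comment does not say how deep the fallback can go. I would extend that comment with something like `/* Recursion depth equals the number of nested nodes with a mismatched parent pointer. */` so callers that serialize very deep trees know the limit. Both function bodies start and end outside the hunks shown.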
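--- a/textproc/libxml2/files/patch-git-02-13ad8736d294536da4cbcd70a96b0a2fbf47070c
+++ b/textproc/libxml2/files/patch-git-02-13ad8736d294536da4cbcd70a96b0a2fbf47070c
@@ -0,0 +1,46 @@
+From 13ad8736d294536da4cbcd70a96b0a2fbf47070c Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 25 May 2021 10:55:25 +0200
+Subject: [PATCH] Fix regression in xmlNodeDumpOutputInternal
+
+Commit 85b1792e could cause additional whitespace if xmlNodeDump was
+called with a non-zero starting level.
+---
+ xmlsave.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index aedbd5e7..489505f4 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -890,6 +890,13 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+             break;
+ 
+         case XML_ELEMENT_NODE:
++	    if ((cur != root) && (ctxt->format == 1) &&
++                (xmlIndentTreeOutput))
++		xmlOutputBufferWrite(buf, ctxt->indent_size *
++				     (ctxt->level > ctxt->indent_nr ?
++				      ctxt->indent_nr : ctxt->level),
++				     ctxt->indent);
++
+             /*
+              * Some users like lxml are known to pass nodes with a corrupted
+              * tree structure. Fall back to a recursive call to handle this
+@@ -900,13 +907,6 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
+                 break;
+             }
+ 
+-	    if ((ctxt->level > 0) && (ctxt->format == 1) &&
+-                (xmlIndentTreeOutput))
+-		xmlOutputBufferWrite(buf, ctxt->indent_size *
+-				     (ctxt->level > ctxt->indent_nr ?
+-				      ctxt->indent_nr : ctxt->level),
+-				     ctxt->indent);
+-
+             xmlOutputBufferWrite(buf, 1, "<");
+             if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
+                 xmlOutputBufferWriteString(buf, (const char *)cur->ns->prefix);
+-- 
+GitLab
+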
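--- a/textproc/libxml2/files/patch-git-03-3e1aad4fe584747fd7d17cc7b2863a78e2d21a77
+++ b/textproc/libxml2/files/patch-git-03-3e1aad4fe584747fd7d17cc7b2863a78e2d21a77
@@ -0,0 +1,31 @@
+From 3e1aad4fe584747fd7d17cc7b2863a78e2d21a77 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Jun 2021 17:31:49 +0200
+Subject: [PATCH] Fix XPath recursion limit
+
+Fix accounting of recursion depth when parsing XPath expressions.
+
+This silly bug introduced in commit 804c5297 could lead to spurious
+errors when parsing larger expressions or XSLT documents.
+
+Should fix #264.
+---
+ xpath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xpath.c b/xpath.c
+index 7497ba07..1aa2f1ab 100644
+--- xpath.c
++++ xpath.c
+@@ -10983,7 +10983,7 @@ xmlXPathCompileExpr(xmlXPathParserContextPtr ctxt, int sort) {
+     }
+ 
+     if (xpctxt != NULL)
+-        xpctxt->depth -= 1;
++        xpctxt->depth -= 10;
+ }
+ 
+ /**
+-- 
+GitLab
+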
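Review bot: The bare `10` in `xpctxt->depth -= 10;` is only correct while it equals whatever is added to `depth` earlier in xmlXPathCompileExpr, presumably also 10, and that increment lies outside this hunk with nothing at the decrement pointing to it. This counter is what enforces the XPath recursion limit, so a mismatched pair either leaks depth, producing the spurious errors the commit message describes, or under-counts and weakens the limit. A comment such as `/* must equal the depth increment applied on entry */`, or one named constant shared by both sites, would keep the two in step.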
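--- a/textproc/libxml2/files/patch-git-106757e8c1e26ad9b8c924c7f304074b79e082c5
+++ b/textproc/libxml2/files/patch-git-106757e8c1e26ad9b8c924c7f304074b79e082c5
@@ -1,39 +0,0 @@
-commit 106757e8c1e26ad9b8c924c7f304074b79e082c5
-Author: Daniel Cheng <dcheng@google.com>
-Date:   Fri Apr 10 14:52:03 2020 -0700
-
-    Guard new calls to xmlValidatePopElement in xml_reader.c
-    
-    Closes #154.
-
-commit 386fb27654b93d9fb2880e03fb508d618a2e66f1
-Author: Łukasz Wojniłowicz <lukasz.wojnilowicz@gmail.com>
-Date:   Tue Apr 28 17:00:37 2020 +0200
-
-    Add LIBXML_VALID_ENABLED to xmlreader
-    
-    There are already LIBXML_VALID_ENABLED in this file to guard against
-    "--without-valid" at "./configure" step, but here they were missing.
-diff --git xmlreader.c xmlreader.c
-index 687c8b3c..3fd9aa4c 100644
---- xmlreader.c
-+++ xmlreader.c
-@@ -2260,14 +2260,18 @@ xmlFreeTextReader(xmlTextReaderPtr reader) {
-     if (reader->ctxt != NULL) {
-         if (reader->dict == reader->ctxt->dict)
- 	    reader->dict = NULL;
-+#ifdef LIBXML_VALID_ENABLED
- 	if ((reader->ctxt->vctxt.vstateTab != NULL) &&
- 	    (reader->ctxt->vctxt.vstateMax > 0)){
-+#ifdef LIBXML_REGEXP_ENABLED
-             while (reader->ctxt->vctxt.vstateNr > 0)
-                 xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL);
-+#endif /* LIBXML_REGEXP_ENABLED */
- 	    xmlFree(reader->ctxt->vctxt.vstateTab);
- 	    reader->ctxt->vctxt.vstateTab = NULL;
- 	    reader->ctxt->vctxt.vstateMax = 0;
- 	}
-+#endif /* LIBXML_VALID_ENABLED */
- 	if (reader->ctxt->myDoc != NULL) {
- 	    if (reader->preserve == 0)
- 		xmlTextReaderFreeDoc(reader, reader->ctxt->myDoc);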
