From 4a5e25fad6693afda89b3826f73e83d826618863 Mon Sep 17 00:00:00 2001
From: Aron Xu
Date: Sun, 26 Oct 2014 07:04:07 +0800
Subject: Remove no-longer-needed upstream patches
---
 ...-calls-to-xml-and-html-Read-parsing-entry.patch | 148 ---------------------
 1 file changed, 148 deletions(-)
 delete mode 100644 debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
(limited to 'debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch')
diff --git a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
deleted file mode 100644
index 7820411..0000000
--- a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From: Daniel Veillard
-Date: Mon, 9 Dec 2013 15:23:40 +0800
-Subject: adding init calls to xml and html Read parsing entry points
-
-As pointed out by "Tassyns, Bram " on the list
-some call had it other didn't, clean it up and add to all missing
-ones
----
- HTMLparser.c | 6 ++++++
- parser.c | 10 ++++++++++
- 2 files changed, 16 insertions(+)
-
-diff --git a/HTMLparser.c b/HTMLparser.c
-index dd0c1ea..44c1a3c 100644
---- a/HTMLparser.c
-+++ b/HTMLparser.c
-@@ -6808,6 +6808,7 @@ htmlReadFd(int fd, const char *URL, const char *encoding, int options)
-
- if (fd < 0)
- return (NULL);
-+ xmlInitParser();
-
- xmlInitParser();
- input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE);
-@@ -6898,6 +6899,7 @@ htmlCtxtReadDoc(htmlParserCtxtPtr ctxt, const xmlChar * cur,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- htmlCtxtReset(ctxt);
-
-@@ -6931,6 +6933,7 @@ htmlCtxtReadFile(htmlParserCtxtPtr ctxt, const char *filename,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- htmlCtxtReset(ctxt);
-
-@@ -6967,6 +6970,7 @@ htmlCtxtReadMemory(htmlParserCtxtPtr ctxt, const char *buffer, int size,
- return (NULL);
- if (buffer == NULL)
- return (NULL);
-+ xmlInitParser();
-
- htmlCtxtReset(ctxt);
-
-@@ -7009,6 +7013,7 @@ htmlCtxtReadFd(htmlParserCtxtPtr ctxt, int fd,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- htmlCtxtReset(ctxt);
-
-@@ -7053,6 +7058,7 @@ htmlCtxtReadIO(htmlParserCtxtPtr ctxt, xmlInputReadCallback ioread,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- htmlCtxtReset(ctxt);
-
-diff --git a/parser.c b/parser.c
-index dd00399..ad400f4 100644
---- a/parser.c
-+++ b/parser.c
-@@ -15217,6 +15217,7 @@ xmlReadDoc(const xmlChar * cur, const char *URL, const char *encoding, int optio
-
- if (cur == NULL)
- return (NULL);
-+ xmlInitParser();
-
- ctxt = xmlCreateDocParserCtxt(cur);
- if (ctxt == NULL)
-@@ -15239,6 +15240,7 @@ xmlReadFile(const char *filename, const char *encoding, int options)
- {
- xmlParserCtxtPtr ctxt;
-
-+ xmlInitParser();
- ctxt = xmlCreateURLParserCtxt(filename, options);
- if (ctxt == NULL)
- return (NULL);
-@@ -15262,6 +15264,7 @@ xmlReadMemory(const char *buffer, int size, const char *URL, const char *encodin
- {
- xmlParserCtxtPtr ctxt;
-
-+ xmlInitParser();
- ctxt = xmlCreateMemoryParserCtxt(buffer, size);
- if (ctxt == NULL)
- return (NULL);
-@@ -15290,6 +15293,7 @@ xmlReadFd(int fd, const char *URL, const char *encoding, int options)
-
- if (fd < 0)
- return (NULL);
-+ xmlInitParser();
-
- input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE);
- if (input == NULL)
-@@ -15333,6 +15337,7 @@ xmlReadIO(xmlInputReadCallback ioread, xmlInputCloseCallback ioclose,
-
- if (ioread == NULL)
- return (NULL);
-+ xmlInitParser();
-
- input = xmlParserInputBufferCreateIO(ioread, ioclose, ioctx,
- XML_CHAR_ENCODING_NONE);
-@@ -15379,6 +15384,7 @@ xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- xmlCtxtReset(ctxt);
-
-@@ -15412,6 +15418,7 @@ xmlCtxtReadFile(xmlParserCtxtPtr ctxt, const char *filename,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- xmlCtxtReset(ctxt);
-
-@@ -15448,6 +15455,7 @@ xmlCtxtReadMemory(xmlParserCtxtPtr ctxt, const char *buffer, int size,
- return (NULL);
- if (buffer == NULL)
- return (NULL);
-+ xmlInitParser();
-
- xmlCtxtReset(ctxt);
-
-@@ -15492,6 +15500,7 @@ xmlCtxtReadFd(xmlParserCtxtPtr ctxt, int fd,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- xmlCtxtReset(ctxt);
-
-@@ -15537,6 +15546,7 @@ xmlCtxtReadIO(xmlParserCtxtPtr ctxt, xmlInputReadCallback ioread,
- return (NULL);
- if (ctxt == NULL)
- return (NULL);
-+ xmlInitParser();
-
- xmlCtxtReset(ctxt);
-
-- cgit v1.2.3
From 3b14c3fd6410716d407178e48972b1c1bea48c29 Mon Sep 17 00:00:00 2001
From: Raphaël Hertzog
Date: Tue, 25 Aug 2015 22:26:52 +0200
Subject: Revert "Remove no-longer-needed upstream patches"
This reverts commit 4a5e25fad6693afda89b3826f73e83d826618863.
---
 .../0003-Fix-an-error-in-xmlCleanupParser.patch | 27 ++++
 ...ing-break-on-last-function-for-attributes.patch | 21 +++
 ...xmllint-memory-should-fail-on-empty-files.patch | 27 ++++
 ...ote-the-namespace-uris-written-out-during.patch | 32 +++++
 ...ng-bug-on-non-ascii-element-and-CR-LF-usa.patch | 57 ++++++++
 debian/patches/0008-missing-else-in-xlink.c.patch | 22 +++
 ...9-Catch-malloc-error-and-exit-accordingly.patch | 24 ++++
 .../patches/0010-Fix-handling-of-mmap-errors.patch | 51 +++++++
 .../0011-Avoid-crash-if-allocation-fails.patch | 25 ++++
 .../0012-Fix-a-possible-NULL-dereference.patch | 30 +++++
 ...013-Clear-up-a-potential-NULL-dereference.patch | 26 ++++
 ...14-Fix-XPath-optimization-with-predicates.patch | 27 ++++
 ...tty-crashed-without-following-numeric-arg.patch | 34 +++++
 ...al-NULL-pointer-dereferences-in-regexp-co.patch | 45 +++++++
 ...a-potential-NULL-dereference-in-tree-code.patch | 26 ++++
 ...ix-pointer-dereferenced-before-null-check.patch | 25 ++++
 ...9-Fix-a-bug-loading-some-compressed-files.patch | 69 ++++++++++
 ...-possibility-of-dangling-encoding-handler.patch | 57 ++++++++
 .../0021-Fix-a-couple-of-missing-NULL-checks.patch | 29 ++++
 ...-calls-to-xml-and-html-Read-parsing-entry.patch | 148 +++++++++++++++++++++
 ...of-XPath-function-arguments-in-error-case.patch | 41 ++++++
 ...ing-initialization-for-the-catalog-module.patch | 22 +++
 .../0025-Fix-an-fd-leak-in-an-error-case.patch | 24 ++++
 ...-fixing-a-ptotential-uninitialized-access.patch | 21 +++
 ...WriterWriteElement-when-a-null-content-is.patch | 29 ++++
 ...Avoid-a-possible-NULL-pointer-dereference.patch | 22 +++
 ...-Do-not-fetch-external-parameter-entities.patch | 35 +++++
 ...ble-null-pointer-dereference-in-memory-de.patch | 32 +++++
 ...1-xmllint-was-not-parsing-the-c14n11-flag.patch | 22 +++
 ...essions-introduced-by-CVE-2014-0191-patch.patch | 58 ++++++++
 debian/patches/series | 31 ++++-
 31 files changed, 1138 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch
 create mode 100644 debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch
 create mode 100644 debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch
 create mode 100644 debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch
 create mode 100644 debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
 create mode 100644 debian/patches/0008-missing-else-in-xlink.c.patch
 create mode 100644 debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch
 create mode 100644 debian/patches/0010-Fix-handling-of-mmap-errors.patch
 create mode 100644 debian/patches/0011-Avoid-crash-if-allocation-fails.patch
 create mode 100644 debian/patches/0012-Fix-a-possible-NULL-dereference.patch
 create mode 100644 debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch
 create mode 100644 debian/patches/0014-Fix-XPath-optimization-with-predicates.patch
 create mode 100644 debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch
 create mode 100644 debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch
 create mode 100644 debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch
 create mode 100644 debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch
 create mode 100644 debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch
 create mode 100644 debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch
 create mode 100644 debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch
 create mode 100644 debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
 create mode 100644 debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch
 create mode 100644 debian/patches/0024-Missing-initialization-for-the-catalog-module.patch
 create mode 100644 debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch
 create mode 100644 debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch
 create mode 100644 debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch
 create mode 100644 debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch
 create mode 100644 debian/patches/0029-Do-not-fetch-external-parameter-entities.patch
 create mode 100644 debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
 create mode 100644 debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch
 create mode 100644 debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
(limited to 'debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch')
diff --git a/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch b/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch
new file mode 100644
index 0000000..03bf447
--- /dev/null
+++ b/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch
@@ -0,0 +1,27 @@
+From: Alexander Pastukhov
+Date: Tue, 23 Apr 2013 05:02:11 +0000
+Subject: Fix an error in xmlCleanupParser
+
+https://bugzilla.gnome.org/show_bug.cgi?id=698582
+
+xmlCleanupParser calls xmlCleanupGlobals() and then
+xmlResetLastError() but the later reallocate the global
+data freed by previous call. Just swap the two calls.
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ee429f3..b9df6d8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -14763,8 +14763,8 @@ xmlCleanupParser(void) {
+ xmlSchemaCleanupTypes();
+ xmlRelaxNGCleanupTypes();
+ #endif
+- xmlCleanupGlobals();
+ xmlResetLastError();
++ xmlCleanupGlobals();
+ xmlCleanupThreads(); /* must be last if called not from the main thread */
+ xmlCleanupMemory();
+ xmlParserInitialized = 0;
diff --git a/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch b/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch
new file mode 100644
index 0000000..cff8b72
--- /dev/null
+++ b/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch
@@ -0,0 +1,21 @@
+From: dcb
+Date: Thu, 2 May 2013 08:11:46 +0000
+Subject: Fix missing break on last() function for attributes
+
+pointed out by cppcheck
+---
+ python/libxml.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/python/libxml.c b/python/libxml.c
+index 03cfb9f..3338b83 100644
+--- a/python/libxml.c
++++ b/python/libxml.c
+@@ -2683,6 +2683,7 @@ libxml_last(ATTRIBUTE_UNUSED PyObject * self, PyObject * args)
+ xmlAttrPtr attr = (xmlAttrPtr) cur;
+
+ res = attr->last;
++ break;
+ }
+ default:
+ res = NULL;
diff --git a/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch b/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch
new file mode 100644
index 0000000..e1a2197
--- /dev/null
+++ b/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch
@@ -0,0 +1,27 @@
+From: Daniel Veillard
+Date: Wed, 8 May 2013 05:45:48 +0000
+Subject: xmllint --memory should fail on empty files
+
+Exposed by https://bugzilla.gnome.org/show_bug.cgi?id=699896
+when doing analysis but a priori unrelated.
+---
+ xmllint.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 26d8db1..c0196ab 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2338,8 +2338,11 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if ((fd = open(filename, O_RDONLY)) < 0)
+ return;
+ base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
+- if (base == (void *) MAP_FAILED)
++ if (base == (void *) MAP_FAILED) {
++ fprintf(stderr, "mmap failure for file %s\n", filename);
++ progresult = XMLLINT_ERR_RDFILE;
+ return;
++ }
+
+ if (rectxt == NULL)
+ doc = xmlReadMemory((char *) base, info.st_size,
diff --git a/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch b/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch
new file mode 100644
index 0000000..6f4c4c8
--- /dev/null
+++ b/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch
@@ -0,0 +1,32 @@
+From: Aleksey Sanin
+Date: Thu, 9 May 2013 16:02:16 +0000
+Subject: properly quote the namespace uris written out during c14n
+
+---
+ c14n.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/c14n.c b/c14n.c
+index afd95b3..ca77f92 100644
+--- a/c14n.c
++++ b/c14n.c
+@@ -547,14 +547,15 @@ xmlC14NPrintNamespaces(const xmlNsPtr ns, xmlC14NCtxPtr ctx)
+ if (ns->prefix != NULL) {
+ xmlOutputBufferWriteString(ctx->buf, " xmlns:");
+ xmlOutputBufferWriteString(ctx->buf, (const char *) ns->prefix);
+- xmlOutputBufferWriteString(ctx->buf, "=\"");
++ xmlOutputBufferWriteString(ctx->buf, "=");
+ } else {
+- xmlOutputBufferWriteString(ctx->buf, " xmlns=\"");
++ xmlOutputBufferWriteString(ctx->buf, " xmlns=");
+ }
+ if(ns->href != NULL) {
+- xmlOutputBufferWriteString(ctx->buf, (const char *) ns->href);
++ xmlBufWriteQuotedString(ctx->buf->buffer, ns->href);
++ } else {
++ xmlOutputBufferWriteString(ctx->buf, "\"\"");
+ }
+- xmlOutputBufferWriteString(ctx->buf, "\"");
+ return (1);
+ }
+
diff --git a/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch b/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
new file mode 100644
index 0000000..442fd11
--- /dev/null
+++ b/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
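Review bot: In `xmlC14NPrintNamespaces` the namespace href now goes through `xmlBufWriteQuotedString(ctx->buf->buffer, ns->href)`, which writes straight into the underlying buffer instead of using the `xmlOutputBufferWriteString` calls found on every other line of the function, and its result is not checked. As far as I know that helper picks the delimiter from the string's content, so an href holding a double quote but no apostrophe would come out single-quoted, and it does not appear to apply the attribute-value escaping that canonical form expects; consumers compare or sign this output byte for byte, so a test with such an href is worth adding before relying on the patch. At minimum I would add a comment above the call, e.g. `/* href is written raw into buf->buffer; assumes no encoder is attached to ctx->buf */`. The function starts outside the hunk.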
@@ -0,0 +1,57 @@
+From: Daniel Veillard
+Date: Wed, 22 May 2013 20:56:45 +0000
+Subject: Fix a parsing bug on non-ascii element and CR/LF usage
+
+https://bugzilla.gnome.org/show_bug.cgi?id=698550
+
+Somehow the behaviour of the internal parser routine changed
+slightly when encountering CR/LF, which led to a bug when
+parsing document with non-ascii Names
+---
+ parser.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b9df6d8..dd00399 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3404,6 +3404,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */
+
+ #ifdef DEBUG
+ nbParseNCNameComplex++;
+@@ -3413,6 +3414,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ * Handler for more complex cases
+ */
+ GROW;
++ end = ctxt->input->cur;
+ c = CUR_CHAR(l);
+ if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
+ (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) {
+@@ -3434,12 +3436,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ }
+ len += l;
+ NEXTL(l);
++ end = ctxt->input->cur;
+ c = CUR_CHAR(l);
+ if (c == 0) {
+ count = 0;
+ GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
++ end = ctxt->input->cur;
+ c = CUR_CHAR(l);
+ }
+ }
+@@ -3448,7 +3452,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
++ return(xmlDictLookup(ctxt->dict, end - len, len));
+ }
+
+ /**
diff --git a/debian/patches/0008-missing-else-in-xlink.c.patch b/debian/patches/0008-missing-else-in-xlink.c.patch
new file mode 100644
index 0000000..88a4e86
--- /dev/null
+++ b/debian/patches/0008-missing-else-in-xlink.c.patch
@@ -0,0 +1,22 @@
+From: Ami Fischman
+Date: Tue, 2 Jul 2013 09:47:26 +0800
+Subject: missing else in xlink.c
+
+Obviously forgotten
+---
+ xlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xlink.c b/xlink.c
+index 3566e06..c0e4ff3 100644
+--- a/xlink.c
++++ b/xlink.c
+@@ -150,7 +150,7 @@ xlinkIsLink (xmlDocPtr doc, xmlNodePtr node) {
+ if (type != NULL) {
+ if (xmlStrEqual(type, BAD_CAST "simple")) {
+ ret = XLINK_TYPE_SIMPLE;
+- } if (xmlStrEqual(type, BAD_CAST "extended")) {
++ } else if (xmlStrEqual(type, BAD_CAST "extended")) {
+ role = xmlGetNsProp(node, BAD_CAST "role", XLINK_NAMESPACE);
+ if (role != NULL) {
+ xmlNsPtr xlink;
diff --git a/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch b/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch
new file mode 100644
index 0000000..3f93a57
--- /dev/null
+++ b/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch
@@ -0,0 +1,24 @@
+From: Daniel Veillard
+Date: Thu, 11 Jul 2013 15:41:22 +0800
+Subject: Catch malloc error and exit accordingly
+
+As pointed privately by Bill Parker
+---
+ xmllint.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index c0196ab..4d464e4 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -3090,6 +3090,10 @@ static void usage(const char *name) {
+ static void registerNode(xmlNodePtr node)
+ {
+ node->_private = malloc(sizeof(long));
++ if (node->_private == NULL) {
++ fprintf(stderr, "Out of memory in xmllint:registerNode()\n");
++ exit(XMLLINT_ERR_MEM);
++ }
+ *(long*)node->_private = (long) 0x81726354;
+ nbregister++;
+ }
diff --git a/debian/patches/0010-Fix-handling-of-mmap-errors.patch b/debian/patches/0010-Fix-handling-of-mmap-errors.patch
new file mode 100644
index 0000000..0c55cfe
--- /dev/null
+++ b/debian/patches/0010-Fix-handling-of-mmap-errors.patch
@@ -0,0 +1,51 @@
+From: Daniel Veillard
+Date: Fri, 12 Jul 2013 12:08:40 +0800
+Subject: Fix handling of mmap errors
+
+https://bugzilla.gnome.org/show_bug.cgi?id=702320
+
+as raised by Gaurav
+---
+ xmllint.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 4d464e4..92e6b03 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -1837,8 +1837,12 @@ static void streamFile(char *filename) {
+ if ((fd = open(filename, O_RDONLY)) < 0)
+ return;
+ base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
+- if (base == (void *) MAP_FAILED)
++ if (base == (void *) MAP_FAILED) {
++ close(fd);
++ fprintf(stderr, "mmap failure for file %s\n", filename);
++ progresult = XMLLINT_ERR_RDFILE;
+ return;
++ }
+
+ reader = xmlReaderForMemory(base, info.st_size, filename,
+ NULL, options);
+@@ -2223,8 +2227,12 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if ((fd = open(filename, O_RDONLY)) < 0)
+ return;
+ base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
+- if (base == (void *) MAP_FAILED)
++ if (base == (void *) MAP_FAILED) {
++ close(fd);
++ fprintf(stderr, "mmap failure for file %s\n", filename);
++ progresult = XMLLINT_ERR_RDFILE;
+ return;
++ }
+
+ doc = htmlReadMemory((char *) base, info.st_size, filename,
+ NULL, options);
+@@ -2339,6 +2347,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ return;
+ base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
+ if (base == (void *) MAP_FAILED) {
++ close(fd);
+ fprintf(stderr, "mmap failure for file %s\n", filename);
+ progresult = XMLLINT_ERR_RDFILE;
+ return;
diff --git a/debian/patches/0011-Avoid-crash-if-allocation-fails.patch b/debian/patches/0011-Avoid-crash-if-allocation-fails.patch
new file mode 100644
index 0000000..e4e7206
--- /dev/null
+++ b/debian/patches/0011-Avoid-crash-if-allocation-fails.patch
@@ -0,0 +1,25 @@
+From: Daniel Veillard
+Date: Mon, 22 Jul 2013 14:28:20 +0800
+Subject: Avoid crash if allocation fails
+
+https://bugzilla.gnome.org/show_bug.cgi?id=704527
+xmlSchemaNewValue() may fail on OOM error
+---
+ xmlschemastypes.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index a9edc03..ec403e8 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -242,6 +242,10 @@ xmlSchemaNewMinLengthFacet(int value)
+ }
+ ret->type = XML_SCHEMA_FACET_MINLENGTH;
+ ret->val = xmlSchemaNewValue(XML_SCHEMAS_NNINTEGER);
++ if (ret->val == NULL) {
++ xmlFree(ret);
++ return(NULL);
++ }
+ ret->val->value.decimal.lo = value;
+ return (ret);
+ }
diff --git a/debian/patches/0012-Fix-a-possible-NULL-dereference.patch b/debian/patches/0012-Fix-a-possible-NULL-dereference.patch
new file mode 100644
index 0000000..9a7cf6f
--- /dev/null
+++ b/debian/patches/0012-Fix-a-possible-NULL-dereference.patch
@@ -0,0 +1,30 @@
+From: Gaurav
+Date: Sat, 3 Aug 2013 22:16:02 +0800
+Subject: Fix a possible NULL dereference
+
+https://bugzilla.gnome.org/show_bug.cgi?id=705400
+In case of allocation error the pointer was dereferenced before the
+test for a failure
+---
+ SAX2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index 4adf202..33d167e 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -994,12 +994,12 @@ xmlSAX2StartDocument(void *ctx)
+ #ifdef LIBXML_HTML_ENABLED
+ if (ctxt->myDoc == NULL)
+ ctxt->myDoc = htmlNewDocNoDtD(NULL, NULL);
+- ctxt->myDoc->properties = XML_DOC_HTML;
+- ctxt->myDoc->parseFlags = ctxt->options;
+ if (ctxt->myDoc == NULL) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2StartDocument");
+ return;
+ }
++ ctxt->myDoc->properties = XML_DOC_HTML;
++ ctxt->myDoc->parseFlags = ctxt->options;
+ #else
+ xmlGenericError(xmlGenericErrorContext,
+ "libxml2 built without HTML support\n");
diff --git a/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch b/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch
new file mode 100644
index 0000000..a18dfaf
--- /dev/null
+++ b/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch
@@ -0,0 +1,26 @@
+From: Daniel Veillard
+Date: Sat, 3 Aug 2013 22:25:13 +0800
+Subject: Clear up a potential NULL dereference
+
+https://bugzilla.gnome.org/show_bug.cgi?id=705399
+
+if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought
+to be zero but it's better to clarify the check in the code directly.
+---
+ parserInternals.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parserInternals.c b/parserInternals.c
+index f8a7041..98a5836 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1990,7 +1990,8 @@ xmlParserAddNodeInfo(xmlParserCtxtPtr ctxt,
+
+ /* Otherwise, we need to add new node to buffer */
+ else {
+- if (ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) {
++ if ((ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) ||
++ (ctxt->node_seq.buffer == NULL)) {
+ xmlParserNodeInfo *tmp_buffer;
+ unsigned int byte_size;
+
diff --git a/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch b/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch
new file mode 100644
index 0000000..f24424a
--- /dev/null
+++ b/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch
@@ -0,0 +1,27 @@
+From: Nick Wellnhofer
+Date: Sun, 4 Aug 2013 22:15:11 +0000
+Subject: Fix XPath '//' optimization with predicates
+
+My attempt to optimize XPath expressions containing '//' caused a
+regression reported in bug #695699. This commit disables the
+optimization for expressions of the form '//foo[predicate]'.
+---
+ xpath.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 97410e7..a676989 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -14719,8 +14719,9 @@ xmlXPathOptimizeExpression(xmlXPathCompExprPtr comp, xmlXPathStepOpPtr op)
+ * internal representation.
+ */
+
+- if ((op->ch1 != -1) &&
+- (op->op == XPATH_OP_COLLECT /* 11 */))
++ if ((op->op == XPATH_OP_COLLECT /* 11 */) &&
++ (op->ch1 != -1) &&
++ (op->ch2 == -1 /* no predicate */))
+ {
+ xmlXPathStepOpPtr prevop = &comp->steps[op->ch1];
+
diff --git a/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch b/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch
new file mode 100644
index 0000000..b910c3a
--- /dev/null
+++ b/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch
@@ -0,0 +1,34 @@
+From: Tim Galeckas
+Date: Thu, 29 Aug 2013 16:44:33 +0800
+Subject: xmllint --pretty crashed without following numeric argument
+
+https://bugzilla.gnome.org/show_bug.cgi?id=674789
+
+We need to check for NULL argument before calling atoi()
+---
+ xmllint.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 92e6b03..d69722c 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -3388,11 +3388,13 @@ main(int argc, char **argv) {
+ (!strcmp(argv[i], "--pretty"))) {
+ i++;
+ #ifdef LIBXML_OUTPUT_ENABLED
+- format = atoi(argv[i]);
+- if (format == 1) {
+- noblanks++;
+- xmlKeepBlanksDefault(0);
+- }
++ if (argv[i] != NULL) {
++ format = atoi(argv[i]);
++ if (format == 1) {
++ noblanks++;
++ xmlKeepBlanksDefault(0);
++ }
++ }
+ #endif /* LIBXML_OUTPUT_ENABLED */
+ }
+ #ifdef LIBXML_READER_ENABLED
diff --git a/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch b/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch
new file mode 100644
index 0000000..fa8a176
--- /dev/null
+++ b/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch
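Review bot: With the added `if (argv[i] != NULL)` guard, a trailing `--pretty` with no value is accepted silently and `format` keeps whatever value it had, so the user gets no hint that the option was ignored. `atoi` also gives no way to tell a non-numeric argument from `0`. I would report the missing or malformed value instead, for example an `else { fprintf(stderr, "--pretty requires a numeric argument\n"); }` branch together with a `strtol` call and an end-pointer check. `main` starts and ends outside the hunk, so which exit path fits is for the author to decide.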
@@ -0,0 +1,45 @@
+From: Gaurav
+Date: Wed, 11 Sep 2013 14:59:06 +0800
+Subject: Fix potential NULL pointer dereferences in regexp code
+
+https://bugzilla.gnome.org/show_bug.cgi?id=707749
+
+Fix 3 cases where we might dereference NULL
+---
+ xmlregexp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/xmlregexp.c b/xmlregexp.c
+index 1f9911c..8e63d74 100644
+--- a/xmlregexp.c
++++ b/xmlregexp.c
+@@ -3162,8 +3162,10 @@ xmlFARegExecRollBack(xmlRegExecCtxtPtr exec) {
+ exec->status = -6;
+ return;
+ }
+- memcpy(exec->counts, exec->rollbacks[exec->nbRollbacks].counts,
++ if (exec->counts) {
++ memcpy(exec->counts, exec->rollbacks[exec->nbRollbacks].counts,
+ exec->comp->nbCounters * sizeof(int));
++ }
+ }
+
+ #ifdef DEBUG_REGEXP_EXEC
+@@ -4091,7 +4093,7 @@ rollback:
+ */
+ exec->determinist = 0;
+ xmlFARegExecRollBack(exec);
+- if (exec->status == 0) {
++ if ((exec->inputStack != NULL ) && (exec->status == 0)) {
+ value = exec->inputStack[exec->index].value;
+ data = exec->inputStack[exec->index].data;
+ #ifdef DEBUG_PUSH
+@@ -4306,7 +4308,7 @@ xmlRegExecGetValues(xmlRegExecCtxtPtr exec, int err,
+ (*nbval)++;
+ }
+ } else {
+- if ((exec->comp->states[trans->to] != NULL) &&
++ if ((exec->comp != NULL) && (exec->comp->states[trans->to] != NULL) &&
+ (exec->comp->states[trans->to]->type !=
+ XML_REGEXP_SINK_STATE)) {
+ if (atom->neg)
diff --git a/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch b/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch
new file mode 100644
index 0000000..2c55813
--- /dev/null
+++ b/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch
@@ -0,0 +1,26 @@
+From: Daniel Veillard
+Date: Wed, 11 Sep 2013 15:11:27 +0800
+Subject: Fix a potential NULL dereference in tree code
+
+https://bugzilla.gnome.org/show_bug.cgi?id=707750
+
+Also reported by Gaurav, simple fix to check the pointer before
+dereference
+---
+ tree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tree.c b/tree.c
+index 7e5af26..efc3ca2 100644
+--- a/tree.c
++++ b/tree.c
+@@ -9780,7 +9780,8 @@ leave_node:
+ if (clone->parent != NULL)
+ clone->parent->last = clone;
+ clone = clone->parent;
+- parentClone = clone->parent;
++ if (clone != NULL)
++ parentClone = clone->parent;
+ /*
+ * Process parent --> next;
+ */
diff --git a/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch b/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch
new file mode 100644
index 0000000..3ae1c59
--- /dev/null
+++ b/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch
@@ -0,0 +1,25 @@
+From: Gaurav
+Date: Mon, 30 Sep 2013 10:43:47 +0800
+Subject: Fix pointer dereferenced before null check
+
+for https://bugzilla.gnome.org/show_bug.cgi?id=708364
+
+xmlValidateElementContent is a private function but should still
+check the ctxt argument before dereferencing
+---
+ valid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/valid.c b/valid.c
+index 6e53a76..e0832e7 100644
+--- a/valid.c
++++ b/valid.c
+@@ -5236,7 +5236,7 @@ xmlValidateElementContent(xmlValidCtxtPtr ctxt, xmlNodePtr child,
+ xmlElementContentPtr cont;
+ const xmlChar *name;
+
+- if ((elemDecl == NULL) || (parent == NULL))
++ if ((elemDecl == NULL) || (parent == NULL) || (ctxt == NULL))
+ return(-1);
+ cont = elemDecl->content;
+ name = elemDecl->name;
diff --git a/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch b/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch
new file mode 100644
index 0000000..48b4fa4
--- /dev/null
+++ b/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch 
@@ -0,0 +1,69 @@
+From: Mike Alexander
+Date: Thu, 28 Nov 2013 23:21:23 +0800
+Subject: Fix a bug loading some compressed files
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=712528
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=877567
+
+There is a bug in xzlib.c which causes certain compressed XML files to fail to
+load correctly. The code in xz_decomp which attempts to verify the checksum
+and length of the expanded data fails if the checksum or length at the end of
+the file crosses a 1024 byte boundary. It calls gz_next4 to get those two
+values. This function uses the stream state in state->zstrm, but calls
+xz_avail which uses the state->strm stream info. This causes gz_next4 to
+signal a premature EOF if the data it is fetching crosses a 1024 byte boundary.
+---
+ xzlib.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/xzlib.c b/xzlib.c
+index 928bd17..cd045fa 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -245,6 +245,20 @@ xz_avail(xz_statep state)
+ return 0;
+ }
+
++#ifdef HAVE_ZLIB_H
++static int
++xz_avail_zstrm(xz_statep state)
++{
++ int ret;
++ state->strm.avail_in = state->zstrm.avail_in;
++ state->strm.next_in = state->zstrm.next_in;
++ ret = xz_avail(state);
++ state->zstrm.avail_in = (uInt) state->strm.avail_in;
++ state->zstrm.next_in = (Bytef *) state->strm.next_in;
++ return ret;
++}
++#endif
++
+ static int
+ is_format_xz(xz_statep state)
+ {
+@@ -314,6 +328,10 @@ is_format_lzma(xz_statep state)
+ #define NEXT() ((strm->avail_in == 0 && xz_avail(state) == -1) ? -1 : \
+ (strm->avail_in == 0 ? -1 : \
+ (strm->avail_in--, *(strm->next_in)++)))
++/* Same thing, but from zstrm */
++#define NEXTZ() ((strm->avail_in == 0 && xz_avail_zstrm(state) == -1) ? -1 : \
++ (strm->avail_in == 0 ? -1 : \
++ (strm->avail_in--, *(strm->next_in)++)))
+
+ /* Get a four-byte little-endian integer and return 0 on success and the value
+ in *ret. Otherwise -1 is returned and *ret is not modified. */
+@@ -324,10 +342,10 @@ gz_next4(xz_statep state, unsigned long *ret)
+ unsigned long val;
+ z_streamp strm = &(state->zstrm);
+
+- val = NEXT();
+- val += (unsigned) NEXT() << 8;
+- val += (unsigned long) NEXT() << 16;
+- ch = NEXT();
++ val = NEXTZ();
++ val += (unsigned) NEXTZ() << 8;
++ val += (unsigned long) NEXTZ() << 16;
++ ch = NEXTZ();
+ if (ch == -1)
+ return -1;
+ val += (unsigned long) ch << 24;
diff --git a/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch b/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch
new file mode 100644
index 0000000..ab0bde8
--- /dev/null
+++ b/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch
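Review bot: `xz_avail_zstrm` has no comment, and what it does is not obvious: it copies the zlib stream's input cursor into `state->strm`, calls `xz_avail`, then copies the refreshed cursor back through `(uInt)` and `(Bytef *)` casts. I would put `/* Refill input for zstrm: xz_avail() only knows state->strm, so mirror the cursor there and back. */` above it, and note that the `(uInt)` cast narrows `avail_in` if the two fields differ in width (presumably bounded by the read buffer size, to be confirmed). In `gz_next4` only the fourth `NEXTZ()` result is compared with `-1`; the first three are folded into `val` unchecked, which relies on a failed read staying failed on the following calls. `gz_next4` continues past the end of the hunk.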
@@ -0,0 +1,57 @@
+From: Gaurav
+Date: Fri, 29 Nov 2013 23:10:50 +0800
+Subject: Avoid a possibility of dangling encoding handler
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=711149
+
+In Function:
+int xmlCharEncCloseFunc(xmlCharEncodingHandler *handler)
+
+If the freed handler is any one of handlers[i] list, then it will make that
+hanldlers[i] as dangling. This may lead to crash issues at places where
+handlers is read.
+---
+ encoding.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/encoding.c b/encoding.c
+index 7330e90..d4fc45f 100644
+--- a/encoding.c
++++ b/encoding.c
+@@ -2851,14 +2851,25 @@ int
+ xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) {
+ int ret = 0;
+ int tofree = 0;
++ int i, handler_in_list = 0;
++
+ if (handler == NULL) return(-1);
+ if (handler->name == NULL) return(-1);
++ if (handlers != NULL) {
++ for (i = 0;i < nbCharEncodingHandler; i++) {
++ if (handler == handlers[i]) {
++ handler_in_list = 1;
++ break;
++ }
++ }
++ }
+ #ifdef LIBXML_ICONV_ENABLED
+ /*
+ * Iconv handlers can be used only once, free the whole block.
+ * and the associated icon resources.
+ */
+- if ((handler->iconv_out != NULL) || (handler->iconv_in != NULL)) {
++ if ((handler_in_list == 0) &&
++ ((handler->iconv_out != NULL) || (handler->iconv_in != NULL))) {
+ tofree = 1;
+ if (handler->iconv_out != NULL) {
+ if (iconv_close(handler->iconv_out))
+@@ -2873,7 +2884,8 @@ xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) {
+ }
+ #endif /* LIBXML_ICONV_ENABLED */
+ #ifdef LIBXML_ICU_ENABLED
+- if ((handler->uconv_out != NULL) || (handler->uconv_in != NULL)) {
++ if ((handler_in_list == 0) &&
++ ((handler->uconv_out != NULL) || (handler->uconv_in != NULL))) {
+ tofree = 1;
+ if (handler->uconv_out != NULL) {
+ closeIcuConverter(handler->uconv_out);
diff --git a/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch b/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch
new file mode 100644
index 0000000..6771dbb
--- /dev/null
+++ b/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch
@@ -0,0 +1,29 @@
+From: Gaurav
+Date: Fri, 29 Nov 2013 23:28:21 +0800
+Subject: Fix a couple of missing NULL checks
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=708681
+---
+ tree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tree.c b/tree.c
+index efc3ca2..43c3c57 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4294,6 +4294,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ if (doc->intSubset == NULL) {
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++ if (q == NULL) return(NULL);
+ q->doc = doc;
+ q->parent = parent;
+ doc->intSubset = (xmlDtdPtr) q;
+@@ -4305,6 +4306,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ } else
+ #endif /* LIBXML_TREE_ENABLED */
+ q = xmlStaticCopyNode(node, doc, parent, 1);
++ if (q == NULL) return(NULL);
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
diff --git a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
new file mode 100644
index 0000000..7820411
--- /dev/null
+++ b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
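Review bot: Both added `if (q == NULL) return(NULL);` lines in xmlStaticCopyNodeList return without releasing what the function has already built. The context right after the second check (`ret = p = q;`) shows copies being linked into `ret`, so a failure on a later node presumably drops the earlier copies on the floor. Routing both checks to a common exit, `if (q == NULL) goto error;` with `error: xmlFreeNodeList(ret); return(NULL);` at the end, would keep the NULL check without the leak. The function starts and ends outside both hunks, so the loop structure is inferred from the visible context.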
@@ -0,0 +1,148 @@ +From: Daniel Veillard +Date: Mon, 9 Dec 2013 15:23:40 +0800 +Subject: adding init calls to xml and html Read parsing entry points + +As pointed out by "Tassyns, Bram " on the list +some call had it other didn't, clean it up and add to all missing +ones +--- + HTMLparser.c | 6 ++++++ + parser.c | 10 ++++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/HTMLparser.c b/HTMLparser.c +index dd0c1ea..44c1a3c 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6808,6 +6808,7 @@ htmlReadFd(int fd, const char *URL, const char *encoding, int options) + + if (fd < 0) + return (NULL); ++ xmlInitParser(); + + xmlInitParser(); + input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE); +@@ -6898,6 +6899,7 @@ htmlCtxtReadDoc(htmlParserCtxtPtr ctxt, const xmlChar * cur, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + htmlCtxtReset(ctxt); + +@@ -6931,6 +6933,7 @@ htmlCtxtReadFile(htmlParserCtxtPtr ctxt, const char *filename, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + htmlCtxtReset(ctxt); + +@@ -6967,6 +6970,7 @@ htmlCtxtReadMemory(htmlParserCtxtPtr ctxt, const char *buffer, int size, + return (NULL); + if (buffer == NULL) + return (NULL); ++ xmlInitParser(); + + htmlCtxtReset(ctxt); + +@@ -7009,6 +7013,7 @@ htmlCtxtReadFd(htmlParserCtxtPtr ctxt, int fd, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + htmlCtxtReset(ctxt); + +@@ -7053,6 +7058,7 @@ htmlCtxtReadIO(htmlParserCtxtPtr ctxt, xmlInputReadCallback ioread, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + htmlCtxtReset(ctxt); + +diff --git a/parser.c b/parser.c +index dd00399..ad400f4 100644 +--- a/parser.c ++++ b/parser.c +@@ -15217,6 +15217,7 @@ xmlReadDoc(const xmlChar * cur, const char *URL, const char *encoding, int optio + + if (cur == NULL) + return (NULL); ++ xmlInitParser(); + + ctxt = xmlCreateDocParserCtxt(cur); + if (ctxt == NULL) +@@ -15239,6 +15240,7 @@ 
xmlReadFile(const char *filename, const char *encoding, int options) + { + xmlParserCtxtPtr ctxt; + ++ xmlInitParser(); + ctxt = xmlCreateURLParserCtxt(filename, options); + if (ctxt == NULL) + return (NULL); +@@ -15262,6 +15264,7 @@ xmlReadMemory(const char *buffer, int size, const char *URL, const char *encodin + { + xmlParserCtxtPtr ctxt; + ++ xmlInitParser(); + ctxt = xmlCreateMemoryParserCtxt(buffer, size); + if (ctxt == NULL) + return (NULL); +@@ -15290,6 +15293,7 @@ xmlReadFd(int fd, const char *URL, const char *encoding, int options) + + if (fd < 0) + return (NULL); ++ xmlInitParser(); + + input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE); + if (input == NULL) +@@ -15333,6 +15337,7 @@ xmlReadIO(xmlInputReadCallback ioread, xmlInputCloseCallback ioclose, + + if (ioread == NULL) + return (NULL); ++ xmlInitParser(); + + input = xmlParserInputBufferCreateIO(ioread, ioclose, ioctx, + XML_CHAR_ENCODING_NONE); +@@ -15379,6 +15384,7 @@ xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + xmlCtxtReset(ctxt); + +@@ -15412,6 +15418,7 @@ xmlCtxtReadFile(xmlParserCtxtPtr ctxt, const char *filename, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + xmlCtxtReset(ctxt); + +@@ -15448,6 +15455,7 @@ xmlCtxtReadMemory(xmlParserCtxtPtr ctxt, const char *buffer, int size, + return (NULL); + if (buffer == NULL) + return (NULL); ++ xmlInitParser(); + + xmlCtxtReset(ctxt); + +@@ -15492,6 +15500,7 @@ xmlCtxtReadFd(xmlParserCtxtPtr ctxt, int fd, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + xmlCtxtReset(ctxt); + +@@ -15537,6 +15546,7 @@ xmlCtxtReadIO(xmlParserCtxtPtr ctxt, xmlInputReadCallback ioread, + return (NULL); + if (ctxt == NULL) + return (NULL); ++ xmlInitParser(); + + xmlCtxtReset(ctxt); + 
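Review bot: In the htmlReadFd hunk the added `xmlInitParser();` lands directly above an existing `xmlInitParser();` context line, so that entry point now calls it twice in a row. The 0024 patch on this page shows xmlInitParser setting `xmlParserInitialized = 1`, so the second call is presumably a cheap no-op, but the duplicate is noise in a patch whose purpose is to make the entry points uniform. Dropping the added line in that one hunk is enough; the other hunks add the call where none is visible in the context.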
diff --git a/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch b/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch new file mode 100644 index 0000000..cc18db7 --- /dev/null +++ b/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch @@ -0,0 +1,41 @@ +From: Nick Wellnhofer +Date: Fri, 20 Dec 2013 00:01:53 +0100 +Subject: Handling of XPath function arguments in error case + +The XPath engine tries to guarantee that every XPath function can pop +'nargs' non-NULL values off the stack. libxslt, for example, relies on +this assumption. But the check isn't thorough enough if there are errors +during the evaluation of arguments. This can lead to segfaults: + +https://mail.gnome.org/archives/xslt/2013-December/msg00005.html + +This commit makes the handling of function arguments more robust. + +* Bail out early when evaluation of XPath function arguments fails. +* Make sure that there are 'nargs' arguments in the current call frame. +--- + xpath.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index a676989..a75df9b 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13512,10 +13512,15 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + int frame; + + frame = xmlXPathSetFrame(ctxt); +- if (op->ch1 != -1) ++ if (op->ch1 != -1) { + total += + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); +- if (ctxt->valueNr < op->value) { ++ if (ctxt->error != XPATH_EXPRESSION_OK) { ++ xmlXPathPopFrame(ctxt, frame); ++ return (total); ++ } ++ } ++ if (ctxt->valueNr < ctxt->valueFrame + op->value) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: parameter error\n"); + ctxt->error = XPATH_INVALID_OPERAND; diff --git a/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch b/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch new file mode 100644 index 0000000..c5a5d16 --- /dev/null 
+++ b/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch @@ -0,0 +1,22 @@ +From: Daniel Veillard +Date: Sun, 26 Jan 2014 15:02:25 +0100 +Subject: Missing initialization for the catalog module + +--- + parser.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/parser.c b/parser.c +index ad400f4..7381a78 100644 +--- a/parser.c ++++ b/parser.c +@@ -14720,6 +14720,9 @@ xmlInitParser(void) { + #ifdef LIBXML_XPATH_ENABLED + xmlXPathInit(); + #endif ++#ifdef LIBXML_CATALOG_ENABLED ++ xmlInitializeCatalog(); ++#endif + xmlParserInitialized = 1; + #ifdef LIBXML_THREAD_ENABLED + } diff --git a/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch b/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch new file mode 100644 index 0000000..edf1752 --- /dev/null +++ b/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch @@ -0,0 +1,24 @@ +From: Daniel Veillard +Date: Thu, 6 Feb 2014 10:38:00 +0100 +Subject: Fix an fd leak in an error case + +--- + catalog.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/catalog.c b/catalog.c +index 8e34cd2..56991da 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -994,6 +994,11 @@ xmlLoadFileContent(const char *filename) + content = (xmlChar*)xmlMallocAtomic(size + 10); + if (content == NULL) { + xmlCatalogErrMemory("allocating catalog data"); ++#ifdef HAVE_STAT ++ close(fd); ++#else ++ fclose(fd); ++#endif + return (NULL); + } + #ifdef HAVE_STAT diff --git a/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch b/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch new file mode 100644 index 0000000..65eae92 --- /dev/null +++ b/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch 
@@ -0,0 +1,21 @@ +From: Daniel Veillard +Date: Thu, 6 Feb 2014 10:47:20 +0100 +Subject: fixing a ptotential uninitialized access + +--- + valid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/valid.c b/valid.c +index e0832e7..114bb72 100644 +--- a/valid.c ++++ b/valid.c +@@ -6948,7 +6948,7 @@ xmlValidGetValidElements(xmlNode *prev, xmlNode *next, const xmlChar **names, + int max) { + xmlValidCtxt vctxt; + int nb_valid_elements = 0; +- const xmlChar *elements[256]; ++ const xmlChar *elements[256]={0}; + int nb_elements = 0, i; + const xmlChar *name; + diff --git a/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch b/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch new file mode 100644 index 0000000..22d206a --- /dev/null +++ b/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch @@ -0,0 +1,29 @@ +From: Daniel Veillard +Date: Sat, 8 Feb 2014 02:22:35 +0800 +Subject: Fix xmlTextWriterWriteElement when a null content is given + +--- + xmlwriter.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/xmlwriter.c b/xmlwriter.c +index d3f29f8..27209b9 100644 +--- a/xmlwriter.c ++++ b/xmlwriter.c +@@ -2238,10 +2238,12 @@ xmlTextWriterWriteElement(xmlTextWriterPtr writer, const xmlChar * name, + if (count == -1) + return -1; + sum += count; +- count = xmlTextWriterWriteString(writer, content); +- if (count == -1) +- return -1; +- sum += count; ++ if (content != NULL) { ++ count = xmlTextWriterWriteString(writer, content); ++ if (count == -1) ++ return -1; ++ sum += count; ++ } + count = xmlTextWriterEndElement(writer); + if (count == -1) + return -1; diff --git a/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch b/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch new file mode 100644 index 0000000..219d13a --- /dev/null +++ b/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch 
@@ -0,0 +1,22 @@
+From: Gaurav
+Date: Tue, 18 Feb 2014 11:47:43 +0800
+Subject: Avoid a possible NULL pointer dereference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=708355
+---
+ xmlmodule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmlmodule.c b/xmlmodule.c
+index 7fe5bc2..50ed666 100644
+--- a/xmlmodule.c
++++ b/xmlmodule.c
+@@ -115,7 +115,7 @@ xmlModuleSymbol(xmlModulePtr module, const char *name, void **symbol)
+ {
+ int rc = -1;
+
+- if ((NULL == module) || (symbol == NULL)) {
++ if ((NULL == module) || (symbol == NULL) || (name == NULL)) {
+ __xmlRaiseError(NULL, NULL, NULL, NULL, NULL, XML_FROM_MODULE,
+ XML_MODULE_OPEN, XML_ERR_FATAL, NULL, 0, 0,
+ NULL, NULL, 0, 0, "null parameter\n");
diff --git a/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch b/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch
new file mode 100644
index 0000000..06ec27c
--- /dev/null
+++ b/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch
@@ -0,0 +1,35 @@
+From: Daniel Veillard
+Date: Tue, 22 Apr 2014 15:30:56 +0800
+Subject: Do not fetch external parameter entities
+
+Unless explicitely asked for when validating or replacing entities
+with their value. Problem pointed out by Daniel Berrange
+---
+ parser.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 7381a78..8aad7b4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ xmlCharEncoding enc;
+
+ /*
++ * Note: external parsed entities will not be loaded, it is
++ * not required for a non-validating parser, unless the
++ * option of validating, or substituting entities were
++ * given. Doing so is far more secure as the parser will
++ * only process data coming from the document entity by
++ * default.
++ */
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ (ctxt->validate == 0))
++ return;
++
++ /*
+ * handle the extra spaces added before and after
+ * c.f. http://www.w3.org/TR/REC-xml#as-PE
+ * this is done independently.
diff --git a/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch b/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
new file mode 100644
index 0000000..8a84731
--- /dev/null
+++ b/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
@@ -0,0 +1,32 @@ +From: Gaurav +Date: Fri, 9 May 2014 17:00:08 +0800 +Subject: Avoid Possible null pointer dereference in memory debug mode + +Fix a use before check on pointer +For https://bugzilla.gnome.org/show_bug.cgi?id=729849 +--- + xmlmemory.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/xmlmemory.c b/xmlmemory.c +index 25d9318..37dcf3b 100644 +--- a/xmlmemory.c ++++ b/xmlmemory.c +@@ -583,13 +583,15 @@ xmlMemBlocks(void) { + static void + xmlMemContentShow(FILE *fp, MEMHDR *p) + { +- int i,j,k,len = p->mh_size; +- const char *buf = (const char *) HDR_2_CLIENT(p); ++ int i,j,k,len; ++ const char *buf; + + if (p == NULL) { + fprintf(fp, " NULL"); + return; + } ++ len = p->mh_size; ++ buf = (const char *) HDR_2_CLIENT(p); + + for (i = 0;i < len;i++) { + if (buf[i] == 0) break; diff --git a/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch b/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch new file mode 100644 index 0000000..7b24f6b --- /dev/null +++ b/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch @@ -0,0 +1,22 @@ +From: =?UTF-8?q?S=C3=A9rgio=20Batista?= +Date: Mon, 9 Jun 2014 22:10:15 +0800 +Subject: xmllint was not parsing the --c14n11 flag + +Cut and paste error, using the wrong variable +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmllint.c b/xmllint.c +index d69722c..4a5d043 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -2573,7 +2573,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { + fprintf(stderr, "Failed to canonicalize\n"); + progresult = XMLLINT_ERR_OUT; + } +- } else if (canonical) { ++ } else if (canonical_11) { + xmlChar *result = NULL; + int size; + diff --git a/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch b/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch new file mode 100644 index 0000000..d9fc108 --- /dev/null 
+++ b/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch 
@@ -0,0 +1,58 @@
+From: Daniel Veillard
+Date: Wed, 11 Jun 2014 16:54:32 +0800
+Subject: Fix regressions introduced by CVE-2014-0191 patch
+
+A number of issues have been raised after the fix, and this patch
+tries to correct all of them, though most were related to
+postvalidation.
+https://bugzilla.gnome.org/show_bug.cgi?id=730290
+and other reports on list, off-list and on Red Hat bugzilla
+---
+ parser.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 8aad7b4..ea0ea65 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2595,8 +2595,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ xmlCharEncoding enc;
+
+ /*
+- * Note: external parsed entities will not be loaded, it is
+- * not required for a non-validating parser, unless the
++ * Note: external parameter entities will not be loaded, it
++ * is not required for a non-validating parser, unless the
+ * option of validating, or substituting entities were
+ * given. Doing so is far more secure as the parser will
+ * only process data coming from the document entity by
+@@ -2605,6 +2605,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
+ (ctxt->validate == 0))
+ return;
+
+@@ -12609,6 +12612,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
+@@ -12736,6 +12742,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID,
+ return(NULL);
+ }
+
++ /* We are loading a DTD */
++ ctxt->options |= XML_PARSE_DTDLOAD;
++
+ /*
+ * Set-up the SAX context
+ */
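Review bot: The comment above the guard in xmlParserHandlePEReference is only half updated: it still says external parameter entities are skipped "unless the option of validating, or substituting entities were given", while the condition now also lets `XML_PARSE_DTDLOAD`, `XML_PARSE_DTDATTR` and `ctxt->replaceEntities` turn loading back on. Since this is the guard the CVE-2014-0191 change introduced, the comment should list every switch that re-enables fetching, e.g. `* loaded unless NOENT, DTDVALID, DTDLOAD, DTDATTR, replaceEntities or validate is set.` The two `/* We are loading a DTD */` comments in xmlIOParseDTD and xmlSAXParseDTD could likewise say that setting `XML_PARSE_DTDLOAD` there is what allows parameter entities inside the DTD to be fetched. Callers parsing untrusted input need that list to know which options to leave off.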
diff --git a/debian/patches/series b/debian/patches/series index 631a2bf..ce6e665 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,32 @@ 0001-modify-xml2-config-and-pkgconfig-behaviour.patch 0002-fix-python-multiarch-includes.patch -0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch +0003-Fix-an-error-in-xmlCleanupParser.patch +0004-Fix-missing-break-on-last-function-for-attributes.patch +0005-xmllint-memory-should-fail-on-empty-files.patch +0006-properly-quote-the-namespace-uris-written-out-during.patch +0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch +0008-missing-else-in-xlink.c.patch +0009-Catch-malloc-error-and-exit-accordingly.patch +0010-Fix-handling-of-mmap-errors.patch +0011-Avoid-crash-if-allocation-fails.patch +0012-Fix-a-possible-NULL-dereference.patch +0013-Clear-up-a-potential-NULL-dereference.patch +0014-Fix-XPath-optimization-with-predicates.patch +0015-xmllint-pretty-crashed-without-following-numeric-arg.patch +0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch +0017-Fix-a-potential-NULL-dereference-in-tree-code.patch +0018-Fix-pointer-dereferenced-before-null-check.patch +0019-Fix-a-bug-loading-some-compressed-files.patch +0020-Avoid-a-possibility-of-dangling-encoding-handler.patch +0021-Fix-a-couple-of-missing-NULL-checks.patch +0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch +0023-Handling-of-XPath-function-arguments-in-error-case.patch +0024-Missing-initialization-for-the-catalog-module.patch +0025-Fix-an-fd-leak-in-an-error-case.patch +0026-fixing-a-ptotential-uninitialized-access.patch +0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch +0028-Avoid-a-possible-NULL-pointer-dereference.patch +0029-Do-not-fetch-external-parameter-entities.patch +0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch +0031-xmllint-was-not-parsing-the-c14n11-flag.patch +0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch -- cgit v1.2.3 
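Review bot: After this change the series carries no patch for CVE-2014-3660: the removed `0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch` was the only entry naming it, and none of the thirty added entries replaces it. Whether the base sources at this commit already contain that fix is not visible here, but the follow-up commit on this page re-adds `0054-Fix-for-CVE-2014-3660.patch` and `0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch`, which suggests they do not. Landing those two series entries in the same commit would avoid an intermediate tree that builds without the fix.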
From 37f590756a23e167808f76f1389c36f0a2d39f11 Mon Sep 17 00:00:00 2001 
From: Raphaël Hertzog Date: Tue, 25 Aug 2015 22:30:28 +0200 Subject: Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring CVE-2014-3660 is fixed too. --- debian/changelog | 14 +- ...odify-xml2-config-and-pkgconfig-behaviour.patch | 34 +++-- .../0002-fix-python-multiarch-includes.patch | 4 +- .../0003-Fix-an-error-in-xmlCleanupParser.patch | 2 +- ...ing-break-on-last-function-for-attributes.patch | 2 +- ...xmllint-memory-should-fail-on-empty-files.patch | 2 +- ...ote-the-namespace-uris-written-out-during.patch | 2 +- ...ng-bug-on-non-ascii-element-and-CR-LF-usa.patch | 2 +- debian/patches/0008-missing-else-in-xlink.c.patch | 2 +- ...9-Catch-malloc-error-and-exit-accordingly.patch | 2 +- .../patches/0010-Fix-handling-of-mmap-errors.patch | 2 +- .../0011-Avoid-crash-if-allocation-fails.patch | 2 +- .../0012-Fix-a-possible-NULL-dereference.patch | 2 +- ...013-Clear-up-a-potential-NULL-dereference.patch | 2 +- ...14-Fix-XPath-optimization-with-predicates.patch | 2 +- ...tty-crashed-without-following-numeric-arg.patch | 2 +- ...al-NULL-pointer-dereferences-in-regexp-co.patch | 2 +- ...a-potential-NULL-dereference-in-tree-code.patch | 2 +- ...ix-pointer-dereferenced-before-null-check.patch | 2 +- ...9-Fix-a-bug-loading-some-compressed-files.patch | 2 +- ...-possibility-of-dangling-encoding-handler.patch | 2 +- .../0021-Fix-a-couple-of-missing-NULL-checks.patch | 2 +- ...-calls-to-xml-and-html-Read-parsing-entry.patch | 4 +- ...of-XPath-function-arguments-in-error-case.patch | 2 +- ...ing-initialization-for-the-catalog-module.patch | 2 +- .../0025-Fix-an-fd-leak-in-an-error-case.patch | 2 +- ...-fixing-a-ptotential-uninitialized-access.patch | 2 +- ...WriterWriteElement-when-a-null-content-is.patch | 2 +- ...Avoid-a-possible-NULL-pointer-dereference.patch | 2 +- ...-Do-not-fetch-external-parameter-entities.patch | 2 +- ...ble-null-pointer-dereference-in-memory-de.patch | 2 +- ...1-xmllint-was-not-parsing-the-c14n11-flag.patch | 4 +- 
...essions-introduced-by-CVE-2014-0191-patch.patch | 2 +- .../0033-Adding-some-missing-NULL-checks.patch | 57 +++++++++ ...incorrectly-recomposes-URIs-with-rootless.patch | 27 ++++ ...dding-a-check-in-case-of-allocation-error.patch | 28 ++++ .../0036-Add-a-missing-argument-check.patch | 24 ++++ ...e-of-misisng-check-in-xmlRelaxNGCleanupTr.patch | 43 +++++++ .../0038-Fix-a-potential-NULL-dereference.patch | 29 +++++ ...ing-in-SAX2-in-case-of-an-allocation-fail.patch | 21 +++ ...040-Avoid-Possible-Null-Pointer-in-trio.c.patch | 47 +++++++ ...or-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch | 32 +++++ ...Correctly-initialise-a-stack-allocated-st.patch | 29 +++++ ...0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch | 34 +++++ ...schemastypes-Fix-potential-array-overflow.patch | 28 ++++ .../0045-Add-couple-of-missing-Null-checks.patch | 49 +++++++ .../0046-Couple-of-Missing-Null-checks.patch | 35 +++++ .../0047-Fix-Enum-check-and-missing-break.patch | 43 +++++++ .../0048-Possible-overflow-in-HTMLParser.c.patch | 38 ++++++ ...k-of-struct-addrinfo-in-xmlNanoFTPConnect.patch | 25 ++++ ...50-Pointer-dereferenced-before-null-check.patch | 61 +++++++++ .../0051-xpointer-fixing-Null-Pointers.patch | 110 ++++++++++++++++ .../0052-xmlmemory-handle-realloc-properly.patch | 39 ++++++ ...leak-xml-header-encoding-field-with-XML_P.patch | 50 ++++++++ debian/patches/0054-Fix-for-CVE-2014-3660.patch | 141 +++++++++++++++++++++ ...-missing-entities-after-CVE-2014-3660-fix.patch | 27 ++++ debian/patches/series | 23 ++++ 57 files changed, 1109 insertions(+), 47 deletions(-) create mode 100644 debian/patches/0033-Adding-some-missing-NULL-checks.patch create mode 100644 debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch create mode 100644 debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch create mode 100644 debian/patches/0036-Add-a-missing-argument-check.patch create mode 100644 
debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch create mode 100644 debian/patches/0038-Fix-a-potential-NULL-dereference.patch create mode 100644 debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch create mode 100644 debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch create mode 100644 debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch create mode 100644 debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch create mode 100644 debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch create mode 100644 debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch create mode 100644 debian/patches/0045-Add-couple-of-missing-Null-checks.patch create mode 100644 debian/patches/0046-Couple-of-Missing-Null-checks.patch create mode 100644 debian/patches/0047-Fix-Enum-check-and-missing-break.patch create mode 100644 debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch create mode 100644 debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch create mode 100644 debian/patches/0050-Pointer-dereferenced-before-null-check.patch create mode 100644 debian/patches/0051-xpointer-fixing-Null-Pointers.patch create mode 100644 debian/patches/0052-xmlmemory-handle-realloc-properly.patch create mode 100644 debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch create mode 100644 debian/patches/0054-Fix-for-CVE-2014-3660.patch create mode 100644 debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch (limited to 'debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch') diff --git a/debian/changelog b/debian/changelog index 3350507..dc762be 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,10 +1,12 @@ -libxml2 (2.9.2+really2.9.1+dfsg1-0.1) UNRELEASED; urgency=medium +libxml2 (2.9.2+really2.9.1+dfsg1-0.1) unstable; urgency=medium * Non-maintainer upload. * Go back to 2.9.1+dfsg1 upstream sources so that xmllint works again. Closes: #766884 + * Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring + CVE-2014-3660 is fixed too. - -- Raphaël Hertzog Tue, 25 Aug 2015 21:49:14 +0200 + -- Raphaël Hertzog Tue, 25 Aug 2015 22:31:29 +0200 libxml2 (2.9.2+dfsg1-3) unstable; urgency=medium @@ -33,6 +35,14 @@ libxml2 (2.9.2+dfsg1-1) unstable; urgency=low -- Aron Xu Sun, 26 Oct 2014 07:04:50 +0800 +libxml2 (2.9.1+dfsg1-5) testing; urgency=medium + + * Add pkg-config to B-D + * Cherry-pick upstream memory related fixes + - Including CVE-2014-3660 (Closes: #765722, #768089) + + -- Aron Xu Sun, 01 Feb 2015 13:48:36 +0800 + libxml2 (2.9.1+dfsg1-4) unstable; urgency=low [ Christian Svensson ] diff --git a/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch b/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch index d5d3622..6b16e59 100644 --- a/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch +++ b/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch @@ -1,19 +1,20 @@ 
From: Aron Xu -Date: Sun, 26 Oct 2014 06:02:29 +0800 +Date: Fri, 21 Sep 2012 00:19:41 +0800 Subject: modify xml2-config and pkgconfig behaviour --- - configure.ac | 2 +- + configure.in | 2 +- libxml-2.0-uninstalled.pc.in | 3 ++- + libxml-2.0.pc.in | 2 +- xml2-config.1 | 4 ++++ xml2-config.in | 22 ++++++++++------------ - 4 files changed, 17 insertions(+), 14 deletions(-) + 5 files changed, 18 insertions(+), 15 deletions(-) -diff --git a/configure.ac b/configure.ac -index 14ac0a8..21d90ab 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1476,7 +1476,7 @@ case "$host" in +diff --git a/configure.in b/configure.in +index d449b11..668f233 100644 +--- a/configure.in ++++ b/configure.in +@@ -1380,7 +1380,7 @@ case "$host" in *) M_LIBS="-lm" ;; esac @@ -23,17 +24,28 @@ index 14ac0a8..21d90ab 100644 AC_SUBST(WITH_ICONV) diff --git a/libxml-2.0-uninstalled.pc.in b/libxml-2.0-uninstalled.pc.in -index 60b886b..0d5d6cb 100644 +index cab6834..af16ebc 100644 --- a/libxml-2.0-uninstalled.pc.in +++ b/libxml-2.0-uninstalled.pc.in 
@@ -8,5 +8,6 @@ Name: libXML Version: @VERSION@ Description: libXML library version2. Requires: --Libs: -L${libdir} -lxml2 @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @LZMA_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ +-Libs: -L${libdir} -lxml2 @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ +Libs: -L${libdir} -lxml2 -+Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @LZMA_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ ++Libs.private: @BASE_THREAD_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ Cflags: -I${includedir} @XML_INCLUDEDIR@ @XML_CFLAGS@ +diff --git a/libxml-2.0.pc.in b/libxml-2.0.pc.in +index f5f5f03..0de667b 100644 +--- a/libxml-2.0.pc.in ++++ b/libxml-2.0.pc.in +@@ -9,5 +9,5 @@ Version: @VERSION@ + Description: libXML library version2. + Requires: + Libs: -L${libdir} -lxml2 +-Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @WIN32_EXTRA_LIBADD@ @LIBS@ ++Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @WIN32_EXTRA_LIBADD@ @LIBS@ @LZMA_LIBS@ + Cflags: @XML_INCLUDEDIR@ @XML_CFLAGS@ diff --git a/xml2-config.1 b/xml2-config.1 index 8cf9858..7b4195d 100644 --- a/xml2-config.1 diff --git a/debian/patches/0002-fix-python-multiarch-includes.patch b/debian/patches/0002-fix-python-multiarch-includes.patch index bcab67e..3201fb3 100644 --- a/debian/patches/0002-fix-python-multiarch-includes.patch +++ b/debian/patches/0002-fix-python-multiarch-includes.patch @@ -21,10 +21,10 @@ index 34aed96..8445ea5 100644 python_LTLIBRARIES = libxml2mod.la diff --git a/python/Makefile.in b/python/Makefile.in -index 03fbd5b..7299c82 100644 +index efdea43..23e7fa2 100644 --- a/python/Makefile.in +++ b/python/Makefile.in -@@ -490,7 +490,7 @@ EXTRA_DIST = \ +@@ -430,7 +430,7 @@ EXTRA_DIST = \ @WITH_PYTHON_TRUE@AM_CPPFLAGS = \ @WITH_PYTHON_TRUE@ -I$(top_builddir)/include \ @WITH_PYTHON_TRUE@ -I$(top_srcdir)/include \ 
diff --git a/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch b/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch index 03bf447..8834c99 100644 --- a/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch +++ b/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch @@ -8,7 +8,7 @@ xmlCleanupParser calls xmlCleanupGlobals() and then xmlResetLastError() but the later reallocate the global data freed by previous call. Just swap the two calls. --- - parser.c | 2 +- + parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch b/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch index cff8b72..5dabed6 100644 --- a/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch +++ b/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch @@ -4,7 +4,7 @@ Subject: Fix missing break on last() function for attributes pointed out by cppcheck --- - python/libxml.c | 1 + + python/libxml.c | 1 + 1 file changed, 1 insertion(+) diff --git a/python/libxml.c b/python/libxml.c diff --git a/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch b/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch index e1a2197..48ee651 100644 --- a/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch +++ b/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch @@ -5,7 +5,7 @@ Subject: xmllint --memory should fail on empty files Exposed by https://bugzilla.gnome.org/show_bug.cgi?id=699896 when doing analysis but a priori unrelated. --- - xmllint.c | 5 ++++- + xmllint.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/xmllint.c b/xmllint.c 
diff --git a/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch b/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch index 6f4c4c8..682fb41 100644 --- a/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch +++ b/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch @@ -3,7 +3,7 @@ Date: Thu, 9 May 2013 16:02:16 +0000 Subject: properly quote the namespace uris written out during c14n --- - c14n.c | 9 +++++---- + c14n.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/c14n.c b/c14n.c diff --git a/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch b/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch index 442fd11..b4b5e3b 100644 --- a/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch +++ b/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch @@ -8,7 +8,7 @@ Somehow the behaviour of the internal parser routine changed slightly when encountering CR/LF, which led to a bug when parsing document with non-ascii Names --- - parser.c | 6 +++++- + parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0008-missing-else-in-xlink.c.patch b/debian/patches/0008-missing-else-in-xlink.c.patch index 88a4e86..9349cdc 100644 --- a/debian/patches/0008-missing-else-in-xlink.c.patch +++ b/debian/patches/0008-missing-else-in-xlink.c.patch @@ -4,7 +4,7 @@ Subject: missing else in xlink.c Obviously forgotten --- - xlink.c | 2 +- + xlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xlink.c b/xlink.c diff --git a/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch b/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch index 3f93a57..a8b9db8 100644 --- a/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch 
+++ b/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch @@ -4,7 +4,7 @@ Subject: Catch malloc error and exit accordingly As pointed privately by Bill Parker --- - xmllint.c | 4 ++++ + xmllint.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xmllint.c b/xmllint.c diff --git a/debian/patches/0010-Fix-handling-of-mmap-errors.patch b/debian/patches/0010-Fix-handling-of-mmap-errors.patch index 0c55cfe..3c220a1 100644 --- a/debian/patches/0010-Fix-handling-of-mmap-errors.patch +++ b/debian/patches/0010-Fix-handling-of-mmap-errors.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=702320 as raised by Gaurav --- - xmllint.c | 13 +++++++++++-- + xmllint.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/xmllint.c b/xmllint.c diff --git a/debian/patches/0011-Avoid-crash-if-allocation-fails.patch b/debian/patches/0011-Avoid-crash-if-allocation-fails.patch index e4e7206..abbb38f 100644 --- a/debian/patches/0011-Avoid-crash-if-allocation-fails.patch +++ b/debian/patches/0011-Avoid-crash-if-allocation-fails.patch @@ -5,7 +5,7 @@ Subject: Avoid crash if allocation fails https://bugzilla.gnome.org/show_bug.cgi?id=704527 xmlSchemaNewValue() may fail on OOM error --- - xmlschemastypes.c | 4 ++++ + xmlschemastypes.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xmlschemastypes.c b/xmlschemastypes.c diff --git a/debian/patches/0012-Fix-a-possible-NULL-dereference.patch b/debian/patches/0012-Fix-a-possible-NULL-dereference.patch index 9a7cf6f..1683440 100644 --- a/debian/patches/0012-Fix-a-possible-NULL-dereference.patch +++ b/debian/patches/0012-Fix-a-possible-NULL-dereference.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=705400 In case of allocation error the pointer was dereferenced before the test for a failure --- - SAX2.c | 4 ++-- + SAX2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SAX2.c b/SAX2.c 
diff --git a/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch b/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch index a18dfaf..3814294 100644 --- a/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch +++ b/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch @@ -7,7 +7,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=705399 if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought to be zero but it's better to clarify the check in the code directly. --- - parserInternals.c | 3 ++- + parserInternals.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parserInternals.c b/parserInternals.c diff --git a/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch b/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch index f24424a..4fc23a2 100644 --- a/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch +++ b/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch @@ -6,7 +6,7 @@ My attempt to optimize XPath expressions containing '//' caused a regression reported in bug #695699. This commit disables the optimization for expressions of the form '//foo[predicate]'. --- - xpath.c | 5 +++-- + xpath.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xpath.c b/xpath.c diff --git a/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch b/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch index b910c3a..4db2660 100644 --- a/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch +++ b/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=674789 We need to check for NULL argument before calling atoi() --- - xmllint.c | 12 +++++++----- + xmllint.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/xmllint.c b/xmllint.c 
diff --git a/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch b/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch index fa8a176..13df103 100644 --- a/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch +++ b/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=707749 Fix 3 cases where we might dereference NULL --- - xmlregexp.c | 8 +++++--- + xmlregexp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/xmlregexp.c b/xmlregexp.c diff --git a/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch b/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch index 2c55813..dd8ee34 100644 --- a/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch +++ b/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch @@ -7,7 +7,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=707750 Also reported by Gaurav, simple fix to check the pointer before dereference --- - tree.c | 3 ++- + tree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tree.c b/tree.c diff --git a/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch b/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch index 3ae1c59..a038b02 100644 --- a/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch +++ b/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch @@ -7,7 +7,7 @@ for https://bugzilla.gnome.org/show_bug.cgi?id=708364 xmlValidateElementContent is a private function but should still check the ctxt argument before dereferencing --- - valid.c | 2 +- + valid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/valid.c b/valid.c 
diff --git a/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch b/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch index 48b4fa4..25c7739 100644 --- a/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch +++ b/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch @@ -13,7 +13,7 @@ values. This function uses the stream state in state->zstrm, but calls xz_avail which uses the state->strm stream info. This causes gz_next4 to signal a premature EOF if the data it is fetching crosses a 1024 byte boundary. --- - xzlib.c | 26 ++++++++++++++++++++++---- + xzlib.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/xzlib.c b/xzlib.c diff --git a/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch b/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch index ab0bde8..3590669 100644 --- a/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch +++ b/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch @@ -11,7 +11,7 @@ If the freed handler is any one of handlers[i] list, then it will make that hanldlers[i] as dangling. This may lead to crash issues at places where handlers is read. --- - encoding.c | 16 ++++++++++++++-- + encoding.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/encoding.c b/encoding.c diff --git a/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch b/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch index 6771dbb..62ce6c4 100644 --- a/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch +++ b/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch @@ -4,7 +4,7 @@ Subject: Fix a couple of missing NULL checks For https://bugzilla.gnome.org/show_bug.cgi?id=708681 --- - tree.c | 2 ++ + tree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tree.c b/tree.c 
diff --git a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch index 7820411..2dd7cac 100644 --- a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch +++ b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch @@ -6,8 +6,8 @@ As pointed out by "Tassyns, Bram " on the list some call had it other didn't, clean it up and add to all missing ones --- - HTMLparser.c | 6 ++++++ - parser.c | 10 ++++++++++ + HTMLparser.c | 6 ++++++ + parser.c | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/HTMLparser.c b/HTMLparser.c diff --git a/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch b/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch index cc18db7..bb185c8 100644 --- a/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch +++ b/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch @@ -14,7 +14,7 @@ This commit makes the handling of function arguments more robust. * Bail out early when evaluation of XPath function arguments fails. * Make sure that there are 'nargs' arguments in the current call frame. --- - xpath.c | 9 +++++++-- + xpath.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/xpath.c b/xpath.c diff --git a/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch b/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch index c5a5d16..a4b8a21 100644 --- a/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch +++ b/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch @@ -3,7 +3,7 @@ Date: Sun, 26 Jan 2014 15:02:25 +0100 Subject: Missing initialization for the catalog module --- - parser.c | 3 +++ + parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/parser.c b/parser.c 
diff --git a/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch b/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch index edf1752..2166d8a 100644 --- a/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch +++ b/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch @@ -3,7 +3,7 @@ Date: Thu, 6 Feb 2014 10:38:00 +0100 Subject: Fix an fd leak in an error case --- - catalog.c | 5 +++++ + catalog.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/catalog.c b/catalog.c diff --git a/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch b/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch index 65eae92..ca3c141 100644 --- a/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch +++ b/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch @@ -3,7 +3,7 @@ Date: Thu, 6 Feb 2014 10:47:20 +0100 Subject: fixing a ptotential uninitialized access --- - valid.c | 2 +- + valid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/valid.c b/valid.c diff --git a/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch b/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch index 22d206a..7748610 100644 --- a/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch +++ b/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch @@ -3,7 +3,7 @@ Date: Sat, 8 Feb 2014 02:22:35 +0800 Subject: Fix xmlTextWriterWriteElement when a null content is given --- - xmlwriter.c | 10 ++++++---- + xmlwriter.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xmlwriter.c b/xmlwriter.c diff --git a/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch b/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch index 219d13a..7962722 100644 --- a/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch 
+++ b/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch @@ -4,7 +4,7 @@ Subject: Avoid a possible NULL pointer dereference For https://bugzilla.gnome.org/show_bug.cgi?id=708355 --- - xmlmodule.c | 2 +- + xmlmodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xmlmodule.c b/xmlmodule.c diff --git a/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch b/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch index 06ec27c..9dbf07f 100644 --- a/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch +++ b/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch @@ -5,7 +5,7 @@ Subject: Do not fetch external parameter entities Unless explicitely asked for when validating or replacing entities with their value. Problem pointed out by Daniel Berrange --- - parser.c | 14 ++++++++++++++ + parser.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch b/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch index 8a84731..382b8b2 100644 --- a/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch +++ b/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch @@ -5,7 +5,7 @@ Subject: Avoid Possible null pointer dereference in memory debug mode Fix a use before check on pointer For https://bugzilla.gnome.org/show_bug.cgi?id=729849 --- - xmlmemory.c | 6 ++++-- + xmlmemory.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xmlmemory.c b/xmlmemory.c diff --git a/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch b/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch index 7b24f6b..ddab29f 100644 --- a/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch +++ b/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch 
@@ -1,10 +1,10 @@ -From: =?UTF-8?q?S=C3=A9rgio=20Batista?= +From: =?utf-8?q?S=C3=A9rgio_Batista?= Date: Mon, 9 Jun 2014 22:10:15 +0800 Subject: xmllint was not parsing the --c14n11 flag Cut and paste error, using the wrong variable --- - xmllint.c | 2 +- + xmllint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xmllint.c b/xmllint.c diff --git a/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch b/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch index d9fc108..412fcbd 100644 --- a/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch +++ b/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch @@ -8,7 +8,7 @@ postvalidation. https://bugzilla.gnome.org/show_bug.cgi?id=730290 and other reports on list, off-list and on Red Hat bugzilla --- - parser.c | 13 +++++++++++-- + parser.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0033-Adding-some-missing-NULL-checks.patch b/debian/patches/0033-Adding-some-missing-NULL-checks.patch new file mode 100644 index 0000000..967fa75 --- /dev/null +++ b/debian/patches/0033-Adding-some-missing-NULL-checks.patch 
@@ -0,0 +1,57 @@
+From: Gaurav
+Date: Fri, 13 Jun 2014 14:45:20 +0800
+Subject: Adding some missing NULL checks
+
+in SAX2 DOM building code and in the HTML parser
+---
+ HTMLparser.c | 4 ++--
+ SAX2.c | 9 +++++++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 44c1a3c..79b1adf 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3671,13 +3671,13 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) {
+ int i;
+ int discardtag = 0;
+
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(-1);
+ if ((ctxt == NULL) || (ctxt->input == NULL)) {
+ htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "htmlParseStartTag: context error\n", NULL, NULL);
+ return -1;
+ }
++ if (ctxt->instate == XML_PARSER_EOF)
++ return(-1);
+ if (CUR != '<') return -1;
+ NEXT;
+
+diff --git a/SAX2.c b/SAX2.c
+index 33d167e..76b7158 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -1177,6 +1177,12 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
+ val = xmlStringDecodeEntities(ctxt, value, XML_SUBSTITUTE_REF,
+ 0,0,0);
+ ctxt->depth--;
++ if (val == NULL) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement");
++ if (name != NULL)
++ xmlFree(name);
++ return;
++ }
+ } else {
+ val = (xmlChar *) value;
+ }
+@@ -2570,6 +2576,9 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len)
+ (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ lastChild->content = xmlStrdup(lastChild->content);
+ }
++ if (lastChild->content == NULL) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
++ }
+ if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
diff --git a/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch b/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch
new file mode 100644
index 0000000..34e6547
--- /dev/null
+++ b/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch
@@ -0,0 +1,27 @@
+From: Dennis Filder
+Date: Fri, 13 Jun 2014 14:56:14 +0800
+Subject: xmlSaveUri() incorrectly recomposes URIs with rootless paths
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=731063
+
+xmlSaveUri() of libxml2 (snapshot 2014-05-31 and earlier) returns
+bogus values when called with URIs that have rootless paths
+(e.g. "urx:b:b" becomes "urx://b%3Ab" where "urx:b%3Ab" would be
+correct)
+---
+ uri.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/uri.c b/uri.c
+index 4ab0ce2..d4dcd2f 100644
+--- a/uri.c
++++ b/uri.c
+@@ -1194,8 +1194,6 @@ xmlSaveUri(xmlURIPtr uri) {
+ if (temp == NULL) goto mem_error;
+ ret = temp;
+ }
+- ret[len++] = '/';
+- ret[len++] = '/';
+ }
+ if (uri->path != NULL) {
+ p = uri->path;
diff --git a/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch b/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch
new file mode 100644
index 0000000..a0b4fc7
--- /dev/null
+++ b/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch
@@ -0,0 +1,28 @@
+From: Gaurav Gupta
+Date: Mon, 14 Jul 2014 16:01:10 +0800
+Subject: Adding a check in case of allocation error
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733043
+
+There is missing Null condition in xmlRelaxNGValidateInterleave of
+relaxng.c
+Dereferencing it may cause a crash.
+---
+ relaxng.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/relaxng.c b/relaxng.c
+index 370e314..3d8524d 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -9409,6 +9409,10 @@ xmlRelaxNGValidateInterleave(xmlRelaxNGValidCtxtPtr ctxt,
+ oldstate = ctxt->state;
+ for (i = 0; i < nbgroups; i++) {
+ ctxt->state = xmlRelaxNGCopyValidState(ctxt, oldstate);
++ if (ctxt->state == NULL) {
++ ret = -1;
++ break;
++ }
+ group = partitions->groups[i];
+ if (lasts[i] != NULL) {
+ last = lasts[i]->next;
diff --git a/debian/patches/0036-Add-a-missing-argument-check.patch b/debian/patches/0036-Add-a-missing-argument-check.patch
new file mode 100644
index 0000000..6956d56
--- /dev/null
+++ b/debian/patches/0036-Add-a-missing-argument-check.patch
@@ -0,0 +1,24 @@
+From: Gaurav Gupta
+Date: Mon, 14 Jul 2014 16:08:28 +0800
+Subject: Add a missing argument check
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733042
+
+the states argument of xmlRelaxNGAddStates() ought to be checked too
+---
+ relaxng.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/relaxng.c b/relaxng.c
+index 3d8524d..89fcc4e 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -1095,7 +1095,7 @@ xmlRelaxNGAddStates(xmlRelaxNGValidCtxtPtr ctxt,
+ {
+ int i;
+
+- if (state == NULL) {
++ if (state == NULL || states == NULL) {
+ return (-1);
+ }
+ if (states->nbState >= states->maxState) {
diff --git a/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch b/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch
new file mode 100644
index 0000000..8263b84
--- /dev/null
+++ b/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch
@@ -0,0 +1,43 @@
+From: Gaurav Gupta
+Date: Mon, 14 Jul 2014 16:14:44 +0800
+Subject: Add a couple of misisng check in xmlRelaxNGCleanupTree
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733041
+
+check cur->parent before dereferencing the pointer even if
+a null parent there should not happen
+Also fix a typo
+---
+ relaxng.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/relaxng.c b/relaxng.c
+index 89fcc4e..33fc71a 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -7346,13 +7346,13 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root)
+ if (ns != NULL)
+ xmlFree(ns);
+ /*
+- * Since we are about to delete cur, if it's nsDef is non-NULL we
++ * Since we are about to delete cur, if its nsDef is non-NULL we
+ * need to preserve it (it contains the ns definitions for the
+ * children we just moved). We'll just stick it on to the end
+ * of cur->parent's list, since it's never going to be re-serialized
+ * (bug 143738).
+ */
+- if (cur->nsDef != NULL) {
++ if ((cur->nsDef != NULL) && (cur->parent != NULL)) {
+ xmlNsPtr parDef = (xmlNsPtr)&cur->parent->nsDef;
+ while (parDef->next != NULL)
+ parDef = parDef->next;
+@@ -7370,7 +7370,8 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root)
+ else if ((cur->type == XML_TEXT_NODE) ||
+ (cur->type == XML_CDATA_SECTION_NODE)) {
+ if (IS_BLANK_NODE(cur)) {
+- if (cur->parent->type == XML_ELEMENT_NODE) {
++ if ((cur->parent != NULL) &&
++ (cur->parent->type == XML_ELEMENT_NODE)) {
+ if ((!xmlStrEqual(cur->parent->name, BAD_CAST "value"))
+ &&
+ (!xmlStrEqual
diff --git a/debian/patches/0038-Fix-a-potential-NULL-dereference.patch b/debian/patches/0038-Fix-a-potential-NULL-dereference.patch
new file mode 100644
index 0000000..35aea33
--- /dev/null
+++ b/debian/patches/0038-Fix-a-potential-NULL-dereference.patch
@@ -0,0 +1,29 @@
+From: Daniel Veillard
+Date: Mon, 14 Jul 2014 16:39:50 +0800
+Subject: Fix a potential NULL dereference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733040
+
+xmlDictLookup() may return NULL in case of allocation error,
+though very unlikely it need to be checked.
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index ea0ea65..b02333b 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9313,6 +9313,12 @@ reparse:
+ const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
+ xmlURIPtr uri;
+
++ if (URL == NULL) {
++ xmlErrMemory(ctxt, "dictionary allocation failure");
++ if ((attvalue != NULL) && (alloc != 0))
++ xmlFree(attvalue);
++ return(NULL);
++ }
+ if (*URL != 0) {
+ uri = xmlParseURI((const char *) URL);
+ if (uri == NULL) {
diff --git a/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch b/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch
new file mode 100644
index 0000000..73813e4
--- /dev/null
+++ b/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch
@@ -0,0 +1,21 @@
+From: Daniel Veillard
+Date: Mon, 14 Jul 2014 20:29:34 +0800
+Subject: Fix processing in SAX2 in case of an allocation failure
+
+Related to https://bugzilla.gnome.org/show_bug.cgi?id=731360
+---
+ SAX2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/SAX2.c b/SAX2.c
+index 76b7158..791992c 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -2578,6 +2578,7 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len)
+ }
+ if (lastChild->content == NULL) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
++ return;
+ }
+ if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
diff --git a/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch b/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch
new file mode 100644
index 0000000..22895c1
--- /dev/null
+++ b/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch
@@ -0,0 +1,47 @@
+From: Gaurav Gupta
+Date: Mon, 14 Jul 2014 21:22:07 +0800
+Subject: Avoid Possible Null Pointer in trio.c
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=730005
+While using assert in libxml2 is really not a good idea, it's
+still better to assert than crash
+---
+ trio.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/trio.c b/trio.c
+index d885db9..1bf99e3 100644
+--- a/trio.c
++++ b/trio.c
+@@ -6418,11 +6418,14 @@ TRIO_ARGS2((self, intPointer),
+ trio_class_t *self,
+ int *intPointer)
+ {
+- FILE *file = (FILE *)self->location;
++ FILE *file;
+
+ assert(VALID(self));
++ assert(VALID(self->location));
+ assert(VALID(file));
+
++ file = (FILE *)self->location;
++
+ self->current = fgetc(file);
+ if (self->current == EOF)
+ {
+@@ -6451,11 +6454,14 @@ TRIO_ARGS2((self, intPointer),
+ trio_class_t *self,
+ int *intPointer)
+ {
+- int fd = *((int *)self->location);
++ int fd;
+ int size;
+ unsigned char input;
+
+ assert(VALID(self));
++ assert(VALID(self->location));
++
++ fd = *((int *)self->location);
+
+ size = read(fd, &input, sizeof(char));
+ if (size == -1)
diff --git a/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch b/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch
new file mode 100644
index 0000000..d4fddfe
--- /dev/null
+++ b/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch
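Review bot: In the first trio.c hunk (at -6418), the retained `assert(VALID(file));` now runs before `file` is assigned, so it tests an uninitialized pointer; that read is undefined behaviour and, with assertions enabled, the check can pass or abort arbitrarily. Put the assignment ahead of it, `file = (FILE *)self->location;` followed by `assert(VALID(file));`, or drop the line, since the new `assert(VALID(self->location));` already covers the same pointer. The second hunk (at -6451) does not have this problem because nothing asserts on `fd` before it is set. Since `assert` is compiled out under NDEBUG, neither hunk guards the dereference in release builds, which the patch description concedes. Both function bodies continue outside the hunks.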
@@ -0,0 +1,32 @@
+From: David Kilzer
+Date: Mon, 14 Jul 2014 22:29:56 +0800
+Subject: Check for tmon in _xmlSchemaDateAdd() is incorrect
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=732705
+In _xmlSchemaDateAdd(), the check for |tmon| should be the following
+since MAX_DAYINMONTH() expects a month in the range [1,12]:
+
+ if (tmon < 1)
+ tmon = 1;
+
+Regression introduced in
+https://git.gnome.org/browse/libxml2/commit/?id=14b5643947845df089376106517c4f7ba061e4b0
+---
+ xmlschemastypes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index ec403e8..7e1d54a 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -3848,8 +3848,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur)
+ * Coverity detected an overrun in daysInMonth
+ * of size 12 at position 12 with index variable "((r)->mon - 1)"
+ */
+- if (tmon < 0)
+- tmon = 0;
++ if (tmon < 1)
++ tmon = 1;
+ if (tmon > 12)
+ tmon = 12;
+ tempdays += MAX_DAYINMONTH(tyr, tmon);
diff --git a/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch b/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch
new file mode 100644
index 0000000..e991045
--- /dev/null
+++ b/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch
@@ -0,0 +1,29 @@
+From: Philip Withnall
+Date: Fri, 20 Jun 2014 21:03:42 +0100
+Subject: HTMLparser: Correctly initialise a stack allocated structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If not initialised, the ‘node’ member remains undefined.
+
+Coverity issue: #60466
+
+https://bugzilla.gnome.org/show_bug.cgi?id=731990
+---
+ HTMLparser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 79b1adf..4c51cc5 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -4366,7 +4366,7 @@ static void
+ htmlParseElementInternal(htmlParserCtxtPtr ctxt) {
+ const xmlChar *name;
+ const htmlElemDesc * info;
+- htmlParserNodeInfo node_info;
++ htmlParserNodeInfo node_info = { 0, };
+ int failed;
+
+ if ((ctxt == NULL) || (ctxt->input == NULL)) {
diff --git a/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch b/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch
new file mode 100644
index 0000000..c0151db
--- /dev/null
+++ b/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch
@@ -0,0 +1,34 @@
+From: Philip Withnall
+Date: Fri, 20 Jun 2014 21:05:33 +0100
+Subject: xmlcatalog: Fix a memory leak on quit
+
+Coverity issue: #60442
+
+https://bugzilla.gnome.org/show_bug.cgi?id=731990
+---
+ xmlcatalog.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/xmlcatalog.c b/xmlcatalog.c
+index 43f455a..b9ed6a4 100644
+--- a/xmlcatalog.c
++++ b/xmlcatalog.c
+@@ -181,12 +181,13 @@ static void usershell(void) {
+ /*
+ * start interpreting the command
+ */
+- if (!strcmp(command, "exit"))
+- break;
+- if (!strcmp(command, "quit"))
+- break;
+- if (!strcmp(command, "bye"))
++ if (!strcmp(command, "exit") ||
++ !strcmp(command, "quit") ||
++ !strcmp(command, "bye")) {
++ free(cmdline);
+ break;
++ }
++
+ if (!strcmp(command, "public")) {
+ if (nbargs != 1) {
+ printf("public requires 1 arguments\n");
diff --git a/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch b/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch
new file mode 100644
index 0000000..b2824e5
--- /dev/null
+++ b/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch
@@ -0,0 +1,28 @@
+From: Philip Withnall
+Date: Fri, 20 Jun 2014 21:37:21 +0100
+Subject: xmlschemastypes: Fix potential array overflow
+
+The year and month need validating before being put into the
+MAX_DAYINMONTH macro.
+
+Coverity issue: #60436
+
+https://bugzilla.gnome.org/show_bug.cgi?id=731990
+---
+ xmlschemastypes.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index 7e1d54a..6e8bb70 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -3854,7 +3854,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur)
+ tmon = 12;
+ tempdays += MAX_DAYINMONTH(tyr, tmon);
+ carry = -1;
+- } else if (tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) {
++ } else if (VALID_YEAR(r->year) && VALID_MONTH(r->mon) &&
++ tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) {
+ tempdays = tempdays - MAX_DAYINMONTH(r->year, r->mon);
+ carry = 1;
+ } else
diff --git a/debian/patches/0045-Add-couple-of-missing-Null-checks.patch b/debian/patches/0045-Add-couple-of-missing-Null-checks.patch
new file mode 100644
index 0000000..29d8523
--- /dev/null
+++ b/debian/patches/0045-Add-couple-of-missing-Null-checks.patch
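Review bot: In patch 0044, when `r->year` or `r->mon` fails the new `VALID_YEAR`/`VALID_MONTH` test, control falls into the trailing `else` and the date is handled as if the day count were already in range, so the bad value is hidden rather than reported. The first branch clamps `tmon` into 1..12, while this branch neither clamps nor rejects `r->mon`, so the two branches treat the same kind of bad input differently. If skipping the carry is intended, say so next to the condition, e.g. `/* out-of-range year/month: never index the days-in-month table */`. The rest of the if/else chain is outside the hunk, so whether a later check rejects the value cannot be confirmed from here.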
@@ -0,0 +1,49 @@
+From: Daniel Veillard
+Date: Sat, 26 Jul 2014 21:04:54 +0800
+Subject: Add couple of missing Null checks
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733710
+Reported by Gaurav but with slightly different fixes
+---
+ relaxng.c | 7 ++++++-
+ tree.c | 4 ++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/relaxng.c b/relaxng.c
+index 33fc71a..936f657 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -6655,12 +6655,17 @@ xmlRelaxNGParseDocument(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node)
+ ctxt->define = NULL;
+ if (IS_RELAXNG(node, "grammar")) {
+ schema->topgrammar = xmlRelaxNGParseGrammar(ctxt, node->children);
++ if (schema->topgrammar == NULL) {
++ xmlRelaxNGFree(schema);
++ return (NULL);
++ }
+ } else {
+ xmlRelaxNGGrammarPtr tmp, ret;
+
+ schema->topgrammar = ret = xmlRelaxNGNewGrammar(ctxt);
+ if (schema->topgrammar == NULL) {
+- return (schema);
++ xmlRelaxNGFree(schema);
++ return (NULL);
+ }
+ /*
+ * Link the new grammar in the tree
+diff --git a/tree.c b/tree.c
+index 43c3c57..967c6a4 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4509,6 +4509,10 @@ xmlCopyDoc(xmlDocPtr doc, int recursive) {
+ #ifdef LIBXML_TREE_ENABLED
+ if (doc->intSubset != NULL) {
+ ret->intSubset = xmlCopyDtd(doc->intSubset);
++ if (ret->intSubset == NULL) {
++ xmlFreeDoc(ret);
++ return(NULL);
++ }
+ xmlSetTreeDoc((xmlNodePtr)ret->intSubset, ret);
+ ret->intSubset->parent = ret;
+ }
diff --git a/debian/patches/0046-Couple-of-Missing-Null-checks.patch b/debian/patches/0046-Couple-of-Missing-Null-checks.patch
new file mode 100644
index 0000000..c8320de
--- /dev/null
+++ b/debian/patches/0046-Couple-of-Missing-Null-checks.patch
@@ -0,0 +1,35 @@
+From: Gaurav Gupta
+Date: Thu, 7 Aug 2014 11:19:03 +0800
+Subject: Couple of Missing Null checks
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=734328
+
+Missing Null check could cause crash, if a pointer is dereferenced.
+
+Found problem at two places in valid.c
+---
+ valid.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 114bb72..6255b5b 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1798,6 +1798,7 @@ xmlCopyEnumeration(xmlEnumerationPtr cur) {
+
+ if (cur == NULL) return(NULL);
+ ret = xmlCreateEnumeration((xmlChar *) cur->name);
++ if (ret == NULL) return(NULL);
+
+ if (cur->next != NULL) ret->next = xmlCopyEnumeration(cur->next);
+ else ret->next = NULL;
+@@ -6998,6 +6999,9 @@ xmlValidGetValidElements(xmlNode *prev, xmlNode *next, const xmlChar **names,
+ * Creates a dummy node and insert it into the tree
+ */
+ test_node = xmlNewDocNode (ref_node->doc, NULL, BAD_CAST "", NULL);
++ if (test_node == NULL)
++ return(-1);
++
+ test_node->parent = parent;
+ test_node->prev = prev;
+ test_node->next = next;
diff --git a/debian/patches/0047-Fix-Enum-check-and-missing-break.patch b/debian/patches/0047-Fix-Enum-check-and-missing-break.patch
new file mode 100644
index 0000000..decca97
--- /dev/null
+++ b/debian/patches/0047-Fix-Enum-check-and-missing-break.patch
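Review bot: In patch 0046, `xmlCopyEnumeration()` now returns NULL when the head allocation fails, but a failure deeper in the recursion is still stored as `ret->next = NULL`, so the caller receives a silently truncated list that looks complete. Checking the recursive result and releasing the partial copy would surface the failure, for example `if (ret->next == NULL) { xmlFreeEnumeration(ret); return(NULL); }` inside the `cur->next != NULL` branch. Both patched functions continue outside the hunks.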
@@ -0,0 +1,43 @@
+From: Gaurav Gupta
+Date: Mon, 6 Oct 2014 12:24:17 +0800
+Subject: Fix Enum check and missing break
+
+for https://bugzilla.gnome.org/show_bug.cgi?id=737403
+
+In file xmlreader.c
+1. An enum is checked to proper value instead of checking like a boolean.
+2. Missing break statement added.
+---
+ xmlreader.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 00083d0..9620f52 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1427,7 +1427,7 @@ get_next_node:
+ goto node_found;
+ }
+ #ifdef LIBXML_REGEXP_ENABLED
+- if ((reader->validate) && (reader->node->type == XML_ELEMENT_NODE))
++ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node->type == XML_ELEMENT_NODE))
+ xmlTextReaderValidatePop(reader);
+ #endif /* LIBXML_REGEXP_ENABLED */
+ if ((reader->preserves > 0) &&
+@@ -1560,7 +1560,7 @@ node_found:
+ goto get_next_node;
+ }
+ #ifdef LIBXML_REGEXP_ENABLED
+- if ((reader->validate) && (reader->node != NULL)) {
++ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node != NULL)) {
+ xmlNodePtr node = reader->node;
+
+ if ((node->type == XML_ELEMENT_NODE) &&
+@@ -1790,6 +1790,7 @@ xmlTextReaderReadString(xmlTextReaderPtr reader)
+ if (xmlTextReaderDoExpand(reader) != -1) {
+ return xmlTextReaderCollectSiblings(node->children);
+ }
++ break;
+ case XML_ATTRIBUTE_NODE:
+ TODO
+ break;
diff --git a/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch b/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch
new file mode 100644
index 0000000..8d0dcc8
--- /dev/null
+++ b/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch
@@ -0,0 +1,38 @@
+From: Daniel Veillard
+Date: Mon, 6 Oct 2014 18:51:04 +0800
+Subject: Possible overflow in HTMLParser.c
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=720615
+
+make sure that the encoding string passed is of reasonable size
+---
+ HTMLparser.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 4c51cc5..8d34fd1 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -6288,12 +6288,16 @@ htmlCreateFileParserCtxt(const char *filename, const char *encoding)
+
+ /* set encoding */
+ if (encoding) {
+- content = xmlMallocAtomic (xmlStrlen(content_line) + strlen(encoding) + 1);
+- if (content) {
+- strcpy ((char *)content, (char *)content_line);
+- strcat ((char *)content, (char *)encoding);
+- htmlCheckEncoding (ctxt, content);
+- xmlFree (content);
++ size_t l = strlen(encoding);
++
++ if (l < 1000) {
++ content = xmlMallocAtomic (xmlStrlen(content_line) + l + 1);
++ if (content) {
++ strcpy ((char *)content, (char *)content_line);
++ strcat ((char *)content, (char *)encoding);
++ htmlCheckEncoding (ctxt, content);
++ xmlFree (content);
++ }
+ }
+ }
+
diff --git a/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch b/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch
new file mode 100644
index 0000000..45a4f15
--- /dev/null
+++ b/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch
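Review bot: In patch 0048, an `encoding` of 1000 bytes or more is now skipped without any diagnostic, so `htmlCreateFileParserCtxt()` hands back a context as if no encoding had been requested and the caller cannot tell that its argument was ignored. The bare `1000` should become a named constant with a comment giving the reason for the limit, and the skipped case should be documented at the check, e.g. `/* over-long encoding names are ignored, not reported */`. The function continues outside the hunk, so whether a later step reports the problem cannot be seen here.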
@@ -0,0 +1,25 @@
+From: Gaurav Gupta
+Date: Mon, 6 Oct 2014 19:28:29 +0800
+Subject: Leak of struct addrinfo in xmlNanoFTPConnect()
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=732352
+
+in case of error condition in IPv6 support, the early return here
+doesn't call freeaddrinfo(result), thus leaking memory.
+---
+ nanoftp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/nanoftp.c b/nanoftp.c
+index 077bfe2..010e0b1 100644
+--- a/nanoftp.c
++++ b/nanoftp.c
+@@ -908,6 +908,8 @@ xmlNanoFTPConnect(void *ctx) {
+ return (-1);
+ }
+ if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) {
++ if (result)
++ freeaddrinfo (result);
+ __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
+ return (-1);
+ }
diff --git a/debian/patches/0050-Pointer-dereferenced-before-null-check.patch b/debian/patches/0050-Pointer-dereferenced-before-null-check.patch
new file mode 100644
index 0000000..9370f13
--- /dev/null
+++ b/debian/patches/0050-Pointer-dereferenced-before-null-check.patch
@@ -0,0 +1,61 @@
+From: Daniel Veillard
+Date: Mon, 6 Oct 2014 20:07:19 +0800
+Subject: Pointer dereferenced before null check
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=707027
+
+A few pointer dereference before NULL check fixed.
+Removed a useless test
+---
+ xmlreader.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 9620f52..8834f50 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -282,7 +282,10 @@ static void
+ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
+ xmlDictPtr dict;
+
+- dict = reader->ctxt->dict;
++ if ((reader != NULL) && (reader->ctxt != NULL))
++ dict = reader->ctxt->dict;
++ else
++ dict = NULL;
+ if (cur == NULL) return;
+
+ if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue))
+@@ -319,7 +322,7 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
+ static void
+ xmlTextReaderFreePropList(xmlTextReaderPtr reader, xmlAttrPtr cur) {
+ xmlAttrPtr next;
+- if (cur == NULL) return;
++
+ while (cur != NULL) {
+ next = cur->next;
+ xmlTextReaderFreeProp(reader, cur);
+@@ -340,7 +343,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
+ xmlNodePtr next;
+ xmlDictPtr dict;
+
+- dict = reader->ctxt->dict;
++ if ((reader != NULL) && (reader->ctxt != NULL))
++ dict = reader->ctxt->dict;
++ else
++ dict = NULL;
+ if (cur == NULL) return;
+ if (cur->type == XML_NAMESPACE_DECL) {
+ xmlFreeNsList((xmlNsPtr) cur);
+@@ -417,7 +423,10 @@ static void
+ xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur) {
+ xmlDictPtr dict;
+
+- dict = reader->ctxt->dict;
++ if ((reader != NULL) && (reader->ctxt != NULL))
++ dict = reader->ctxt->dict;
++ else
++ dict = NULL;
+ if (cur->type == XML_DTD_NODE) {
+ xmlFreeDtd((xmlDtdPtr) cur);
+ return;
diff --git a/debian/patches/0051-xpointer-fixing-Null-Pointers.patch b/debian/patches/0051-xpointer-fixing-Null-Pointers.patch
new file mode 100644
index 0000000..1bc5f96
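Review bot: In patch 0050, `xmlTextReaderFreeNode()` in the last hunk still dereferences `cur->type` with no NULL test, while `xmlTextReaderFreeProp()` and `xmlTextReaderFreeNodeList()` keep `if (cur == NULL) return;` right after the new `dict` assignment. To match the stated purpose of the patch, add `if (cur == NULL) return;` before `if (cur->type == XML_DTD_NODE)`. Separately, the new `dict = NULL` fallback changes the input to whatever code later decides if a string belongs to the dictionary; that code is outside the hunks, so it should be checked that it frees correctly when no dictionary is available.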
--- /dev/null
+++ b/debian/patches/0051-xpointer-fixing-Null-Pointers.patch
@@ -0,0 +1,110 @@ +From: Gaurav Gupta +Date: Tue, 7 Oct 2014 17:09:35 +0800 +Subject: xpointer : fixing Null Pointers + +For https://bugzilla.gnome.org/show_bug.cgi?id=738053 +At many places in xpointer.c +Null check is missing which is dereferenced at later places. +--- + xpointer.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/xpointer.c b/xpointer.c +index 46f11e8..1ae2e53 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1375,6 +1375,8 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) { + return(NULL); + + ctxt = xmlXPathNewParserContext(str, ctx); ++ if (ctxt == NULL) ++ return(NULL); + ctxt->xptr = 1; + xmlXPtrEvalXPointer(ctxt); + +@@ -1807,6 +1809,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval); + xmlXPathFreeObject(obj); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + obj = tmp; + } + +@@ -1901,10 +1905,16 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval); + xmlXPathFreeObject(obj); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + obj = tmp; + } + + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(obj); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + oldset = (xmlLocationSetPtr) obj->user; + if (oldset != NULL) { + int i; +@@ -2049,6 +2059,8 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval); + xmlXPathFreeObject(set); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + set = tmp; + } + oldset = (xmlLocationSetPtr) set->user; +@@ -2057,6 +2069,10 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * The loop is to compute the covering range for each item and add it + */ + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(set); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + for (i = 
0;i < oldset->locNr;i++) { + xmlXPtrLocationSetAdd(newset, + xmlXPtrCoveringRange(ctxt, oldset->locTab[i])); +@@ -2195,6 +2211,8 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval); + xmlXPathFreeObject(set); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + set = tmp; + } + oldset = (xmlLocationSetPtr) set->user; +@@ -2203,6 +2221,10 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) { + * The loop is to compute the covering range for each item and add it + */ + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(set); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + for (i = 0;i < oldset->locNr;i++) { + xmlXPtrLocationSetAdd(newset, + xmlXPtrInsideRange(ctxt, oldset->locTab[i])); +@@ -2798,6 +2820,10 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + + set = valuePop(ctxt); + newset = xmlXPtrLocationSetCreate(NULL); ++ if (newset == NULL) { ++ xmlXPathFreeObject(set); ++ XP_ERROR(XPATH_MEMORY_ERROR); ++ } + if (set->nodesetval == NULL) { + goto error; + } +@@ -2809,6 +2835,8 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) { + */ + tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval); + xmlXPathFreeObject(set); ++ if (tmp == NULL) ++ XP_ERROR(XPATH_MEMORY_ERROR) + set = tmp; + } + oldset = (xmlLocationSetPtr) set->user; diff --git a/debian/patches/0052-xmlmemory-handle-realloc-properly.patch b/debian/patches/0052-xmlmemory-handle-realloc-properly.patch new file mode 100644 index 0000000..f16d038 --- /dev/null +++ b/debian/patches/0052-xmlmemory-handle-realloc-properly.patch 
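Review bot: In patch 0051, the `if (tmp == NULL) XP_ERROR(XPATH_MEMORY_ERROR)` added to `xmlXPtrStringRangeFunction()` leaves the function after `newset` has already been created a few lines earlier, so that path leaks `newset` and bypasses whatever the function's `error:` label releases. Free it first, e.g. `if (tmp == NULL) { xmlXPtrFreeLocationSet(newset); XP_ERROR(XPATH_MEMORY_ERROR); }`. The `tmp` checks in all five patched functions also omit the trailing semicolon that the `newset` checks carry; they compile only because of how the macro expands and should read `XP_ERROR(XPATH_MEMORY_ERROR);` throughout. The function bodies continue outside the hunks.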
@@ -0,0 +1,39 @@
+From: Yegor Yefremov
+Date: Fri, 10 Oct 2014 12:23:09 +0200
+Subject: xmlmemory: handle realloc properly
+
+If realloc fails, free original pointer.
+
+Signed-off-by: Yegor Yefremov
+---
+ xmlmemory.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index 37dcf3b..6110849 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -313,7 +313,7 @@ xmlMemMalloc(size_t size)
+ void *
+ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ {
+- MEMHDR *p;
++ MEMHDR *p, *tmp;
+ unsigned long number;
+ #ifdef DEBUG_MEMORY
+ size_t oldsize;
+@@ -344,10 +344,12 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+ xmlMutexUnlock(xmlMemMutex);
+
+- p = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+- if (!p) {
++ tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
++ if (!tmp) {
++ free(p);
+ goto error;
+ }
++ p = tmp;
+ if (xmlMemTraceBlockAt == ptr) {
+ xmlGenericError(xmlGenericErrorContext,
+ "%p : Realloced(%lu -> %lu) Ok\n",
diff --git a/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch b/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
new file mode 100644
index 0000000..4fc48a0
--- /dev/null
+++ b/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
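Review bot: In patch 0052, freeing `p` when `realloc()` fails makes `xmlReallocLoc()` depart from the standard contract, under which the original block stays valid on failure; a caller that follows the usual idiom and frees or keeps using its old pointer after a NULL return would then double-free or touch freed memory. Either leave the block alone on failure (`if (!tmp) goto error;`) or state the ownership change in the function header, e.g. `/* on failure the original block is released; the caller must not use or free ptr */`. `RESERVE_SIZE+size` is also passed to `realloc()` with no overflow check in the visible lines. The function starts and ends outside the hunks, so what the `error:` path does cannot be seen here.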
@@ -0,0 +1,50 @@ +From: Bart De Schuymer +Date: Thu, 16 Oct 2014 12:17:20 +0800 +Subject: fix memory leak xml header encoding field with XML_PARSE_IGNORE_ENC + +When the xml parser encounters an xml encoding in an xml header while +configured with option XML_PARSE_IGNORE_ENC, it fails to free memory +allocated for storing the encoding. +The patch below fixes this. +How to reproduce: +1. Change doc/examples/parse4.c to add xmlCtxtUseOptions(ctxt, +XML_PARSE_IGNORE_ENC); after the call to xmlCreatePushParserCtxt. +2. Rebuild +3. run the following command from the top libxml2 directory: +LD_LIBRARY_PATH=.libs/ valgrind --leak-check=full +./doc/examples/.libs/parse4 ./test.xml , where test.xml contains +following +input: + +valgrind will report: +==1964== 10 bytes in 1 blocks are definitely lost in loss record 1 of 1 +==1964== at 0x4C272DB: malloc (in +/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) +==1964== by 0x4E88497: xmlParseEncName (parser.c:10224) +==1964== by 0x4E888FE: xmlParseEncodingDecl (parser.c:10295) +==1964== by 0x4E89630: xmlParseXMLDecl (parser.c:10534) +==1964== by 0x4E8B737: xmlParseTryOrFinish (parser.c:11293) +==1964== by 0x4E8E775: xmlParseChunk (parser.c:12283) + +Signed-off-by: Bart De Schuymer +--- + parser.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/parser.c b/parser.c +index b02333b..ab69d56 100644 +--- a/parser.c ++++ b/parser.c +@@ -10338,8 +10338,10 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { + /* + * Non standard parsing, allowing the user to ignore encoding + */ +- if (ctxt->options & XML_PARSE_IGNORE_ENC) +- return(encoding); ++ if (ctxt->options & XML_PARSE_IGNORE_ENC) { ++ xmlFree((xmlChar *) encoding); ++ return(NULL); ++ } + + /* + * UTF-16 encoding stwich has already taken place at this stage, diff --git a/debian/patches/0054-Fix-for-CVE-2014-3660.patch b/debian/patches/0054-Fix-for-CVE-2014-3660.patch new file mode 100644 index 0000000..43ffa32 --- /dev/null 
+++ b/debian/patches/0054-Fix-for-CVE-2014-3660.patch 
@@ -0,0 +1,141 @@ +From: Daniel Veillard +Date: Thu, 16 Oct 2014 13:59:47 +0800 +Subject: Fix for CVE-2014-3660 + +Issues related to the billion laugh entity expansion which happened to +escape the initial set of fixes +--- + parser.c | 42 ++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 38 insertions(+), 4 deletions(-) + +diff --git a/parser.c b/parser.c +index ab69d56..b7f3c03 100644 +--- a/parser.c ++++ b/parser.c +@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + return (0); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + return (1); ++ ++ /* ++ * This may look absurd but is needed to detect ++ * entities problems ++ */ ++ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && ++ (ent->content != NULL) && (ent->checked == 0)) { ++ unsigned long oldnbent = ctxt->nbentities; ++ xmlChar *rep; ++ ++ ent->checked = 1; ++ ++ rep = xmlStringDecodeEntities(ctxt, ent->content, ++ XML_SUBSTITUTE_REF, 0, 0, 0); ++ ++ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; ++ if (rep != NULL) { ++ if (xmlStrchr(rep, '<')) ++ ent->checked |= 1; ++ xmlFree(rep); ++ rep = NULL; ++ } ++ } + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); +@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + return (0); + } else { + /* +- * strange we got no data for checking just return ++ * strange we got no data for checking + */ +- return (0); ++ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && ++ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || ++ (ctxt->nbentities <= 10000)) ++ return (0); + } + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return (1); +@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else if (ctxt->input->free != deallocblankswrapper) { + input = xmlNewBlanksWrapperInputStream(ctxt, entity); + if (xmlPushInput(ctxt, input) < 0) 
+@@ -2754,6 +2781,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || + (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if ((ent != NULL) && +@@ -2805,6 +2833,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + ent = xmlParseStringPEReference(ctxt, &str); + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + goto int_error; ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + if (ent != NULL) + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { +@@ -7307,6 +7336,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + (ret != XML_WAR_UNDECLARED_ENTITY)) { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, + "Entity '%s' failed to parse\n", ent->name); ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + } else if (list != NULL) { + xmlFreeNodeList(list); + list = NULL; +@@ -7413,7 +7443,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7461,7 +7491,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + /* + * We are copying here, make sure there is no abuse + */ +- ctxt->sizeentcopy += ent->length; ++ ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + +@@ -7647,6 +7677,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) { + ctxt->sax->reference(ctxt->userData, name); + } + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + ctxt->valid = 0; + } + +@@ -7840,6 +7871,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) { + "Entity '%s' not defined\n", + name); + } ++ xmlParserEntityCheck(ctxt, 0, ent, 0); + /* TODO ? 
check regressions ctxt->valid = 0; */ + } + +@@ -7999,6 +8031,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed +@@ -8238,6 +8271,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) { + name, NULL); + ctxt->valid = 0; + } ++ xmlParserEntityCheck(ctxt, 0, NULL, 0); + } else { + /* + * Internal checking in case the entity quest barfed diff --git a/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch new file mode 100644 index 0000000..fc40734 --- /dev/null +++ b/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch @@ -0,0 +1,27 @@ +From: Daniel Veillard +Date: Thu, 23 Oct 2014 11:35:36 +0800 +Subject: Fix missing entities after CVE-2014-3660 fix + +For https://bugzilla.gnome.org/show_bug.cgi?id=738805 + +The fix for CVE-2014-3660 introduced a regression in some case +where entity substitution is required and the entity is used +first in anotther entity referenced from an attribute value +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index b7f3c03..c187327 100644 +--- a/parser.c ++++ b/parser.c +@@ -7230,7 +7230,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + * far more secure as the parser will only process data coming from + * the document entity by default. + */ +- if ((ent->checked == 0) && ++ if (((ent->checked == 0) || ++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { + unsigned long oldnbent = ctxt->nbentities; diff --git a/debian/patches/series b/debian/patches/series index ce6e665..99fd190 100644 --- a/debian/patches/series +++ b/debian/patches/series 
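Review bot: In patch 0054, the new block in `xmlParserEntityCheck()` packs two facts into `ent->checked`, an entity count multiplied by two and, in bit 0, whether the expanded text contains `<`, yet the only comment says the code "may look absurd". A comment stating the encoding, e.g. `/* checked = 2 * (entities expanded) | 1 if the replacement text contains '<' */`, plus a line on why `ent->checked = 1` is set before calling `xmlStringDecodeEntities()` (it appears to guard against re-entry for the same entity), would make the later `ent->checked / 2` uses readable. The threshold `10000` and the `+ 5` added to `sizeentcopy` are unexplained literals and should be named constants with a stated rationale. The expression `(ctxt->nbentities - oldnbent + 1) * 2` is computed in `unsigned long` and stored in `ent->checked`, whose type is not visible here, so it should be confirmed that the value cannot truncate.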
@@ -30,3 +30,26 @@ 0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch 0031-xmllint-was-not-parsing-the-c14n11-flag.patch 0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch +0033-Adding-some-missing-NULL-checks.patch +0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch +0035-Adding-a-check-in-case-of-allocation-error.patch +0036-Add-a-missing-argument-check.patch +0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch +0038-Fix-a-potential-NULL-dereference.patch +0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch +0040-Avoid-Possible-Null-Pointer-in-trio.c.patch +0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch +0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch +0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch +0044-xmlschemastypes-Fix-potential-array-overflow.patch +0045-Add-couple-of-missing-Null-checks.patch +0046-Couple-of-Missing-Null-checks.patch +0047-Fix-Enum-check-and-missing-break.patch +0048-Possible-overflow-in-HTMLParser.c.patch +0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch +0050-Pointer-dereferenced-before-null-check.patch +0051-xpointer-fixing-Null-Pointers.patch +0052-xmlmemory-handle-realloc-properly.patch +0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch +0054-Fix-for-CVE-2014-3660.patch +0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch -- cgit v1.2.3 From d548c999ade382febb424b26743b3c4d63159ae0 Mon Sep 17 00:00:00 2001 
From: Aron Xu Date: Mon, 21 Sep 2015 22:55:08 +0800 Subject: Revert "Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring CVE-2014-3660 is fixed too." This reverts commit 37f590756a23e167808f76f1389c36f0a2d39f11. --- debian/changelog | 14 +- ...odify-xml2-config-and-pkgconfig-behaviour.patch | 34 ++--- .../0002-fix-python-multiarch-includes.patch | 4 +- .../0003-Fix-an-error-in-xmlCleanupParser.patch | 2 +- ...ing-break-on-last-function-for-attributes.patch | 2 +- ...xmllint-memory-should-fail-on-empty-files.patch | 2 +- ...ote-the-namespace-uris-written-out-during.patch | 2 +- ...ng-bug-on-non-ascii-element-and-CR-LF-usa.patch | 2 +- debian/patches/0008-missing-else-in-xlink.c.patch | 2 +- ...9-Catch-malloc-error-and-exit-accordingly.patch | 2 +- .../patches/0010-Fix-handling-of-mmap-errors.patch | 2 +- .../0011-Avoid-crash-if-allocation-fails.patch | 2 +- .../0012-Fix-a-possible-NULL-dereference.patch | 2 +- ...013-Clear-up-a-potential-NULL-dereference.patch | 2 +- ...14-Fix-XPath-optimization-with-predicates.patch | 2 +- ...tty-crashed-without-following-numeric-arg.patch | 2 +- ...al-NULL-pointer-dereferences-in-regexp-co.patch | 2 +- ...a-potential-NULL-dereference-in-tree-code.patch | 2 +- ...ix-pointer-dereferenced-before-null-check.patch | 2 +- ...9-Fix-a-bug-loading-some-compressed-files.patch | 2 +- ...-possibility-of-dangling-encoding-handler.patch | 2 +- .../0021-Fix-a-couple-of-missing-NULL-checks.patch | 2 +- ...-calls-to-xml-and-html-Read-parsing-entry.patch | 4 +- ...of-XPath-function-arguments-in-error-case.patch | 2 +- ...ing-initialization-for-the-catalog-module.patch | 2 +- .../0025-Fix-an-fd-leak-in-an-error-case.patch | 2 +- ...-fixing-a-ptotential-uninitialized-access.patch | 2 +- ...WriterWriteElement-when-a-null-content-is.patch | 2 +- ...Avoid-a-possible-NULL-pointer-dereference.patch | 2 +- ...-Do-not-fetch-external-parameter-entities.patch | 2 +- ...ble-null-pointer-dereference-in-memory-de.patch | 2 +- 
...1-xmllint-was-not-parsing-the-c14n11-flag.patch | 4 +- ...essions-introduced-by-CVE-2014-0191-patch.patch | 2 +- .../0033-Adding-some-missing-NULL-checks.patch | 57 --------- ...incorrectly-recomposes-URIs-with-rootless.patch | 27 ---- ...dding-a-check-in-case-of-allocation-error.patch | 28 ---- .../0036-Add-a-missing-argument-check.patch | 24 ---- ...e-of-misisng-check-in-xmlRelaxNGCleanupTr.patch | 43 ------- .../0038-Fix-a-potential-NULL-dereference.patch | 29 ----- ...ing-in-SAX2-in-case-of-an-allocation-fail.patch | 21 --- ...040-Avoid-Possible-Null-Pointer-in-trio.c.patch | 47 ------- ...or-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch | 32 ----- ...Correctly-initialise-a-stack-allocated-st.patch | 29 ----- ...0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch | 34 ----- ...schemastypes-Fix-potential-array-overflow.patch | 28 ---- .../0045-Add-couple-of-missing-Null-checks.patch | 49 ------- .../0046-Couple-of-Missing-Null-checks.patch | 35 ----- .../0047-Fix-Enum-check-and-missing-break.patch | 43 ------- .../0048-Possible-overflow-in-HTMLParser.c.patch | 38 ------ ...k-of-struct-addrinfo-in-xmlNanoFTPConnect.patch | 25 ---- ...50-Pointer-dereferenced-before-null-check.patch | 61 --------- .../0051-xpointer-fixing-Null-Pointers.patch | 110 ---------------- .../0052-xmlmemory-handle-realloc-properly.patch | 39 ------ ...leak-xml-header-encoding-field-with-XML_P.patch | 50 -------- debian/patches/0054-Fix-for-CVE-2014-3660.patch | 141 --------------------- ...-missing-entities-after-CVE-2014-3660-fix.patch | 27 ---- debian/patches/series | 23 ---- 57 files changed, 47 insertions(+), 1109 deletions(-) delete mode 100644 debian/patches/0033-Adding-some-missing-NULL-checks.patch delete mode 100644 debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch delete mode 100644 debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch delete mode 100644 debian/patches/0036-Add-a-missing-argument-check.patch delete mode 100644 
debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch delete mode 100644 debian/patches/0038-Fix-a-potential-NULL-dereference.patch delete mode 100644 debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch delete mode 100644 debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch delete mode 100644 debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch delete mode 100644 debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch delete mode 100644 debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch delete mode 100644 debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch delete mode 100644 debian/patches/0045-Add-couple-of-missing-Null-checks.patch delete mode 100644 debian/patches/0046-Couple-of-Missing-Null-checks.patch delete mode 100644 debian/patches/0047-Fix-Enum-check-and-missing-break.patch delete mode 100644 debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch delete mode 100644 debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch delete mode 100644 debian/patches/0050-Pointer-dereferenced-before-null-check.patch delete mode 100644 debian/patches/0051-xpointer-fixing-Null-Pointers.patch delete mode 100644 debian/patches/0052-xmlmemory-handle-realloc-properly.patch delete mode 100644 debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch delete mode 100644 debian/patches/0054-Fix-for-CVE-2014-3660.patch delete mode 100644 debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch (limited to 'debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch') diff --git a/debian/changelog b/debian/changelog index dc762be..3350507 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,12 +1,10 @@ -libxml2 (2.9.2+really2.9.1+dfsg1-0.1) unstable; urgency=medium +libxml2 (2.9.2+really2.9.1+dfsg1-0.1) UNRELEASED; urgency=medium * Non-maintainer upload. * Go back to 2.9.1+dfsg1 upstream sources so that xmllint works again. Closes: #766884 - * Restore all patches available in 2.9.1+dfsg1-5 in stretch, ensuring - CVE-2014-3660 is fixed too. - -- Raphaël Hertzog Tue, 25 Aug 2015 22:31:29 +0200 + -- Raphaël Hertzog Tue, 25 Aug 2015 21:49:14 +0200 libxml2 (2.9.2+dfsg1-3) unstable; urgency=medium @@ -35,14 +33,6 @@ libxml2 (2.9.2+dfsg1-1) unstable; urgency=low -- Aron Xu Sun, 26 Oct 2014 07:04:50 +0800 -libxml2 (2.9.1+dfsg1-5) testing; urgency=medium - - * Add pkg-config to B-D - * Cherry-pick upstream memory related fixes - - Including CVE-2014-3660 (Closes: #765722, #768089) - - -- Aron Xu Sun, 01 Feb 2015 13:48:36 +0800 - libxml2 (2.9.1+dfsg1-4) unstable; urgency=low [ Christian Svensson ] diff --git a/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch b/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch index 6b16e59..d5d3622 100644 --- a/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch +++ b/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch @@ -1,20 +1,19 @@ 
From: Aron Xu -Date: Fri, 21 Sep 2012 00:19:41 +0800 +Date: Sun, 26 Oct 2014 06:02:29 +0800 Subject: modify xml2-config and pkgconfig behaviour --- - configure.in | 2 +- + configure.ac | 2 +- libxml-2.0-uninstalled.pc.in | 3 ++- - libxml-2.0.pc.in | 2 +- xml2-config.1 | 4 ++++ xml2-config.in | 22 ++++++++++------------ - 5 files changed, 18 insertions(+), 15 deletions(-) + 4 files changed, 17 insertions(+), 14 deletions(-) -diff --git a/configure.in b/configure.in -index d449b11..668f233 100644 ---- a/configure.in -+++ b/configure.in -@@ -1380,7 +1380,7 @@ case "$host" in +diff --git a/configure.ac b/configure.ac +index 14ac0a8..21d90ab 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1476,7 +1476,7 @@ case "$host" in *) M_LIBS="-lm" ;; esac @@ -24,28 +23,17 @@ index d449b11..668f233 100644 AC_SUBST(WITH_ICONV) diff --git a/libxml-2.0-uninstalled.pc.in b/libxml-2.0-uninstalled.pc.in -index cab6834..af16ebc 100644 +index 60b886b..0d5d6cb 100644 --- a/libxml-2.0-uninstalled.pc.in +++ b/libxml-2.0-uninstalled.pc.in 
@@ -8,5 +8,6 @@ Name: libXML Version: @VERSION@ Description: libXML library version2. Requires: --Libs: -L${libdir} -lxml2 @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ +-Libs: -L${libdir} -lxml2 @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @LZMA_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ +Libs: -L${libdir} -lxml2 -+Libs.private: @BASE_THREAD_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ ++Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @LZMA_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ Cflags: -I${includedir} @XML_INCLUDEDIR@ @XML_CFLAGS@ -diff --git a/libxml-2.0.pc.in b/libxml-2.0.pc.in -index f5f5f03..0de667b 100644 ---- a/libxml-2.0.pc.in -+++ b/libxml-2.0.pc.in -@@ -9,5 +9,5 @@ Version: @VERSION@ - Description: libXML library version2. - Requires: - Libs: -L${libdir} -lxml2 --Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @WIN32_EXTRA_LIBADD@ @LIBS@ -+Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @WIN32_EXTRA_LIBADD@ @LIBS@ @LZMA_LIBS@ - Cflags: @XML_INCLUDEDIR@ @XML_CFLAGS@ diff --git a/xml2-config.1 b/xml2-config.1 index 8cf9858..7b4195d 100644 --- a/xml2-config.1 diff --git a/debian/patches/0002-fix-python-multiarch-includes.patch b/debian/patches/0002-fix-python-multiarch-includes.patch index 3201fb3..bcab67e 100644 --- a/debian/patches/0002-fix-python-multiarch-includes.patch +++ b/debian/patches/0002-fix-python-multiarch-includes.patch @@ -21,10 +21,10 @@ index 34aed96..8445ea5 100644 python_LTLIBRARIES = libxml2mod.la diff --git a/python/Makefile.in b/python/Makefile.in -index efdea43..23e7fa2 100644 +index 03fbd5b..7299c82 100644 --- a/python/Makefile.in +++ b/python/Makefile.in -@@ -430,7 +430,7 @@ EXTRA_DIST = \ +@@ -490,7 +490,7 @@ EXTRA_DIST = \ @WITH_PYTHON_TRUE@AM_CPPFLAGS = \ @WITH_PYTHON_TRUE@ -I$(top_builddir)/include \ @WITH_PYTHON_TRUE@ -I$(top_srcdir)/include \ 
diff --git a/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch b/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch index 8834c99..03bf447 100644 --- a/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch +++ b/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch @@ -8,7 +8,7 @@ xmlCleanupParser calls xmlCleanupGlobals() and then xmlResetLastError() but the later reallocate the global data freed by previous call. Just swap the two calls. --- - parser.c | 2 +- + parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch b/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch index 5dabed6..cff8b72 100644 --- a/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch +++ b/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch @@ -4,7 +4,7 @@ Subject: Fix missing break on last() function for attributes pointed out by cppcheck --- - python/libxml.c | 1 + + python/libxml.c | 1 + 1 file changed, 1 insertion(+) diff --git a/python/libxml.c b/python/libxml.c diff --git a/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch b/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch index 48ee651..e1a2197 100644 --- a/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch +++ b/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch @@ -5,7 +5,7 @@ Subject: xmllint --memory should fail on empty files Exposed by https://bugzilla.gnome.org/show_bug.cgi?id=699896 when doing analysis but a priori unrelated. --- - xmllint.c | 5 ++++- + xmllint.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/xmllint.c b/xmllint.c 
diff --git a/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch b/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch index 682fb41..6f4c4c8 100644 --- a/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch +++ b/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch @@ -3,7 +3,7 @@ Date: Thu, 9 May 2013 16:02:16 +0000 Subject: properly quote the namespace uris written out during c14n --- - c14n.c | 9 +++++---- + c14n.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/c14n.c b/c14n.c diff --git a/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch b/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch index b4b5e3b..442fd11 100644 --- a/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch +++ b/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch @@ -8,7 +8,7 @@ Somehow the behaviour of the internal parser routine changed slightly when encountering CR/LF, which led to a bug when parsing document with non-ascii Names --- - parser.c | 6 +++++- + parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0008-missing-else-in-xlink.c.patch b/debian/patches/0008-missing-else-in-xlink.c.patch index 9349cdc..88a4e86 100644 --- a/debian/patches/0008-missing-else-in-xlink.c.patch +++ b/debian/patches/0008-missing-else-in-xlink.c.patch @@ -4,7 +4,7 @@ Subject: missing else in xlink.c Obviously forgotten --- - xlink.c | 2 +- + xlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xlink.c b/xlink.c diff --git a/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch b/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch index a8b9db8..3f93a57 100644 --- a/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch 
+++ b/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch @@ -4,7 +4,7 @@ Subject: Catch malloc error and exit accordingly As pointed privately by Bill Parker --- - xmllint.c | 4 ++++ + xmllint.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xmllint.c b/xmllint.c diff --git a/debian/patches/0010-Fix-handling-of-mmap-errors.patch b/debian/patches/0010-Fix-handling-of-mmap-errors.patch index 3c220a1..0c55cfe 100644 --- a/debian/patches/0010-Fix-handling-of-mmap-errors.patch +++ b/debian/patches/0010-Fix-handling-of-mmap-errors.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=702320 as raised by Gaurav --- - xmllint.c | 13 +++++++++++-- + xmllint.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/xmllint.c b/xmllint.c diff --git a/debian/patches/0011-Avoid-crash-if-allocation-fails.patch b/debian/patches/0011-Avoid-crash-if-allocation-fails.patch index abbb38f..e4e7206 100644 --- a/debian/patches/0011-Avoid-crash-if-allocation-fails.patch +++ b/debian/patches/0011-Avoid-crash-if-allocation-fails.patch @@ -5,7 +5,7 @@ Subject: Avoid crash if allocation fails https://bugzilla.gnome.org/show_bug.cgi?id=704527 xmlSchemaNewValue() may fail on OOM error --- - xmlschemastypes.c | 4 ++++ + xmlschemastypes.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xmlschemastypes.c b/xmlschemastypes.c diff --git a/debian/patches/0012-Fix-a-possible-NULL-dereference.patch b/debian/patches/0012-Fix-a-possible-NULL-dereference.patch index 1683440..9a7cf6f 100644 --- a/debian/patches/0012-Fix-a-possible-NULL-dereference.patch +++ b/debian/patches/0012-Fix-a-possible-NULL-dereference.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=705400 In case of allocation error the pointer was dereferenced before the test for a failure --- - SAX2.c | 4 ++-- + SAX2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SAX2.c b/SAX2.c 
diff --git a/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch b/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch index 3814294..a18dfaf 100644 --- a/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch +++ b/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch @@ -7,7 +7,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=705399 if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought to be zero but it's better to clarify the check in the code directly. --- - parserInternals.c | 3 ++- + parserInternals.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parserInternals.c b/parserInternals.c diff --git a/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch b/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch index 4fc23a2..f24424a 100644 --- a/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch +++ b/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch @@ -6,7 +6,7 @@ My attempt to optimize XPath expressions containing '//' caused a regression reported in bug #695699. This commit disables the optimization for expressions of the form '//foo[predicate]'. --- - xpath.c | 5 +++-- + xpath.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xpath.c b/xpath.c diff --git a/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch b/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch index 4db2660..b910c3a 100644 --- a/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch +++ b/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=674789 We need to check for NULL argument before calling atoi() --- - xmllint.c | 12 +++++++----- + xmllint.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/xmllint.c b/xmllint.c 
diff --git a/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch b/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch index 13df103..fa8a176 100644 --- a/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch +++ b/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch @@ -6,7 +6,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=707749 Fix 3 cases where we might dereference NULL --- - xmlregexp.c | 8 +++++--- + xmlregexp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/xmlregexp.c b/xmlregexp.c diff --git a/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch b/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch index dd8ee34..2c55813 100644 --- a/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch +++ b/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch @@ -7,7 +7,7 @@ https://bugzilla.gnome.org/show_bug.cgi?id=707750 Also reported by Gaurav, simple fix to check the pointer before dereference --- - tree.c | 3 ++- + tree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tree.c b/tree.c diff --git a/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch b/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch index a038b02..3ae1c59 100644 --- a/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch +++ b/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch @@ -7,7 +7,7 @@ for https://bugzilla.gnome.org/show_bug.cgi?id=708364 xmlValidateElementContent is a private function but should still check the ctxt argument before dereferencing --- - valid.c | 2 +- + valid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/valid.c b/valid.c 
diff --git a/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch b/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch index 25c7739..48b4fa4 100644 --- a/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch +++ b/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch @@ -13,7 +13,7 @@ values. This function uses the stream state in state->zstrm, but calls xz_avail which uses the state->strm stream info. This causes gz_next4 to signal a premature EOF if the data it is fetching crosses a 1024 byte boundary. --- - xzlib.c | 26 ++++++++++++++++++++++---- + xzlib.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/xzlib.c b/xzlib.c diff --git a/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch b/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch index 3590669..ab0bde8 100644 --- a/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch +++ b/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch @@ -11,7 +11,7 @@ If the freed handler is any one of handlers[i] list, then it will make that hanldlers[i] as dangling. This may lead to crash issues at places where handlers is read. --- - encoding.c | 16 ++++++++++++++-- + encoding.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/encoding.c b/encoding.c diff --git a/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch b/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch index 62ce6c4..6771dbb 100644 --- a/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch +++ b/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch @@ -4,7 +4,7 @@ Subject: Fix a couple of missing NULL checks For https://bugzilla.gnome.org/show_bug.cgi?id=708681 --- - tree.c | 2 ++ + tree.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tree.c b/tree.c 
diff --git a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch index 2dd7cac..7820411 100644 --- a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch +++ b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch @@ -6,8 +6,8 @@ As pointed out by "Tassyns, Bram " on the list some call had it other didn't, clean it up and add to all missing ones --- - HTMLparser.c | 6 ++++++ - parser.c | 10 ++++++++++ + HTMLparser.c | 6 ++++++ + parser.c | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/HTMLparser.c b/HTMLparser.c diff --git a/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch b/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch index bb185c8..cc18db7 100644 --- a/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch +++ b/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch @@ -14,7 +14,7 @@ This commit makes the handling of function arguments more robust. * Bail out early when evaluation of XPath function arguments fails. * Make sure that there are 'nargs' arguments in the current call frame. --- - xpath.c | 9 +++++++-- + xpath.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/xpath.c b/xpath.c diff --git a/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch b/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch index a4b8a21..c5a5d16 100644 --- a/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch +++ b/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch @@ -3,7 +3,7 @@ Date: Sun, 26 Jan 2014 15:02:25 +0100 Subject: Missing initialization for the catalog module --- - parser.c | 3 +++ + parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/parser.c b/parser.c 
diff --git a/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch b/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch index 2166d8a..edf1752 100644 --- a/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch +++ b/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch @@ -3,7 +3,7 @@ Date: Thu, 6 Feb 2014 10:38:00 +0100 Subject: Fix an fd leak in an error case --- - catalog.c | 5 +++++ + catalog.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/catalog.c b/catalog.c diff --git a/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch b/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch index ca3c141..65eae92 100644 --- a/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch +++ b/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch @@ -3,7 +3,7 @@ Date: Thu, 6 Feb 2014 10:47:20 +0100 Subject: fixing a ptotential uninitialized access --- - valid.c | 2 +- + valid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/valid.c b/valid.c diff --git a/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch b/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch index 7748610..22d206a 100644 --- a/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch +++ b/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch @@ -3,7 +3,7 @@ Date: Sat, 8 Feb 2014 02:22:35 +0800 Subject: Fix xmlTextWriterWriteElement when a null content is given --- - xmlwriter.c | 10 ++++++---- + xmlwriter.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xmlwriter.c b/xmlwriter.c diff --git a/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch b/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch index 7962722..219d13a 100644 --- a/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch 
+++ b/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch @@ -4,7 +4,7 @@ Subject: Avoid a possible NULL pointer dereference For https://bugzilla.gnome.org/show_bug.cgi?id=708355 --- - xmlmodule.c | 2 +- + xmlmodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xmlmodule.c b/xmlmodule.c diff --git a/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch b/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch index 9dbf07f..06ec27c 100644 --- a/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch +++ b/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch @@ -5,7 +5,7 @@ Subject: Do not fetch external parameter entities Unless explicitely asked for when validating or replacing entities with their value. Problem pointed out by Daniel Berrange --- - parser.c | 14 ++++++++++++++ + parser.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch b/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch index 382b8b2..8a84731 100644 --- a/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch +++ b/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch @@ -5,7 +5,7 @@ Subject: Avoid Possible null pointer dereference in memory debug mode Fix a use before check on pointer For https://bugzilla.gnome.org/show_bug.cgi?id=729849 --- - xmlmemory.c | 6 ++++-- + xmlmemory.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/xmlmemory.c b/xmlmemory.c diff --git a/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch b/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch index ddab29f..7b24f6b 100644 --- a/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch +++ b/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch 
@@ -1,10 +1,10 @@ -From: =?utf-8?q?S=C3=A9rgio_Batista?= +From: =?UTF-8?q?S=C3=A9rgio=20Batista?= Date: Mon, 9 Jun 2014 22:10:15 +0800 Subject: xmllint was not parsing the --c14n11 flag Cut and paste error, using the wrong variable --- - xmllint.c | 2 +- + xmllint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xmllint.c b/xmllint.c diff --git a/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch b/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch index 412fcbd..d9fc108 100644 --- a/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch +++ b/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch @@ -8,7 +8,7 @@ postvalidation. https://bugzilla.gnome.org/show_bug.cgi?id=730290 and other reports on list, off-list and on Red Hat bugzilla --- - parser.c | 13 +++++++++++-- + parser.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/parser.c b/parser.c diff --git a/debian/patches/0033-Adding-some-missing-NULL-checks.patch b/debian/patches/0033-Adding-some-missing-NULL-checks.patch deleted file mode 100644 index 967fa75..0000000 --- a/debian/patches/0033-Adding-some-missing-NULL-checks.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From: Gaurav
-Date: Fri, 13 Jun 2014 14:45:20 +0800
-Subject: Adding some missing NULL checks
-
-in SAX2 DOM building code and in the HTML parser
----
- HTMLparser.c | 4 ++--
- SAX2.c | 9 +++++++++
- 2 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/HTMLparser.c b/HTMLparser.c
-index 44c1a3c..79b1adf 100644
---- a/HTMLparser.c
-+++ b/HTMLparser.c
-@@ -3671,13 +3671,13 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) {
- int i;
- int discardtag = 0;
-
-- if (ctxt->instate == XML_PARSER_EOF)
-- return(-1);
- if ((ctxt == NULL) || (ctxt->input == NULL)) {
- htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
- "htmlParseStartTag: context error\n", NULL, NULL);
- return -1;
- }
-+ if (ctxt->instate == XML_PARSER_EOF)
-+ return(-1);
- if (CUR != '<') return -1;
- NEXT;
-
-diff --git a/SAX2.c b/SAX2.c
-index 33d167e..76b7158 100644
---- a/SAX2.c
-+++ b/SAX2.c
-@@ -1177,6 +1177,12 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
- val = xmlStringDecodeEntities(ctxt, value, XML_SUBSTITUTE_REF,
- 0,0,0);
- ctxt->depth--;
-+ if (val == NULL) {
-+ xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement");
-+ if (name != NULL)
-+ xmlFree(name);
-+ return;
-+ }
- } else {
- val = (xmlChar *) value;
- }
-@@ -2570,6 +2576,9 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len)
- (xmlDictOwns(ctxt->dict, lastChild->content))) {
- lastChild->content = xmlStrdup(lastChild->content);
- }
-+ if (lastChild->content == NULL) {
-+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
-+ }
- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
diff --git a/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch b/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch
deleted file mode 100644
index 34e6547..0000000
--- a/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Dennis Filder
-Date: Fri, 13 Jun 2014 14:56:14 +0800
-Subject: xmlSaveUri() incorrectly recomposes URIs with rootless paths
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=731063
-
-xmlSaveUri() of libxml2 (snapshot 2014-05-31 and earlier) returns
-bogus values when called with URIs that have rootless paths
-(e.g. "urx:b:b" becomes "urx://b%3Ab" where "urx:b%3Ab" would be
-correct)
----
- uri.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/uri.c b/uri.c
-index 4ab0ce2..d4dcd2f 100644
---- a/uri.c
-+++ b/uri.c
-@@ -1194,8 +1194,6 @@ xmlSaveUri(xmlURIPtr uri) {
- if (temp == NULL) goto mem_error;
- ret = temp;
- }
-- ret[len++] = '/';
-- ret[len++] = '/';
- }
- if (uri->path != NULL) {
- p = uri->path;
diff --git a/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch b/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch
deleted file mode 100644
index a0b4fc7..0000000
--- a/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Gaurav Gupta
-Date: Mon, 14 Jul 2014 16:01:10 +0800
-Subject: Adding a check in case of allocation error
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=733043
-
-There is missing Null condition in xmlRelaxNGValidateInterleave of
-relaxng.c
-Dereferencing it may cause a crash.
----
- relaxng.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/relaxng.c b/relaxng.c
-index 370e314..3d8524d 100644
---- a/relaxng.c
-+++ b/relaxng.c
-@@ -9409,6 +9409,10 @@ xmlRelaxNGValidateInterleave(xmlRelaxNGValidCtxtPtr ctxt,
- oldstate = ctxt->state;
- for (i = 0; i < nbgroups; i++) {
- ctxt->state = xmlRelaxNGCopyValidState(ctxt, oldstate);
-+ if (ctxt->state == NULL) {
-+ ret = -1;
-+ break;
-+ }
- group = partitions->groups[i];
- if (lasts[i] != NULL) {
- last = lasts[i]->next;
diff --git a/debian/patches/0036-Add-a-missing-argument-check.patch b/debian/patches/0036-Add-a-missing-argument-check.patch
deleted file mode 100644
index 6956d56..0000000
--- a/debian/patches/0036-Add-a-missing-argument-check.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Gaurav Gupta
-Date: Mon, 14 Jul 2014 16:08:28 +0800
-Subject: Add a missing argument check
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=733042
-
-the states argument of xmlRelaxNGAddStates() ought to be checked too
----
- relaxng.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/relaxng.c b/relaxng.c
-index 3d8524d..89fcc4e 100644
---- a/relaxng.c
-+++ b/relaxng.c
-@@ -1095,7 +1095,7 @@ xmlRelaxNGAddStates(xmlRelaxNGValidCtxtPtr ctxt,
- {
- int i;
-
-- if (state == NULL) {
-+ if (state == NULL || states == NULL) {
- return (-1);
- }
- if (states->nbState >= states->maxState) {
diff --git a/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch b/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch
deleted file mode 100644
index 8263b84..0000000
--- a/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Gaurav Gupta
-Date: Mon, 14 Jul 2014 16:14:44 +0800
-Subject: Add a couple of misisng check in xmlRelaxNGCleanupTree
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=733041
-
-check cur->parent before dereferencing the pointer even if
-a null parent there should not happen
-Also fix a typo
----
- relaxng.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/relaxng.c b/relaxng.c
-index 89fcc4e..33fc71a 100644
---- a/relaxng.c
-+++ b/relaxng.c
-@@ -7346,13 +7346,13 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root)
- if (ns != NULL)
- xmlFree(ns);
- /*
-- * Since we are about to delete cur, if it's nsDef is non-NULL we
-+ * Since we are about to delete cur, if its nsDef is non-NULL we
- * need to preserve it (it contains the ns definitions for the
- * children we just moved). We'll just stick it on to the end
- * of cur->parent's list, since it's never going to be re-serialized
- * (bug 143738).
- */
-- if (cur->nsDef != NULL) {
-+ if ((cur->nsDef != NULL) && (cur->parent != NULL)) {
- xmlNsPtr parDef = (xmlNsPtr)&cur->parent->nsDef;
- while (parDef->next != NULL)
- parDef = parDef->next;
-@@ -7370,7 +7370,8 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root)
- else if ((cur->type == XML_TEXT_NODE) ||
- (cur->type == XML_CDATA_SECTION_NODE)) {
- if (IS_BLANK_NODE(cur)) {
-- if (cur->parent->type == XML_ELEMENT_NODE) {
-+ if ((cur->parent != NULL) &&
-+ (cur->parent->type == XML_ELEMENT_NODE)) {
- if ((!xmlStrEqual(cur->parent->name, BAD_CAST "value"))
- &&
- (!xmlStrEqual
diff --git a/debian/patches/0038-Fix-a-potential-NULL-dereference.patch b/debian/patches/0038-Fix-a-potential-NULL-dereference.patch
deleted file mode 100644
index 35aea33..0000000
--- a/debian/patches/0038-Fix-a-potential-NULL-dereference.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Daniel Veillard
-Date: Mon, 14 Jul 2014 16:39:50 +0800
-Subject: Fix a potential NULL dereference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=733040
-
-xmlDictLookup() may return NULL in case of allocation error,
-though very unlikely it need to be checked.
----
- parser.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index ea0ea65..b02333b 100644
---- a/parser.c
-+++ b/parser.c
-@@ -9313,6 +9313,12 @@ reparse:
- const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
- xmlURIPtr uri;
-
-+ if (URL == NULL) {
-+ xmlErrMemory(ctxt, "dictionary allocation failure");
-+ if ((attvalue != NULL) && (alloc != 0))
-+ xmlFree(attvalue);
-+ return(NULL);
-+ }
- if (*URL != 0) {
- uri = xmlParseURI((const char *) URL);
- if (uri == NULL) {
diff --git a/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch b/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch
deleted file mode 100644
index 73813e4..0000000
--- a/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From: Daniel Veillard
-Date: Mon, 14 Jul 2014 20:29:34 +0800
-Subject: Fix processing in SAX2 in case of an allocation failure
-
-Related to https://bugzilla.gnome.org/show_bug.cgi?id=731360
----
- SAX2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/SAX2.c b/SAX2.c
-index 76b7158..791992c 100644
---- a/SAX2.c
-+++ b/SAX2.c
-@@ -2578,6 +2578,7 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len)
- }
- if (lastChild->content == NULL) {
- xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
-+ return;
- }
- if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
diff --git a/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch b/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch
deleted file mode 100644
index 22895c1..0000000
--- a/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Gaurav Gupta
-Date: Mon, 14 Jul 2014 21:22:07 +0800
-Subject: Avoid Possible Null Pointer in trio.c
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=730005
-While using assert in libxml2 is really not a good idea, it's
-still better to assert than crash
----
- trio.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/trio.c b/trio.c
-index d885db9..1bf99e3 100644
---- a/trio.c
-+++ b/trio.c
-@@ -6418,11 +6418,14 @@ TRIO_ARGS2((self, intPointer),
- trio_class_t *self,
- int *intPointer)
- {
-- FILE *file = (FILE *)self->location;
-+ FILE *file;
-
- assert(VALID(self));
-+ assert(VALID(self->location));
- assert(VALID(file));
-
-+ file = (FILE *)self->location;
-+
- self->current = fgetc(file);
- if (self->current == EOF)
- {
-@@ -6451,11 +6454,14 @@ TRIO_ARGS2((self, intPointer),
- trio_class_t *self,
- int *intPointer)
- {
-- int fd = *((int *)self->location);
-+ int fd;
- int size;
- unsigned char input;
-
- assert(VALID(self));
-+ assert(VALID(self->location));
-+
-+ fd = *((int *)self->location);
-
- size = read(fd, &input, sizeof(char));
- if (size == -1)
diff --git a/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch b/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch
deleted file mode 100644
index d4fddfe..0000000
--- a/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: David Kilzer
-Date: Mon, 14 Jul 2014 22:29:56 +0800
-Subject: Check for tmon in _xmlSchemaDateAdd() is incorrect
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=732705
-In _xmlSchemaDateAdd(), the check for |tmon| should be the following
-since MAX_DAYINMONTH() expects a month in the range [1,12]:
-
- if (tmon < 1)
- tmon = 1;
-
-Regression introduced in
-https://git.gnome.org/browse/libxml2/commit/?id=14b5643947845df089376106517c4f7ba061e4b0
----
- xmlschemastypes.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xmlschemastypes.c b/xmlschemastypes.c
-index ec403e8..7e1d54a 100644
---- a/xmlschemastypes.c
-+++ b/xmlschemastypes.c
-@@ -3848,8 +3848,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur)
- * Coverity detected an overrun in daysInMonth
- * of size 12 at position 12 with index variable "((r)->mon - 1)"
- */
-- if (tmon < 0)
-- tmon = 0;
-+ if (tmon < 1)
-+ tmon = 1;
- if (tmon > 12)
- tmon = 12;
- tempdays += MAX_DAYINMONTH(tyr, tmon);
diff --git a/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch b/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch
deleted file mode 100644
index e991045..0000000
--- a/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Philip Withnall
-Date: Fri, 20 Jun 2014 21:03:42 +0100
-Subject: HTMLparser: Correctly initialise a stack allocated structure
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-If not initialised, the ‘node’ member remains undefined.
-
-Coverity issue: #60466
-
-https://bugzilla.gnome.org/show_bug.cgi?id=731990
----
- HTMLparser.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/HTMLparser.c b/HTMLparser.c
-index 79b1adf..4c51cc5 100644
---- a/HTMLparser.c
-+++ b/HTMLparser.c
-@@ -4366,7 +4366,7 @@ static void
- htmlParseElementInternal(htmlParserCtxtPtr ctxt) {
- const xmlChar *name;
- const htmlElemDesc * info;
-- htmlParserNodeInfo node_info;
-+ htmlParserNodeInfo node_info = { 0, };
- int failed;
-
- if ((ctxt == NULL) || (ctxt->input == NULL)) {
diff --git a/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch b/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch
deleted file mode 100644
index c0151db..0000000
--- a/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Philip Withnall
-Date: Fri, 20 Jun 2014 21:05:33 +0100
-Subject: xmlcatalog: Fix a memory leak on quit
-
-Coverity issue: #60442
-
-https://bugzilla.gnome.org/show_bug.cgi?id=731990
----
- xmlcatalog.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/xmlcatalog.c b/xmlcatalog.c
-index 43f455a..b9ed6a4 100644
---- a/xmlcatalog.c
-+++ b/xmlcatalog.c
-@@ -181,12 +181,13 @@ static void usershell(void) {
- /*
- * start interpreting the command
- */
-- if (!strcmp(command, "exit"))
-- break;
-- if (!strcmp(command, "quit"))
-- break;
-- if (!strcmp(command, "bye"))
-+ if (!strcmp(command, "exit") ||
-+ !strcmp(command, "quit") ||
-+ !strcmp(command, "bye")) {
-+ free(cmdline);
- break;
-+ }
-+
- if (!strcmp(command, "public")) {
- if (nbargs != 1) {
- printf("public requires 1 arguments\n");
diff --git a/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch b/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch
deleted file mode 100644
index b2824e5..0000000
--- a/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Philip Withnall
-Date: Fri, 20 Jun 2014 21:37:21 +0100
-Subject: xmlschemastypes: Fix potential array overflow
-
-The year and month need validating before being put into the
-MAX_DAYINMONTH macro.
-
-Coverity issue: #60436
-
-https://bugzilla.gnome.org/show_bug.cgi?id=731990
----
- xmlschemastypes.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/xmlschemastypes.c b/xmlschemastypes.c
-index 7e1d54a..6e8bb70 100644
---- a/xmlschemastypes.c
-+++ b/xmlschemastypes.c
-@@ -3854,7 +3854,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur)
- tmon = 12;
- tempdays += MAX_DAYINMONTH(tyr, tmon);
- carry = -1;
-- } else if (tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) {
-+ } else if (VALID_YEAR(r->year) && VALID_MONTH(r->mon) &&
-+ tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) {
- tempdays = tempdays - MAX_DAYINMONTH(r->year, r->mon);
- carry = 1;
- } else
diff --git a/debian/patches/0045-Add-couple-of-missing-Null-checks.patch b/debian/patches/0045-Add-couple-of-missing-Null-checks.patch
deleted file mode 100644
index 29d8523..0000000
--- a/debian/patches/0045-Add-couple-of-missing-Null-checks.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Daniel Veillard
-Date: Sat, 26 Jul 2014 21:04:54 +0800
-Subject: Add couple of missing Null checks
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=733710
-Reported by Gaurav but with slightly different fixes
----
- relaxng.c | 7 ++++++-
- tree.c | 4 ++++
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/relaxng.c b/relaxng.c
-index 33fc71a..936f657 100644
---- a/relaxng.c
-+++ b/relaxng.c
-@@ -6655,12 +6655,17 @@ xmlRelaxNGParseDocument(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node)
- ctxt->define = NULL;
- if (IS_RELAXNG(node, "grammar")) {
- schema->topgrammar = xmlRelaxNGParseGrammar(ctxt, node->children);
-+ if (schema->topgrammar == NULL) {
-+ xmlRelaxNGFree(schema);
-+ return (NULL);
-+ }
- } else {
- xmlRelaxNGGrammarPtr tmp, ret;
-
- schema->topgrammar = ret = xmlRelaxNGNewGrammar(ctxt);
- if (schema->topgrammar == NULL) {
-- return (schema);
-+ xmlRelaxNGFree(schema);
-+ return (NULL);
- }
- /*
- * Link the new grammar in the tree
-diff --git a/tree.c b/tree.c
-index 43c3c57..967c6a4 100644
---- a/tree.c
-+++ b/tree.c
-@@ -4509,6 +4509,10 @@ xmlCopyDoc(xmlDocPtr doc, int recursive) {
- #ifdef LIBXML_TREE_ENABLED
- if (doc->intSubset != NULL) {
- ret->intSubset = xmlCopyDtd(doc->intSubset);
-+ if (ret->intSubset == NULL) {
-+ xmlFreeDoc(ret);
-+ return(NULL);
-+ }
- xmlSetTreeDoc((xmlNodePtr)ret->intSubset, ret);
- ret->intSubset->parent = ret;
- }
diff --git a/debian/patches/0046-Couple-of-Missing-Null-checks.patch b/debian/patches/0046-Couple-of-Missing-Null-checks.patch
deleted file mode 100644
index c8320de..0000000
--- a/debian/patches/0046-Couple-of-Missing-Null-checks.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Gaurav Gupta
-Date: Thu, 7 Aug 2014 11:19:03 +0800
-Subject: Couple of Missing Null checks
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=734328
-
-Missing Null check could cause crash, if a pointer is dereferenced.
-
-Found problem at two places in valid.c
----
- valid.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 114bb72..6255b5b 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1798,6 +1798,7 @@ xmlCopyEnumeration(xmlEnumerationPtr cur) {
-
- if (cur == NULL) return(NULL);
- ret = xmlCreateEnumeration((xmlChar *) cur->name);
-+ if (ret == NULL) return(NULL);
-
- if (cur->next != NULL) ret->next = xmlCopyEnumeration(cur->next);
- else ret->next = NULL;
-@@ -6998,6 +6999,9 @@ xmlValidGetValidElements(xmlNode *prev, xmlNode *next, const xmlChar **names,
- * Creates a dummy node and insert it into the tree
- */
- test_node = xmlNewDocNode (ref_node->doc, NULL, BAD_CAST "", NULL);
-+ if (test_node == NULL)
-+ return(-1);
-+
- test_node->parent = parent;
- test_node->prev = prev;
- test_node->next = next;
diff --git a/debian/patches/0047-Fix-Enum-check-and-missing-break.patch b/debian/patches/0047-Fix-Enum-check-and-missing-break.patch
deleted file mode 100644
index decca97..0000000
--- a/debian/patches/0047-Fix-Enum-check-and-missing-break.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Gaurav Gupta
-Date: Mon, 6 Oct 2014 12:24:17 +0800
-Subject: Fix Enum check and missing break
-
-for https://bugzilla.gnome.org/show_bug.cgi?id=737403
-
-In file xmlreader.c
-1. An enum is checked to proper value instead of checking like a boolean.
-2. Missing break statement added.
----
- xmlreader.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/xmlreader.c b/xmlreader.c
-index 00083d0..9620f52 100644
---- a/xmlreader.c
-+++ b/xmlreader.c
-@@ -1427,7 +1427,7 @@ get_next_node:
- goto node_found;
- }
- #ifdef LIBXML_REGEXP_ENABLED
-- if ((reader->validate) && (reader->node->type == XML_ELEMENT_NODE))
-+ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node->type == XML_ELEMENT_NODE))
- xmlTextReaderValidatePop(reader);
- #endif /* LIBXML_REGEXP_ENABLED */
- if ((reader->preserves > 0) &&
-@@ -1560,7 +1560,7 @@ node_found:
- goto get_next_node;
- }
- #ifdef LIBXML_REGEXP_ENABLED
-- if ((reader->validate) && (reader->node != NULL)) {
-+ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node != NULL)) {
- xmlNodePtr node = reader->node;
-
- if ((node->type == XML_ELEMENT_NODE) &&
-@@ -1790,6 +1790,7 @@ xmlTextReaderReadString(xmlTextReaderPtr reader)
- if (xmlTextReaderDoExpand(reader) != -1) {
- return xmlTextReaderCollectSiblings(node->children);
- }
-+ break;
- case XML_ATTRIBUTE_NODE:
- TODO
- break;
diff --git a/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch b/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch
deleted file mode 100644
index 8d0dcc8..0000000
--- a/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Daniel Veillard
-Date: Mon, 6 Oct 2014 18:51:04 +0800
-Subject: Possible overflow in HTMLParser.c
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=720615
-
-make sure that the encoding string passed is of reasonable size
----
- HTMLparser.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/HTMLparser.c b/HTMLparser.c
-index 4c51cc5..8d34fd1 100644
---- a/HTMLparser.c
-+++ b/HTMLparser.c
-@@ -6288,12 +6288,16 @@ htmlCreateFileParserCtxt(const char *filename, const char *encoding)
-
- /* set encoding */
- if (encoding) {
-- content = xmlMallocAtomic (xmlStrlen(content_line) + strlen(encoding) + 1);
-- if (content) {
-- strcpy ((char *)content, (char *)content_line);
-- strcat ((char *)content, (char *)encoding);
-- htmlCheckEncoding (ctxt, content);
-- xmlFree (content);
-+ size_t l = strlen(encoding);
-+
-+ if (l < 1000) {
-+ content = xmlMallocAtomic (xmlStrlen(content_line) + l + 1);
-+ if (content) {
-+ strcpy ((char *)content, (char *)content_line);
-+ strcat ((char *)content, (char *)encoding);
-+ htmlCheckEncoding (ctxt, content);
-+ xmlFree (content);
-+ }
- }
- }
-
diff --git a/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch b/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch
deleted file mode 100644
index 45a4f15..0000000
--- a/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Gaurav Gupta
-Date: Mon, 6 Oct 2014 19:28:29 +0800
-Subject: Leak of struct addrinfo in xmlNanoFTPConnect()
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=732352
-
-in case of error condition in IPv6 support, the early return here
-doesn't call freeaddrinfo(result), thus leaking memory.
----
- nanoftp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/nanoftp.c b/nanoftp.c
-index 077bfe2..010e0b1 100644
---- a/nanoftp.c
-+++ b/nanoftp.c
-@@ -908,6 +908,8 @@ xmlNanoFTPConnect(void *ctx) {
- return (-1);
- }
- if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) {
-+ if (result)
-+ freeaddrinfo (result);
- __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
- return (-1);
- }
diff --git a/debian/patches/0050-Pointer-dereferenced-before-null-check.patch b/debian/patches/0050-Pointer-dereferenced-before-null-check.patch
deleted file mode 100644
index 9370f13..0000000
--- a/debian/patches/0050-Pointer-dereferenced-before-null-check.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Daniel Veillard
-Date: Mon, 6 Oct 2014 20:07:19 +0800
-Subject: Pointer dereferenced before null check
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=707027
-
-A few pointer dereference before NULL check fixed.
-Removed a useless test
----
- xmlreader.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/xmlreader.c b/xmlreader.c
-index 9620f52..8834f50 100644
---- a/xmlreader.c
-+++ b/xmlreader.c
-@@ -282,7 +282,10 @@ static void
- xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
- xmlDictPtr dict;
-
-- dict = reader->ctxt->dict;
-+ if ((reader != NULL) && (reader->ctxt != NULL))
-+ dict = reader->ctxt->dict;
-+ else
-+ dict = NULL;
- if (cur == NULL) return;
-
- if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue))
-@@ -319,7 +322,7 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
- static void
- xmlTextReaderFreePropList(xmlTextReaderPtr reader, xmlAttrPtr cur) {
- xmlAttrPtr next;
-- if (cur == NULL) return;
-+
- while (cur != NULL) {
- next = cur->next;
- xmlTextReaderFreeProp(reader, cur);
-@@ -340,7 +343,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
- xmlNodePtr next;
- xmlDictPtr dict;
-
-- dict = reader->ctxt->dict;
-+ if ((reader != NULL) && (reader->ctxt != NULL))
-+ dict = reader->ctxt->dict;
-+ else
-+ dict = NULL;
- if (cur == NULL) return;
- if (cur->type == XML_NAMESPACE_DECL) {
- xmlFreeNsList((xmlNsPtr) cur);
-@@ -417,7 +423,10 @@ static void
- xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur) {
- xmlDictPtr dict;
-
-- dict = reader->ctxt->dict;
-+ if ((reader != NULL) && (reader->ctxt != NULL))
-+ dict = reader->ctxt->dict;
-+ else
-+ dict = NULL;
- if (cur->type == XML_DTD_NODE) {
- xmlFreeDtd((xmlDtdPtr) cur);
- return;
diff --git a/debian/patches/0051-xpointer-fixing-Null-Pointers.patch b/debian/patches/0051-xpointer-fixing-Null-Pointers.patch
deleted file mode 100644
index 1bc5f96..0000000
--- a/debian/patches/0051-xpointer-fixing-Null-Pointers.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From: Gaurav Gupta
-Date: Tue, 7 Oct 2014 17:09:35 +0800
-Subject: xpointer : fixing Null Pointers
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=738053
-At many places in xpointer.c
-Null check is missing which is dereferenced at later places.
----
- xpointer.c | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
-diff --git a/xpointer.c b/xpointer.c
-index 46f11e8..1ae2e53 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -1375,6 +1375,8 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) {
- return(NULL);
-
- ctxt = xmlXPathNewParserContext(str, ctx);
-+ if (ctxt == NULL)
-+ return(NULL);
- ctxt->xptr = 1;
- xmlXPtrEvalXPointer(ctxt);
-
-@@ -1807,6 +1809,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- */
- tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval);
- xmlXPathFreeObject(obj);
-+ if (tmp == NULL)
-+ XP_ERROR(XPATH_MEMORY_ERROR)
- obj = tmp;
- }
-
-@@ -1901,10 +1905,16 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- */
- tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval);
- xmlXPathFreeObject(obj);
-+ if (tmp == NULL)
-+ XP_ERROR(XPATH_MEMORY_ERROR)
- obj = tmp;
- }
-
- newset = xmlXPtrLocationSetCreate(NULL);
-+ if (newset == NULL) {
-+ xmlXPathFreeObject(obj);
-+ XP_ERROR(XPATH_MEMORY_ERROR);
-+ }
- oldset = (xmlLocationSetPtr) obj->user;
- if (oldset != NULL) {
- int i;
-@@ -2049,6 +2059,8 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- */
- tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval);
- xmlXPathFreeObject(set);
-+ if (tmp == NULL)
-+ XP_ERROR(XPATH_MEMORY_ERROR)
- set = tmp;
- }
- oldset = (xmlLocationSetPtr) set->user;
-@@ -2057,6 +2069,10 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- * The loop is to compute the covering range for each item and add it
- */
- newset = xmlXPtrLocationSetCreate(NULL);
-+ if (newset == NULL) {
-+ xmlXPathFreeObject(set);
-+ XP_ERROR(XPATH_MEMORY_ERROR);
-+ }
- for (i = 0;i < oldset->locNr;i++) {
- xmlXPtrLocationSetAdd(newset,
- xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
-@@ -2195,6 +2211,8 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- */
- tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval);
- xmlXPathFreeObject(set);
-+ if (tmp == NULL)
-+ XP_ERROR(XPATH_MEMORY_ERROR)
- set = tmp;
- }
- oldset = (xmlLocationSetPtr) set->user;
-@@ -2203,6 +2221,10 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- * The loop is to compute the covering range for each item and add it
- */
- newset = xmlXPtrLocationSetCreate(NULL);
-+ if (newset == NULL) {
-+ xmlXPathFreeObject(set);
-+ XP_ERROR(XPATH_MEMORY_ERROR);
-+ }
- for (i = 0;i < oldset->locNr;i++) {
- xmlXPtrLocationSetAdd(newset,
- xmlXPtrInsideRange(ctxt, oldset->locTab[i]));
-@@ -2798,6 +2820,10 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-
- set = valuePop(ctxt);
- newset = xmlXPtrLocationSetCreate(NULL);
-+ if (newset == NULL) {
-+ xmlXPathFreeObject(set);
-+ XP_ERROR(XPATH_MEMORY_ERROR);
-+ }
- if (set->nodesetval == NULL) {
- goto error;
- }
-@@ -2809,6 +2835,8 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
- */
- tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval);
- xmlXPathFreeObject(set);
-+ if (tmp == NULL)
-+ XP_ERROR(XPATH_MEMORY_ERROR)
- set = tmp;
- }
- oldset = (xmlLocationSetPtr) set->user;
diff --git a/debian/patches/0052-xmlmemory-handle-realloc-properly.patch b/debian/patches/0052-xmlmemory-handle-realloc-properly.patch
deleted file mode 100644
index f16d038..0000000
--- a/debian/patches/0052-xmlmemory-handle-realloc-properly.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Yegor Yefremov
-Date: Fri, 10 Oct 2014 12:23:09 +0200
-Subject: xmlmemory: handle realloc properly
-
-If realloc fails, free original pointer.
-
-Signed-off-by: Yegor Yefremov
----
- xmlmemory.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/xmlmemory.c b/xmlmemory.c
-index 37dcf3b..6110849 100644
---- a/xmlmemory.c
-+++ b/xmlmemory.c
-@@ -313,7 +313,7 @@ xmlMemMalloc(size_t size)
- void *
- xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
- {
-- MEMHDR *p;
-+ MEMHDR *p, *tmp;
- unsigned long number;
- #ifdef DEBUG_MEMORY
- size_t oldsize;
-@@ -344,10 +344,12 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
- #endif
- xmlMutexUnlock(xmlMemMutex);
-
-- p = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
-- if (!p) {
-+ tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
-+ if (!tmp) {
-+ free(p);
- goto error;
- }
-+ p = tmp;
- if (xmlMemTraceBlockAt == ptr) {
- xmlGenericError(xmlGenericErrorContext,
- "%p : Realloced(%lu -> %lu) Ok\n",
diff --git a/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch b/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
deleted file mode 100644
index 4fc48a0..0000000
--- a/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Bart De Schuymer
-Date: Thu, 16 Oct 2014 12:17:20 +0800
-Subject: fix memory leak xml header encoding field with XML_PARSE_IGNORE_ENC
-
-When the xml parser encounters an xml encoding in an xml header while
-configured with option XML_PARSE_IGNORE_ENC, it fails to free memory
-allocated for storing the encoding.
-The patch below fixes this.
-How to reproduce:
-1. Change doc/examples/parse4.c to add xmlCtxtUseOptions(ctxt,
-XML_PARSE_IGNORE_ENC); after the call to xmlCreatePushParserCtxt.
-2. Rebuild
-3. run the following command from the top libxml2 directory:
-LD_LIBRARY_PATH=.libs/ valgrind --leak-check=full
-./doc/examples/.libs/parse4 ./test.xml , where test.xml contains
-following
-input:
-
-valgrind will report:
-==1964== 10 bytes in 1 blocks are definitely lost in loss record 1 of 1
-==1964== at 0x4C272DB: malloc (in
-/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
-==1964== by 0x4E88497: xmlParseEncName (parser.c:10224)
-==1964== by 0x4E888FE: xmlParseEncodingDecl (parser.c:10295)
-==1964== by 0x4E89630: xmlParseXMLDecl (parser.c:10534)
-==1964== by 0x4E8B737: xmlParseTryOrFinish (parser.c:11293)
-==1964== by 0x4E8E775: xmlParseChunk (parser.c:12283)
-
-Signed-off-by: Bart De Schuymer
----
- parser.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/parser.c b/parser.c
-index b02333b..ab69d56 100644
---- a/parser.c
-+++ b/parser.c
-@@ -10338,8 +10338,10 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
- /*
- * Non standard parsing, allowing the user to ignore encoding
- */
-- if (ctxt->options & XML_PARSE_IGNORE_ENC)
-- return(encoding);
-+ if (ctxt->options & XML_PARSE_IGNORE_ENC) {
-+ xmlFree((xmlChar *) encoding);
-+ return(NULL);
-+ }
-
- /*
- * UTF-16 encoding stwich has already taken place at this stage,
diff --git a/debian/patches/0054-Fix-for-CVE-2014-3660.patch b/debian/patches/0054-Fix-for-CVE-2014-3660.patch
deleted file mode 100644
index 43ffa32..0000000
--- a/debian/patches/0054-Fix-for-CVE-2014-3660.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From: Daniel Veillard
-Date: Thu, 16 Oct 2014 13:59:47 +0800
-Subject: Fix for CVE-2014-3660
-
-Issues related to the billion laugh entity expansion which happened to
-escape the initial set of fixes
----
- parser.c | 42 ++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 38 insertions(+), 4 deletions(-)
-
-diff --git a/parser.c b/parser.c
-index ab69d56..b7f3c03 100644
---- a/parser.c
-+++ b/parser.c
-@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- return (0);
- if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
- return (1);
-+
-+ /*
-+ * This may look absurd but is needed to detect
-+ * entities problems
-+ */
-+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
-+ (ent->content != NULL) && (ent->checked == 0)) {
-+ unsigned long oldnbent = ctxt->nbentities;
-+ xmlChar *rep;
-+
-+ ent->checked = 1;
-+
-+ rep = xmlStringDecodeEntities(ctxt, ent->content,
-+ XML_SUBSTITUTE_REF, 0, 0, 0);
-+
-+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
-+ if (rep != NULL) {
-+ if (xmlStrchr(rep, '<'))
-+ ent->checked |= 1;
-+ xmlFree(rep);
-+ rep = NULL;
-+ }
-+ }
- if (replacement != 0) {
- if (replacement < XML_MAX_TEXT_LENGTH)
- return(0);
-@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- return (0);
- } else {
- /*
-- * strange we got no data for checking just return
-+ * strange we got no data for checking
- */
-- return (0);
-+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
-+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
-+ (ctxt->nbentities <= 10000))
-+ return (0);
- }
- xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
- return (1);
-@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
- name, NULL);
- ctxt->valid = 0;
- }
-+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
- } else if (ctxt->input->free != deallocblankswrapper) {
- input = xmlNewBlanksWrapperInputStream(ctxt, entity);
- if (xmlPushInput(ctxt, input) < 0)
-@@ -2754,6 +2781,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
- if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
- (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
- goto int_error;
-+ xmlParserEntityCheck(ctxt, 0, ent, 0);
- if (ent != NULL)
- ctxt->nbentities += ent->checked / 2;
- if ((ent != NULL) &&
-@@ -2805,6 +2833,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
- ent = xmlParseStringPEReference(ctxt, &str);
- if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
- goto int_error;
-+ xmlParserEntityCheck(ctxt, 0, ent, 0);
- if (ent != NULL)
- ctxt->nbentities += ent->checked / 2;
- if (ent != NULL) {
-@@ -7307,6 +7336,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
- (ret != XML_WAR_UNDECLARED_ENTITY)) {
- xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
- "Entity '%s' failed to parse\n", ent->name);
-+ xmlParserEntityCheck(ctxt, 0, ent, 0);
- } else if (list != NULL) {
- xmlFreeNodeList(list);
- list = NULL;
-@@ -7413,7 +7443,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
- /*
- * We are copying here, make sure there is no abuse
- */
-- ctxt->sizeentcopy += ent->length;
-+ ctxt->sizeentcopy += ent->length + 5;
- if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
- return;
-
-@@ -7461,7 +7491,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
- /*
- * We are copying here, make sure there is no abuse
- */
-- ctxt->sizeentcopy += ent->length;
-+ ctxt->sizeentcopy += ent->length + 5;
- if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
- return;
-
-@@ -7647,6 +7677,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
- ctxt->sax->reference(ctxt->userData, name);
- }
- }
-+ xmlParserEntityCheck(ctxt, 0, ent, 0);
- ctxt->valid = 0;
- }
-
-@@ -7840,6 +7871,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
- "Entity '%s' not defined\n",
- name);
- }
-+ xmlParserEntityCheck(ctxt, 0, ent, 0);
- /* TODO ? check regressions ctxt->valid = 0; */
- }
-
-@@ -7999,6 +8031,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- name, NULL);
- ctxt->valid = 0;
- }
-+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
- } else {
- /*
- * Internal checking in case the entity quest barfed
-@@ -8238,6 +8271,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
- name, NULL);
- ctxt->valid = 0;
- }
-+ xmlParserEntityCheck(ctxt, 0, NULL, 0);
- } else {
- /*
- * Internal checking in case the entity quest barfed
diff --git a/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch b/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch
deleted file mode 100644
index fc40734..0000000
--- a/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Daniel Veillard
-Date: Thu, 23 Oct 2014 11:35:36 +0800
-Subject: Fix missing entities after CVE-2014-3660 fix
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=738805
-
-The fix for CVE-2014-3660 introduced a regression in some case
-where entity substitution is required and the entity is used
-first in anotther entity referenced from an attribute value
----
- parser.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index b7f3c03..c187327 100644
---- a/parser.c
-+++ b/parser.c
-@@ -7230,7 +7230,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
- * far more secure as the parser will only process data coming from
- * the document entity by default.
- */
-- if ((ent->checked == 0) &&
-+ if (((ent->checked == 0) ||
-+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
- ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
- (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
- unsigned long oldnbent = ctxt->nbentities;
diff --git a/debian/patches/series b/debian/patches/series
index 99fd190..ce6e665 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,26 +30,3 @@
 0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
 0031-xmllint-was-not-parsing-the-c14n11-flag.patch
 0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
-0033-Adding-some-missing-NULL-checks.patch
-0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch
-0035-Adding-a-check-in-case-of-allocation-error.patch
-0036-Add-a-missing-argument-check.patch
-0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch
-0038-Fix-a-potential-NULL-dereference.patch
-0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch
-0040-Avoid-Possible-Null-Pointer-in-trio.c.patch
-0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch
-0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch
-0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch
-0044-xmlschemastypes-Fix-potential-array-overflow.patch
-0045-Add-couple-of-missing-Null-checks.patch
-0046-Couple-of-Missing-Null-checks.patch
-0047-Fix-Enum-check-and-missing-break.patch
-0048-Possible-overflow-in-HTMLParser.c.patch
-0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch
-0050-Pointer-dereferenced-before-null-check.patch
-0051-xpointer-fixing-Null-Pointers.patch
-0052-xmlmemory-handle-realloc-properly.patch
-0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
-0054-Fix-for-CVE-2014-3660.patch
-0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch
-- cgit v1.2.3 From d5d6ab20a82566c3b9e20a626df186fe4e670c70 Mon Sep 17 00:00:00 2001
From: Aron Xu Date: Mon, 21 Sep 2015 22:55:14 +0800 Subject: Revert "Revert "Remove no-longer-needed upstream patches"" This reverts commit 3b14c3fd6410716d407178e48972b1c1bea48c29. --- .../0003-Fix-an-error-in-xmlCleanupParser.patch | 27 ---- ...ing-break-on-last-function-for-attributes.patch | 21 --- ...xmllint-memory-should-fail-on-empty-files.patch | 27 ---- ...ote-the-namespace-uris-written-out-during.patch | 32 ----- ...ng-bug-on-non-ascii-element-and-CR-LF-usa.patch | 57 -------- debian/patches/0008-missing-else-in-xlink.c.patch | 22 --- ...9-Catch-malloc-error-and-exit-accordingly.patch | 24 ---- .../patches/0010-Fix-handling-of-mmap-errors.patch | 51 ------- .../0011-Avoid-crash-if-allocation-fails.patch | 25 ---- .../0012-Fix-a-possible-NULL-dereference.patch | 30 ----- ...013-Clear-up-a-potential-NULL-dereference.patch | 26 ---- ...14-Fix-XPath-optimization-with-predicates.patch | 27 ---- ...tty-crashed-without-following-numeric-arg.patch | 34 ----- ...al-NULL-pointer-dereferences-in-regexp-co.patch | 45 ------- ...a-potential-NULL-dereference-in-tree-code.patch | 26 ---- ...ix-pointer-dereferenced-before-null-check.patch | 25 ---- ...9-Fix-a-bug-loading-some-compressed-files.patch | 69 ---------- ...-possibility-of-dangling-encoding-handler.patch | 57 -------- .../0021-Fix-a-couple-of-missing-NULL-checks.patch | 29 ---- ...-calls-to-xml-and-html-Read-parsing-entry.patch | 148 --------------------- ...of-XPath-function-arguments-in-error-case.patch | 41 ------ ...ing-initialization-for-the-catalog-module.patch | 22 --- .../0025-Fix-an-fd-leak-in-an-error-case.patch | 24 ---- ...-fixing-a-ptotential-uninitialized-access.patch | 21 --- ...WriterWriteElement-when-a-null-content-is.patch | 29 ---- ...Avoid-a-possible-NULL-pointer-dereference.patch | 22 --- ...-Do-not-fetch-external-parameter-entities.patch | 35 ----- ...ble-null-pointer-dereference-in-memory-de.patch | 32 ----- ...1-xmllint-was-not-parsing-the-c14n11-flag.patch | 22 --- 
...essions-introduced-by-CVE-2014-0191-patch.patch | 58 -------- debian/patches/series | 31 +---- 31 files changed, 1 insertion(+), 1138 deletions(-) delete mode 100644 debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch delete mode 100644 debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch delete mode 100644 debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch delete mode 100644 debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch delete mode 100644 debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch delete mode 100644 debian/patches/0008-missing-else-in-xlink.c.patch delete mode 100644 debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch delete mode 100644 debian/patches/0010-Fix-handling-of-mmap-errors.patch delete mode 100644 debian/patches/0011-Avoid-crash-if-allocation-fails.patch delete mode 100644 debian/patches/0012-Fix-a-possible-NULL-dereference.patch delete mode 100644 debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch delete mode 100644 debian/patches/0014-Fix-XPath-optimization-with-predicates.patch delete mode 100644 debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch delete mode 100644 debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch delete mode 100644 debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch delete mode 100644 debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch delete mode 100644 debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch delete mode 100644 debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch delete mode 100644 debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch delete mode 100644 debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch delete mode 100644 debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch delete mode 
100644 debian/patches/0024-Missing-initialization-for-the-catalog-module.patch delete mode 100644 debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch delete mode 100644 debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch delete mode 100644 debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch delete mode 100644 debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch delete mode 100644 debian/patches/0029-Do-not-fetch-external-parameter-entities.patch delete mode 100644 debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch delete mode 100644 debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch delete mode 100644 debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch (limited to 'debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch')
diff --git a/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch b/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch
deleted file mode 100644
index 03bf447..0000000
--- a/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Alexander Pastukhov
-Date: Tue, 23 Apr 2013 05:02:11 +0000
-Subject: Fix an error in xmlCleanupParser
-
-https://bugzilla.gnome.org/show_bug.cgi?id=698582
-
-xmlCleanupParser calls xmlCleanupGlobals() and then
-xmlResetLastError() but the later reallocate the global
-data freed by previous call. Just swap the two calls.
----
- parser.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index ee429f3..b9df6d8 100644
---- a/parser.c
-+++ b/parser.c
-@@ -14763,8 +14763,8 @@ xmlCleanupParser(void) {
- xmlSchemaCleanupTypes();
- xmlRelaxNGCleanupTypes();
- #endif
-- xmlCleanupGlobals();
- xmlResetLastError();
-+ xmlCleanupGlobals();
- xmlCleanupThreads(); /* must be last if called not from the main thread */
- xmlCleanupMemory();
- xmlParserInitialized = 0;
diff --git a/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch b/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch
deleted file mode 100644
index cff8b72..0000000
--- a/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From: dcb
-Date: Thu, 2 May 2013 08:11:46 +0000
-Subject: Fix missing break on last() function for attributes
-
-pointed out by cppcheck
----
- python/libxml.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/python/libxml.c b/python/libxml.c
-index 03cfb9f..3338b83 100644
---- a/python/libxml.c
-+++ b/python/libxml.c
-@@ -2683,6 +2683,7 @@ libxml_last(ATTRIBUTE_UNUSED PyObject * self, PyObject * args)
- xmlAttrPtr attr = (xmlAttrPtr) cur;
-
- res = attr->last;
-+ break;
- }
- default:
- res = NULL;
diff --git a/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch b/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch
deleted file mode 100644
index e1a2197..0000000
--- a/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Daniel Veillard
-Date: Wed, 8 May 2013 05:45:48 +0000
-Subject: xmllint --memory should fail on empty files
-
-Exposed by https://bugzilla.gnome.org/show_bug.cgi?id=699896
-when doing analysis but a priori unrelated.
----
- xmllint.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/xmllint.c b/xmllint.c
-index 26d8db1..c0196ab 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -2338,8 +2338,11 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
- if ((fd = open(filename, O_RDONLY)) < 0)
- return;
- base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
-- if (base == (void *) MAP_FAILED)
-+ if (base == (void *) MAP_FAILED) {
-+ fprintf(stderr, "mmap failure for file %s\n", filename);
-+ progresult = XMLLINT_ERR_RDFILE;
- return;
-+ }
-
- if (rectxt == NULL)
- doc = xmlReadMemory((char *) base, info.st_size,
diff --git a/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch b/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch
deleted file mode 100644
index 6f4c4c8..0000000
--- a/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Aleksey Sanin
-Date: Thu, 9 May 2013 16:02:16 +0000
-Subject: properly quote the namespace uris written out during c14n
-
----
- c14n.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/c14n.c b/c14n.c
-index afd95b3..ca77f92 100644
---- a/c14n.c
-+++ b/c14n.c
-@@ -547,14 +547,15 @@ xmlC14NPrintNamespaces(const xmlNsPtr ns, xmlC14NCtxPtr ctx)
- if (ns->prefix != NULL) {
- xmlOutputBufferWriteString(ctx->buf, " xmlns:");
- xmlOutputBufferWriteString(ctx->buf, (const char *) ns->prefix);
-- xmlOutputBufferWriteString(ctx->buf, "=\"");
-+ xmlOutputBufferWriteString(ctx->buf, "=");
- } else {
-- xmlOutputBufferWriteString(ctx->buf, " xmlns=\"");
-+ xmlOutputBufferWriteString(ctx->buf, " xmlns=");
- }
- if(ns->href != NULL) {
-- xmlOutputBufferWriteString(ctx->buf, (const char *) ns->href);
-+ xmlBufWriteQuotedString(ctx->buf->buffer, ns->href);
-+ } else {
-+ xmlOutputBufferWriteString(ctx->buf, "\"\"");
- }
-- xmlOutputBufferWriteString(ctx->buf, "\"");
- return (1);
- }
-
diff --git a/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch b/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
deleted file mode 100644
index 442fd11..0000000
--- a/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Daniel Veillard
-Date: Wed, 22 May 2013 20:56:45 +0000
-Subject: Fix a parsing bug on non-ascii element and CR/LF usage
-
-https://bugzilla.gnome.org/show_bug.cgi?id=698550
-
-Somehow the behaviour of the internal parser routine changed
-slightly when encountering CR/LF, which led to a bug when
-parsing document with non-ascii Names
----
- parser.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index b9df6d8..dd00399 100644
---- a/parser.c
-+++ b/parser.c
-@@ -3404,6 +3404,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
- int len = 0, l;
- int c;
- int count = 0;
-+ const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */
-
- #ifdef DEBUG
- nbParseNCNameComplex++;
-@@ -3413,6 +3414,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
- * Handler for more complex cases
- */
- GROW;
-+ end = ctxt->input->cur;
- c = CUR_CHAR(l);
- if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
- (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) {
-@@ -3434,12 +3436,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
- }
- len += l;
- NEXTL(l);
-+ end = ctxt->input->cur;
- c = CUR_CHAR(l);
- if (c == 0) {
- count = 0;
- GROW;
- if (ctxt->instate == XML_PARSER_EOF)
- return(NULL);
-+ end = ctxt->input->cur;
- c = CUR_CHAR(l);
- }
- }
-@@ -3448,7 +3452,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
- return(NULL);
- }
-- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-+ return(xmlDictLookup(ctxt->dict, end - len, len));
- }
-
- /**
diff --git a/debian/patches/0008-missing-else-in-xlink.c.patch b/debian/patches/0008-missing-else-in-xlink.c.patch
deleted file mode 100644
index 88a4e86..0000000
--- a/debian/patches/0008-missing-else-in-xlink.c.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: Ami Fischman
-Date: Tue, 2 Jul 2013 09:47:26 +0800
-Subject: missing else in xlink.c
-
-Obviously forgotten
----
- xlink.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xlink.c b/xlink.c
-index 3566e06..c0e4ff3 100644
---- a/xlink.c
-+++ b/xlink.c
-@@ -150,7 +150,7 @@ xlinkIsLink (xmlDocPtr doc, xmlNodePtr node) {
- if (type != NULL) {
- if (xmlStrEqual(type, BAD_CAST "simple")) {
- ret = XLINK_TYPE_SIMPLE;
-- } if (xmlStrEqual(type, BAD_CAST "extended")) {
-+ } else if (xmlStrEqual(type, BAD_CAST "extended")) {
- role = xmlGetNsProp(node, BAD_CAST "role", XLINK_NAMESPACE);
- if (role != NULL) {
- xmlNsPtr xlink;
diff --git a/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch b/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch
deleted file mode 100644
index 3f93a57..0000000
--- a/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Daniel Veillard
-Date: Thu, 11 Jul 2013 15:41:22 +0800
-Subject: Catch malloc error and exit accordingly
-
-As pointed privately by Bill Parker
----
- xmllint.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/xmllint.c b/xmllint.c
-index c0196ab..4d464e4 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -3090,6 +3090,10 @@ static void usage(const char *name) {
- static void registerNode(xmlNodePtr node)
- {
- node->_private = malloc(sizeof(long));
-+ if (node->_private == NULL) {
-+ fprintf(stderr, "Out of memory in xmllint:registerNode()\n");
-+ exit(XMLLINT_ERR_MEM);
-+ }
- *(long*)node->_private = (long) 0x81726354;
- nbregister++;
- }
diff --git a/debian/patches/0010-Fix-handling-of-mmap-errors.patch b/debian/patches/0010-Fix-handling-of-mmap-errors.patch
deleted file mode 100644
index 0c55cfe..0000000
--- a/debian/patches/0010-Fix-handling-of-mmap-errors.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From: Daniel Veillard
-Date: Fri, 12 Jul 2013 12:08:40 +0800
-Subject: Fix handling of mmap errors
-
-https://bugzilla.gnome.org/show_bug.cgi?id=702320
-
-as raised by Gaurav
----
- xmllint.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/xmllint.c b/xmllint.c
-index 4d464e4..92e6b03 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -1837,8 +1837,12 @@ static void streamFile(char *filename) {
- if ((fd = open(filename, O_RDONLY)) < 0)
- return;
- base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
-- if (base == (void *) MAP_FAILED)
-+ if (base == (void *) MAP_FAILED) {
-+ close(fd);
-+ fprintf(stderr, "mmap failure for file %s\n", filename);
-+ progresult = XMLLINT_ERR_RDFILE;
- return;
-+ }
-
- reader = xmlReaderForMemory(base, info.st_size, filename,
- NULL, options);
-@@ -2223,8 +2227,12 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
- if ((fd = open(filename, O_RDONLY)) < 0)
- return;
- base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
-- if (base == (void *) MAP_FAILED)
-+ if (base == (void *) MAP_FAILED) {
-+ close(fd);
-+ fprintf(stderr, "mmap failure for file %s\n", filename);
-+ progresult = XMLLINT_ERR_RDFILE;
- return;
-+ }
-
- doc = htmlReadMemory((char *) base, info.st_size, filename,
- NULL, options);
-@@ -2339,6 +2347,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
- return;
- base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ;
- if (base == (void *) MAP_FAILED) {
-+ close(fd);
- fprintf(stderr, "mmap failure for file %s\n", filename);
- progresult = XMLLINT_ERR_RDFILE;
- return;
diff --git a/debian/patches/0011-Avoid-crash-if-allocation-fails.patch b/debian/patches/0011-Avoid-crash-if-allocation-fails.patch
deleted file mode 100644
index e4e7206..0000000
--- a/debian/patches/0011-Avoid-crash-if-allocation-fails.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Daniel Veillard
-Date: Mon, 22 Jul 2013 14:28:20 +0800
-Subject: Avoid crash if allocation fails
-
-https://bugzilla.gnome.org/show_bug.cgi?id=704527
-xmlSchemaNewValue() may fail on OOM error
----
- xmlschemastypes.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/xmlschemastypes.c b/xmlschemastypes.c
-index a9edc03..ec403e8 100644
---- a/xmlschemastypes.c
-+++ b/xmlschemastypes.c
-@@ -242,6 +242,10 @@ xmlSchemaNewMinLengthFacet(int value)
- }
- ret->type = XML_SCHEMA_FACET_MINLENGTH;
- ret->val = xmlSchemaNewValue(XML_SCHEMAS_NNINTEGER);
-+ if (ret->val == NULL) {
-+ xmlFree(ret);
-+ return(NULL);
-+ }
- ret->val->value.decimal.lo = value;
- return (ret);
- }
diff --git a/debian/patches/0012-Fix-a-possible-NULL-dereference.patch b/debian/patches/0012-Fix-a-possible-NULL-dereference.patch
deleted file mode 100644
index 9a7cf6f..0000000
--- a/debian/patches/0012-Fix-a-possible-NULL-dereference.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Gaurav
-Date: Sat, 3 Aug 2013 22:16:02 +0800
-Subject: Fix a possible NULL dereference
-
-https://bugzilla.gnome.org/show_bug.cgi?id=705400
-In case of allocation error the pointer was dereferenced before the
-test for a failure
----
- SAX2.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/SAX2.c b/SAX2.c
-index 4adf202..33d167e 100644
---- a/SAX2.c
-+++ b/SAX2.c
-@@ -994,12 +994,12 @@ xmlSAX2StartDocument(void *ctx)
- #ifdef LIBXML_HTML_ENABLED
- if (ctxt->myDoc == NULL)
- ctxt->myDoc = htmlNewDocNoDtD(NULL, NULL);
-- ctxt->myDoc->properties = XML_DOC_HTML;
-- ctxt->myDoc->parseFlags = ctxt->options;
- if (ctxt->myDoc == NULL) {
- xmlSAX2ErrMemory(ctxt, "xmlSAX2StartDocument");
- return;
- }
-+ ctxt->myDoc->properties = XML_DOC_HTML;
-+ ctxt->myDoc->parseFlags = ctxt->options;
- #else
- xmlGenericError(xmlGenericErrorContext,
- "libxml2 built without HTML support\n");
diff --git a/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch b/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch
deleted file mode 100644
index a18dfaf..0000000
--- a/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Daniel Veillard
-Date: Sat, 3 Aug 2013 22:25:13 +0800
-Subject: Clear up a potential NULL dereference
-
-https://bugzilla.gnome.org/show_bug.cgi?id=705399
-
-if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought
-to be zero but it's better to clarify the check in the code directly.
----
- parserInternals.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/parserInternals.c b/parserInternals.c
-index f8a7041..98a5836 100644
---- a/parserInternals.c
-+++ b/parserInternals.c
-@@ -1990,7 +1990,8 @@ xmlParserAddNodeInfo(xmlParserCtxtPtr ctxt,
-
- /* Otherwise, we need to add new node to buffer */
- else {
-- if (ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) {
-+ if ((ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) ||
-+ (ctxt->node_seq.buffer == NULL)) {
- xmlParserNodeInfo *tmp_buffer;
- unsigned int byte_size;
-
diff --git a/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch b/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch
deleted file mode 100644
index f24424a..0000000
--- a/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Nick Wellnhofer
-Date: Sun, 4 Aug 2013 22:15:11 +0000
-Subject: Fix XPath '//' optimization with predicates
-
-My attempt to optimize XPath expressions containing '//' caused a
-regression reported in bug #695699. This commit disables the
-optimization for expressions of the form '//foo[predicate]'.
----
- xpath.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 97410e7..a676989 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -14719,8 +14719,9 @@ xmlXPathOptimizeExpression(xmlXPathCompExprPtr comp, xmlXPathStepOpPtr op)
- * internal representation.
- */
-
-- if ((op->ch1 != -1) &&
-- (op->op == XPATH_OP_COLLECT /* 11 */))
-+ if ((op->op == XPATH_OP_COLLECT /* 11 */) &&
-+ (op->ch1 != -1) &&
-+ (op->ch2 == -1 /* no predicate */))
- {
- xmlXPathStepOpPtr prevop = &comp->steps[op->ch1];
-
diff --git a/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch b/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch
deleted file mode 100644
index b910c3a..0000000
--- a/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Tim Galeckas
-Date: Thu, 29 Aug 2013 16:44:33 +0800
-Subject: xmllint --pretty crashed without following numeric argument
-
-https://bugzilla.gnome.org/show_bug.cgi?id=674789
-
-We need to check for NULL argument before calling atoi()
----
- xmllint.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/xmllint.c b/xmllint.c
-index 92e6b03..d69722c 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -3388,11 +3388,13 @@ main(int argc, char **argv) {
- (!strcmp(argv[i], "--pretty"))) {
- i++;
- #ifdef LIBXML_OUTPUT_ENABLED
-- format = atoi(argv[i]);
-- if (format == 1) {
-- noblanks++;
-- xmlKeepBlanksDefault(0);
-- }
-+ if (argv[i] != NULL) {
-+ format = atoi(argv[i]);
-+ if (format == 1) {
-+ noblanks++;
-+ xmlKeepBlanksDefault(0);
-+ }
-+ }
- #endif /* LIBXML_OUTPUT_ENABLED */
- }
- #ifdef LIBXML_READER_ENABLED
diff --git a/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch b/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch
deleted file mode 100644
index fa8a176..0000000
--- a/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Gaurav
-Date: Wed, 11 Sep 2013 14:59:06 +0800
-Subject: Fix potential NULL pointer dereferences in regexp code
-
-https://bugzilla.gnome.org/show_bug.cgi?id=707749
-
-Fix 3 cases where we might dereference NULL
----
- xmlregexp.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/xmlregexp.c b/xmlregexp.c
-index 1f9911c..8e63d74 100644
---- a/xmlregexp.c
-+++ b/xmlregexp.c
-@@ -3162,8 +3162,10 @@ xmlFARegExecRollBack(xmlRegExecCtxtPtr exec) {
- exec->status = -6;
- return;
- }
-- memcpy(exec->counts, exec->rollbacks[exec->nbRollbacks].counts,
-+ if (exec->counts) {
-+ memcpy(exec->counts, exec->rollbacks[exec->nbRollbacks].counts,
- exec->comp->nbCounters * sizeof(int));
-+ }
- }
-
- #ifdef DEBUG_REGEXP_EXEC
-@@ -4091,7 +4093,7 @@ rollback:
- */
- exec->determinist = 0;
- xmlFARegExecRollBack(exec);
-- if (exec->status == 0) {
-+ if ((exec->inputStack != NULL ) && (exec->status == 0)) {
- value = exec->inputStack[exec->index].value;
- data = exec->inputStack[exec->index].data;
- #ifdef DEBUG_PUSH
-@@ -4306,7 +4308,7 @@ xmlRegExecGetValues(xmlRegExecCtxtPtr exec, int err,
- (*nbval)++;
- }
- } else {
-- if ((exec->comp->states[trans->to] != NULL) &&
-+ if ((exec->comp != NULL) && (exec->comp->states[trans->to] != NULL) &&
- (exec->comp->states[trans->to]->type !=
- XML_REGEXP_SINK_STATE)) {
- if (atom->neg)
diff --git a/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch b/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch
deleted file mode 100644
index 2c55813..0000000
--- a/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Daniel Veillard
-Date: Wed, 11 Sep 2013 15:11:27 +0800
-Subject: Fix a potential NULL dereference in tree code
-
-https://bugzilla.gnome.org/show_bug.cgi?id=707750
-
-Also reported by Gaurav, simple fix to check the pointer before
-dereference
----
- tree.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/tree.c b/tree.c
-index 7e5af26..efc3ca2 100644
---- a/tree.c
-+++ b/tree.c
-@@ -9780,7 +9780,8 @@ leave_node:
- if (clone->parent != NULL)
- clone->parent->last = clone;
- clone = clone->parent;
-- parentClone = clone->parent;
-+ if (clone != NULL)
-+ parentClone = clone->parent;
- /*
- * Process parent --> next;
- */
diff --git a/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch b/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch
deleted file mode 100644
index 3ae1c59..0000000
--- a/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Gaurav
-Date: Mon, 30 Sep 2013 10:43:47 +0800
-Subject: Fix pointer dereferenced before null check
-
-for https://bugzilla.gnome.org/show_bug.cgi?id=708364
-
-xmlValidateElementContent is a private function but should still
-check the ctxt argument before dereferencing
----
- valid.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/valid.c b/valid.c
-index 6e53a76..e0832e7 100644
---- a/valid.c
-+++ b/valid.c
-@@ -5236,7 +5236,7 @@ xmlValidateElementContent(xmlValidCtxtPtr ctxt, xmlNodePtr child,
- xmlElementContentPtr cont;
- const xmlChar *name;
-
-- if ((elemDecl == NULL) || (parent == NULL))
-+ if ((elemDecl == NULL) || (parent == NULL) || (ctxt == NULL))
- return(-1);
- cont = elemDecl->content;
- name = elemDecl->name;
diff --git a/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch b/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch
deleted file mode 100644
index 48b4fa4..0000000
--- a/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From: Mike Alexander -Date: Thu, 28 Nov 2013 23:21:23 +0800 -Subject: Fix a bug loading some compressed files - -For https://bugzilla.gnome.org/show_bug.cgi?id=712528 -Related to https://bugzilla.redhat.com/show_bug.cgi?id=877567 - -There is a bug in xzlib.c which causes certain compressed XML files to fail to -load correctly. The code in xz_decomp which attempts to verify the checksum -and length of the expanded data fails if the checksum or length at the end of -the file crosses a 1024 byte boundary. It calls gz_next4 to get those two -values. This function uses the stream state in state->zstrm, but calls -xz_avail which uses the state->strm stream info. This causes gz_next4 to -signal a premature EOF if the data it is fetching crosses a 1024 byte boundary. ---- - xzlib.c | 26 ++++++++++++++++++++++---- - 1 file changed, 22 insertions(+), 4 deletions(-) - -diff --git a/xzlib.c b/xzlib.c -index 928bd17..cd045fa 100644 ---- a/xzlib.c -+++ b/xzlib.c -@@ -245,6 +245,20 @@ xz_avail(xz_statep state) - return 0; - } - -+#ifdef HAVE_ZLIB_H -+static int -+xz_avail_zstrm(xz_statep state) -+{ -+ int ret; -+ state->strm.avail_in = state->zstrm.avail_in; -+ state->strm.next_in = state->zstrm.next_in; -+ ret = xz_avail(state); -+ state->zstrm.avail_in = (uInt) state->strm.avail_in; -+ state->zstrm.next_in = (Bytef *) state->strm.next_in; -+ return ret; -+} -+#endif -+ - static int - is_format_xz(xz_statep state) - { -@@ -314,6 +328,10 @@ is_format_lzma(xz_statep state) - #define NEXT() ((strm->avail_in == 0 && xz_avail(state) == -1) ? -1 : \ - (strm->avail_in == 0 ? -1 : \ - (strm->avail_in--, *(strm->next_in)++))) -+/* Same thing, but from zstrm */ -+#define NEXTZ() ((strm->avail_in == 0 && xz_avail_zstrm(state) == -1) ? -1 : \ -+ (strm->avail_in == 0 ? -1 : \ -+ (strm->avail_in--, *(strm->next_in)++))) - - /* Get a four-byte little-endian integer and return 0 on success and the value - in *ret. Otherwise -1 is returned and *ret is not modified. 
*/ -@@ -324,10 +342,10 @@ gz_next4(xz_statep state, unsigned long *ret) - unsigned long val; - z_streamp strm = &(state->zstrm); - -- val = NEXT(); -- val += (unsigned) NEXT() << 8; -- val += (unsigned long) NEXT() << 16; -- ch = NEXT(); -+ val = NEXTZ(); -+ val += (unsigned) NEXTZ() << 8; -+ val += (unsigned long) NEXTZ() << 16; -+ ch = NEXTZ(); - if (ch == -1) - return -1; - val += (unsigned long) ch << 24; diff --git a/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch b/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch deleted file mode 100644 index ab0bde8..0000000 --- a/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From: Gaurav
-Date: Fri, 29 Nov 2013 23:10:50 +0800
-Subject: Avoid a possibility of dangling encoding handler
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=711149
-
-In Function:
-int xmlCharEncCloseFunc(xmlCharEncodingHandler *handler)
-
-If the freed handler is any one of handlers[i] list, then it will make that
-hanldlers[i] as dangling. This may lead to crash issues at places where
-handlers is read.
----
- encoding.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/encoding.c b/encoding.c
-index 7330e90..d4fc45f 100644
---- a/encoding.c
-+++ b/encoding.c
-@@ -2851,14 +2851,25 @@ int
- xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) {
- int ret = 0;
- int tofree = 0;
-+ int i, handler_in_list = 0;
-+
- if (handler == NULL) return(-1);
- if (handler->name == NULL) return(-1);
-+ if (handlers != NULL) {
-+ for (i = 0;i < nbCharEncodingHandler; i++) {
-+ if (handler == handlers[i]) {
-+ handler_in_list = 1;
-+ break;
-+ }
-+ }
-+ }
- #ifdef LIBXML_ICONV_ENABLED
- /*
- * Iconv handlers can be used only once, free the whole block.
- * and the associated icon resources.
- */
-- if ((handler->iconv_out != NULL) || (handler->iconv_in != NULL)) {
-+ if ((handler_in_list == 0) &&
-+ ((handler->iconv_out != NULL) || (handler->iconv_in != NULL))) {
- tofree = 1;
- if (handler->iconv_out != NULL) {
- if (iconv_close(handler->iconv_out))
-@@ -2873,7 +2884,8 @@ xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) {
- }
- #endif /* LIBXML_ICONV_ENABLED */
- #ifdef LIBXML_ICU_ENABLED
-- if ((handler->uconv_out != NULL) || (handler->uconv_in != NULL)) {
-+ if ((handler_in_list == 0) &&
-+ ((handler->uconv_out != NULL) || (handler->uconv_in != NULL))) {
- tofree = 1;
- if (handler->uconv_out != NULL) {
- closeIcuConverter(handler->uconv_out);
diff --git a/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch b/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch
deleted file mode 100644
index 6771dbb..0000000
--- a/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Gaurav
-Date: Fri, 29 Nov 2013 23:28:21 +0800
-Subject: Fix a couple of missing NULL checks
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=708681
----
- tree.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/tree.c b/tree.c
-index efc3ca2..43c3c57 100644
---- a/tree.c
-+++ b/tree.c
-@@ -4294,6 +4294,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
- }
- if (doc->intSubset == NULL) {
- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
-+ if (q == NULL) return(NULL);
- q->doc = doc;
- q->parent = parent;
- doc->intSubset = (xmlDtdPtr) q;
-@@ -4305,6 +4306,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
- } else
- #endif /* LIBXML_TREE_ENABLED */
- q = xmlStaticCopyNode(node, doc, parent, 1);
-+ if (q == NULL) return(NULL);
- if (ret == NULL) {
- q->prev = NULL;
- ret = p = q;
diff --git a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch b/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
deleted file mode 100644
index 7820411..0000000
--- a/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
+++ /dev/null
@@ -1,148 +0,0 @@ -From: Daniel Veillard -Date: Mon, 9 Dec 2013 15:23:40 +0800 -Subject: adding init calls to xml and html Read parsing entry points - -As pointed out by "Tassyns, Bram " on the list -some call had it other didn't, clean it up and add to all missing -ones ---- - HTMLparser.c | 6 ++++++ - parser.c | 10 ++++++++++ - 2 files changed, 16 insertions(+) - -diff --git a/HTMLparser.c b/HTMLparser.c -index dd0c1ea..44c1a3c 100644 ---- a/HTMLparser.c -+++ b/HTMLparser.c -@@ -6808,6 +6808,7 @@ htmlReadFd(int fd, const char *URL, const char *encoding, int options) - - if (fd < 0) - return (NULL); -+ xmlInitParser(); - - xmlInitParser(); - input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE); -@@ -6898,6 +6899,7 @@ htmlCtxtReadDoc(htmlParserCtxtPtr ctxt, const xmlChar * cur, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - htmlCtxtReset(ctxt); - -@@ -6931,6 +6933,7 @@ htmlCtxtReadFile(htmlParserCtxtPtr ctxt, const char *filename, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - htmlCtxtReset(ctxt); - -@@ -6967,6 +6970,7 @@ htmlCtxtReadMemory(htmlParserCtxtPtr ctxt, const char *buffer, int size, - return (NULL); - if (buffer == NULL) - return (NULL); -+ xmlInitParser(); - - htmlCtxtReset(ctxt); - -@@ -7009,6 +7013,7 @@ htmlCtxtReadFd(htmlParserCtxtPtr ctxt, int fd, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - htmlCtxtReset(ctxt); - -@@ -7053,6 +7058,7 @@ htmlCtxtReadIO(htmlParserCtxtPtr ctxt, xmlInputReadCallback ioread, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - htmlCtxtReset(ctxt); - -diff --git a/parser.c b/parser.c -index dd00399..ad400f4 100644 ---- a/parser.c -+++ b/parser.c -@@ -15217,6 +15217,7 @@ xmlReadDoc(const xmlChar * cur, const char *URL, const char *encoding, int optio - - if (cur == NULL) - return (NULL); -+ xmlInitParser(); - - ctxt = xmlCreateDocParserCtxt(cur); - if (ctxt == NULL) -@@ -15239,6 +15240,7 @@ 
xmlReadFile(const char *filename, const char *encoding, int options) - { - xmlParserCtxtPtr ctxt; - -+ xmlInitParser(); - ctxt = xmlCreateURLParserCtxt(filename, options); - if (ctxt == NULL) - return (NULL); -@@ -15262,6 +15264,7 @@ xmlReadMemory(const char *buffer, int size, const char *URL, const char *encodin - { - xmlParserCtxtPtr ctxt; - -+ xmlInitParser(); - ctxt = xmlCreateMemoryParserCtxt(buffer, size); - if (ctxt == NULL) - return (NULL); -@@ -15290,6 +15293,7 @@ xmlReadFd(int fd, const char *URL, const char *encoding, int options) - - if (fd < 0) - return (NULL); -+ xmlInitParser(); - - input = xmlParserInputBufferCreateFd(fd, XML_CHAR_ENCODING_NONE); - if (input == NULL) -@@ -15333,6 +15337,7 @@ xmlReadIO(xmlInputReadCallback ioread, xmlInputCloseCallback ioclose, - - if (ioread == NULL) - return (NULL); -+ xmlInitParser(); - - input = xmlParserInputBufferCreateIO(ioread, ioclose, ioctx, - XML_CHAR_ENCODING_NONE); -@@ -15379,6 +15384,7 @@ xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - xmlCtxtReset(ctxt); - -@@ -15412,6 +15418,7 @@ xmlCtxtReadFile(xmlParserCtxtPtr ctxt, const char *filename, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - xmlCtxtReset(ctxt); - -@@ -15448,6 +15455,7 @@ xmlCtxtReadMemory(xmlParserCtxtPtr ctxt, const char *buffer, int size, - return (NULL); - if (buffer == NULL) - return (NULL); -+ xmlInitParser(); - - xmlCtxtReset(ctxt); - -@@ -15492,6 +15500,7 @@ xmlCtxtReadFd(xmlParserCtxtPtr ctxt, int fd, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - xmlCtxtReset(ctxt); - -@@ -15537,6 +15546,7 @@ xmlCtxtReadIO(xmlParserCtxtPtr ctxt, xmlInputReadCallback ioread, - return (NULL); - if (ctxt == NULL) - return (NULL); -+ xmlInitParser(); - - xmlCtxtReset(ctxt); - 
diff --git a/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch b/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch
deleted file mode 100644
index cc18db7..0000000
--- a/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Nick Wellnhofer
-Date: Fri, 20 Dec 2013 00:01:53 +0100
-Subject: Handling of XPath function arguments in error case
-
-The XPath engine tries to guarantee that every XPath function can pop
-'nargs' non-NULL values off the stack. libxslt, for example, relies on
-this assumption. But the check isn't thorough enough if there are errors
-during the evaluation of arguments. This can lead to segfaults:
-
-https://mail.gnome.org/archives/xslt/2013-December/msg00005.html
-
-This commit makes the handling of function arguments more robust.
-
-* Bail out early when evaluation of XPath function arguments fails.
-* Make sure that there are 'nargs' arguments in the current call frame.
----
- xpath.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index a676989..a75df9b 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -13512,10 +13512,15 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
- int frame;
-
- frame = xmlXPathSetFrame(ctxt);
-- if (op->ch1 != -1)
-+ if (op->ch1 != -1) {
- total +=
- xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
-- if (ctxt->valueNr < op->value) {
-+ if (ctxt->error != XPATH_EXPRESSION_OK) {
-+ xmlXPathPopFrame(ctxt, frame);
-+ return (total);
-+ }
-+ }
-+ if (ctxt->valueNr < ctxt->valueFrame + op->value) {
- xmlGenericError(xmlGenericErrorContext,
- "xmlXPathCompOpEval: parameter error\n");
- ctxt->error = XPATH_INVALID_OPERAND;
diff --git a/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch b/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch
deleted file mode 100644
index c5a5d16..0000000
--- a/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: Daniel Veillard
-Date: Sun, 26 Jan 2014 15:02:25 +0100
-Subject: Missing initialization for the catalog module
-
----
- parser.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index ad400f4..7381a78 100644
---- a/parser.c
-+++ b/parser.c
-@@ -14720,6 +14720,9 @@ xmlInitParser(void) {
- #ifdef LIBXML_XPATH_ENABLED
- xmlXPathInit();
- #endif
-+#ifdef LIBXML_CATALOG_ENABLED
-+ xmlInitializeCatalog();
-+#endif
- xmlParserInitialized = 1;
- #ifdef LIBXML_THREAD_ENABLED
- }
diff --git a/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch b/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch
deleted file mode 100644
index edf1752..0000000
--- a/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Daniel Veillard
-Date: Thu, 6 Feb 2014 10:38:00 +0100
-Subject: Fix an fd leak in an error case
-
----
- catalog.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/catalog.c b/catalog.c
-index 8e34cd2..56991da 100644
---- a/catalog.c
-+++ b/catalog.c
-@@ -994,6 +994,11 @@ xmlLoadFileContent(const char *filename)
- content = (xmlChar*)xmlMallocAtomic(size + 10);
- if (content == NULL) {
- xmlCatalogErrMemory("allocating catalog data");
-+#ifdef HAVE_STAT
-+ close(fd);
-+#else
-+ fclose(fd);
-+#endif
- return (NULL);
- }
- #ifdef HAVE_STAT
diff --git a/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch b/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch
deleted file mode 100644
index 65eae92..0000000
--- a/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From: Daniel Veillard
-Date: Thu, 6 Feb 2014 10:47:20 +0100
-Subject: fixing a ptotential uninitialized access
-
----
- valid.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/valid.c b/valid.c
-index e0832e7..114bb72 100644
---- a/valid.c
-+++ b/valid.c
-@@ -6948,7 +6948,7 @@ xmlValidGetValidElements(xmlNode *prev, xmlNode *next, const xmlChar **names,
- int max) {
- xmlValidCtxt vctxt;
- int nb_valid_elements = 0;
-- const xmlChar *elements[256];
-+ const xmlChar *elements[256]={0};
- int nb_elements = 0, i;
- const xmlChar *name;
-
diff --git a/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch b/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch
deleted file mode 100644
index 22d206a..0000000
--- a/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Daniel Veillard
-Date: Sat, 8 Feb 2014 02:22:35 +0800
-Subject: Fix xmlTextWriterWriteElement when a null content is given
-
----
- xmlwriter.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/xmlwriter.c b/xmlwriter.c
-index d3f29f8..27209b9 100644
---- a/xmlwriter.c
-+++ b/xmlwriter.c
-@@ -2238,10 +2238,12 @@ xmlTextWriterWriteElement(xmlTextWriterPtr writer, const xmlChar * name,
- if (count == -1)
- return -1;
- sum += count;
-- count = xmlTextWriterWriteString(writer, content);
-- if (count == -1)
-- return -1;
-- sum += count;
-+ if (content != NULL) {
-+ count = xmlTextWriterWriteString(writer, content);
-+ if (count == -1)
-+ return -1;
-+ sum += count;
-+ }
- count = xmlTextWriterEndElement(writer);
- if (count == -1)
- return -1;
diff --git a/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch b/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch
deleted file mode 100644
index 219d13a..0000000
--- a/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: Gaurav
-Date: Tue, 18 Feb 2014 11:47:43 +0800
-Subject: Avoid a possible NULL pointer dereference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=708355
----
- xmlmodule.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xmlmodule.c b/xmlmodule.c
-index 7fe5bc2..50ed666 100644
---- a/xmlmodule.c
-+++ b/xmlmodule.c
-@@ -115,7 +115,7 @@ xmlModuleSymbol(xmlModulePtr module, const char *name, void **symbol)
- {
- int rc = -1;
-
-- if ((NULL == module) || (symbol == NULL)) {
-+ if ((NULL == module) || (symbol == NULL) || (name == NULL)) {
- __xmlRaiseError(NULL, NULL, NULL, NULL, NULL, XML_FROM_MODULE,
- XML_MODULE_OPEN, XML_ERR_FATAL, NULL, 0, 0,
- NULL, NULL, 0, 0, "null parameter\n");
diff --git a/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch b/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch
deleted file mode 100644
index 06ec27c..0000000
--- a/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Daniel Veillard
-Date: Tue, 22 Apr 2014 15:30:56 +0800
-Subject: Do not fetch external parameter entities
-
-Unless explicitely asked for when validating or replacing entities
-with their value. Problem pointed out by Daniel Berrange
----
- parser.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 7381a78..8aad7b4 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
- xmlCharEncoding enc;
-
- /*
-+ * Note: external parsed entities will not be loaded, it is
-+ * not required for a non-validating parser, unless the
-+ * option of validating, or substituting entities were
-+ * given. Doing so is far more secure as the parser will
-+ * only process data coming from the document entity by
-+ * default.
-+ */
-+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+ (ctxt->validate == 0))
-+ return;
-+
-+ /*
- * handle the extra spaces added before and after
- * c.f. http://www.w3.org/TR/REC-xml#as-PE
- * this is done independently.
diff --git a/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch b/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
deleted file mode 100644
index 8a84731..0000000
--- a/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Gaurav
-Date: Fri, 9 May 2014 17:00:08 +0800
-Subject: Avoid Possible null pointer dereference in memory debug mode
-
-Fix a use before check on pointer
-For https://bugzilla.gnome.org/show_bug.cgi?id=729849
----
- xmlmemory.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/xmlmemory.c b/xmlmemory.c
-index 25d9318..37dcf3b 100644
---- a/xmlmemory.c
-+++ b/xmlmemory.c
-@@ -583,13 +583,15 @@ xmlMemBlocks(void) {
- static void
- xmlMemContentShow(FILE *fp, MEMHDR *p)
- {
-- int i,j,k,len = p->mh_size;
-- const char *buf = (const char *) HDR_2_CLIENT(p);
-+ int i,j,k,len;
-+ const char *buf;
-
- if (p == NULL) {
- fprintf(fp, " NULL");
- return;
- }
-+ len = p->mh_size;
-+ buf = (const char *) HDR_2_CLIENT(p);
-
- for (i = 0;i < len;i++) {
- if (buf[i] == 0) break;
diff --git a/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch b/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch
deleted file mode 100644
index 7b24f6b..0000000
--- a/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From: =?UTF-8?q?S=C3=A9rgio=20Batista?=
-Date: Mon, 9 Jun 2014 22:10:15 +0800
-Subject: xmllint was not parsing the --c14n11 flag
-
-Cut and paste error, using the wrong variable
----
- xmllint.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xmllint.c b/xmllint.c
-index d69722c..4a5d043 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -2573,7 +2573,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
- fprintf(stderr, "Failed to canonicalize\n");
- progresult = XMLLINT_ERR_OUT;
- }
-- } else if (canonical) {
-+ } else if (canonical_11) {
- xmlChar *result = NULL;
- int size;
-
diff --git a/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch b/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
deleted file mode 100644
index d9fc108..0000000
--- a/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Daniel Veillard
-Date: Wed, 11 Jun 2014 16:54:32 +0800
-Subject: Fix regressions introduced by CVE-2014-0191 patch
-
-A number of issues have been raised after the fix, and this patch
-tries to correct all of them, though most were related to
-postvalidation.
-https://bugzilla.gnome.org/show_bug.cgi?id=730290
-and other reports on list, off-list and on Red Hat bugzilla
----
- parser.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/parser.c b/parser.c
-index 8aad7b4..ea0ea65 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2595,8 +2595,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
- xmlCharEncoding enc;
-
- /*
-- * Note: external parsed entities will not be loaded, it is
-- * not required for a non-validating parser, unless the
-+ * Note: external parameter entities will not be loaded, it
-+ * is not required for a non-validating parser, unless the
- * option of validating, or substituting entities were
- * given. Doing so is far more secure as the parser will
- * only process data coming from the document entity by
-@@ -2605,6 +2605,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
- if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
- ((ctxt->options & XML_PARSE_NOENT) == 0) &&
- ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
-+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
-+ (ctxt->replaceEntities == 0) &&
- (ctxt->validate == 0))
- return;
-
-@@ -12609,6 +12612,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input,
- return(NULL);
- }
-
-+ /* We are loading a DTD */
-+ ctxt->options |= XML_PARSE_DTDLOAD;
-+
- /*
- * Set-up the SAX context
- */
-@@ -12736,6 +12742,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID,
- return(NULL);
- }
-
-+ /* We are loading a DTD */
-+ ctxt->options |= XML_PARSE_DTDLOAD;
-+
- /*
- * Set-up the SAX context
- */
diff --git a/debian/patches/series b/debian/patches/series
index ce6e665..631a2bf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,32 +1,3 @@
 0001-modify-xml2-config-and-pkgconfig-behaviour.patch
 0002-fix-python-multiarch-includes.patch
-0003-Fix-an-error-in-xmlCleanupParser.patch
-0004-Fix-missing-break-on-last-function-for-attributes.patch
-0005-xmllint-memory-should-fail-on-empty-files.patch
-0006-properly-quote-the-namespace-uris-written-out-during.patch
-0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
-0008-missing-else-in-xlink.c.patch
-0009-Catch-malloc-error-and-exit-accordingly.patch
-0010-Fix-handling-of-mmap-errors.patch
-0011-Avoid-crash-if-allocation-fails.patch
-0012-Fix-a-possible-NULL-dereference.patch
-0013-Clear-up-a-potential-NULL-dereference.patch
-0014-Fix-XPath-optimization-with-predicates.patch
-0015-xmllint-pretty-crashed-without-following-numeric-arg.patch
-0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch
-0017-Fix-a-potential-NULL-dereference-in-tree-code.patch
-0018-Fix-pointer-dereferenced-before-null-check.patch
-0019-Fix-a-bug-loading-some-compressed-files.patch
-0020-Avoid-a-possibility-of-dangling-encoding-handler.patch
-0021-Fix-a-couple-of-missing-NULL-checks.patch
-0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
-0023-Handling-of-XPath-function-arguments-in-error-case.patch
-0024-Missing-initialization-for-the-catalog-module.patch
-0025-Fix-an-fd-leak-in-an-error-case.patch
-0026-fixing-a-ptotential-uninitialized-access.patch
-0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch
-0028-Avoid-a-possible-NULL-pointer-dereference.patch
-0029-Do-not-fetch-external-parameter-entities.patch
-0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
-0031-xmllint-was-not-parsing-the-c14n11-flag.patch
-0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
+0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch
-- cgit v1.2.3
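Review bot: The series hunk drops `0029-Do-not-fetch-external-parameter-entities.patch` and `0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch` along with the other upstream backports, but neither the commit message nor the series file records which upstream release is supposed to carry them. Since 0029 is what stops the parser from loading external parameter entities by default, it is worth confirming against the imported source that the guard in `xmlParserHandlePEReference` is present, including the `XML_PARSE_DTDLOAD`, `XML_PARSE_DTDATTR` and `replaceEntities` conditions added by 0032, before relying on this removal. A one-line comment at the top of the series, for example `# 0003-0032 dropped: included in upstream UPSTREAM_VERSION_PLACEHOLDER`, would document that. The added entry `0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch` is not created in the part of the commit visible here, so check that the file exists under debian/patches (presumably it comes from a separate commit), since a series entry without its file breaks patch application at build time.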