Updated libxml2 to 2.9.5.

2.9.5: Sep 04 2017
 • Reference Manual
 • Security:
   Detect infinite recursion in parameter entities
   (Nick Wellnhofer),
   Fix handling of parameter-entity references (Nick
   Wellnhofer),
   Disallow namespace nodes in XPointer ranges (Nick
   Wellnhofer),
   Fix XPointer paths beginning with range-to (Nick
   Wellnhofer)
 • Documentation:
   Documentation fixes (Nick Wellnhofer),
   Spelling and grammar fixes (Nick Wellnhofer)
 • Portability:
   Adding README.zOS to list of extra files for the
   release (Daniel Veillard),
   Description of work needed to compile on zOS
   (Stéphane Michaut),
   Porting libxml2 on zOS encoding of code (Stéphane
   Michaut),
   small changes for OS/400 (Patrick Monnerat),
   relaxng.c, xmlschemas.c: Fix build on pre-C99
   compilers (Chun-wei Fan)
 • Bug Fixes:
   Problem resolving relative URIs (Daniel
   Veillard),
   Fix unwanted warnings when switching encodings
   (Nick Wellnhofer),
   Fix signature of xmlSchemaAugmentImportedIDC
   (Daniel Veillard),
   Heap-buffer-overflow read of size 1 in
   xmlFAParsePosCharGroup (David Kilzer),
   Fix NULL pointer deref in xmlFAParseCharClassEsc
   (Nick Wellnhofer),
   Fix infinite loops with push parser in recovery
   mode (Nick Wellnhofer),
   Send xmllint usage error to stderr (Nick
   Wellnhofer),
   Fix NULL deref in xmlParseExternalEntityPrivate
   (Nick Wellnhofer),
   Make sure not to call IS_BLANK_CH when parsing
   the DTD (Nick Wellnhofer),
   Fix xmlHaltParser (Nick Wellnhofer),
   Fix pathological performance when outputting
   charrefs (Nick Wellnhofer),
   Fix invalid-source-encoding warnings in
   testWriter.c (Nick Wellnhofer),
   Fix duplicate SAX callbacks for entity content
   (David Kilzer),
   Treat URIs with scheme as absolute in C14N (Nick
   Wellnhofer),
   Fix copy-paste errors in error messages (Nick
   Wellnhofer),
   Fix sanity check in htmlParseNameComplex (Nick
   Wellnhofer),
   Fix potential infinite loop in
   xmlStringLenDecodeEntities (Nick Wellnhofer),
   Reset parser input pointers on encoding failure
   (Nick Wellnhofer),
   Fix memory leak in xmlParseEntityDecl error path
   (Nick Wellnhofer),
   Fix xmlBuildRelativeURI for URIs starting with '.
   /' (Nick Wellnhofer),
   Fix type confusion in xmlValidateOneNamespace
   (Nick Wellnhofer),
   Fix memory leak in xmlStringLenGetNodeList (Nick
   Wellnhofer),
   Fix NULL pointer deref in xmlDumpElementContent
   (Daniel Veillard),
   Fix memory leak in xmlBufAttrSerializeTxtContent
   (Nick Wellnhofer),
   Stop parser on unsupported encodings (Nick
   Wellnhofer),
   Check for integer overflow in memory debug code
   (Nick Wellnhofer),
   Fix buffer size checks in
   xmlSnprintfElementContent (Nick Wellnhofer),
   Avoid reparsing in xmlParseStartTag2 (Nick
   Wellnhofer),
   Fix undefined behavior in
   xmlRegExecPushStringInternal (Nick Wellnhofer),
   Check XPath exponents for overflow (Nick
   Wellnhofer),
   Check for overflow in
   xmlXPathIsPositionalPredicate (Nick Wellnhofer),
   Fix spurious error message (Nick Wellnhofer),
   Fix memory leak in xmlCanonicPath (Nick
   Wellnhofer),
   Fix memory leak in xmlXPathCompareNodeSetValue
   (Nick Wellnhofer),
   Fix memory leak in pattern error path (Nick
   Wellnhofer),
   Fix memory leak in parser error path (Nick
   Wellnhofer),
   Fix memory leaks in XPointer error paths (Nick
   Wellnhofer),
   Fix memory leak in xmlXPathNodeSetMergeAndClear
   (Nick Wellnhofer),
   Fix memory leak in XPath filter optimizations
   (Nick Wellnhofer),
   Fix memory leaks in XPath error paths (Nick
   Wellnhofer),
   Do not leak the new CData node if adding fails
   (David Tardon),
   Prevent unwanted external entity reference (Neel
   Mehta),
   Increase buffer space for port in HTTP redirect
   support (Daniel Veillard),
   Fix more NULL pointer derefs in xpointer.c (Nick
   Wellnhofer),
   Avoid function/data pointer conversion in xpath.c
   (Nick Wellnhofer),
   Fix format string warnings (Nick Wellnhofer),
   Disallow namespace nodes in XPointer points (Nick
   Wellnhofer),
   Fix comparison with root node in xmlXPathCmpNodes
   (Nick Wellnhofer),
   Fix attribute decoding during XML schema
   validation (Alex Henrie),
   Fix NULL pointer deref in XPointer range-to (Nick
   Wellnhofer)
 • Improvements:
   Updating the spec file to reflect Fedora 24
   (Daniel Veillard),
   Add const in five places to move 1 KiB to .rdata
   (Bruce Dawson),
   Fix missing part of comment for function
   xmlXPathEvalExpression() (Daniel Veillard),
   Get rid of "blanks wrapper" for parameter
   entities (Nick Wellnhofer),
   Simplify handling of parameter entity references
   (Nick Wellnhofer),
   Deduplicate code in encoding.c (Nick Wellnhofer),
   Make HTML parser functions take const pointers
   (Nick Wellnhofer),
   Build test programs only when needed (Nick
   Wellnhofer),
   Fix doc/examples/index.py (Nick Wellnhofer),
   Fix compiler warnings in threads.c (Nick
   Wellnhofer),
   Fix empty-body warning in nanohttp.c (Nick
   Wellnhofer),
   Fix cast-align warnings (Nick Wellnhofer),
   Fix unused-parameter warnings (Nick Wellnhofer),
   Rework entity boundary checks (Nick Wellnhofer),
   Don't switch encoding for internal parameter
   entities (Nick Wellnhofer),
   Merge duplicate code paths handling PE references
   (Nick Wellnhofer),
   Test SAX2 callbacks with entity substitution
   (Nick Wellnhofer),
   Support catalog and threads tests under
   --without-sax1 (Nick Wellnhofer),
   Misc fixes for 'make tests' (Nick Wellnhofer),
   Initialize keepBlanks in HTML parser (Nick
   Wellnhofer),
   Add test cases for bug 758518 (David Kilzer),
   Fix compiler warning in htmlParseElementInternal
   (Nick Wellnhofer),
   Remove useless check in xmlParseAttributeListDecl
   (Nick Wellnhofer),
   Allow zero sized memory input buffers (Nick
   Wellnhofer),
   Add TODO comment in xmlSwitchEncoding (Nick
   Wellnhofer),
   Check for integer overflow in
   xmlXPathFormatNumber (Nick Wellnhofer),
   Make Travis print UBSan stacktraces (Nick
   Wellnhofer),
   Add .travis.yml (Nick Wellnhofer),
   Fix expected error output in Python tests (Nick
   Wellnhofer),
   Simplify control flow in xmlParseStartTag2 (Nick
   Wellnhofer),
   Disable LeakSanitizer when running API tests
   (Nick Wellnhofer),
   Avoid out-of-bound array access in API tests
   (Nick Wellnhofer),
   Avoid spurious UBSan errors in parser.c (Nick
   Wellnhofer),
   Parse small XPath numbers more accurately (Nick
   Wellnhofer),
   Rework XPath rounding functions (Nick
   Wellnhofer),
   Fix white space in test output (Nick Wellnhofer),
   Fix axis traversal from attribute and namespace
   nodes (Nick Wellnhofer),
   Check for trailing characters in XPath
   expressions earlier (Nick Wellnhofer),
   Rework final handling of XPath results (Nick
   Wellnhofer),
   Make xmlXPathEvalExpression call xmlXPathEval
   (Nick Wellnhofer),
   Remove unused variables (Nick Wellnhofer),
   Don't print generic error messages in XPath tests
   (Nick Wellnhofer)
 • Cleanups:
   Fix a couple of misleading indentation errors
   (Daniel Veillard),
   Remove unnecessary calls to xmlPopInput (Nick
   Wellnhofer)

14 files changed, 8 insertions, 467 deletions

diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index 75d1a58eba8..60f5b4d3855 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,9 +1,7 @@
-# $NetBSD: Makefile,v 1.145 2017/06/21 00:23:23 tez Exp $
+# $NetBSD: Makefile,v 1.146 2017/09/10 20:49:20 wiz Exp $
 
 .include "../../textproc/libxml2/Makefile.common"
 
-PKGREVISION=	4
-
 COMMENT=	XML parser library from the GNOME project
 LICENSE=	modified-bsd
 
diff --git a/textproc/libxml2/Makefile.common b/textproc/libxml2/Makefile.common
index 43bc907f44b..b23cd937838 100644
--- a/textproc/libxml2/Makefile.common
+++ b/textproc/libxml2/Makefile.common
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile.common,v 1.6 2017/01/19 18:52:27 agc Exp $
+# $NetBSD: Makefile.common,v 1.7 2017/09/10 20:49:20 wiz Exp $
 #
 # used by textproc/libxml2/Makefile
 # used by textproc/py-libxml2/Makefile
 
-DISTNAME=	libxml2-2.9.4
+DISTNAME=	libxml2-2.9.5
 CATEGORIES=	textproc
 MASTER_SITES=	ftp://xmlsoft.org/libxml2/
 MASTER_SITES+=	http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index 1f8a9d5fcd1..ea931b83a77 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,23 +1,12 @@
-$NetBSD: distinfo,v 1.116 2017/06/21 00:23:23 tez Exp $
+$NetBSD: distinfo,v 1.117 2017/09/10 20:49:20 wiz Exp $
 
-SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
-RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
-SHA512 (libxml2-2.9.4.tar.gz) = f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9
-Size (libxml2-2.9.4.tar.gz) = 5374830 bytes
+SHA1 (libxml2-2.9.5.tar.gz) = 6ab515fa4d087a3973e880d46bf6bdad48114d20
+RMD160 (libxml2-2.9.5.tar.gz) = 598fbbd97120b672760c934c12648dfd1065f856
+SHA512 (libxml2-2.9.5.tar.gz) = 197dbd1722e5f90eea43837323352f48d215e198aa6b95685645ef7511e2beba8aadc0dd67e099c945120c5dbe7f8c9da5f376b22f447059e9ffa941c1bfd175
+Size (libxml2-2.9.5.tar.gz) = 5466888 bytes
 SHA1 (patch-aa) = e687eaa9805b855b0c8a944ec5c597bd34954472
 SHA1 (patch-ab) = d6d6e9a91307da0c7f334b5b9ad432878babd1ac
 SHA1 (patch-ac) = 34afe787f6012b460a85be993048e133907a1621
 SHA1 (patch-ad) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
-SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
-SHA1 (patch-parser.c) = 23e39127bf65e721dd76d80b389c1ccacf8e5746
-SHA1 (patch-result_XPath_xptr_vidbase) = f0ef1ac593cb25f96b7ffef93e0f214aa8fc6103
-SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
-SHA1 (patch-test_XPath_xptr_vidbase) = a9b497505f914924388145c6266aa517152f9da3
-SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
-SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
-SHA1 (patch-valid.c) = 9eda3633b3ea5269e0ef33fa0508de18e7a76def
-SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59
-SHA1 (patch-xpath.c) = ec94ab2116f99a08f51630dee6b9e7e25d2b5c00
-SHA1 (patch-xpointer.c) = 8ca75f64b89369106c0d088ff7fd36b38005e032
diff --git a/textproc/libxml2/patches/patch-parseInternals.c b/textproc/libxml2/patches/patch-parseInternals.c
deleted file mode 100644
index c14ab3d4333..00000000000
--- a/textproc/libxml2/patches/patch-parseInternals.c
+++ /dev/null
@@ -1,18 +0,0 @@
-$NetBSD: patch-parseInternals.c,v 1.1 2016/11/30 14:46:22 sevan Exp $
-
-CVE-2016-9318 https://bugzilla.gnome.org/show_bug.cgi?id=772726
-
---- parserInternals.c.orig	2016-11-30 14:35:55.000000000 +0000
-+++ parserInternals.c
-@@ -1438,6 +1438,11 @@ xmlNewEntityInputStream(xmlParserCtxtPtr
-                 break;
-             case XML_EXTERNAL_GENERAL_PARSED_ENTITY:
-             case XML_EXTERNAL_PARAMETER_ENTITY:
-+		if (((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+		    ((ctxt->options & XML_PARSE_DTDVALID) == 0)) {
-+		    xmlErrInternal(ctxt, "xmlNewEntityInputStream will not read content for external entity\n",
-+				    NULL);
-+		}
- 		return(xmlLoadExternalEntity((char *) entity->URI,
- 		       (char *) entity->ExternalID, ctxt));
-             case XML_INTERNAL_GENERAL_ENTITY:
diff --git a/textproc/libxml2/patches/patch-parser.c b/textproc/libxml2/patches/patch-parser.c
deleted file mode 100644
index 88b70f85411..00000000000
--- a/textproc/libxml2/patches/patch-parser.c
+++ /dev/null
@@ -1,69 +0,0 @@
-$NetBSD: patch-parser.c,v 1.3 2017/06/21 00:23:24 tez Exp $
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
-
-From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
-
-
---- parser.c.orig
-+++ parser.c
-@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- 	ctxt->input->line++; ctxt->input->col = 1;			\
-     } else ctxt->input->col++;						\
-     ctxt->input->cur += l;				\
--    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\
-   } while (0)
- 
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- 	    len += l;
- 	    NEXTL(l);
- 	    c = CUR_CHAR(l);
--	    if (c == 0) {
--		count = 0;
--		GROW;
--                if (ctxt->instate == XML_PARSER_EOF)
--                    return(NULL);
--		c = CUR_CHAR(l);
--	    }
- 	}
-     }
-     if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
-         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
-         return(NULL);
-     }
-+    if (ctxt->input->cur - ctxt->input->base < len) {
-+        /*
-+         * There were a couple of bugs where PERefs lead to to a change
-+         * of the buffer. Check the buffer size to avoid passing an invalid
-+         * pointer to xmlDictLookup.
-+         */
-+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+                    "unexpected change of input buffer");
-+        return (NULL);
-+    }
-     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
-         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
-     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
diff --git a/textproc/libxml2/patches/patch-result_XPath_xptr_vidbase b/textproc/libxml2/patches/patch-result_XPath_xptr_vidbase
deleted file mode 100644
index 54fa4259464..00000000000
--- a/textproc/libxml2/patches/patch-result_XPath_xptr_vidbase
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-result_XPath_xptr_vidbase,v 1.1 2016/12/27 02:34:34 sevan Exp $
-
-CVE-2016-5131
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-
---- result/XPath/xptr/vidbase.orig	2016-12-27 02:22:25.000000000 +0000
-+++ result/XPath/xptr/vidbase
-@@ -17,3 +17,16 @@ Object is a Location Set:
-   To node
-     ELEMENT p
- 
-+
-+========================
-+Expression: xpointer(range-to(id('chapter2')))
-+Object is a Location Set:
-+1 :   Object is a range :
-+  From node
-+     /
-+  To node
-+    ELEMENT chapter
-+      ATTRIBUTE id
-+        TEXT
-+          content=chapter2
-+
diff --git a/textproc/libxml2/patches/patch-runtest.c b/textproc/libxml2/patches/patch-runtest.c
deleted file mode 100644
index 4a3c82ac1ea..00000000000
--- a/textproc/libxml2/patches/patch-runtest.c
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD$
-
-Since this is built with C90, and %zu isn't supported then, cast
-the size_t argument to long to match the format.
-https://bugzilla.gnome.org/show_bug.cgi?id=766839
-
---- runtest.c.orig	2016-05-23 07:25:25.000000000 +0000
-+++ runtest.c
-@@ -688,7 +688,7 @@ static int compareFileMem(const char *fi
-     }
-     if (info.st_size != size) {
-         fprintf(stderr, "file %s is %ld bytes, result is %d bytes\n",
--	        filename, info.st_size, size);
-+	        filename, (long)info.st_size, size);
-         return(-1);
-     }
-     fd = open(filename, RD_FLAGS);
diff --git a/textproc/libxml2/patches/patch-test_XPath_xptr_vidbase b/textproc/libxml2/patches/patch-test_XPath_xptr_vidbase
deleted file mode 100644
index 19f060fb828..00000000000
--- a/textproc/libxml2/patches/patch-test_XPath_xptr_vidbase
+++ /dev/null
@@ -1,11 +0,0 @@
-$NetBSD: patch-test_XPath_xptr_vidbase,v 1.1 2016/12/27 02:34:34 sevan Exp $
-
-CVE-2016-5131
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-
---- test/XPath/xptr/vidbase.orig	2016-12-27 02:22:06.000000000 +0000
-+++ test/XPath/xptr/vidbase
-@@ -1,2 +1,3 @@
- xpointer(id('chapter1')/p)
- xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
-+xpointer(range-to(id('chapter2')))
diff --git a/textproc/libxml2/patches/patch-testlimits.c b/textproc/libxml2/patches/patch-testlimits.c
deleted file mode 100644
index 60332ae0695..00000000000
--- a/textproc/libxml2/patches/patch-testlimits.c
+++ /dev/null
@@ -1,43 +0,0 @@
-$NetBSD$
-
-Since this is built with C90, and %zu isn't supported then, cast
-the size_t argument to unsigned long to match the format.
-https://bugzilla.gnome.org/show_bug.cgi?id=766839
-
---- testlimits.c.orig	2016-02-09 10:17:34.000000000 +0000
-+++ testlimits.c
-@@ -1284,13 +1284,14 @@ saxTest(const char *filename, size_t lim
-         if (fail)
-             res = 0;
-         else {
--            fprintf(stderr, "Failed to parse '%s' %lu\n", filename, limit);
-+            fprintf(stderr, "Failed to parse '%s' %lu\n", filename,
-+		    (unsigned long)limit);
-             res = 1;
-         }
-     } else {
-         if (fail) {
-             fprintf(stderr, "Failed to get failure for '%s' %lu\n",
--                    filename, limit);
-+                    filename, (unsigned long)limit);
-             res = 1;
-         } else
-             res = 0;
-@@ -1339,7 +1340,7 @@ readerTest(const char *filename, size_t 
-                         filename, crazy_indx);
-             else
-                 fprintf(stderr, "Failed to parse '%s' %lu\n",
--                        filename, limit);
-+                        filename, (unsigned long)limit);
-             res = 1;
-         }
-     } else {
-@@ -1349,7 +1350,7 @@ readerTest(const char *filename, size_t 
-                         filename, crazy_indx);
-             else
-                 fprintf(stderr, "Failed to get failure for '%s' %lu\n",
--                        filename, limit);
-+                        filename, (unsigned long)limit);
-             res = 1;
-         } else
-             res = 0;
diff --git a/textproc/libxml2/patches/patch-timsort.h b/textproc/libxml2/patches/patch-timsort.h
deleted file mode 100644
index 15e5d6bb871..00000000000
--- a/textproc/libxml2/patches/patch-timsort.h
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD$
-
-Cast argument (gcc says "unsigned int") to match %lu format.
-https://bugzilla.gnome.org/show_bug.cgi?id=766839
-
---- timsort.h.orig	2016-02-09 10:17:34.000000000 +0000
-+++ timsort.h
-@@ -323,7 +323,7 @@ static void TIM_SORT_RESIZE(TEMP_STORAGE
-     SORT_TYPE *tempstore = (SORT_TYPE *)realloc(store->storage, new_size * sizeof(SORT_TYPE));
-     if (tempstore == NULL)
-     {
--      fprintf(stderr, "Error allocating temporary storage for tim sort: need %lu bytes", sizeof(SORT_TYPE) * new_size);
-+      fprintf(stderr, "Error allocating temporary storage for tim sort: need %lu bytes", (unsigned long)(sizeof(SORT_TYPE) * new_size));
-       exit(1);
-     }
-     store->storage = tempstore;
diff --git a/textproc/libxml2/patches/patch-valid.c b/textproc/libxml2/patches/patch-valid.c
deleted file mode 100644
index 0096999861b..00000000000
--- a/textproc/libxml2/patches/patch-valid.c
+++ /dev/null
@@ -1,102 +0,0 @@
-$NetBSD: patch-valid.c,v 1.2 2017/06/21 00:23:24 tez Exp $
-
-Upstream commit by Daniel Veillard
-
-Fix NULL pointer deref in xmlDumpElementContent
-Can only be triggered in recovery mode.
-Fixes bug 758422 (CVE-2017-5969).
-
-
-xmlSnprintfElementContent failed to correctly check the available
-buffer space in two locations.
-Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
-From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
-
-
---- valid.c.orig	2017-06-21 00:07:08.204619100 +0000
-+++ valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
- 	    xmlBufferWriteCHAR(buf, content->name);
- 	    break;
- 	case XML_ELEMENT_CONTENT_SEQ:
--	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
--	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+	    if ((content->c1 != NULL) &&
-+	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- 		xmlDumpElementContent(buf, content->c1, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c1, 0);
-             xmlBufferWriteChar(buf, " , ");
--	    if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
--	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
--		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+	    if ((content->c2 != NULL) &&
-+	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
-+	         ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
-+		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- 		xmlDumpElementContent(buf, content->c2, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c2, 0);
- 	    break;
- 	case XML_ELEMENT_CONTENT_OR:
--	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
--	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-+	    if ((content->c1 != NULL) &&
-+	        ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
-+	         (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
- 		xmlDumpElementContent(buf, content->c1, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c1, 0);
-             xmlBufferWriteChar(buf, " | ");
--	    if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
--	        ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
--		 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
-+	    if ((content->c2 != NULL) &&
-+	        ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
-+	         ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
-+		  (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
- 		xmlDumpElementContent(buf, content->c2, 1);
- 	    else
- 		xmlDumpElementContent(buf, content->c2, 0);
-@@ -1262,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int
-         case XML_ELEMENT_CONTENT_PCDATA:
-             strcat(buf, "#PCDATA");
- 	    break;
--	case XML_ELEMENT_CONTENT_ELEMENT:
-+	case XML_ELEMENT_CONTENT_ELEMENT: {
-+            int qnameLen = xmlStrlen(content->name);
-+
-+	    if (content->prefix != NULL)
-+                qnameLen += xmlStrlen(content->prefix) + 1;
-+	    if (size - len < qnameLen + 10) {
-+		strcat(buf, " ...");
-+		return;
-+	    }
- 	    if (content->prefix != NULL) {
--		if (size - len < xmlStrlen(content->prefix) + 10) {
--		    strcat(buf, " ...");
--		    return;
--		}
- 		strcat(buf, (char *) content->prefix);
- 		strcat(buf, ":");
- 	    }
--	    if (size - len < xmlStrlen(content->name) + 10) {
--		strcat(buf, " ...");
--		return;
--	    }
- 	    if (content->name != NULL)
- 		strcat(buf, (char *) content->name);
- 	    break;
-+        }
- 	case XML_ELEMENT_CONTENT_SEQ:
- 	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- 	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-@@ -1319,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int
- 		xmlSnprintfElementContent(buf, size, content->c2, 0);
- 	    break;
-     }
-+    if (size - strlen(buf) <= 2) return;
-     if (englob)
-         strcat(buf, ")");
-     switch (content->ocur) {
diff --git a/textproc/libxml2/patches/patch-xmlIO.c b/textproc/libxml2/patches/patch-xmlIO.c
deleted file mode 100644
index 1ee175b79c1..00000000000
--- a/textproc/libxml2/patches/patch-xmlIO.c
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD$
-
-Since this is built with C90, and %zu isn't supported then, cast
-the size_t argument to unsigned long to match the format.
-https://bugzilla.gnome.org/show_bug.cgi?id=766839
-
---- xmlIO.c.orig	2016-05-23 07:25:25.000000000 +0000
-+++ xmlIO.c
-@@ -1674,7 +1674,7 @@ xmlZMemBuffExtend( xmlZMemBuffPtr buff, 
- 	xmlStrPrintf(msg, 500,
- 		    "xmlZMemBuffExtend:  %s %lu bytes.\n",
- 		    "Allocation failure extending output buffer to",
--		    new_size );
-+		    (unsigned long)new_size );
- 	xmlIOErr(XML_IO_WRITE, (const char *) msg);
-     }
- 
diff --git a/textproc/libxml2/patches/patch-xpath.c b/textproc/libxml2/patches/patch-xpath.c
deleted file mode 100644
index 2089e4abf72..00000000000
--- a/textproc/libxml2/patches/patch-xpath.c
+++ /dev/null
@@ -1,27 +0,0 @@
-$NetBSD: patch-xpath.c,v 1.1 2016/12/27 02:34:34 sevan Exp $
-
-CVE-2016-5131
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-
---- xpath.c.orig	2016-12-27 02:21:53.000000000 +0000
-+++ xpath.c
-@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserConte
- 		    lc = 1;
- 		    break;
- 		} else if ((NXT(len) == '(')) {
--		    /* Note Type or Function */
-+		    /* Node Type or Function */
- 		    if (xmlXPathIsNodeType(name)) {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
- 				"PathExpr: Type search\n");
- #endif
- 			lc = 1;
-+#ifdef LIBXML_XPTR_ENABLED
-+                    } else if (ctxt->xptr &&
-+                               xmlStrEqual(name, BAD_CAST "range-to")) {
-+                        lc = 1;
-+#endif
- 		    } else {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
diff --git a/textproc/libxml2/patches/patch-xpointer.c b/textproc/libxml2/patches/patch-xpointer.c
deleted file mode 100644
index 4da030f286e..00000000000
--- a/textproc/libxml2/patches/patch-xpointer.c
+++ /dev/null
@@ -1,102 +0,0 @@
-$NetBSD: patch-xpointer.c,v 1.4 2016/12/27 02:34:34 sevan Exp $
-
-CVE-2016-4658
-https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
-
-CVE-2016-5131
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-
---- xpointer.c.orig	2016-12-27 02:19:03.000000000 +0000
-+++ xpointer.c
-@@ -1295,8 +1295,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNode
-     ret->here = here;
-     ret->origin = origin;
- 
--    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
--	                 xmlXPtrRangeToFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
- 	                 xmlXPtrRangeFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
-@@ -2206,76 +2204,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParse
-  * @nargs:  the number of args
-  *
-  * Implement the range-to() XPointer function
-+ *
-+ * Obsolete. range-to is not a real function but a special type of location
-+ * step which is handled in xpath.c.
-  */
- void
--xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
--    xmlXPathObjectPtr range;
--    const xmlChar *cur;
--    xmlXPathObjectPtr res, obj;
--    xmlXPathObjectPtr tmp;
--    xmlLocationSetPtr newset = NULL;
--    xmlNodeSetPtr oldset;
--    int i;
--
--    if (ctxt == NULL) return;
--    CHECK_ARITY(1);
--    /*
--     * Save the expression pointer since we will have to evaluate
--     * it multiple times. Initialize the new set.
--     */
--    CHECK_TYPE(XPATH_NODESET);
--    obj = valuePop(ctxt);
--    oldset = obj->nodesetval;
--    ctxt->context->node = NULL;
--
--    cur = ctxt->cur;
--    newset = xmlXPtrLocationSetCreate(NULL);
--
--    for (i = 0; i < oldset->nodeNr; i++) {
--	ctxt->cur = cur;
--
--	/*
--	 * Run the evaluation with a node list made of a single item
--	 * in the nodeset.
--	 */
--	ctxt->context->node = oldset->nodeTab[i];
--	tmp = xmlXPathNewNodeSet(ctxt->context->node);
--	valuePush(ctxt, tmp);
--
--	xmlXPathEvalExpr(ctxt);
--	CHECK_ERROR;
--
--	/*
--	 * The result of the evaluation need to be tested to
--	 * decided whether the filter succeeded or not
--	 */
--	res = valuePop(ctxt);
--	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
--	if (range != NULL) {
--	    xmlXPtrLocationSetAdd(newset, range);
--	}
--
--	/*
--	 * Cleanup
--	 */
--	if (res != NULL)
--	    xmlXPathFreeObject(res);
--	if (ctxt->value == tmp) {
--	    res = valuePop(ctxt);
--	    xmlXPathFreeObject(res);
--	}
--
--	ctxt->context->node = NULL;
--    }
--
--    /*
--     * The result is used as the new evaluation set.
--     */
--    xmlXPathFreeObject(obj);
--    ctxt->context->node = NULL;
--    ctxt->context->contextSize = -1;
--    ctxt->context->proximityPosition = -1;
--    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
-+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
-+                       int nargs ATTRIBUTE_UNUSED) {
-+    XP_ERROR(XPATH_EXPR_ERROR);
- }
- 
- /**