authortez <tez@pkgsrc.org>2017-06-21 00:23:23 +0000
committertez <tez@pkgsrc.org>2017-06-21 00:23:23 +0000
commite30c7c081c35c9807ba3d85e1bfc86a90587bf50 (patch)
tree36bf1c8c52b99ecf2581a5a1ebfa6215ea29af87 /textproc/libxml2
parentd242fdbe8c7cf7efbda91a6d4bda7cbc652ab073 (diff)
downloadpkgsrc-e30c7c081c35c9807ba3d85e1bfc86a90587bf50.tar.gz
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations. Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74 There were two bugs where parameter-entity references could lead to an unexpected change of the input buffer in xmlParseNameComplex and xmlDictLookup being called with an invalid pointer. Percent sign in DTD Names ========================= This fixes bug 766956 initially reported by Wei Lei and independently by Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone involved. xmlParseNameComplex with XML_PARSE_OLD10 ======================================== This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). Thanks to Marcel Böhme and Thuan Pham for the report. Additional hardening ==================== A separate check was added in xmlParseNameComplex to validate the buffer size. From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
Diffstat (limited to 'textproc/libxml2')
-rw-r--r--textproc/libxml2/Makefile4
-rw-r--r--textproc/libxml2/distinfo5
-rw-r--r--textproc/libxml2/patches/patch-parser.c69
-rw-r--r--textproc/libxml2/patches/patch-valid.c53
4 files changed, 124 insertions, 7 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index e0a7b47d0d0..75d1a58eba8 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.144 2017/06/11 04:40:53 maya Exp $
+# $NetBSD: Makefile,v 1.145 2017/06/21 00:23:23 tez Exp $
.include "../../textproc/libxml2/Makefile.common"
-PKGREVISION= 3
+PKGREVISION= 4
COMMENT= XML parser library from the GNOME project
LICENSE= modified-bsd
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index 5fcd2e272f9..1f8a9d5fcd1 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.115 2017/06/11 04:40:53 maya Exp $
+$NetBSD: distinfo,v 1.116 2017/06/21 00:23:23 tez Exp $
SHA1 (libxml2-2.9.4.tar.gz) = 958ae70baf186263a4bd801a81dd5d682aedd1db
RMD160 (libxml2-2.9.4.tar.gz) = bb59656e0683d64a38a2f1a45ca9d918837e1e56
@@ -11,12 +11,13 @@ SHA1 (patch-ad) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
SHA1 (patch-parseInternals.c) = dc58145943a4fb6368d848c0155d144b1f9b676c
+SHA1 (patch-parser.c) = 23e39127bf65e721dd76d80b389c1ccacf8e5746
SHA1 (patch-result_XPath_xptr_vidbase) = f0ef1ac593cb25f96b7ffef93e0f214aa8fc6103
SHA1 (patch-runtest.c) = 759fcee959833b33d72e85108f7973859dcba1f6
SHA1 (patch-test_XPath_xptr_vidbase) = a9b497505f914924388145c6266aa517152f9da3
SHA1 (patch-testlimits.c) = 8cba18464b619469abbb8488fd950a32a567be7b
SHA1 (patch-timsort.h) = e09118e7c99d53f71c28fe4d54269c4801244959
-SHA1 (patch-valid.c) = e6ff3a9aed6b985fcc69d214efa953a90a055d6b
+SHA1 (patch-valid.c) = 9eda3633b3ea5269e0ef33fa0508de18e7a76def
SHA1 (patch-xmlIO.c) = 5efcc5e43a8b3139832ab69af6b5ab94e5a6ad59
SHA1 (patch-xpath.c) = ec94ab2116f99a08f51630dee6b9e7e25d2b5c00
SHA1 (patch-xpointer.c) = 8ca75f64b89369106c0d088ff7fd36b38005e032
diff --git a/textproc/libxml2/patches/patch-parser.c b/textproc/libxml2/patches/patch-parser.c
new file mode 100644
index 00000000000..88b70f85411
--- /dev/null
+++ b/textproc/libxml2/patches/patch-parser.c
@@ -0,0 +1,69 @@
+$NetBSD: patch-parser.c,v 1.3 2017/06/21 00:23:24 tez Exp $
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+
+From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
+
+
+--- parser.c.orig
++++ parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ ctxt->input->line++; ctxt->input->col = 1; \
+ } else ctxt->input->col++; \
+ ctxt->input->cur += l; \
+- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
+ } while (0)
+
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+- if (c == 0) {
+- count = 0;
+- GROW;
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(NULL);
+- c = CUR_CHAR(l);
+- }
+ }
+ }
+ if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
++ if (ctxt->input->cur - ctxt->input->base < len) {
++ /*
++ * There were a couple of bugs where PERefs lead to to a change
++ * of the buffer. Check the buffer size to avoid passing an invalid
++ * pointer to xmlDictLookup.
++ */
++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++ "unexpected change of input buffer");
++ return (NULL);
++ }
+ if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
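Review bot: The guard added as `if (ctxt->input->cur - ctxt->input->base < len)` still admits `cur - base == len`, yet the `\r\n` branch two lines later looks up the name from `ctxt->input->cur - (len + 1)`, which in that case points one byte before `base`. Whether that state is reachable after the PERef changes is not visible here, but the check exists precisely because the buffer may have been replaced under the parser, so the `\r\n` branch deserves its own bound before its `xmlDictLookup` call: `if (ctxt->input->cur - ctxt->input->base < len + 1) { xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "unexpected change of input buffer"); return(NULL); }`. The comment above the new check also has a doubled word, `lead to to a change`, which should read `lead to a change`. xmlParseNameComplex begins before this hunk, so the loop that accumulates `len` is only partly visible.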
diff --git a/textproc/libxml2/patches/patch-valid.c b/textproc/libxml2/patches/patch-valid.c
index d7a04e4778a..0096999861b 100644
--- a/textproc/libxml2/patches/patch-valid.c
+++ b/textproc/libxml2/patches/patch-valid.c
@@ -1,4 +1,4 @@
-$NetBSD: patch-valid.c,v 1.1 2017/06/11 04:40:53 maya Exp $
+$NetBSD: patch-valid.c,v 1.2 2017/06/21 00:23:24 tez Exp $
Upstream commit by Daniel Veillard
@@ -7,9 +7,15 @@ Can only be triggered in recovery mode.
Fixes bug 758422 (CVE-2017-5969).
---- valid.c.orig 2016-05-23 07:25:25.000000000 +0000
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
+
+
+--- valid.c.orig 2017-06-21 00:07:08.204619100 +0000
+++ valid.c
-@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf,
xmlBufferWriteCHAR(buf, content->name);
break;
case XML_ELEMENT_CONTENT_SEQ:
@@ -53,3 +59,44 @@ Fixes bug 758422 (CVE-2017-5969).
xmlDumpElementContent(buf, content->c2, 1);
else
xmlDumpElementContent(buf, content->c2, 0);
+@@ -1262,22 +1266,23 @@ xmlSnprintfElementContent(char *buf, int
+ case XML_ELEMENT_CONTENT_PCDATA:
+ strcat(buf, "#PCDATA");
+ break;
+- case XML_ELEMENT_CONTENT_ELEMENT:
++ case XML_ELEMENT_CONTENT_ELEMENT: {
++ int qnameLen = xmlStrlen(content->name);
++
++ if (content->prefix != NULL)
++ qnameLen += xmlStrlen(content->prefix) + 1;
++ if (size - len < qnameLen + 10) {
++ strcat(buf, " ...");
++ return;
++ }
+ if (content->prefix != NULL) {
+- if (size - len < xmlStrlen(content->prefix) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ strcat(buf, (char *) content->prefix);
+ strcat(buf, ":");
+ }
+- if (size - len < xmlStrlen(content->name) + 10) {
+- strcat(buf, " ...");
+- return;
+- }
+ if (content->name != NULL)
+ strcat(buf, (char *) content->name);
+ break;
++ }
+ case XML_ELEMENT_CONTENT_SEQ:
+ if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1324,7 @@ xmlSnprintfElementContent(char *buf, int
+ xmlSnprintfElementContent(buf, size, content->c2, 0);
+ break;
+ }
++ if (size - strlen(buf) <= 2) return;
+ if (englob)
+ strcat(buf, ")");
+ switch (content->ocur) {
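Review bot: The new trailing guard `if (size - strlen(buf) <= 2) return;` mixes the `int` parameter `size` with the `size_t` result of `strlen`, so the subtraction is carried out unsigned; should `strlen(buf)` ever exceed `size`, the difference wraps to a large value and the guard is bypassed instead of returning. Under the invariant that `buf` stays NUL-terminated within `size` this cannot happen, but the check is meant as a backstop for exactly such states, so a form that cannot wrap is preferable: `size_t used = strlen(buf); if (used >= (size_t) size || size - used <= 2) return;`. The element case relies on `len` computed before the switch, outside this hunk, whereas the trailing guard re-measures `buf` because the recursive `xmlSnprintfElementContent` calls above it may have appended to it; a one-line comment on the guard, e.g. `/* len is stale after the recursive calls above; re-measure */`, would spare the next reader the question. xmlSnprintfElementContent starts and ends outside this hunk.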