Diffstat (limited to 'textproc/libxml2/patches/patch-al')
-rw-r--r--textproc/libxml2/patches/patch-al35
1 files changed, 32 insertions, 3 deletions
diff --git a/textproc/libxml2/patches/patch-al b/textproc/libxml2/patches/patch-al
index 1e45675c7d1..6e6250b86c9 100644
--- a/textproc/libxml2/patches/patch-al
+++ b/textproc/libxml2/patches/patch-al
@@ -1,10 +1,39 @@
-$NetBSD: patch-al,v 1.1 2011/06/06 12:09:01 drochner Exp $
+$NetBSD: patch-al,v 1.2 2012/01/12 11:25:10 drochner Exp $
-from gnome git: Fix memory corruption
+-from gnome git: Fix some potential problems on reallocation failures
+-CVE-2011-3919
+-from gnome git: Fix memory corruption
--- parser.c.orig 2010-11-04 15:55:45.000000000 +0000
+++ parser.c
-@@ -6992,6 +6992,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
+@@ -1819,15 +1819,14 @@ namePush(xmlParserCtxtPtr ctxt, const xm
+
+ if (ctxt->nameNr >= ctxt->nameMax) {
+ const xmlChar * *tmp;
+- ctxt->nameMax *= 2;
+ tmp = (const xmlChar * *) xmlRealloc((xmlChar * *)ctxt->nameTab,
+- ctxt->nameMax *
++ ctxt->nameMax * 2 *
+ sizeof(ctxt->nameTab[0]));
+ if (tmp == NULL) {
+- ctxt->nameMax /= 2;
+ goto mem_error;
+ }
+ ctxt->nameTab = tmp;
++ ctxt->nameMax *= 2;
+ }
+ ctxt->nameTab[ctxt->nameNr] = value;
+ ctxt->name = value;
+@@ -2709,7 +2708,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
+
+ buffer[nbchars++] = '&';
+ if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
+- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+ }
+ for (;i > 0;i--)
+ buffer[nbchars++] = *cur++;
+@@ -6992,6 +6991,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
ent->owner = 1;
while (list != NULL) {
list->parent = (xmlNodePtr) ent;
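Review bot: In the nested namePush hunk, the new size expression `ctxt->nameMax * 2 * sizeof(ctxt->nameTab[0])` still doubles without any upper bound. If `nameMax` is a signed int (its declaration is not visible here), the `* 2` is evaluated before the promotion to size_t and can overflow for an extremely deep element stack. Moving the `ctxt->nameMax *= 2` after the successful xmlRealloc fixes the stale-size problem on failure, but a guard before the call, such as `if (ctxt->nameMax > INT_MAX / 2) goto mem_error;`, would close the arithmetic case as well. Separately, the patch header lists CVE-2011-3919 without saying which hunk carries it. It appears to be the `growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE)` change in xmlStringLenDecodeEntities, and a one-line comment saying so would help whoever audits this patch set later. All three nested hunks cut through function bodies that continue outside the visible lines, and the growBuffer macro itself is not shown.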