diffstat for libxml2_2.7.8.dfsg-5.1 libxml2_2.7.8.dfsg-5.1ubuntu4.17 HTMLparser.c | 95 ++- SAX2.c | 20 catalog.c | 2 debugXML.c | 4 dict.c | 89 ++- entities.c | 38 - error.c | 44 - hash.c | 41 + include/libxml/entities.h | 3 include/libxml/parser.h | 1 include/libxml/parserInternals.h | 2 include/libxml/tree.h | 4 include/libxml/xmlerror.h | 3 include/libxml/xmlstring.h | 8 libxml2-2.7.8.dfsg/config.guess | 49 + libxml2-2.7.8.dfsg/config.sub | 65 +- libxml2-2.7.8.dfsg/configure | 4 libxml2-2.7.8.dfsg/configure.in | 5 libxml2-2.7.8.dfsg/debian/changelog | 327 ++++++++++++ libxml2-2.7.8.dfsg/debian/compat | 2 libxml2-2.7.8.dfsg/debian/control | 24 libxml2-2.7.8.dfsg/debian/libxml2-dev.install | 8 libxml2-2.7.8.dfsg/debian/libxml2-udeb.install | 2 libxml2-2.7.8.dfsg/debian/libxml2.install | 2 libxml2-2.7.8.dfsg/debian/libxml2.symbols | 1 libxml2-2.7.8.dfsg/debian/rules | 10 libxml2-2.7.8.dfsg/encoding.c | 2 libxml2-2.7.8.dfsg/libxml.h | 6 libxml2-2.7.8.dfsg/parser.c | 629 ++++++++++++++++++++----- libxml2-2.7.8.dfsg/xmllint.c | 20 libxml2-2.7.8.dfsg/xpath.c | 13 libxml2-2.7.8.dfsg/xpointer.c | 242 ++------- parserInternals.c | 194 ++++--- relaxng.c | 8 result/errors/758588.xml.err | 9 result/errors/758588.xml.str | 10 result/errors/759020.xml.err | 6 result/errors/759020.xml.str | 7 result/errors/extparsedent.xml | 5 schematron.c | 2 test/errors/758588.xml | 1 test/errors/759020.xml | 46 + test/errors/extparsedent.xml | 5 testModule.c | 2 tree.c | 37 + valid.c | 8 xinclude.c | 4 xmlIO.c | 14 xmlreader.c | 35 + xmlregexp.c | 3 xmlsave.c | 8 xmlschemas.c | 105 ++-- xmlstring.c | 68 ++ xmlwriter.c | 4 54 files changed, 1693 insertions(+), 653 deletions(-) diff -u libxml2-2.7.8.dfsg/configure libxml2-2.7.8.dfsg/configure --- libxml2-2.7.8.dfsg/configure +++ libxml2-2.7.8.dfsg/configure 
@@ -13303,7 +13303,7 @@ CFLAGS="${CFLAGS} -fexceptions" fi - CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" + CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" case "${host}" in alpha*-*-linux* ) CFLAGS="${CFLAGS} -mieee" @@ -13685,7 +13685,7 @@ fi fi if test "${GCC}" = "yes" ; then - CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" + CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" fi STATIC_BINARIES="-static" else diff -u libxml2-2.7.8.dfsg/xmllint.c libxml2-2.7.8.dfsg/xmllint.c --- libxml2-2.7.8.dfsg/xmllint.c +++ libxml2-2.7.8.dfsg/xmllint.c @@ -447,7 +447,7 @@ * message about the timing performed; format is a printf * type argument */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) endTimer(const char *fmt, ...) { long msec; 
@@ -483,7 +483,7 @@ { begin = clock(); } -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) endTimer(const char *fmt, ...) { long msec; @@ -512,7 +512,7 @@ * Do nothing */ } -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) endTimer(char *format, ...) { /* @@ -631,7 +631,7 @@ * Display and format an error messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLError(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; @@ -668,7 +668,7 @@ * Display and format a warning messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLWarning(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; @@ -706,7 +706,7 @@ * Display and format an validity error messages, gives file, * line, position and extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLValidityError(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; @@ -743,7 +743,7 @@ * Display and format a validity warning messages, gives file, line, * position and extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLValidityWarning(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; @@ -1407,7 +1407,7 @@ * Display and format a warning messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) { va_list args; @@ -1430,7 +1430,7 @@ * Display and format a error messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) { va_list args; 
@@ -1453,7 +1453,7 @@ * Display and format a fatalError messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) { va_list args; diff -u libxml2-2.7.8.dfsg/parser.c libxml2-2.7.8.dfsg/parser.c --- libxml2-2.7.8.dfsg/parser.c +++ libxml2-2.7.8.dfsg/parser.c @@ -40,6 +40,7 @@ #endif #include +#include #include #include #include @@ -87,6 +88,8 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, const xmlChar *base, xmlParserCtxtPtr pctx); +static void xmlHaltParser(xmlParserCtxtPtr ctxt); + /************************************************************************ * * * Arbitrary limits set in the parser. See XML_PARSE_HUGE * 
@@ -114,16 +117,62 @@ * parser option. */ static int -xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, - xmlEntityPtr ent) +xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + xmlEntityPtr ent, size_t replacement) { - unsigned long consumed = 0; + size_t consumed = 0; if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); - if (size != 0) { + + /* + * This may look absurd but is needed to detect + * entities problems + */ + if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && + (ent->content != NULL) && (ent->checked == 0) && + (ctxt->errNo != XML_ERR_ENTITY_LOOP)) { + unsigned long oldnbent = ctxt->nbentities; + xmlChar *rep; + + ent->checked = 1; + + ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; + if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { + ent->content[0] = 0; + } + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { + if (xmlStrchr(rep, '<')) + ent->checked |= 1; + xmlFree(rep); + rep = NULL; + } + } + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); + + /* + * If the volume of entity copy reaches 10 times the + * amount of parsed data and over the large text threshold + * then that's very likely to be an abuse. + */ + if (ctxt->input != NULL) { + consumed = ctxt->input->consumed + + (ctxt->input->cur - ctxt->input->base); + } + consumed += ctxt->sizeentities; + + if (replacement < XML_PARSER_NON_LINEAR * consumed) + return(0); + } else if (size != 0) { /* * Do the check based on the replacement size of the entity */ @@ -146,7 +195,7 @@ /* * use the number of parsed entities in the replacement */ - size = ent->checked; + size = ent->checked / 2; /* * The amount of data parsed counting entities size only once 
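Review bot: In the block added to xmlParserEntityCheck, `ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;` packs two facts into one field without saying so, and stores the product with no upper bound. Bit 0 records that the replacement text contains a `<`, and the remaining bits hold twice the nested-entity count. The same expression is repeated in the -3877 and -6948 hunks, so every reader has to remember the matching `/ 2` and `& 1`. I would add a comment at this first site, for example `/* checked: bit 0 = content holds '<'; checked / 2 = entities expanded */`. If the field is an int (its declaration in entities.h is not in this chunk), I would also saturate the count held in a local before doubling, `if (diff > INT_MAX / 2) diff = INT_MAX / 2;`.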
@@ -165,11 +214,13 @@ return (0); } else { /* - * strange we got no data for checking just return + * strange we got no data for checking */ - return (0); + if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && + (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || + (ctxt->nbentities <= 10000)) + return (0); } - xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return (1); } @@ -484,7 +535,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg) { @@ -512,7 +563,7 @@ * * Handle a warning. */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { @@ -550,7 +601,7 @@ * * Handle a validity error. */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { @@ -590,7 +641,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, int val) { @@ -620,7 +671,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, int val, const xmlChar *str2) @@ -650,7 +701,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * val) { 
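Review bot: The literal in `(ctxt->nbentities <= 10000)` in the -165 hunk is an unnamed limit, while the previous hunk of the same function uses named ones (XML_PARSER_NON_LINEAR, XML_MAX_TEXT_LENGTH). The condition is also hard to read: it returns 0 unless the last error is an undeclared-entity error and the count exceeds the limit. I would give the value a name beside the other limits, e.g. `#define XML_PARSER_UNDECL_ENT_LIMIT 10000` (name constructed for this note). A comment should then state the intent: `/* only fail once undeclared-entity errors pile up past the limit */`. xmlParserEntityCheck starts outside this hunk.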
@@ -679,7 +730,7 @@ * * Handle a non fatal parser error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * val) { @@ -704,7 +755,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * info1, const xmlChar * info2, @@ -733,7 +784,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * info1, const xmlChar * info2, @@ -1696,7 +1747,7 @@ xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR, "Excessive depth in document: %d use XML_PARSE_HUGE option\n", xmlParserMaxDepth); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); return(-1); } ctxt->nodeTab[ctxt->nodeNr] = value; @@ -1992,6 +2043,12 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + if ((ctxt->input->cur > ctxt->input->end) || + (ctxt->input->cur < ctxt->input->base)) { + xmlHaltParser(ctxt); + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); + return; + } if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) xmlPopInput(ctxt); @@ -2135,6 +2192,8 @@ "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur); } ret = inputPush(ctxt, input); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); GROW; return(ret); } @@ -2171,6 +2230,8 @@ if (count++ > 20) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(0); } if ((RAW >= '0') && (RAW <= '9')) val = val * 16 + (CUR - '0'); @@ -2202,6 +2263,8 @@ if (count++ > 20) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(0); } if ((RAW >= '0') && (RAW <= '9')) val = val * 10 + (CUR - '0'); 
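Review bot: In the xmlGROW hunk (-1992) the parser is halted before the error is raised, `xmlHaltParser(ctxt);` then `xmlFatalErr(...)`. That is the reverse of the other halt sites in this diff: the -1696, -5333 and -6446 hunks report first and halt second. Neither helper is defined in this chunk, so this is an inference, but if halting disables SAX or resets the input, the "cur index out of bound" diagnostic may be lost or reported against the wrong position. That message is the one that signals a broken buffer invariant, so I would swap the two calls. The pre-existing `ctxt->input->cur != NULL` test also now follows comparisons that already used `cur`, so it no longer guards anything.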
@@ -2488,6 +2551,8 @@ NEXT; if ((ctxt->sax != NULL) && (ctxt->sax->getParameterEntity != NULL)) entity = ctxt->sax->getParameterEntity(ctxt->userData, name); + if (ctxt->instate == XML_PARSER_EOF) + return; if (entity == NULL) { /* @@ -2521,6 +2586,7 @@ name, NULL); ctxt->valid = 0; } + xmlParserEntityCheck(ctxt, 0, NULL, 0); } else if (ctxt->input->free != deallocblankswrapper) { input = xmlNewBlanksWrapperInputStream(ctxt, entity); if (xmlPushInput(ctxt, input) < 0) @@ -2532,6 +2598,23 @@ xmlCharEncoding enc; /* + * Note: external parameter entities will not be loaded, it + * is not required for a non-validating parser, unless the + * option of validating, or substituting entities were + * given. Doing so is far more secure as the parser will + * only process data coming from the document entity by + * default. + */ + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && + ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && + ((ctxt->options & XML_PARSE_DTDATTR) == 0) && + (ctxt->replaceEntities == 0) && + (ctxt->validate == 0)) + return; + + /* * handle the extra spaces added before and after * c.f. http://www.w3.org/TR/REC-xml#as-PE * this is done independently. @@ -2550,6 +2633,8 @@ * the amount of data in the buffer. */ GROW + if (ctxt->instate == XML_PARSER_EOF) + return; if ((ctxt->input->end - ctxt->input->cur)>=4) { start[0] = RAW; start[1] = NXT(1); 
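Review bot: The guard added in the -2532 hunk decides whether an external parameter entity is loaded by testing NOENT, DTDVALID, DTDLOAD, DTDATTR, `replaceEntities` and `validate`, but the two sibling guards added by this diff test different sets. The PE branch in the -2722 hunk checks only NOENT, DTDVALID and `ctxt->validate`, and the general-entity guard in the -6905 hunk checks only `XML_PARSE_NOENT | XML_PARSE_DTDVALID`. This is the policy that keeps the parser from fetching external content by default, so I would put it in one static predicate shared by all three sites, or comment each site on why its set differs. This site also returns silently, whereas the -2722 site emits an XML_ERR_ENTITY_PROCESSING warning, so a skipped entity leaves no trace here. The enclosing function starts and ends outside the hunk.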
@@ -2580,15 +2665,17 @@ /* * Macro used to grow the current buffer. + * buffer##_size is expected to be a size_t + * mem_error: is expected to handle memory allocation failures */ #define growBuffer(buffer, n) { \ xmlChar *tmp; \ - buffer##_size *= 2; \ - buffer##_size += n; \ - tmp = (xmlChar *) \ - xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ + size_t new_size = buffer##_size * 2 + n; \ + if (new_size < buffer##_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ if (tmp == NULL) goto mem_error; \ buffer = tmp; \ + buffer##_size = new_size; \ } /** @@ -2614,14 +2701,14 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, int what, xmlChar end, xmlChar end2, xmlChar end3) { xmlChar *buffer = NULL; - int buffer_size = 0; + size_t buffer_size = 0; + size_t nbchars = 0; xmlChar *current = NULL; xmlChar *rep = NULL; const xmlChar *last; xmlEntityPtr ent; int c,l; - int nbchars = 0; if ((ctxt == NULL) || (str == NULL) || (len < 0)) return(NULL); @@ -2638,7 +2725,7 @@ * allocate a translation buffer. */ buffer_size = XML_PARSER_BIG_BUFFER_SIZE; - buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); + buffer = (xmlChar *) xmlMallocAtomic(buffer_size); if (buffer == NULL) goto mem_error; /* @@ -2658,7 +2745,7 @@ if (val != 0) { COPY_BUF(0,buffer,nbchars,val); } - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) { 
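Review bot: The rewritten growBuffer macro uses its argument unparenthesized in `buffer##_size * 2 + n` and detects overflow only after the fact with `new_size < buffer##_size`, which is not exact for sizes near the top of the size_t range. Callers in this diff pass expressions such as `i + XML_PARSER_BUFFER_SIZE` and `i + 10`, where `i` appears to be a signed int (its declaration is outside the hunks). I would write `(n)` and test before computing: `if (buffer##_size > (((size_t) -1) - (size_t)(n)) / 2) goto mem_error;`. Wrapping the body in `do { ... } while (0)` would also keep `growBuffer(...);` safe under an unbraced `if`/`else`.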
@@ -2670,13 +2757,14 @@ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) goto int_error; + xmlParserEntityCheck(ctxt, 0, ent, 0); if (ent != NULL) - ctxt->nbentities += ent->checked; + ctxt->nbentities += ent->checked / 2; if ((ent != NULL) && (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { if (ent->content != NULL) { COPY_BUF(0,buffer,nbchars,ent->content[0]); - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else { @@ -2689,13 +2777,16 @@ 0, 0, 0); ctxt->depth--; + if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || + (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) + goto int_error; + if (rep != NULL) { current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -2708,8 +2799,8 @@ const xmlChar *cur = ent->name; buffer[nbchars++] = '&'; - if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); } for (;i > 0;i--) buffer[nbchars++] = *cur++; 
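Review bot: The result of the added `xmlParserEntityCheck(ctxt, 0, ent, 0);` in the `&` branch (-2670 hunk) is discarded, and the `lastError.code` test that would notice a failure sits just before the call. A check that trips here therefore does not stop the expansion at this point, and the predefined-entity path goes on to copy into the buffer. Unless the call is meant only for its side effect on `ent->checked`, I would write `if (xmlParserEntityCheck(ctxt, 0, ent, 0)) goto int_error;`. The same applies to the identical call in the `%` branch of the -2722 hunk. xmlStringLenDecodeEntities continues outside these hunks.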
@@ -2722,11 +2813,26 @@ ent = xmlParseStringPEReference(ctxt, &str); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) goto int_error; + xmlParserEntityCheck(ctxt, 0, ent, 0); if (ent != NULL) - ctxt->nbentities += ent->checked; + ctxt->nbentities += ent->checked / 2; if (ent != NULL) { if (ent->content == NULL) { - xmlLoadEntityContent(ctxt, ent); + /* + * Note: external parsed entities will not be loaded, + * it is not required for a non-validating parser to + * complete external PEreferences coming from the + * internal subset + */ + if (((ctxt->options & XML_PARSE_NOENT) != 0) || + ((ctxt->options & XML_PARSE_DTDVALID) != 0) || + (ctxt->validate != 0)) { + xmlLoadEntityContent(ctxt, ent); + } else { + xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING, + "not validating will not read content for PE entity %s\n", + ent->name, NULL); + } } ctxt->depth++; rep = xmlStringDecodeEntities(ctxt, ent->content, what, @@ -2736,9 +2842,8 @@ current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -2750,8 +2855,8 @@ } else { COPY_BUF(l,buffer,nbchars,c); str += l; - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } if (str < last) @@ -3168,6 +3273,8 @@ * Handler for more complex cases */ GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); c = CUR_CHAR(l); if ((ctxt->options & XML_PARSE_OLD10) == 0) { /* @@ -3219,6 +3326,8 @@ if (count++ > 100) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); } len += l; NEXTL(l); 
@@ -3243,6 +3352,8 @@ if (count++ > 100) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); } len += l; NEXTL(l); @@ -3336,6 +3447,8 @@ if (count++ > 100) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); } len += l; NEXTL(l); @@ -3416,6 +3529,8 @@ const xmlChar *ret; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); in = ctxt->input->cur; while (*in != 0 && *in == *cmp) { @@ -3543,6 +3658,8 @@ #endif GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); c = CUR_CHAR(l); while (xmlIsNameChar(ctxt, c)) { @@ -3571,6 +3688,10 @@ if (count++ > 100) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buffer); + return(NULL); + } } if (len + 10 > max) { xmlChar *tmp; @@ -3641,6 +3762,10 @@ ctxt->instate = XML_PARSER_ENTITY_VALUE; input = ctxt->input; GROW; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return(NULL); + } NEXT; c = CUR_CHAR(l); /* @@ -3652,8 +3777,8 @@ * In practice it means we stop the loop only when back at parsing * the initial entity and the quote is found */ - while ((IS_CHAR(c)) && ((c != stop) || /* checked */ - (ctxt->input != input))) { + while (((IS_CHAR(c)) && ((c != stop) || /* checked */ + (ctxt->input != input))) && (ctxt->instate != XML_PARSER_EOF)) { if (len + 5 >= size) { xmlChar *tmp; @@ -3682,6 +3807,10 @@ } } buf[len] = 0; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return(NULL); + } /* * Raise problem w.r.t. '&' and '%' being used in non-entities @@ -3727,14 +3856,16 @@ * an entity declaration, it is bypassed and left as is. * so XML_SUBSTITUTE_REF is not set here. */ + ++ctxt->depth; ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, 0, 0, 0); - if (orig != NULL) + --ctxt->depth; + if (orig != NULL) *orig = buf; else xmlFree(buf); } - + return(ret); } 
@@ -3755,8 +3886,8 @@ xmlChar limit = 0; xmlChar *buf = NULL; xmlChar *rep = NULL; - int len = 0; - int buf_size = 0; + size_t len = 0; + size_t buf_size = 0; int c, l, in_space = 0; xmlChar *current = NULL; xmlEntityPtr ent; @@ -3778,15 +3909,16 @@ * allocate a translation buffer. */ buf_size = XML_PARSER_BUFFER_SIZE; - buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); + buf = (xmlChar *) xmlMallocAtomic(buf_size); if (buf == NULL) goto mem_error; /* * OK loop until we reach one of the ending char or a size limit. */ c = CUR_CHAR(l); - while ((NXT(0) != limit) && /* checked */ - (IS_CHAR(c)) && (c != '<')) { + while (((NXT(0) != limit) && /* checked */ + (IS_CHAR(c)) && (c != '<')) && + (ctxt->instate != XML_PARSER_EOF)) { if (c == 0) break; if (c == '&') { in_space = 0; @@ -3795,7 +3927,7 @@ if (val == '&') { if (ctxt->replaceEntities) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@ -3804,7 +3936,7 @@ * The reparsing will be done in xmlStringGetNodeList() * called by the attribute() function in SAX.c */ - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@ -3814,7 +3946,7 @@ buf[len++] = ';'; } } else if (val != 0) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } len += xmlCopyChar(0, &buf[len], val); @@ -3826,7 +3958,7 @@ ctxt->nbentities += ent->owner; if ((ent != NULL) && (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if ((ctxt->replaceEntities == 0) && @@ -3842,9 +3974,11 @@ } else if ((ent != NULL) && (ctxt->replaceEntities != 0)) { if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; if (rep != NULL) { current = rep; while (*current != 0) { /* non input consuming */ 
@@ -3854,7 +3988,7 @@ current++; } else buf[len++] = *current++; - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3862,7 +3996,7 @@ rep = NULL; } } else { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if (ent->content != NULL) @@ -3877,10 +4011,18 @@ * entities problems */ if ((ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && - (ent->content != NULL)) { + (ent->content != NULL) && (ent->checked == 0)) { + unsigned long oldnbent = ctxt->nbentities; + + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; if (rep != NULL) { + if (xmlStrchr(rep, '<')) + ent->checked |= 1; xmlFree(rep); rep = NULL; } @@ -3890,7 +4032,7 @@ * Just output the reference */ buf[len++] = '&'; - while (len > buf_size - i - 10) { + while (len + i + 10 > buf_size) { growBuffer(buf, i + 10); } for (;i > 0;i--) @@ -3903,7 +4045,7 @@ if ((len != 0) || (!normalize)) { if ((!normalize) || (!in_space)) { COPY_BUF(l,buf,len,0x20); - while (len > buf_size - 10) { + while (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3912,7 +4054,7 @@ } else { in_space = 0; COPY_BUF(l,buf,len,c); - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@ -3921,8 +4063,11 @@ GROW; c = CUR_CHAR(l); } + if (ctxt->instate == XML_PARSER_EOF) + goto error; + if ((in_space) && (normalize)) { - while (buf[len - 1] == 0x20) len--; + while ((len > 0) && (buf[len - 1] == 0x20)) len--; } buf[len] = 0; if (RAW == '<') { 
@@ -3937,11 +4082,23 @@ } } else NEXT; - if (attlen != NULL) *attlen = len; + + /* + * There we potentially risk an overflow, don't allow attribute value of + * lenght more than INT_MAX it is a very reasonnable assumption ! + */ + if (len >= INT_MAX) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue lenght too long\n"); + goto mem_error; + } + + if (attlen != NULL) *attlen = (int) len; return(buf); mem_error: xmlErrMemory(ctxt, NULL); +error: if (buf != NULL) xmlFree(buf); if (rep != NULL) @@ -4047,6 +4204,10 @@ if (count > 50) { GROW; count = 0; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return(NULL); + } } COPY_BUF(l,buf,len,cur); NEXTL(l); @@ -4124,6 +4285,10 @@ if (count > 50) { GROW; count = 0; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return(NULL); + } } NEXT; cur = CUR; @@ -4330,6 +4495,8 @@ } SHRINK; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return; in = ctxt->input->cur; } while (((*in >= 0x20) && (*in <= 0x7F)) || (*in == 0x09)); nbchar = 0; @@ -4398,6 +4565,8 @@ if (count > 50) { GROW; count = 0; + if (ctxt->instate == XML_PARSER_EOF) + return; } NEXTL(l); cur = CUR_CHAR(l); @@ -4598,6 +4767,10 @@ if (count > 50) { GROW; count = 0; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return; + } } NEXTL(l); cur = CUR_CHAR(l); @@ -4748,6 +4921,10 @@ } SHRINK; GROW; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return; + } in = ctxt->input->cur; if (*in == '-') { if (in[1] == '-') { @@ -4766,7 +4943,8 @@ } if (buf != NULL) xmlFree(buf); - ctxt->instate = state; + if (ctxt->instate != XML_PARSER_EOF) + ctxt->instate = state; return; } if (buf != NULL) @@ -4984,6 +5162,10 @@ count++; if (count > 50) { GROW; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return; + } count = 0; } COPY_BUF(l,buf,len,cur); 
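Review bot: The length check added in the -3937 hunk exits through `goto mem_error`, so an over-long attribute value is reported twice. It is raised once as XML_ERR_ATTRIBUTE_NOT_FINISHED and again by `xmlErrMemory(ctxt, NULL)` as an allocation failure that did not occur. The `error:` label this same hunk adds just below fits this case, so use `goto error;`. The comment and the user-visible string also misspell "length" and "reasonable"; `"AttValue length too long\n"` is worth fixing before the message ends up in logs and test baselines.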
@@ -5156,7 +5338,7 @@ skipped = SKIP_BLANKS; if (skipped == 0) { xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, - "Space required after '%'\n"); + "Space required after '%%'\n"); } isParameter = 1; } @@ -5333,10 +5515,13 @@ } } } + if (ctxt->instate == XML_PARSER_EOF) + return; SKIP_BLANKS; if (RAW != '>') { xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, "xmlParseEntityDecl: entity %s not terminated\n", name); + xmlHaltParser(ctxt); } else { if (input != ctxt->input) { xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -5724,7 +5909,7 @@ } SKIP_BLANKS; GROW; - while (RAW != '>') { + while ((RAW != '>') && (ctxt->instate != XML_PARSER_EOF)) { const xmlChar *check = CUR_PTR; int type; int def; @@ -5873,7 +6058,7 @@ ret = cur = xmlNewDocElementContent(ctxt->myDoc, NULL, XML_ELEMENT_CONTENT_PCDATA); if (ret == NULL) return(NULL); } - while (RAW == '|') { + while ((RAW == '|') && (ctxt->instate != XML_PARSER_EOF)) { NEXT; if (elem == NULL) { ret = xmlNewDocElementContent(ctxt->myDoc, NULL, XML_ELEMENT_CONTENT_OR); @@ -6017,7 +6202,7 @@ } SKIP_BLANKS; SHRINK; - while (RAW != ')') { + while ((RAW != ')') && (ctxt->instate != XML_PARSER_EOF)) { /* * Each loop we parse one separator and one element. */ @@ -6296,6 +6481,8 @@ } NEXT; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(-1); SKIP_BLANKS; if (CMP7(CUR_PTR, '#', 'P', 'C', 'D', 'A', 'T', 'A')) { tree = xmlParseElementMixedContentDecl(ctxt, inputid); @@ -6336,6 +6523,7 @@ if (!IS_BLANK_CH(CUR)) { xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Space required after 'ELEMENT'\n"); + return(-1); } SKIP_BLANKS; name = xmlParseName(ctxt); @@ -6446,6 +6634,8 @@ SKIP_BLANKS; if (RAW != '[') { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); + xmlHaltParser(ctxt); + return; } else { if (ctxt->input->id != id) { xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, 
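Review bot: The added `if (ctxt->instate == XML_PARSER_EOF) return;` ahead of `SKIP_BLANKS` in the -5333 hunk of xmlParseEntityDecl leaves the function without going through whatever cleanup follows. By this point the entity's value and identifiers have been parsed; their storage and the release code are outside the hunk, so this is inferred, but if any are heap strings the bare return leaks them on every halted parse. Other EOF exits added by this diff release their buffer first (`xmlFree(buf); return;`). I would route this one to the function's existing cleanup path instead of returning directly.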
@@ -6463,8 +6653,8 @@ "Entering INCLUDE Conditional Section\n"); } - while ((RAW != 0) && ((RAW != ']') || (NXT(1) != ']') || - (NXT(2) != '>'))) { + while (((RAW != 0) && ((RAW != ']') || (NXT(1) != ']') || + (NXT(2) != '>'))) && (ctxt->instate != XML_PARSER_EOF)) { const xmlChar *check = CUR_PTR; unsigned int cons = ctxt->input->consumed; @@ -6485,6 +6675,7 @@ if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) { xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL); + xmlHaltParser(ctxt); break; } } @@ -6506,6 +6697,8 @@ SKIP_BLANKS; if (RAW != '[') { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); + xmlHaltParser(ctxt); + return; } else { if (ctxt->input->id != id) { xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -6532,7 +6725,8 @@ if (ctxt->recovery == 0) ctxt->disableSAX = 1; ctxt->instate = XML_PARSER_IGNORE; - while ((depth >= 0) && (RAW != 0)) { + while (((depth >= 0) && (RAW != 0)) && + (ctxt->instate != XML_PARSER_EOF)) { if ((RAW == '<') && (NXT(1) == '!') && (NXT(2) == '[')) { depth++; SKIP(3); @@ -6560,6 +6754,8 @@ } else { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); + xmlHaltParser(ctxt); + return; } if (RAW == 0) @@ -6573,7 +6769,9 @@ "All markup of the conditional section is not in the same entity\n", NULL, NULL); } - SKIP(3); + if ((ctxt-> instate != XML_PARSER_EOF) && + ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); } } @@ -6628,6 +6826,14 @@ xmlParsePI(ctxt); } } + + /* + * detect requirement to exit there and act accordingly + * and avoid having instate overriden later on + */ + if (ctxt->instate == XML_PARSER_EOF) + return; + /* * This is only for internal subset. On external entities, * the replacement is done before parsing stage @@ -6759,7 +6965,7 @@ /* * The XML REC instructs us to stop parsing right here */ - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); return; } } @@ -6803,7 +7009,7 @@ break; } } - + if (RAW != 0) { xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL); } 
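Review bot: The guard added before `SKIP(3)` in the -6573 hunk forms `ctxt->input->cur + 3` before comparing it with `end`. When fewer than three bytes remain, that pointer can lie beyond one past the end of the buffer, which is undefined behaviour in C even though it is never dereferenced. Compare the remaining length instead: `((ctxt->input->end - ctxt->input->cur) >= 3)`. `ctxt-> instate` also has a stray space. The enclosing function starts outside the hunk.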
@@ -6905,8 +7111,15 @@ * The first reference to the entity trigger a parsing phase * where the ent->children is filled with the result from * the parsing. + * Note: external parsed entities will not be loaded, it is not + * required for a non-validating parser, unless the parsing option + * of validating, or substituting entities were given. Doing so is + * far more secure as the parser will only process data coming from + * the document entity by default. */ - if (ent->checked == 0) { + if ((ent->checked == 0) && + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { unsigned long oldnbent = ctxt->nbentities; /* @@ -6948,13 +7161,15 @@ * Store the number of entities needing parsing for this entity * content and do checkings */ - ent->checked = ctxt->nbentities - oldnbent; + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if ((ent->content != NULL) && (xmlStrchr(ent->content, '<'))) + ent->checked |= 1; if (ret == XML_ERR_ENTITY_LOOP) { xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); xmlFreeNodeList(list); return; } - if (xmlParserEntityCheck(ctxt, 0, ent)) { + if (xmlParserEntityCheck(ctxt, 0, ent, 0)) { xmlFreeNodeList(list); return; } @@ -7007,14 +7222,15 @@ (ret != XML_WAR_UNDECLARED_ENTITY)) { xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, "Entity '%s' failed to parse\n", ent->name); + xmlParserEntityCheck(ctxt, 0, ent, 0); } else if (list != NULL) { xmlFreeNodeList(list); list = NULL; } if (ent->checked == 0) - ent->checked = 1; + ent->checked = 2; } else if (ent->checked != 1) { - ctxt->nbentities += ent->checked; + ctxt->nbentities += ent->checked / 2; } /* 
@@ -7113,6 +7329,13 @@ xmlNodePtr nw = NULL, cur, firstChild = NULL; /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + + /* * when operating on a reader, the entities definitions * are always owning the entities subtree. if (ctxt->parseMode == XML_PARSE_READER) @@ -7152,6 +7375,14 @@ } else if (list == NULL) { xmlNodePtr nw = NULL, cur, next, last, firstChild = NULL; + + /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length + 5; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + /* * Copy the entity child list and make it the new * entity child list. The goal is to make sure any @@ -7249,6 +7480,8 @@ xmlEntityPtr ent = NULL; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); if (RAW != '&') return(NULL); @@ -7294,6 +7527,8 @@ ent = xmlSAX2GetEntity(ctxt, name); } } + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); /* * [ WFC: Entity Declared ] * In a document without any DTD, a document with only an @@ -7330,6 +7565,7 @@ ctxt->sax->reference(ctxt->userData, name); } } + xmlParserEntityCheck(ctxt, 0, ent, 0); ctxt->valid = 0; } @@ -7360,11 +7596,13 @@ * not contain a <. */ else if ((ctxt->instate == XML_PARSER_ATTRIBUTE_VALUE) && - (ent != NULL) && (ent->content != NULL) && - (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && - (xmlStrchr(ent->content, '<'))) { - xmlFatalErrMsgStr(ctxt, XML_ERR_LT_IN_ATTRIBUTE, - "'<' in entity '%s' is not allowed in attributes values\n", name); + (ent != NULL) && + (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) { + if ((ent->checked & 1) || ((ent->checked == 0) && + (ent->content != NULL) &&(xmlStrchr(ent->content, '<')))) { + xmlFatalErrMsgStr(ctxt, XML_ERR_LT_IN_ATTRIBUTE, + "'<' in entity '%s' is not allowed in attributes values\n", name); + } } /* 
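Review bot: Both copy branches (-7113 and -7152) add `ent->length + 5` to `ctxt->sizeentcopy` without explaining the `5`, and nothing in this chunk shows where the counter is reset, so the scope of the limit is unclear. I would add a comment such as `/* +5: fixed per-reference cost so empty entities still count */`, if that is the intent, and say where sizeentcopy is cleared, so the amplification bound can be audited. The two blocks are identical and could be one static helper. Each also returns early from a function whose cleanup, if any, lies outside the hunk.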
@@ -7484,6 +7722,10 @@ ent = xmlSAX2GetEntity(ctxt, name); } } + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(name); + return(NULL); + } /* * [ WFC: Entity Declared ] @@ -7517,6 +7759,7 @@ "Entity '%s' not defined\n", name); } + xmlParserEntityCheck(ctxt, 0, ent, 0); /* TODO ? check regressions ctxt->valid = 0; */ } @@ -7645,8 +7888,9 @@ */ if ((ctxt->sax != NULL) && (ctxt->sax->getParameterEntity != NULL)) - entity = ctxt->sax->getParameterEntity(ctxt->userData, - name); + entity = ctxt->sax->getParameterEntity(ctxt->userData, name); + if (ctxt->instate == XML_PARSER_EOF) + return; if (entity == NULL) { /* * [ WFC: Entity Declared ] @@ -7675,6 +7919,7 @@ name, NULL); ctxt->valid = 0; } + xmlParserEntityCheck(ctxt, 0, NULL, 0); } else { /* * Internal checking in case the entity quest barfed @@ -7707,7 +7952,7 @@ * The XML REC instructs us to stop parsing * right here */ - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); return; } } @@ -7779,6 +8024,10 @@ if (count++ > 100) { count = 0; GROW; + if (ctxt->instate == XML_PARSER_EOF) { + xmlBufferFree(buf); + return(-1); + } } NEXTL(l); c = CUR_CHAR(l); @@ -7870,8 +8119,11 @@ */ if ((ctxt->sax != NULL) && (ctxt->sax->getParameterEntity != NULL)) - entity = ctxt->sax->getParameterEntity(ctxt->userData, - name); + entity = ctxt->sax->getParameterEntity(ctxt->userData, name); + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(name); + return(NULL); + } if (entity == NULL) { /* * [ WFC: Entity Declared ] @@ -7898,6 +8150,7 @@ name, NULL); ctxt->valid = 0; } + xmlParserEntityCheck(ctxt, 0, NULL, 0); } else { /* * Internal checking in case the entity quest barfed @@ -7973,6 +8226,8 @@ if ((ctxt->sax != NULL) && (ctxt->sax->internalSubset != NULL) && (!ctxt->disableSAX)) ctxt->sax->internalSubset(ctxt->userData, name, ExternalID, URI); + if (ctxt->instate == XML_PARSER_EOF) + return; /* * Is there any internal subset declarations ? 
@@ -8012,7 +8267,7 @@ * PEReferences. * Subsequence (markupdecl | PEReference | S)* */ - while (RAW != ']') { + while ((RAW != ']') && (ctxt->instate != XML_PARSER_EOF)) { const xmlChar *check = CUR_PTR; unsigned int cons = ctxt->input->consumed; @@ -8043,6 +8298,7 @@ */ if (RAW != '>') { xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL); + return; } NEXT; } @@ -8198,9 +8454,9 @@ SKIP_BLANKS; GROW; - while ((RAW != '>') && + while (((RAW != '>') && ((RAW != '/') || (NXT(1) != '>')) && - (IS_BYTE_CHAR(RAW))) { + (IS_BYTE_CHAR(RAW))) && (ctxt->instate != XML_PARSER_EOF)) { const xmlChar *q = CUR_PTR; unsigned int cons = ctxt->input->consumed; @@ -8624,6 +8880,8 @@ if (in >= end) { const xmlChar *oldbase = ctxt->input->base; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); if (oldbase != ctxt->input->base) { long delta = ctxt->input->base - oldbase; start = start + delta; @@ -8638,6 +8896,8 @@ if (in >= end) { const xmlChar *oldbase = ctxt->input->base; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); if (oldbase != ctxt->input->base) { long delta = ctxt->input->base - oldbase; start = start + delta; @@ -8658,6 +8918,8 @@ if (in >= end) { const xmlChar *oldbase = ctxt->input->base; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); if (oldbase != ctxt->input->base) { long delta = ctxt->input->base - oldbase; start = start + delta; @@ -8675,6 +8937,8 @@ if (in >= end) { const xmlChar *oldbase = ctxt->input->base; GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); if (oldbase != ctxt->input->base) { long delta = ctxt->input->base - oldbase; start = start + delta; @@ -8860,7 +9124,7 @@ const xmlChar **atts = ctxt->atts; int maxatts = ctxt->maxatts; int nratts, nbatts, nbdef; - int i, j, nbNs, attval, oldline, oldcol; + int i, j, nbNs, attval, oldline, oldcol, inputNr; const xmlChar *base; unsigned long cur; int nsNr = ctxt->nsNr; 
@@ -8879,6 +9143,7 @@ SHRINK; base = ctxt->input->base; cur = ctxt->input->cur - ctxt->input->base; + inputNr = ctxt->inputNr; oldline = ctxt->input->line; oldcol = ctxt->input->col; nbatts = 0; @@ -8904,18 +9169,19 @@ */ SKIP_BLANKS; GROW; - if (ctxt->input->base != base) goto base_changed; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; - while ((RAW != '>') && + while (((RAW != '>') && ((RAW != '/') || (NXT(1) != '>')) && - (IS_BYTE_CHAR(RAW))) { + (IS_BYTE_CHAR(RAW))) && (ctxt->instate != XML_PARSER_EOF)) { const xmlChar *q = CUR_PTR; unsigned int cons = ctxt->input->consumed; int len = -1, alloc = 0; attname = xmlParseAttribute2(ctxt, prefix, localname, &aprefix, &attvalue, &len, &alloc); - if (ctxt->input->base != base) { + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { if ((attvalue != NULL) && (alloc != 0)) xmlFree(attvalue); attvalue = NULL; @@ -8969,8 +9235,13 @@ else if (nsPush(ctxt, NULL, URL) > 0) nbNs++; skip_default_ns: - if (alloc != 0) xmlFree(attvalue); + if ((attvalue != NULL) && (alloc != 0)) { + xmlFree(attvalue); + attvalue = NULL; + } SKIP_BLANKS; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; continue; } if (aprefix == ctxt->str_xmlns) { @@ -9042,9 +9313,13 @@ else if (nsPush(ctxt, attname, URL) > 0) nbNs++; skip_ns: - if (alloc != 0) xmlFree(attvalue); + if ((attvalue != NULL) && (alloc != 0)) { + xmlFree(attvalue); + attvalue = NULL; + } SKIP_BLANKS; - if (ctxt->input->base != base) goto base_changed; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; continue; } @@ -9079,7 +9354,10 @@ failed: GROW - if (ctxt->input->base != base) goto base_changed; + if (ctxt->instate == XML_PARSER_EOF) + break; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) break; if (!IS_BLANK_CH(RAW)) { 
@@ -9095,7 +9373,8 @@ break; } GROW; - if (ctxt->input->base != base) goto base_changed; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; } /* @@ -9262,6 +9541,17 @@ if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) xmlFree((xmlChar *) atts[i]); } + + /* + * We can't switch from one entity to another in the middle + * of a start tag + */ + if (inputNr != ctxt->inputNr) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, + "Start tag doesn't start and stop in the same entity\n"); + return(NULL); + } + ctxt->input->cur = ctxt->input->base + cur; ctxt->input->line = oldline; ctxt->input->col = oldcol; @@ -9290,6 +9580,7 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, const xmlChar *URI, int line, int nsNr, int tlen) { const xmlChar *name; + size_t curLength; GROW; if ((RAW != '<') || (NXT(1) != '/')) { @@ -9298,8 +9589,11 @@ } SKIP(2); - if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { - if (ctxt->input->cur[tlen] == '>') { + curLength = ctxt->input->end - ctxt->input->cur; + if ((tlen > 0) && (curLength >= (size_t)tlen) && + (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { + if ((curLength >= (size_t)(tlen + 1)) && + (ctxt->input->cur[tlen] == '>')) { ctxt->input->cur += tlen + 1; goto done; } @@ -9316,6 +9610,8 @@ * We should definitely be at the ending "S? '>'" part */ GROW; + if (ctxt->instate == XML_PARSER_EOF) + return; SKIP_BLANKS; if ((!IS_BYTE_CHAR(RAW)) || (RAW != '>')) { xmlFatalErr(ctxt, XML_ERR_GT_REQUIRED, NULL); @@ -9424,6 +9720,10 @@ count++; if (count > 50) { GROW; + if (ctxt->instate == XML_PARSER_EOF) { + xmlFree(buf); + return; + } count = 0; } NEXTL(l); @@ -9528,7 +9828,7 @@ if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) { xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "detected an error in element content\n"); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); break; } } 
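Review bot: In the `@@ -9298,8 +9589,11 @@` hunk `curLength` is the pointer difference `ctxt->input->end - ctxt->input->cur` stored in a `size_t`, so if `cur` were ever past `end` the value would wrap to a very large number and both new length checks would pass. Whether that state is reachable after `SKIP(2)` cannot be told from the hunk, but the guard is cheap: `curLength = (ctxt->input->end > ctxt->input->cur) ? (size_t)(ctxt->input->end - ctxt->input->cur) : 0;`. With that, the `xmlStrncmp` and the `cur[tlen]` read stay bounded even when the input pointers are inconsistent. The rest of `xmlParseEndTag2` lies outside the hunk.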
@@ -9563,7 +9863,7 @@ xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR, "Excessive depth in document: %d use XML_PARSE_HUGE option\n", xmlParserMaxDepth); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); return; } @@ -9672,6 +9972,8 @@ * Parse the content of the element: */ xmlParseContent(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + return; if (!IS_BYTE_CHAR(RAW)) { xmlFatalErrMsgStrIntStr(ctxt, XML_ERR_TAG_NOT_FINISHED, "Premature end of data in tag %s line %d\n", @@ -9913,6 +10215,8 @@ encoding = xmlParseEncName(ctxt); if (RAW != '"') { xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); + xmlFree((xmlChar *) encoding); + return(NULL); } else NEXT; } else if (RAW == '\''){ @@ -9920,6 +10224,8 @@ encoding = xmlParseEncName(ctxt); if (RAW != '\'') { xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); + xmlFree((xmlChar *) encoding); + return(NULL); } else NEXT; } else { @@ -9967,7 +10273,11 @@ handler = xmlFindCharEncodingHandler((const char *) encoding); if (handler != NULL) { - xmlSwitchToEncoding(ctxt, handler); + if (xmlSwitchToEncoding(ctxt, handler) < 0) { + /* failed to convert */ + ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; + return(NULL); + } } else { xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, "Unsupported encoding %s\n", encoding); @@ -10136,7 +10446,8 @@ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); } xmlParseEncodingDecl(ctxt); - if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { + if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || + (ctxt->instate == XML_PARSER_EOF)) { /* * The XML REC instructs us to stop parsing right here */ 
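Review bot: When `xmlSwitchToEncoding` fails in the `@@ -9967,7 +10273,11 @@` hunk, the new branch only assigns `ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING` and returns, whereas the `else` branch directly below reports the same code through `xmlFatalErrMsgStr`. Unless `xmlSwitchToEncoding` raises an error itself (not visible here), the failure reaches no error handler and a caller learns of it only by inspecting `errNo`. Reporting it the same way keeps the two paths consistent: `xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, "Unsupported encoding %s\n", encoding);` placed before the `return(NULL);`. The function body continues outside the hunk.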
@@ -10187,9 +10498,10 @@ void xmlParseMisc(xmlParserCtxtPtr ctxt) { - while (((RAW == '<') && (NXT(1) == '?')) || - (CMP4(CUR_PTR, '<', '!', '-', '-')) || - IS_BLANK_CH(CUR)) { + while ((ctxt->instate != XML_PARSER_EOF) && + (((RAW == '<') && (NXT(1) == '?')) || + (CMP4(CUR_PTR, '<', '!', '-', '-')) || + IS_BLANK_CH(CUR))) { if ((RAW == '<') && (NXT(1) == '?')) { xmlParsePI(ctxt); } else if (IS_BLANK_CH(CUR)) { @@ -10236,6 +10548,8 @@ */ if ((ctxt->sax) && (ctxt->sax->setDocumentLocator)) ctxt->sax->setDocumentLocator(ctxt->userData, &xmlDefaultSAXLocator); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); if ((ctxt->encoding == NULL) && ((ctxt->input->end - ctxt->input->cur) >= 4)) { @@ -10257,6 +10571,7 @@ if (CUR == 0) { xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); + return(-1); } /* @@ -10274,7 +10589,8 @@ * Note that we will switch encoding on the fly. */ xmlParseXMLDecl(ctxt); - if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { + if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || + (ctxt->instate == XML_PARSER_EOF)) { /* * The XML REC instructs us to stop parsing right here */ @@ -10287,6 +10603,8 @@ } if ((ctxt->sax) && (ctxt->sax->startDocument) && (!ctxt->disableSAX)) ctxt->sax->startDocument(ctxt->userData); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); /* * The Misc part of the Prolog @@ -10306,6 +10624,8 @@ if (RAW == '[') { ctxt->instate = XML_PARSER_DTD; xmlParseInternalSubset(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); } /* @@ -10316,6 +10636,8 @@ (!ctxt->disableSAX)) ctxt->sax->externalSubset(ctxt->userData, ctxt->intSubName, ctxt->extSubSystem, ctxt->extSubURI); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); ctxt->inSubset = 0; xmlCleanSpecialAttr(ctxt); @@ -10456,6 +10778,8 @@ } if ((ctxt->sax) && (ctxt->sax->startDocument) && (!ctxt->disableSAX)) ctxt->sax->startDocument(ctxt->userData); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); /* * Doing validity checking on chunk doesn't make sense 
@@ -10467,6 +10791,9 @@ xmlParseContent(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + return(-1); + if ((RAW == '<') && (NXT(1) == '/')) { xmlFatalErr(ctxt, XML_ERR_NOT_WELL_BALANCED, NULL); } else if (RAW != 0) { @@ -10773,7 +11100,7 @@ } xmlParseGetLasts(ctxt, &lastlt, &lastgt); - while (1) { + while (ctxt->instate != XML_PARSER_EOF) { if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1)) return(0); @@ -10854,7 +11181,7 @@ ctxt->sax->setDocumentLocator(ctxt->userData, &xmlDefaultSAXLocator); xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); #ifdef DEBUG_PUSH xmlGenericError(xmlGenericErrorContext, "PP: entering EOF\n"); @@ -10887,7 +11214,7 @@ * The XML REC instructs us to stop parsing right * here */ - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); return(0); } ctxt->standalone = ctxt->input->standalone; @@ -10943,7 +11270,7 @@ cur = ctxt->input->cur[0]; if (cur != '<') { xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); if ((ctxt->sax) && (ctxt->sax->endDocument != NULL)) ctxt->sax->endDocument(ctxt->userData); goto done; @@ -10975,7 +11302,7 @@ goto done; if (name == NULL) { spacePop(ctxt); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); if ((ctxt->sax) && (ctxt->sax->endDocument != NULL)) ctxt->sax->endDocument(ctxt->userData); goto done; @@ -11013,6 +11340,8 @@ ctxt->sax->endElement(ctxt->userData, name); #endif /* LIBXML_SAX1_ENABLED */ } + if (ctxt->instate == XML_PARSER_EOF) + goto done; spacePop(ctxt); if (ctxt->nameNr == 0) { ctxt->instate = XML_PARSER_EPILOG; @@ -11131,7 +11460,7 @@ if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) { xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "detected an error in element content\n"); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); break; } break; 
@@ -11194,6 +11523,8 @@ ctxt->sax->characters(ctxt->userData, ctxt->input->cur, tmp); } + if (ctxt->instate == XML_PARSER_EOF) + goto done; SKIPL(tmp); ctxt->checkIndex = 0; } @@ -11229,6 +11560,8 @@ ctxt->sax->characters(ctxt->userData, ctxt->input->cur, base); } + if (ctxt->instate == XML_PARSER_EOF) + goto done; SKIPL(base + 3); ctxt->checkIndex = 0; ctxt->instate = XML_PARSER_CONTENT; @@ -11260,6 +11593,8 @@ "PP: Parsing PI\n"); #endif xmlParsePI(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; ctxt->checkIndex = 0; } else if ((cur == '<') && (next == '!') && (ctxt->input->cur[2] == '-') && @@ -11272,6 +11607,8 @@ "PP: Parsing Comment\n"); #endif xmlParseComment(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; ctxt->instate = XML_PARSER_MISC; ctxt->checkIndex = 0; } else if ((cur == '<') && (next == '!') && @@ -11291,6 +11628,8 @@ #endif ctxt->inSubset = 1; xmlParseDocTypeDecl(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; if (RAW == '[') { ctxt->instate = XML_PARSER_DTD; #ifdef DEBUG_PUSH @@ -11347,6 +11686,8 @@ "PP: Parsing PI\n"); #endif xmlParsePI(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; } else if ((cur == '<') && (next == '!') && (ctxt->input->cur[2] == '-') && (ctxt->input->cur[3] == '-')) { if ((!terminate) && @@ -11357,6 +11698,8 @@ "PP: Parsing Comment\n"); #endif xmlParseComment(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; ctxt->instate = XML_PARSER_PROLOG; } else if ((cur == '<') && (next == '!') && (avail < 4)) { @@ -11391,6 +11734,8 @@ "PP: Parsing PI\n"); #endif xmlParsePI(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; ctxt->instate = XML_PARSER_EPILOG; } else if ((cur == '<') && (next == '!') && (ctxt->input->cur[2] == '-') && (ctxt->input->cur[3] == '-')) { 
@@ -11402,13 +11747,15 @@ "PP: Parsing Comment\n"); #endif xmlParseComment(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; ctxt->instate = XML_PARSER_EPILOG; } else if ((cur == '<') && (next == '!') && (avail < 4)) { goto done; } else { xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); #ifdef DEBUG_PUSH xmlGenericError(xmlGenericErrorContext, "PP: entering EOF\n"); @@ -11530,6 +11877,8 @@ found_end_int_subset: xmlParseInternalSubset(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; ctxt->inSubset = 2; if ((ctxt->sax != NULL) && (!ctxt->disableSAX) && (ctxt->sax->externalSubset != NULL)) @@ -11537,6 +11886,8 @@ ctxt->extSubSystem, ctxt->extSubURI); ctxt->inSubset = 0; xmlCleanSpecialAttr(ctxt); + if (ctxt->instate == XML_PARSER_EOF) + goto done; ctxt->instate = XML_PARSER_PROLOG; ctxt->checkIndex = 0; #ifdef DEBUG_PUSH @@ -11713,7 +12064,7 @@ res =xmlParserInputBufferPush(ctxt->input->buf, size, chunk); if (res < 0) { ctxt->errNo = XML_PARSER_EOF; - ctxt->disableSAX = 1; + xmlHaltParser(ctxt); return (XML_PARSER_EOF); } ctxt->input->base = ctxt->input->buf->buffer->content + base; @@ -11745,6 +12096,10 @@ xmlParseTryOrFinish(ctxt, 0); else xmlParseTryOrFinish(ctxt, terminate); + + if (ctxt->instate == XML_PARSER_EOF) + return(ctxt->errNo); + if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1)) return(ctxt->errNo); 
@@ -11928,24 +12283,47 @@ #endif /* LIBXML_PUSH_ENABLED */ /** - * xmlStopParser: + * xmlHaltParser: * @ctxt: an XML parser context * - * Blocks further parser processing + * Blocks further parser processing don't override error + * for internal use */ -void -xmlStopParser(xmlParserCtxtPtr ctxt) { +static void +xmlHaltParser(xmlParserCtxtPtr ctxt) { if (ctxt == NULL) return; ctxt->instate = XML_PARSER_EOF; ctxt->disableSAX = 1; if (ctxt->input != NULL) { + /* + * in case there was a specific allocation deallocate before + * overriding base + */ + if (ctxt->input->free != NULL) { + ctxt->input->free((xmlChar *) ctxt->input->base); + ctxt->input->free = NULL; + } ctxt->input->cur = BAD_CAST""; ctxt->input->base = ctxt->input->cur; } } /** + * xmlStopParser: + * @ctxt: an XML parser context + * + * Blocks further parser processing + */ +void +xmlStopParser(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) + return; + xmlHaltParser(ctxt); + ctxt->errNo = XML_ERR_USER_STOP; +} + +/** * xmlCreateIOParserCtxt: * @sax: a SAX handler * @user_data: The user data returned on SAX callbacks @@ -12043,6 +12421,9 @@ return(NULL); } + /* We are loading a DTD */ + ctxt->options |= XML_PARSE_DTDLOAD; + /* * Set-up the SAX context */ @@ -12170,6 +12551,9 @@ return(NULL); } + /* We are loading a DTD */ + ctxt->options |= XML_PARSE_DTDLOAD; + /* * Set-up the SAX context */ @@ -14310,6 +14694,7 @@ ctxt->catalogs = NULL; ctxt->nbentities = 0; ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; xmlInitNodeInfoSeq(&ctxt->node_seq); if (ctxt->attsDefault != NULL) { diff -u libxml2-2.7.8.dfsg/encoding.c libxml2-2.7.8.dfsg/encoding.c --- libxml2-2.7.8.dfsg/encoding.c +++ libxml2-2.7.8.dfsg/encoding.c 
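Review bot: `xmlHaltParser` in the `@@ -11928,24 +12283,47 @@` hunk releases `ctxt->input->base` through `ctxt->input->free` and repoints `cur` and `base` at a static empty string, but it leaves `ctxt->input->end` untouched. After a halt `end` may still point into the buffer that was just freed. Code that computes `ctxt->input->end - ctxt->input->cur`, as the new length check in `xmlParseEndTag2` earlier in this diff does, would then subtract pointers into different objects. Resetting it with the others closes the gap: `ctxt->input->end = ctxt->input->cur;`. The doc comment's "Blocks further parser processing don't override error" also runs two sentences together and could be split.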
@@ -89,7 +89,7 @@ * * n encoding error */ -static void +static void LIBXML_ATTR_FORMAT(2,0) xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val) { __xmlRaiseError(NULL, NULL, NULL, NULL, NULL, diff -u libxml2-2.7.8.dfsg/config.guess libxml2-2.7.8.dfsg/config.guess --- libxml2-2.7.8.dfsg/config.guess +++ libxml2-2.7.8.dfsg/config.guess @@ -2,9 +2,9 @@ # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012 Free Software Foundation, Inc. -timestamp='2011-05-11' +timestamp='2012-02-10' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -17,9 +17,7 @@ # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -57,8 +55,8 @@ Originally written by Per Bothner. Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free -Software Foundation, Inc. +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 +Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -145,7 +143,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward @@ -792,13 +790,12 @@ echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) - case ${UNAME_MACHINE} in - pc98) - echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) @@ -807,6 +804,9 @@ *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; + i*:MSYS*:*) + echo ${UNAME_MACHINE}-pc-msys + exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 @@ -861,6 +861,13 @@ i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; 
@@ -895,13 +902,16 @@ echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; cris:Linux:*:*) - echo cris-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; crisv32:Linux:*:*) - echo crisv32-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-gnu exit ;; frv:Linux:*:*) - echo frv-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + hexagon:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:Linux:*:*) LIBC=gnu @@ -943,7 +953,7 @@ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; or32:Linux:*:*) - echo or32-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; padre:Linux:*:*) echo sparc-unknown-linux-gnu @@ -978,13 +988,13 @@ echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-tilera-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-gnu exit ;; x86_64:Linux:*:*) - echo x86_64-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu @@ -1315,6 +1325,9 @@ i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; esac #echo '(No uname command or uname output not recognized.)' 1>&2 diff -u libxml2-2.7.8.dfsg/configure.in libxml2-2.7.8.dfsg/configure.in --- libxml2-2.7.8.dfsg/configure.in +++ libxml2-2.7.8.dfsg/configure.in @@ -477,6 +477,7 @@ AC_CHECK_FUNCS(finite isnand fp_class class fpclass) AC_CHECK_FUNCS(strftime localtime gettimeofday ftime) AC_CHECK_FUNCS(stat _stat signal) +AC_CHECK_FUNCS(rand srand time) dnl Checking the standard string functions availability AC_CHECK_FUNCS(printf sprintf fprintf snprintf vfprintf vsprintf vsnprintf sscanf,, 
@@ -662,7 +663,7 @@ CFLAGS="${CFLAGS} -fexceptions" fi - CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" + CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" case "${host}" in alpha*-*-linux* ) CFLAGS="${CFLAGS} -mieee" @@ -872,7 +873,7 @@ fi fi if test "${GCC}" = "yes" ; then - CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" + CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" fi STATIC_BINARIES="-static" dnl -Wcast-qual -ansi diff -u libxml2-2.7.8.dfsg/config.sub libxml2-2.7.8.dfsg/config.sub --- libxml2-2.7.8.dfsg/config.sub +++ libxml2-2.7.8.dfsg/config.sub 
@@ -2,9 +2,9 @@ # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# 2011, 2012 Free Software Foundation, Inc. -timestamp='2011-03-23' +timestamp='2012-02-10' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -21,9 +21,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -76,8 +74,8 @@ GNU config.sub ($timestamp) Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free -Software Foundation, Inc. +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 +Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -132,6 +130,10 @@ os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; + android-linux) + os=-linux-android + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown + ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] 
@@ -247,17 +249,22 @@ # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ + | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ + | be32 | be64 \ | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ + | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | mcore | mep | metag \ @@ -291,7 +298,7 @@ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ - | rx \ + | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ @@ -300,7 +307,7 @@ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ - | v850 | v850e \ + | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) @@ -315,8 +322,7 @@ c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | picochip) - # Motorola 68HC11/12. + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -329,7 +335,10 @@ strongarm | thumb | xscale) basic_machine=arm-unknown ;; - + xgate) + basic_machine=$basic_machine-unknown + os=-none + ;; xscaleeb) basic_machine=armeb-unknown ;; 
@@ -352,11 +361,13 @@ # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ + | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ + | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | clipper-* | craynv-* | cydra-* \ @@ -365,8 +376,10 @@ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ @@ -400,7 +413,7 @@ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ - | romp-* | rs6000-* | rx-* \ + | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ @@ -408,10 +421,11 @@ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile-* | tilegx-* \ + | tile*-* \ | tron-* \ | ubicom32-* \ - | v850-* | v850e-* | vax-* \ + | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ + | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ @@ -711,7 +725,6 @@ i370-ibm* | ibm*) basic_machine=i370-ibm ;; -# I'm not sure what "Sysv32" means. Should this be sysv3.2? i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 
@@ -808,10 +821,18 @@ ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; + msys) + basic_machine=i386-pc + os=-msys + ;; mvs) basic_machine=i370-ibm os=-mvs ;; + nacl) + basic_machine=le32-unknown + os=-nacl + ;; ncr3000) basic_machine=i486-ncr os=-sysv4 @@ -1120,13 +1141,8 @@ basic_machine=t90-cray os=-unicos ;; - # This must be matched before tile*. - tilegx*) - basic_machine=tilegx-unknown - os=-linux-gnu - ;; tile*) - basic_machine=tile-unknown + basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) @@ -1336,7 +1352,7 @@ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ @@ -1548,9 +1564,6 @@ ;; m68000-sun) os=-sunos3 - # This also exists in the configure program, but was not the - # default. - # os=-sunos4 ;; m68*-cisco) os=-aout diff -u libxml2-2.7.8.dfsg/xpath.c libxml2-2.7.8.dfsg/xpath.c --- libxml2-2.7.8.dfsg/xpath.c +++ libxml2-2.7.8.dfsg/xpath.c @@ -272,7 +272,7 @@ xmlChar buf[200]; xmlStrPrintf(buf, 200, - BAD_CAST "Memory allocation failed : %s\n", + "Memory allocation failed : %s\n", extra); ctxt->lastError.message = (char *) xmlStrdup(buf); } else { @@ -3246,13 +3246,13 @@ * compute depth to root */ for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { - if (cur == node1) + if (cur->parent == node1) return(1); depth2++; } root = cur; for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { - if (cur == node2) + if (cur->parent == node2) return(-1); depth1++; } 
@@ -10594,13 +10594,18 @@ lc = 1; break; } else if ((NXT(len) == '(')) { - /* Note Type or Function */ + /* Node Type or Function */ if (xmlXPathIsNodeType(name)) { #ifdef DEBUG_STEP xmlGenericError(xmlGenericErrorContext, "PathExpr: Type search\n"); #endif lc = 1; +#ifdef LIBXML_XPTR_ENABLED + } else if (ctxt->xptr && + xmlStrEqual(name, BAD_CAST "range-to")) { + lc = 1; +#endif } else { #ifdef DEBUG_STEP xmlGenericError(xmlGenericErrorContext, diff -u libxml2-2.7.8.dfsg/libxml.h libxml2-2.7.8.dfsg/libxml.h --- libxml2-2.7.8.dfsg/libxml.h +++ libxml2-2.7.8.dfsg/libxml.h @@ -9,6 +9,8 @@ #ifndef __XML_LIBXML_H__ #define __XML_LIBXML_H__ +#include + #ifndef NO_LARGEFILE_SOURCE #ifndef _LARGEFILE_SOURCE #define _LARGEFILE_SOURCE @@ -66,7 +68,7 @@ * internal error reporting routines, shared but not partof the API. */ void __xmlIOErr(int domain, int code, const char *extra); -void __xmlLoaderErr(void *ctx, const char *msg, const char *filename); +void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0); #ifdef LIBXML_HTML_ENABLED /* * internal function of HTML parser needed for xmlParseInNodeContext @@ -82,6 +84,8 @@ void __xmlGlobalInitMutexUnlock(void); void __xmlGlobalInitMutexDestroy(void); +XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg); + #ifdef IN_LIBXML #ifdef __GNUC__ #ifdef PIC diff -u libxml2-2.7.8.dfsg/xpointer.c libxml2-2.7.8.dfsg/xpointer.c --- libxml2-2.7.8.dfsg/xpointer.c +++ libxml2-2.7.8.dfsg/xpointer.c @@ -85,7 +85,7 @@ * * Handle a redefinition of attribute error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error, const char * msg, const xmlChar *extra) { 
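Review bot: The prototype `xmlEscapeFormatString(xmlChar **msg)` added in the libxml.h hunk `@@ -82,6 +84,8 @@` has no comment, and a double-pointer parameter combined with a pointer return leaves ownership unclear: may `*msg` be freed or replaced, and does the caller free the result? A one-line contract above the declaration would settle it, e.g. `/* Returns *msg with every '%' escaped; *msg may be freed and replaced (confirm against the definition). */`. The function is also marked `XMLPUBFUN` in a header whose earlier comment describes these routines as not part of the API, so it is worth confirming that exporting it is intended.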
@@ -320,6 +320,45 @@ } /** + * xmlXPtrNewRangeInternal: + * @start: the starting node + * @startindex: the start index + * @end: the ending point + * @endindex: the ending index + * + * Internal function to create a new xmlXPathObjectPtr of type range + * + * Returns the newly created object. + */ +static xmlXPathObjectPtr +xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, + xmlNodePtr end, int endindex) { + xmlXPathObjectPtr ret; + + /* + * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). + * Disallow them for now. + */ + if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) + return(NULL); + if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) + return(NULL); + + ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); + if (ret == NULL) { + xmlXPtrErrMemory("allocating range"); + return(NULL); + } + memset(ret, 0, sizeof(xmlXPathObject)); + ret->type = XPATH_RANGE; + ret->user = start; + ret->index = startindex; + ret->user2 = end; + ret->index2 = endindex; + return(ret); +} + +/** * xmlXPtrNewRange: * @start: the starting node * @startindex: the start index @@ -344,17 +383,7 @@ if (endindex < 0) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = startindex; - ret->user2 = end; - ret->index2 = endindex; + ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); xmlXPtrRangeCheckOrder(ret); return(ret); } 
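Review bot: The header comment of the new xmlXPtrNewRangeInternal says only "Returns the newly created object", but the body returns NULL in three cases: `start` is a namespace node, `end` is a namespace node, or xmlMalloc fails. I would change that line to `Returns the newly created object, or NULL if either node is a namespace declaration or the allocation fails.` The namespace rejection raises no error, unlike the allocation path, which calls xmlXPtrErrMemory, and the comment should say so because callers cannot tell the two apart.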
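Review bot: In xmlXPtrNewRange (`@@ -344,17 +383,7`) the result of xmlXPtrNewRangeInternal goes straight into `xmlXPtrRangeCheckOrder(ret)`, although the helper can return NULL. The removed code returned early on allocation failure, so NULL never reached that call before this change. xmlXPtrRangeCheckOrder is not shown on this page; unless it is known to accept NULL, add `if (ret == NULL) return(NULL);` before the call. The same pattern is introduced in the `@@ -381,17`, `@@ -416,17`, `@@ -453,17`, `@@ -486,17` and `@@ -557,39` hunks.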
@@ -381,17 +410,8 @@ if (end->type != XPATH_POINT) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start->user; - ret->index = start->index; - ret->user2 = end->user; - ret->index2 = end->index; + ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, + end->index); xmlXPtrRangeCheckOrder(ret); return(ret); } @@ -416,17 +436,7 @@ if (start->type != XPATH_POINT) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start->user; - ret->index = start->index; - ret->user2 = end; - ret->index2 = -1; + ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); xmlXPtrRangeCheckOrder(ret); return(ret); } @@ -453,17 +463,7 @@ if (end->type != XPATH_POINT) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - ret->user2 = end->user; - ret->index2 = end->index; + ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); xmlXPtrRangeCheckOrder(ret); return(ret); } @@ -486,17 +486,7 @@ if (end == NULL) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - ret->user2 = end; - ret->index2 = -1; + ret = xmlXPtrNewRangeInternal(start, -1, end, -1); xmlXPtrRangeCheckOrder(ret); return(ret); } 
@@ -516,17 +506,7 @@ if (start == NULL) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - ret->user2 = NULL; - ret->index2 = -1; + ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); return(ret); } @@ -541,6 +521,8 @@ */ xmlXPathObjectPtr xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + xmlNodePtr endNode; + int endIndex; xmlXPathObjectPtr ret; if (start == NULL) @@ -549,7 +531,12 @@ return(NULL); switch (end->type) { case XPATH_POINT: + endNode = end->user; + endIndex = end->index; + break; case XPATH_RANGE: + endNode = end->user2; + endIndex = end->index2; break; case XPATH_NODESET: /* @@ -557,39 +544,15 @@ */ if (end->nodesetval->nodeNr <= 0) return(NULL); + endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; + endIndex = -1; break; default: /* TODO */ return(NULL); } - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - switch (end->type) { - case XPATH_POINT: - ret->user2 = end->user; - ret->index2 = end->index; - break; - case XPATH_RANGE: - ret->user2 = end->user2; - ret->index2 = end->index2; - break; - case XPATH_NODESET: { - ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; - ret->index2 = -1; - break; - } - default: - STRANGE - return(NULL); - } + ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); xmlXPtrRangeCheckOrder(ret); return(ret); } 
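Review bot: The new `endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];` in the XPATH_NODESET case of xmlXPtrNewRangeNodeObject relies on the unchanged guard `if (end->nodesetval->nodeNr <= 0)`, which dereferences `end->nodesetval` without checking it. If a node-set object can arrive here with a NULL `nodesetval` (not determinable from the hunk), both lines fault; `if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0)) return(NULL);` closes that. The `default:` arm keeps only `/* TODO */` now that `STRANGE` is gone, so a word on which object types are deliberately rejected would help the next reader.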
@@ -1007,21 +970,14 @@ NEXT; break; } - *cur++ = CUR; } else if (CUR == '(') { level++; - *cur++ = CUR; } else if (CUR == '^') { - NEXT; - if ((CUR == ')') || (CUR == '(') || (CUR == '^')) { - *cur++ = CUR; - } else { - *cur++ = '^'; - *cur++ = CUR; - } - } else { - *cur++ = CUR; + if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) { + NEXT; + } } + *cur++ = CUR; NEXT; } *cur = 0; @@ -1339,8 +1295,6 @@ ret->here = here; ret->origin = origin; - xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", - xmlXPtrRangeToFunction); xmlXPathRegisterFunc(ret, (xmlChar *)"range", xmlXPtrRangeFunction); xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", 
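Review bot: The `^` branch in the `@@ -1007,21` hunk carries no comment, and its safety rests on an invariant that is easy to break: it peeks with `NXT(1)` and skips the circumflex only when `)`, `(` or `^` follows, so each iteration stores one byte and advances once past it. The removed code called NEXT before inspecting the following character, which, if the loop runs over a NUL-terminated string as it appears to, let a trailing `^` move the cursor beyond the terminator. I would add `/* '^' escapes ')', '(' and '^'; peek first so a trailing '^' never advances past the end */` above the inner `if`. The loop header and the allocation of the output buffer are outside the hunk.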
@@ -2226,76 +2180,14 @@ * @nargs: the number of args * * Implement the range-to() XPointer function + * + * Obsolete. range-to is not a real function but a special type of location + * step which is handled in xpath.c. */ void -xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { - xmlXPathObjectPtr range; - const xmlChar *cur; - xmlXPathObjectPtr res, obj; - xmlXPathObjectPtr tmp; - xmlLocationSetPtr newset = NULL; - xmlNodeSetPtr oldset; - int i; - - if (ctxt == NULL) return; - CHECK_ARITY(1); - /* - * Save the expression pointer since we will have to evaluate - * it multiple times. Initialize the new set. - */ - CHECK_TYPE(XPATH_NODESET); - obj = valuePop(ctxt); - oldset = obj->nodesetval; - ctxt->context->node = NULL; - - cur = ctxt->cur; - newset = xmlXPtrLocationSetCreate(NULL); - - for (i = 0; i < oldset->nodeNr; i++) { - ctxt->cur = cur; - - /* - * Run the evaluation with a node list made of a single item - * in the nodeset. - */ - ctxt->context->node = oldset->nodeTab[i]; - tmp = xmlXPathNewNodeSet(ctxt->context->node); - valuePush(ctxt, tmp); - - xmlXPathEvalExpr(ctxt); - CHECK_ERROR; - - /* - * The result of the evaluation need to be tested to - * decided whether the filter succeeded or not - */ - res = valuePop(ctxt); - range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); - if (range != NULL) { - xmlXPtrLocationSetAdd(newset, range); - } - - /* - * Cleanup - */ - if (res != NULL) - xmlXPathFreeObject(res); - if (ctxt->value == tmp) { - res = valuePop(ctxt); - xmlXPathFreeObject(res); - } - - ctxt->context->node = NULL; - } - - /* - * The result is used as the new evaluation set. 
- */ - xmlXPathFreeObject(obj); - ctxt->context->node = NULL; - ctxt->context->contextSize = -1; - ctxt->context->proximityPosition = -1; - valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); +xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, + int nargs ATTRIBUTE_UNUSED) { + XP_ERROR(XPATH_EXPR_ERROR); } /** diff -u libxml2-2.7.8.dfsg/debian/libxml2.install libxml2-2.7.8.dfsg/debian/libxml2.install --- libxml2-2.7.8.dfsg/debian/libxml2.install +++ libxml2-2.7.8.dfsg/debian/libxml2.install @@ -1 +1 @@ -usr/lib/libxml2.so.* +usr/lib/*/libxml2.so.* diff -u libxml2-2.7.8.dfsg/debian/rules libxml2-2.7.8.dfsg/debian/rules --- libxml2-2.7.8.dfsg/debian/rules +++ libxml2-2.7.8.dfsg/debian/rules @@ -45,7 +45,8 @@ build-python%: BUILD_DIR=build/main/$* build-python%: BUILD_FLAGS = libxml2mod_la_LIBADD='$$(mylibs)' -build-python%-dbg: BUILD_FLAGS += PYTHON_INCLUDES=/usr/include/$(*:-dbg=_d) LDFLAGS="-L$(CURDIR)/debian/tmp/usr/lib" CFLAGS="-Wall -g -O0" +build-python%-dbg: BUILD_FLAGS += PYTHON_INCLUDES=/usr/include/$(*:-dbg=_d) \ + LDFLAGS="-L$(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)" CFLAGS="-Wall -g -O0" override_dh_auto_clean: rm -rf build debian/tmp-dbg @@ -102,7 +103,10 @@ dh_install -Npython-libxml2-dbg -Nlibxml2-udeb dh_install -ppython-libxml2-dbg --sourcedir=debian/tmp-dbg dh_install -plibxml2-udeb --sourcedir=debian/tmp-udeb - sed "/dependency_libs/ s/'.*'/''/" debian/tmp/usr/lib/libxml2.la > debian/libxml2-dev/usr/lib/libxml2.la + sed "/dependency_libs/ s/'.*'/''/" debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libxml2.la > \ + debian/libxml2-dev/usr/lib/$(DEB_HOST_MULTIARCH)/libxml2.la + # for multiarch xml2-config needs to be identical on all archs + sed -i -e 's,/usr/lib/$(DEB_HOST_MULTIARCH),/usr/lib,' debian/libxml2-dev/usr/bin/xml2-config override_dh_strip: dh_strip -a --dbg-package=libxml2-dbg -Npython-libxml2 -Npython-libxml2-dbg 
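Review bot: The comment block above the stubbed xmlXPtrRangeToFunction still opens with "Implement the range-to() XPointer function", which the body no longer does; it now only raises `XPATH_EXPR_ERROR`. The added "Obsolete" paragraph should replace that sentence rather than follow it, and should say why the symbol is kept (presumably so existing callers still link; the hunk does not say). The old body began with `if (ctxt == NULL) return;` and the stub passes `ctxt` to XP_ERROR without it; whether XP_ERROR tolerates NULL is not visible here, so either keep the guard or confirm that it does.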
@@ -121 +125 @@ - dh --with python2 $@ + dh $@ --with python2 diff -u libxml2-2.7.8.dfsg/debian/libxml2-dev.install libxml2-2.7.8.dfsg/debian/libxml2-dev.install --- libxml2-2.7.8.dfsg/debian/libxml2-dev.install +++ libxml2-2.7.8.dfsg/debian/libxml2-dev.install @@ -1,7 +1,7 @@ usr/bin/xml2-config -usr/lib/libxml2.so -usr/lib/libxml2.a -usr/lib/xml2Conf.sh +usr/lib/*/libxml2.so +usr/lib/*/libxml2.a +usr/lib/*/xml2Conf.sh usr/share/aclocal -usr/lib/pkgconfig +usr/lib/*/pkgconfig usr/include/libxml2 diff -u libxml2-2.7.8.dfsg/debian/compat libxml2-2.7.8.dfsg/debian/compat --- libxml2-2.7.8.dfsg/debian/compat +++ libxml2-2.7.8.dfsg/debian/compat @@ -1 +1 @@ -7 +9 diff -u libxml2-2.7.8.dfsg/debian/control libxml2-2.7.8.dfsg/debian/control --- libxml2-2.7.8.dfsg/debian/control +++ libxml2-2.7.8.dfsg/debian/control @@ -1,10 +1,11 @@ Source: libxml2 Priority: optional Section: libs -Maintainer: Debian XML/SGML Group +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian XML/SGML Group Uploaders: Mike Hommey Standards-Version: 3.9.2.0 -Build-Depends: debhelper (>= 7.0.50~), zlib1g-dev | libz-dev, python-all-dev (>= 2.6.6-3~), python-all-dbg, autotools-dev, libreadline-dev | libreadline5-dev, binutils (>= 2.14.90.0.7), dpkg-dev (>= 1.14.9), perl +Build-Depends: debhelper (>= 8.1.3), zlib1g-dev | libz-dev, python-all-dev (>= 2.6.6-3~), python-all-dbg, autotools-dev, libreadline-dev | libreadline5-dev, binutils (>= 2.14.90.0.7), perl Homepage: http://xmlsoft.org/ Vcs-Git: git://git.debian.org/debian-xml-sgml/libxml2.git Vcs-Browser: http://git.debian.org/?p=debian-xml-sgml/libxml2.git @@ -15,6 +16,8 @@ Section: libs Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: xml-core +Pre-Depends: ${misc:Pre-Depends} +Multi-Arch: same Description: GNOME XML library XML is a metalanguage to let you design your own markup language. A regular markup language defines a way to describe information in 
@@ -30,6 +33,7 @@ Architecture: any Section: text Depends: ${shlibs:Depends}, ${misc:Depends} +Multi-Arch: foreign Description: XML utilities XML is a metalanguage to let you design your own markup language. A regular markup language defines a way to describe information in @@ -46,6 +50,7 @@ Architecture: any Section: libdevel Depends: libxml2 (= ${binary:Version}), ${misc:Depends} +Multi-Arch: same Description: Development files for the GNOME XML library XML is a metalanguage to let you design your own markup language. A regular markup language defines a way to describe information in @@ -125,0 +131,15 @@ +Package: libxml2-udeb +XC-Package-Type: udeb +Architecture: any +Section: debian-installer +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: GNOME XML library - minimal runtime + XML is a metalanguage to let you design your own markup language. + A regular markup language defines a way to describe information in + a certain class of documents (eg HTML). XML lets you define your + own customized markup languages for many classes of document. It + can do this because it's written in SGML, the international standard + metalanguage for markup languages. + . + This is a minimal package for use in debian-installer that yields a + library providing an extensive API to handle such XML data files. diff -u libxml2-2.7.8.dfsg/debian/changelog libxml2-2.7.8.dfsg/debian/changelog --- libxml2-2.7.8.dfsg/debian/changelog +++ libxml2-2.7.8.dfsg/debian/changelog 
@@ -1,3 +1,321 @@ +libxml2 (2.7.8.dfsg-5.1ubuntu4.17) precise-security; urgency=medium + + * SECURITY UPDATE: format string vulnerabilities + - fix format string warnings in HTMLparser.c, SAX2.c, catalog.c, + configure, configure.in, debugXML.c, encoding.c, entities.c, error.c, + include/libxml/parserInternals.h, include/libxml/xmlerror.h, + include/libxml/xmlstring.h, libxml.h, parser.c, parserInternals.c, + relaxng.c, schematron.c, testModule.c, valid.c, xinclude.c, xmlIO.c, + xmllint.c, xmlreader.c, xmlschemas.c, xmlstring.c, xmlwriter.c, + xpath.c, xpointer.c. + - 4472c3a5a5b516aaf59b89be602fbce52756c3e9 + - 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b + - d77e5fc4bcdb7da748c9cca116a601ae4df60d21 + - debian/libxml2.symbols: added new symbol. + - CVE-2016-4448 + * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges + - disallow namespace nodes in XPointer ranges in xpointer.c. + - c1d1f7121194036608bf555f08d3062a36fd344b + - CVE-2016-4658 + * SECURITY UPDATE: use-after-free in XPointer range-to function + - fix XPointer paths beginning with range-to and fix comparison with + root node in xmlXPathCmpNodesin xpath.c, xpointer.c. + - 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e + - a005199330b86dada19d162cae15ef9bdcb6baa8 + - CVE-2016-5131 + + -- Marc Deslauriers Wed, 15 Mar 2017 09:00:55 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.15) precise-security; urgency=medium + + * SECURITY UPDATE: heap-based buffer overread in xmlNextChar + - return after error in parser.c. + - a7a94612aa3b16779e2c74e1fa353b5d9786c602 + - CVE-2016-1762 + * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar + - clear up NULL deref, handle 0-length entities and fix tests in + parserInternals.c. + - ff76eb28c75451bc56e3b93f44dac155ca29e7f5 + - fdfeecc1b73b0318466f0d61f0b8881ed9d92dd2 + - 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 + - CVE-2016-1833 + * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat + - check for negative lengths in xmlstring.c. 
+ - 8fbbf5513d609c1770b391b99e33314cd0742704 + - CVE-2016-1834 + * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs + - add check to parser.c, add tests to result/errors/759020.xml.err, + result/errors/759020.xml.str, test/errors/759020.xml. + - 38eae571111db3b43ffdeb05487c9f60551906fb + - CVE-2016-1835 + * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and + htmlParseSystemiteral + - prevent stable pointer usage in HTMLparser.c. + - 11ed4a7a90d5ce156a18980a4ad4e53e77384852 + - CVE-2016-1837 + * SECURITY UPDATE: heap-based buffer overread in + xmlParserPrintFileContextInternal + - add bounds check to parser.c, + add tests to result/errors/758588.xml.err, + result/errors/758588.xml.str, test/errors/758588.xml. + - db07dd613e461df93dde7902c6505629bf0734e9 + - CVE-2016-1838 + * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString + - add bounds check to HTMLparser.c. + - a820dbeac29d330bae4be05d9ecd939ad6b4aa33 + - CVE-2015-8806 + - CVE-2016-1839 + - CVE-2016-2073 + * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup + - properly handle error in xmlregexp.c. + - cbb271655cadeb8dbb258a64701d9a3a0c4835b4 + - CVE-2016-1840 + * SECURITY UPDATE: avoid building recursive entities + - properly handle recursion in parser.c, tree.c. + - bdd66182ef53fe1f7209ab6535fda56366bd7ac9 + - CVE-2016-3627 + * SECURITY UPDATE: recursion depth counter issue + - properly could recursion depth in parser.c. + - 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 + - CVE-2016-3705 + * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName + - improve error handling in parser.c. + - 00906759053986b8079985644172085f74331f83 + - CVE-2016-4447 + * SECURITY UPDATE: inappropriate fetch of entities content + - fix another external entity fetch in parser.c. + - b1d34de46a11323fccffa9fadeb33be670d602f5 + - CVE-2016-4449 + * SECURITY UPDATE: out of bound access when serializing malformed strings + - improve string handling in xmlsave.c. 
+ - c97750d11bb8b6f3303e7131fe526a61ac65bcfd + - CVE-2016-4483 + + -- Marc Deslauriers Fri, 03 Jun 2016 09:11:38 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.14) precise-security; urgency=medium + + * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW + (LP: #1525996) + - add extra commits to this previously-fixed CVE + - parser.c: reuse xmlHaltParser() where it makes sense. + - e3b1597421ad7cbeb5939fc3b54f43f141c82366 + - error.c: do not print error context when there is none. + - ce0b0d0d81fdbb5f722a890432b52d363e4de57b + - CVE-2015-7499 + * SECURITY UPDATE: out of bounds memory access via unclosed html comment + - HTMLparser.c: fix parsing short unclosed comment uninitialized + access. + - e724879d964d774df9b7969fc846605aa1bac54c + - CVE-2015-8710 + + -- Marc Deslauriers Thu, 14 Jan 2016 13:16:09 -0500 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.13) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service via entity expansion issue + - parser.c: properly exit when entity expansion is detected. + - https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e + - CVE-2015-5312 + * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey + - dict.c: check offset. + - https://git.gnome.org/browse/libxml2/commit/?id=6360a31a84efe69d155ed96306b9a931a40beab9 + - CVE-2015-7497 + * SECURITY UPDATE: denial of service via encoding conversion failures + - parser.c: avoid processing entities after encoding conversion + failures. + - https://git.gnome.org/browse/libxml2/commit/?id=afd27c21f6b36e22682b7da20d726bce2dcb2f43 + - CVE-2015-7498 + * SECURITY UPDATE: out of bounds read in xmlGROW + - parser.c: add xmlHaltParser() to stop the parser and check input. 
+ - https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc + - https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da + - CVE-2015-7499 + * SECURITY UPDATE: out of bounds read in xmlParseMisc + - parser.c: check entity boundaries. + - https://git.gnome.org/browse/libxml2/commit/?id=f1063fdbe7fa66332bbb76874101c2a7b51b519f + - CVE-2015-7500 + * SECURITY UPDATE: denial of service via extra processing of MarkupDecl + - parser.c: add extra EOF check. + - https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe + - CVE-2015-8241 + * SECURITY UPDATE: buffer overead with HTML parser in push mode + - HTMLparser.c: use pointer in the input in. + - https://git.gnome.org/browse/libxml2/commit/?id=8fb4a770075628d6441fb17a1e435100e2f3b1a2 + - CVE-2015-8242 + * SECURITY UPDATE: denial of service via encoding failures + - parser.c: do not process encoding values if the declaration is broken + and fail parsing if the encoding conversion failed. + - https://git.gnome.org/browse/libxml2/commit/?id=9aa37588ee78a06ca1379a9d9356eab16686099c + - https://git.gnome.org/browse/libxml2/commit/?id=709a952110e98621c9b78c4f26462a9d8333102e + - CVE-2015-8317 + + -- Marc Deslauriers Wed, 09 Dec 2015 12:35:41 -0500 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.12) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service via XEE attack + - include/libxml/tree.h, tree.c, xmlreader.c: enforce the reader to run + in constant memory. + - patch obtained from Debian's 2.7.8.dfsg-2+squeeze12 package. + - CVE-2015-1819 + * SECURITY UPDATE: denial of service via out-of-bounds read + - parser.c: stop parsing on entities boundaries errors. 
+ - https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 + - https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 + - CVE-2015-7941 + * SECURITY UPDATE: overflow in conditional sections + - parser.c: properly check input. + - https://git.gnome.org/browse/libxml2/commit/?id=bd0526e66a56e75a18da8c15c4750db8f801c52d + - https://git.gnome.org/browse/libxml2/commit/?id=41ac9049a27f52e7a1f3b341f8714149fc88d450 + - CVE-2015-7942 + + -- Marc Deslauriers Fri, 13 Nov 2015 09:28:57 -0500 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.11) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service via entity expansion + - parser.c, SAX2.c, include/libxml/entities.h: refactor entity checking + and add additional tests. + - https://git.gnome.org/browse/libxml2/commit/?id=a3f1e3e5712257fd279917a9158278534e8f4b72 + - https://git.gnome.org/browse/libxml2/commit/?id=cff2546f13503ac028e4c1f63c7b6d85f2f2d777 + - https://git.gnome.org/browse/libxml2/commit/?id=be2a7edaf289c5da74a4f9ed3a0b6c733e775230 + - CVE-2014-3660 + + -- Marc Deslauriers Wed, 22 Oct 2014 12:16:42 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.9) precise-security; urgency=medium + + * SECURITY REGRESSION: more xmllint regressions (LP: #1321869) + - use upstream commit which includes additional regression fixes to + parser.c. 
+ - https://git.gnome.org/browse/libxml2/commit/?id=dd8367da17c2948981a51e52c8a6beb445edf825 + + -- Marc Deslauriers Fri, 13 Jun 2014 09:11:38 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.8) precise-security; urgency=medium + + * SECURITY REGRESSION: xmllint no longer loads entities with --postvalid + (LP: #1321869) + - Thanks to Alexey Neyman for proposed patch + - https://mail.gnome.org/archives/xml/2014-May/msg00003.html + + -- Marc Deslauriers Fri, 06 Jun 2014 12:32:11 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.7) precise-security; urgency=medium + + * SECURITY UPDATE: resource exhaustion via external parameter entities + - parser.c: do not fetch external parameter entities. + - https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df + - CVE-2014-0191 + + -- Marc Deslauriers Thu, 08 May 2014 14:30:38 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.6) precise-security; urgency=low + + * SECURITY REGRESSION: regression with lxml (LP: #1201849) + - parser.c: revised to fix regression, and a couple of wrong return + values. + - CVE-2013-2877 + + -- Marc Deslauriers Tue, 16 Jul 2013 14:05:24 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.5) precise-security; urgency=low + + * SECURITY UPDATE: external entity expansion attack (LP: #1194410) + - do not fetch external parsed entities in parser.c, added test to + test/errors/extparsedent.xml, result/errors/extparsedent.xml. + - https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f + - CVE-2013-0339 + * SECURITY UPDATE: denial of service via incomplete document + - try to stop parsing as quickly as possible in parser.c, + include/libxml/xmlerror.h. 
+ - https://git.gnome.org/browse/libxml2/commit/?id=48b4cdde3483e054af8ea02e0cd7ee467b0e9a50 + - https://git.gnome.org/browse/libxml2/commit/?id=e50ba8164eee06461c73cd8abb9b46aa0be81869 + - CVE-2013-2877 + + -- Marc Deslauriers Thu, 11 Jul 2013 14:57:48 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.4) precise-security; urgency=low + + * SECURITY UPDATE: denial of service via entity expansion + - include/libxml/parser.h, parser.c, parserInternals.c: limit number of + entity expansions, thanks to Daniel Veillard. + - http://git.gnome.org/browse/libxml2/commit/?id=23f05e0c33987d6605387b300c4be5da2120a7ab + - CVE-2013-0338 + + -- Marc Deslauriers Tue, 26 Mar 2013 10:11:00 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.3) precise-security; urgency=low + + * SECURITY UPDATE: buffer underflow in xmlParseAttValueComplex() + - debian/patches/CVE-2012-5134.patch: add array bounds checking in + parser.c, thanks to Daniel Veillard + - http://git.gnome.org/browse/libxml2/commit/?id=6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d + - CVE-2012-5134 + + -- Seth Arnold Tue, 04 Dec 2012 11:39:55 -0800 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.2) precise-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + incorrect buffer sizes. 
+ - http://git.gnome.org/browse/libxml2/commit/?id=459eeb9dc752d5185f57ff6b135027f11981a626 + - http://git.gnome.org/browse/libxml2/commit/?id=4f9fdc709c4861c390cd84e2ed1fd878b3442e28 + - http://git.gnome.org/browse/libxml2/commit/?id=baaf03f80f817bb34c421421e6cb4d68c353ac9a + - CVE-2012-2807 + + -- Marc Deslauriers Wed, 26 Sep 2012 13:10:43 -0400 + +libxml2 (2.7.8.dfsg-5.1ubuntu4.1) precise-security; urgency=low + + * SECURITY UPDATE: Fix an off by one pointer access in xpointer.c + - d8e1faeaa99c7a7c07af01c1c72de352eb590a3e + - CVE-2011-3102 + + -- Jamie Strandboge Fri, 18 May 2012 08:55:39 -0500 + +libxml2 (2.7.8.dfsg-5.1ubuntu4) precise; urgency=low + + * SECURITY UPDATE: add randomization to dictionaries with hash tables + help prevent denial of service via hash algorithm collision + - configure.in: lookup for rand, srand and time + - dict.c: add randomization to dictionaries hash tables + - hash.c: add randomization to normal hash tables + - 8973d58b7498fa5100a876815476b81fd1a2412a + - CVE-2012-0841 + + -- Jamie Strandboge Tue, 28 Feb 2012 07:20:11 -0600 + +libxml2 (2.7.8.dfsg-5.1ubuntu3) precise; urgency=low + + * various fixes for __xmlRaiseError (LP: #686363). This can be dropped in + 2.7.8.dfsg-6 + - 111d705c282e03e7202723c6c7e4499f8582bd4f + - 1b9128bae737fa559f5e2c191d6679a856efbad9 + - 241d4a1069e6bedd0ee2295d7b43858109c1c6d1 + - c2a0fdc4e6d106690d7fd8fa1677e133c94e155d + + -- Jamie Strandboge Thu, 19 Jan 2012 11:59:30 -0600 + +libxml2 (2.7.8.dfsg-5.1ubuntu2) precise; urgency=low + + * SECURITY UPDATE: denial of service via buffer overflow + - parser.c: fix an allocation error when copying entities + - 5bd3c061823a8499b27422aee04ea20aae24f03e + - CVE-2011-3919 + + -- Jamie Strandboge Wed, 18 Jan 2012 13:03:04 -0600 + +libxml2 (2.7.8.dfsg-5.1ubuntu1) precise; urgency=low + + * Merge from Debian testing, remaining changes: + - Build for multiarch. + - Use debhelper compat 9 instead of hardcoding --libdir. + - Move the udeb contents back into /usr/lib. 
+ + -- Steve Langasek Thu, 12 Jan 2012 09:18:30 +0100 + libxml2 (2.7.8.dfsg-5.1) unstable; urgency=high * Non-maintainer upload. @@ -8,6 +326,15 @@ -- Luk Claes Fri, 30 Dec 2011 18:31:13 +0100 +libxml2 (2.7.8.dfsg-5ubuntu1) precise; urgency=low + + * Build for multiarch; thanks to Riku Voipio for the patch. + Closes: #643026. + * Use debhelper compat 9 instead of hardcoding --libdir. + * Move the udeb contents back into /usr/lib. + + -- Steve Langasek Wed, 19 Oct 2011 22:00:20 -0700 + libxml2 (2.7.8.dfsg-5) unstable; urgency=low * xpath.c, xpointer.c, include/libxml/xpath.h: Hardening of XPath evaluation. diff -u libxml2-2.7.8.dfsg/debian/libxml2.symbols libxml2-2.7.8.dfsg/debian/libxml2.symbols --- libxml2-2.7.8.dfsg/debian/libxml2.symbols +++ libxml2-2.7.8.dfsg/debian/libxml2.symbols @@ -81,6 +81,7 @@ xmlAllocOutputBufferInternal@Base 2.7.1 xmlAutomataSetFlags@Base 2.7.4 xmlCharEncFirstLineInt@Base 2.7.4 + xmlEscapeFormatString@Base 2.7.8.dfsg-5.1ubuntu4.16 xmlGenericErrorDefaultFunc@Base 2.6.27 xmlMallocBreakpoint@Base 2.6.27 xmlNsListDumpOutput@Base 2.6.27 diff -u libxml2-2.7.8.dfsg/debian/libxml2-udeb.install libxml2-2.7.8.dfsg/debian/libxml2-udeb.install --- libxml2-2.7.8.dfsg/debian/libxml2-udeb.install +++ libxml2-2.7.8.dfsg/debian/libxml2-udeb.install @@ -1 +1 @@ -usr/lib/libxml2.so.* +usr/lib/*/libxml2.so.* usr/lib only in patch2: unchanged: --- libxml2-2.7.8.dfsg.orig/tree.c +++ libxml2-2.7.8.dfsg/tree.c @@ -678,11 +678,13 @@ * XML_BUFFER_ALLOC_EXACT - use exact sizes, keeps memory usage down * XML_BUFFER_ALLOC_DOUBLEIT - double buffer when extra needed, * improves performance + * XML_BUFFER_ALLOC_BOUNDED - limit the upper size of the buffer */ void xmlSetBufferAllocationScheme(xmlBufferAllocationScheme scheme) { if ((scheme == XML_BUFFER_ALLOC_EXACT) || - (scheme == XML_BUFFER_ALLOC_DOUBLEIT)) + (scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_BOUNDED)) xmlBufferAllocScheme = scheme; } 
@@ -1567,6 +1569,7 @@ else if ((ent != NULL) && (ent->children == NULL)) { xmlNodePtr temp; + ent->children = (xmlNodePtr) -1; ent->children = xmlStringGetNodeList(doc, (const xmlChar*)node->content); ent->owner = 1; @@ -7099,6 +7102,19 @@ size = buf->use + len + 100; #endif + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || + (buf->size >= XML_MAX_TEXT_LENGTH)) { + xmlTreeErrMemory("buffer error: text too long"); + return(0); + } + if (size >= XML_MAX_TEXT_LENGTH) + size = XML_MAX_TEXT_LENGTH; + } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { size_t start_buf = buf->content - buf->contentIO; @@ -7209,7 +7225,15 @@ return(0); if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); - + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if (size >= XML_MAX_TEXT_LENGTH) { + xmlTreeErrMemory("buffer error: text too long"); + return(0); + } + } /* Don't resize if we don't have to */ if (size < buf->size) return 1; @@ -7388,6 +7412,15 @@ } needSize = buf->use + len + 2; if (needSize > buf->size){ + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if (needSize >= XML_MAX_TEXT_LENGTH) { + xmlTreeErrMemory("buffer error: text too long"); + return(-1); + } + } if (!xmlBufferResize(buf, needSize)){ xmlTreeErrMemory("growing buffer"); return XML_ERR_NO_MEMORY; only in patch2: unchanged: --- libxml2-2.7.8.dfsg.orig/xmlschemas.c +++ libxml2-2.7.8.dfsg/xmlschemas.c @@ -1080,7 +1080,7 @@ static void xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, const char *funcName, - const char *message); + const char *message) LIBXML_ATTR_FORMAT(3,0); static int xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt, xmlSchemaTypePtr type, @@ -1764,7 +1764,7 @@ } FREE_AND_NULL(str) - return (*buf); + return (xmlEscapeFormatString(buf)); } /** 
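Review bot: `ent->children = (xmlNodePtr) -1;` in the `@@ -1567,6` hunk is overwritten by the very next statement and has no comment, so it reads like a leftover. It appears to be a marker that makes the guard `ent->children == NULL` false while xmlStringGetNodeList runs, which matches the changelog entry about recursive entities. I would say so with `/* non-NULL marker: blocks re-entry for this entity while its content is expanded */`. Any code that walks `ent->children` during that call would see an invalid pointer, and the comment should name that constraint too.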
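Review bot: The bound check added in the `@@ -7099,6` hunk computes `buf->use + len` before comparing it with XML_MAX_TEXT_LENGTH, so a very large `len` can wrap the sum and pass the test if these are fixed-width unsigned values (their types are declared outside the hunk). Comparing against the remaining room avoids the addition: `if ((buf->size >= XML_MAX_TEXT_LENGTH) || (buf->use >= XML_MAX_TEXT_LENGTH) || (len >= XML_MAX_TEXT_LENGTH - buf->use)) {`. The same reasoning applies to `needSize = buf->use + len + 2`, which is evaluated ahead of the new check in the `@@ -7388,6` hunk.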
@@ -1884,7 +1884,7 @@ * * Handle a parser error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, const char *msg, const xmlChar * str1, const xmlChar * str2) { @@ -1917,7 +1917,7 @@ * * Handle a parser error */ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, xmlNodePtr child, int error, const char *msg, const xmlChar * str1, const xmlChar * str2) @@ -1946,7 +1946,7 @@ * * Handle a parser error */ -static void +static void LIBXML_ATTR_FORMAT(7,0) xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, const xmlChar * strData1, const xmlChar * strData2, const xmlChar * strData3, const char *msg, const xmlChar * str1, @@ -1997,7 +1997,7 @@ extra); } -static void +static void LIBXML_ATTR_FORMAT(2,0) xmlSchemaPSimpleInternalErr(xmlNodePtr node, const char *msg, const xmlChar *str) { @@ -2008,18 +2008,21 @@ #define WXS_ERROR_TYPE_ERROR 1 #define WXS_ERROR_TYPE_WARNING 2 /** - * xmlSchemaErr3: + * xmlSchemaErr4Line: * @ctxt: the validation context - * @node: the context node + * @errorLevel: the error level * @error: the error code + * @node: the context node + * @line: the line number * @msg: the error message * @str1: extra data * @str2: extra data * @str3: extra data + * @str4: extra data * * Handle a validation error */ -static void +static void LIBXML_ATTR_FORMAT(6,0) xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt, xmlErrorLevel errorLevel, int error, xmlNodePtr node, int line, const char *msg, @@ -2118,7 +2121,7 @@ * * Handle a validation error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt, int error, xmlNodePtr node, const char *msg, const xmlChar *str1, const xmlChar *str2, const xmlChar *str3) 
@@ -2127,7 +2130,7 @@ msg, str1, str2, str3, NULL); } -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt, int error, xmlNodePtr node, const char *msg, const xmlChar *str1, const xmlChar *str2, @@ -2137,7 +2140,7 @@ msg, str1, str2, str3, str4); } -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt, int error, xmlNodePtr node, const char *msg, const xmlChar *str1, const xmlChar *str2) @@ -2160,7 +2163,7 @@ /* * Don't try to format other nodes than element and * attribute nodes. - * Play save and return an empty string. + * Play safe and return an empty string. */ *msg = xmlStrdup(BAD_CAST ""); return(*msg); @@ -2225,6 +2228,13 @@ TODO return (NULL); } + + /* + * xmlSchemaFormatItemForReport() also returns an escaped format + * string, so do this before calling it below (in the future). + */ + xmlEscapeFormatString(msg); + /* * VAL TODO: The output of the given schema component is currently * disabled. @@ -2241,7 +2251,7 @@ return (*msg); } -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, const char *funcName, const char *message, 
@@ -2252,24 +2262,21 @@ if (actxt == NULL) return; - msg = xmlStrdup(BAD_CAST "Internal error: "); - msg = xmlStrcat(msg, BAD_CAST funcName); - msg = xmlStrcat(msg, BAD_CAST ", "); + msg = xmlStrdup(BAD_CAST "Internal error: %s, "); msg = xmlStrcat(msg, BAD_CAST message); msg = xmlStrcat(msg, BAD_CAST ".\n"); if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR) - xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL, - (const char *) msg, str1, str2); - + xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL, + (const char *) msg, (const xmlChar *) funcName, str1, str2); else if (actxt->type == XML_SCHEMA_CTXT_PARSER) - xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL, - (const char *) msg, str1, str2); + xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL, + (const char *) msg, (const xmlChar *) funcName, str1, str2); FREE_AND_NULL(msg) } -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, const char *funcName, const char *message) @@ -2278,7 +2285,7 @@ } #if 0 -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, const char *funcName, const char *message, @@ -2290,7 +2297,7 @@ } #endif -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2315,7 +2322,7 @@ FREE_AND_NULL(msg) } -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2330,7 +2337,7 @@ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2355,7 +2362,7 @@ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt, xmlParserErrors error, xmlSchemaPSVIIDCNodePtr idcNode, 
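Review bot: After this change `funcName` is passed as data for the leading `%s`, but `message` is still concatenated into the format string and nothing in the body says that this is intentional. A comment above the `xmlStrdup` line would make the contract explicit, e.g. `/* message is itself a format string that consumes str1/str2; callers must pass literals, never text taken from a document */`. The three string arguments now reach `xmlSchemaErr3` in the order funcName, str1, str2, so any conversion in `message` is matched against str1 first, which is worth stating in the function header as well. The declaration of `msg` and the start of the function are outside the hunk.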
@@ -2455,11 +2462,13 @@ msg = xmlStrcat(msg, BAD_CAST " '"); if (type->builtInType != 0) { msg = xmlStrcat(msg, BAD_CAST "xs:"); - msg = xmlStrcat(msg, type->name); - } else - msg = xmlStrcat(msg, - xmlSchemaFormatQName(&str, - type->targetNamespace, type->name)); + str = xmlStrdup(type->name); + } else { + const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); + if (!str) + str = xmlStrdup(qName); + } + msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); msg = xmlStrcat(msg, BAD_CAST "'"); FREE_AND_NULL(str); } @@ -2504,7 +2513,7 @@ FREE_AND_NULL(msg) } -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2596,7 +2605,7 @@ str = xmlStrcat(str, BAD_CAST ", "); } str = xmlStrcat(str, BAD_CAST " ).\n"); - msg = xmlStrcat(msg, BAD_CAST str); + msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); FREE_AND_NULL(str) } else msg = xmlStrcat(msg, BAD_CAST "\n"); @@ -2604,7 +2613,7 @@ xmlFree(msg); } -static void +static void LIBXML_ATTR_FORMAT(8,0) xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2895,7 +2904,7 @@ * * Reports an error during parsing. */ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlSchemaBasicItemPtr item, @@ -2931,7 +2940,7 @@ * * Reports an error during parsing. */ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlSchemaBasicItemPtr item, @@ -2956,7 +2965,7 @@ * * Reports an attribute use error during parsing. */ -static void +static void LIBXML_ATTR_FORMAT(6,0) xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlNodePtr node, 
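Review bot: The escape-and-append sequence added in the `@@ -2455,11 +2462,13 @@` hunk is repeated line for line in the `@@ -3120,11 +3129,13 @@` hunk, and both copies depend on an undocumented ownership rule: `xmlSchemaFormatQName()` may return a pointer that is not stored in `str`, hence the `if (!str) str = xmlStrdup(qName);`. Since a missed escape in either copy would put a type name back into a format string unescaped, I would move the sequence into one static helper and call it from both places as `msg = xmlSchemaStrcatEscapedTypeName(msg, type);` (the helper name is only a suggestion). The declaration of `type` is outside both hunks, so the parameter type below is assumed. Both enclosing functions start and end outside their hunks.

```c
/*
 * Append the display name of @type to @msg with '%' escaped, so the
 * result can be used as part of a format string. Returns the new @msg.
 */
static xmlChar *
xmlSchemaStrcatEscapedTypeName(xmlChar *msg, xmlSchemaTypePtr type)
{
    xmlChar *str = NULL;

    if (type->builtInType != 0) {
        msg = xmlStrcat(msg, BAD_CAST "xs:");
        str = xmlStrdup(type->name);
    } else {
        const xmlChar *qName = xmlSchemaFormatQName(&str,
            type->targetNamespace, type->name);
        /* the returned name is not always owned by str: take a copy */
        if (str == NULL)
            str = xmlStrdup(qName);
    }
    msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
    FREE_AND_NULL(str);
    return (msg);
}
```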
@@ -3078,7 +3087,7 @@ * Reports a simple type validation error. * TODO: Should this report the value of an element as well? */ -static void +static void LIBXML_ATTR_FORMAT(8,0) xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED, @@ -3120,11 +3129,13 @@ msg = xmlStrcat(msg, BAD_CAST " '"); if (type->builtInType != 0) { msg = xmlStrcat(msg, BAD_CAST "xs:"); - msg = xmlStrcat(msg, type->name); - } else - msg = xmlStrcat(msg, - xmlSchemaFormatQName(&str, - type->targetNamespace, type->name)); + str = xmlStrdup(type->name); + } else { + const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); + if (!str) + str = xmlStrdup(qName); + } + msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); msg = xmlStrcat(msg, BAD_CAST "'."); FREE_AND_NULL(str); } @@ -3136,8 +3147,10 @@ "valid."); } if (expected) { + xmlChar *expectedEscaped = xmlCharStrdup(expected); msg = xmlStrcat(msg, BAD_CAST " Expected is '"); - msg = xmlStrcat(msg, BAD_CAST expected); + msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped)); + FREE_AND_NULL(expectedEscaped); msg = xmlStrcat(msg, BAD_CAST "'.\n"); } else msg = xmlStrcat(msg, BAD_CAST "\n"); only in patch2: unchanged: --- libxml2-2.7.8.dfsg.orig/HTMLparser.c +++ libxml2-2.7.8.dfsg/HTMLparser.c @@ -102,7 +102,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { @@ -129,7 +129,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, int val) { 
@@ -300,6 +300,7 @@ #define UPP(val) (toupper(ctxt->input->cur[(val)])) #define CUR_PTR ctxt->input->cur +#define BASE_PTR ctxt->input->base #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \ (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \ @@ -2431,6 +2432,10 @@ (*in == '_') || (*in == '-') || (*in == ':') || (*in == '.')) in++; + + if (in == ctxt->input->end) + return(NULL); + if ((*in > 0) && (*in < 0x80)) { count = in - ctxt->input->cur; ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); @@ -2474,6 +2479,10 @@ NEXTL(l); c = CUR_CHAR(l); } + + if (ctxt->input->base > ctxt->input->cur - len) + return(NULL); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); } @@ -2725,31 +2734,43 @@ static xmlChar * htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) { - const xmlChar *q; + size_t len = 0, startPosition = 0; xmlChar *ret = NULL; if (CUR == '"') { NEXT; - q = CUR_PTR; - while ((IS_CHAR_CH(CUR)) && (CUR != '"')) + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while ((IS_CHAR_CH(CUR)) && (CUR != '"')) { NEXT; + len++; + } if (!IS_CHAR_CH(CUR)) { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished SystemLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR+startPosition), len); NEXT; } } else if (CUR == '\'') { NEXT; - q = CUR_PTR; - while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) { NEXT; + len++; + } if (!IS_CHAR_CH(CUR)) { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished SystemLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR+startPosition), len); NEXT; } } else { 
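Review bot: The end-of-buffer test added in the `@@ -2431,6 +2432,10 @@` hunk uses equality, `if (in == ctxt->input->end)`, and it runs only after the scanning loop has already dereferenced `in` at every step. That is sufficient only if the input buffer is terminated at `end` so the loop cannot step past it, which this hunk does not show. Writing the guard as `if (in >= ctxt->input->end) return(NULL);` costs nothing and also covers a pointer that has moved beyond `end`. The function starts and ends outside the hunk.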
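Review bot: The guard added in the `@@ -2474,6 +2479,10 @@` hunk, `if (ctxt->input->base > ctxt->input->cur - len)`, forms the pointer `cur - len` before checking it. When `len` exceeds the distance from `base` to `cur`, that subtraction already points before the start of the buffer, which is undefined behaviour in C and allows a compiler to drop the test. Comparing distances keeps the arithmetic inside the buffer: `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);`. `len` is declared outside the hunk, so a cast may be needed if it is not a signed type. The function starts outside the hunk.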
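Review bot: In the `@@ -2725,31 +2734,43 @@` hunk `len` is incremented once per `NEXT`, whereas the removed code measured the literal in bytes with `CUR_PTR - q`. If `NEXT` can advance `cur` by more than one byte for a multi-byte character (the macro is defined outside this hunk), `xmlStrndup((BASE_PTR+startPosition), len)` now returns a truncated literal. Measuring in bytes keeps the old result without reviving the stale `q` pointer: `ret = xmlStrndup(BASE_PTR + startPosition, (CUR_PTR - BASE_PTR) - startPosition);`, guarded by a check that `CUR_PTR - BASE_PTR` is not smaller than `startPosition`. Either form assumes the bytes between `startPosition` and `cur` are not moved inside the buffer while the loop runs, which deserves a comment next to `startPosition`. The final `else` branch continues outside the hunk.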
@@ -2773,32 +2794,47 @@ static xmlChar * htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) { - const xmlChar *q; + size_t len = 0, startPosition = 0; xmlChar *ret = NULL; /* * Name ::= (Letter | '_') (NameChar)* */ if (CUR == '"') { NEXT; - q = CUR_PTR; - while (IS_PUBIDCHAR_CH(CUR)) NEXT; + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while (IS_PUBIDCHAR_CH(CUR)) { + len++; + NEXT; + } + if (CUR != '"') { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished PubidLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR + startPosition), len); NEXT; } } else if (CUR == '\'') { NEXT; - q = CUR_PTR; - while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')) - NEXT; + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){ + len++; + NEXT; + } + if (CUR != '\'') { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished PubidLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR + startPosition), len); NEXT; } } else { @@ -3194,12 +3230,17 @@ ctxt->instate = state; return; } + len = 0; + buf[len] = 0; q = CUR_CHAR(ql); + if (!IS_CHAR(q)) + goto unfinished; NEXTL(ql); r = CUR_CHAR(rl); + if (!IS_CHAR(r)) + goto unfinished; NEXTL(rl); cur = CUR_CHAR(l); - len = 0; while (IS_CHAR(cur) && ((cur != '>') || (r != '-') || (q != '-'))) { @@ -3230,18 +3271,20 @@ } } buf[len] = 0; - if (!IS_CHAR(cur)) { - htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, - "Comment not terminated \n
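Review bot: The two quote branches in the `@@ -2773,32 +2794,47 @@` hunk are now fifteen-line copies that differ only in the quote character, and the bounds check `if (CUR_PTR < BASE_PTR)` has to be kept in sync in both (the same holds for `htmlParseSystemLiteral` in the preceding hunk). Folding them into one branch keyed on a `quote` variable leaves a single copy of the check and of the `startPosition`/`len` bookkeeping. The merged loop condition matches both originals only if `"` is not accepted by `IS_PUBIDCHAR_CH`, which the double-quote branch already relies on. The stale `Name ::= (Letter | '_') (NameChar)*` comment at the top could be corrected at the same time. The final `else` branch continues outside the hunk.

```c
static xmlChar *
htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
    size_t len = 0, startPosition = 0;
    xmlChar *ret = NULL;
    int quote = CUR;

    if ((quote == '"') || (quote == '\'')) {
        NEXT;

        if (CUR_PTR < BASE_PTR)
            return(ret);
        startPosition = CUR_PTR - BASE_PTR;

        /* the closing quote is tested explicitly, as the ' branch did */
        while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != quote)) {
            len++;
            NEXT;
        }

        if (CUR != quote) {
            htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
                         "Unfinished PubidLiteral\n", NULL, NULL);
        } else {
            ret = xmlStrndup((BASE_PTR + startPosition), len);
            NEXT;
        }
    } else {
    /* … unchanged: existing else branch, continues outside the hunk … */
```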