diffstat for libxml2-2.9.3+dfsg1 libxml2-2.9.3+dfsg1 changelog | 153 +++++ control | 19 libxml2.symbols | 1 patches/CVE-2016-1762.patch | 30 + patches/CVE-2016-1833.patch | 247 +++++++++ patches/CVE-2016-1834.patch | 50 + patches/CVE-2016-1835.patch | 139 +++++ patches/CVE-2016-1836.patch | 437 ++++++++++++++++ patches/CVE-2016-1837.patch | 137 +++++ patches/CVE-2016-1838.patch | 90 +++ patches/CVE-2016-1839.patch | 60 ++ patches/CVE-2016-1840.patch | 32 + patches/CVE-2016-3627.patch | 59 ++ patches/CVE-2016-3705.patch | 65 ++ patches/CVE-2016-4447.patch | 64 ++ patches/CVE-2016-4448-1.patch | 1065 +++++++++++++++++++++++++++++++++++++++ patches/CVE-2016-4448-2.patch | 204 +++++++ patches/CVE-2016-4449.patch | 44 + patches/CVE-2016-4483.patch | 49 + patches/CVE-2016-4658.patch | 249 +++++++++ patches/CVE-2016-5131-1.patch | 142 +++++ patches/CVE-2016-5131-2.patch | 34 + patches/CVE-2016-9318.patch | 51 + patches/CVE-2017-0663.patch | 45 + patches/CVE-2017-15412.patch | 33 + patches/CVE-2017-16932.patch | 105 +++ patches/CVE-2017-18258.patch | 25 patches/CVE-2017-7375.patch | 37 + patches/CVE-2017-7376.patch | 33 + patches/CVE-2017-9047-9048.patch | 118 ++++ patches/CVE-2017-9049-9050.patch | 302 +++++++++++ patches/CVE-2018-14404.patch | 47 + patches/CVE-2018-14567.patch | 43 + patches/lp1652325.patch | 580 +++++++++++++++++++++ patches/series | 31 + 35 files changed, 4819 insertions(+), 1 deletion(-)
diff -Nru libxml2-2.9.3+dfsg1/debian/changelog libxml2-2.9.3+dfsg1/debian/changelog
--- libxml2-2.9.3+dfsg1/debian/changelog 2015-12-14 07:35:50.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/changelog 2018-08-13 19:50:14.000000000 +0000
@@ -1,3 +1,156 @@ +libxml2 (2.9.3+dfsg1-1ubuntu0.6) xenial-security; urgency=medium + + * SECURITY UPDATE: XXE attacks + - debian/patches/CVE-2016-9318.patch: fix in parser.c. + - CVE-2016-9318 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2017-18258.patch: fix in xzlib.c. + - CVE-2017-18258 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2018-14404.patch: fix in xpath.c. + - CVE-2018-14404 + * SECURITY UPDATE: Infinite loop in LZMA decompression + - debian/patches/CVE-2018-14567.patch: fix in xzlib.c. + - CVE-2018-14567 + + -- Leonidas S. Barbosa Mon, 13 Aug 2018 16:49:50 -0300 + +libxml2 (2.9.3+dfsg1-1ubuntu0.5) xenial-security; urgency=medium + + * SECURITY UPDATE: use after-free in xmlXPathCompOpEvalPositionPredicate + - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in + xpath.c. + - CVE-2017-15412 + + -- Leonidas S. Barbosa Mon, 11 Dec 2017 13:29:09 -0300 + +libxml2 (2.9.3+dfsg1-1ubuntu0.4) xenial-security; urgency=medium + + * SECURITY UPDATE: infinite recursion in parameter entities + - CVE-2017-16932 + + -- Leonidas S. 
Barbosa Mon, 04 Dec 2017 15:20:29 -0300 + +libxml2 (2.9.3+dfsg1-1ubuntu0.3) xenial-security; urgency=medium + + * SECURITY UPDATE: type confusion leading to out-of-bounds write + - debian/patches/CVE-2017-0663.patch: eliminate cast + - CVE-2017-0663 + * SECURITY UPDATE: XML external entity (XXE) vulnerability + - debian/patches/CVE-2017-7375.patch: add validation for parsed + entity references + - CVE-2017-7375 + * SECURITY UPDATE: buffer overflow in URL handling + - debian/patches/CVE-2017-7376.patch: allocate enough memory for + ports in HTTP redirect support + - CVE-2017-7376 + * SECURITY UPDATE: buffer overflows in xmlSnprintfElementContent() + - debian/patches/CVE-2017-9047-9048.patch: ensure enough space + remains in buffer for copied data + - CVE-2017-9047, CVE-2017-9048 + * SECURITY UPDATE: heap based buffer overreads in + xmlDictComputeFastKey() + - debian/patches/CVE-2017-9049-9050.patch: drop uneccessary + expansions, add additional sanity check + - CVE-2017-9049, CVE-2017-9050 + + -- Steve Beattie Fri, 15 Sep 2017 16:00:14 -0700 + +libxml2 (2.9.3+dfsg1-1ubuntu0.2) xenial-security; urgency=medium + + * SECURITY UPDATE: format string vulnerabilities + - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in + HTMLparser.c, SAX2.c, catalog.c, configure.ac, debugXML.c, + encoding.c, entities.c, error.c, include/libxml/parserInternals.h, + include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h, + parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c, + valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c, + xmlstring.c, xmlwriter.c, xpath.c, xpointer.c. + - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in + libxml.h, relaxng.c, xmlschemas.c, xmlstring.c. + - debian/libxml2.symbols: added new symbol. + - CVE-2016-4448 + * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges + - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in + XPointer ranges in xpointer.c. 
+ - CVE-2016-4658 + * SECURITY UPDATE: use-after-free in XPointer range-to function + - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning + with range-to in xpath.c, xpointer.c. + - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node + in xmlXPathCmpNodes in xpath.c. + - CVE-2016-5131 + * debian/patches/lp1652325.patch: XML push parser fails with bogus + UTF-8 encoding error when multi-byte character in large CDATA section + is split across buffer (LP: #1652325) + + -- Marc Deslauriers Tue, 14 Mar 2017 16:06:13 -0400 + +libxml2 (2.9.3+dfsg1-1ubuntu0.1) xenial-security; urgency=medium + + * SECURITY UPDATE: heap-based buffer overread in xmlNextChar + - debian/patches/CVE-2016-1762.patch: return after error in parser.c. + - CVE-2016-1762 + * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar + - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c. + - CVE-2016-1833 + * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat + - debian/patches/CVE-2016-1834.patch: check for negative lengths in + xmlstring.c. + - CVE-2016-1834 + * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs + - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests + to result/errors/759020.xml.err, result/errors/759020.xml.str, + test/errors/759020.xml. + - CVE-2016-1835 + * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey + - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in + parser.c, added tests to result/errors/759398.xml.err, + result/errors/759398.xml.str, test/errors/759398.xml. + - CVE-2016-1836 + * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and + htmlParseSystemiteral + - debian/patches/CVE-2016-1837.patch: prevent stable pointer usage in + HTMLparser.c. 
+ - CVE-2016-1837 + * SECURITY UPDATE: heap-based buffer overread in + xmlParserPrintFileContextInternal + - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c, + add tests to result/errors/758588.xml.err, + result/errors/758588.xml.str, test/errors/758588.xml. + - CVE-2016-1838 + * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString + - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c. + - CVE-2015-8806 + - CVE-2016-1839 + - CVE-2016-2073 + * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup + - debian/patches/CVE-2016-1840.patch: properly handle error in + xmlregexp.c. + - CVE-2016-1840 + * SECURITY UPDATE: avoid building recursive entities + - debian/patches/CVE-2016-3627.patch: properly handle recursion in + parser.c, tree.c. + - CVE-2016-3627 + * SECURITY UPDATE: recursion depth counter issue + - debian/patches/CVE-2016-3705.patch: properly could recursion depth in + parser.c. + - CVE-2016-3705 + * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName + - debian/patches/CVE-2016-4447.patch: improve error handling in + parser.c. + - CVE-2016-4447 + * SECURITY UPDATE: inappropriate fetch of entities content + - debian/patches/CVE-2016-4449.patch: fix another external entity fetch + in parser.c. + - CVE-2016-4449 + * SECURITY UPDATE: out of bound access when serializing malformed strings + - debian/patches/CVE-2016-4483.patch: improve string handling in + xmlsave.c. + - CVE-2016-4483 + + -- Marc Deslauriers Fri, 03 Jun 2016 08:05:40 -0400 + libxml2 (2.9.3+dfsg1-1) unstable; urgency=medium * New upstream release. diff -Nru libxml2-2.9.3+dfsg1/debian/control libxml2-2.9.3+dfsg1/debian/control --- libxml2-2.9.3+dfsg1/debian/control 2015-12-14 07:43:05.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/control 2016-06-03 12:23:54.000000000 +0000 
@@ -1,7 +1,8 @@ Source: libxml2 Priority: optional Section: libs -Maintainer: Debian XML/SGML Group +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian XML/SGML Group Uploaders: Aron Xu , YunQiang Su Standards-Version: 3.9.6 Build-Depends: debhelper (>= 9), dh-autoreconf, autotools-dev, pkg-config, @@ -145,3 +146,19 @@ . This package contains the files needed to use the GNOME XML library in Python programs for use with the Python debug interpreter. + +Package: libxml2-udeb +XC-Package-Type: udeb +Architecture: any +Section: debian-installer +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: GNOME XML library - minimal runtime + XML is a metalanguage to let you design your own markup language. + A regular markup language defines a way to describe information in + a certain class of documents (eg HTML). XML lets you define your + own customized markup languages for many classes of document. It + can do this because it's written in SGML, the international standard + metalanguage for markup languages. + . + This is a minimal package for use in debian-installer that yields a + library providing an extensive API to handle such XML data files. diff -Nru libxml2-2.9.3+dfsg1/debian/libxml2.symbols libxml2-2.9.3+dfsg1/debian/libxml2.symbols --- libxml2-2.9.3+dfsg1/debian/libxml2.symbols 2015-12-14 07:52:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/libxml2.symbols 2017-03-14 22:04:23.000000000 +0000 
@@ -143,6 +143,7 @@
 xmlDictGetUsage@LIBXML2_2.9.0 2.9.0
 xmlDictSetLimit@LIBXML2_2.9.0 2.9.0
 xmlEncodeAttributeEntities@Base 2.9.0
+ xmlEscapeFormatString@Base 2.9.3+dfsg1-1ubuntu0.2
 xmlGenericErrorDefaultFunc@Base 2.6.27
 xmlInitializeDict@LIBXML2_2.8.0 2.8.0
 xmlMallocBreakpoint@Base 2.6.27
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1762.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1762.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1762.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1762.patch 2016-06-03 12:03:37.000000000 +0000
@@ -0,0 +1,30 @@
+From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Tue, 9 Feb 2016 12:55:29 +0100
+Subject: Heap-based buffer overread in xmlNextChar
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759671
+
+when the end of the internal subset isn't properly detected
+xmlParseInternalSubset should just return instead of trying
+to process input further.
+---
+ parser.c | 1 +
+ result/errors/754946.xml.err | 10 +++++-----
+ result/errors/content1.xml.err | 2 +-
+ result/valid/t8.xml.err | 2 +-
+ result/valid/t8a.xml.err | 2 +-
+ 5 files changed, 9 insertions(+), 8 deletions(-)
+
+Index: libxml2-2.9.3+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/parser.c 2016-06-03 07:59:16.115545731 -0400
++++ libxml2-2.9.3+dfsg1/parser.c 2016-06-03 07:59:16.107545634 -0400
+@@ -8468,6 +8468,7 @@
+ */
+ if (RAW != '>') {
+ xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
++ return;
+ }
+ NEXT;
+ }
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1833.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1833.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1833.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1833.patch 2016-06-03 12:06:53.000000000 +0000
@@ -0,0 +1,247 @@ +From 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Tue, 1 Mar 2016 15:18:04 -0800 +Subject: Heap-based buffer overread in htmlCurrentChar + +For https://bugzilla.gnome.org/show_bug.cgi?id=758606 + +* parserInternals.c: +(xmlNextChar): Add an test to catch other issues on ctxt->input +corruption proactively. +For non-UTF-8 charsets, xmlNextChar() failed to check for the end +of the input buffer and would continuing reading. Fix this by +pulling out the check for the end of the input buffer into common +code, and return if we reach the end of the input buffer +prematurely. +* result/HTML/758606.html: Added. +* result/HTML/758606.html.err: Added. +* result/HTML/758606.html.sax: Added. +* result/HTML/758606_2.html: Added. +* result/HTML/758606_2.html.err: Added. +* result/HTML/758606_2.html.sax: Added. +* test/HTML/758606.html: Added test case. +* test/HTML/758606_2.html: Added test case. +--- + parserInternals.c | 172 ++++++++++++++++++++++-------------------- + result/HTML/758606.html | 2 + + result/HTML/758606.html.err | 16 ++++ + result/HTML/758606.html.sax | 10 +++ + result/HTML/758606_2.html | 2 + + result/HTML/758606_2.html.err | 16 ++++ + result/HTML/758606_2.html.sax | 17 +++++ + test/HTML/758606.html | 1 + + test/HTML/758606_2.html | 1 + + 9 files changed, 154 insertions(+), 83 deletions(-) + create mode 100644 result/HTML/758606.html + create mode 100644 result/HTML/758606.html.err + create mode 100644 result/HTML/758606.html.sax + create mode 100644 result/HTML/758606_2.html + create mode 100644 result/HTML/758606_2.html.err + create mode 100644 result/HTML/758606_2.html.sax + create mode 100644 test/HTML/758606.html + create mode 100644 test/HTML/758606_2.html + +diff --git a/parserInternals.c b/parserInternals.c +index 8c79678..bfc778a 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -55,6 +55,10 @@ + #include + #include + ++#define CUR(ctxt) ctxt->input->cur ++#define 
END(ctxt) ctxt->input->end ++#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt)) ++ + #include "buf.h" + #include "enc.h" + +@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt) + (ctxt->input == NULL)) + return; + +- if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { +- if ((*ctxt->input->cur == 0) && +- (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) && +- (ctxt->instate != XML_PARSER_COMMENT)) { +- /* +- * If we are at the end of the current entity and +- * the context allows it, we pop consumed entities +- * automatically. +- * the auto closing should be blocked in other cases +- */ ++ if (!(VALID_CTXT(ctxt))) { ++ xmlErrInternal(ctxt, "Parser input data memory error\n", NULL); ++ ctxt->errNo = XML_ERR_INTERNAL_ERROR; ++ xmlStopParser(ctxt); ++ return; ++ } ++ ++ if ((*ctxt->input->cur == 0) && ++ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) { ++ if ((ctxt->instate != XML_PARSER_COMMENT)) + xmlPopInput(ctxt); +- } else { +- const unsigned char *cur; +- unsigned char c; ++ return; ++ } + +- /* +- * 2.11 End-of-Line Handling +- * the literal two-character sequence "#xD#xA" or a standalone +- * literal #xD, an XML processor must pass to the application +- * the single character #xA. +- */ +- if (*(ctxt->input->cur) == '\n') { +- ctxt->input->line++; ctxt->input->col = 1; +- } else +- ctxt->input->col++; ++ if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { ++ const unsigned char *cur; ++ unsigned char c; + +- /* +- * We are supposed to handle UTF8, check it's valid +- * From rfc2044: encoding of the Unicode values on UTF-8: +- * +- * UCS-4 range (hex.) 
UTF-8 octet sequence (binary) +- * 0000 0000-0000 007F 0xxxxxxx +- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx +- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx +- * +- * Check for the 0x110000 limit too +- */ +- cur = ctxt->input->cur; ++ /* ++ * 2.11 End-of-Line Handling ++ * the literal two-character sequence "#xD#xA" or a standalone ++ * literal #xD, an XML processor must pass to the application ++ * the single character #xA. ++ */ ++ if (*(ctxt->input->cur) == '\n') { ++ ctxt->input->line++; ctxt->input->col = 1; ++ } else ++ ctxt->input->col++; + +- c = *cur; +- if (c & 0x80) { +- if (c == 0xC0) +- goto encoding_error; +- if (cur[1] == 0) { ++ /* ++ * We are supposed to handle UTF8, check it's valid ++ * From rfc2044: encoding of the Unicode values on UTF-8: ++ * ++ * UCS-4 range (hex.) UTF-8 octet sequence (binary) ++ * 0000 0000-0000 007F 0xxxxxxx ++ * 0000 0080-0000 07FF 110xxxxx 10xxxxxx ++ * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx ++ * ++ * Check for the 0x110000 limit too ++ */ ++ cur = ctxt->input->cur; ++ ++ c = *cur; ++ if (c & 0x80) { ++ if (c == 0xC0) ++ goto encoding_error; ++ if (cur[1] == 0) { ++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ cur = ctxt->input->cur; ++ } ++ if ((cur[1] & 0xc0) != 0x80) ++ goto encoding_error; ++ if ((c & 0xe0) == 0xe0) { ++ unsigned int val; ++ ++ if (cur[2] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; + } +- if ((cur[1] & 0xc0) != 0x80) ++ if ((cur[2] & 0xc0) != 0x80) + goto encoding_error; +- if ((c & 0xe0) == 0xe0) { +- unsigned int val; +- +- if (cur[2] == 0) { ++ if ((c & 0xf0) == 0xf0) { ++ if (cur[3] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; + } +- if ((cur[2] & 0xc0) != 0x80) ++ if (((c & 0xf8) != 0xf0) || ++ ((cur[3] & 0xc0) != 0x80)) + goto encoding_error; +- if ((c & 0xf0) == 0xf0) { +- if (cur[3] == 0) { +- xmlParserInputGrow(ctxt->input, INPUT_CHUNK); +- cur = ctxt->input->cur; +- } +- if (((c & 0xf8) != 0xf0) || +- 
((cur[3] & 0xc0) != 0x80)) +- goto encoding_error; +- /* 4-byte code */ +- ctxt->input->cur += 4; +- val = (cur[0] & 0x7) << 18; +- val |= (cur[1] & 0x3f) << 12; +- val |= (cur[2] & 0x3f) << 6; +- val |= cur[3] & 0x3f; +- } else { +- /* 3-byte code */ +- ctxt->input->cur += 3; +- val = (cur[0] & 0xf) << 12; +- val |= (cur[1] & 0x3f) << 6; +- val |= cur[2] & 0x3f; +- } +- if (((val > 0xd7ff) && (val < 0xe000)) || +- ((val > 0xfffd) && (val < 0x10000)) || +- (val >= 0x110000)) { +- xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, +- "Char 0x%X out of allowed range\n", +- val); +- } +- } else +- /* 2-byte code */ +- ctxt->input->cur += 2; ++ /* 4-byte code */ ++ ctxt->input->cur += 4; ++ val = (cur[0] & 0x7) << 18; ++ val |= (cur[1] & 0x3f) << 12; ++ val |= (cur[2] & 0x3f) << 6; ++ val |= cur[3] & 0x3f; ++ } else { ++ /* 3-byte code */ ++ ctxt->input->cur += 3; ++ val = (cur[0] & 0xf) << 12; ++ val |= (cur[1] & 0x3f) << 6; ++ val |= cur[2] & 0x3f; ++ } ++ if (((val > 0xd7ff) && (val < 0xe000)) || ++ ((val > 0xfffd) && (val < 0x10000)) || ++ (val >= 0x110000)) { ++ xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, ++ "Char 0x%X out of allowed range\n", ++ val); ++ } + } else +- /* 1-byte code */ +- ctxt->input->cur++; ++ /* 2-byte code */ ++ ctxt->input->cur += 2; ++ } else ++ /* 1-byte code */ ++ ctxt->input->cur++; + +- ctxt->nbChars++; +- if (*ctxt->input->cur == 0) +- xmlParserInputGrow(ctxt->input, INPUT_CHUNK); +- } ++ ctxt->nbChars++; ++ if (*ctxt->input->cur == 0) ++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + } else { + /* + * Assume it's a fixed length encoding (1) with diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1834.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1834.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1834.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1834.patch 2016-06-03 12:03:47.000000000 +0000 
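Review bot: The new `VALID_CTXT(ctxt)` guard at the top of xmlNextChar accepts `cur == end`, and the very next test dereferences `*ctxt->input->cur`, so that read is in bounds only if the input buffer always carries a zero byte at `end`. The buffer code is not part of this hunk, so a comment at the guard should state the invariant once confirmed, e.g. `/* cur == end is allowed: input buffers are zero-terminated at end */`. The UTF-8 branch still decides whether `cur[1]`, `cur[2]` and `cur[3]` are readable from a zero-byte test rather than from `end`, and ignores the result of `xmlParserInputGrow()`, so it leans on the same invariant. The three added macros also expand their argument unparenthesized; `#define CUR(ctxt) ((ctxt)->input->cur)`, and the same form for `END`, is safer.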
@@ -0,0 +1,50 @@
+From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Tue, 8 Mar 2016 17:29:00 -0800
+Subject: Bug 763071: heap-buffer-overflow in xmlStrncat
+
+
+* xmlstring.c:
+(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
+(xmlStrncatNew): Ditto.
+---
+ xmlstring.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/xmlstring.c b/xmlstring.c
+index b89c9e9..00287d4 100644
+--- a/xmlstring.c
++++ b/xmlstring.c
+@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
+ return(xmlStrndup(add, len));
+
+ size = xmlStrlen(cur);
++ if (size < 0)
++ return(NULL);
+ ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
+ if (ret == NULL) {
+ xmlErrMemory(NULL, NULL);
+@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
+ int size;
+ xmlChar *ret;
+
+- if (len < 0)
++ if (len < 0) {
+ len = xmlStrlen(str2);
++ if (len < 0)
++ return(NULL);
++ }
+ if ((str2 == NULL) || (len == 0))
+ return(xmlStrdup(str1));
+ if (str1 == NULL)
+ return(xmlStrndup(str2, len));
+
+ size = xmlStrlen(str1);
++ if (size < 0)
++ return(NULL);
+ ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
+ if (ret == NULL) {
+ xmlErrMemory(NULL, NULL);
+--
+cgit v0.12
+
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1835.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1835.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1835.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1835.patch 2016-06-03 12:03:52.000000000 +0000
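Review bot: In the xmlStrncat hunk the added `size < 0` test still leaves `(size + len + 1) * sizeof(xmlChar)` computed as a signed `int` sum, so two large non-negative lengths can overflow before the allocation size is formed; the xmlStrncatNew hunk has the same expression. The guard should also bound the sum, e.g. `if ((size < 0) || (size > INT_MAX - len - 1)) return(NULL);`. That form assumes `len` is already known to be non-negative at that point, which the hunk does not show for xmlStrncat, and it needs `<limits.h>` if the file does not include it. The new NULL return in xmlStrncat does not appear to release `cur`, so the function comment should say whether the caller still owns the buffer on that path. Both function bodies start and end outside the hunks.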
@@ -0,0 +1,139 @@ +From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Mon, 7 Mar 2016 14:04:08 -0800 +Subject: Heap use-after-free in xmlSAX2AttributeNs + +For https://bugzilla.gnome.org/show_bug.cgi?id=759020 + +* parser.c: +(xmlParseStartTag2): Attribute strings are only valid if the +base does not change, so add another check where the base may +change. Make sure to set 'attvalue' to NULL after freeing it. +* result/errors/759020.xml: Added. +* result/errors/759020.xml.err: Added. +* result/errors/759020.xml.str: Added. +* test/errors/759020.xml: Added test case. +--- + parser.c | 12 ++++++++++-- + result/errors/759020.xml | 0 + result/errors/759020.xml.err | 6 ++++++ + result/errors/759020.xml.str | 7 +++++++ + test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 69 insertions(+), 2 deletions(-) + create mode 100644 result/errors/759020.xml + create mode 100644 result/errors/759020.xml.err + create mode 100644 result/errors/759020.xml.str + create mode 100644 test/errors/759020.xml + +Index: libxml2-2.9.3+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/parser.c 2016-06-03 07:59:48.723940391 -0400 ++++ libxml2-2.9.3+dfsg1/parser.c 2016-06-03 07:59:48.719940342 -0400 +@@ -9466,7 +9466,10 @@ + else + if (nsPush(ctxt, NULL, URL) > 0) nbNs++; + skip_default_ns: +- if (alloc != 0) xmlFree(attvalue); ++ if ((attvalue != NULL) && (alloc != 0)) { ++ xmlFree(attvalue); ++ attvalue = NULL; ++ } + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +@@ -9475,6 +9478,8 @@ + break; + } + SKIP_BLANKS; ++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) ++ goto base_changed; + continue; + } + if (aprefix == ctxt->str_xmlns) { +@@ -9546,7 +9551,10 @@ + else + if (nsPush(ctxt, attname, URL) > 0) nbNs++; + skip_ns: +- if (alloc != 0) xmlFree(attvalue); ++ if ((attvalue != 
NULL) && (alloc != 0)) { ++ xmlFree(attvalue); ++ attvalue = NULL; ++ } + if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) + break; + if (!IS_BLANK_CH(RAW)) { +Index: libxml2-2.9.3+dfsg1/result/errors/759020.xml.err +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/errors/759020.xml.err 2016-06-03 07:59:48.719940342 -0400 +@@ -0,0 +1,6 @@ ++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute ++0000000000000000000000000000000000000000000000000000000000000000000000000000000' ++ ^ ++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2 ++ ++ ^ +Index: libxml2-2.9.3+dfsg1/result/errors/759020.xml.str +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/errors/759020.xml.str 2016-06-03 07:59:48.719940342 -0400 +@@ -0,0 +1,7 @@ ++./test/errors/759020.xml:3: namespace warning : xmlns: URI 
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute ++0000000000000000000000000000000000000000000000000000000000000000000000000000000' ++ ^ ++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 ++ ++ ^ ++./test/errors/759020.xml : failed to parse +Index: libxml2-2.9.3+dfsg1/test/errors/759020.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/test/errors/759020.xml 2016-06-03 07:59:48.723940391 -0400 +@@ -0,0 +1,46 @@ ++ ++ +Date: Thu, 3 Mar 2016 11:50:34 -0800 +Subject: Bug 759398: Heap use-after-free in xmlDictComputeFastKey + + +* parser.c: +(xmlParseNCNameComplex): Store start position instead of a +pointer to the name since the underlying buffer may change, +resulting in a stale pointer being used. +* result/errors/759398.xml: Added. +* result/errors/759398.xml.err: Added. +* result/errors/759398.xml.str: Added. +* test/errors/759398.xml: Added test case. 
+--- + parser.c | 9 +- + result/errors/759398.xml | 0 + result/errors/759398.xml.err | 9 ++ + result/errors/759398.xml.str | 5 + + test/errors/759398.xml | 326 +++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 344 insertions(+), 5 deletions(-) + create mode 100644 result/errors/759398.xml + create mode 100644 result/errors/759398.xml.err + create mode 100644 result/errors/759398.xml.str + create mode 100755 test/errors/759398.xml + +Index: libxml2-2.9.3+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/parser.c 2016-06-03 08:00:12.936233410 -0400 ++++ libxml2-2.9.3+dfsg1/parser.c 2016-06-03 08:00:12.932233362 -0400 +@@ -2008,6 +2008,7 @@ + #define CUR (*ctxt->input->cur) + #define NXT(val) ctxt->input->cur[(val)] + #define CUR_PTR ctxt->input->cur ++#define BASE_PTR ctxt->input->base + + #define CMP4( s, c1, c2, c3, c4 ) \ + ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \ +@@ -3470,7 +3471,7 @@ + int len = 0, l; + int c; + int count = 0; +- const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */ ++ size_t startPosition = 0; + + #ifdef DEBUG + nbParseNCNameComplex++; +@@ -3480,7 +3481,7 @@ + * Handler for more complex cases + */ + GROW; +- end = ctxt->input->cur; ++ startPosition = CUR_PTR - BASE_PTR; + c = CUR_CHAR(l); + if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ + (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) { +@@ -3502,7 +3503,6 @@ + } + len += l; + NEXTL(l); +- end = ctxt->input->cur; + c = CUR_CHAR(l); + if (c == 0) { + count = 0; +@@ -3516,7 +3516,6 @@ + ctxt->input->cur += l; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); +- end = ctxt->input->cur; + c = CUR_CHAR(l); + } + } +@@ -3525,7 +3524,7 @@ + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +- return(xmlDictLookup(ctxt->dict, end - len, len)); ++ return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len)); + } + + /** 
+Index: libxml2-2.9.3+dfsg1/result/errors/759398.xml.err +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/errors/759398.xml.err 2016-06-03 08:00:12.932233362 -0400 +@@ -0,0 +1,9 @@ ++./test/errors/759398.xml:210: parser error : StartTag: invalid element name ++need to worry about parsers whi ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++"> ++ ++'"> ++ ++ ++ ++ ++ ++ ++ ++ ++ ++amp, ++lt, ++gt, ++apos, ++quot"> ++ ++ ++ ++ ++ ++]> ++ ++ ++ ++ ++ ++
++Extensible Markup Language (XML) 1.0 ++ ++REC-xml-&iso6.doc.date; ++W3C Recommendation ++&draft.day;&draft.month;&draft.year; ++ ++ ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date; ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps ++ ++ ++ ++httÿÿÿ€www.w3.org/TR/REC-xml ++ ++ ++ ++http://www.w3.org/TR/PR-xml-971208 ++ ++ ++ ++Tim Bray ++Textuality and Netscape ++tbray@textuality.com ++Jean Paoli ++Microsoft ++jeanpa@microsoft.com ++C. M. Sperberg-McQueen ++University of Illinois at Chicago ++cmsmcq@uic.edu ++ ++ ++

The Extensible Markup Language (XML) is a subset of ++SGML that is completely described in this document. Its goal is to ++enable generic SGML to be served, received, and processed on the Web ++in the way that is now possible with HTML. XML has been designed for ++ease of implementation and for interoperability with both SGML and ++HTML.

++
++ ++

This document has been reviewed by W3C Members and ++other interested parties and has been endorsed by the ++Director as a W3C Recommendation. It is a stable ++document and may be used as reference material or cited ++as a normative reference from another document. W3C's ++role in making the Recommendation is to draw attention ++to the spPcification and to promote its widespread ++deployment. This enhances the functionality and ++interoperability of the Web.

++

++This document specifies a syntax created by subsetting an existing, ++widely used international text processing standard (Standard ++Generalized Markup Language, ISO 8879:1986(E) as amended and ++corrected) for use on the World Wide Web. It is a product of the W3C ++XML Activity, details of which can be found at http://www.w3.org/XML. A list of ++current W3C Recommendations and other technical documents can be found ++at http://www.w3.org/TR. ++

++

This specification uses the term URI, which is defined by , a work in progress expected to update and . ++

++

The list of known errors in this specification is ++available at ++http://www.w3.org/XML/xml-19980210-errata.

++

Please report errors in this document to ++xml-editor@w3.org. ++

++
++ ++ ++ ++

Chicago, Vancouver, Mountain View, et al.: ++World-Wide Web Consortium, XML Working Group, 1996, 1997.

++
++ ++

Created in electronic form.

++
++ ++English ++Extended Backus-Naur Form (formal grammar) ++ ++ ++ ++1997-12-03 : CMSMcQ : yet further changes ++1997-12-02 : TB : further changes (see TB to XML WG, ++2 December 1997) ++1997-12-02 : CMSMcQ : deal with as many corrections and ++comments from the proofreaders as possible: ++entify hard-coded document date in pubdate element, ++change expansion of entity WebSGML, ++update status description as per Dan Connolly (am not sure ++about refernece to Berners-Lee et al.), ++add 'The' to abstract as per WG decision, ++move Relationship to Existing Standards to back matter and ++combine with References, ++re-order back matter so normative appendices come first, ++re-tag back matter so informative appendices are tagged informdiv1, ++remove XXX XXX from list of 'normative' specs in prose, ++move some references from Other References to Normative References, ++add RFC 1738, 1808, and 2141 to Other References (they are not ++normative since we do not require the processor to enforce any ++rules based on them), ++add reference to 'Fielding draft' (Berners-Lee et al.), ++move notation section to end of body, ++drop URIchar non-terminal and use SkipLit instead, ++lose stray reference to defunct nonterminal 'markupdecls', ++move reference to Aho et al. into appendix (Tim's right), ++add prose note saying that hash marks and fragment identifiers are ++NOT part of the URI formally speaking, and are NOT legal in ++system identifiers (processor 'may' signal an error). ++Work through: ++Tim Bray reacting to James Clark, ++Tim Bray on his own, ++Eve Maler, ++ ++NOT DONE YET: ++change binary / text to unparsed / parsed. 
++handle James's suggestion about < in attriubte values ++uppercase hex characters, ++namechar list, ++ ++1997-12-01 : JB : add some column-width parameters ++1997-12-01 : CMSMcQ : begin round of changes to incorporate ++recent WG decisions and other corrections: ++binding sources of character encoding info (27 Aug / 3 Sept), ++correct wording of Faust quotation (restore dropped line), ++drop SDD from EncodingDecl, ++change text at version number 1.0, ++drop misleading (wrong!) sentence about ignorables and extenders, ++modify definÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙ
ÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙÙxamples with Byte Order Mark. ++Add content model as a term and clarify that it applies to both ++mixed and element content. ++ ++1997-06-30 : CMSMcQ : change date, some cosmetic changes, ++changes to productions for choice, seq, Mixed, NotationType, ++Enumeration. Follow James Clark's suggestion and prohibit ++conditional sections in internal subset. TO DO: simplify ++production for ignored sections as a result, since we don't ++need to worry about parsers whi ++1997-06-29 : TB : various edits ++1997-06-29 : CMSMcQ : further changes: ++Suppress old FINAL EDIT comments and some dead material. ++Revise occurrences of % in grammar to exploit Henry Thompson's pun, ++especially markupdecl and attdef. ++Remove RMD requirement relating to element content (?). ++ ++1997-06-28 : CMSMcQ : Various changes for 1 July draft: ++Add text for draconian error handling (introduce ++the term Fatal Error). ++RE deleta est (changing wording from ++original announcement to restrict the requirement to validating ++parsers). ++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'. ++1997-03-21 : TB : massive changes on plane flight from Chicago ++to Vancouver ++1997-03-21 : CMSMcQ : correct as many reported errors as possible. ++ ++1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec. ++1997 James Clark: ++Define the set of characters from which [^abc] subtracts. 
++Charref should use just [0-9] not Digit. ++Location info needs cleaner treatment: remove? (ERB ++question). ++One example of a PI has wrong pic. ++Clarify discussion of encoding names. ++Encoding failure should lead to unspecified results; don't ++prescribe error recovery. ++Don't require exposure of entity boundaries. ++Ignore white space in element content. ++Reserve entity names of the form u-NNNN. ++Clarify relative URLs. ++And some of my own: ++Correct productions for content model: model cannot ++consist of a name, so "elements ::= cp" is no good. ++ ++1996-11-11 : CMSMcQ : revise for style. ++Add new rhs to entity declaration, for parameter entities. ++1996-11-10 : CMSMcQ : revise for style. ++Fix / complete section on names, characters. ++Add sections on parameter entities, conditional sections. ++Still to do: Add compatibility note on deterministic content models. ++Finish stylistic revision. ++1996-10-31 : TB : Add Entity Handling section ++1996-10-30 : TB : Clean up term & termdef. Slip in ++ERB decision re EMPTY. ++1996-10-28 : TB : Change DTD. Implement some of Michael's ++suggestions. Change comments back to //. Introduce language for ++XML namespace reservation. Add section on white-space handling. ++Lots more cleanup. ++1996-10-24 : CMSMcQ : quick tweaks, implement some ERB ++decisions. Characters are not integers. Comments are /* */ not //. ++Add bibliographic refs to 10646, HyTime, Unicode. ++Rename old Cdata as MsData since it's only seen ++in marked sections. Call them attribute-value pairs not ++name-value pairs, except once. Internal subset is optional, needs ++'?'. Implied attributes should be signaled to the app, not ++have values supplied by processor. ++1996-10-16 : TB : track down & excise all DSD references; ++introduce some EBNF for entity declarations. ++1996-10-?? nsistency check, fix up scraps so ++they all parse, get formatter working, correct a few productions. 
++1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and ++organizational changes: ++Replace a few literals with xmlpio and ++pi""entities, to make them consistent and ensure we can change pic ++reliably when the ERB votes. ++Drop paragraph on recognizers from notation section. ++Add match, exact match to terminology. ++Move old 2.2 XML Processors and Apps into intro. ++Mention comments, PIs, and marked sections in discussion of ++delimiter escaping. ++Streamline discussion of doctype decl syntax. ++Drop old section of 'PI syntax' for doctype decl, and add ++section on partial-DTD summary PIs to end of Logical Structures ++section. ++Revise DSD syntax section to use Tim's subset-in-a-PI ++mechanism. ++1996-10-10 : TB : eliminate name recognizers (and more?) ++1996-10-09 : CMSMcQ : revise for style, consistency through 2.3 ++(Characters) ++1996-10-09 : CMSMcQ : re-unite everything for convenience, ++at least temporarily, and revise quickly ++1996-10-08 : TB : first major homogenization pass ++1996-10-08 : TB : turn "current" attribute on div type into ++CDATA ++1996-10-02 : TB : remould into skeleton + entities ++1996-09-30 : CMSMcQ : add a few more sections prior to exchange ++ with Tim. ++1996-09-20 : CMSMcQ : finish transcribing notes. ++1996-09-19 : CMSMcQ : begin transcribing notes for draft. ++1996-09-13 : CMSMcQ : made outline from notes of 09-06, ++do some housekeeping ++ ++ ++
++<ğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğğm> is used to read XML documents ++and provide access to their content and structure.
It is @ssumed that an XML processor is ++doing its work on behalf of another module, called the ++application. This specification describes the ++required beh\vior of an XML processor in terms of how it must read XML ++data and the information it must provide to the application.

++ ++ ++Origin and Goals ++

XML was developed by an XML Working Group (orisable over the ++Internet.

++

XML shall support a wide variey of applications.

++

XML shall be compatible with SGML.

++

It shall be easy to write programs which process XML ++documents.

++

The number of optional features in XML is to be kept to the ++absolute minimum, ideally zero.

++

XML documents shou
+\ No newline at end of file
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1837.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1837.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1837.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1837.patch 2016-06-03 12:04:01.000000000 +0000
@@ -0,0 +1,137 @@
+From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+
+Index: libxml2-2.9.3+dfsg1/HTMLparser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:33.892487010 -0400
++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:33.888486962 -0400
+@@ -303,6 +303,7 @@
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+ (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2765,31 +2766,43 @@
+
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else {
+@@ -2813,32 +2826,47 @@
+
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+ /*
+ * Name ::= (Letter | '_') (NameChar)*
+ */
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while (IS_PUBIDCHAR_CH(CUR)) {
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '"') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+- NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '\'') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else {
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1838.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1838.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1838.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1838.patch 2016-06-03 12:04:06.000000000 +0000
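Review bot: `len` is incremented once per `NEXT` in all four loops of htmlParseSystemLiteral and htmlParsePubidLiteral, so it counts loop iterations rather than bytes consumed; if `NEXT` can move `CUR_PTR` by more than one byte (its definition is not in this hunk), the `xmlStrndup(..., len)` calls would copy a truncated literal. Deriving the length from the same offsets keeps the stale-pointer fix and measures what the old `CUR_PTR - q` did: `len = (CUR_PTR - BASE_PTR) - startPosition;` placed just before each `xmlStrndup`. The new early `return(ret);` on `CUR_PTR < BASE_PTR` also leaves without an htmlParseErr call, unlike the other failure paths in these functions. Both function bodies end outside the hunks.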
@@ -0,0 +1,90 @@
+From db07dd613e461df93dde7902c6505629bf0734e9 Mon Sep 17 00:00:00 2001
+From: David Kilzer
+Date: Fri, 12 Feb 2016 09:58:29 -0800
+Subject: Bug 758588: Heap-based buffer overread in
+ xmlParserPrintFileContextInternal
+
+
+* parser.c:
+(xmlParseEndTag2): Add bounds checks before dereferencing
+ctxt->input->cur past the end of the buffer, or incrementing the
+pointer past the end of the buffer.
+
+* result/errors/758588.xml: Add test result.
+* result/errors/758588.xml.err: Ditto.
+* result/errors/758588.xml.str: Ditto.
+* test/errors/758588.xml: Add regression test.
+---
+ parser.c | 8 ++++++--
+ result/errors/758588.xml | 0
+ result/errors/758588.xml.err | 9 +++++++++
+ result/errors/758588.xml.str | 10 ++++++++++
+ test/errors/758588.xml | 1 +
+ 5 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/758588.xml
+ create mode 100644 result/errors/758588.xml.err
+ create mode 100644 result/errors/758588.xml.str
+ create mode 100644 test/errors/758588.xml
+
+Index: libxml2-2.9.3+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/parser.c 2016-06-03 08:00:41.384577672 -0400
++++ libxml2-2.9.3+dfsg1/parser.c 2016-06-03 08:00:41.376577575 -0400
+@@ -9824,6 +9824,7 @@
+ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
+ const xmlChar *URI, int line, int nsNr, int tlen) {
+ const xmlChar *name;
++ size_t curLength;
+
+ GROW;
+ if ((RAW != '<') || (NXT(1) != '/')) {
+@@ -9832,8 +9833,11 @@
+ }
+ SKIP(2);
+
+- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
+- if (ctxt->input->cur[tlen] == '>') {
++ curLength = ctxt->input->end - ctxt->input->cur;
++ if ((tlen > 0) && (curLength >= (size_t)tlen) &&
++ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
++ if ((curLength >= (size_t)(tlen + 1)) &&
++ (ctxt->input->cur[tlen] == '>')) {
+ ctxt->input->cur += tlen + 1;
+ ctxt->input->col += tlen + 1;
+ goto done;
+Index: 
libxml2-2.9.3+dfsg1/result/errors/758588.xml.err +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/errors/758588.xml.err 2016-06-03 08:00:41.380577623 -0400 +@@ -0,0 +1,9 @@ ++./test/errors/758588.xml:1: namespace error : Namespace prefix a-3402823669209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
34725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846
347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined ++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a ++ ^ ++./test/errors/758588.xml:1: parser error : expected '>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a> +Date: Tue, 1 Mar 2016 11:34:04 -0800 +Subject: Bug 758605: Heap-based buffer overread in xmlDictAddString + + +Reviewed by David Kilzer. + +* HTMLparser.c: +(htmlParseName): Add bounds check. +(htmlParseNameComplex): Ditto. +* result/HTML/758605.html: Added. +* result/HTML/758605.html.err: Added. +* result/HTML/758605.html.sax: Added. +* runtest.c: +(pushParseTest): The input for the new test case was so small +(4 bytes) that htmlParseChunk() was never called after +htmlCreatePushParserCtxt(), thereby creating a false positive +test failure. Fixed by using a do-while loop so we always call +htmlParseChunk() at least once. +* test/HTML/758605.html: Added. 
+---
+ HTMLparser.c | 8 ++++++++
+ result/HTML/758605.html | 3 +++
+ result/HTML/758605.html.err | 3 +++
+ result/HTML/758605.html.sax | 13 +++++++++++++
+ runtest.c | 4 ++--
+ test/HTML/758605.html | 1 +
+ 6 files changed, 30 insertions(+), 2 deletions(-)
+ create mode 100644 result/HTML/758605.html
+ create mode 100644 result/HTML/758605.html.err
+ create mode 100644 result/HTML/758605.html.sax
+ create mode 100644 test/HTML/758605.html
+
+Index: libxml2-2.9.3+dfsg1/HTMLparser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:49.064670606 -0400
++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:49.060670558 -0400
+@@ -2472,6 +2472,10 @@
+ (*in == '_') || (*in == '-') ||
+ (*in == ':') || (*in == '.'))
+ in++;
++
++ if (in == ctxt->input->end)
++ return(NULL);
++
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+ ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
+@@ -2515,6 +2519,10 @@
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
++
++ if (ctxt->input->base > ctxt->input->cur - len)
++ return(NULL);
++
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+ }
+
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1840.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1840.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1840.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-1840.patch 2016-06-03 12:04:17.000000000 +0000
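Review bot: The guard added in the second HTMLparser.c hunk, `if (ctxt->input->base > ctxt->input->cur - len)`, forms the pointer `cur - len` before testing it, and a pointer computed below the start of the buffer is undefined behaviour in C, so the check cannot be relied on in exactly the case it is meant to catch. Comparing distances avoids that: `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);`. In the first hunk the `in == ctxt->input->end` test runs only after the scanning loop has already read `*in`, so it presumably relies on the buffer being terminated at `end`; `>=` would be the more defensive comparison. Both enclosing functions start and end outside the hunks, and the runtest.c change described in the commit message is not among the hunks shown for this patch file.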
@@ -0,0 +1,32 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error. Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.3+dfsg1/xmlregexp.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/xmlregexp.c 2016-06-03 08:00:57.248769637 -0400
++++ libxml2-2.9.3+dfsg1/xmlregexp.c 2016-06-03 08:00:57.244769588 -0400
+@@ -5052,11 +5052,12 @@
+ ERROR("Expecting the end of a char range");
+ return;
+ }
+- NEXTL(len);
++
+ /* TODO check that the values are acceptable character ranges for XML */
+ if (end < start) {
+ ERROR("End of range is before start of range");
+ } else {
++ NEXTL(len);
+ xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ XML_REGEXP_CHARVAL, start, end, NULL);
+ }
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3627.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3627.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3627.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3627.patch 2016-06-03 12:05:29.000000000 +0000
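Review bot: The reordering in xmlFAParseCharRange leaves no trace in the code of why `NEXTL(len)` now sits in the `else` branch, and the removed call is replaced by an empty line. A short comment above the moved call would keep a later cleanup from hoisting it back out: `/* advance only for a valid range; advancing after an error leads to an out of bounds access */`. The wording follows the commit message, and the function starts and ends outside the hunk.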
@@ -0,0 +1,59 @@
+From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 23 May 2016 12:27:58 +0800
+Subject: Avoid building recursive entities
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=762100
+
+When we detect a recusive entity we should really not
+build the associated data, moreover if someone bypass
+libxml2 fatal errors and still tries to serialize a broken
+entity make sure we don't risk to get ito a recursion
+
+* parser.c: xmlParserEntityCheck() don't build if entity loop
+ were found and remove the associated text content
+* tree.c: xmlStringGetNodeList() avoid a potential recursion
+---
+ parser.c | 6 +++++-
+ tree.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index ea0e89e..53a6b7f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ * entities problems
+ */
+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+- (ent->content != NULL) && (ent->checked == 0)) {
++ (ent->content != NULL) && (ent->checked == 0) &&
++ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
+ unsigned long oldnbent = ctxt->nbentities;
+ xmlChar *rep;
+
+@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
++ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
++ ent->content[0] = 0;
++ }
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+diff --git a/tree.c b/tree.c
+index 7fbca6e..9d330b8 100644
+--- a/tree.c
++++ b/tree.c
+@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
+ else if ((ent != NULL) && (ent->children == NULL)) {
+ xmlNodePtr temp;
+
++ ent->children = (xmlNodePtr) -1;
+ ent->children = xmlStringGetNodeList(doc,
+ (const xmlChar*)node->content);
+ ent->owner = 1;
+--
+cgit v0.12
+
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3705.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3705.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3705.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-3705.patch 2016-06-03 12:04:25.000000000 +0000
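Review bot: In the tree.c hunk of CVE-2016-3627.patch, `ent->children = (xmlNodePtr) -1;` parks an invalid pointer in the entity while the recursive xmlStringGetNodeList call runs, and nothing marks it as a sentinel. Only the `ent->children == NULL` test shown here is protected by it; any other reader of `ent->children` reached during that call would dereference -1, and whether such a reader exists cannot be told from this hunk. At minimum add `/* sentinel: entity is being expanded, blocks re-entry for a self-referencing entity */` above the assignment; a dedicated flag on the entity would be safer than a fake pointer. In parser.c the new guard reads `ctxt->errNo`, which presumably holds only the most recent error, so it is worth confirming that a later error cannot overwrite `XML_ERR_ENTITY_LOOP` before the check runs. Both functions start and end outside the hunks.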
@@ -0,0 +1,65 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: Add missing increments of recursion depth counter to XML parser.
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.3+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/parser.c 2016-06-03 08:01:57.773501948 -0400
++++ libxml2-2.9.3+dfsg1/parser.c 2016-06-03 08:01:57.769501899 -0400
+@@ -144,8 +144,10 @@
+
+ ent->checked = 1;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3965,8 +3967,10 @@
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4091,9 +4095,11 @@
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4129,8 +4135,10 @@
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4447.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4447.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4447.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4447.patch 2016-06-03 12:05:05.000000000 +0000
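Review bot: The `++ctxt->depth;` / `--ctxt->depth;` bracket is now written out by hand at four xmlStringDecodeEntities() call sites in parser.c, and forgetting it at a call site is exactly the omission this patch repairs. Folding the bracket into one static wrapper around xmlStringDecodeEntities() would keep a future call site from missing it; the minimal alternative is a comment at each site such as `/* count this nested expansion against the parser depth limit */`. The depth limit check itself is not in these hunks, so this assumes xmlStringDecodeEntities() enforces it, as the description implies. All four enclosing functions start and end outside the hunks.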
@@ -0,0 +1,64 @@
+From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
+From: David Kilzer
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: Heap-based buffer-underreads due to xmlParseName
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml). Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly. This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+---
+ parser.c | 2 ++
+ result/errors/759573-2.xml | 0
+ result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
+ result/errors/759573-2.xml.str | 4 +++
+ result/errors/759573.xml | 0
+ result/errors/759573.xml.err | 31 ++++++++++++++++++++++
+ result/errors/759573.xml.str | 4 +++
+ test/errors/759573-2.xml | 9 +++++++
+ test/errors/759573.xml | 1 +
+ 9 files changed, 109 insertions(+)
+ create mode 100644 result/errors/759573-2.xml
+ create mode 100644 result/errors/759573-2.xml.err
+ create mode 100644 result/errors/759573-2.xml.str
+ create mode 100644 result/errors/759573.xml
+ create mode 100644 result/errors/759573.xml.err
+ create mode 100644 result/errors/759573.xml.str
+ create mode 100644 test/errors/759573-2.xml
+ create mode 100644 test/errors/759573.xml
+
+Index: libxml2-2.9.3+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/parser.c 2016-06-03 08:05:01.531724616 -0400
++++ libxml2-2.9.3+dfsg1/parser.c 2016-06-03 08:05:01.527724569 -0400
+@@ -6693,6 +6693,7 @@
+ if (!IS_BLANK_CH(CUR)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "Space required after 'ELEMENT'\n");
++ return(-1);
+ }
+ SKIP_BLANKS;
+ name = xmlParseName(ctxt);
+@@ -6844,6 +6845,7 @@
+
+ if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++ xmlHaltParser(ctxt);
+ break;
+ }
+ }
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-1.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-1.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-1.patch 2017-03-14 20:05:20.000000000 +0000
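Review bot: The added `return(-1);` in the first hunk bails out only at the "Space required after 'ELEMENT'" check, so any later check in xmlParseElementDecl that reports a fatal error and carries on could still reach the SKIP(3) bad state the description mentions; the rest of the function is outside the hunk and should be audited with it. The new return also deserves a comment, e.g. `/* bail out: continuing leaves the parser in a bad state at the final SKIP(3) */`. In the second hunk, `xmlHaltParser(ctxt);` before `break;` could carry `/* no progress was made: halt so the PE reference handler cannot recurse */`, which is what the description gives as the reason.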
@@ -0,0 +1,1065 @@
+From 4472c3a5a5b516aaf59b89be602fbce52756c3e9 Mon Sep 17 00:00:00 2001
+From: David Kilzer
+Date: Fri, 13 May 2016 15:13:17 +0800
+Subject: Fix some format string warnings with possible format string
+ vulnerability
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+Decorate every method in libxml2 with the appropriate
+LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
+following the reports.
+---
+ HTMLparser.c | 4 +--
+ SAX2.c | 12 ++++----
+ catalog.c | 2 +-
+ configure.ac | 4 +--
+ debugXML.c | 4 +--
+ encoding.c | 2 +-
+ entities.c | 2 +-
+ error.c | 2 +-
+ include/libxml/parserInternals.h | 2 +-
+ include/libxml/xmlerror.h | 2 +-
+ include/libxml/xmlstring.h | 8 ++---
+ libxml.h | 2 +-
+ parser.c | 37 +++++++++++----------
+ parserInternals.c | 4 +--
+ relaxng.c | 4 +--
+ schematron.c | 2 +-
+ testModule.c | 2 +-
+ valid.c | 8 ++---
+ xinclude.c | 4 +--
+ xmlIO.c | 14 ++++-----
+ xmllint.c | 20 ++++++------
+ xmlreader.c | 16 +++++++---
+ xmlschemas.c | 66 ++++++++++++++++++++--------------------
+ xmlstring.c | 4 +--
+ xmlwriter.c | 4 +--
+ xpath.c | 2 +-
+ xpointer.c | 2 +-
+ 27 files changed, 121 insertions(+), 114 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index c6fcbc9..0985d1d 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -105,7 +105,7 @@ htmlErrMemory(xmlParserCtxtPtr ctxt, const char *extra)
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -132,7 +132,7 @@ htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, int val)
+ {
+diff --git a/SAX2.c b/SAX2.c
+index ffef3e1..5cbb700 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -55,7 +55,7 @@
+ * @ctxt: an XML validation parser context
+ * @msg: a string to accompany the error message
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) {
+ xmlStructuredErrorFunc schannel = NULL;
+ const char *str1 = "out of memory\n";
+@@ -93,7 +93,7 @@ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) {
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const char *str1, const char *str2)
+ {
+@@ -133,7 +133,7 @@ xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -164,7 +164,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a parser warning
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1)
+ {
+@@ -189,7 +189,7 @@ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a namespace error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -213,7 +213,7 @@ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a namespace warning
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+diff --git a/catalog.c b/catalog.c
+index ac6e981..6dfdfbb 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -238,7 +238,7 @@ xmlCatalogErrMemory(const char *extra)
+ *
+ * Handle a catalog error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2,
+ const xmlChar *str3)
+diff --git a/configure.ac b/configure.ac
+index 5ffa01f..911984e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -791,7 +791,7 @@ else
+ fi
+
+ # warnings we'd like to see
+- CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls"
++ CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls"
+ # warnings we'd like to supress
+ CFLAGS="${CFLAGS} -Wno-long-long"
+ case "${host}" in
+@@ -1010,7 +1010,7 @@ if [[ "${LOGNAME}" = "veillard" -a "`pwd`" = "/u/veillard/XML" ]] || \
+ fi
+ fi
+ if test "${GCC}" = "yes" ; then
+- CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall"
++ CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall"
+ fi
+ STATIC_BINARIES="-static"
+ dnl -Wcast-qual -ansi
+diff --git a/debugXML.c b/debugXML.c
+index e34b140..a1b550a 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -164,7 +164,7 @@ xmlDebugErr(xmlDebugCtxtPtr ctxt, int error, const char *msg)
+ NULL, NULL, NULL, 0, 0,
+ "%s", msg);
+ }
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra)
+ {
+ ctxt->errors++;
+@@ -174,7 +174,7 @@ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra)
+ NULL, NULL, NULL, 0, 0,
+ msg, extra);
+ }
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlDebugErr3(xmlDebugCtxtPtr ctxt, int error, const char *msg, const char *extra)
+ {
+ ctxt->errors++;
+diff --git a/encoding.c b/encoding.c
+index 574e1ae..e49c7f8 100644
+--- a/encoding.c
++++ b/encoding.c
+@@ -93,7 +93,7 @@ xmlEncodingErrMemory(const char *extra)
+ *
+ * n encoding error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val)
+ {
+ __xmlRaiseError(NULL, NULL, NULL, NULL, NULL,
+diff --git a/entities.c b/entities.c
+index a72afb3..64808ff 100644
+--- a/entities.c
++++ b/entities.c
+@@ -83,7 +83,7 @@ xmlEntitiesErrMemory(const char *extra)
+ *
+ * Handle an out of memory condition
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlEntitiesErr(xmlParserErrors code, const char *msg)
+ {
+ __xmlSimpleError(XML_FROM_TREE, code, NULL, msg, NULL);
+diff --git a/error.c b/error.c
+index 4ca6838..9606f13 100644
+--- a/error.c
++++ b/error.c
+@@ -18,7 +18,7 @@
+
+ void XMLCDECL xmlGenericErrorDefaultFunc (void *ctx ATTRIBUTE_UNUSED,
+ const char *msg,
+- ...);
++ ...) LIBXML_ATTR_FORMAT(2,3);
+
+ #define XML_GET_VAR_STR(msg, str) { \
+ int size, prev_size = -1; \
+diff --git a/include/libxml/parserInternals.h b/include/libxml/parserInternals.h
+index 6065320..f30fc68 100644
+--- a/include/libxml/parserInternals.h
++++ b/include/libxml/parserInternals.h
+@@ -351,7 +351,7 @@ XMLPUBFUN void XMLCALL
+ xmlParserErrors xmlerr,
+ const char *msg,
+ const xmlChar * str1,
+- const xmlChar * str2);
++ const xmlChar * str2) LIBXML_ATTR_FORMAT(3,0);
+ #endif
+
+ /**
+diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
+index 43e68ca..037c16d 100644
+--- a/include/libxml/xmlerror.h
++++ b/include/libxml/xmlerror.h
+@@ -937,7 +937,7 @@ XMLPUBFUN void XMLCALL
+ int code,
+ xmlNodePtr node,
+ const char *msg,
+- const char *extra);
++ const char *extra) LIBXML_ATTR_FORMAT(4,0);
+ #endif
+ #ifdef __cplusplus
+ }
+diff --git a/include/libxml/xmlstring.h b/include/libxml/xmlstring.h
+index 2036236..2d0b2d1 100644
+--- a/include/libxml/xmlstring.h
++++ b/include/libxml/xmlstring.h
+@@ -97,13 +97,13 @@ XMLPUBFUN xmlChar * XMLCALL
+ XMLPUBFUN int XMLCALL
+ xmlStrPrintf (xmlChar *buf,
+ int len,
+- const xmlChar *msg,
+- ...);
++ const char *msg,
++ ...) LIBXML_ATTR_FORMAT(3,4);
+ XMLPUBFUN int XMLCALL
+ xmlStrVPrintf (xmlChar *buf,
+ int len,
+- const xmlChar *msg,
+- va_list ap);
++ const char *msg,
++ va_list ap) LIBXML_ATTR_FORMAT(3,0);
+
+ XMLPUBFUN int XMLCALL
+ xmlGetUTF8Char (const unsigned char *utf,
+diff --git a/libxml.h b/libxml.h
+index 2da9044..4558b70 100644
+--- a/libxml.h
++++ b/libxml.h
+@@ -68,7 +68,7 @@ extern int __xmlRegisterCallbacks;
+ * internal error reporting routines, shared but not partof the API.
+ */
+ void __xmlIOErr(int domain, int code, const char *extra);
+-void __xmlLoaderErr(void *ctx, const char *msg, const char *filename);
++void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0);
+ #ifdef LIBXML_HTML_ENABLED
+ /*
+ * internal function of HTML parser needed for xmlParseInNodeContext
+diff --git a/parser.c b/parser.c
+index f6d652e..15c606f 100644
+--- a/parser.c
++++ b/parser.c
+@@ -346,7 +346,6 @@ static void
+ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ {
+ const char *errmsg;
+- char errstr[129] = "";
+
+ if ((ctxt != NULL) && (ctxt->disableSAX != 0) &&
+ (ctxt->instate == XML_PARSER_EOF))
+@@ -533,15 +532,17 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ default:
+ errmsg = "Unregistered error message";
+ }
+- if (info == NULL)
+- snprintf(errstr, 128, "%s\n", errmsg);
+- else
+- snprintf(errstr, 128, "%s: %%s\n", errmsg);
+ if (ctxt != NULL)
+ ctxt->errNo = error;
+- __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
+- XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, &errstr[0],
+- info);
++ if (info == NULL) {
++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s\n",
++ errmsg);
++ } else {
++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s: %s\n",
++ errmsg, info);
++ }
+ if (ctxt != NULL) {
+ ctxt->wellFormed = 0;
+ if (ctxt->recovery == 0)
+@@ -557,7 +558,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg)
+ {
+@@ -585,7 +586,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a warning.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -623,7 +624,7 @@ xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a validity error.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -663,7 +664,7 @@ xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, int val)
+ {
+@@ -693,7 +694,7 @@ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, int val,
+ const xmlChar *str2)
+@@ -723,7 +724,7 @@ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar * val)
+ {
+@@ -752,7 +753,7 @@ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a non fatal parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar * val)
+ {
+@@ -777,7 +778,7 @@ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg,
+ const xmlChar * info1, const xmlChar * info2,
+@@ -806,7 +807,7 @@ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a namespace warning error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg,
+ const xmlChar * info1, const xmlChar * info2,
+@@ -5522,7 +5523,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ skipped = SKIP_BLANKS;
+ if (skipped == 0) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+- "Space required after '%'\n");
++ "Space required after '%%'\n");
+ }
+ isParameter = 1;
+ }
+diff --git a/parserInternals.c b/parserInternals.c
+index 6c3995c..8c79678 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -165,7 +165,7 @@ __xmlErrEncoding(xmlParserCtxtPtr ctxt, xmlParserErrors xmlerr,
+ *
+ * Handle an internal error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str)
+ {
+ if ((ctxt != NULL) && (ctxt->disableSAX != 0) &&
+@@ -193,7 +193,7 @@ xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str)
+ *
+ * n encoding error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrEncodingInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, int val)
+ {
+diff --git a/relaxng.c b/relaxng.c
+index 5779e7f..345f354 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -507,7 +507,7 @@ xmlRngVErrMemory(xmlRelaxNGValidCtxtPtr ctxt, const char *extra)
+ *
+ * Handle a Relax NG Parsing error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+@@ -541,7 +541,7 @@ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ *
+ * Handle a Relax NG Validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlRngVErr(xmlRelaxNGValidCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+diff --git a/schematron.c b/schematron.c
+index 458984f..6200f2d 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -245,7 +245,7 @@ xmlSchematronPErrMemory(xmlSchematronParserCtxtPtr ctxt,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchematronPErr(xmlSchematronParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+diff --git a/testModule.c b/testModule.c
+index e399f5c..77b7ba1 100644
+--- a/testModule.c
++++ b/testModule.c
+@@ -47,7 +47,7 @@ int main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
+
+ /* build the module filename, and confirm the module exists */
+ xmlStrPrintf(filename, sizeof(filename),
+- (const xmlChar*) "%s/testdso%s",
++ "%s/testdso%s",
+ (const xmlChar*)MODULE_PATH,
+ (const xmlChar*)LIBXML_MODULE_EXTENSION);
+
+diff --git a/valid.c b/valid.c
+index 6567f15..19f84b8 100644
+--- a/valid.c
++++ b/valid.c
+@@ -93,7 +93,7 @@ xmlVErrMemory(xmlValidCtxtPtr ctxt, const char *extra)
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const char *extra)
+ {
+@@ -137,7 +137,7 @@ xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a validation error, provide contextual informations
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidNode(xmlValidCtxtPtr ctxt,
+ xmlNodePtr node, xmlParserErrors error,
+ const char *msg, const xmlChar * str1,
+@@ -180,7 +180,7 @@ xmlErrValidNode(xmlValidCtxtPtr ctxt,
+ *
+ * Handle a validation error, provide contextual informations
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt,
+ xmlNodePtr node, xmlParserErrors error,
+ const char *msg, const xmlChar * str1,
+@@ -221,7 +221,7 @@ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt,
+ *
+ * Handle a validation error, provide contextual information
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidWarning(xmlValidCtxtPtr ctxt,
+ xmlNodePtr node, xmlParserErrors error,
+ const char *msg, const xmlChar * str1,
+diff --git a/xinclude.c b/xinclude.c
+index ff3dafb..e3bb43e 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -125,7 +125,7 @@ xmlXIncludeErrMemory(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node,
+ *
+ * Handle an XInclude error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar *extra)
+ {
+@@ -147,7 +147,7 @@ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+ *
+ * Emit an XInclude warning.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlXIncludeWarn(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar *extra)
+ {
+diff --git a/xmlIO.c b/xmlIO.c
+index 8b13184..1a79c09 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -1604,7 +1604,7 @@ xmlCreateZMemBuff( int compression ) {
+ xmlFreeZMemBuff( buff );
+ buff = NULL;
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlCreateZMemBuff: %s %d\n",
++ "xmlCreateZMemBuff: %s %d\n",
+ "Error initializing compression context. ZLIB error:",
+ z_err );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1672,7 +1672,7 @@ xmlZMemBuffExtend( xmlZMemBuffPtr buff, size_t ext_amt ) {
+ else {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlZMemBuffExtend: %s %lu bytes.\n",
++ "xmlZMemBuffExtend: %s %lu bytes.\n",
+ "Allocation failure extending output buffer to",
+ new_size );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1718,7 +1718,7 @@ xmlZMemBuffAppend( xmlZMemBuffPtr buff, const char * src, int len ) {
+ if ( z_err != Z_OK ) {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlZMemBuffAppend: %s %d %s - %d",
++ "xmlZMemBuffAppend: %s %d %s - %d",
+ "Compression error while appending",
+ len, "bytes to buffer. ZLIB error", z_err );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1791,7 +1791,7 @@ xmlZMemBuffGetContent( xmlZMemBuffPtr buff, char ** data_ref ) {
+ else {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlZMemBuffGetContent: %s - %d\n",
++ "xmlZMemBuffGetContent: %s - %d\n",
+ "Error flushing zlib buffers. Error code", z_err );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+ }
+@@ -1996,7 +1996,7 @@ xmlIOHTTPWrite( void * context, const char * buffer, int len ) {
+ if ( len < 0 ) {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlIOHTTPWrite: %s\n%s '%s'.\n",
++ "xmlIOHTTPWrite: %s\n%s '%s'.\n",
+ "Error appending to internal buffer.",
+ "Error sending document to URI",
+ ctxt->uri );
+@@ -2068,7 +2068,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) {
+ if ( http_content == NULL ) {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n",
++ "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n",
+ "Error retrieving content.\nUnable to",
+ http_mthd, "data to URI", ctxt->uri );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -2140,7 +2140,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) {
+ else {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n",
++ "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n",
+ http_mthd, content_lgth,
+ "bytes to URI", ctxt->uri,
+ "failed. HTTP return code:", http_rtn );
+diff --git a/xmllint.c b/xmllint.c
+index 00f1769..67f7adb 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -449,7 +449,7 @@ startTimer(void)
+ * message about the timing performed; format is a printf
+ * type argument
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(const char *fmt, ...)
+ {
+ long msec;
+@@ -485,7 +485,7 @@ startTimer(void)
+ {
+ begin = clock();
+ }
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(const char *fmt, ...)
+ {
+ long msec;
+@@ -514,7 +514,7 @@ startTimer(void)
+ * Do nothing
+ */
+ }
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(char *format, ...)
+ {
+ /*
+@@ -634,7 +634,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
+ * Display and format an error messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLError(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -671,7 +671,7 @@ xmlHTMLError(void *ctx, const char *msg, ...)
+ * Display and format a warning messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLWarning(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -709,7 +709,7 @@ xmlHTMLWarning(void *ctx, const char *msg, ...)
+ * Display and format an validity error messages, gives file,
+ * line, position and extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLValidityError(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -746,7 +746,7 @@ xmlHTMLValidityError(void *ctx, const char *msg, ...)
+ * Display and format a validity warning messages, gives file, line,
+ * position and extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -1411,7 +1411,7 @@ commentDebug(void *ctx ATTRIBUTE_UNUSED, const xmlChar *value)
+ * Display and format a warning messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+ va_list args;
+@@ -1434,7 +1434,7 @@ warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ * Display and format a error messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+ va_list args;
+@@ -1457,7 +1457,7 @@ errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ * Display and format a fatalError messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+ va_list args;
+diff --git a/xmlreader.c b/xmlreader.c
+index d416dac..f285790 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -4050,13 +4050,19 @@ xmlTextReaderCurrentDoc(xmlTextReaderPtr reader) {
+ }
+
+ #ifdef LIBXML_SCHEMAS_ENABLED
+-static char *xmlTextReaderBuildMessage(const char *msg, va_list ap);
++static char *xmlTextReaderBuildMessage(const char *msg, va_list ap) LIBXML_ATTR_FORMAT(1,0);
+
+ static void XMLCDECL
+-xmlTextReaderValidityError(void *ctxt, const char *msg, ...);
++xmlTextReaderValidityError(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
+
+ static void XMLCDECL
+-xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...);
++xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
++
++static void XMLCDECL
++xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
++
++static void XMLCDECL
++xmlTextReaderValidityWarningRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
+
+ static void XMLCDECL
+ xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...)
+@@ -4850,7 +4856,7 @@ xmlTextReaderStructuredError(void *ctxt, xmlErrorPtr error)
+ }
+ }
+
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlTextReaderError(void *ctxt, const char *msg, ...)
+ {
+ va_list ap;
+@@ -4863,7 +4869,7 @@ xmlTextReaderError(void *ctxt, const char *msg, ...)
+
+ }
+
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlTextReaderWarning(void *ctxt, const char *msg, ...)
+ {
+ va_list ap;
+diff --git a/xmlschemas.c b/xmlschemas.c
+index ee22a6d..76f2119 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -1085,7 +1085,7 @@ xmlSchemaGetUnionSimpleTypeMemberTypes(xmlSchemaTypePtr type);
+ static void
+ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt,
+ const char *funcName,
+- const char *message);
++ const char *message) LIBXML_ATTR_FORMAT(3,0);
+ static int
+ xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt,
+ xmlSchemaTypePtr type,
+@@ -1889,7 +1889,7 @@ xmlSchemaPErrMemory(xmlSchemaParserCtxtPtr ctxt,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+@@ -1922,7 +1922,7 @@ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node,
+ xmlNodePtr child, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+@@ -1951,7 +1951,7 @@ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(7,0)
+ xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const xmlChar * strData1, const xmlChar * strData2,
+ const xmlChar * strData3, const char *msg, const xmlChar * str1,
+@@ -2002,7 +2002,7 @@ xmlSchemaVErrMemory(xmlSchemaValidCtxtPtr ctxt,
+ extra);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlSchemaPSimpleInternalErr(xmlNodePtr node,
+ const char *msg, const xmlChar *str)
+ {
+@@ -2013,18 +2013,21 @@ xmlSchemaPSimpleInternalErr(xmlNodePtr node,
+ #define WXS_ERROR_TYPE_ERROR 1
+ #define WXS_ERROR_TYPE_WARNING 2
+ /**
+- * xmlSchemaErr3:
++ * xmlSchemaErr4Line:
+ * @ctxt: the validation context
+- * @node: the context node
++ * @errorLevel: the error level
+ * @error: the error code
++ * @node: the context node
++ * @line: the line number
+ * @msg: the error message
+ * @str1: extra data
+ * @str2: extra data
+ * @str3: extra data
++ * @str4: extra data
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(6,0)
+ xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt,
+ xmlErrorLevel errorLevel,
+ int error, xmlNodePtr node, int line, const char *msg,
+@@ -2139,7 +2142,7 @@ xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt,
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt,
+ int error, xmlNodePtr node, const char *msg,
+ const xmlChar *str1, const xmlChar *str2, const xmlChar *str3)
+@@ -2148,7 +2151,7 @@ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt,
+ msg, str1, str2, str3, NULL);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt,
+ int error, xmlNodePtr node, const char *msg,
+ const xmlChar *str1, const xmlChar *str2,
+@@ -2158,7 +2161,7 @@ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt,
+ msg, str1, str2, str3, str4);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt,
+ int error, xmlNodePtr node, const char *msg,
+ const xmlChar *str1, const xmlChar *str2)
+@@ -2181,7 +2184,7 @@ xmlSchemaFormatNodeForError(xmlChar ** msg,
+ /*
+ * Don't try to format other nodes than element and
+ * attribute nodes.
+- * Play save and return an empty string.
++ * Play safe and return an empty string.
+ */ + *msg = xmlStrdup(BAD_CAST ""); + return(*msg); +@@ -2262,7 +2265,7 @@ xmlSchemaFormatNodeForError(xmlChar ** msg, + return (*msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message, +@@ -2273,24 +2276,21 @@ xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, + + if (actxt == NULL) + return; +- msg = xmlStrdup(BAD_CAST "Internal error: "); +- msg = xmlStrcat(msg, BAD_CAST funcName); +- msg = xmlStrcat(msg, BAD_CAST ", "); ++ msg = xmlStrdup(BAD_CAST "Internal error: %s, "); + msg = xmlStrcat(msg, BAD_CAST message); + msg = xmlStrcat(msg, BAD_CAST ".\n"); + + if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR) +- xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL, +- (const char *) msg, str1, str2); +- ++ xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + else if (actxt->type == XML_SCHEMA_CTXT_PARSER) +- xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL, +- (const char *) msg, str1, str2); ++ xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message) +@@ -2299,7 +2299,7 @@ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + } + + #if 0 +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, + const char *funcName, + const char *message, +@@ -2311,7 +2311,7 @@ xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, + } + #endif + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2336,7 +2336,7 @@ xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, + FREE_AND_NULL(msg) + } + +-static void ++static void 
LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2351,7 +2351,7 @@ xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2376,7 +2376,7 @@ xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt, + xmlParserErrors error, + xmlSchemaPSVIIDCNodePtr idcNode, +@@ -2525,7 +2525,7 @@ xmlSchemaIllegalAttrErr(xmlSchemaAbstractCtxtPtr actxt, + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2625,7 +2625,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, + xmlFree(msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2916,7 +2916,7 @@ xmlSchemaPIllegalAttrErr(xmlSchemaParserCtxtPtr ctxt, + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2952,7 +2952,7 @@ xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2977,7 +2977,7 @@ xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, + * + * Reports an attribute use error during parsing. 
+ */ +-static void ++static void LIBXML_ATTR_FORMAT(6,0) + xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -3099,7 +3099,7 @@ xmlSchemaPMutualExclAttrErr(xmlSchemaParserCtxtPtr ctxt, + * Reports a simple type validation error. + * TODO: Should this report the value of an element as well? + */ +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED, +diff --git a/xmlstring.c b/xmlstring.c +index 00287d4..42e380f 100644 +--- a/xmlstring.c ++++ b/xmlstring.c +@@ -545,7 +545,7 @@ xmlStrcat(xmlChar *cur, const xmlChar *add) { + * Returns the number of characters written to @buf or -1 if an error occurs. + */ + int XMLCDECL +-xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { ++xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) { + va_list args; + int ret; + +@@ -573,7 +573,7 @@ xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { + * Returns the number of characters written to @buf or -1 if an error occurs. 
+ */ + int +-xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) { ++xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) { + int ret; + + if((buf == NULL) || (msg == NULL)) { +diff --git a/xmlwriter.c b/xmlwriter.c +index fac20ac..69541b8 100644 +--- a/xmlwriter.c ++++ b/xmlwriter.c +@@ -113,7 +113,7 @@ static int xmlTextWriterWriteDocCallback(void *context, + const xmlChar * str, int len); + static int xmlTextWriterCloseDocCallback(void *context); + +-static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr); ++static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr) LIBXML_ATTR_FORMAT(1,0); + static int xmlOutputBufferWriteBase64(xmlOutputBufferPtr out, int len, + const unsigned char *data); + static void xmlTextWriterStartDocumentCallback(void *ctx); +@@ -153,7 +153,7 @@ xmlWriterErrMsg(xmlTextWriterPtr ctxt, xmlParserErrors error, + * + * Handle a writer error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWriterErrMsgInt(xmlTextWriterPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +diff --git a/xpath.c b/xpath.c +index 620e814..113bce6 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -639,7 +639,7 @@ xmlXPathErrMemory(xmlXPathContextPtr ctxt, const char *extra) + xmlChar buf[200]; + + xmlStrPrintf(buf, 200, +- BAD_CAST "Memory allocation failed : %s\n", ++ "Memory allocation failed : %s\n", + extra); + ctxt->lastError.message = (char *) xmlStrdup(buf); + } else { +diff --git a/xpointer.c b/xpointer.c +index 4b4ac2e..676c510 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -85,7 +85,7 @@ xmlXPtrErrMemory(const char *extra) + * + * Handle a redefinition of attribute error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error, + const char * msg, const xmlChar *extra) + { +-- +cgit v0.12 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-2.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-2.patch --- 
libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4448-2.patch 2017-03-14 20:05:29.000000000 +0000 
@@ -0,0 +1,204 @@ +From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Mon, 23 May 2016 14:58:41 +0800 +Subject: More format string warnings with possible format string vulnerability + +For https://bugzilla.gnome.org/show_bug.cgi?id=761029 + +adds a new xmlEscapeFormatString() function to escape composed format +strings +--- + libxml.h | 3 +++ + relaxng.c | 3 ++- + xmlschemas.c | 39 ++++++++++++++++++++++++++------------- + xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 86 insertions(+), 14 deletions(-) + +diff --git a/libxml.h b/libxml.h +index 4558b70..88e515f 100644 +--- a/libxml.h ++++ b/libxml.h +@@ -9,6 +9,8 @@ + #ifndef __XML_LIBXML_H__ + #define __XML_LIBXML_H__ + ++#include ++ + #ifndef NO_LARGEFILE_SOURCE + #ifndef _LARGEFILE_SOURCE + #define _LARGEFILE_SOURCE +@@ -93,6 +95,7 @@ int __xmlInitializeDict(void); + int __xmlRandom(void); + #endif + ++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg); + int xmlNop(void); + + #ifdef IN_LIBXML +diff --git a/relaxng.c b/relaxng.c +index 345f354..56a3344 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1, + snprintf(msg, 1000, "Unknown error code %d\n", err); + } + msg[1000 - 1] = 0; +- return (xmlStrdup((xmlChar *) msg)); ++ xmlChar *result = xmlCharStrdup(msg); ++ return (xmlEscapeFormatString(&result)); + } + + /** +diff --git a/xmlschemas.c b/xmlschemas.c +index 76f2119..e1b3a4f 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **buf, + } + FREE_AND_NULL(str) + +- return (*buf); ++ return (xmlEscapeFormatString(buf)); + } + + /** +@@ -2249,6 +2249,13 @@ xmlSchemaFormatNodeForError(xmlChar ** msg, + TODO + return (NULL); + } ++ ++ /* ++ * xmlSchemaFormatItemForReport() also returns an escaped format ++ * string, so do this before calling it below (in the future). 
++ */ ++ xmlEscapeFormatString(msg); ++ + /* + * VAL TODO: The output of the given schema component is currently + * disabled. +@@ -2476,11 +2483,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstractCtxtPtr actxt, + msg = xmlStrcat(msg, BAD_CAST " '"); + if (type->builtInType != 0) { + msg = xmlStrcat(msg, BAD_CAST "xs:"); +- msg = xmlStrcat(msg, type->name); +- } else +- msg = xmlStrcat(msg, +- xmlSchemaFormatQName(&str, +- type->targetNamespace, type->name)); ++ str = xmlStrdup(type->name); ++ } else { ++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); ++ if (!str) ++ str = xmlStrdup(qName); ++ } ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + msg = xmlStrcat(msg, BAD_CAST "'"); + FREE_AND_NULL(str); + } +@@ -2617,7 +2626,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, + str = xmlStrcat(str, BAD_CAST ", "); + } + str = xmlStrcat(str, BAD_CAST " ).\n"); +- msg = xmlStrcat(msg, BAD_CAST str); ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + FREE_AND_NULL(str) + } else + msg = xmlStrcat(msg, BAD_CAST "\n"); +@@ -3141,11 +3150,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, + msg = xmlStrcat(msg, BAD_CAST " '"); + if (type->builtInType != 0) { + msg = xmlStrcat(msg, BAD_CAST "xs:"); +- msg = xmlStrcat(msg, type->name); +- } else +- msg = xmlStrcat(msg, +- xmlSchemaFormatQName(&str, +- type->targetNamespace, type->name)); ++ str = xmlStrdup(type->name); ++ } else { ++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); ++ if (!str) ++ str = xmlStrdup(qName); ++ } ++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); + msg = xmlStrcat(msg, BAD_CAST "'."); + FREE_AND_NULL(str); + } +@@ -3158,7 +3169,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, + } + if (expected) { + msg = xmlStrcat(msg, BAD_CAST " Expected is '"); +- msg = xmlStrcat(msg, BAD_CAST expected); ++ xmlChar *expectedEscaped = xmlCharStrdup(expected); ++ msg = xmlStrcat(msg, 
xmlEscapeFormatString(&expectedEscaped)); ++ FREE_AND_NULL(expectedEscaped); + msg = xmlStrcat(msg, BAD_CAST "'.\n"); + } else + msg = xmlStrcat(msg, BAD_CAST "\n"); +diff --git a/xmlstring.c b/xmlstring.c +index 42e380f..cc85777 100644 +--- a/xmlstring.c ++++ b/xmlstring.c +@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int start, int len) { + return(xmlUTF8Strndup(utf, len)); + } + ++/** ++ * xmlEscapeFormatString: ++ * @msg: a pointer to the string in which to escape '%' characters. ++ * Must be a heap-allocated buffer created by libxml2 that may be ++ * returned, or that may be freed and replaced. ++ * ++ * Replaces the string pointed to by 'msg' with an escaped string. ++ * Returns the same string with all '%' characters escaped. ++ */ ++xmlChar * ++xmlEscapeFormatString(xmlChar **msg) ++{ ++ xmlChar *msgPtr = NULL; ++ xmlChar *result = NULL; ++ xmlChar *resultPtr = NULL; ++ size_t count = 0; ++ size_t msgLen = 0; ++ size_t resultLen = 0; ++ ++ if (!msg || !*msg) ++ return(NULL); ++ ++ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) { ++ ++msgLen; ++ if (*msgPtr == '%') ++ ++count; ++ } ++ ++ if (count == 0) ++ return(*msg); ++ ++ resultLen = msgLen + count + 1; ++ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar)); ++ if (result == NULL) { ++ /* Clear *msg to prevent format string vulnerabilities in ++ out-of-memory situations. 
*/ ++ xmlFree(*msg); ++ *msg = NULL; ++ xmlErrMemory(NULL, NULL); ++ return(NULL); ++ } ++ ++ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) { ++ *resultPtr = *msgPtr; ++ if (*msgPtr == '%') ++ *(++resultPtr) = '%'; ++ } ++ result[resultLen - 1] = '\0'; ++ ++ xmlFree(*msg); ++ *msg = result; ++ ++ return *msg; ++} ++ + #define bottom_xmlstring + #include "elfgcchack.h" +-- +cgit v0.12 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4449.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4449.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4449.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4449.patch 2016-06-03 12:05:12.000000000 +0000 
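Review bot: The header comment of xmlEscapeFormatString() in the xmlstring.c hunk documents only the success case, but on allocation failure the body frees `*msg`, sets it to NULL and returns NULL. Callers in this patch depend on that behaviour: the call added to xmlSchemaFormatNodeForError() ignores the return value and so relies entirely on `*msg` being updated, and the xmlStrcat() call sites pass the result straight through. I would extend the comment with `Returns the escaped string, which is also stored in *msg; on allocation failure *msg is freed and set to NULL and NULL is returned.` so that later callers do not keep a pointer to the freed buffer.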
@@ -0,0 +1,44 @@ +From b1d34de46a11323fccffa9fadeb33be670d602f5 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 14 Mar 2016 17:19:44 +0800 +Subject: Fix inappropriate fetch of entities content + +For https://bugzilla.gnome.org/show_bug.cgi?id=761430 + +libfuzzer regression testing exposed another case where the parser would +fetch content of an external entity while not in validating mode. +Plug that hole +--- + parser.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index c424fc1..f6d652e 100644 +--- a/parser.c ++++ b/parser.c +@@ -2861,7 +2861,21 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { + if (ent->content == NULL) { +- xmlLoadEntityContent(ctxt, ent); ++ /* ++ * Note: external parsed entities will not be loaded, ++ * it is not required for a non-validating parser to ++ * complete external PEreferences coming from the ++ * internal subset ++ */ ++ if (((ctxt->options & XML_PARSE_NOENT) != 0) || ++ ((ctxt->options & XML_PARSE_DTDVALID) != 0) || ++ (ctxt->validate != 0)) { ++ xmlLoadEntityContent(ctxt, ent); ++ } else { ++ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING, ++ "not validating will not read content for PE entity %s\n", ++ ent->name, NULL); ++ } + } + ctxt->depth++; + rep = xmlStringDecodeEntities(ctxt, ent->content, what, +-- +cgit v0.12 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4483.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4483.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4483.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4483.patch 2016-06-03 12:05:20.000000000 +0000 
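Review bot: On the new warning path in xmlStringLenDecodeEntities() `ent->content` stays NULL, yet the context lines right after the added block still pass it to `xmlStringDecodeEntities(ctxt, ent->content, what, ...)`. Whether that callee accepts a NULL string cannot be seen from this hunk. The decode should therefore either be skipped when nothing was loaded, with an `if (ent->content != NULL)` test around it, or the else branch should carry a comment stating that a NULL content is tolerated downstream. The enclosing function starts and continues outside the hunk.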
@@ -0,0 +1,49 @@ +From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 May 2016 13:39:13 +0800 +Subject: Avoid an out of bound access when serializing malformed strings + +For https://bugzilla.gnome.org/show_bug.cgi?id=766414 + +* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value + is not UTF-8 be more careful when serializing it as we may do an + out of bound access as a result. +--- + xmlsave.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xmlsave.c b/xmlsave.c +index 774404b..4a8e3f3 100644 +--- a/xmlsave.c ++++ b/xmlsave.c +@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, + xmlBufAdd(buf, BAD_CAST "&", 5); + cur++; + base = cur; +- } else if ((*cur >= 0x80) && ((doc == NULL) || +- (doc->encoding == NULL))) { ++ } else if ((*cur >= 0x80) && (cur[1] != 0) && ++ ((doc == NULL) || (doc->encoding == NULL))) { + /* + * We assume we have UTF-8 content. + */ +@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, + val <<= 6; + val |= (cur[1]) & 0x3F; + l = 2; +- } else if (*cur < 0xF0) { ++ } else if ((*cur < 0xF0) && (cur [2] != 0)) { + val = (cur[0]) & 0x0F; + val <<= 6; + val |= (cur[1]) & 0x3F; + val <<= 6; + val |= (cur[2]) & 0x3F; + l = 3; +- } else if (*cur < 0xF8) { ++ } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) { + val = (cur[0]) & 0x07; + val <<= 6; + val |= (cur[1]) & 0x3F; +-- +cgit v0.12 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4658.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4658.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4658.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-4658.patch 2017-03-14 20:05:39.000000000 +0000 
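Review bot: The guards added in xmlBufAttrSerializeTxtContent() (`cur[1] != 0`, `cur [2] != 0`, `cur[3] != 0`) only stop the read at the terminating NUL; they do not check that the trailing bytes are UTF-8 continuation bytes, so a malformed sequence is still folded into `val`. Testing each trailing byte with `((cur[1] & 0xC0) == 0x80)` (and likewise for `cur[2]` and `cur[3]`) would cover both the out-of-bounds read and the malformed input. The 3-byte and 4-byte branches also rely on the outer `cur[1] != 0` test for their first trailing byte, which deserves a one-line comment. How `val` is validated afterwards is outside the hunk.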
@@ -0,0 +1,249 @@ +From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 18:34:52 +0200 +Subject: Disallow namespace nodes in XPointer ranges + +Namespace nodes must be copied to avoid use-after-free errors. +But they don't necessarily have a physical representation in a +document, so simply disallow them in XPointer ranges. + +Found with afl-fuzz. + +Fixes CVE-2016-4658. +--- + xpointer.c | 149 +++++++++++++++++++++++-------------------------------------- + 1 file changed, 56 insertions(+), 93 deletions(-) + +diff --git a/xpointer.c b/xpointer.c +index a7b03fb..694d120 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) { + } + + /** ++ * xmlXPtrNewRangeInternal: ++ * @start: the starting node ++ * @startindex: the start index ++ * @end: the ending point ++ * @endindex: the ending index ++ * ++ * Internal function to create a new xmlXPathObjectPtr of type range ++ * ++ * Returns the newly created object. ++ */ ++static xmlXPathObjectPtr ++xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, ++ xmlNodePtr end, int endindex) { ++ xmlXPathObjectPtr ret; ++ ++ /* ++ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). ++ * Disallow them for now. 
++ */ ++ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) ++ return(NULL); ++ ++ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); ++ if (ret == NULL) { ++ xmlXPtrErrMemory("allocating range"); ++ return(NULL); ++ } ++ memset(ret, 0, sizeof(xmlXPathObject)); ++ ret->type = XPATH_RANGE; ++ ret->user = start; ++ ret->index = startindex; ++ ret->user2 = end; ++ ret->index2 = endindex; ++ return(ret); ++} ++ ++/** + * xmlXPtrNewRange: + * @start: the starting node + * @startindex: the start index +@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex, + if (endindex < 0) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = startindex; +- ret->user2 = end; +- ret->index2 = endindex; ++ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, ++ end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) { + if (start->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == 
NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start->user; +- ret->index = start->index; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) { + if (end->type != XPATH_POINT) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end->user; +- ret->index2 = end->index; ++ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) { + if (end == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = end; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, end, -1); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + if (start == NULL) + return(NULL); + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- ret->user2 = NULL; +- ret->index2 = -1; ++ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); + return(ret); + } + +@@ -541,6 
+521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { + */ + xmlXPathObjectPtr + xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { ++ xmlNodePtr endNode; ++ int endIndex; + xmlXPathObjectPtr ret; + + if (start == NULL) +@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + return(NULL); + switch (end->type) { + case XPATH_POINT: ++ endNode = end->user; ++ endIndex = end->index; ++ break; + case XPATH_RANGE: ++ endNode = end->user2; ++ endIndex = end->index2; + break; + case XPATH_NODESET: + /* +@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + */ + if (end->nodesetval->nodeNr <= 0) + return(NULL); ++ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; ++ endIndex = -1; + break; + default: + /* TODO */ + return(NULL); + } + +- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); +- if (ret == NULL) { +- xmlXPtrErrMemory("allocating range"); +- return(NULL); +- } +- memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); +- ret->type = XPATH_RANGE; +- ret->user = start; +- ret->index = -1; +- switch (end->type) { +- case XPATH_POINT: +- ret->user2 = end->user; +- ret->index2 = end->index; +- break; +- case XPATH_RANGE: +- ret->user2 = end->user2; +- ret->index2 = end->index2; +- break; +- case XPATH_NODESET: { +- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; +- ret->index2 = -1; +- break; +- } +- default: +- STRANGE +- return(NULL); +- } ++ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); + xmlXPtrRangeCheckOrder(ret); + return(ret); + } +-- +cgit v0.12 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-1.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-1.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-1.patch 2017-03-14 20:05:55.000000000 +0000 
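Review bot: xmlXPtrNewRangeInternal() can return NULL, both on allocation failure and for XML_NAMESPACE_DECL nodes, and the converted callers that order the range pass that result to `xmlXPtrRangeCheckOrder(ret)` without a check. Before this change the allocation-failure path returned before reaching that call, so these callers now depend on xmlXPtrRangeCheckOrder() accepting NULL, which is not visible in these hunks. Adding `if (ret == NULL) return(NULL);` after the helper call in xmlXPtrNewRange(), xmlXPtrNewRangePoints(), xmlXPtrNewRangePointNode(), xmlXPtrNewRangeNodePoint(), xmlXPtrNewRangeNodes() and xmlXPtrNewRangeNodeObject() would make the contract explicit.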
@@ -0,0 +1,142 @@ +From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 14:22:23 +0200 +Subject: Fix XPointer paths beginning with range-to + +The old code would invoke the broken xmlXPtrRangeToFunction. range-to +isn't really a function but a special kind of location step. Remove +this function and always handle range-to in the XPath code. + +The old xmlXPtrRangeToFunction could also be abused to trigger a +use-after-free error with the potential for remote code execution. + +Found with afl-fuzz. + +Fixes CVE-2016-5131. +--- + result/XPath/xptr/vidbase | 13 ++++++++ + test/XPath/xptr/vidbase | 1 + + xpath.c | 7 ++++- + xpointer.c | 76 ++++------------------------------------------- + 4 files changed, 26 insertions(+), 71 deletions(-) + +Index: libxml2-2.9.3+dfsg1/xpath.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/xpath.c 2017-03-14 16:05:53.137793821 -0400 ++++ libxml2-2.9.3+dfsg1/xpath.c 2017-03-14 16:05:53.133793777 -0400 +@@ -10691,13 +10691,18 @@ + lc = 1; + break; + } else if ((NXT(len) == '(')) { +- /* Note Type or Function */ ++ /* Node Type or Function */ + if (xmlXPathIsNodeType(name)) { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, + "PathExpr: Type search\n"); + #endif + lc = 1; ++#ifdef LIBXML_XPTR_ENABLED ++ } else if (ctxt->xptr && ++ xmlStrEqual(name, BAD_CAST "range-to")) { ++ lc = 1; ++#endif + } else { + #ifdef DEBUG_STEP + xmlGenericError(xmlGenericErrorContext, +Index: libxml2-2.9.3+dfsg1/xpointer.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/xpointer.c 2017-03-14 16:05:53.137793821 -0400 ++++ libxml2-2.9.3+dfsg1/xpointer.c 2017-03-14 16:05:53.137793821 -0400 +@@ -1295,8 +1295,6 @@ + ret->here = here; + ret->origin = origin; + +- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", +- xmlXPtrRangeToFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range", + 
xmlXPtrRangeFunction); + xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", +@@ -2206,76 +2204,14 @@ + * @nargs: the number of args + * + * Implement the range-to() XPointer function ++ * ++ * Obsolete. range-to is not a real function but a special type of location ++ * step which is handled in xpath.c. + */ + void +-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { +- xmlXPathObjectPtr range; +- const xmlChar *cur; +- xmlXPathObjectPtr res, obj; +- xmlXPathObjectPtr tmp; +- xmlLocationSetPtr newset = NULL; +- xmlNodeSetPtr oldset; +- int i; +- +- if (ctxt == NULL) return; +- CHECK_ARITY(1); +- /* +- * Save the expression pointer since we will have to evaluate +- * it multiple times. Initialize the new set. +- */ +- CHECK_TYPE(XPATH_NODESET); +- obj = valuePop(ctxt); +- oldset = obj->nodesetval; +- ctxt->context->node = NULL; +- +- cur = ctxt->cur; +- newset = xmlXPtrLocationSetCreate(NULL); +- +- for (i = 0; i < oldset->nodeNr; i++) { +- ctxt->cur = cur; +- +- /* +- * Run the evaluation with a node list made of a single item +- * in the nodeset. +- */ +- ctxt->context->node = oldset->nodeTab[i]; +- tmp = xmlXPathNewNodeSet(ctxt->context->node); +- valuePush(ctxt, tmp); +- +- xmlXPathEvalExpr(ctxt); +- CHECK_ERROR; +- +- /* +- * The result of the evaluation need to be tested to +- * decided whether the filter succeeded or not +- */ +- res = valuePop(ctxt); +- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); +- if (range != NULL) { +- xmlXPtrLocationSetAdd(newset, range); +- } +- +- /* +- * Cleanup +- */ +- if (res != NULL) +- xmlXPathFreeObject(res); +- if (ctxt->value == tmp) { +- res = valuePop(ctxt); +- xmlXPathFreeObject(res); +- } +- +- ctxt->context->node = NULL; +- } +- +- /* +- * The result is used as the new evaluation set. 
+- */ +- xmlXPathFreeObject(obj); +- ctxt->context->node = NULL; +- ctxt->context->contextSize = -1; +- ctxt->context->proximityPosition = -1; +- valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); ++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, ++ int nargs ATTRIBUTE_UNUSED) { ++ XP_ERROR(XPATH_EXPR_ERROR); + } + + /** diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-2.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-2.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-5131-2.patch 2017-03-14 20:06:01.000000000 +0000 @@ -0,0 +1,34 @@ +From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Jun 2016 14:19:58 +0200 +Subject: Fix comparison with root node in xmlXPathCmpNodes + +This change has already been made in xmlXPathCmpNodesExt but not in +xmlXPathCmpNodes. +--- + xpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 751665b..d992841 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) { + * compute depth to root + */ + for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { +- if (cur == node1) ++ if (cur->parent == node1) + return(1); + depth2++; + } + root = cur; + for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { +- if (cur == node2) ++ if (cur->parent == node2) + return(-1); + depth1++; + } +-- +cgit v0.12 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-9318.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-9318.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-9318.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2016-9318.patch 2018-08-13 19:48:59.000000000 +0000 
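Review bot: The comment above the stubbed xmlXPtrRangeToFunction() still opens with `Implement the range-to() XPointer function`, although the body now only raises `XPATH_EXPR_ERROR`. The function remains non-static while its registration is removed from the context setup, so the comment should say what a direct caller gets, for example `Obsolete: always raises XPATH_EXPR_ERROR; range-to is handled as a location step in xpath.c.` The old `if (ctxt == NULL) return;` guard is gone as well, so it is worth confirming that the `XP_ERROR` expansion copes with a NULL context; its definition is not in the hunk.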
@@ -0,0 +1,51 @@
+From ad88b54f1a28a8565964a370b5d387927b633c0d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 8 Dec 2017 09:42:31 +0100
+Subject: [PATCH] Improve handling of context input_id
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=772726
+This was used in xmlsec to detect issues with accessing external entities
+and prevent them, but was unreliable, based on a patch from Aleksey Sanin
+
+* parser.c: make sure input_id is incremented when creating sub-entities
+ for parsing or when parsing out of context
+diff --git a/parser.c b/parser.c
+index 4ab9b5a..262f992 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13636,6 +13636,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt,
+ ctxt->userData = ctxt;
+ if (ctxt->dict != NULL) xmlDictFree(ctxt->dict);
+ ctxt->dict = oldctxt->dict;
++ ctxt->input_id = oldctxt->input_id + 1;
+ ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3);
+ ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5);
+ ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36);
+@@ -13889,6 +13890,7 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,
+ xmlDetectSAX2(ctxt);
+ ctxt->myDoc = doc;
+ /* parsing in context, i.e.
as within existing content */
++ ctxt->input_id = 2;
+ ctxt->instate = XML_PARSER_CONTENT;
+
+ fake = xmlNewComment(NULL);
+@@ -14101,6 +14103,7 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+ newDoc->oldNs = doc->oldNs;
+ }
+ ctxt->instate = XML_PARSER_CONTENT;
++ ctxt->input_id = 2;
+ ctxt->depth = depth;
+
+ /*
+@@ -14261,6 +14264,11 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ if (pctx != NULL) {
+ ctxt->options = pctx->options;
+ ctxt->_private = pctx->_private;
++ /*
++ * this is a subparser of pctx, so the input_id should be
++ * incremented to distinguish from main entity
++ */
++ ctxt->input_id = pctx->input_id + 1;
+ }
+
+ uri = xmlBuildURI(URL, base);
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-0663.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-0663.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-0663.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-0663.patch 2017-09-15 22:40:08.000000000 +0000
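Review bot: The literal in `ctxt->input_id = 2;` appears twice, in xmlParseInNodeContext and in xmlParseBalancedChunkMemoryRecover, without saying what 2 stands for, while the other two hunks derive the value as `oldctxt->input_id + 1` and `pctx->input_id + 1`. Presumably the main entity has id 1 and 2 marks "not the main entity"; a comment such as `/* not the main entity (assumed id 1), so callers comparing input_id see a sub-context */` on both lines would make that checkable. The patch only makes input_id dependable for callers that inspect it (the message names xmlsec); nothing in these hunks blocks external entity loading by itself, so applications still need to keep entity substitution and DTD loading off for untrusted input. All four functions continue outside their hunks.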
@@ -0,0 +1,45 @@
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+
+CVE-2017-0663
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 8075d3a..c51ea29 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+--
+2.7.4
+
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-15412.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-15412.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-15412.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-15412.patch 2017-12-11 16:29:01.000000000 +0000
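Review bot: The `#if 0` … `#endif` pair in xmlValidateOneNamespace leaves both `(xmlAttrPtr) ns` casts in the source, where a later cleanup of dead code could switch them back on. I would delete the disabled ID and IDREF branches and keep only the new comment, reworded to `/* ID/IDREF checks are skipped for namespace declarations: xmlAddID and xmlAddRef take an xmlAttrPtr and ns is an xmlNsPtr */`. With the block disabled, a namespace declaration whose attribute declaration has an ID type now passes these two constraints silently; if that matters to users of the validator, a validity warning would be the place to say so. The IDREF condition between the two hunks is not visible here.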
@@ -0,0 +1,33 @@
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: libxml2-2.9.3+dfsg1/xpath.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/xpath.c
++++ libxml2-2.9.3+dfsg1/xpath.c
+@@ -11915,11 +11915,11 @@ xmlXPathCompOpEvalPositionalPredicate(xm
+ }
+ }
+
+- frame = xmlXPathSetFrame(ctxt);
+ valuePush(ctxt, contextObj);
++ frame = xmlXPathSetFrame(ctxt);
+ res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+- tmp = valuePop(ctxt);
+ xmlXPathPopFrame(ctxt, frame);
++ tmp = valuePop(ctxt);
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ while (tmp != contextObj) {
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-16932.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-16932.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-16932.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-16932.patch 2017-12-04 18:20:19.000000000 +0000
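Review bot: The new order in xmlXPathCompOpEvalPositionalPredicate, `valuePush(ctxt, contextObj);` before `frame = xmlXPathSetFrame(ctxt);` and `xmlXPathPopFrame(ctxt, frame);` before `tmp = valuePop(ctxt);`, is what protects contextObj, yet nothing in the code says so and the four lines look freely reorderable. A comment above the push, `/* push contextObj below the frame so that the evaluated expression cannot pop it */`, would keep a later refactor from restoring the old order. The error branch that follows (`while (tmp != contextObj)`) runs past the end of the hunk, so whether it still behaves with the new order cannot be judged from here.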
@@ -0,0 +1,105 @@
+Backport of:
+
+From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Tue, 25 Jul 2017 14:59:49 +0200
+Subject: [PATCH] Detect infinite recursion in parameter entities
+
+When expanding a parameter entity in a DTD, infinite recursion could
+lead to an infinite loop or memory exhaustion.
+
+Thanks to Wei Lei for the first of many reports.
+
+Fixes bug 759579.
+
+---
+ parser.c | 13 +++++++++++--
+ result/errors/759579.xml | 0
+ result/errors/759579.xml.err | 6 ++++++
+ result/errors/759579.xml.str | 7 +++++++
+ test/errors/759579.xml | 11 +++++++++++
+ 5 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759579.xml
+ create mode 100644 result/errors/759579.xml.err
+ create mode 100644 result/errors/759579.xml.str
+ create mode 100644 test/errors/759579.xml
+
+diff --git a/parser.c b/parser.c
+index 7f33bb9..036308a 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2238,6 +2238,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+ xmlGenericError(xmlGenericErrorContext,
+ "Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+ }
++ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++ (ctxt->inputNr > 1024)) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ while (ctxt->inputNr > 1)
++ xmlFreeInputStream(inputPop(ctxt));
++ return(-1);
++ }
+ ret = inputPush(ctxt, input);
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(-1);
+@@ -8140,8 +8147,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ * c.f.
http://www.w3.org/TR/REC-xml#as-PE + */ + input = xmlNewEntityInputStream(ctxt, entity); +- if (xmlPushInput(ctxt, input) < 0) +- return; ++ if (xmlPushInput(ctxt, input) < 0) { ++ xmlFreeInputStream(input); ++ return; ++ } + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + (CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) && + (IS_BLANK_CH(NXT(5)))) { +diff --git a/result/errors/759579.xml b/result/errors/759579.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/759579.xml.err b/result/errors/759579.xml.err +new file mode 100644 +index 0000000..288026e +--- /dev/null ++++ b/result/errors/759579.xml.err +@@ -0,0 +1,6 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ +diff --git a/result/errors/759579.xml.str b/result/errors/759579.xml.str +new file mode 100644 +index 0000000..09408f5 +--- /dev/null ++++ b/result/errors/759579.xml.str +@@ -0,0 +1,7 @@ ++Entity: line 2: parser error : Detected an entity reference loop ++ %z; %z; %z; %z; %z; ++ ^ ++Entity: line 2: ++ %z; %z; %z; %z; %z; ++ ^ ++./test/errors/759579.xml : failed to parse +diff --git a/test/errors/759579.xml b/test/errors/759579.xml +new file mode 100644 +index 0000000..7fadd70 +--- /dev/null ++++ b/test/errors/759579.xml +@@ -0,0 +1,11 @@ ++ ++ %z; ++]> ++ +-- +2.7.4 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-18258.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-18258.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-18258.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-18258.patch 2018-08-13 19:49:07.000000000 +0000 
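Review bot: The added `xmlFreeInputStream(input);` in xmlParsePEReference runs on every negative return of xmlPushInput, but xmlPushInput has two such returns with different ownership. On the new depth-limit path `input` was never pushed and the caller must free it; on the existing `if (ctxt->instate == XML_PARSER_EOF) return(-1);` path, which sits after `inputPush(ctxt, input)`, the stream has probably been handed to the context already (inputPush is not shown), and freeing it again in the caller would leave a dangling entry or free it twice. I would release the stream inside the limit branch, `xmlFreeInputStream(input);` just before its `return(-1);`, and leave the caller as it was, so that xmlPushInput always consumes its argument. The limits 40 and 1024 would also read better as named constants with a comment tying 40 to the case without XML_PARSE_HUGE. Both functions continue outside their hunks.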
@@ -0,0 +1,25 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+diff --git a/xzlib.c b/xzlib.c
+index 782957f..f43632b 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+ state->strm = init;
+ state->strm.avail_in = 0;
+ state->strm.next_in = NULL;
+- if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++ if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+ xmlFree(state->out);
+ xmlFree(state->in);
+ state->size = 0;
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7375.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7375.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7375.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7375.patch 2017-09-15 22:40:38.000000000 +0000
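Review bot: The limit passed in `lzma_auto_decoder(&state->strm, 100000000, 0)` in xz_head is a bare literal; the reasoning (about 65 MB needed for `xz -9`, rounded up to 100 MB) lives only in the commit message. A named constant next to the call, for instance `#define XZ_MEMLIMIT 100000000 /* bytes; xz -9 needs about 65 MB to decode */` (the name is a suggestion), keeps the rationale with the code and gives packagers one place to adjust it. Input that needs more than the limit will presumably fail later, while decoding, rather than at this call, so the decode loop has to treat that liblzma error as fatal; that handling is in xz_decomp, outside this hunk. xz_head continues past the hunk.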
@@ -0,0 +1,37 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+
+CVE-2017-7375
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a270..c2c812d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ if (xmlPushInput(ctxt, input) < 0)
+ return;
+ } else {
++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++ (ctxt->replaceEntities == 0) &&
++ (ctxt->validate == 0))
++ return;
++
+ /*
+ * TODO !!!
+ * handle the extra spaces added before and after
+--
+2.7.4
+
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7376.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7376.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7376.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-7376.patch 2017-09-15 22:40:46.000000000 +0000
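Review bot: The new early `return;` in the `else` branch of xmlParsePEReference has no comment, and its seven-clause condition mixes option bits with the `replaceEntities` and `validate` fields without saying which combination it is guarding. The four option tests can be folded into one mask, `((ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID | XML_PARSE_DTDLOAD | XML_PARSE_DTDATTR)) == 0)`, and a line such as `/* do not load an external parameter entity unless the caller asked for entity substitution, DTD loading or validation */` should sit above it. The reference is dropped silently, so a caller cannot tell a skipped entity from an absent one; a warning through the existing error channel would help when debugging. The function continues outside the hunk.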
@@ -0,0 +1,33 @@
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+
+CVE-2017-7376
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad7..373425d 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+ if (ctxt->port != 80) {
+ /* reserve space for ':xxxxx', incl. potential proxy */
+ if (proxy)
+- blen += 12;
++ blen += 17;
+ else
+- blen += 6;
++ blen += 11;
+ }
+ bp = (char*)xmlMallocAtomic(blen);
+ if ( bp == NULL ) {
+--
+2.7.4
+
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9047-9048.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9047-9048.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9047-9048.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9047-9048.patch 2017-09-15 22:40:57.000000000 +0000
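Review bot: The comment kept as context above the changed lines still says `reserve space for ':xxxxx'`, which describes the old 6-byte reserve and not the new `blen += 11;` and `blen += 17;`. I would update it to `/* reserve space for ':' plus up to 10 digits of an int port, incl. potential proxy */`. Eleven bytes cover a non-negative int; if `ctxt->port` can be negative (its parsing is outside the hunk) the text needs one byte more, so rejecting ports outside 1..65535 where the value is parsed would be the sturdier fix. The code that formats the port into `bp` is not visible here.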
@@ -0,0 +1,118 @@ +From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel Böhme and Thuan Pham for the report. + +CVE-2017-9047, CVE-2017-9048 +--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 0000000..45dc451 +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++ ++ ++]> ++ +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 0000000..b401b49 +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++ ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr +new file mode 100644 +index 0000000..5ff5699 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++ ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml 
b/test/valid/781333.xml +new file mode 100644 +index 0000000..b29e5a6 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++ ++]> ++ +diff --git a/valid.c b/valid.c +index 19f84b8..9b2df56 100644 +--- a/valid.c ++++ b/valid.c +@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen = xmlStrlen(content->name); ++ ++ if (content->prefix != NULL) ++ qnameLen += xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix != NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name != NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || + (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) +@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <= 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +-- +2.7.4 + diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9049-9050.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9049-9050.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9049-9050.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2017-9049-9050.patch 2017-09-15 22:41:06.000000000 +0000 
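Review bot: The added guard `if (size - strlen(buf) <= 2) return;` in the second valid.c hunk mixes the int `size` with the size_t result of strlen, so the subtraction is unsigned and can never be negative. If the string in `buf` is ever longer than `size` at that point, the difference wraps to a very large value and the guard lets the following `strcat(buf, ")")` run. `if (size - (int) strlen(buf) <= 2) return;` keeps the comparison signed, in line with the `size - len < qnameLen + 10` test in the first hunk. The function still appends with unbounded `strcat`, and its remaining branches are outside the hunks.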
@@ -0,0 +1,302 @@ +From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +========================= + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. + +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone +involved. 
+ +xmlParseNameComplex with XML_PARSE_OLD10 +======================================== + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel Böhme and Thuan Pham for the report. + +Additional hardening +==================== + +A separate check was added in xmlParseNameComplex to validate the +buffer size. + +CVE-2017-9049, CVE-2017-9050 +--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 11 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 
result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +Index: b/Makefile.am +=================================================================== +--- a/Makefile.am ++++ b/Makefile.am +@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=`basename $$i`; \ +Index: b/parser.c +=================================================================== +--- a/parser.c ++++ b/parser.c +@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ct + ctxt->input->line++; ctxt->input->col = 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur += l; \ +- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ + } while (0) + + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3406,13 
+3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx + len += l; + NEXTL(l); + c = CUR_CHAR(l); +- if (c == 0) { +- count = 0; +- GROW; +- if (ctxt->instate == XML_PARSER_EOF) +- return(NULL); +- c = CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an invalid ++ * pointer to xmlDictLookup. ++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +Index: b/result/errors10/781205.xml.err +=================================================================== +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a; ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 ++ ++^ +Index: b/result/errors10/781361.xml.err +=================================================================== +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ ++^ 
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found ++ ++^ +Index: b/result/valid/766956.xml.err +=================================================================== +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ +Index: b/result/valid/766956.xml.err.rdr +=================================================================== +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ ++./test/valid/766956.xml : failed to parse +Index: b/runtest.c +=================================================================== +--- a/runtest.c ++++ b/runtest.c +@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = { + { "Error cases regression tests", + errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", + 0 }, ++ { "Error cases regression tests (old 1.0)", ++ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", ++ XML_PARSE_OLD10 }, + #ifdef LIBXML_READER_ENABLED + { "Error cases stream regression tests", + streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", +Index: b/test/errors10/781205.xml +=================================================================== +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++ ++ %a; +Index: b/test/errors10/781361.xml +=================================================================== +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++ ++ %elem; +Index: b/test/valid/766956.xml 
+=================================================================== +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++ ++ +Index: b/test/valid/dtds/766956.dtd +=================================================================== +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++ ++%ä%ent; diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14404.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14404.patch --- libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14404.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14404.patch 2018-08-13 19:49:14.000000000 +0000 
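Review bot: The hardening check added to xmlParseNameComplex, `if (ctxt->input->cur - ctxt->input->base < len)`, admits `cur - base == len`, while the CRLF branch right below it reads `ctxt->input->cur[-1]` and passes `ctxt->input->cur - (len + 1)` to xmlDictLookup. Since the check exists for the case where the buffer changed unexpectedly, it should cover that branch too, for example by testing `< len + 1` when `*ctxt->input->cur == '\n'`, or by rejecting `cur == base` before `cur[-1]` is read. Whether `len` can be 0 here depends on code outside the hunk. The added comment also has a doubled word ("lead to to a change").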
@@ -0,0 +1,47 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+diff --git a/xpath.c b/xpath.c
+index 7a3f114..ac92fec 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13309,9 +13309,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13335,9 +13334,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14567.patch libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14567.patch
--- libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14567.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/CVE-2018-14567.patch 2018-08-13 19:49:23.000000000 +0000
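Review bot: In both rewritten branches of xmlXPathCompOpEval (`and` and `or`), an empty stack is now skipped with `if (ctxt->value != NULL)` but no error is recorded, so evaluation returns `total` as if the operator had succeeded and leaves nothing on the stack for the caller. I would set an XPath error on the context in an `else` branch so that a corrupted stack stops the evaluation instead of propagating. `arg2->boolval` is still dereferenced unconditionally in the new lines; `arg2` is assigned outside the hunk, so whether it can be NULL under the same corruption cannot be told from here. Neither line checks that `ctxt->value` is of boolean type, which presumably relies on the preceding `xmlXPathBooleanFunction(ctxt, 1)` call.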
@@ -0,0 +1,43 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+diff --git a/xzlib.c b/xzlib.c
+index f43632b..5df477e 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/lp1652325.patch libxml2-2.9.3+dfsg1/debian/patches/lp1652325.patch
--- libxml2-2.9.3+dfsg1/debian/patches/lp1652325.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/lp1652325.patch 2017-03-14 20:05:09.000000000 +0000
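Review bot: The new check in xz_decomp, `if ((state->how != GZIP) && (ret != LZMA_OK) && (ret != LZMA_STREAM_END))`, excludes the gzip path, so zlib return codes other than the two remapped above it (`Z_MEM_ERROR`, `Z_DATA_ERROR`) are still not covered by a catch-all. If such a code can reach the `while (strm->avail_out && ret != LZMA_STREAM_END)` condition without progress being made, the same kind of loop remains for gzip input; the code between the two hunks is not visible, so this needs checking against the full function. The added FIXME records that the remapping is fragile but leaves it in place; splitting the zlib and liblzma error handling into separate branches would remove the need for the `state->how` test. A regression input for the looping case is not part of the patch.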
@@ -0,0 +1,580 @@ +From 4f8606c13cb7f2684839f850b83de5ce647d3ca7 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Tue, 5 Jan 2016 13:38:09 -0800 +Subject: Bug 760183: REGRESSION (v2.9.3): XML push parser fails with bogus + UTF-8 encoding error when multi-byte character in large CDATA section is + split across buffer + +* parser.c: +(xmlCheckCdataPush): Add 'complete' argument to describe whether +the buffer passed in is the whole CDATA buffer, or if there is +more data to parse. If there is more data to parse, don't +return a negative value for an invalid multi-byte UTF-8 +character that is split between buffers. +(xmlParseTryOrFinish): Pass 'complete' argument to +xmlCheckCdataPush() as appropriate. + +* result/cdata-2-byte-UTF-8.xml: Added. +* result/cdata-2-byte-UTF-8.xml.rde: Added. +* result/cdata-2-byte-UTF-8.xml.rdr: Added. +* result/cdata-2-byte-UTF-8.xml.sax: Added. +* result/cdata-2-byte-UTF-8.xml.sax2: Added. +* result/cdata-3-byte-UTF-8.xml: Added. +* result/cdata-3-byte-UTF-8.xml.rde: Added. +* result/cdata-3-byte-UTF-8.xml.rdr: Added. +* result/cdata-3-byte-UTF-8.xml.sax: Added. +* result/cdata-3-byte-UTF-8.xml.sax2: Added. +* result/cdata-4-byte-UTF-8.xml: Added. +* result/cdata-4-byte-UTF-8.xml.rde: Added. +* result/cdata-4-byte-UTF-8.xml.rdr: Added. +* result/cdata-4-byte-UTF-8.xml.sax: Added. +* result/cdata-4-byte-UTF-8.xml.sax2: Added. +* result/noent/cdata-2-byte-UTF-8.xml: Added. +* result/noent/cdata-3-byte-UTF-8.xml: Added. +* result/noent/cdata-4-byte-UTF-8.xml: Added. +* test/cdata-2-byte-UTF-8.xml: Added. +* test/cdata-3-byte-UTF-8.xml: Added. +* test/cdata-4-byte-UTF-8.xml: Added. +- Add tests and results. Only 'make Readertests XMLPushtests' + fails prior to the fix. 
+--- + parser.c | 15 ++++++++------- + result/cdata-2-byte-UTF-8.xml | 6 ++++++ + result/cdata-2-byte-UTF-8.xml.rde | 15 +++++++++++++++ + result/cdata-2-byte-UTF-8.xml.rdr | 15 +++++++++++++++ + result/cdata-2-byte-UTF-8.xml.sax | 18 ++++++++++++++++++ + result/cdata-2-byte-UTF-8.xml.sax2 | 18 ++++++++++++++++++ + result/cdata-3-byte-UTF-8.xml | 7 +++++++ + result/cdata-3-byte-UTF-8.xml.rde | 20 ++++++++++++++++++++ + result/cdata-3-byte-UTF-8.xml.rdr | 20 ++++++++++++++++++++ + result/cdata-3-byte-UTF-8.xml.sax | 23 +++++++++++++++++++++++ + result/cdata-3-byte-UTF-8.xml.sax2 | 23 +++++++++++++++++++++++ + result/cdata-4-byte-UTF-8.xml | 8 ++++++++ + result/cdata-4-byte-UTF-8.xml.rde | 25 +++++++++++++++++++++++++ + result/cdata-4-byte-UTF-8.xml.rdr | 25 +++++++++++++++++++++++++ + result/cdata-4-byte-UTF-8.xml.sax | 28 ++++++++++++++++++++++++++++ + result/cdata-4-byte-UTF-8.xml.sax2 | 28 ++++++++++++++++++++++++++++ + result/noent/cdata-2-byte-UTF-8.xml | 6 ++++++ + result/noent/cdata-3-byte-UTF-8.xml | 7 +++++++ + result/noent/cdata-4-byte-UTF-8.xml | 8 ++++++++ + test/cdata-2-byte-UTF-8.xml | 6 ++++++ + test/cdata-3-byte-UTF-8.xml | 7 +++++++ + test/cdata-4-byte-UTF-8.xml | 8 ++++++++ + 22 files changed, 329 insertions(+), 7 deletions(-) + create mode 100644 result/cdata-2-byte-UTF-8.xml + create mode 100644 result/cdata-2-byte-UTF-8.xml.rde + create mode 100644 result/cdata-2-byte-UTF-8.xml.rdr + create mode 100644 result/cdata-2-byte-UTF-8.xml.sax + create mode 100644 result/cdata-2-byte-UTF-8.xml.sax2 + create mode 100644 result/cdata-3-byte-UTF-8.xml + create mode 100644 result/cdata-3-byte-UTF-8.xml.rde + create mode 100644 result/cdata-3-byte-UTF-8.xml.rdr + create mode 100644 result/cdata-3-byte-UTF-8.xml.sax + create mode 100644 result/cdata-3-byte-UTF-8.xml.sax2 + create mode 100644 result/cdata-4-byte-UTF-8.xml + create mode 100644 result/cdata-4-byte-UTF-8.xml.rde + create mode 100644 result/cdata-4-byte-UTF-8.xml.rdr + create mode 100644 
result/cdata-4-byte-UTF-8.xml.sax + create mode 100644 result/cdata-4-byte-UTF-8.xml.sax2 + create mode 100644 result/noent/cdata-2-byte-UTF-8.xml + create mode 100644 result/noent/cdata-3-byte-UTF-8.xml + create mode 100644 result/noent/cdata-4-byte-UTF-8.xml + create mode 100644 test/cdata-2-byte-UTF-8.xml + create mode 100644 test/cdata-3-byte-UTF-8.xml + create mode 100644 test/cdata-4-byte-UTF-8.xml + +Index: libxml2-2.9.3+dfsg1/parser.c +=================================================================== +--- libxml2-2.9.3+dfsg1.orig/parser.c 2017-03-14 16:05:02.893244645 -0400 ++++ libxml2-2.9.3+dfsg1/parser.c 2017-03-14 16:05:02.889244601 -0400 +@@ -11249,8 +11249,9 @@ + } + /** + * xmlCheckCdataPush: +- * @cur: pointer to the bock of characters ++ * @cur: pointer to the block of characters + * @len: length of the block in bytes ++ * @complete: 1 if complete CDATA block is passed in, 0 if partial block + * + * Check that the block of characters is okay as SCdata content [20] + * +@@ -11258,7 +11259,7 @@ + * UTF-8 error occured otherwise + */ + static int +-xmlCheckCdataPush(const xmlChar *utf, int len) { ++xmlCheckCdataPush(const xmlChar *utf, int len, int complete) { + int ix; + unsigned char c; + int codepoint; +@@ -11276,7 +11277,7 @@ + else + return(-ix); + } else if ((c & 0xe0) == 0xc0) {/* 2-byte code, starts with 110 */ +- if (ix + 2 > len) return(-ix); ++ if (ix + 2 > len) return(complete ? -ix : ix); + if ((utf[ix+1] & 0xc0 ) != 0x80) + return(-ix); + codepoint = (utf[ix] & 0x1f) << 6; +@@ -11285,7 +11286,7 @@ + return(-ix); + ix += 2; + } else if ((c & 0xf0) == 0xe0) {/* 3-byte code, starts with 1110 */ +- if (ix + 3 > len) return(-ix); ++ if (ix + 3 > len) return(complete ? 
-ix : ix); + if (((utf[ix+1] & 0xc0) != 0x80) || + ((utf[ix+2] & 0xc0) != 0x80)) + return(-ix); +@@ -11296,7 +11297,7 @@ + return(-ix); + ix += 3; + } else if ((c & 0xf8) == 0xf0) {/* 4-byte code, starts with 11110 */ +- if (ix + 4 > len) return(-ix); ++ if (ix + 4 > len) return(complete ? -ix : ix); + if (((utf[ix+1] & 0xc0) != 0x80) || + ((utf[ix+2] & 0xc0) != 0x80) || + ((utf[ix+3] & 0xc0) != 0x80)) +@@ -11811,7 +11812,7 @@ + int tmp; + + tmp = xmlCheckCdataPush(ctxt->input->cur, +- XML_PARSER_BIG_BUFFER_SIZE); ++ XML_PARSER_BIG_BUFFER_SIZE, 0); + if (tmp < 0) { + tmp = -tmp; + ctxt->input->cur += tmp; +@@ -11834,7 +11835,7 @@ + } else { + int tmp; + +- tmp = xmlCheckCdataPush(ctxt->input->cur, base); ++ tmp = xmlCheckCdataPush(ctxt->input->cur, base, 1); + if ((tmp < 0) || (tmp != base)) { + tmp = -tmp; + ctxt->input->cur += tmp; +Index: libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,6 @@ ++ ++ ++ ++

++

++ +Index: libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.rde +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.rde 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,15 @@ ++0 8 #comment 0 1 This tests that two-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ++0 1 doc 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++0 15 doc 0 0 +Index: libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.rdr +=================================================================== +--- 
/dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.rdr 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,15 @@ ++0 8 #comment 0 1 This tests that two-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ++0 1 doc 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČČ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++0 15 doc 0 0 +Index: libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.sax +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.sax 2017-03-14 16:05:02.889244601 -0400 +@@ 
-0,0 +1,18 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.comment( This tests that two-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ) ++SAX.startElement(doc) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata(ČČČČČČČČČČ, 1200) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata( ČČČČČČČČČÄ, 1201) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.endElement(doc) ++SAX.endDocument() +Index: libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.sax2 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-2-byte-UTF-8.xml.sax2 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,18 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.comment( This tests that two-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ) ++SAX.startElementNs(doc, NULL, NULL, 0, 0, 0) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata(ČČČČČČČČČČ, 1200) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata( ČČČČČČČČČÄ, 1201) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.endElementNs(doc, NULL, NULL) ++SAX.endDocument() +Index: libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,7 @@ ++ ++ ++ ++

++

++

++
+Index: libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.rde +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.rde 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,20 @@ ++0 8 #comment 0 1 This tests that three-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ++0 1 doc 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛 ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛 ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛 ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++0 15 doc 0 0 +Index: libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.rdr 
+=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.rdr 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,20 @@ ++0 8 #comment 0 1 This tests that three-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ++0 1 doc 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛 ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛 ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛牛 ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++0 15 doc 0 0 +Index: libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.sax +=================================================================== +--- 
/dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.sax 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,23 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.comment( This tests that three-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ) ++SAX.startElement(doc) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata(牛牛牛牛牛牛ç‰, 1200) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata( 牛牛牛牛牛牛ç, 1201) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata( 牛牛牛牛牛牛, 1202) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.endElement(doc) ++SAX.endDocument() +Index: libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.sax2 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-3-byte-UTF-8.xml.sax2 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,23 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.comment( This tests that three-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). 
) ++SAX.startElementNs(doc, NULL, NULL, 0, 0, 0) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata(牛牛牛牛牛牛ç‰, 1200) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata( 牛牛牛牛牛牛ç, 1201) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata( 牛牛牛牛牛牛, 1202) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.endElementNs(doc, NULL, NULL) ++SAX.endDocument() +Index: libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,8 @@ ++ ++ ++ ++

++

++

++

++
+Index: libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.rde +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.rde 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,25 @@ ++0 8 #comment 0 1 This tests that four-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ++0 1 doc 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 
ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 
ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++0 15 doc 0 0 +Index: libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.rdr +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.rdr 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,25 @@ ++0 8 #comment 0 1 This tests that four-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). 
++0 1 doc 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 
#cdata-section 0 1 ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++1 1 p 0 0 ++2 4 #cdata-section 0 1 ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦ ++1 15 p 0 0 ++1 14 #text 0 1 ++ ++0 15 doc 0 0 +Index: 
libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.sax +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.sax 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,28 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.comment( This tests that four-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). ) ++SAX.startElement(doc) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata(ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦, 1200) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata( ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ, 1201) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata( ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ, 1202) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.startElement(p) ++SAX.pcdata( ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğ, 1203) ++SAX.endElement(p) ++SAX.characters( ++, 1) ++SAX.endElement(doc) ++SAX.endDocument() +Index: libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.sax2 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/cdata-4-byte-UTF-8.xml.sax2 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,28 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.comment( This tests that four-byte UTF-8 characters are parsed properly when split across a buffer boundary of length XML_PARSER_BIG_BUFFER_SIZE (300 bytes). 
) ++SAX.startElementNs(doc, NULL, NULL, 0, 0, 0) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata(ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ¦, 1200) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata( ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ, 1201) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata( ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğŸ, 1202) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.startElementNs(p, NULL, NULL, 0, 0, 0) ++SAX.pcdata( ğŸ¦ğŸ¦ğŸ¦ğŸ¦ğ, 1203) ++SAX.endElementNs(p, NULL, NULL) ++SAX.characters( ++, 1) ++SAX.endElementNs(doc, NULL, NULL) ++SAX.endDocument() +Index: libxml2-2.9.3+dfsg1/result/noent/cdata-2-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/noent/cdata-2-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,6 @@ ++ ++ ++ ++

++

++
+Index: libxml2-2.9.3+dfsg1/result/noent/cdata-3-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/noent/cdata-3-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,7 @@ ++ ++ ++ ++

++

++

++
+Index: libxml2-2.9.3+dfsg1/result/noent/cdata-4-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/result/noent/cdata-4-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,8 @@ ++ ++ ++ ++

++

++

++

++
+Index: libxml2-2.9.3+dfsg1/test/cdata-2-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/test/cdata-2-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,6 @@ ++ ++ ++ ++

++

++
+Index: libxml2-2.9.3+dfsg1/test/cdata-3-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/test/cdata-3-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,7 @@ ++ ++ ++ ++

++

++

++
+Index: libxml2-2.9.3+dfsg1/test/cdata-4-byte-UTF-8.xml +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ libxml2-2.9.3+dfsg1/test/cdata-4-byte-UTF-8.xml 2017-03-14 16:05:02.889244601 -0400 +@@ -0,0 +1,8 @@ ++ ++ ++ ++

++

++

++

++
diff -Nru libxml2-2.9.3+dfsg1/debian/patches/series libxml2-2.9.3+dfsg1/debian/patches/series
--- libxml2-2.9.3+dfsg1/debian/patches/series 2015-12-14 07:42:04.000000000 +0000
+++ libxml2-2.9.3+dfsg1/debian/patches/series 2018-08-13 19:49:23.000000000 +0000
@@ -1,2 +1,33 @@
 0001-modify-xml2-config-and-pkgconfig-behaviour.patch
 0002-fix-python-multiarch-includes.patch
+CVE-2016-1762.patch
+CVE-2016-1833.patch
+CVE-2016-1834.patch
+CVE-2016-1835.patch
+CVE-2016-1836.patch
+CVE-2016-1837.patch
+CVE-2016-1838.patch
+CVE-2016-1839.patch
+CVE-2016-1840.patch
+CVE-2016-3705.patch
+CVE-2016-4447.patch
+CVE-2016-4449.patch
+CVE-2016-4483.patch
+CVE-2016-3627.patch
+lp1652325.patch
+CVE-2016-4448-1.patch
+CVE-2016-4448-2.patch
+CVE-2016-4658.patch
+CVE-2016-5131-1.patch
+CVE-2016-5131-2.patch
+CVE-2017-0663.patch
+CVE-2017-7375.patch
+CVE-2017-7376.patch
+CVE-2017-9047-9048.patch
+CVE-2017-9049-9050.patch
+CVE-2017-16932.patch
+CVE-2017-15412.patch
+CVE-2016-9318.patch
+CVE-2017-18258.patch
+CVE-2018-14404.patch
+CVE-2018-14567.patch
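Review bot: In lp1652325.patch the doc comment of xmlCheckCdataPush gains `@complete`, but the return description (its tail, `UTF-8 error occured otherwise`, is visible as context) is not updated for the new `return(complete ? -ix : ix)` paths. With `complete` set to 0 the function can now return a non-negative value smaller than `len` when the block ends inside a multi-byte sequence, and the caller that passes `XML_PARSER_BIG_BUFFER_SIZE, 0` tests only `tmp < 0` on the visible lines. I would add a sentence to the Returns paragraph such as `If @complete is 0 and the block ends inside a multi-byte sequence, returns the index of the first byte of that sequence.` The two call sites also pass bare `0` and `1`, so a short comment at each (`/* partial block */`, `/* complete block */`) would help. The function body and both callers continue outside the hunks.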