debian/0000775000000000000000000000000013334547330007175 5ustar debian/libxml2.install0000664000000000000000000000002712154654360012136 0ustar usr/lib/*/libxml2.so.* debian/libxml2-utils.install0000664000000000000000000000004312154654360013272 0ustar usr/bin/xmllint usr/bin/xmlcatalog debian/python-libxml2-dbg.preinst0000664000000000000000000000022412154654360014224 0ustar #!/bin/sh set -e [ "$1" = "upgrade" ] && [ -L /usr/share/doc/python-libxml2-dbg ] && rm -f /usr/share/doc/python-libxml2-dbg #DEBHELPER# exit 0 debian/libxml2-doc.install0000664000000000000000000000005412154654360012701 0ustar usr/share/doc/libxml2-doc usr/share/gtk-doc debian/watch0000664000000000000000000000034412170545233010224 0ustar version=3 opts=dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|BETA|beta|alpha|b|a)[\-\.]?\d*)$/$1~$2/ \ ftp://xmlsoft.org/libxml2/libxml2-(\d.*)\.(?:tgz|tbz2|txz|tar\.(?:gz|bz2|xz)) debian/source/0000775000000000000000000000000012154654360010476 5ustar debian/source/format0000664000000000000000000000001412154654360011704 0ustar 3.0 (quilt) debian/compat0000664000000000000000000000000212154654360010374 0ustar 9 debian/README.Debian0000664000000000000000000000116512154654360011242 0ustar Notes about libxml2 ------------------- While libxml2 is trying to fit at best the XML, XPath, XIncludes, etc. standards, it is likely to contain implementation bugs which tend to disappear with newer versions. For this reason, if you are using libxml2 libraries or tools for standard conforming development, it's suggested to upgrade libxml2 with newer packages from either testing or unstable Debian repositories. If you're using libxml2 in Gnome context, or similar case (ie. xml usage not requiring heavy standards compliance), you don't need such upgrade. 
-- Mike Hommey , Sat Oct 16 14:29:43 JST 2004 debian/control.udeb0000664000000000000000000000126612170545233011520 0ustar Package: libxml2-udeb XC-Package-Type: udeb Architecture: any Section: debian-installer Depends: ${shlibs:Depends}, ${misc:Depends} Description: GNOME XML library - minimal runtime XML is a metalanguage to let you design your own markup language. A regular markup language defines a way to describe information in a certain class of documents (eg HTML). XML lets you define your own customized markup languages for many classes of document. It can do this because it's written in SGML, the international standard metalanguage for markup languages. . This is a minimal package for use in debian-installer that yields a library providing an extensive API to handle such XML data files. debian/python-libxml2.examples0000664000000000000000000000004512154654360013625 0ustar python/tests/*.py python/tests/*.xml debian/tests/0000775000000000000000000000000012170545233010334 5ustar debian/tests/build0000664000000000000000000000156212170545233011362 0ustar #!/bin/sh # autopkgtest check: Build and run a program against libxml2, to verify that the # headers and pkg-config file are installed correctly # (C) 2012 Canonical Ltd. 
# Author: Daniel Holbach set -e WORKDIR=$(mktemp -d) trap "rm -rf $WORKDIR" 0 INT QUIT ABRT PIPE TERM cd $WORKDIR cat < xmltest.c #include int main(void) { xmlNodePtr n; xmlDocPtr doc; xmlNodePtr cur; doc = xmlNewDoc(BAD_CAST "1.0"); n = xmlNewNode(NULL, BAD_CAST "root"); xmlNodeSetContent(n, BAD_CAST "content"); xmlDocSetRootElement(doc, n); cur = xmlDocGetRootElement(doc); if (xmlStrcmp(cur->name, (const xmlChar *) "root")) return (1); xmlFreeDoc(doc); return (0); } EOF gcc -o xmltest xmltest.c `pkg-config --cflags --libs libxml-2.0` echo "build: OK" [ -x xmltest ] ./xmltest echo "run: OK" debian/tests/python0000664000000000000000000000104312170545233011576 0ustar #!/bin/sh python < ]> """) elem = doc.getRootElement() attr = elem.hasNsProp('attr', 'http://abc.org') if attr == None or attr.serialize()[:-1] != """""": print("Failed to find defaulted attribute abc:attr") sys.exit(1) doc.freeDoc() EOF debian/tests/control0000664000000000000000000000012612170545233011736 0ustar Tests: build python Depends: libxml2-dev, python-libxml2, build-essential, pkg-config debian/libxml2.symbols0000664000000000000000000001436213062227505012163 0ustar libxml2.so.2 libxml2 #MINVER# (symver|optional)LIBXML2_2.4.30 2.7.4 (symver|optional)LIBXML2_2.5.0 2.7.4 (symver|optional)LIBXML2_2.5.2 2.7.4 (symver|optional)LIBXML2_2.5.4 2.7.4 (symver|optional)LIBXML2_2.5.5 2.7.4 (symver|optional)LIBXML2_2.5.6 2.7.4 (symver|optional)LIBXML2_2.5.7 2.7.4 (symver|optional)LIBXML2_2.5.8 2.7.4 (symver|optional)LIBXML2_2.5.9 2.7.4 (symver|optional)LIBXML2_2.6.0 2.7.4 (symver|optional)LIBXML2_2.6.10 2.7.4 (symver|optional)LIBXML2_2.6.11 2.7.4 (symver|optional)LIBXML2_2.6.12 2.7.4 (symver|optional)LIBXML2_2.6.14 2.7.4 (symver|optional)LIBXML2_2.6.15 2.7.4 (symver|optional)LIBXML2_2.6.16 2.7.4 (symver|optional)LIBXML2_2.6.17 2.7.4 (symver|optional)LIBXML2_2.6.18 2.7.4 (symver|optional)LIBXML2_2.6.19 2.7.4 (symver|optional)LIBXML2_2.6.1 2.7.4 (symver|optional)LIBXML2_2.6.20 2.7.4 
(symver|optional)LIBXML2_2.6.21 2.7.4 (symver|optional)LIBXML2_2.6.23 2.7.4 (symver|optional)LIBXML2_2.6.24 2.7.4 (symver|optional)LIBXML2_2.6.25 2.7.4 (symver|optional)LIBXML2_2.6.27 2.7.4 (symver|optional)LIBXML2_2.6.28 2.7.4 (symver|optional)LIBXML2_2.6.29 2.7.4 (symver|optional)LIBXML2_2.6.2 2.7.4 (symver|optional)LIBXML2_2.6.32 2.7.4 (symver|optional)LIBXML2_2.6.3 2.7.4 (symver|optional)LIBXML2_2.6.5 2.7.4 (symver|optional)LIBXML2_2.6.6 2.7.4 (symver|optional)LIBXML2_2.6.7 2.7.4 (symver|optional)LIBXML2_2.6.8 2.7.4 (symver|optional)LIBXML2_2.7.0 2.7.4 (symver|optional)LIBXML2_2.7.3 2.7.4 (symver|optional)LIBXML2_2.7.4 2.7.4 (symver|optional)LIBXML2_2.8.0 2.8.0 (symver|optional)LIBXML2_2.9.0 2.9.0 (symver|optional)LIBXML2_2.9.1 2.9.1 __docbDefaultSAXHandler@Base 2.6.27 __htmlDefaultSAXHandler@Base 2.6.27 __htmlParseContent@Base 2.6.27 __libxml2_xzclose@Base 2.8.0 __libxml2_xzdopen@Base 2.8.0 __libxml2_xzopen@Base 2.8.0 __libxml2_xzread@Base 2.8.0 __oldXMLWDcompatibility@Base 2.6.27 __xmlBufferAllocScheme@Base 2.6.27 __xmlDefaultBufferSize@Base 2.6.27 __xmlDefaultSAXHandler@Base 2.6.27 __xmlDefaultSAXLocator@Base 2.6.27 __xmlDeregisterNodeDefaultValue@Base 2.6.27 __xmlDoValidityCheckingDefaultValue@Base 2.6.27 __xmlErrEncoding@Base 2.6.27 __xmlGenericError@Base 2.6.27 __xmlGenericErrorContext@Base 2.6.27 __xmlGetWarningsDefaultValue@Base 2.6.27 __xmlGlobalInitMutexDestroy@Base 2.6.31 __xmlGlobalInitMutexLock@Base 2.6.28 __xmlGlobalInitMutexUnlock@Base 2.6.28 __xmlIOErr@Base 2.6.27 __xmlIndentTreeOutput@Base 2.6.27 __xmlInitializeDict@Base 2.9.1 __xmlKeepBlanksDefaultValue@Base 2.6.27 __xmlLastError@Base 2.6.27 __xmlLineNumbersDefaultValue@Base 2.6.27 __xmlLoadExtDtdDefaultValue@Base 2.6.27 __xmlLoaderErr@Base 2.6.27 __xmlOutputBufferCreateFilename@Base 2.6.27 __xmlOutputBufferCreateFilenameValue@Base 2.6.27 __xmlParserDebugEntities@Base 2.6.27 __xmlParserInputBufferCreateFilename@Base 2.6.27 __xmlParserInputBufferCreateFilenameValue@Base 2.6.27 
__xmlParserVersion@Base 2.6.27 __xmlPedanticParserDefaultValue@Base 2.6.27 __xmlRaiseError@Base 2.6.27 __xmlRandom@Base 2.8.0 __xmlRegisterCallbacks@Base 2.6.27 __xmlRegisterNodeDefaultValue@Base 2.6.27 __xmlSaveNoEmptyTags@Base 2.6.27 __xmlSimpleError@Base 2.6.27 __xmlStructuredError@Base 2.6.27 __xmlStructuredErrorContext@Base 2.7.4 __xmlSubstituteEntitiesDefaultValue@Base 2.6.27 __xmlTreeIndentString@Base 2.6.27 compute_minrun@Base 2.9.0 htmlDecodeEntities@Base 2.6.27 libxml_domnode_binary_insertion_sort@Base 2.9.0 libxml_domnode_tim_sort@Base 2.9.0 xmlAllocOutputBufferInternal@Base 2.7.1 xmlAutomataSetFlags@Base 2.7.4 xmlBufAdd@Base 2.9.0 xmlBufAddHead@Base 2.9.0 xmlBufAddLen@Base 2.9.0 xmlBufAttrSerializeTxtContent@Base 2.9.0 xmlBufAvail@Base 2.9.0 xmlBufBackToBuffer@Base 2.9.0 xmlBufCCat@Base 2.9.0 xmlBufCat@Base 2.9.0 xmlBufContent@LIBXML2_2.9.0 2.9.0 xmlBufCreate@Base 2.9.0 xmlBufCreateSize@Base 2.9.0 xmlBufCreateStatic@Base 2.9.0 xmlBufDetach@Base 2.9.0 xmlBufDump@Base 2.9.0 xmlBufDumpAttributeDecl@Base 2.9.0 xmlBufDumpElementDecl@Base 2.9.0 xmlBufDumpEntityDecl@Base 2.9.0 xmlBufDumpNotationTable@Base 2.9.0 xmlBufEmpty@Base 2.9.0 xmlBufEnd@LIBXML2_2.9.0 2.9.0 xmlBufErase@Base 2.9.0 xmlBufFree@Base 2.9.0 xmlBufFromBuffer@Base 2.9.0 xmlBufGetAllocationScheme@Base 2.9.0 xmlBufGetInputBase@Base 2.9.0 xmlBufGetNodeContent@LIBXML2_2.9.0 2.9.0 xmlBufGrow@Base 2.9.0 xmlBufInflate@Base 2.9.0 xmlBufIsEmpty@Base 2.9.0 xmlBufLength@Base 2.9.0 xmlBufMergeBuffer@Base 2.9.0 xmlBufNodeDump@LIBXML2_2.9.0 2.9.0 xmlBufResetInput@Base 2.9.0 xmlBufResize@Base 2.9.0 xmlBufSetAllocationScheme@Base 2.9.0 xmlBufSetInputBaseCur@Base 2.9.0 xmlBufShrink@LIBXML2_2.9.0 2.9.0 xmlBufUse@LIBXML2_2.9.0 2.9.0 xmlBufWriteCHAR@Base 2.9.0 xmlBufWriteChar@Base 2.9.0 xmlBufWriteQuotedString@Base 2.9.0 xmlBufferDetach@LIBXML2_2.8.0 2.8.0 xmlBuildRelativeURI@LIBXML2_2.6.11 2.8.0 xmlCharEncFirstLineInput@Base 2.9.0 xmlCharEncFirstLineInt@Base 2.7.4 xmlCharEncInput@Base 2.9.0 xmlCharEncOutput@Base 
2.9.0 xmlDictGetUsage@LIBXML2_2.9.0 2.9.0 xmlDictSetLimit@LIBXML2_2.9.0 2.9.0 xmlEncodeAttributeEntities@Base 2.9.0 xmlEscapeFormatString@Base 2.9.1+dfsg1-3ubuntu4.9 xmlGenericErrorDefaultFunc@Base 2.6.27 xmlInitializeDict@LIBXML2_2.8.0 2.8.0 xmlMallocBreakpoint@Base 2.6.27 xmlNop@Base 2.9.1 xmlNsListDumpOutput@Base 2.6.27 xmlOutputBufferCreateFilenameDefault@LIBXML2_2.6.11 2.8.0 xmlOutputBufferCreateFilenameValue@LIBXML2_2.6.11 2.8.0 xmlOutputBufferGetContent@LIBXML2_2.9.0 2.9.0 xmlOutputBufferGetSize@LIBXML2_2.9.0 2.9.0 xmlParserInputBufferCreateFilenameDefault@LIBXML2_2.6.11 2.8.0 xmlParserInputBufferCreateFilenameValue@LIBXML2_2.6.11 2.8.0 xmlSchemaCollapseString@LIBXML2_2.6.11 2.8.0 xmlSchemaFreeWildcard@LIBXML2_2.6.11 2.8.0 xmlSchemaGetBuiltInListSimpleTypeItemType@LIBXML2_2.6.11 2.8.0 xmlSchemaGetBuiltInType@LIBXML2_2.6.11 2.8.0 xmlSchemaIsBuiltInTypeFacet@LIBXML2_2.6.11 2.8.0 xmlSchemaValidateListSimpleTypeFacet@LIBXML2_2.6.11 2.8.0 xmlSchemaValidateSetFilename@LIBXML2_2.9.0 2.9.0 xmlSchemaValidateSetLocator@LIBXML2_2.9.0 2.9.0 xmlTextWriterSetQuoteChar@LIBXML2_2.9.0 2.9.0 xmlThrDefOutputBufferCreateFilenameDefault@LIBXML2_2.6.11 2.8.0 xmlThrDefParserInputBufferCreateFilenameDefault@LIBXML2_2.6.11 2.8.0 xmlTextReaderRelaxNGValidateCtxt@LIBXML2_2.8.0 xmlUpgradeOldNs@Base 2.6.27 xmlXPathNodeEval@LIBXML2_2.9.1 2.9.1 xmlXPathSetContextNode@LIBXML2_2.9.1 2.9.1 xmlXPtrAdvanceNode@Base 2.6.27 debian/libxml2-utils.manpages0000664000000000000000000000003712154654360013422 0ustar doc/xmllint.1 doc/xmlcatalog.1 debian/patches/0000775000000000000000000000000013334547071010626 5ustar debian/patches/CVE-2015-7498.patch0000664000000000000000000000524612632056661013271 0ustar From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 
From: Daniel Veillard Date: Mon, 9 Nov 2015 18:07:18 +0800 Subject: Avoid processing entities after encoding conversion failures For https://bugzilla.gnome.org/show_bug.cgi?id=756527 and was also raised by Chromium team in the past When we hit a convwersion failure when switching encoding it is bestter to stop parsing there, this was treated as a fatal error but the parser was continuing to process to extract more errors, unfortunately that makes little sense as the data is obviously corrupt and can potentially lead to unexpected behaviour. --- parser.c | 7 +++++-- parserInternals.c | 11 ++++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:21.915129571 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:21.903129455 -0500 @@ -10593,7 +10593,8 @@ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); } xmlParseEncodingDecl(ctxt); - if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { + if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || + (ctxt->instate == XML_PARSER_EOF)) { /* * The XML REC instructs us to stop parsing right here */ @@ -10717,6 +10718,7 @@ if (CUR == 0) { xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); + return(-1); } /* @@ -10734,7 +10736,8 @@ * Note that we will switch encoding on the fly. */ xmlParseXMLDecl(ctxt); - if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { + if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || + (ctxt->instate == XML_PARSER_EOF)) { /* * The XML REC instructs us to stop parsing right here */ Index: libxml2-2.9.1+dfsg1/parserInternals.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2015-12-09 11:58:21.915129571 -0500 +++ libxml2-2.9.1+dfsg1/parserInternals.c 2015-12-09 11:58:21.907129494 -0500 
@@ -937,6 +937,7 @@ { xmlCharEncodingHandlerPtr handler; int len = -1; + int ret; if (ctxt == NULL) return(-1); switch (enc) { @@ -1097,7 +1098,15 @@ if (handler == NULL) return(-1); ctxt->charset = XML_CHAR_ENCODING_UTF8; - return(xmlSwitchToEncodingInt(ctxt, handler, len)); + ret = xmlSwitchToEncodingInt(ctxt, handler, len); + if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { + /* + * on encoding conversion errors, stop the parser + */ + xmlStopParser(ctxt); + ctxt->errNo = XML_I18N_CONV_FAILED; + } + return(ret); } /** debian/patches/0006-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch0000664000000000000000000000324212177612662023464 0ustar From: Daniel Veillard Date: Wed, 22 May 2013 20:56:45 +0000 Subject: Fix a parsing bug on non-ascii element and CR/LF usage https://bugzilla.gnome.org/show_bug.cgi?id=698550 Somehow the behaviour of the internal parser routine changed slightly when encountering CR/LF, which led to a bug when parsing document with non-ascii Names --- parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index b9df6d8..dd00399 100644 --- a/parser.c +++ b/parser.c @@ -3404,6 +3404,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { int len = 0, l; int c; int count = 0; + const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */ #ifdef DEBUG nbParseNCNameComplex++; @@ -3413,6 +3414,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { * Handler for more complex cases */ GROW; + end = ctxt->input->cur; c = CUR_CHAR(l); if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) { @@ -3434,12 +3436,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { } len += l; NEXTL(l); + end = ctxt->input->cur; c = CUR_CHAR(l); if (c == 0) { count = 0; GROW; if (ctxt->instate == XML_PARSER_EOF) return(NULL); + end = ctxt->input->cur; c = CUR_CHAR(l); } } 
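Review bot: In the `@@ -1097` hunk the assignment `ctxt->errNo = XML_I18N_CONV_FAILED;` placed after `xmlStopParser(ctxt);` is load-bearing, because `xmlStopParser()` itself writes `XML_ERR_USER_STOP` into `errNo` (its body is visible in the CVE-2015-7499-1 patch further down this page), and the comment does not say so; I would extend it to `/* on encoding conversion errors, stop the parser; xmlStopParser() sets errNo to XML_ERR_USER_STOP, so restore the real cause afterwards */`. Note also that when `xmlSwitchToEncodingInt()` returned `ret >= 0` and only `errNo` carries the conversion failure, the function still returns that non-negative `ret`, so a caller that checks only the return value will not learn that the parser was halted; it has to test `ctxt->instate == XML_PARSER_EOF`, which is exactly what the parser.c hunks of this patch add. The enclosing function begins before the first hunk.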
@@ -3448,7 +3452,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); return(NULL); } - return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); + return(xmlDictLookup(ctxt->dict, end - len, len)); } /** debian/patches/CVE-2018-14404.patch0000664000000000000000000000331013334547063013324 0ustar From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Mon, 30 Jul 2018 12:54:38 +0200 Subject: [PATCH] Fix nullptr deref with XPath logic ops If the XPath stack is corrupted, for example by a misbehaving extension function, the "and" and "or" XPath operators could dereference NULL pointers. Check that the XPath stack isn't empty and optimize the logic operators slightly. Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 https://bugzilla.redhat.com/show_bug.cgi?id=1595985 This is CVE-2018-14404. Thanks to Guy Inbar for the report. diff --git a/xpath.c b/xpath.c index 4d3503b..ee9a85b 100644 --- a/xpath.c +++ b/xpath.c @@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) return(0); } xmlXPathBooleanFunction(ctxt, 1); - arg1 = valuePop(ctxt); - arg1->boolval &= arg2->boolval; - valuePush(ctxt, arg1); + if (ctxt->value != NULL) + ctxt->value->boolval &= arg2->boolval; xmlXPathReleaseObject(ctxt->context, arg2); return (total); case XPATH_OP_OR: @@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) return(0); } xmlXPathBooleanFunction(ctxt, 1); - arg1 = valuePop(ctxt); - arg1->boolval |= arg2->boolval; - valuePush(ctxt, arg1); + if (ctxt->value != NULL) + ctxt->value->boolval |= arg2->boolval; xmlXPathReleaseObject(ctxt->context, arg2); return (total); case XPATH_OP_EQUAL: debian/patches/CVE-2015-7499-1.patch0000664000000000000000000000443612632056672013432 0ustar 
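Review bot: The `end - len` handed to `xmlDictLookup()` in this hunk is computed from a raw pointer into the input buffer, and that buffer can be reallocated between the last `end = ctxt->input->cur;` assignment and this return: the loop's `GROW` and `CUR_CHAR(l)` calls (the loop head is outside the hunk, so this is inferred from the visible `GROW;` in the `c == 0` branch) may move `ctxt->input->base`, after which `end` is stale and the lookup reads freed memory. Keeping an offset instead of a pointer — `startPosition = ctxt->input->cur - ctxt->input->base;` where the name begins, and `return(xmlDictLookup(ctxt->dict, ctxt->input->base + startPosition, len));` here — survives reallocation; the CVE-2016-1836 patch later in this series makes exactly that change, which confirms the hazard. xmlParseNCNameComplex begins before this hunk.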
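Review bot: The new `if (ctxt->value != NULL)` guards in both hunks turn a corrupted XPath stack into silent success: when nothing is left on the stack the boolean result is simply not computed, `arg2` is released and `total` is returned as if the `and`/`or` had been evaluated. Since the commit message says this state only arises from a misbehaving extension function, a reviewer would expect it to be reported like the error paths just above each hunk (which `return(0)`) rather than skipped, e.g. `if (ctxt->value == NULL) { xmlXPathReleaseObject(ctxt->context, arg2); return(0); }` after raising whatever error the XPath context uses for stack underflow. At minimum the guard deserves a comment such as `/* xmlXPathBooleanFunction() may have left the stack empty; skipping is deliberate */` so the next reader does not mistake it for an unreachable check. xmlXPathCompOpEval continues on both sides of these hunks.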
From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Fri, 20 Nov 2015 14:55:30 +0800 Subject: Add xmlHaltParser() to stop the parser The problem is doing it in a consistent and safe fashion It's more complex than just setting ctxt->instate = XML_PARSER_EOF Update the public function to reuse that new internal routine --- parser.c | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:32.055227430 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:32.051227393 -0500 @@ -94,6 +94,8 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, const xmlChar *base, xmlParserCtxtPtr pctx); +static void xmlHaltParser(xmlParserCtxtPtr ctxt); + /************************************************************************ * * * Arbitrary limits set in the parser. See XML_PARSE_HUGE * 
@@ -12542,25 +12544,47 @@ #endif /* LIBXML_PUSH_ENABLED */ /** - * xmlStopParser: + * xmlHaltParser: * @ctxt: an XML parser context * - * Blocks further parser processing + * Blocks further parser processing don't override error + * for internal use */ -void -xmlStopParser(xmlParserCtxtPtr ctxt) { +static void +xmlHaltParser(xmlParserCtxtPtr ctxt) { if (ctxt == NULL) return; ctxt->instate = XML_PARSER_EOF; - ctxt->errNo = XML_ERR_USER_STOP; ctxt->disableSAX = 1; if (ctxt->input != NULL) { + /* + * in case there was a specific allocation deallocate before + * overriding base + */ + if (ctxt->input->free != NULL) { + ctxt->input->free((xmlChar *) ctxt->input->base); + ctxt->input->free = NULL; + } ctxt->input->cur = BAD_CAST""; ctxt->input->base = ctxt->input->cur; } } /** + * xmlStopParser: + * @ctxt: an XML parser context + * + * Blocks further parser processing + */ +void +xmlStopParser(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) + return; + xmlHaltParser(ctxt); + ctxt->errNo = XML_ERR_USER_STOP; +} + +/** * xmlCreateIOParserCtxt: * @sax: a SAX handler * @user_data: The user data returned on SAX callbacks debian/patches/CVE-2016-1836.patch0000664000000000000000000005222012724277346013261 0ustar Backport of: From 45752d2c334b50016666d8f0ec3691e2d680f0a0 Mon Sep 17 00:00:00 2001 
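Review bot: The doc comment on the new `xmlHaltParser()` reads `Blocks further parser processing don't override error for internal use`, which is ungrammatical and hides the one thing a caller needs to know — that this is the variant that leaves `ctxt->errNo` alone; I would write `Blocks further parser processing without overriding ctxt->errNo. Internal use only; public callers use xmlStopParser().`. It is also worth stating in that comment that the function releases the current input buffer through `ctxt->input->free` before pointing `base` and `cur` at an empty string, so any pointer a caller still holds into the old buffer is invalid once it returns. Only `ctxt->input` is reset here; whether other pushed inputs need the same treatment cannot be judged from this hunk.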
From: Pranjal Jumde Date: Thu, 3 Mar 2016 11:50:34 -0800 Subject: Bug 759398: Heap use-after-free in xmlDictComputeFastKey * parser.c: (xmlParseNCNameComplex): Store start position instead of a pointer to the name since the underlying buffer may change, resulting in a stale pointer being used. * result/errors/759398.xml: Added. * result/errors/759398.xml.err: Added. * result/errors/759398.xml.str: Added. * test/errors/759398.xml: Added test case. --- parser.c | 9 +- result/errors/759398.xml | 0 result/errors/759398.xml.err | 9 ++ result/errors/759398.xml.str | 5 + test/errors/759398.xml | 326 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 344 insertions(+), 5 deletions(-) create mode 100644 result/errors/759398.xml create mode 100644 result/errors/759398.xml.err create mode 100644 result/errors/759398.xml.str create mode 100755 test/errors/759398.xml Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:58:10.916382845 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:58:10.916382845 -0400 @@ -2008,6 +2008,7 @@ #define CUR (*ctxt->input->cur) #define NXT(val) ctxt->input->cur[(val)] #define CUR_PTR ctxt->input->cur +#define BASE_PTR ctxt->input->base #define CMP4( s, c1, c2, c3, c4 ) \ ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \ @@ -3463,7 +3464,7 @@ int len = 0, l; int c; int count = 0; - const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */ + size_t startPosition = 0; #ifdef DEBUG nbParseNCNameComplex++; @@ -3473,7 +3474,7 @@ * Handler for more complex cases */ GROW; - end = ctxt->input->cur; + startPosition = CUR_PTR - BASE_PTR; c = CUR_CHAR(l); if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) { 
@@ -3495,14 +3496,12 @@ } len += l; NEXTL(l); - end = ctxt->input->cur; c = CUR_CHAR(l); if (c == 0) { count = 0; GROW; if (ctxt->instate == XML_PARSER_EOF) return(NULL); - end = ctxt->input->cur; c = CUR_CHAR(l); } } @@ -3511,7 +3510,7 @@ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); return(NULL); } - return(xmlDictLookup(ctxt->dict, end - len, len)); + return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len)); } /** Index: libxml2-2.9.1+dfsg1/result/errors/759398.xml.err =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/result/errors/759398.xml.err 2016-06-03 08:58:10.916382845 -0400 @@ -0,0 +1,9 @@ +./test/errors/759398.xml:210: parser error : StartTag: invalid element name +need to worry about parsers whi + + + + + + + + + + + + + + + +"> + +'"> + + + + + + + + + +amp, +lt, +gt, +apos, +quot"> + + + + + +]> + + + + + +
+Extensible Markup Language (XML) 1.0 + +REC-xml-&iso6.doc.date; +W3C Recommendation +&draft.day;&draft.month;&draft.year; + + + +http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date; + +http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml + +http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html + +http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf + +http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps + + + +httwww.w3.org/TR/REC-xml + + + +http://www.w3.org/TR/PR-xml-971208 + + + +Tim Bray +Textuality and Netscape +tbray@textuality.com +Jean Paoli +Microsoft +jeanpa@microsoft.com +C. M. Sperberg-McQueen +University of Illinois at Chicago +cmsmcq@uic.edu + + +

The Extensible Markup Language (XML) is a subset of +SGML that is completely described in this document. Its goal is to +enable generic SGML to be served, received, and processed on the Web +in the way that is now possible with HTML. XML has been designed for +ease of implementation and for interoperability with both SGML and +HTML.

+
+ +

This document has been reviewed by W3C Members and +other interested parties and has been endorsed by the +Director as a W3C Recommendation. It is a stable +document and may be used as reference material or cited +as a normative reference from another document. W3C's +role in making the Recommendation is to draw attention +to the spPcification and to promote its widespread +deployment. This enhances the functionality and +interoperability of the Web.

+

+This document specifies a syntax created by subsetting an existing, +widely used international text processing standard (Standard +Generalized Markup Language, ISO 8879:1986(E) as amended and +corrected) for use on the World Wide Web. It is a product of the W3C +XML Activity, details of which can be found at http://www.w3.org/XML. A list of +current W3C Recommendations and other technical documents can be found +at http://www.w3.org/TR. +

+

This specification uses the term URI, which is defined by , a work in progress expected to update and . +

+

The list of known errors in this specification is +available at +http://www.w3.org/XML/xml-19980210-errata.

+

Please report errors in this document to +xml-editor@w3.org. +

+
+ + + +

Chicago, Vancouver, Mountain View, et al.: +World-Wide Web Consortium, XML Working Group, 1996, 1997.

+
+ +

Created in electronic form.

+
+ +English +Extended Backus-Naur Form (formal grammar) + + + +1997-12-03 : CMSMcQ : yet further changes +1997-12-02 : TB : further changes (see TB to XML WG, +2 December 1997) +1997-12-02 : CMSMcQ : deal with as many corrections and +comments from the proofreaders as possible: +entify hard-coded document date in pubdate element, +change expansion of entity WebSGML, +update status description as per Dan Connolly (am not sure +about refernece to Berners-Lee et al.), +add 'The' to abstract as per WG decision, +move Relationship to Existing Standards to back matter and +combine with References, +re-order back matter so normative appendices come first, +re-tag back matter so informative appendices are tagged informdiv1, +remove XXX XXX from list of 'normative' specs in prose, +move some references from Other References to Normative References, +add RFC 1738, 1808, and 2141 to Other References (they are not +normative since we do not require the processor to enforce any +rules based on them), +add reference to 'Fielding draft' (Berners-Lee et al.), +move notation section to end of body, +drop URIchar non-terminal and use SkipLit instead, +lose stray reference to defunct nonterminal 'markupdecls', +move reference to Aho et al. into appendix (Tim's right), +add prose note saying that hash marks and fragment identifiers are +NOT part of the URI formally speaking, and are NOT legal in +system identifiers (processor 'may' signal an error). +Work through: +Tim Bray reacting to James Clark, +Tim Bray on his own, +Eve Maler, + +NOT DONE YET: +change binary / text to unparsed / parsed. 
+handle James's suggestion about < in attriubte values +uppercase hex characters, +namechar list, + +1997-12-01 : JB : add some column-width parameters +1997-12-01 : CMSMcQ : begin round of changes to incorporate +recent WG decisions and other corrections: +binding sources of character encoding info (27 Aug / 3 Sept), +correct wording of Faust quotation (restore dropped line), +drop SDD from EncodingDecl, +change text at version number 1.0, +drop misleading (wrong!) sentence about ignorables and extenders, +modify definxamples with Byte Order Mark. +Add content model as a term and clarify that it applies to both +mixed and element content. + +1997-06-30 : CMSMcQ : change date, some cosmetic changes, +changes to productions for choice, seq, Mixed, NotationType, +Enumeration. Follow James Clark's suggestion and prohibit +conditional sections in internal subset. TO DO: simplify +production for ignored sections as a result, since we don't +need to worry about parsers whi +1997-06-29 : TB : various edits +1997-06-29 : CMSMcQ : further changes: +Suppress old FINAL EDIT comments and some dead material. +Revise occurrences of % in grammar to exploit Henry Thompson's pun, +especially markupdecl and attdef. +Remove RMD requirement relating to element content (?). + +1997-06-28 : CMSMcQ : Various changes for 1 July draft: +Add text for draconian error handling (introduce +the term Fatal Error). +RE deleta est (changing wording from +original announcement to restrict the requirement to validating +parsers). 
+Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'. +1997-03-21 : TB : massive changes on plane flight from Chicago +to Vancouver +1997-03-21 : CMSMcQ : correct as many reported errors as possible. + +1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec. +1997 James Clark: +Define the set of characters from which [^abc] subtracts. +Charref should use just [0-9] not Digit. +Location info needs cleaner treatment: remove? (ERB +question). +One example of a PI has wrong pic. +Clarify discussion of encoding names. +Encoding failure should lead to unspecified results; don't +prescribe error recovery. +Don't require exposure of entity boundaries. +Ignore white space in element content. +Reserve entity names of the form u-NNNN. +Clarify relative URLs. +And some of my own: +Correct productions for content model: model cannot +consist of a name, so "elements ::= cp" is no good. + +1996-11-11 : CMSMcQ : revise for style. +Add new rhs to entity declaration, for parameter entities. +1996-11-10 : CMSMcQ : revise for style. +Fix / complete section on names, characters. +Add sections on parameter entities, conditional sections. +Still to do: Add compatibility note on deterministic content models. +Finish stylistic revision. +1996-10-31 : TB : Add Entity Handling section +1996-10-30 : TB : Clean up term & termdef. Slip in +ERB decision re EMPTY. +1996-10-28 : TB : Change DTD. 
Implement some of Michael's +suggestions. Change comments back to //. Introduce language for +XML namespace reservation. Add section on white-space handling. +Lots more cleanup. +1996-10-24 : CMSMcQ : quick tweaks, implement some ERB +decisions. Characters are not integers. Comments are /* */ not //. +Add bibliographic refs to 10646, HyTime, Unicode. +Rename old Cdata as MsData since it's only seen +in marked sections. Call them attribute-value pairs not +name-value pairs, except once. Internal subset is optional, needs +'?'. Implied attributes should be signaled to the app, not +have values supplied by processor. +1996-10-16 : TB : track down & excise all DSD references; +introduce some EBNF for entity declarations. +1996-10-?? nsistency check, fix up scraps so +they all parse, get formatter working, correct a few productions. +1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and +organizational changes: +Replace a few literals with xmlpio and +pi""entities, to make them consistent and ensure we can change pic +reliably when the ERB votes. +Drop paragraph on recognizers from notation section. +Add match, exact match to terminology. +Move old 2.2 XML Processors and Apps into intro. +Mention comments, PIs, and marked sections in discussion of +delimiter escaping. +Streamline discussion of doctype decl syntax. +Drop old section of 'PI syntax' for doctype decl, and add +section on partial-DTD summary PIs to end of Logical Structures +section. +Revise DSD syntax section to use Tim's subset-in-a-PI +mechanism. +1996-10-10 : TB : eliminate name recognizers (and more?) 
+1996-10-09 : CMSMcQ : revise for style, consistency through 2.3 +(Characters) +1996-10-09 : CMSMcQ : re-unite everything for convenience, +at least temporarily, and revise quickly +1996-10-08 : TB : first major homogenization pass +1996-10-08 : TB : turn "current" attribute on div type into +CDATA +1996-10-02 : TB : remould into skeleton + entities +1996-09-30 : CMSMcQ : add a few more sections prior to exchange + with Tim. +1996-09-20 : CMSMcQ : finish transcribing notes. +1996-09-19 : CMSMcQ : begin transcribing notes for draft. +1996-09-13 : CMSMcQ : made outline from notes of 09-06, +do some housekeeping + + +
+ is used to read XML documents +and provide access to their content and structure.
It is @ssumed that an XML processor is +doing its work on behalf of another module, called the +application. This specification describes the +required beh\vior of an XML processor in terms of how it must read XML +data and the information it must provide to the application.

+ + +Origin and Goals +

XML was developed by an XML Working Group (orisable over the +Internet.

+

XML shall support a wide variey of applications.

+

XML shall be compatible with SGML.

+

It shall be easy to write programs which process XML +documents.

+

The number of optional features in XML is to be kept to the +absolute minimum, ideally zero.

+

XML documents shou \ No newline at end of file debian/patches/0004-xmllint-memory-should-fail-on-empty-files.patch0000664000000000000000000000163712177612662022312 0ustar From: Daniel Veillard Date: Wed, 8 May 2013 05:45:48 +0000 Subject: xmllint --memory should fail on empty files Exposed by https://bugzilla.gnome.org/show_bug.cgi?id=699896 when doing analysis but a priori unrelated. --- xmllint.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/xmllint.c b/xmllint.c index 26d8db1..c0196ab 100644 --- a/xmllint.c +++ b/xmllint.c @@ -2338,8 +2338,11 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) { if ((fd = open(filename, O_RDONLY)) < 0) return; base = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, fd, 0) ; - if (base == (void *) MAP_FAILED) + if (base == (void *) MAP_FAILED) { + fprintf(stderr, "mmap failure for file %s\n", filename); + progresult = XMLLINT_ERR_RDFILE; return; + } if (rectxt == NULL) doc = xmlReadMemory((char *) base, info.st_size, debian/patches/CVE-2016-4448-2.patch0000664000000000000000000001377113062225532013414 0ustar From 502f6a6d08b08c04b3ddfb1cd21b2f699c1b7f5b Mon Sep 17 00:00:00 2001 From: David Kilzer Date: Mon, 23 May 2016 14:58:41 +0800 Subject: More format string warnings with possible format string vulnerability For https://bugzilla.gnome.org/show_bug.cgi?id=761029 adds a new xmlEscapeFormatString() function to escape composed format strings --- libxml.h | 3 +++ relaxng.c | 3 ++- xmlschemas.c | 39 ++++++++++++++++++++++++++------------- xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 86 insertions(+), 14 deletions(-) Index: libxml2-2.9.1+dfsg1/libxml.h =================================================================== --- libxml2-2.9.1+dfsg1.orig/libxml.h 2017-03-15 07:53:59.463564729 -0400 +++ libxml2-2.9.1+dfsg1/libxml.h 2017-03-15 07:53:59.455564642 -0400 
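Review bot: The new `MAP_FAILED` branch reports the error and sets `progresult`, but still returns with the descriptor from `open(filename, O_RDONLY)` two lines above left open, so every file that fails to map leaks an fd; add `close(fd);` before the `return;` in that branch. The commit's goal of failing on empty files is met only indirectly, because `mmap()` rejects a zero-length mapping, which is a POSIX guarantee but reads as accidental here; an explicit `if (info.st_size == 0)` check ahead of the `mmap()` call, with the same error reporting, would document the intent. parseAndPrintFile starts well before this hunk, so I cannot tell whether the success path closes `fd` either.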
@@ -9,6 +9,8 @@ #ifndef __XML_LIBXML_H__ #define __XML_LIBXML_H__ +#include + #ifndef NO_LARGEFILE_SOURCE #ifndef _LARGEFILE_SOURCE #define _LARGEFILE_SOURCE @@ -93,6 +95,7 @@ int __xmlRandom(void); #endif +XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg); int xmlNop(void); #ifdef IN_LIBXML Index: libxml2-2.9.1+dfsg1/relaxng.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/relaxng.c 2017-03-15 07:53:59.463564729 -0400 +++ libxml2-2.9.1+dfsg1/relaxng.c 2017-03-15 07:53:59.459564686 -0400 @@ -2215,7 +2215,8 @@ snprintf(msg, 1000, "Unknown error code %d\n", err); } msg[1000 - 1] = 0; - return (xmlStrdup((xmlChar *) msg)); + xmlChar *result = xmlCharStrdup(msg); + return (xmlEscapeFormatString(&result)); } /** Index: libxml2-2.9.1+dfsg1/xmlschemas.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlschemas.c 2017-03-15 07:53:59.463564729 -0400 +++ libxml2-2.9.1+dfsg1/xmlschemas.c 2017-03-15 07:53:59.463564729 -0400 @@ -1769,7 +1769,7 @@ } FREE_AND_NULL(str) - return (*buf); + return (xmlEscapeFormatString(buf)); } /** @@ -2247,6 +2247,13 @@ TODO return (NULL); } + + /* + * xmlSchemaFormatItemForReport() also returns an escaped format + * string, so do this before calling it below (in the future). + */ + xmlEscapeFormatString(msg); + /* * VAL TODO: The output of the given schema component is currently * disabled. @@ -2474,11 +2481,13 @@ msg = xmlStrcat(msg, BAD_CAST " '"); if (type->builtInType != 0) { msg = xmlStrcat(msg, BAD_CAST "xs:"); - msg = xmlStrcat(msg, type->name); - } else - msg = xmlStrcat(msg, - xmlSchemaFormatQName(&str, - type->targetNamespace, type->name)); + str = xmlStrdup(type->name); + } else { + const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); + if (!str) + str = xmlStrdup(qName); + } + msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); msg = xmlStrcat(msg, BAD_CAST "'"); FREE_AND_NULL(str); } 
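Review bot: In the -2247 hunk of xmlschemas.c the result of `xmlEscapeFormatString(msg);` is discarded, yet the helper (defined in the xmlstring.c part of this patch) frees `*msg` and sets it to NULL on allocation failure, so the code that follows the call — outside the hunk — must tolerate `*msg == NULL`; an explicit `if (*msg == NULL) return (NULL);` after the call, or a comment saying the caller handles it, would make that visible. The new comment's "(in the future)" is also unclear about what is being deferred. The enclosing function starts and ends outside the hunk.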
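Review bot: The new lines of the -2474 hunk (the `xs:` prefix, `str = xmlStrdup(type->name);`, the xmlSchemaFormatQName call with its `if (!str) str = xmlStrdup(qName);` fallback, and the escaped xmlStrcat) are repeated verbatim in the -3139 hunk further down; a static helper that appends the escaped type name to `msg` would keep both sites in sync. The fallback also presumably relies on `str` being NULL on entry — worth confirming at both call sites, which start outside the hunks.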
@@ -2615,7 +2624,7 @@ str = xmlStrcat(str, BAD_CAST ", "); } str = xmlStrcat(str, BAD_CAST " ).\n"); - msg = xmlStrcat(msg, BAD_CAST str); + msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); FREE_AND_NULL(str) } else msg = xmlStrcat(msg, BAD_CAST "\n"); @@ -3139,11 +3148,13 @@ msg = xmlStrcat(msg, BAD_CAST " '"); if (type->builtInType != 0) { msg = xmlStrcat(msg, BAD_CAST "xs:"); - msg = xmlStrcat(msg, type->name); - } else - msg = xmlStrcat(msg, - xmlSchemaFormatQName(&str, - type->targetNamespace, type->name)); + str = xmlStrdup(type->name); + } else { + const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); + if (!str) + str = xmlStrdup(qName); + } + msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); msg = xmlStrcat(msg, BAD_CAST "'."); FREE_AND_NULL(str); } @@ -3156,7 +3167,9 @@ } if (expected) { msg = xmlStrcat(msg, BAD_CAST " Expected is '"); - msg = xmlStrcat(msg, BAD_CAST expected); + xmlChar *expectedEscaped = xmlCharStrdup(expected); + msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped)); + FREE_AND_NULL(expectedEscaped); msg = xmlStrcat(msg, BAD_CAST "'.\n"); } else msg = xmlStrcat(msg, BAD_CAST "\n"); Index: libxml2-2.9.1+dfsg1/xmlstring.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlstring.c 2017-03-15 07:53:59.463564729 -0400 +++ libxml2-2.9.1+dfsg1/xmlstring.c 2017-03-15 07:53:59.463564729 -0400 
@@ -987,5 +987,60 @@ return(xmlUTF8Strndup(utf, len)); } +/** + * xmlEscapeFormatString: + * @msg: a pointer to the string in which to escape '%' characters. + * Must be a heap-allocated buffer created by libxml2 that may be + * returned, or that may be freed and replaced. + * + * Replaces the string pointed to by 'msg' with an escaped string. + * Returns the same string with all '%' characters escaped. + */ +xmlChar * +xmlEscapeFormatString(xmlChar **msg) +{ + xmlChar *msgPtr = NULL; + xmlChar *result = NULL; + xmlChar *resultPtr = NULL; + size_t count = 0; + size_t msgLen = 0; + size_t resultLen = 0; + + if (!msg || !*msg) + return(NULL); + + for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) { + ++msgLen; + if (*msgPtr == '%') + ++count; + } + + if (count == 0) + return(*msg); + + resultLen = msgLen + count + 1; + result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar)); + if (result == NULL) { + /* Clear *msg to prevent format string vulnerabilities in + out-of-memory situations. */ + xmlFree(*msg); + *msg = NULL; + xmlErrMemory(NULL, NULL); + return(NULL); + } + + for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) { + *resultPtr = *msgPtr; + if (*msgPtr == '%') + *(++resultPtr) = '%'; + } + result[resultLen - 1] = '\0'; + + xmlFree(*msg); + *msg = result; + + return *msg; +} + #define bottom_xmlstring #include "elfgcchack.h" debian/patches/CVE-2016-4483.patch0000664000000000000000000000345712724277475013275 0ustar From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Mon, 23 May 2016 13:39:13 +0800 Subject: Avoid an out of bound access when serializing malformed strings For https://bugzilla.gnome.org/show_bug.cgi?id=766414 * xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value is not UTF-8 be more careful when serializing it as we may do an out of bound access as a result. --- xmlsave.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
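Review bot: The doc comment on `xmlEscapeFormatString` does not state the ownership contract that the body implements: on allocation failure `*msg` is freed and set to NULL and NULL is returned, and NULL is also returned when `msg` or `*msg` is NULL. Add to the block: ` * Returns the escaped string (the original pointer when there is no '%' to escape), or NULL if @msg or *@msg is NULL or on allocation failure, in which case *@msg has been freed and set to NULL.` so callers know not to touch `*msg` after a NULL return. The in-body comment about out-of-memory situations is the right place for the why, but the contract belongs in the header block that callers read.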
diff --git a/xmlsave.c b/xmlsave.c index 774404b..4a8e3f3 100644 --- a/xmlsave.c +++ b/xmlsave.c @@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, xmlBufAdd(buf, BAD_CAST "&", 5); cur++; base = cur; - } else if ((*cur >= 0x80) && ((doc == NULL) || - (doc->encoding == NULL))) { + } else if ((*cur >= 0x80) && (cur[1] != 0) && + ((doc == NULL) || (doc->encoding == NULL))) { /* * We assume we have UTF-8 content. */ @@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc, val <<= 6; val |= (cur[1]) & 0x3F; l = 2; - } else if (*cur < 0xF0) { + } else if ((*cur < 0xF0) && (cur [2] != 0)) { val = (cur[0]) & 0x0F; val <<= 6; val |= (cur[1]) & 0x3F; val <<= 6; val |= (cur[2]) & 0x3F; l = 3; - } else if (*cur < 0xF8) { + } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) { val = (cur[0]) & 0x07; val <<= 6; val |= (cur[1]) & 0x3F; -- cgit v0.12 debian/patches/CVE-2017-9049-9050.patch0000664000000000000000000002454013157060000013637 0ustar From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 
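Review bot: The two new `cur [2] != 0` tests in the -2121 hunk put a space before the subscript while `cur[1]` and `cur[3]` in the same conditions do not; write `cur[2]`. Note also that the added checks rely on the attribute content being NUL-terminated and only reject a NUL inside a multibyte sequence; when both new `else if` conditions fail, the trailing `else` — outside the hunk — decides whether the truncated sequence is reported or silently skipped, which is worth a glance. xmlBufAttrSerializeTxtContent starts and ends outside both hunks.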
From: Nick Wellnhofer Date: Mon, 5 Jun 2017 15:37:17 +0200 Subject: [PATCH] Fix handling of parameter-entity references MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There were two bugs where parameter-entity references could lead to an unexpected change of the input buffer in xmlParseNameComplex and xmlDictLookup being called with an invalid pointer. Percent sign in DTD Names ========================= The NEXTL macro used to call xmlParserHandlePEReference. When parsing "complex" names inside the DTD, this could result in entity expansion which created a new input buffer. The fix is to simply remove the call to xmlParserHandlePEReference from the NEXTL macro. This is safe because no users of the macro require expansion of parameter entities. - xmlParseNameComplex - xmlParseNCNameComplex - xmlParseNmtoken The percent sign is not allowed in names, which are grammatical tokens. - xmlParseEntityValue Parameter-entity references in entity values are expanded but this happens in a separate step in this function. - xmlParseSystemLiteral Parameter-entity references are ignored in the system literal. - xmlParseAttValueComplex - xmlParseCharDataComplex - xmlParseCommentComplex - xmlParsePI - xmlParseCDSect Parameter-entity references are ignored outside the DTD. - xmlLoadEntityContent This function is only called from xmlStringLenDecodeEntities and entities are replaced in a separate step immediately after the function call. This bug could also be triggered with an internal subset and double entity expansion. This fixes bug 766956 initially reported by Wei Lei and independently by Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone involved. xmlParseNameComplex with XML_PARSE_OLD10 ======================================== When parsing Names inside an expanded parameter entity with the XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the GROW macro if the input buffer was exhausted. 
At the end of the parameter entity's replacement text, this function would then call xmlPopInput which invalidated the input buffer. There should be no need to invoke GROW in this situation because the buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, at least for UTF-8, in xmlCurrentChar. This also matches the code path executed when XML_PARSE_OLD10 is not set. This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). Thanks to Marcel Böhme and Thuan Pham for the report. Additional hardening ==================== A separate check was added in xmlParseNameComplex to validate the buffer size. CVE-2017-9049, CVE-2017-9050 --- Makefile.am | 18 ++++++++++++++++++ parser.c | 18 ++++++++++-------- result/errors10/781205.xml | 0 result/errors10/781205.xml.err | 21 +++++++++++++++++++++ result/errors10/781361.xml | 0 result/errors10/781361.xml.err | 13 +++++++++++++ result/valid/766956.xml | 0 Makefile.am | 18 ++++++++++++++++++ parser.c | 18 ++++++++++-------- result/errors10/781205.xml.err | 21 +++++++++++++++++++++ result/errors10/781361.xml.err | 13 +++++++++++++ result/valid/766956.xml.err | 9 +++++++++ result/valid/766956.xml.err.rdr | 10 ++++++++++ runtest.c | 3 +++ test/errors10/781205.xml | 3 +++ test/errors10/781361.xml | 3 +++ test/valid/766956.xml | 2 ++ test/valid/dtds/766956.dtd | 2 ++ 11 files changed, 94 insertions(+), 8 deletions(-) create mode 100644 result/errors10/781205.xml create mode 100644 result/errors10/781205.xml.err create mode 100644 result/errors10/781361.xml create mode 100644 result/errors10/781361.xml.err create mode 100644 result/valid/766956.xml create mode 100644 result/valid/766956.xml.err create mode 100644 result/valid/766956.xml.err.rdr create mode 100644 test/errors10/781205.xml create mode 100644 test/errors10/781361.xml create mode 100644 test/valid/766956.xml create mode 100644 test/valid/dtds/766956.dtd Index: b/Makefile.am =================================================================== 
--- a/Makefile.am +++ b/Makefile.am @@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT) if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \ rm result.$$name error.$$name ; \ fi ; fi ; done) + @echo "## Error cases regression tests (old 1.0)" + -@(for i in $(srcdir)/test/errors10/*.xml ; do \ + name=`basename $$i`; \ + if [ ! -d $$i ] ; then \ + if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ + echo New test file $$name ; \ + $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ + 2> $(srcdir)/result/errors10/$$name.err \ + > $(srcdir)/result/errors10/$$name ; \ + grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ + else \ + log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ + grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ + diff $(srcdir)/result/errors10/$$name result.$$name ; \ + diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ + if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) @echo "## Error cases stream regression tests" -@(for i in $(srcdir)/test/errors/*.xml ; do \ name=`basename $$i`; \ Index: b/parser.c =================================================================== --- a/parser.c +++ b/parser.c @@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ct ctxt->input->line++; ctxt->input->col = 1; \ } else ctxt->input->col++; \ ctxt->input->cur += l; \ - if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ } while (0) #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) @@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx len += l; NEXTL(l); c = CUR_CHAR(l); - if (c == 0) { - count = 0; - GROW; - if (ctxt->instate == XML_PARSER_EOF) - return(NULL); - c = CUR_CHAR(l); - } } } if ((len > XML_MAX_NAME_LENGTH) && 
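Review bot: The -2115 hunk removes `xmlParserHandlePEReference` from NEXTL, and the reasoning that no NEXTL user needs parameter-entity expansion now lives only in the commit message; a comment on the macro would keep the call from being reintroduced, e.g. `/* NEXTL must not expand PE references: the callers (names, literals, comments, PIs, CDATA) handle '%' themselves. */`. The NEXTL definition and xmlParseNameComplex (the -3406 hunk) both start outside the hunks.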
@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctx xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); return(NULL); } + if (ctxt->input->cur - ctxt->input->base < len) { + /* + * There were a couple of bugs where PERefs lead to to a change + * of the buffer. Check the buffer size to avoid passing an invalid + * pointer to xmlDictLookup. + */ + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, + "unexpected change of input buffer"); + return (NULL); + } if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); Index: b/result/errors10/781205.xml.err =================================================================== --- /dev/null +++ b/result/errors10/781205.xml.err @@ -0,0 +1,21 @@ +Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration + + %a; + ^ +Entity: line 1: +<:0000 +^ +Entity: line 1: parser error : DOCTYPE improperly terminated + %a; + ^ +Entity: line 1: +<:0000 +^ +namespace error : Failed to parse QName ':0000' + %a; + ^ +<:0000 + ^ +./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 + +^ Index: b/result/errors10/781361.xml.err =================================================================== --- /dev/null +++ b/result/errors10/781361.xml.err @@ -0,0 +1,13 @@ +./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected + +^ +./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration + + +^ +./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated + +^ +./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found + +^ Index: b/result/valid/766956.xml.err =================================================================== --- /dev/null +++ b/result/valid/766956.xml.err 
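Review bot: The new guard `ctxt->input->cur - ctxt->input->base < len` does not cover the `'\r'` branch two lines below it, which reads the name from `cur - (len + 1)`: when `cur - base == len` exactly, that start is one byte before the buffer. If that branch can be reached after a buffer change — I cannot tell from the hunk — it needs its own bound, e.g. `(ctxt->input->cur - ctxt->input->base > len)` added to the `'\r'` condition, rather than tightening the main guard, since `cur - base == len` is legitimate when the name starts at the buffer base. The comment also has a typo: `lead to to a change` → `led to a change`. xmlParseNameComplex starts outside the hunk.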
@@ -0,0 +1,9 @@ +test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' +%ä%ent; + ^ +Entity: line 1: parser error : Content error in the external subset + %ent; + ^ +Entity: line 1: +value +^ Index: b/result/valid/766956.xml.err.rdr =================================================================== --- /dev/null +++ b/result/valid/766956.xml.err.rdr @@ -0,0 +1,10 @@ +test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' +%ä%ent; + ^ +Entity: line 1: parser error : Content error in the external subset + %ent; + ^ +Entity: line 1: +value +^ +./test/valid/766956.xml : failed to parse Index: b/runtest.c =================================================================== --- a/runtest.c +++ b/runtest.c @@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = { { "Error cases regression tests", errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err", 0 }, + { "Error cases regression tests (old 1.0)", + errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err", + XML_PARSE_OLD10 }, #ifdef LIBXML_READER_ENABLED { "Error cases stream regression tests", streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str", Index: b/test/errors10/781205.xml =================================================================== --- /dev/null +++ b/test/errors10/781205.xml @@ -0,0 +1,3 @@ + + %a; Index: b/test/errors10/781361.xml =================================================================== --- /dev/null +++ b/test/errors10/781361.xml @@ -0,0 +1,3 @@ + + %elem; Index: b/test/valid/766956.xml =================================================================== --- /dev/null +++ b/test/valid/766956.xml @@ -0,0 +1,2 @@ + + Index: b/test/valid/dtds/766956.dtd =================================================================== --- /dev/null +++ b/test/valid/dtds/766956.dtd @@ -0,0 +1,2 @@ + +%ä%ent; debian/patches/0002-Fix-an-error-in-xmlCleanupParser.patch0000664000000000000000000000150712177612662020374 0ustar 
From: Alexander Pastukhov Date: Tue, 23 Apr 2013 05:02:11 +0000 Subject: Fix an error in xmlCleanupParser https://bugzilla.gnome.org/show_bug.cgi?id=698582 xmlCleanupParser calls xmlCleanupGlobals() and then xmlResetLastError() but the later reallocate the global data freed by previous call. Just swap the two calls. --- parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parser.c b/parser.c index ee429f3..b9df6d8 100644 --- a/parser.c +++ b/parser.c 
@@ -14763,8 +14763,8 @@ xmlCleanupParser(void) { xmlSchemaCleanupTypes(); xmlRelaxNGCleanupTypes(); #endif - xmlCleanupGlobals(); xmlResetLastError(); + xmlCleanupGlobals(); xmlCleanupThreads(); /* must be last if called not from the main thread */ xmlCleanupMemory(); xmlParserInitialized = 0; debian/patches/series0000664000000000000000000000302213334547071012040 0ustar 0001-modify-xml2-config-and-pkgconfig-behaviour.patch 0002-Fix-an-error-in-xmlCleanupParser.patch 0003-Fix-missing-break-on-last-function-for-attributes.patch 0004-xmllint-memory-should-fail-on-empty-files.patch 0005-properly-quote-the-namespace-uris-written-out-during.patch 0006-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch 0007-Fix-XPath-optimization-with-predicates.patch 0006-fix-python-multiarch-includes.patch xmllint_pretty.patch CVE-2014-0191.patch lp1321869.patch CVE-2014-3660.patch CVE-2015-1819.patch CVE-2015-7941.patch CVE-2015-7942.patch CVE-2015-8035.patch CVE-2015-5312.patch CVE-2015-7497.patch CVE-2015-7498.patch CVE-2015-7499-1.patch CVE-2015-7499-2.patch CVE-2015-7500.patch CVE-2015-8241.patch CVE-2015-8242.patch CVE-2015-8317-1.patch CVE-2015-8317-2.patch CVE-2015-7499-3.patch CVE-2015-7499-4.patch CVE-2015-8710.patch CVE-2016-1762.patch CVE-2016-1833-pre.patch CVE-2016-1833-pre2.patch CVE-2016-1833.patch CVE-2016-1834.patch CVE-2016-1835.patch CVE-2016-1836.patch CVE-2016-1837.patch CVE-2016-1838.patch CVE-2016-1839.patch CVE-2016-1840.patch CVE-2016-3705.patch CVE-2016-4447.patch CVE-2016-4449.patch CVE-2016-4483.patch CVE-2016-3627.patch CVE-2016-4448-1.patch CVE-2016-4448-2.patch CVE-2016-4448-3.patch CVE-2016-4658.patch CVE-2016-5131-1.patch CVE-2016-5131-2.patch CVE-2017-0663.patch CVE-2017-7375.patch CVE-2017-7376.patch CVE-2017-9047-9048.patch CVE-2017-9049-9050.patch CVE-2017-16932.patch CVE-2017-15412.patch CVE-2016-9318.patch CVE-2017-18258.patch CVE-2018-14404.patch CVE-2018-14567.patch 
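Review bot: The swap of `xmlResetLastError()` and `xmlCleanupGlobals()` carries no comment, and the reason (resetting the error re-allocates global state that the cleanup has just freed) is only in the commit message, so the next reorder will reintroduce the leak. Add above the first of the two calls: `/* must precede xmlCleanupGlobals(): resetting the last error re-allocates global state */`. xmlCleanupParser starts outside the hunk.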
debian/patches/CVE-2015-1819.patch0000664000000000000000000001422012621366111013240 0ustar From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Tue, 14 Apr 2015 17:41:48 +0800 Subject: CVE-2015-1819 Enforce the reader to run in constant memory One of the operation on the reader could resolve entities leading to the classic expansion issue. Make sure the buffer used for xmlreader operation is bounded. Introduce a new allocation type for the buffers for this effect. --- buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- include/libxml/tree.h | 3 ++- xmlreader.c | 20 +++++++++++++++++++- 3 files changed, 63 insertions(+), 3 deletions(-) Index: libxml2-2.9.1+dfsg1/buf.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/buf.c 2015-11-13 08:57:26.800279755 -0500 +++ libxml2-2.9.1+dfsg1/buf.c 2015-11-13 08:57:26.796279703 -0500 @@ -27,6 +27,7 @@ #include #include #include +#include /* for XML_MAX_TEXT_LENGTH */ #include "buf.h" #define WITH_BUFFER_COMPAT @@ -299,7 +300,8 @@ if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || (scheme == XML_BUFFER_ALLOC_EXACT) || (scheme == XML_BUFFER_ALLOC_HYBRID) || - (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { + (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || + (scheme == XML_BUFFER_ALLOC_BOUNDED)) { buf->alloc = scheme; if (buf->buffer) buf->buffer->alloc = scheme; @@ -458,6 +460,18 @@ size = buf->use + len + 100; #endif + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || + (buf->size >= XML_MAX_TEXT_LENGTH)) { + xmlBufMemoryError(buf, "buffer error: text too long\n"); + return(0); + } + if (size >= XML_MAX_TEXT_LENGTH) + size = XML_MAX_TEXT_LENGTH; + } if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { size_t start_buf = buf->content - buf->contentIO; 
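Review bot: The bounded-scheme guard added in the -458 hunk of buf.c is repeated with the same four-line comment in the -739, -867 and -938 hunks; a small static helper (say `xmlBufCheckBounded(buf, needed)`) returning whether `needed` is below XML_MAX_TEXT_LENGTH would make the four sites identical and give the "Used to provide parsing limits" comment one home. The limit path also returns -1 in the -867 and -938 hunks while the resize failure immediately below them returns XML_ERR_NO_MEMORY, so callers see two different codes for the same "buffer could not grow" outcome. The enclosing functions all start and end outside the hunks.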
@@ -739,6 +753,15 @@ CHECK_COMPAT(buf) if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if (size >= XML_MAX_TEXT_LENGTH) { + xmlBufMemoryError(buf, "buffer error: text too long\n"); + return(0); + } + } /* Don't resize if we don't have to */ if (size < buf->size) @@ -867,6 +890,15 @@ needSize = buf->use + len + 2; if (needSize > buf->size){ + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if (needSize >= XML_MAX_TEXT_LENGTH) { + xmlBufMemoryError(buf, "buffer error: text too long\n"); + return(-1); + } + } if (!xmlBufResize(buf, needSize)){ xmlBufMemoryError(buf, "growing buffer"); return XML_ERR_NO_MEMORY; @@ -938,6 +970,15 @@ } needSize = buf->use + len + 2; if (needSize > buf->size){ + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits + */ + if (needSize >= XML_MAX_TEXT_LENGTH) { + xmlBufMemoryError(buf, "buffer error: text too long\n"); + return(-1); + } + } if (!xmlBufResize(buf, needSize)){ xmlBufMemoryError(buf, "growing buffer"); return XML_ERR_NO_MEMORY; Index: libxml2-2.9.1+dfsg1/include/libxml/tree.h =================================================================== --- libxml2-2.9.1+dfsg1.orig/include/libxml/tree.h 2015-11-13 08:57:26.800279755 -0500 +++ libxml2-2.9.1+dfsg1/include/libxml/tree.h 2015-11-13 08:57:26.800279755 -0500 
@@ -76,7 +76,8 @@ XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ - XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ + XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ + XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ } xmlBufferAllocationScheme; /** Index: libxml2-2.9.1+dfsg1/xmlreader.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlreader.c 2015-11-13 08:57:26.800279755 -0500 +++ libxml2-2.9.1+dfsg1/xmlreader.c 2015-11-13 08:57:26.800279755 -0500 @@ -2077,6 +2077,9 @@ "xmlNewTextReader : malloc failed\n"); return(NULL); } + /* no operation on a reader should require a huge buffer */ + xmlBufSetAllocationScheme(ret->buffer, + XML_BUFFER_ALLOC_BOUNDED); ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); if (ret->sax == NULL) { xmlBufFree(ret->buffer); @@ -3602,6 +3605,7 @@ return(((xmlNsPtr) node)->href); case XML_ATTRIBUTE_NODE:{ xmlAttrPtr attr = (xmlAttrPtr) node; + const xmlChar *ret; if ((attr->children != NULL) && (attr->children->type == XML_TEXT_NODE) && @@ -3615,10 +3619,21 @@ "xmlTextReaderSetup : malloc failed\n"); return (NULL); } + xmlBufSetAllocationScheme(reader->buffer, + XML_BUFFER_ALLOC_BOUNDED); } else xmlBufEmpty(reader->buffer); xmlBufGetNodeContent(reader->buffer, node); - return(xmlBufContent(reader->buffer)); + ret = xmlBufContent(reader->buffer); + if (ret == NULL) { + /* error on the buffer best to reallocate */ + xmlBufFree(reader->buffer); + reader->buffer = xmlBufCreateSize(100); + xmlBufSetAllocationScheme(reader->buffer, + XML_BUFFER_ALLOC_BOUNDED); + ret = BAD_CAST ""; + } + return(ret); } break; } 
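Review bot: The comment on the new enumerator, `limit the upper size of the buffer`, does not say what the limit is, although buf.c in this patch fixes it to XML_MAX_TEXT_LENGTH; `XML_BUFFER_ALLOC_BOUNDED /* limit the buffer size to XML_MAX_TEXT_LENGTH */` would let header readers find it. Appending the value at the end of the enum keeps the existing values stable, which is the right choice for a public header.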
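Review bot: In the -3615 hunk of xmlreader.c the recovery path `reader->buffer = xmlBufCreateSize(100);` is not checked for NULL before `xmlBufSetAllocationScheme` and before the function returns with the reader holding a possibly NULL buffer, whereas the creation a few lines above reports `malloc failed` and returns NULL; mirror that: `if (reader->buffer == NULL) return (NULL);` with the same error report. The literal `100` is also repeated from that earlier creation (presumably — its argument is cut off in the hunk) and could be a shared constant. The enclosing function starts and ends outside the hunk.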
@@ -5117,6 +5132,9 @@ "xmlTextReaderSetup : malloc failed\n"); return (-1); } + /* no operation on a reader should require a huge buffer */ + xmlBufSetAllocationScheme(reader->buffer, + XML_BUFFER_ALLOC_BOUNDED); if (reader->sax == NULL) reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); if (reader->sax == NULL) { debian/patches/CVE-2017-7375.patch0000664000000000000000000000202713157057733013263 0ustar From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001 From: Neel Mehta Date: Fri, 7 Apr 2017 17:43:02 +0200 Subject: [PATCH] Prevent unwanted external entity reference For https://bugzilla.gnome.org/show_bug.cgi?id=780691 * parser.c: add a specific check to avoid PE reference CVE-2017-7375 --- parser.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/parser.c b/parser.c index 609a270..c2c812d 100644 --- a/parser.c +++ b/parser.c @@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) if (xmlPushInput(ctxt, input) < 0) return; } else { + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && + ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && + ((ctxt->options & XML_PARSE_DTDATTR) == 0) && + (ctxt->replaceEntities == 0) && + (ctxt->validate == 0)) + return; + /* * TODO !!! * handle the extra spaces added before and after -- 2.7.4 debian/patches/CVE-2015-7499-2.patch0000664000000000000000000000260012632056677013427 0ustar From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001 
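Review bot: The new early `return` in xmlParsePEReference silently drops the external parameter entity when none of the loading options is set, and nothing at the site records why; a comment would help the next reader: `/* External PEs are only fetched when entity substitution or DTD loading/validation was requested; otherwise the reference is ignored (CVE-2017-7375). */`. The `ctxt->replaceEntities` and `ctxt->validate` tests presumably duplicate the XML_PARSE_NOENT and XML_PARSE_DTDVALID bits already tested on `ctxt->options` — harmless, but worth a word if they are kept deliberately for contexts set up without xmlCtxtUseOptions. xmlParsePEReference starts and ends outside the hunk.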
From: Daniel Veillard Date: Fri, 20 Nov 2015 15:04:09 +0800 Subject: Detect incoherency on GROW the current pointer to the input has to be between the base and end if not stop everything we have an internal state error. --- parser.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:37.995284698 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:37.995284698 -0500 @@ -2072,9 +2072,16 @@ ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && ((ctxt->options & XML_PARSE_HUGE) == 0)) { xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); - ctxt->instate = XML_PARSER_EOF; + xmlHaltParser(ctxt); + return; } xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + if ((ctxt->input->cur > ctxt->input->end) || + (ctxt->input->cur < ctxt->input->base)) { + xmlHaltParser(ctxt); + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); + return; + } if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) xmlPopInput(ctxt); debian/patches/CVE-2015-7500.patch0000664000000000000000000000651412632056710013243 0ustar From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001 
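Review bot: In the new `cur index out of bound` branch `xmlHaltParser(ctxt)` runs before `xmlFatalErr(...)`, the opposite order from the `Huge input lookup` branch just above; if the error reporter suppresses messages once the parser is halted (instate EOF with SAX disabled), as the libxml2 error helpers do as far as I recall, the message is never emitted. Report first, then halt: `xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); xmlHaltParser(ctxt); return;`. xmlGROW starts outside the hunk.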
From: Daniel Veillard Date: Fri, 20 Nov 2015 16:06:59 +0800 Subject: CVE-2015-7500 Fix memory access error due to incorrect entities boundaries For https://bugzilla.gnome.org/show_bug.cgi?id=756525 handle properly the case where we popped out of the current entity while processing a start tag Reported by Kostya Serebryany @ Google This slightly modifies the output of 754946 in regression tests --- parser.c | 28 ++++++++++++++++++++++------ result/errors/754946.xml.err | 7 +++++-- 2 files changed, 27 insertions(+), 8 deletions(-) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:46.323364918 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:46.319364879 -0500 @@ -9302,7 +9302,7 @@ const xmlChar **atts = ctxt->atts; int maxatts = ctxt->maxatts; int nratts, nbatts, nbdef; - int i, j, nbNs, attval, oldline, oldcol; + int i, j, nbNs, attval, oldline, oldcol, inputNr; const xmlChar *base; unsigned long cur; int nsNr = ctxt->nsNr; @@ -9321,6 +9321,7 @@ SHRINK; base = ctxt->input->base; cur = ctxt->input->cur - ctxt->input->base; + inputNr = ctxt->inputNr; oldline = ctxt->input->line; oldcol = ctxt->input->col; nbatts = 0; @@ -9346,7 +9347,8 @@ */ SKIP_BLANKS; GROW; - if (ctxt->input->base != base) goto base_changed; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; while (((RAW != '>') && ((RAW != '/') || (NXT(1) != '>')) && @@ -9357,7 +9359,7 @@ attname = xmlParseAttribute2(ctxt, prefix, localname, &aprefix, &attvalue, &len, &alloc); - if (ctxt->input->base != base) { + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { if ((attvalue != NULL) && (alloc != 0)) xmlFree(attvalue); attvalue = NULL; 
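Review bot: The condition `(ctxt->input->base != base) || (inputNr != ctxt->inputNr)` introduced in the -9346 hunk is repeated in the -9357 hunk and three more times in the -9486, -9523 and -9539 hunks that follow; one local macro, e.g. `#define INPUT_CHANGED() ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))`, would make a future change to the "input changed" test a single edit. The enclosing start-tag parser (not named in the hunk headers) starts and ends outside these hunks.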
@@ -9486,7 +9488,8 @@ skip_ns: if (alloc != 0) xmlFree(attvalue); SKIP_BLANKS; - if (ctxt->input->base != base) goto base_changed; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; continue; } @@ -9523,7 +9526,8 @@ GROW if (ctxt->instate == XML_PARSER_EOF) break; - if (ctxt->input->base != base) goto base_changed; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) break; if (!IS_BLANK_CH(RAW)) { @@ -9539,7 +9543,8 @@ break; } GROW; - if (ctxt->input->base != base) goto base_changed; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; } /* @@ -9706,6 +9711,17 @@ if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) xmlFree((xmlChar *) atts[i]); } + + /* + * We can't switch from one entity to another in the middle + * of a start tag + */ + if (inputNr != ctxt->inputNr) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, + "Start tag doesn't start and stop in the same entity\n"); + return(NULL); + } + ctxt->input->cur = ctxt->input->base + cur; ctxt->input->line = oldline; ctxt->input->col = oldcol; debian/patches/CVE-2017-18258.patch0000664000000000000000000000165413334547046013350 0ustar From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Thu, 7 Sep 2017 18:36:01 +0200 Subject: [PATCH] Set memory limit for LZMA decompression Otherwise malicious LZMA compressed files could consume large amounts of memory when decompressed. According to the xz man page, files compressed with `xz -9` currently require 65 MB to decompress, so set the limit to 100 MB. Should fix bug 786696. diff --git a/xzlib.c b/xzlib.c index 97af9c5..ed9f480 100644 --- a/xzlib.c +++ b/xzlib.c 
@@ -363,7 +363,7 @@ xz_head(xz_statep state)
 state->strm = init;
 state->strm.avail_in = 0;
 state->strm.next_in = NULL;
- if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
+ if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
 xmlFree(state->out);
 xmlFree(state->in);
 state->size = 0;
debian/patches/CVE-2016-1833.patch0000664000000000000000000002232712724277175013253 0ustar From 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 Mon Sep 17 00:00:00 2001 
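Review bot: The memory limit is passed as the bare literal `100000000`, and the rationale from the commit message (xz -9 output needs about 65 MB) is not recorded in the code; a named constant keeps both together: `#define LZMA_MEMLIMIT 100000000 /* bytes; xz -9 streams need ~65 MB, see bug 786696 */` and `lzma_auto_decoder(&state->strm, LZMA_MEMLIMIT, 0)`. Note that exceeding a memlimit is reported later by lzma_code as LZMA_MEMLIMIT_ERROR rather than by the decoder setup here, so the decode loop (outside the hunk) must treat that code as a hard failure. xz_head starts outside the hunk.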
From: Pranjal Jumde Date: Tue, 1 Mar 2016 15:18:04 -0800 Subject: Heap-based buffer overread in htmlCurrentChar For https://bugzilla.gnome.org/show_bug.cgi?id=758606 * parserInternals.c: (xmlNextChar): Add an test to catch other issues on ctxt->input corruption proactively. For non-UTF-8 charsets, xmlNextChar() failed to check for the end of the input buffer and would continuing reading. Fix this by pulling out the check for the end of the input buffer into common code, and return if we reach the end of the input buffer prematurely. * result/HTML/758606.html: Added. * result/HTML/758606.html.err: Added. * result/HTML/758606.html.sax: Added. * result/HTML/758606_2.html: Added. * result/HTML/758606_2.html.err: Added. * result/HTML/758606_2.html.sax: Added. * test/HTML/758606.html: Added test case. * test/HTML/758606_2.html: Added test case. --- parserInternals.c | 172 ++++++++++++++++++++++-------------------- result/HTML/758606.html | 2 + result/HTML/758606.html.err | 16 ++++ result/HTML/758606.html.sax | 10 +++ result/HTML/758606_2.html | 2 + result/HTML/758606_2.html.err | 16 ++++ result/HTML/758606_2.html.sax | 17 +++++ test/HTML/758606.html | 1 + test/HTML/758606_2.html | 1 + 9 files changed, 154 insertions(+), 83 deletions(-) create mode 100644 result/HTML/758606.html create mode 100644 result/HTML/758606.html.err create mode 100644 result/HTML/758606.html.sax create mode 100644 result/HTML/758606_2.html create mode 100644 result/HTML/758606_2.html.err create mode 100644 result/HTML/758606_2.html.sax create mode 100644 test/HTML/758606.html create mode 100644 test/HTML/758606_2.html diff --git a/parserInternals.c b/parserInternals.c index 8c79678..bfc778a 100644 --- a/parserInternals.c +++ b/parserInternals.c @@ -55,6 +55,10 @@ #include #include +#define CUR(ctxt) ctxt->input->cur +#define END(ctxt) ctxt->input->end +#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt)) + #include "buf.h" #include "enc.h" 
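Review bot: The new `CUR(ctxt)` and `END(ctxt)` macros in the -55 hunk expand their argument unparenthesized, so an argument such as `p + 1` or `a ? b : c` would expand wrongly; write them as `#define CUR(ctxt) ((ctxt)->input->cur)` and `#define END(ctxt) ((ctxt)->input->end)`, which also lets `VALID_CTXT` drop its own extra parentheses. The names are also very generic for file-scope macros (parser.c has a `CUR` of its own, as far as I recall — a different translation unit, but an easy trap when code is moved); a `NEXTCHAR_` or `XML_` prefix would avoid a future collision.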
@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt) (ctxt->input == NULL)) return; - if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { - if ((*ctxt->input->cur == 0) && - (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) && - (ctxt->instate != XML_PARSER_COMMENT)) { - /* - * If we are at the end of the current entity and - * the context allows it, we pop consumed entities - * automatically. - * the auto closing should be blocked in other cases - */ + if (!(VALID_CTXT(ctxt))) { + xmlErrInternal(ctxt, "Parser input data memory error\n", NULL); + ctxt->errNo = XML_ERR_INTERNAL_ERROR; + xmlStopParser(ctxt); + return; + } + + if ((*ctxt->input->cur == 0) && + (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) { + if ((ctxt->instate != XML_PARSER_COMMENT)) xmlPopInput(ctxt); - } else { - const unsigned char *cur; - unsigned char c; + return; + } - /* - * 2.11 End-of-Line Handling - * the literal two-character sequence "#xD#xA" or a standalone - * literal #xD, an XML processor must pass to the application - * the single character #xA. - */ - if (*(ctxt->input->cur) == '\n') { - ctxt->input->line++; ctxt->input->col = 1; - } else - ctxt->input->col++; + if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { + const unsigned char *cur; + unsigned char c; - /* - * We are supposed to handle UTF8, check it's valid - * From rfc2044: encoding of the Unicode values on UTF-8: - * - * UCS-4 range (hex.) UTF-8 octet sequence (binary) - * 0000 0000-0000 007F 0xxxxxxx - * 0000 0080-0000 07FF 110xxxxx 10xxxxxx - * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx - * - * Check for the 0x110000 limit too - */ - cur = ctxt->input->cur; + /* + * 2.11 End-of-Line Handling + * the literal two-character sequence "#xD#xA" or a standalone + * literal #xD, an XML processor must pass to the application + * the single character #xA. 
+ */ + if (*(ctxt->input->cur) == '\n') { + ctxt->input->line++; ctxt->input->col = 1; + } else + ctxt->input->col++; - c = *cur; - if (c & 0x80) { - if (c == 0xC0) - goto encoding_error; - if (cur[1] == 0) { + /* + * We are supposed to handle UTF8, check it's valid + * From rfc2044: encoding of the Unicode values on UTF-8: + * + * UCS-4 range (hex.) UTF-8 octet sequence (binary) + * 0000 0000-0000 007F 0xxxxxxx + * 0000 0080-0000 07FF 110xxxxx 10xxxxxx + * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx + * + * Check for the 0x110000 limit too + */ + cur = ctxt->input->cur; + + c = *cur; + if (c & 0x80) { + if (c == 0xC0) + goto encoding_error; + if (cur[1] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; + } + if ((cur[1] & 0xc0) != 0x80) + goto encoding_error; + if ((c & 0xe0) == 0xe0) { + unsigned int val; + + if (cur[2] == 0) { xmlParserInputGrow(ctxt->input, INPUT_CHUNK); cur = ctxt->input->cur; } - if ((cur[1] & 0xc0) != 0x80) + if ((cur[2] & 0xc0) != 0x80) goto encoding_error; - if ((c & 0xe0) == 0xe0) { - unsigned int val; - - if (cur[2] == 0) { + if ((c & 0xf0) == 0xf0) { + if (cur[3] == 0) { xmlParserInputGrow(ctxt->input, INPUT_CHUNK); cur = ctxt->input->cur; } - if ((cur[2] & 0xc0) != 0x80) + if (((c & 0xf8) != 0xf0) || + ((cur[3] & 0xc0) != 0x80)) goto encoding_error; - if ((c & 0xf0) == 0xf0) { - if (cur[3] == 0) { - xmlParserInputGrow(ctxt->input, INPUT_CHUNK); - cur = ctxt->input->cur; - } - if (((c & 0xf8) != 0xf0) || - ((cur[3] & 0xc0) != 0x80)) - goto encoding_error; - /* 4-byte code */ - ctxt->input->cur += 4; - val = (cur[0] & 0x7) << 18; - val |= (cur[1] & 0x3f) << 12; - val |= (cur[2] & 0x3f) << 6; - val |= cur[3] & 0x3f; - } else { - /* 3-byte code */ - ctxt->input->cur += 3; - val = (cur[0] & 0xf) << 12; - val |= (cur[1] & 0x3f) << 6; - val |= cur[2] & 0x3f; - } - if (((val > 0xd7ff) && (val < 0xe000)) || - ((val > 0xfffd) && (val < 0x10000)) || - (val >= 0x110000)) { - xmlErrEncodingInt(ctxt, 
XML_ERR_INVALID_CHAR, - "Char 0x%X out of allowed range\n", - val); - } - } else - /* 2-byte code */ - ctxt->input->cur += 2; + /* 4-byte code */ + ctxt->input->cur += 4; + val = (cur[0] & 0x7) << 18; + val |= (cur[1] & 0x3f) << 12; + val |= (cur[2] & 0x3f) << 6; + val |= cur[3] & 0x3f; + } else { + /* 3-byte code */ + ctxt->input->cur += 3; + val = (cur[0] & 0xf) << 12; + val |= (cur[1] & 0x3f) << 6; + val |= cur[2] & 0x3f; + } + if (((val > 0xd7ff) && (val < 0xe000)) || + ((val > 0xfffd) && (val < 0x10000)) || + (val >= 0x110000)) { + xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, + "Char 0x%X out of allowed range\n", + val); + } } else - /* 1-byte code */ - ctxt->input->cur++; + /* 2-byte code */ + ctxt->input->cur += 2; + } else + /* 1-byte code */ + ctxt->input->cur++; - ctxt->nbChars++; - if (*ctxt->input->cur == 0) - xmlParserInputGrow(ctxt->input, INPUT_CHUNK); - } + ctxt->nbChars++; + if (*ctxt->input->cur == 0) + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); } else { /* * Assume it's a fixed length encoding (1) with debian/patches/CVE-2016-5131-2.patch0000664000000000000000000000176613062225560013404 0ustar From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 28 Jun 2016 14:19:58 +0200 Subject: Fix comparison with root node in xmlXPathCmpNodes This change has already been made in xmlXPathCmpNodesExt but not in xmlXPathCmpNodes. --- xpath.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: libxml2-2.9.1+dfsg1/xpath.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xpath.c 2017-03-15 07:54:22.159812800 -0400 +++ libxml2-2.9.1+dfsg1/xpath.c 2017-03-15 07:54:22.159812800 -0400 
@@ -3337,13 +3337,13 @@ * compute depth to root */ for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { - if (cur == node1) + if (cur->parent == node1) return(1); depth2++; } root = cur; for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { - if (cur == node2) + if (cur->parent == node2) return(-1); depth1++; } debian/patches/CVE-2015-8317-2.patch0000664000000000000000000000227512632057050013407 0ustar From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Mon, 29 Jun 2015 16:10:26 +0800 Subject: Fail parsing early on if encoding conversion failed For https://bugzilla.gnome.org/show_bug.cgi?id=751631 If we fail conversing the current input stream while processing the encoding declaration of the XMLDecl then it's safer to just abort there and not try to report further errors. --- parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:21.000271438 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:20.996271400 -0500 @@ -10461,7 +10461,11 @@ handler = xmlFindCharEncodingHandler((const char *) encoding); if (handler != NULL) { - xmlSwitchToEncoding(ctxt, handler); + if (xmlSwitchToEncoding(ctxt, handler) < 0) { + /* failed to convert */ + ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; + return(NULL); + } } else { xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, "Unsupported encoding %s\n", encoding); debian/patches/CVE-2018-14567.patch0000664000000000000000000000304013334547071013335 0ustar From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001 
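Review bot: The switch from `cur == node1` to `cur->parent == node1` in both loops deserves a comment, because it is not obvious why the comparison is against the parent: the loop exits as soon as `cur->parent` is NULL, so `cur` itself never takes the root's value and a root `node1`/`node2` would otherwise never match. Suggested comment above the first loop: `/* test cur->parent, not cur: the loop stops before cur reaches the root, so the root can only be matched this way */`. The enclosing function, xmlXPathCmpNodes, starts and ends outside the hunk.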
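Review bot: The new early return leaves `encoding` un-freed, mirroring the existing `else` branch; if that string was allocated earlier in the enclosing function and the caller only frees what the function returns, this path leaks it — the allocation and the function's tail are outside the hunk, so worth confirming. The branch also sets `ctxt->errNo` without raising an error the way the `else` branch does with `xmlFatalErrMsgStr()`, presumably because `xmlSwitchToEncoding()` has already reported one; a comment such as `/* conversion failed: error already reported, stop before cascading errors */` would make the asymmetry intentional and record the commit's rationale.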
From: Nick Wellnhofer Date: Mon, 30 Jul 2018 13:14:11 +0200 Subject: [PATCH] Fix infinite loop in LZMA decompression MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Check the liblzma error code more thoroughly to avoid infinite loops. Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13 Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914 This is CVE-2018-9251 and CVE-2018-14567. Thanks to Dongliang Mu and Simon Wörner for the reports. diff --git a/xzlib.c b/xzlib.c index ed9f480..8ad24c4 100644 --- a/xzlib.c +++ b/xzlib.c @@ -517,6 +517,10 @@ xz_decomp(xz_statep state) "internal error: inflate stream corrupt"); return -1; } + /* + * FIXME: Remapping a couple of error codes and falling through + * to the LZMA error handling looks fragile. + */ if (ret == Z_MEM_ERROR) ret = LZMA_MEM_ERROR; if (ret == Z_DATA_ERROR) @@ -542,6 +546,11 @@ xz_decomp(xz_statep state) xz_error(state, LZMA_PROG_ERROR, "compression error"); return -1; } + if ((state->how != GZIP) && + (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { + xz_error(state, ret, "lzma error"); + return -1; + } } while (strm->avail_out && ret != LZMA_STREAM_END); /* update available output and crc check value */ debian/patches/CVE-2016-9318.patch0000664000000000000000000000373313334367434013265 0ustar From ad88b54f1a28a8565964a370b5d387927b633c0d Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Fri, 8 Dec 2017 09:42:31 +0100 Subject: [PATCH] Improve handling of context input_id For https://bugzilla.gnome.org/show_bug.cgi?id=772726 This was used in xmlsec to detect issues with accessing external entities and prevent them, but was unreliable, based on a patch from Aleksey Sanin * parser.c: make sure input_id is incremented when creating sub-entities for parsing or when parsing out of context diff --git a/parser.c b/parser.c index 536f2d8..773ba77 100644 --- a/parser.c +++ b/parser.c 
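Review bot: The new catch-all in the second hunk is gated on `state->how != GZIP`, so when the stream is gzip-encoded an `inflate()` return code that the remapping above does not translate to an LZMA code still falls through to the `while` condition; whether such a code can keep `strm->avail_out` non-zero and the loop spinning depends on the zlib handling earlier in the function, which is outside the hunk, but the FIXME added in the first hunk suggests the author shares that doubt. A symmetric check on the zlib side (reject any `ret` the remap does not know) would close the gap; at minimum the gate deserves a comment, e.g. `/* zlib codes were remapped above; only genuine LZMA codes are checked here */`. `xz_decomp` starts and ends outside the hunk.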
@@ -13567,6 +13567,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, ctxt->userData = ctxt; if (ctxt->dict != NULL) xmlDictFree(ctxt->dict); ctxt->dict = oldctxt->dict; + ctxt->input_id = oldctxt->input_id + 1; ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3); ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5); ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36); @@ -13819,6 +13820,7 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen, xmlCtxtUseOptionsInternal(ctxt, options, NULL); xmlDetectSAX2(ctxt); ctxt->myDoc = doc; + ctxt->input_id = 2; fake = xmlNewComment(NULL); if (fake == NULL) { @@ -14031,6 +14033,7 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax, newDoc->oldNs = doc->oldNs; } ctxt->instate = XML_PARSER_CONTENT; + ctxt->input_id = 2; ctxt->depth = depth; /* @@ -14191,6 +14194,11 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, if (pctx != NULL) { ctxt->options = pctx->options; ctxt->_private = pctx->_private; + /* + * this is a subparser of pctx, so the input_id should be + * incremented to distinguish from main entity + */ + ctxt->input_id = pctx->input_id + 1; } uri = xmlBuildURI(URL, base); debian/patches/CVE-2016-4448-1.patch0000664000000000000000000011101613062225463013405 0ustar Backport of: From 4472c3a5a5b516aaf59b89be602fbce52756c3e9 Mon Sep 17 00:00:00 2001 
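Review bot: `ctxt->input_id = 2;` appears as a bare literal in the xmlParseInNodeContext and xmlParseBalancedChunkMemoryRecover hunks with nothing saying what 2 means, while the xmlCreateEntityParserCtxtInternal hunk does explain its `pctx->input_id + 1`. Give the literal the same treatment, e.g. `/* any id other than the main entity's marks this out-of-context parse as a sub-input; see xmlCreateEntityParserCtxtInternal */`, or derive it from the same base rather than hard-coding it. This note covers all four hunks of the patch; each enclosing function starts and ends outside its hunk.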
From: David Kilzer Date: Fri, 13 May 2016 15:13:17 +0800 Subject: Fix some format string warnings with possible format string vulnerability For https://bugzilla.gnome.org/show_bug.cgi?id=761029 Decorate every method in libxml2 with the appropriate LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups following the reports. --- HTMLparser.c | 4 +-- SAX2.c | 12 ++++---- catalog.c | 2 +- configure.ac | 4 +-- debugXML.c | 4 +-- encoding.c | 2 +- entities.c | 2 +- error.c | 2 +- include/libxml/parserInternals.h | 2 +- include/libxml/xmlerror.h | 2 +- include/libxml/xmlstring.h | 8 ++--- libxml.h | 2 +- parser.c | 37 +++++++++++----------- parserInternals.c | 4 +-- relaxng.c | 4 +-- schematron.c | 2 +- testModule.c | 2 +- valid.c | 8 ++--- xinclude.c | 4 +-- xmlIO.c | 14 ++++----- xmllint.c | 20 ++++++------ xmlreader.c | 16 +++++++--- xmlschemas.c | 66 ++++++++++++++++++++-------------------- xmlstring.c | 4 +-- xmlwriter.c | 4 +-- xpath.c | 2 +- xpointer.c | 2 +- 27 files changed, 121 insertions(+), 114 deletions(-) Index: libxml2-2.9.1+dfsg1/HTMLparser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/HTMLparser.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/HTMLparser.c 2017-03-15 07:51:31.193944133 -0400 @@ -105,7 +105,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { 
@@ -132,7 +132,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, int val) { Index: libxml2-2.9.1+dfsg1/SAX2.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/SAX2.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/SAX2.c 2017-03-15 07:51:31.193944133 -0400 @@ -55,7 +55,7 @@ * @ctxt: an XML validation parser context * @msg: a string to accompany the error message */ -static void +static void LIBXML_ATTR_FORMAT(2,0) xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) { xmlStructuredErrorFunc schannel = NULL; const char *str1 = "out of memory\n"; @@ -93,7 +93,7 @@ * * Handle a validation error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const char *str1, const char *str2) { @@ -133,7 +133,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { @@ -164,7 +164,7 @@ * * Handle a parser warning */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1) { @@ -189,7 +189,7 @@ * * Handle a namespace error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { 
@@ -213,7 +213,7 @@ * * Handle a namespace warning */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlNsWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { Index: libxml2-2.9.1+dfsg1/catalog.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/catalog.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/catalog.c 2017-03-15 07:51:31.193944133 -0400 @@ -238,7 +238,7 @@ * * Handle a catalog error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error, const char *msg, const xmlChar *str1, const xmlChar *str2, const xmlChar *str3) Index: libxml2-2.9.1+dfsg1/debugXML.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/debugXML.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/debugXML.c 2017-03-15 07:51:31.197944177 -0400 @@ -164,7 +164,7 @@ NULL, NULL, NULL, 0, 0, "%s", msg); } -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra) { ctxt->errors++; @@ -174,7 +174,7 @@ NULL, NULL, NULL, 0, 0, msg, extra); } -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlDebugErr3(xmlDebugCtxtPtr ctxt, int error, const char *msg, const char *extra) { ctxt->errors++; Index: libxml2-2.9.1+dfsg1/encoding.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/encoding.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/encoding.c 2017-03-15 07:51:31.197944177 -0400 
@@ -93,7 +93,7 @@ * * n encoding error */ -static void +static void LIBXML_ATTR_FORMAT(2,0) xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val) { __xmlRaiseError(NULL, NULL, NULL, NULL, NULL, Index: libxml2-2.9.1+dfsg1/entities.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/entities.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/entities.c 2017-03-15 07:51:31.197944177 -0400 @@ -83,7 +83,7 @@ * * Handle an out of memory condition */ -static void +static void LIBXML_ATTR_FORMAT(2,0) xmlEntitiesErr(xmlParserErrors code, const char *msg) { __xmlSimpleError(XML_FROM_TREE, code, NULL, msg, NULL); Index: libxml2-2.9.1+dfsg1/error.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/error.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/error.c 2017-03-15 07:51:31.197944177 -0400 @@ -18,7 +18,7 @@ void XMLCDECL xmlGenericErrorDefaultFunc (void *ctx ATTRIBUTE_UNUSED, const char *msg, - ...); + ...) LIBXML_ATTR_FORMAT(2,3); #define XML_GET_VAR_STR(msg, str) { \ int size, prev_size = -1; \ Index: libxml2-2.9.1+dfsg1/include/libxml/parserInternals.h =================================================================== --- libxml2-2.9.1+dfsg1.orig/include/libxml/parserInternals.h 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/include/libxml/parserInternals.h 2017-03-15 07:51:31.197944177 -0400 @@ -351,7 +351,7 @@ xmlParserErrors xmlerr, const char *msg, const xmlChar * str1, - const xmlChar * str2); + const xmlChar * str2) LIBXML_ATTR_FORMAT(3,0); #endif /** Index: libxml2-2.9.1+dfsg1/include/libxml/xmlerror.h =================================================================== --- libxml2-2.9.1+dfsg1.orig/include/libxml/xmlerror.h 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/include/libxml/xmlerror.h 2017-03-15 07:51:31.197944177 -0400 
@@ -937,7 +937,7 @@ int code, xmlNodePtr node, const char *msg, - const char *extra); + const char *extra) LIBXML_ATTR_FORMAT(4,0); #endif #ifdef __cplusplus } Index: libxml2-2.9.1+dfsg1/include/libxml/xmlstring.h =================================================================== --- libxml2-2.9.1+dfsg1.orig/include/libxml/xmlstring.h 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/include/libxml/xmlstring.h 2017-03-15 07:51:31.197944177 -0400 @@ -97,13 +97,13 @@ XMLPUBFUN int XMLCALL xmlStrPrintf (xmlChar *buf, int len, - const xmlChar *msg, - ...); + const char *msg, + ...) LIBXML_ATTR_FORMAT(3,4); XMLPUBFUN int XMLCALL xmlStrVPrintf (xmlChar *buf, int len, - const xmlChar *msg, - va_list ap); + const char *msg, + va_list ap) LIBXML_ATTR_FORMAT(3,0); XMLPUBFUN int XMLCALL xmlGetUTF8Char (const unsigned char *utf, Index: libxml2-2.9.1+dfsg1/libxml.h =================================================================== --- libxml2-2.9.1+dfsg1.orig/libxml.h 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/libxml.h 2017-03-15 07:51:31.197944177 -0400 @@ -68,7 +68,7 @@ * internal error reporting routines, shared but not partof the API. */ void __xmlIOErr(int domain, int code, const char *extra); -void __xmlLoaderErr(void *ctx, const char *msg, const char *filename); +void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0); #ifdef LIBXML_HTML_ENABLED /* * internal function of HTML parser needed for xmlParseInNodeContext Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2017-03-15 07:51:31.197944177 -0400 @@ -350,7 +350,6 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) { const char *errmsg; - char errstr[129] = ""; if ((ctxt != NULL) && (ctxt->disableSAX != 0) && (ctxt->instate == XML_PARSER_EOF)) 
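Review bot: The xmlstring.h hunk changes the `msg` parameter of the public `xmlStrPrintf()` and `xmlStrVPrintf()` from `const xmlChar *` to `const char *`; that is ABI-neutral but a source-level API change in a stable-release backport, so external callers that pass `(const xmlChar *)` format strings (as testModule.c and xmlIO.c did before this patch) will start getting pointer-sign warnings. That is presumably unavoidable because the format attribute needs a `char *` format, but it belongs in the changelog or a header comment, e.g. `/* msg is const char * so that LIBXML_ATTR_FORMAT applies; xmlChar callers must cast */`. The remaining hunks on this line are attribute-only additions.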
@@ -537,15 +536,17 @@ default: errmsg = "Unregistered error message"; } - if (info == NULL) - snprintf(errstr, 128, "%s\n", errmsg); - else - snprintf(errstr, 128, "%s: %%s\n", errmsg); if (ctxt != NULL) ctxt->errNo = error; - __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, - XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, &errstr[0], - info); + if (info == NULL) { + __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, + XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s\n", + errmsg); + } else { + __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, + XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s: %s\n", + errmsg, info); + } if (ctxt != NULL) { ctxt->wellFormed = 0; if (ctxt->recovery == 0) @@ -561,7 +562,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg) { @@ -589,7 +590,7 @@ * * Handle a warning. */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { @@ -627,7 +628,7 @@ * * Handle a validity error. */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, const xmlChar *str2) { @@ -667,7 +668,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, int val) { @@ -697,7 +698,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar *str1, int val, const xmlChar *str2) 
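Review bot: The `if (info == NULL)`/`else` pair duplicates a `__xmlRaiseError()` call with fifteen fixed arguments that differs only in the format and its trailing arguments, which invites the two copies to drift; a single call produces identical text: `__xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s%s%s\n", errmsg, info ? ": " : "", info ? info : "");`. Dropping the intermediate `errstr` buffer (with the `@@ -350` hunk) is what removes the non-literal format, so a comment such as `/* pass errmsg and info straight to the formatter: never build a format string from data */` would record why the snprintf step went away. xmlFatalErr's body starts outside the hunk.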
@@ -727,7 +728,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * val) { @@ -756,7 +757,7 @@ * * Handle a non fatal parser error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * val) { @@ -781,7 +782,7 @@ * * Handle a fatal parser error, i.e. violating Well-Formedness constraints */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * info1, const xmlChar * info2, @@ -810,7 +811,7 @@ * * Handle a namespace warning error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, const xmlChar * info1, const xmlChar * info2, @@ -5508,7 +5509,7 @@ skipped = SKIP_BLANKS; if (skipped == 0) { xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, - "Space required after '%'\n"); + "Space required after '%%'\n"); } isParameter = 1; } Index: libxml2-2.9.1+dfsg1/parserInternals.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/parserInternals.c 2017-03-15 07:51:31.201944221 -0400 @@ -169,7 +169,7 @@ * * Handle an internal error */ -static void +static void LIBXML_ATTR_FORMAT(2,0) xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str) { if ((ctxt != NULL) && (ctxt->disableSAX != 0) && 
@@ -197,7 +197,7 @@ * * n encoding error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlErrEncodingInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *msg, int val) { Index: libxml2-2.9.1+dfsg1/relaxng.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/relaxng.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/relaxng.c 2017-03-15 07:51:31.201944221 -0400 @@ -507,7 +507,7 @@ * * Handle a Relax NG Parsing error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error, const char *msg, const xmlChar * str1, const xmlChar * str2) { @@ -541,7 +541,7 @@ * * Handle a Relax NG Validation error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlRngVErr(xmlRelaxNGValidCtxtPtr ctxt, xmlNodePtr node, int error, const char *msg, const xmlChar * str1, const xmlChar * str2) { Index: libxml2-2.9.1+dfsg1/schematron.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/schematron.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/schematron.c 2017-03-15 07:51:31.201944221 -0400 @@ -243,7 +243,7 @@ * * Handle a parser error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchematronPErr(xmlSchematronParserCtxtPtr ctxt, xmlNodePtr node, int error, const char *msg, const xmlChar * str1, const xmlChar * str2) { Index: libxml2-2.9.1+dfsg1/testModule.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/testModule.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/testModule.c 2017-03-15 07:51:31.201944221 -0400 
@@ -47,7 +47,7 @@ /* build the module filename, and confirm the module exists */ xmlStrPrintf(filename, sizeof(filename), - (const xmlChar*) "%s/testdso%s", + "%s/testdso%s", (const xmlChar*)MODULE_PATH, (const xmlChar*)LIBXML_MODULE_EXTENSION); Index: libxml2-2.9.1+dfsg1/valid.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/valid.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/valid.c 2017-03-15 07:51:31.201944221 -0400 @@ -93,7 +93,7 @@ * * Handle a validation error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error, const char *msg, const char *extra) { @@ -137,7 +137,7 @@ * * Handle a validation error, provide contextual informations */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlErrValidNode(xmlValidCtxtPtr ctxt, xmlNodePtr node, xmlParserErrors error, const char *msg, const xmlChar * str1, @@ -180,7 +180,7 @@ * * Handle a validation error, provide contextual informations */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlErrValidNodeNr(xmlValidCtxtPtr ctxt, xmlNodePtr node, xmlParserErrors error, const char *msg, const xmlChar * str1, @@ -221,7 +221,7 @@ * * Handle a validation error, provide contextual information */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlErrValidWarning(xmlValidCtxtPtr ctxt, xmlNodePtr node, xmlParserErrors error, const char *msg, const xmlChar * str1, Index: libxml2-2.9.1+dfsg1/xinclude.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xinclude.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xinclude.c 2017-03-15 07:51:31.201944221 -0400 @@ -124,7 +124,7 @@ * * Handle an XInclude error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, const char *msg, const xmlChar *extra) { 
@@ -146,7 +146,7 @@ * * Emit an XInclude warning. */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlXIncludeWarn(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, const char *msg, const xmlChar *extra) { Index: libxml2-2.9.1+dfsg1/xmlIO.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlIO.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xmlIO.c 2017-03-15 07:51:31.205944265 -0400 @@ -1590,7 +1590,7 @@ xmlFreeZMemBuff( buff ); buff = NULL; xmlStrPrintf(msg, 500, - (const xmlChar *) "xmlCreateZMemBuff: %s %d\n", + "xmlCreateZMemBuff: %s %d\n", "Error initializing compression context. ZLIB error:", z_err ); xmlIOErr(XML_IO_WRITE, (const char *) msg); @@ -1658,7 +1658,7 @@ else { xmlChar msg[500]; xmlStrPrintf(msg, 500, - (const xmlChar *) "xmlZMemBuffExtend: %s %lu bytes.\n", + "xmlZMemBuffExtend: %s %lu bytes.\n", "Allocation failure extending output buffer to", new_size ); xmlIOErr(XML_IO_WRITE, (const char *) msg); @@ -1704,7 +1704,7 @@ if ( z_err != Z_OK ) { xmlChar msg[500]; xmlStrPrintf(msg, 500, - (const xmlChar *) "xmlZMemBuffAppend: %s %d %s - %d", + "xmlZMemBuffAppend: %s %d %s - %d", "Compression error while appending", len, "bytes to buffer. ZLIB error", z_err ); xmlIOErr(XML_IO_WRITE, (const char *) msg); @@ -1777,7 +1777,7 @@ else { xmlChar msg[500]; xmlStrPrintf(msg, 500, - (const xmlChar *) "xmlZMemBuffGetContent: %s - %d\n", + "xmlZMemBuffGetContent: %s - %d\n", "Error flushing zlib buffers. Error code", z_err ); xmlIOErr(XML_IO_WRITE, (const char *) msg); } @@ -1982,7 +1982,7 @@ if ( len < 0 ) { xmlChar msg[500]; xmlStrPrintf(msg, 500, - (const xmlChar *) "xmlIOHTTPWrite: %s\n%s '%s'.\n", + "xmlIOHTTPWrite: %s\n%s '%s'.\n", "Error appending to internal buffer.", "Error sending document to URI", ctxt->uri ); 
@@ -2054,7 +2054,7 @@ if ( http_content == NULL ) { xmlChar msg[500]; xmlStrPrintf(msg, 500, - (const xmlChar *) "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", + "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", "Error retrieving content.\nUnable to", http_mthd, "data to URI", ctxt->uri ); xmlIOErr(XML_IO_WRITE, (const char *) msg); @@ -2126,7 +2126,7 @@ else { xmlChar msg[500]; xmlStrPrintf(msg, 500, - (const xmlChar *) "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", + "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", http_mthd, content_lgth, "bytes to URI", ctxt->uri, "failed. HTTP return code:", http_rtn ); Index: libxml2-2.9.1+dfsg1/xmllint.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmllint.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xmllint.c 2017-03-15 07:51:31.205944265 -0400 @@ -449,7 +449,7 @@ * message about the timing performed; format is a printf * type argument */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) endTimer(const char *fmt, ...) { long msec; @@ -485,7 +485,7 @@ { begin = clock(); } -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) endTimer(const char *fmt, ...) { long msec; @@ -514,7 +514,7 @@ * Do nothing */ } -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) endTimer(char *format, ...) { /* @@ -634,7 +634,7 @@ * Display and format an error messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLError(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; @@ -671,7 +671,7 @@ * Display and format a warning messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLWarning(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; 
@@ -709,7 +709,7 @@ * Display and format an validity error messages, gives file, * line, position and extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLValidityError(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; @@ -746,7 +746,7 @@ * Display and format a validity warning messages, gives file, line, * position and extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlHTMLValidityWarning(void *ctx, const char *msg, ...) { xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; @@ -1410,7 +1410,7 @@ * Display and format a warning messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) { va_list args; @@ -1433,7 +1433,7 @@ * Display and format a error messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) { va_list args; @@ -1456,7 +1456,7 @@ * Display and format a fatalError messages, gives file, line, position and * extra parameters. */ -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) { va_list args; Index: libxml2-2.9.1+dfsg1/xmlreader.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlreader.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xmlreader.c 2017-03-15 07:51:31.205944265 -0400 
@@ -4036,13 +4036,19 @@ } #ifdef LIBXML_SCHEMAS_ENABLED -static char *xmlTextReaderBuildMessage(const char *msg, va_list ap); +static char *xmlTextReaderBuildMessage(const char *msg, va_list ap) LIBXML_ATTR_FORMAT(1,0); static void XMLCDECL -xmlTextReaderValidityError(void *ctxt, const char *msg, ...); +xmlTextReaderValidityError(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); static void XMLCDECL -xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...); +xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + +static void XMLCDECL +xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + +static void XMLCDECL +xmlTextReaderValidityWarningRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); static void XMLCDECL xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) @@ -4836,7 +4842,7 @@ } } -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlTextReaderError(void *ctxt, const char *msg, ...) { va_list ap; @@ -4849,7 +4855,7 @@ } -static void XMLCDECL +static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) xmlTextReaderWarning(void *ctxt, const char *msg, ...) { va_list ap; Index: libxml2-2.9.1+dfsg1/xmlschemas.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlschemas.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xmlschemas.c 2017-03-15 07:51:31.209944309 -0400 @@ -1085,7 +1085,7 @@ static void xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, const char *funcName, - const char *message); + const char *message) LIBXML_ATTR_FORMAT(3,0); static int xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt, xmlSchemaTypePtr type, @@ -1889,7 +1889,7 @@ * * Handle a parser error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, const char *msg, const xmlChar * str1, const xmlChar * str2) { 
@@ -1922,7 +1922,7 @@ * * Handle a parser error */ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, xmlNodePtr child, int error, const char *msg, const xmlChar * str1, const xmlChar * str2) @@ -1951,7 +1951,7 @@ * * Handle a parser error */ -static void +static void LIBXML_ATTR_FORMAT(7,0) xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, const xmlChar * strData1, const xmlChar * strData2, const xmlChar * strData3, const char *msg, const xmlChar * str1, @@ -2002,7 +2002,7 @@ extra); } -static void +static void LIBXML_ATTR_FORMAT(2,0) xmlSchemaPSimpleInternalErr(xmlNodePtr node, const char *msg, const xmlChar *str) { @@ -2013,18 +2013,21 @@ #define WXS_ERROR_TYPE_ERROR 1 #define WXS_ERROR_TYPE_WARNING 2 /** - * xmlSchemaErr3: + * xmlSchemaErr4Line: * @ctxt: the validation context - * @node: the context node + * @errorLevel: the error level * @error: the error code + * @node: the context node + * @line: the line number * @msg: the error message * @str1: extra data * @str2: extra data * @str3: extra data + * @str4: extra data * * Handle a validation error */ -static void +static void LIBXML_ATTR_FORMAT(6,0) xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt, xmlErrorLevel errorLevel, int error, xmlNodePtr node, int line, const char *msg, @@ -2137,7 +2140,7 @@ * * Handle a validation error */ -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt, int error, xmlNodePtr node, const char *msg, const xmlChar *str1, const xmlChar *str2, const xmlChar *str3) @@ -2146,7 +2149,7 @@ msg, str1, str2, str3, NULL); } -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt, int error, xmlNodePtr node, const char *msg, const xmlChar *str1, const xmlChar *str2, 
@@ -2156,7 +2159,7 @@ msg, str1, str2, str3, str4); } -static void +static void LIBXML_ATTR_FORMAT(4,0) xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt, int error, xmlNodePtr node, const char *msg, const xmlChar *str1, const xmlChar *str2) @@ -2179,7 +2182,7 @@ /* * Don't try to format other nodes than element and * attribute nodes. - * Play save and return an empty string. + * Play safe and return an empty string. */ *msg = xmlStrdup(BAD_CAST ""); return(*msg); @@ -2260,7 +2263,7 @@ return (*msg); } -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, const char *funcName, const char *message, @@ -2271,24 +2274,21 @@ if (actxt == NULL) return; - msg = xmlStrdup(BAD_CAST "Internal error: "); - msg = xmlStrcat(msg, BAD_CAST funcName); - msg = xmlStrcat(msg, BAD_CAST ", "); + msg = xmlStrdup(BAD_CAST "Internal error: %s, "); msg = xmlStrcat(msg, BAD_CAST message); msg = xmlStrcat(msg, BAD_CAST ".\n"); if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR) - xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL, - (const char *) msg, str1, str2); - + xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL, + (const char *) msg, (const xmlChar *) funcName, str1, str2); else if (actxt->type == XML_SCHEMA_CTXT_PARSER) - xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL, - (const char *) msg, str1, str2); + xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL, + (const char *) msg, (const xmlChar *) funcName, str1, str2); FREE_AND_NULL(msg) } -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, const char *funcName, const char *message) @@ -2297,7 +2297,7 @@ } #if 0 -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, const char *funcName, const char *message, @@ -2309,7 +2309,7 @@ } #endif -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, 
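Review bot: In the @2271 hunk xmlSchemaInternalErr2 now depends on the `%s` in `xmlStrdup(BAD_CAST "Internal error: %s, ")` to consume `funcName` as the first argument of the xmlSchemaErr3 call, but if that xmlStrdup fails, xmlStrcat on a NULL first argument just duplicates the caller's `message`: the `%s` is gone while funcName is still passed, so the caller's conversions are filled with funcName and str1 instead of str1 and str2. An early `if (msg == NULL) return;` right after the xmlStrdup keeps the format and the argument list aligned on that path. Taking funcName out of the format string is otherwise the right direction, since a `%` inside a function name can no longer be read as a conversion. The LIBXML_ATTR_FORMAT(3,0) on the definition documents that `message` is itself a format, which is why it must remain concatenated rather than passed as data.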
@@ -2334,7 +2334,7 @@ FREE_AND_NULL(msg) } -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2349,7 +2349,7 @@ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2374,7 +2374,7 @@ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt, xmlParserErrors error, xmlSchemaPSVIIDCNodePtr idcNode, @@ -2523,7 +2523,7 @@ FREE_AND_NULL(msg) } -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2623,7 +2623,7 @@ xmlFree(msg); } -static void +static void LIBXML_ATTR_FORMAT(8,0) xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt, xmlParserErrors error, xmlNodePtr node, @@ -2914,7 +2914,7 @@ * * Reports an error during parsing. */ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlSchemaBasicItemPtr item, @@ -2950,7 +2950,7 @@ * * Reports an error during parsing. */ -static void +static void LIBXML_ATTR_FORMAT(5,0) xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlSchemaBasicItemPtr item, @@ -2975,7 +2975,7 @@ * * Reports an attribute use error during parsing. */ -static void +static void LIBXML_ATTR_FORMAT(6,0) xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlNodePtr node, 
@@ -3097,7 +3097,7 @@ * Reports a simple type validation error. * TODO: Should this report the value of an element as well? */ -static void +static void LIBXML_ATTR_FORMAT(8,0) xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, xmlParserErrors error, xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED, Index: libxml2-2.9.1+dfsg1/xmlstring.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlstring.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xmlstring.c 2017-03-15 07:51:31.209944309 -0400 @@ -545,7 +545,7 @@ * Returns the number of characters written to @buf or -1 if an error occurs. */ int XMLCDECL -xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { +xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) { va_list args; int ret; @@ -573,7 +573,7 @@ * Returns the number of characters written to @buf or -1 if an error occurs. */ int -xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) { +xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) { int ret; if((buf == NULL) || (msg == NULL)) { Index: libxml2-2.9.1+dfsg1/xmlwriter.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xmlwriter.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xmlwriter.c 2017-03-15 07:51:31.209944309 -0400 @@ -109,7 +109,7 @@ const xmlChar * str, int len); static int xmlTextWriterCloseDocCallback(void *context); -static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr); +static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr) LIBXML_ATTR_FORMAT(1,0); static int xmlOutputBufferWriteBase64(xmlOutputBufferPtr out, int len, const unsigned char *data); static void xmlTextWriterStartDocumentCallback(void *ctx); 
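Review bot: The @545 and @573 hunks make a source-level API change to two exported functions with no note for downstream users: the xmlStrPrintf/xmlStrVPrintf format parameter moves from `const xmlChar *` to `const char *`, which is ABI-neutral but means external callers still passing `BAD_CAST "..."` will now see pointer-sign warnings. The public header's prototypes are not in this chunk; they must change the same way, and that declaration is presumably where the format attribute for these two functions lives, since the definitions here carry none. A sentence in each doc comment saying that `msg` is now a plain C format string would make the change discoverable.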
@@ -149,7 +149,7 @@ * * Handle a writer error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlWriterErrMsgInt(xmlTextWriterPtr ctxt, xmlParserErrors error, const char *msg, int val) { Index: libxml2-2.9.1+dfsg1/xpath.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xpath.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xpath.c 2017-03-15 07:51:31.213944352 -0400 @@ -348,7 +348,7 @@ xmlChar buf[200]; xmlStrPrintf(buf, 200, - BAD_CAST "Memory allocation failed : %s\n", + "Memory allocation failed : %s\n", extra); ctxt->lastError.message = (char *) xmlStrdup(buf); } else { Index: libxml2-2.9.1+dfsg1/xpointer.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xpointer.c 2017-03-15 07:51:31.217944396 -0400 +++ libxml2-2.9.1+dfsg1/xpointer.c 2017-03-15 07:51:31.213944352 -0400 @@ -85,7 +85,7 @@ * * Handle a redefinition of attribute error */ -static void +static void LIBXML_ATTR_FORMAT(3,0) xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error, const char * msg, const xmlChar *extra) { Index: libxml2-2.9.1+dfsg1/configure.in =================================================================== --- libxml2-2.9.1+dfsg1.orig/configure.in 2017-03-15 07:51:09.000000000 -0400 +++ libxml2-2.9.1+dfsg1/configure.in 2017-03-15 07:52:19.030466989 -0400 
@@ -705,7 +705,7 @@ fi # warnings we'd like to see - CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" + CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" # warnings we'd like to supress CFLAGS="${CFLAGS} -Wno-long-long" case "${host}" in @@ -920,7 +920,7 @@ fi fi if test "${GCC}" = "yes" ; then - CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" + CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" fi STATIC_BINARIES="-static" dnl -Wcast-qual -ansi debian/patches/CVE-2015-7499-4.patch0000664000000000000000000000150412645762454013434 0ustar From ce0b0d0d81fdbb5f722a890432b52d363e4de57b Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Fri, 20 Nov 2015 15:01:22 +0800 Subject: Do not print error context when there is none Which now happens more frequently du to xmlHaltParser use --- error.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
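Review bot: The `-Wno-format-extra-args` added in the @705 and @920 hunks silences the "too many arguments for format" diagnostic for the whole tree, not only for the fixed-arity error helpers (xmlSchemaErr3/xmlSchemaErr4 and friends) that pass unused str slots and are the reason it is needed. That is the less dangerous direction of the format check and the series keeps the important one, but a genuine mismatch elsewhere now goes unreported, so a comment on the line such as `# -Wno-format-extra-args: the xmlSchemaErr* helpers pass fixed str1..str4 slots` records why it is there. Dropping the duplicated `-Wformat` is fine.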
diff --git a/error.c b/error.c index cbcf5c9..9c45040 100644 --- a/error.c +++ b/error.c @@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , xmlChar content[81]; /* space for 80 chars + line terminator */ xmlChar *ctnt; - if (input == NULL) return; + if ((input == NULL) || (input->cur == NULL) || + (*input->cur == 0)) return; + cur = input->cur; base = input->base; /* skip backwards over any end-of-lines */ -- cgit v0.11.2 debian/patches/CVE-2016-1837.patch0000664000000000000000000000755712724277351013273 0ustar From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001 From: Pranjal Jumde Date: Wed, 2 Mar 2016 15:52:24 -0800 Subject: Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral For https://bugzilla.gnome.org/show_bug.cgi?id=760263 * HTMLparser.c: Add BASE_PTR convenience macro. (htmlParseSystemLiteral): Store length and start position instead of a pointer while iterating through the public identifier since the underlying buffer may change, resulting in a stale pointer being used. (htmlParsePubidLiteral): Ditto. --- HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 43 insertions(+), 15 deletions(-) Index: libxml2-2.9.3+dfsg1/HTMLparser.c =================================================================== --- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:33.892487010 -0400 +++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:33.888486962 -0400 @@ -303,6 +303,7 @@ #define UPP(val) (toupper(ctxt->input->cur[(val)])) #define CUR_PTR ctxt->input->cur +#define BASE_PTR ctxt->input->base #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \ (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \ 
@@ -2765,31 +2766,43 @@ static xmlChar * htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) { - const xmlChar *q; + size_t len = 0, startPosition = 0; xmlChar *ret = NULL; if (CUR == '"') { NEXT; - q = CUR_PTR; - while ((IS_CHAR_CH(CUR)) && (CUR != '"')) + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while ((IS_CHAR_CH(CUR)) && (CUR != '"')) { NEXT; + len++; + } if (!IS_CHAR_CH(CUR)) { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished SystemLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR+startPosition), len); NEXT; } } else if (CUR == '\'') { NEXT; - q = CUR_PTR; - while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) { NEXT; + len++; + } if (!IS_CHAR_CH(CUR)) { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished SystemLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR+startPosition), len); NEXT; } } else { 
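Review bot: In the @2765 hunk (and the @2813 hunk of htmlParsePubidLiteral on the next line) `len` is a `size_t` that is handed to xmlStrndup, whose length parameter is an int, so the count is narrowed silently; an explicit guard such as `if (len > INT_MAX) return(NULL);` before the copy (INT_MAX from <limits.h>), or at least a visible `(int) len` cast, makes the truncation a deliberate decision. Re-deriving the pointer as `BASE_PTR + startPosition` only after the loop is the right fix because, as the commit message says, the underlying buffer may change while NEXT advances; a one-line comment at the first `startPosition = CUR_PTR - BASE_PTR`, `/* keep an offset, not a pointer: NEXT may reallocate the input buffer */`, stops the next reader from "optimising" it back to a saved pointer. The two functions also bump `len` on opposite sides of NEXT (after it in SystemLiteral, before it in PubidLiteral); the result is the same, but one order would read cleaner.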
@@ -2813,32 +2826,47 @@ static xmlChar * htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) { - const xmlChar *q; + size_t len = 0, startPosition = 0; xmlChar *ret = NULL; /* * Name ::= (Letter | '_') (NameChar)* */ if (CUR == '"') { NEXT; - q = CUR_PTR; - while (IS_PUBIDCHAR_CH(CUR)) NEXT; + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while (IS_PUBIDCHAR_CH(CUR)) { + len++; + NEXT; + } + if (CUR != '"') { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished PubidLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR + startPosition), len); NEXT; } } else if (CUR == '\'') { NEXT; - q = CUR_PTR; - while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')) - NEXT; + + if (CUR_PTR < BASE_PTR) + return(ret); + startPosition = CUR_PTR - BASE_PTR; + + while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){ + len++; + NEXT; + } + if (CUR != '\'') { htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, "Unfinished PubidLiteral\n", NULL, NULL); } else { - ret = xmlStrndup(q, CUR_PTR - q); + ret = xmlStrndup((BASE_PTR + startPosition), len); NEXT; } } else { debian/patches/xmllint_pretty.patch0000664000000000000000000000101412205472617014740 0ustar --- a/xmllint.c +++ b/xmllint.c @@ -3375,11 +3375,13 @@ (!strcmp(argv[i], "--pretty"))) { i++; #ifdef LIBXML_OUTPUT_ENABLED - format = atoi(argv[i]); - if (format == 1) { - noblanks++; - xmlKeepBlanksDefault(0); - } + if (argv[i] != NULL) { + format = atoi(argv[i]); + if (format == 1) { + noblanks++; + xmlKeepBlanksDefault(0); + } + } #endif /* LIBXML_OUTPUT_ENABLED */ } #ifdef LIBXML_READER_ENABLED debian/patches/CVE-2014-3660.patch0000664000000000000000000001007712420016343013235 0ustar From be2a7edaf289c5da74a4f9ed3a0b6c733e775230 Mon Sep 17 00:00:00 2001 
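Review bot: The @3375 hunk of xmllint_pretty.patch guards the missing-argument case with `argv[i] != NULL`, which is correct because C guarantees argv[argc] is a null pointer, but `atoi(argv[i])` still maps any non-numeric or out-of-range value to 0 without an error. A `strtol` call with an end-pointer check would let xmllint reject `--pretty foo` instead of silently treating it as 0; the other option handlers in this file are outside the hunk, so I cannot say which convention they follow. The enclosing argument loop starts and ends outside the hunk.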
From: Daniel Veillard Date: Thu, 16 Oct 2014 13:59:47 +0800 Subject: Fix for CVE-2014-3660 Issues related to the billion laugh entity expansion which happened to escape the initial set of fixes Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2014-10-16 15:30:40.885274343 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2014-10-16 15:30:40.881274311 -0400 @@ -130,6 +130,29 @@ return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); + + /* + * This may look absurd but is needed to detect + * entities problems + */ + if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && + (ent->content != NULL) && (ent->checked == 0)) { + unsigned long oldnbent = ctxt->nbentities; + xmlChar *rep; + + ent->checked = 1; + + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { + if (xmlStrchr(rep, '<')) + ent->checked |= 1; + xmlFree(rep); + rep = NULL; + } + } if (replacement != 0) { if (replacement < XML_MAX_TEXT_LENGTH) return(0); @@ -189,9 +212,12 @@ return (0); } else { /* - * strange we got no data for checking just return + * strange we got no data for checking */ - return (0); + if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && + (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || + (ctxt->nbentities <= 10000)) + return (0); } xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return (1); @@ -2584,6 +2610,7 @@ name, NULL); ctxt->valid = 0; } + xmlParserEntityCheck(ctxt, 0, NULL, 0); } else if (ctxt->input->free != deallocblankswrapper) { input = xmlNewBlanksWrapperInputStream(ctxt, entity); if (xmlPushInput(ctxt, input) < 0) 
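Review bot: The @189 hunk introduces the bare threshold `ctxt->nbentities <= 10000` with no explanation of how the number was chosen; a named constant with a one-line rationale such as `/* ceiling on expansions tolerated alongside an undeclared-entity error before treating the input as an amplification loop */` would make the intent reviewable. In the @130 hunk the nested xmlStringDecodeEntities call runs without adjusting `ctxt->depth`; the later CVE-2016-3705 patch in this series adds the `++ctxt->depth`/`--ctxt->depth` bracketing, so for this backport it matters that both patches are applied together. xmlParserEntityCheck's signature and the rest of its body are outside the hunk.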
@@ -2754,6 +2781,7 @@ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) goto int_error; + xmlParserEntityCheck(ctxt, 0, ent, 0); if (ent != NULL) ctxt->nbentities += ent->checked / 2; if ((ent != NULL) && @@ -2805,6 +2833,7 @@ ent = xmlParseStringPEReference(ctxt, &str); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) goto int_error; + xmlParserEntityCheck(ctxt, 0, ent, 0); if (ent != NULL) ctxt->nbentities += ent->checked / 2; if (ent != NULL) { @@ -7307,6 +7336,7 @@ (ret != XML_WAR_UNDECLARED_ENTITY)) { xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, "Entity '%s' failed to parse\n", ent->name); + xmlParserEntityCheck(ctxt, 0, ent, 0); } else if (list != NULL) { xmlFreeNodeList(list); list = NULL; @@ -7413,7 +7443,7 @@ /* * We are copying here, make sure there is no abuse */ - ctxt->sizeentcopy += ent->length; + ctxt->sizeentcopy += ent->length + 5; if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) return; @@ -7461,7 +7491,7 @@ /* * We are copying here, make sure there is no abuse */ - ctxt->sizeentcopy += ent->length; + ctxt->sizeentcopy += ent->length + 5; if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) return; @@ -7647,6 +7677,7 @@ ctxt->sax->reference(ctxt->userData, name); } } + xmlParserEntityCheck(ctxt, 0, ent, 0); ctxt->valid = 0; } @@ -7840,6 +7871,7 @@ "Entity '%s' not defined\n", name); } + xmlParserEntityCheck(ctxt, 0, ent, 0); /* TODO ? check regressions ctxt->valid = 0; */ } @@ -7999,6 +8031,7 @@ name, NULL); ctxt->valid = 0; } + xmlParserEntityCheck(ctxt, 0, NULL, 0); } else { /* * Internal checking in case the entity quest barfed 
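Review bot: The @7413 and @7461 hunks change the copy accounting to `ctxt->sizeentcopy += ent->length + 5;` but the existing comment above them ("We are copying here, make sure there is no abuse") says nothing about the constant. A comment such as `/* +5: charge the reference itself, so chains of near-empty entities still count toward the limit */` records the why; I am inferring that rationale from the entity-expansion context in the commit message, so please confirm the wording before adopting it. Both enclosing functions continue outside the hunks.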
@@ -8238,6 +8271,7 @@ name, NULL); ctxt->valid = 0; } + xmlParserEntityCheck(ctxt, 0, NULL, 0); } else { /* * Internal checking in case the entity quest barfed debian/patches/CVE-2015-7941.patch0000664000000000000000000000307512621366125013255 0ustar Description: fix denial of service via out-of-bounds read Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Origin: upstream, https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 Bug: https://bugzilla.gnome.org/show_bug.cgi?id=744980 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783010 Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-11-13 08:57:39.460444801 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-11-13 08:57:39.460444801 -0500 @@ -5653,6 +5653,7 @@ if (RAW != '>') { xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, "xmlParseEntityDecl: entity %s not terminated\n", name); + xmlStopParser(ctxt); } else { if (input != ctxt->input) { xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -6764,6 +6765,8 @@ SKIP_BLANKS; if (RAW != '[') { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); + xmlStopParser(ctxt); + return; } else { if (ctxt->input->id != id) { xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -6824,6 +6827,8 @@ SKIP_BLANKS; if (RAW != '[') { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); + xmlStopParser(ctxt); + return; } else { if (ctxt->input->id != id) { xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, @@ -6879,6 +6884,8 @@ } else { xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); + xmlStopParser(ctxt); + return; } if (RAW == 0) debian/patches/CVE-2015-8242.patch0000664000000000000000000000262312632057026013245 0ustar From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001 
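Review bot: The @6764, @6824 and @6879 hunks of the CVE-2015-7941 patch stop the parse with `xmlStopParser(ctxt)` followed by `return`, while the later CVE-2016-4447 patch on the same file uses `xmlHaltParser(ctxt)` for the equivalent situation, and the CVE-2015-7499-4 description refers to xmlHaltParser use; mixing the two in one backport series makes it harder to reason about the state the parser is left in. If xmlHaltParser is provided by another patch in the series, using it consistently is preferable; if it is not, the CVE-2016-4447 hunk would not compile, which is worth checking before the build. The @5653 hunk stops the parser but lets xmlParseEntityDecl run on to its tail, which is outside the hunk.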
From: Hugh Davenport Date: Fri, 20 Nov 2015 17:16:06 +0800 Subject: CVE-2015-8242 Buffer overead with HTML parser in push mode For https://bugzilla.gnome.org/show_bug.cgi?id=756372 Error in the code pointing to the codepoint in the stack for the current char value instead of the pointer in the input that the SAX callback expects Reported and fixed by Hugh Davenport --- HTMLparser.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) Index: libxml2-2.9.2+zdfsg1/HTMLparser.c =================================================================== --- libxml2-2.9.2+zdfsg1.orig/HTMLparser.c 2015-12-09 10:07:19.961212325 -0500 +++ libxml2-2.9.2+zdfsg1/HTMLparser.c 2015-12-09 10:07:19.961212325 -0500 @@ -5701,17 +5701,17 @@ if (ctxt->keepBlanks) { if (ctxt->sax->characters != NULL) ctxt->sax->characters( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } else { if (ctxt->sax->ignorableWhitespace != NULL) ctxt->sax->ignorableWhitespace( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } } else { htmlCheckParagraph(ctxt); if (ctxt->sax->characters != NULL) ctxt->sax->characters( - ctxt->userData, &cur, 1); + ctxt->userData, &in->cur[0], 1); } } ctxt->token = 0; debian/patches/CVE-2016-4447.patch0000664000000000000000000000463712724277462013272 0ustar From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001 
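Review bot: The @5701 hunk replaces `&cur` with `&in->cur[0]` in three SAX callback calls without a comment, so nothing stops a future cleanup from reinstating the local; a comment ahead of the first call, `/* pass a pointer into the input buffer, not the address of the local cur: the SAX callback expects input-buffer data (CVE-2015-8242) */`, pins the reason. The three calls differ only in the callback chosen, so a single local such as `const xmlChar *chars = &in->cur[0];` would turn any future adjustment into one edit. The enclosing push-parser function starts and ends outside the hunk.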
From: David Kilzer Date: Tue, 26 Jan 2016 16:57:03 -0800 Subject: Heap-based buffer-underreads due to xmlParseName For https://bugzilla.gnome.org/show_bug.cgi?id=759573 * parser.c: (xmlParseElementDecl): Return early on invalid input to fix non-minimized test case (759573-2.xml). Otherwise the parser gets into a bad state in SKIP(3) at the end of the function. (xmlParseConditionalSections): Halt parsing when hitting invalid input that would otherwise caused xmlParserHandlePEReference() to recurse unexpectedly. This fixes the minimized test case (759573.xml). * result/errors/759573-2.xml: Add. * result/errors/759573-2.xml.err: Add. * result/errors/759573-2.xml.str: Add. * result/errors/759573.xml: Add. * result/errors/759573.xml.err: Add. * result/errors/759573.xml.str: Add. * test/errors/759573-2.xml: Add. * test/errors/759573.xml: Add. --- parser.c | 2 ++ result/errors/759573-2.xml | 0 result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++ result/errors/759573-2.xml.str | 4 +++ result/errors/759573.xml | 0 result/errors/759573.xml.err | 31 ++++++++++++++++++++++ result/errors/759573.xml.str | 4 +++ test/errors/759573-2.xml | 9 +++++++ test/errors/759573.xml | 1 + 9 files changed, 109 insertions(+) create mode 100644 result/errors/759573-2.xml create mode 100644 result/errors/759573-2.xml.err create mode 100644 result/errors/759573-2.xml.str create mode 100644 result/errors/759573.xml create mode 100644 result/errors/759573.xml.err create mode 100644 result/errors/759573.xml.str create mode 100644 test/errors/759573-2.xml create mode 100644 test/errors/759573.xml Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:27.601359045 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:27.601359045 -0400 
@@ -6675,6 +6675,7 @@ if (!IS_BLANK_CH(CUR)) { xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Space required after 'ELEMENT'\n"); + return(-1); } SKIP_BLANKS; name = xmlParseName(ctxt); @@ -6826,6 +6827,7 @@ if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) { xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL); + xmlHaltParser(ctxt); break; } } debian/patches/CVE-2017-7376.patch0000664000000000000000000000146713157057745013276 0ustar From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Fri, 7 Apr 2017 17:13:28 +0200 Subject: [PATCH] Increase buffer space for port in HTTP redirect support For https://bugzilla.gnome.org/show_bug.cgi?id=780690 nanohttp.c: the code wrongly assumed a short int port value. CVE-2017-7376 --- nanohttp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nanohttp.c b/nanohttp.c index e109ad7..373425d 100644 --- a/nanohttp.c +++ b/nanohttp.c @@ -1423,9 +1423,9 @@ retry: if (ctxt->port != 80) { /* reserve space for ':xxxxx', incl. potential proxy */ if (proxy) - blen += 12; + blen += 17; else - blen += 6; + blen += 11; } bp = (char*)xmlMallocAtomic(blen); if ( bp == NULL ) { -- 2.7.4 debian/patches/CVE-2015-5312.patch0000664000000000000000000000212512632056641013237 0ustar From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001 
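Review bot: In the nanohttp.c @1423 hunk the reservation grows to 11 and 17 bytes but the comment above it still reads `reserve space for ':xxxxx'`, i.e. a five-digit port, which is exactly the assumption the fix corrects; update it to something like `/* reserve space for ':' plus up to 10 digits of an int port (more when a proxy is in use) */` (my reading of 11 = 1 + 10; confirm the proxy case). Summing hand-counted constants into `blen` remains fragile; measuring the actual request line with a length-only `snprintf`, or checking that the final write stayed within `blen`, would remove the class of bug rather than one instance. The `if (ctxt->port != 80)` condition and the later writes into `bp` are outside the hunk.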
From: David Drysdale Date: Fri, 20 Nov 2015 11:13:45 +0800 Subject: CVE-2015-5312 Another entity expansion issue For https://bugzilla.gnome.org/show_bug.cgi?id=756733 It is one case where the code in place to detect entities expansions failed to exit when the situation was detected, leading to DoS Problem reported by Kostya Serebryany @ Google Patch provided by David Drysdale @ Google --- parser.c | 4 ++++ 1 file changed, 4 insertions(+) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 11:58:07.110986471 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 11:58:07.110986471 -0500 @@ -2801,6 +2801,10 @@ 0, 0, 0); ctxt->depth--; + if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || + (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) + goto int_error; + if (rep != NULL) { current = rep; while (*current != 0) { /* non input consuming loop */ debian/patches/CVE-2016-1834.patch0000664000000000000000000000270212724277201013245 0ustar From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001 From: Pranjal Jumde Date: Tue, 8 Mar 2016 17:29:00 -0800 Subject: Bug 763071: heap-buffer-overflow in xmlStrncat * xmlstring.c: (xmlStrncat): Return NULL if xmlStrlen returns a negative length. (xmlStrncatNew): Ditto. --- xmlstring.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/xmlstring.c b/xmlstring.c index b89c9e9..00287d4 100644 --- a/xmlstring.c +++ b/xmlstring.c @@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { return(xmlStrndup(add, len)); size = xmlStrlen(cur); + if (size < 0) + return(NULL); ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar)); if (ret == NULL) { xmlErrMemory(NULL, NULL); 
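Review bot: The @2801 hunk jumps to `int_error` immediately after xmlStringDecodeEntities has returned into `rep`; the label is outside the hunk, so please confirm that path frees `rep` and the output buffer, otherwise the new early exit leaks the decoded copy on exactly the input that triggered the loop detection. The check mirrors the one the CVE-2014-3660 patch added a few lines earlier in this function, so a comment linking the two, `/* same loop/internal-error bail-out as after the PE reference above */`, helps the next backporter. The enclosing function starts and ends outside the hunk.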
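Review bot: In the @457 hunk (and the @484 hunk of xmlStrncatNew on the next line) the new `if (size < 0) return(NULL);` rejects a negative length from xmlStrlen, but the allocation size is still computed as `(size + len + 1) * sizeof(xmlChar)` with an int sum, so two large non-negative lengths can overflow before the multiply; adding `if (size > INT_MAX - len - 1) return(NULL);` next to the new check closes that gap (INT_MAX from <limits.h>). In xmlStrncatNew `len` is known to be non-negative by that point; xmlStrncat's earlier handling of `len` is outside the hunk. Both function bodies continue past the hunks.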
@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { int size; xmlChar *ret; - if (len < 0) + if (len < 0) { len = xmlStrlen(str2); + if (len < 0) + return(NULL); + } if ((str2 == NULL) || (len == 0)) return(xmlStrdup(str1)); if (str1 == NULL) return(xmlStrndup(str2, len)); size = xmlStrlen(str1); + if (size < 0) + return(NULL); ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar)); if (ret == NULL) { xmlErrMemory(NULL, NULL); -- cgit v0.12 debian/patches/CVE-2016-5131-1.patch0000664000000000000000000001040213062225552013367 0ustar From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 28 Jun 2016 14:22:23 +0200 Subject: Fix XPointer paths beginning with range-to The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131. --- result/XPath/xptr/vidbase | 13 ++++++++ test/XPath/xptr/vidbase | 1 + xpath.c | 7 ++++- xpointer.c | 76 ++++------------------------------------------- 4 files changed, 26 insertions(+), 71 deletions(-) Index: libxml2-2.9.1+dfsg1/xpath.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xpath.c 2017-03-15 07:54:15.755742804 -0400 +++ libxml2-2.9.1+dfsg1/xpath.c 2017-03-15 07:54:15.751742760 -0400 
@@ -10686,13 +10686,18 @@ lc = 1; break; } else if ((NXT(len) == '(')) { - /* Note Type or Function */ + /* Node Type or Function */ if (xmlXPathIsNodeType(name)) { #ifdef DEBUG_STEP xmlGenericError(xmlGenericErrorContext, "PathExpr: Type search\n"); #endif lc = 1; +#ifdef LIBXML_XPTR_ENABLED + } else if (ctxt->xptr && + xmlStrEqual(name, BAD_CAST "range-to")) { + lc = 1; +#endif } else { #ifdef DEBUG_STEP xmlGenericError(xmlGenericErrorContext, Index: libxml2-2.9.1+dfsg1/xpointer.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xpointer.c 2017-03-15 07:54:15.755742804 -0400 +++ libxml2-2.9.1+dfsg1/xpointer.c 2017-03-15 07:54:15.751742760 -0400 @@ -1295,8 +1295,6 @@ ret->here = here; ret->origin = origin; - xmlXPathRegisterFunc(ret, (xmlChar *)"range-to", - xmlXPtrRangeToFunction); xmlXPathRegisterFunc(ret, (xmlChar *)"range", xmlXPtrRangeFunction); xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside", 
@@ -2184,76 +2182,14 @@ * @nargs: the number of args * * Implement the range-to() XPointer function + * + * Obsolete. range-to is not a real function but a special type of location + * step which is handled in xpath.c. */ void -xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) { - xmlXPathObjectPtr range; - const xmlChar *cur; - xmlXPathObjectPtr res, obj; - xmlXPathObjectPtr tmp; - xmlLocationSetPtr newset = NULL; - xmlNodeSetPtr oldset; - int i; - - if (ctxt == NULL) return; - CHECK_ARITY(1); - /* - * Save the expression pointer since we will have to evaluate - * it multiple times. Initialize the new set. - */ - CHECK_TYPE(XPATH_NODESET); - obj = valuePop(ctxt); - oldset = obj->nodesetval; - ctxt->context->node = NULL; - - cur = ctxt->cur; - newset = xmlXPtrLocationSetCreate(NULL); - - for (i = 0; i < oldset->nodeNr; i++) { - ctxt->cur = cur; - - /* - * Run the evaluation with a node list made of a single item - * in the nodeset. - */ - ctxt->context->node = oldset->nodeTab[i]; - tmp = xmlXPathNewNodeSet(ctxt->context->node); - valuePush(ctxt, tmp); - - xmlXPathEvalExpr(ctxt); - CHECK_ERROR; - - /* - * The result of the evaluation need to be tested to - * decided whether the filter succeeded or not - */ - res = valuePop(ctxt); - range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res); - if (range != NULL) { - xmlXPtrLocationSetAdd(newset, range); - } - - /* - * Cleanup - */ - if (res != NULL) - xmlXPathFreeObject(res); - if (ctxt->value == tmp) { - res = valuePop(ctxt); - xmlXPathFreeObject(res); - } - - ctxt->context->node = NULL; - } - - /* - * The result is used as the new evaluation set. 
- */ - xmlXPathFreeObject(obj); - ctxt->context->node = NULL; - ctxt->context->contextSize = -1; - ctxt->context->proximityPosition = -1; - valuePush(ctxt, xmlXPtrWrapLocationSet(newset)); +xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, + int nargs ATTRIBUTE_UNUSED) { + XP_ERROR(XPATH_EXPR_ERROR); } /** debian/patches/CVE-2016-3705.patch0000664000000000000000000000430512724277451013254 0ustar From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 15 Apr 2016 11:56:55 +0200 Subject: Add missing increments of recursion depth counter to XML parser. For https://bugzilla.gnome.org/show_bug.cgi?id=765207 CVE-2016-3705 The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call xmlStringDecodeEntities() in a recursive context without incrementing the 'depth' counter in the parser context. Because of that omission, the parser failed to detect attribute recursions in certain documents before running out of stack space. --- parser.c | 8 ++++++++ 1 file changed, 8 insertions(+) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:18.205239470 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:18.205239470 -0400 @@ -144,8 +144,10 @@ ent->checked = 1; + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; if (rep != NULL) { @@ -3947,8 +3949,10 @@ * an entity declaration, it is bypassed and left as is. * so XML_SUBSTITUTE_REF is not set here. */ + ++ctxt->depth; ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, 0, 0, 0); + --ctxt->depth; if (orig != NULL) *orig = buf; else 
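Review bot: The header comment above xmlXPtrRangeToFunction still reads `Implement the range-to() XPointer function` while the body now only raises XPATH_EXPR_ERROR; the added "Obsolete" paragraph should also state the new contract, e.g. `Always raises XPATH_EXPR_ERROR; the symbol is kept so existing callers still link`. The old `if (ctxt == NULL) return;` guard is gone, so the stub now relies on XP_ERROR tolerating a NULL ctxt, which is worth confirming. The hunk covers the whole function body, so no further lines are affected.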
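Review bot: The `++ctxt->depth` / `--ctxt->depth` pair around xmlStringDecodeEntities is added bare here (parser.c -144) and in the three sibling hunks at -3947, -4073 and -4111, with nothing at any site explaining what the counter protects; a one-line comment at least at this first site would help, e.g. `/* nested decode: count it toward the entity recursion limit */`. The decrement runs whether or not the callee returned NULL, so the counter stays balanced on error paths, which is the behaviour one wants and could be said in the same comment. The enclosing functions start and end outside these hunks.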
@@ -4073,9 +4077,11 @@ } else if ((ent != NULL) && (ctxt->replaceEntities != 0)) { if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; if (rep != NULL) { current = rep; while (*current != 0) { /* non input consuming */ @@ -4111,8 +4117,10 @@ (ent->content != NULL) && (ent->checked == 0)) { unsigned long oldnbent = ctxt->nbentities; + ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; if (rep != NULL) { debian/patches/CVE-2016-4449.patch0000664000000000000000000000307012724277471013262 0ustar From b1d34de46a11323fccffa9fadeb33be670d602f5 Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Mon, 14 Mar 2016 17:19:44 +0800 Subject: Fix inappropriate fetch of entities content For https://bugzilla.gnome.org/show_bug.cgi?id=761430 libfuzzer regression testing exposed another case where the parser would fetch content of an external entity while not in validating mode. Plug that hole --- parser.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:34.933452346 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:34.933452346 -0400 
@@ -2854,7 +2854,21 @@ ctxt->nbentities += ent->checked / 2; if (ent != NULL) { if (ent->content == NULL) { - xmlLoadEntityContent(ctxt, ent); + /* + * Note: external parsed entities will not be loaded, + * it is not required for a non-validating parser to + * complete external PEreferences coming from the + * internal subset + */ + if (((ctxt->options & XML_PARSE_NOENT) != 0) || + ((ctxt->options & XML_PARSE_DTDVALID) != 0) || + (ctxt->validate != 0)) { + xmlLoadEntityContent(ctxt, ent); + } else { + xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING, + "not validating will not read content for PE entity %s\n", + ent->name, NULL); + } } ctxt->depth++; rep = xmlStringDecodeEntities(ctxt, ent->content, what, debian/patches/CVE-2014-0191.patch0000664000000000000000000000255512332746276013254 0ustar From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Tue, 22 Apr 2014 15:30:56 +0800 Subject: Do not fetch external parameter entities Unless explicitely asked for when validating or replacing entities with their value. Problem pointed out by Daniel Berrange Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2014-05-08 14:25:10.667020623 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2014-05-08 14:25:10.663020622 -0400 
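Review bot: After the new warning branch `ent->content` is still NULL and the next context line passes it to `xmlStringDecodeEntities(ctxt, ent->content, what, ...)`, so the hunk relies on that callee rejecting a NULL string; either a comment confirming that, or an explicit `if (ent->content == NULL) goto` to the existing cleanup path after the warning, would make the dependency visible. The three-condition test on XML_PARSE_NOENT, XML_PARSE_DTDVALID and `ctxt->validate` is the same predicate the CVE-2014-0191 hunk at -2595 evaluates in negated form inside xmlLoadEntityContent; a small static predicate helper would keep the two sites from drifting apart. The enclosing function starts and ends outside the hunk.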
@@ -2595,6 +2595,20 @@ xmlCharEncoding enc; /* + * Note: external parsed entities will not be loaded, it is + * not required for a non-validating parser, unless the + * option of validating, or substituting entities were + * given. Doing so is far more secure as the parser will + * only process data coming from the document entity by + * default. + */ + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && + (ctxt->validate == 0)) + return; + + /* * handle the extra spaces added before and after * c.f. http://www.w3.org/TR/REC-xml#as-PE * this is done independently. debian/patches/CVE-2016-1833-pre.patch0000664000000000000000000000210612724327223014026 0ustar From ff76eb28c75451bc56e3b93f44dac155ca29e7f5 Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Sat, 3 Aug 2013 22:25:13 +0800 Subject: Clear up a potential NULL dereference https://bugzilla.gnome.org/show_bug.cgi?id=705399 if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought to be zero but it's better to clarify the check in the code directly. --- parserInternals.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: libxml2-2.9.1+dfsg1/parserInternals.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2016-06-03 12:21:37.899991664 -0400 +++ libxml2-2.9.1+dfsg1/parserInternals.c 2016-06-03 12:21:37.899991664 -0400 @@ -1999,7 +1999,8 @@ /* Otherwise, we need to add new node to buffer */ else { - if (ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) { + if ((ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) || + (ctxt->node_seq.buffer == NULL)) { xmlParserNodeInfo *tmp_buffer; unsigned int byte_size; debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch0000664000000000000000000000751112177612662022335 0ustar 
From: Aron Xu Date: Fri, 21 Sep 2012 00:19:41 +0800 Subject: modify xml2-config and pkgconfig behaviour --- configure.in | 2 +- libxml-2.0-uninstalled.pc.in | 3 ++- libxml-2.0.pc.in | 2 +- xml2-config.1 | 4 ++++ xml2-config.in | 22 ++++++++++------------ 5 files changed, 18 insertions(+), 15 deletions(-) diff --git a/configure.in b/configure.in index d449b11..668f233 100644 --- a/configure.in +++ b/configure.in @@ -1380,7 +1380,7 @@ case "$host" in *) M_LIBS="-lm" ;; esac -XML_LIBS="-lxml2 $Z_LIBS $THREAD_LIBS $ICONV_LIBS $M_LIBS $LIBS" +XML_LIBS="-lxml2" XML_LIBTOOLLIBS="libxml2.la" AC_SUBST(WITH_ICONV) diff --git a/libxml-2.0-uninstalled.pc.in b/libxml-2.0-uninstalled.pc.in index cab6834..af16ebc 100644 --- a/libxml-2.0-uninstalled.pc.in +++ b/libxml-2.0-uninstalled.pc.in @@ -8,5 +8,6 @@ Name: libXML Version: @VERSION@ Description: libXML library version2. Requires: -Libs: -L${libdir} -lxml2 @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ +Libs: -L${libdir} -lxml2 +Libs.private: @BASE_THREAD_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@ Cflags: -I${includedir} @XML_INCLUDEDIR@ @XML_CFLAGS@ diff --git a/libxml-2.0.pc.in b/libxml-2.0.pc.in index f5f5f03..0de667b 100644 --- a/libxml-2.0.pc.in +++ b/libxml-2.0.pc.in @@ -9,5 +9,5 @@ Version: @VERSION@ Description: libXML library version2. Requires: Libs: -L${libdir} -lxml2 -Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @WIN32_EXTRA_LIBADD@ @LIBS@ +Libs.private: @ICU_LIBS@ @THREAD_LIBS@ @Z_LIBS@ @ICONV_LIBS@ @M_LIBS@ @WIN32_EXTRA_LIBADD@ @LIBS@ @LZMA_LIBS@ Cflags: @XML_INCLUDEDIR@ @XML_CFLAGS@ diff --git a/xml2-config.1 b/xml2-config.1 index 8cf9858..7b4195d 100644 --- a/xml2-config.1 +++ b/xml2-config.1 
@@ -8,11 +8,15 @@ xml-config - script to get information about the installed version of GNOME-XML \fIxml-config\fP is a tool that is used to determine the compile and linker flags that should be used to compile and link programs that use \fIGNOME-XML\fP. +It is highly recommended to use pkg-config instead because building in a +multi-arch environment is not well supported in this script. .SH OPTIONS \fIxml-config\fP accepts the following options: .TP 8 .B \-\-version Print the currently installed version of \fIGNOME-XML\fP on the standard output. +Add the \fB\-\-static\fP option to print the linker flags that are necessary +to \fBstatically\fP link a \fIGNOME-XML\fP program. .TP 8 .B \-\-libs Print the linker flags that are necessary to link a \fIGNOME-XML\fP program. diff --git a/xml2-config.in b/xml2-config.in index 1957486..b764d83 100644 --- a/xml2-config.in +++ b/xml2-config.in @@ -15,6 +15,8 @@ Known values for OPTION are: --prefix=DIR change libxml prefix [default $prefix] --exec-prefix=DIR change libxml exec prefix [default $exec_prefix] --libs print library linking information + add --static to print static library linking + information --cflags print pre-processor and compiler flags --modules module support enabled --help display this help and exit @@ -82,18 +84,14 @@ while test $# -gt 0; do ;; --libs) - if [ "`uname`" = "Linux" ] - then - if [ "@XML_LIBDIR@" = "-L/usr/lib" -o "@XML_LIBDIR@" = "-L/usr/lib64" ] - then - echo @XML_LIBS@ @MODULE_PLATFORM_LIBS@ - else - echo @XML_LIBDIR@ @XML_LIBS@ @MODULE_PLATFORM_LIBS@ - fi - else - echo @XML_LIBDIR@ @XML_LIBS@ @MODULE_PLATFORM_LIBS@ @WIN32_EXTRA_LIBADD@ - fi - ;; + LIBS="@XML_LIBS@ @WIN32_EXTRA_LIBADD@" + if [ "$2" = "--static" ] + then + shift + LIBS="${LIBS} @Z_LIBS@ @BASE_THREAD_LIBS@@THREAD_LIBS@ @ICONV_LIBS@ @M_LIBS@ @LIBS@" + fi + echo ${LIBS} + ;; *) usage debian/patches/CVE-2017-9047-9048.patch0000664000000000000000000003652213157057761013673 0ustar 
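Review bot: `--static` is only recognised as the argument immediately after `--libs` (`"$2"` is tested and then shifted), so `xml2-config --static --libs` silently prints the dynamic flags; either parse `--static` as a standalone option that sets a variable before the `case`, or make the usage text say it must follow `--libs`. The usage line added in the -15 hunk, `add --static to print static library linking information`, reads as order-independent, and the man-page hunk places the same sentence under `--version` rather than `--libs`. The `while`/`case` loop starts and ends outside the hunk.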
From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Sat, 3 Jun 2017 02:01:29 +0200 Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit xmlSnprintfElementContent failed to correctly check the available buffer space in two locations. Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). Thanks to Marcel Böhme and Thuan Pham for the report. CVE-2017-9047, CVE-2017-9048 --- result/valid/781333.xml | 5 +++++ result/valid/781333.xml.err | 3 +++ result/valid/781333.xml.err.rdr | 6 ++++++ test/valid/781333.xml | 4 ++++ valid.c | 20 +++++++++++--------- 5 files changed, 29 insertions(+), 9 deletions(-) create mode 100644 result/valid/781333.xml create mode 100644 result/valid/781333.xml.err create mode 100644 result/valid/781333.xml.err.rdr create mode 100644 test/valid/781333.xml diff --git a/result/valid/781333.xml b/result/valid/781333.xml new file mode 100644 index 0000000..45dc451 --- /dev/null +++ b/result/valid/781333.xml @@ -0,0 +1,5 @@ + + +]> + diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err new file mode 100644 index 0000000..b401b49 --- /dev/null +++ b/result/valid/781333.xml.err @@ -0,0 +1,3 @@ +./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got + + ^ diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr new file mode 100644 index 0000000..5ff5699 --- /dev/null +++ b/result/valid/781333.xml.err.rdr @@ -0,0 +1,6 @@ +./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got + + ^ +./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child + +^ diff --git a/test/valid/781333.xml b/test/valid/781333.xml new file mode 100644 index 0000000..b29e5a6 --- /dev/null 
+++ b/test/valid/781333.xml @@ -0,0 +1,4 @@ + +]> + diff --git a/valid.c b/valid.c index 19f84b8..9b2df56 100644 --- a/valid.c +++ b/valid.c @@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int case XML_ELEMENT_CONTENT_PCDATA: strcat(buf, "#PCDATA"); break; - case XML_ELEMENT_CONTENT_ELEMENT: + case XML_ELEMENT_CONTENT_ELEMENT: { + int qnameLen = xmlStrlen(content->name); + + if (content->prefix != NULL) + qnameLen += xmlStrlen(content->prefix) + 1; + if (size - len < qnameLen + 10) { + strcat(buf, " ..."); + return; + } if (content->prefix != NULL) { - if (size - len < xmlStrlen(content->prefix) + 10) { - strcat(buf, " ..."); - return; - } strcat(buf, (char *) content->prefix); strcat(buf, ":"); } - if (size - len < xmlStrlen(content->name) + 10) { - strcat(buf, " ..."); - return; - } if (content->name != NULL) strcat(buf, (char *) content->name); break; + } case XML_ELEMENT_CONTENT_SEQ: if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) @@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int xmlSnprintfElementContent(buf, size, content->c2, 0); break; } + if (size - strlen(buf) <= 2) return; if (englob) strcat(buf, ")"); switch (content->ocur) { -- 2.7.4 debian/patches/CVE-2015-8035.patch0000664000000000000000000000212412621366160013241 0ustar From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 
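Review bot: `if (size - strlen(buf) <= 2) return;` in the -1319 hunk mixes the int `size` with the size_t result of strlen, so the subtraction is done unsigned; should `buf` ever hold more than `size` bytes the difference wraps to a huge value, the guard passes, and the following `strcat(buf, ")")` runs anyway. Casting keeps the guard failing safe: `if (size - (int) strlen(buf) <= 2) return;`. xmlSnprintfElementContent starts and ends outside the hunk.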
From: Daniel Veillard Date: Tue, 3 Nov 2015 15:31:25 +0800 Subject: CVE-2015-8035 Fix XZ compression support loop For https://bugzilla.gnome.org/show_bug.cgi?id=757466 DoS when parsing specially crafted XML document if XZ support is compiled in (which wasn't the case for 2.9.2 and master since Nov 2013, fixed in next commit !) --- xzlib.c | 4 ++++ 1 file changed, 4 insertions(+) Index: libxml2-2.9.1+dfsg1/xzlib.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xzlib.c 2015-11-13 08:58:06.384794119 -0500 +++ libxml2-2.9.1+dfsg1/xzlib.c 2015-11-13 08:58:06.380794067 -0500 @@ -538,6 +538,10 @@ xz_error(state, LZMA_DATA_ERROR, "compressed data error"); return -1; } + if (ret == LZMA_PROG_ERROR) { + xz_error(state, LZMA_PROG_ERROR, "compression error"); + return -1; + } } while (strm->avail_out && ret != LZMA_STREAM_END); /* update available output and crc check value */ debian/patches/CVE-2016-4658.patch0000664000000000000000000001622613062225537013263 0ustar From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Tue, 28 Jun 2016 18:34:52 +0200 Subject: Disallow namespace nodes in XPointer ranges Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges. Found with afl-fuzz. Fixes CVE-2016-4658. --- xpointer.c | 149 +++++++++++++++++++++++-------------------------------------- 1 file changed, 56 insertions(+), 93 deletions(-) diff --git a/xpointer.c b/xpointer.c index a7b03fb..694d120 100644 --- a/xpointer.c +++ b/xpointer.c 
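Review bot: The new LZMA_PROG_ERROR branch handles one more return code individually, but the loop condition `while (strm->avail_out && ret != LZMA_STREAM_END)` still spins on any other non-OK code the visible checks do not cover; unless the lines above the hunk already handle them, a catch-all is more robust than enumerating codes, e.g. `if ((ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { xz_error(state, ret, "decompression error"); return -1; }`. The added message says "compression error" on what looks like a decode path, judging by the crc and avail_out handling; "decompression error" would match. The enclosing function starts and ends outside the hunk.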
@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) { } /** + * xmlXPtrNewRangeInternal: + * @start: the starting node + * @startindex: the start index + * @end: the ending point + * @endindex: the ending index + * + * Internal function to create a new xmlXPathObjectPtr of type range + * + * Returns the newly created object. + */ +static xmlXPathObjectPtr +xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex, + xmlNodePtr end, int endindex) { + xmlXPathObjectPtr ret; + + /* + * Namespace nodes must be copied (see xmlXPathNodeSetDupNs). + * Disallow them for now. + */ + if ((start != NULL) && (start->type == XML_NAMESPACE_DECL)) + return(NULL); + if ((end != NULL) && (end->type == XML_NAMESPACE_DECL)) + return(NULL); + + ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); + if (ret == NULL) { + xmlXPtrErrMemory("allocating range"); + return(NULL); + } + memset(ret, 0, sizeof(xmlXPathObject)); + ret->type = XPATH_RANGE; + ret->user = start; + ret->index = startindex; + ret->user2 = end; + ret->index2 = endindex; + return(ret); +} + +/** * xmlXPtrNewRange: * @start: the starting node * @startindex: the start index @@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex, if (endindex < 0) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = startindex; - ret->user2 = end; - ret->index2 = endindex; + ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex); xmlXPtrRangeCheckOrder(ret); return(ret); } 
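Review bot: xmlXPtrNewRange now passes the result of xmlXPtrNewRangeInternal straight to xmlXPtrRangeCheckOrder, and that result is NULL both on allocation failure and, newly, when either end is a namespace node, whereas before this change the allocation-failure path returned before the check. The same pattern appears in the hunks at -381, -416, -453, -486 and -557. If xmlXPtrRangeCheckOrder does not itself tolerate NULL, each of those callers needs `if (ret == NULL) return(NULL);` before it; if it does, a sentence in the new doc block saying that callers may hand a NULL result on would make the contract explicit. In the same doc block `@end: the ending point` describes a node, per the signature.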
@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) { if (end->type != XPATH_POINT) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start->user; - ret->index = start->index; - ret->user2 = end->user; - ret->index2 = end->index; + ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user, + end->index); xmlXPtrRangeCheckOrder(ret); return(ret); } @@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) { if (start->type != XPATH_POINT) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start->user; - ret->index = start->index; - ret->user2 = end; - ret->index2 = -1; + ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1); xmlXPtrRangeCheckOrder(ret); return(ret); } @@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) { if (end->type != XPATH_POINT) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - ret->user2 = end->user; - ret->index2 = end->index; + ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index); xmlXPtrRangeCheckOrder(ret); return(ret); } 
@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) { if (end == NULL) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - ret->user2 = end; - ret->index2 = -1; + ret = xmlXPtrNewRangeInternal(start, -1, end, -1); xmlXPtrRangeCheckOrder(ret); return(ret); } @@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { if (start == NULL) return(NULL); - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - ret->user2 = NULL; - ret->index2 = -1; + ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1); return(ret); } @@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) { */ xmlXPathObjectPtr xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { + xmlNodePtr endNode; + int endIndex; xmlXPathObjectPtr ret; if (start == NULL) @@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { return(NULL); switch (end->type) { case XPATH_POINT: + endNode = end->user; + endIndex = end->index; + break; case XPATH_RANGE: + endNode = end->user2; + endIndex = end->index2; break; case XPATH_NODESET: /* 
@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) { */ if (end->nodesetval->nodeNr <= 0) return(NULL); + endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; + endIndex = -1; break; default: /* TODO */ return(NULL); } - ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject)); - if (ret == NULL) { - xmlXPtrErrMemory("allocating range"); - return(NULL); - } - memset(ret, 0 , (size_t) sizeof(xmlXPathObject)); - ret->type = XPATH_RANGE; - ret->user = start; - ret->index = -1; - switch (end->type) { - case XPATH_POINT: - ret->user2 = end->user; - ret->index2 = end->index; - break; - case XPATH_RANGE: - ret->user2 = end->user2; - ret->index2 = end->index2; - break; - case XPATH_NODESET: { - ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1]; - ret->index2 = -1; - break; - } - default: - STRANGE - return(NULL); - } + ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex); xmlXPtrRangeCheckOrder(ret); return(ret); } -- cgit v0.12 debian/patches/0003-Fix-missing-break-on-last-function-for-attributes.patch0000664000000000000000000000110512177612662023654 0ustar From: dcb Date: Thu, 2 May 2013 08:11:46 +0000 Subject: Fix missing break on last() function for attributes pointed out by cppcheck --- python/libxml.c | 1 + 1 file changed, 1 insertion(+) diff --git a/python/libxml.c b/python/libxml.c index 03cfb9f..3338b83 100644 --- a/python/libxml.c +++ b/python/libxml.c @@ -2683,6 +2683,7 @@ libxml_last(ATTRIBUTE_UNUSED PyObject * self, PyObject * args) xmlAttrPtr attr = (xmlAttrPtr) cur; res = attr->last; + break; } default: res = NULL; debian/patches/CVE-2017-15412.patch0000664000000000000000000000227713213531342013323 0ustar From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001 
From: Nick Wellnhofer Date: Thu, 1 Jun 2017 23:12:19 +0200 Subject: Fix XPath stack frame logic Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in xmlXPathCompOpEvalPositionalPredicate to make sure that the context object on the stack is actually protected. Otherwise, memory corruption can occur when calling sloppily coded XPath extension functions. Fixes bug 783160. --- xpath.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: libxml2-2.9.1+dfsg1/xpath.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/xpath.c +++ libxml2-2.9.1+dfsg1/xpath.c @@ -11910,11 +11910,11 @@ xmlXPathCompOpEvalPositionalPredicate(xm } } - frame = xmlXPathSetFrame(ctxt); valuePush(ctxt, contextObj); + frame = xmlXPathSetFrame(ctxt); res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); - tmp = valuePop(ctxt); xmlXPathPopFrame(ctxt, frame); + tmp = valuePop(ctxt); if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { while (tmp != contextObj) { debian/patches/0006-fix-python-multiarch-includes.patch0000664000000000000000000000245212203634233020123 0ustar Description: fix python multi-arch include issues. . libxml2 (2.9.0+dfsg1-4ubuntu1) raring; urgency=low . * Fix python multi-arch includes issues. Author: Chris J Arges Index: libxml2-2.9.1+dfsg1/python/Makefile.am =================================================================== --- libxml2-2.9.1+dfsg1.orig/python/Makefile.am 2013-07-11 10:00:34.032015469 -0400 +++ libxml2-2.9.1+dfsg1/python/Makefile.am 2013-07-11 10:00:34.028015468 -0400 
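Review bot: The reordering of xmlXPathSetFrame and xmlXPathPopFrame around the push and pop of `contextObj` carries no comment, and a later tidy-up could easily swap the lines back; a line such as `/* push contextObj before setting the frame so the frame protects it from extension functions */` at `valuePush(ctxt, contextObj);` would pin the intent the commit message describes. xmlXPathCompOpEvalPositionalPredicate starts and ends outside the hunk.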
@@ -19,7 +19,7 @@ AM_CPPFLAGS = \ -I$(top_builddir)/include \ -I$(top_srcdir)/include \ - -I$(PYTHON_INCLUDES) + $(PYTHON_INCLUDES) python_LTLIBRARIES = libxml2mod.la Index: libxml2-2.9.1+dfsg1/python/Makefile.in =================================================================== --- libxml2-2.9.1+dfsg1.orig/python/Makefile.in 2013-07-11 10:00:34.032015469 -0400 +++ libxml2-2.9.1+dfsg1/python/Makefile.in 2013-07-11 10:00:34.028015468 -0400 @@ -430,7 +430,7 @@ @WITH_PYTHON_TRUE@AM_CPPFLAGS = \ @WITH_PYTHON_TRUE@ -I$(top_builddir)/include \ @WITH_PYTHON_TRUE@ -I$(top_srcdir)/include \ -@WITH_PYTHON_TRUE@ -I$(PYTHON_INCLUDES) +@WITH_PYTHON_TRUE@ $(PYTHON_INCLUDES) @WITH_PYTHON_TRUE@python_LTLIBRARIES = libxml2mod.la @WITH_PYTHON_TRUE@libxml2mod_la_SOURCES = libxml.c libxml_wrap.h libxml2-py.h libxml2-py.c types.c debian/patches/CVE-2015-8317-1.patch0000664000000000000000000000220112632057041013373 0ustar From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Mon, 29 Jun 2015 09:08:25 +0800 Subject: Do not process encoding values if the declaration if broken For https://bugzilla.gnome.org/show_bug.cgi?id=751603 If the string is not properly terminated do not try to convert to the given encoding. --- parser.c | 4 ++++ 1 file changed, 4 insertions(+) Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2015-12-09 12:00:15.124215449 -0500 +++ libxml2-2.9.1+dfsg1/parser.c 2015-12-09 12:00:15.124215449 -0500 @@ -10396,6 +10396,8 @@ encoding = xmlParseEncName(ctxt); if (RAW != '"') { xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); + xmlFree((xmlChar *) encoding); + return(NULL); } else NEXT; } else if (RAW == '\''){ 
@@ -10403,6 +10405,8 @@ encoding = xmlParseEncName(ctxt); if (RAW != '\'') { xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); + xmlFree((xmlChar *) encoding); + return(NULL); } else NEXT; } else { debian/patches/0005-properly-quote-the-namespace-uris-written-out-during.patch0000664000000000000000000000210612177612662024517 0ustar From: Aleksey Sanin Date: Thu, 9 May 2013 16:02:16 +0000 Subject: properly quote the namespace uris written out during c14n --- c14n.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/c14n.c b/c14n.c index afd95b3..ca77f92 100644 --- a/c14n.c +++ b/c14n.c @@ -547,14 +547,15 @@ xmlC14NPrintNamespaces(const xmlNsPtr ns, xmlC14NCtxPtr ctx) if (ns->prefix != NULL) { xmlOutputBufferWriteString(ctx->buf, " xmlns:"); xmlOutputBufferWriteString(ctx->buf, (const char *) ns->prefix); - xmlOutputBufferWriteString(ctx->buf, "=\""); + xmlOutputBufferWriteString(ctx->buf, "="); } else { - xmlOutputBufferWriteString(ctx->buf, " xmlns=\""); + xmlOutputBufferWriteString(ctx->buf, " xmlns="); } if(ns->href != NULL) { - xmlOutputBufferWriteString(ctx->buf, (const char *) ns->href); + xmlBufWriteQuotedString(ctx->buf->buffer, ns->href); + } else { + xmlOutputBufferWriteString(ctx->buf, "\"\""); } - xmlOutputBufferWriteString(ctx->buf, "\""); return (1); } debian/patches/CVE-2016-1835.patch0000664000000000000000000002302312724277330013250 0ustar Backport of: From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001 
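Review bot: In the c14n.c hunk the quoted href is written with `xmlBufWriteQuotedString(ctx->buf->buffer, ns->href)` directly into the underlying buffer, while the surrounding ` xmlns:` and `=` text goes through `xmlOutputBufferWriteString(ctx->buf, ...)`; if the output buffer has an encoder stage the two write paths may not be ordered identically, so a comment stating that the buffer is written raw here, or routing the quoted string through the output-buffer API, would settle it. The function still returns 1 unconditionally, so a failed write of the href is not reported. xmlC14NPrintNamespaces starts before the hunk.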
From: Pranjal Jumde Date: Mon, 7 Mar 2016 14:04:08 -0800 Subject: Heap use-after-free in xmlSAX2AttributeNs For https://bugzilla.gnome.org/show_bug.cgi?id=759020 * parser.c: (xmlParseStartTag2): Attribute strings are only valid if the base does not change, so add another check where the base may change. Make sure to set 'attvalue' to NULL after freeing it. * result/errors/759020.xml: Added. * result/errors/759020.xml.err: Added. * result/errors/759020.xml.str: Added. * test/errors/759020.xml: Added test case. --- parser.c | 12 ++++++++++-- result/errors/759020.xml | 0 result/errors/759020.xml.err | 6 ++++++ result/errors/759020.xml.str | 7 +++++++ test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 result/errors/759020.xml create mode 100644 result/errors/759020.xml.err create mode 100644 result/errors/759020.xml.str create mode 100644 test/errors/759020.xml Index: libxml2-2.9.1+dfsg1/parser.c =================================================================== --- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:56:43.215265543 -0400 +++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:57:36.535944954 -0400 @@ -9422,8 +9422,13 @@ else if (nsPush(ctxt, NULL, URL) > 0) nbNs++; skip_default_ns: - if (alloc != 0) xmlFree(attvalue); + if ((attvalue != NULL) && (alloc != 0)) { + xmlFree(attvalue); + attvalue = NULL; + } SKIP_BLANKS; + if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) + goto base_changed; continue; } if (aprefix == ctxt->str_xmlns) { @@ -9495,7 +9500,10 @@ else if (nsPush(ctxt, attname, URL) > 0) nbNs++; skip_ns: - if (alloc != 0) xmlFree(attvalue); + if ((attvalue != NULL) && (alloc != 0)) { + xmlFree(attvalue); + attvalue = NULL; + } SKIP_BLANKS; if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) goto base_changed; Index: libxml2-2.9.1+dfsg1/result/errors/759020.xml.err =================================================================== 
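Review bot: The `if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) goto base_changed;` added after SKIP_BLANKS in the -9422 hunk has no comment saying why skipping whitespace can invalidate the attribute strings; the -9495 hunk already had the same check, so one comment at this first site suffices, e.g. `/* SKIP_BLANKS may move the input base; attribute strings are only valid while it is unchanged */`. Resetting `attvalue` to NULL after the free is a good defensive touch and could be mentioned in the same comment. xmlParseStartTag2 starts and ends outside the hunk.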
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/result/errors/759020.xml.err 2016-06-03 08:56:43.211265492 -0400 @@ -0,0 +1,6 @@ +./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute +0000000000000000000000000000000000000000000000000000000000000000000000000000000' + ^ +./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2 + + ^ Index: libxml2-2.9.1+dfsg1/result/errors/759020.xml.str =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/result/errors/759020.xml.str 2016-06-03 08:56:43.211265492 -0400 
@@ -0,0 +1,7 @@ +./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute +0000000000000000000000000000000000000000000000000000000000000000000000000000000' + ^ +./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 + + ^ +./test/errors/759020.xml : failed to parse Index: libxml2-2.9.1+dfsg1/test/errors/759020.xml =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.1+dfsg1/test/errors/759020.xml 2016-06-03 08:56:43.211265492 -0400 
@@ -0,0 +1,46 @@ + + Date: Fri, 30 Oct 2015 21:14:55 +0800 Subject: Fix parsing short unclosed comment uninitialized access For https://bugzilla.gnome.org/show_bug.cgi?id=746048 The HTML parser was too optimistic when processing comments and didn't check for the end of the stream on the first 2 characters --- HTMLparser.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) Index: libxml2-2.9.2+zdfsg1/HTMLparser.c =================================================================== --- libxml2-2.9.2+zdfsg1.orig/HTMLparser.c 2016-01-14 08:59:21.702167883 -0500 +++ libxml2-2.9.2+zdfsg1/HTMLparser.c 2016-01-14 08:59:21.698167840 -0500 @@ -3245,12 +3245,17 @@ ctxt->instate = state; return; } + len = 0; + buf[len] = 0; q = CUR_CHAR(ql); + if (!IS_CHAR(q)) + goto unfinished; NEXTL(ql); r = CUR_CHAR(rl); + if (!IS_CHAR(r)) + goto unfinished; NEXTL(rl); cur = CUR_CHAR(l); - len = 0; while (IS_CHAR(cur) && ((cur != '>') || (r != '-') || (q != '-'))) { @@ -3281,18 +3286,20 @@ } } buf[len] = 0; - if (!IS_CHAR(cur)) { - htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, - "Comment not terminated \n
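Review bot: In the HTMLparser.c -3245 hunk, both `goto unfinished` statements target a label that is not in this hunk; it is presumably introduced in the following hunk, which is cut off at the end of the page, so the label and its handling could not be reviewed here. Moving `len = 0; buf[len] = 0;` ahead of the first CUR_CHAR is what makes the early exits safe, and that deserves a line such as `/* terminate buf before any early exit so the unfinished path sees an empty comment */`. The enclosing function starts before the hunk.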