+++ /dev/null
---- libxml2-2.7.8/dict.c 2010-10-12 08:25:31.000000000 +0200
-+++ libxml2-2.7.8.patched/dict.c 2012-09-28 12:08:37.432414664 +0200
-@@ -2,7 +2,7 @@
- * dict.c: dictionary of reusable strings, just used to avoid allocation
- * and freeing operations.
- *
-- * Copyright (C) 2003 Daniel Veillard.
-+ * Copyright (C) 2003-2012 Daniel Veillard.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -19,6 +19,28 @@
- #define IN_LIBXML
- #include "libxml.h"
-
-+#ifdef HAVE_STDLIB_H
-+#include <stdlib.h>
-+#endif
-+#ifdef HAVE_TIME_H
-+#include <time.h>
-+#endif
-+
-+/*
-+ * Following http://www.ocert.org/advisories/ocert-2011-003.html
-+ * it seems that having hash randomization might be a good idea
-+ * when using XML with untrusted data
-+ * Note1: that it works correctly only if compiled with WITH_BIG_KEY
-+ * which is the default.
-+ * Note2: the fast function used for a small dict won't protect very
-+ * well but since the attack is based on growing a very big hash
-+ * list we will use the BigKey algo as soon as the hash size grows
-+ * over MIN_DICT_SIZE so this actually works
-+ */
-+#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
-+#define DICT_RANDOMIZATION
-+#endif
-+
- #include <string.h>
- #ifdef HAVE_STDINT_H
- #include <stdint.h>
-@@ -44,23 +66,23 @@
- #define WITH_BIG_KEY
-
- #ifdef WITH_BIG_KEY
--#define xmlDictComputeKey(dict, name, len) \
-- (((dict)->size == MIN_DICT_SIZE) ? \
-- xmlDictComputeFastKey(name, len) : \
-- xmlDictComputeBigKey(name, len))
--
--#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
-- (((prefix) == NULL) ? \
-- (xmlDictComputeKey(dict, name, len)) : \
-- (((dict)->size == MIN_DICT_SIZE) ? \
-- xmlDictComputeFastQKey(prefix, plen, name, len) : \
-- xmlDictComputeBigQKey(prefix, plen, name, len)))
-+#define xmlDictComputeKey(dict, name, len) \
-+ (((dict)->size == MIN_DICT_SIZE) ? \
-+ xmlDictComputeFastKey(name, len, (dict)->seed) : \
-+ xmlDictComputeBigKey(name, len, (dict)->seed))
-+
-+#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
-+ (((prefix) == NULL) ? \
-+ (xmlDictComputeKey(dict, name, len)) : \
-+ (((dict)->size == MIN_DICT_SIZE) ? \
-+ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) : \
-+ xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed)))
-
- #else /* !WITH_BIG_KEY */
--#define xmlDictComputeKey(dict, name, len) \
-- xmlDictComputeFastKey(name, len)
--#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
-- xmlDictComputeFastQKey(prefix, plen, name, len)
-+#define xmlDictComputeKey(dict, name, len) \
-+ xmlDictComputeFastKey(name, len, (dict)->seed)
-+#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
-+ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed)
- #endif /* WITH_BIG_KEY */
-
- /*
-@@ -98,6 +120,8 @@
- xmlDictStringsPtr strings;
-
- struct _xmlDict *subdict;
-+ /* used for randomization */
-+ int seed;
- };
-
- /*
-@@ -125,6 +149,9 @@
- if ((xmlDictMutex = xmlNewRMutex()) == NULL)
- return(0);
-
-+#ifdef DICT_RANDOMIZATION
-+ srand(time(NULL));
-+#endif
- xmlDictInitialized = 1;
- return(1);
- }
-@@ -277,13 +304,13 @@
- */
-
- static uint32_t
--xmlDictComputeBigKey(const xmlChar* data, int namelen) {
-+xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) {
- uint32_t hash;
- int i;
-
- if (namelen <= 0 || data == NULL) return(0);
-
-- hash = 0;
-+ hash = seed;
-
- for (i = 0;i < namelen; i++) {
- hash += data[i];
-@@ -310,12 +337,12 @@
- */
- static unsigned long
- xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
-- const xmlChar *name, int len)
-+ const xmlChar *name, int len, int seed)
- {
- uint32_t hash;
- int i;
-
-- hash = 0;
-+ hash = seed;
-
- for (i = 0;i < plen; i++) {
- hash += prefix[i];
-@@ -346,8 +373,8 @@
- * for low hash table fill.
- */
- static unsigned long
--xmlDictComputeFastKey(const xmlChar *name, int namelen) {
-- unsigned long value = 0L;
-+xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
-+ unsigned long value = seed;
-
- if (name == NULL) return(0);
- value = *name;
-@@ -381,9 +408,9 @@
- */
- static unsigned long
- xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
-- const xmlChar *name, int len)
-+ const xmlChar *name, int len, int seed)
- {
-- unsigned long value = 0L;
-+ unsigned long value = (unsigned long) seed;
-
- if (plen == 0)
- value += 30 * (unsigned long) ':';
-@@ -460,6 +487,11 @@
- dict->subdict = NULL;
- if (dict->dict) {
- memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry));
-+#ifdef DICT_RANDOMIZATION
-+ dict->seed = rand();
-+#else
-+ dict->seed = 0;
-+#endif
- return(dict);
- }
- xmlFree(dict);
-@@ -486,6 +518,7 @@
- #ifdef DICT_DEBUG_PATTERNS
- fprintf(stderr, "R");
- #endif
-+ dict->seed = sub->seed;
- dict->subdict = sub;
- xmlDictReference(dict->subdict);
- }
---- libxml2-2.7.8/encoding.c 2010-11-04 17:40:06.000000000 +0100
-+++ libxml2-2.7.8.patched/encoding.c 2012-09-28 12:08:37.440414665 +0200
-@@ -1928,7 +1928,7 @@
- if (in == NULL) return(-1);
-
- /* calculate space available */
-- written = out->size - out->use;
-+ written = out->size - out->use - 1; /* count '\0' */
- toconv = in->use;
- /*
- * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
-@@ -2059,7 +2059,7 @@
- toconv = in->use;
- if (toconv == 0)
- return (0);
-- written = out->size - out->use;
-+ written = out->size - out->use - 1; /* count '\0' */
- if (toconv * 2 >= written) {
- xmlBufferGrow(out, out->size + toconv * 2);
- written = out->size - out->use - 1;
---- libxml2-2.7.8/entities.c 2010-10-12 08:25:32.000000000 +0200
-+++ libxml2-2.7.8.patched/entities.c 2012-09-28 12:08:37.432414664 +0200
-@@ -528,13 +528,13 @@
- * Macro used to grow the current buffer.
- */
- #define growBufferReentrant() { \
-- buffer_size *= 2; \
-- buffer = (xmlChar *) \
-- xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \
-- if (buffer == NULL) { \
-- xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
-- return(NULL); \
-- } \
-+ xmlChar *tmp; \
-+ size_t new_size = buffer_size * 2; \
-+ if (new_size < buffer_size) goto mem_error; \
-+ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
-+ if (tmp == NULL) goto mem_error; \
-+ buffer = tmp; \
-+ buffer_size = new_size; \
- }
-
-
-@@ -555,7 +555,7 @@
- const xmlChar *cur = input;
- xmlChar *buffer = NULL;
- xmlChar *out = NULL;
-- int buffer_size = 0;
-+ size_t buffer_size = 0;
- int html = 0;
-
- if (input == NULL) return(NULL);
-@@ -574,8 +574,8 @@
- out = buffer;
-
- while (*cur != '\0') {
-- if (out - buffer > buffer_size - 100) {
-- int indx = out - buffer;
-+ size_t indx = out - buffer;
-+ if (indx + 100 > buffer_size) {
-
- growBufferReentrant();
- out = &buffer[indx];
-@@ -692,6 +692,11 @@
- }
- *out = 0;
- return(buffer);
-+
-+mem_error:
-+ xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
-+ xmlFree(buffer);
-+ return(NULL);
- }
-
- /**
-@@ -709,7 +714,7 @@
- const xmlChar *cur = input;
- xmlChar *buffer = NULL;
- xmlChar *out = NULL;
-- int buffer_size = 0;
-+ size_t buffer_size = 0;
- if (input == NULL) return(NULL);
-
- /*
-@@ -724,8 +729,8 @@
- out = buffer;
-
- while (*cur != '\0') {
-- if (out - buffer > buffer_size - 10) {
-- int indx = out - buffer;
-+ size_t indx = out - buffer;
-+ if (indx + 10 > buffer_size) {
-
- growBufferReentrant();
- out = &buffer[indx];
-@@ -774,6 +779,11 @@
- }
- *out = 0;
- return(buffer);
-+
-+mem_error:
-+ xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
-+ xmlFree(buffer);
-+ return(NULL);
- }
-
- /**
---- libxml2-2.7.8/hash.c 2010-10-12 08:25:32.000000000 +0200
-+++ libxml2-2.7.8.patched/hash.c 2012-09-28 12:08:37.392414663 +0200
-@@ -3,7 +3,7 @@
- *
- * Reference: Your favorite introductory book on algorithms
- *
-- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard.
-+ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -21,6 +21,22 @@
- #include "libxml.h"
-
- #include <string.h>
-+#ifdef HAVE_STDLIB_H
-+#include <stdlib.h>
-+#endif
-+#ifdef HAVE_TIME_H
-+#include <time.h>
-+#endif
-+
-+/*
-+ * Following http://www.ocert.org/advisories/ocert-2011-003.html
-+ * it seems that having hash randomization might be a good idea
-+ * when using XML with untrusted data
-+ */
-+#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
-+#define HASH_RANDOMIZATION
-+#endif
-+
- #include <libxml/parser.h>
- #include <libxml/hash.h>
- #include <libxml/xmlmemory.h>
-@@ -31,6 +47,10 @@
-
- /* #define DEBUG_GROW */
-
-+#ifdef HASH_RANDOMIZATION
-+static int hash_initialized = 0;
-+#endif
-+
- /*
- * A single entry in the hash table
- */
-@@ -53,6 +73,9 @@
- int size;
- int nbElems;
- xmlDictPtr dict;
-+#ifdef HASH_RANDOMIZATION
-+ int random_seed;
-+#endif
- };
-
- /*
-@@ -65,6 +88,9 @@
- unsigned long value = 0L;
- char ch;
-
-+#ifdef HASH_RANDOMIZATION
-+ value = table->random_seed;
-+#endif
- if (name != NULL) {
- value += 30 * (*name);
- while ((ch = *name++) != 0) {
-@@ -92,6 +118,9 @@
- unsigned long value = 0L;
- char ch;
-
-+#ifdef HASH_RANDOMIZATION
-+ value = table->random_seed;
-+#endif
- if (prefix != NULL)
- value += 30 * (*prefix);
- else
-@@ -156,6 +185,13 @@
- table->table = xmlMalloc(size * sizeof(xmlHashEntry));
- if (table->table) {
- memset(table->table, 0, size * sizeof(xmlHashEntry));
-+#ifdef HASH_RANDOMIZATION
-+ if (!hash_initialized) {
-+ srand(time(NULL));
-+ hash_initialized = 1;
-+ }
-+ table->random_seed = rand();
-+#endif
- return(table);
- }
- xmlFree(table);
---- libxml2-2.7.8/parser.c 2010-11-04 16:55:45.000000000 +0100
-+++ libxml2-2.7.8.patched/parser.c 2012-09-28 12:08:37.440414665 +0200
-@@ -40,6 +40,7 @@
- #endif
-
- #include <stdlib.h>
-+#include <limits.h>
- #include <string.h>
- #include <stdarg.h>
- #include <libxml/xmlmemory.h>
-@@ -114,10 +115,10 @@
- * parser option.
- */
- static int
--xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
-+xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- xmlEntityPtr ent)
- {
-- unsigned long consumed = 0;
-+ size_t consumed = 0;
-
- if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
- return (0);
-@@ -2580,15 +2581,17 @@
-
- /*
- * Macro used to grow the current buffer.
-+ * buffer##_size is expected to be a size_t
-+ * mem_error: is expected to handle memory allocation failures
- */
- #define growBuffer(buffer, n) { \
- xmlChar *tmp; \
-- buffer##_size *= 2; \
-- buffer##_size += n; \
-- tmp = (xmlChar *) \
-- xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \
-+ size_t new_size = buffer##_size * 2 + n; \
-+ if (new_size < buffer##_size) goto mem_error; \
-+ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
- if (tmp == NULL) goto mem_error; \
- buffer = tmp; \
-+ buffer##_size = new_size; \
- }
-
- /**
-@@ -2614,14 +2617,14 @@
- xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
- int what, xmlChar end, xmlChar end2, xmlChar end3) {
- xmlChar *buffer = NULL;
-- int buffer_size = 0;
-+ size_t buffer_size = 0;
-+ size_t nbchars = 0;
-
- xmlChar *current = NULL;
- xmlChar *rep = NULL;
- const xmlChar *last;
- xmlEntityPtr ent;
- int c,l;
-- int nbchars = 0;
-
- if ((ctxt == NULL) || (str == NULL) || (len < 0))
- return(NULL);
-@@ -2638,7 +2641,7 @@
- * allocate a translation buffer.
- */
- buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
-- buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
-+ buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
- if (buffer == NULL) goto mem_error;
-
- /*
-@@ -2658,7 +2661,7 @@
- if (val != 0) {
- COPY_BUF(0,buffer,nbchars,val);
- }
-- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
-+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
- }
- } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
-@@ -2676,7 +2679,7 @@
- (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
- if (ent->content != NULL) {
- COPY_BUF(0,buffer,nbchars,ent->content[0]);
-- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
-+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
- }
- } else {
-@@ -2693,8 +2696,7 @@
- current = rep;
- while (*current != 0) { /* non input consuming loop */
- buffer[nbchars++] = *current++;
-- if (nbchars >
-- buffer_size - XML_PARSER_BUFFER_SIZE) {
-+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- if (xmlParserEntityCheck(ctxt, nbchars, ent))
- goto int_error;
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
-@@ -2708,8 +2710,8 @@
- const xmlChar *cur = ent->name;
-
- buffer[nbchars++] = '&';
-- if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
-- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
-+ if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
-+ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
- }
- for (;i > 0;i--)
- buffer[nbchars++] = *cur++;
-@@ -2736,8 +2738,7 @@
- current = rep;
- while (*current != 0) { /* non input consuming loop */
- buffer[nbchars++] = *current++;
-- if (nbchars >
-- buffer_size - XML_PARSER_BUFFER_SIZE) {
-+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- if (xmlParserEntityCheck(ctxt, nbchars, ent))
- goto int_error;
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
-@@ -2750,8 +2751,8 @@
- } else {
- COPY_BUF(l,buffer,nbchars,c);
- str += l;
-- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
-- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
-+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
-+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
- }
- }
- if (str < last)
-@@ -3755,8 +3756,8 @@
- xmlChar limit = 0;
- xmlChar *buf = NULL;
- xmlChar *rep = NULL;
-- int len = 0;
-- int buf_size = 0;
-+ size_t len = 0;
-+ size_t buf_size = 0;
- int c, l, in_space = 0;
- xmlChar *current = NULL;
- xmlEntityPtr ent;
-@@ -3778,7 +3779,7 @@
- * allocate a translation buffer.
- */
- buf_size = XML_PARSER_BUFFER_SIZE;
-- buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
-+ buf = (xmlChar *) xmlMallocAtomic(buf_size);
- if (buf == NULL) goto mem_error;
-
- /*
-@@ -3795,7 +3796,7 @@
-
- if (val == '&') {
- if (ctxt->replaceEntities) {
-- if (len > buf_size - 10) {
-+ if (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- buf[len++] = '&';
-@@ -3804,7 +3805,7 @@
- * The reparsing will be done in xmlStringGetNodeList()
- * called by the attribute() function in SAX.c
- */
-- if (len > buf_size - 10) {
-+ if (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- buf[len++] = '&';
-@@ -3814,7 +3815,7 @@
- buf[len++] = ';';
- }
- } else if (val != 0) {
-- if (len > buf_size - 10) {
-+ if (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- len += xmlCopyChar(0, &buf[len], val);
-@@ -3826,7 +3827,7 @@
- ctxt->nbentities += ent->owner;
- if ((ent != NULL) &&
- (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
-- if (len > buf_size - 10) {
-+ if (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- if ((ctxt->replaceEntities == 0) &&
-@@ -3854,7 +3855,7 @@
- current++;
- } else
- buf[len++] = *current++;
-- if (len > buf_size - 10) {
-+ if (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- }
-@@ -3862,7 +3863,7 @@
- rep = NULL;
- }
- } else {
-- if (len > buf_size - 10) {
-+ if (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- if (ent->content != NULL)
-@@ -3890,7 +3891,7 @@
- * Just output the reference
- */
- buf[len++] = '&';
-- while (len > buf_size - i - 10) {
-+ while (len + i + 10 > buf_size) {
- growBuffer(buf, i + 10);
- }
- for (;i > 0;i--)
-@@ -3903,7 +3904,7 @@
- if ((len != 0) || (!normalize)) {
- if ((!normalize) || (!in_space)) {
- COPY_BUF(l,buf,len,0x20);
-- while (len > buf_size - 10) {
-+ while (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- }
-@@ -3912,7 +3913,7 @@
- } else {
- in_space = 0;
- COPY_BUF(l,buf,len,c);
-- if (len > buf_size - 10) {
-+ if (len + 10 > buf_size) {
- growBuffer(buf, 10);
- }
- }
-@@ -3937,7 +3938,18 @@
- }
- } else
- NEXT;
-- if (attlen != NULL) *attlen = len;
-+
-+ /*
-+ * There we potentially risk an overflow, don't allow attribute value of
-+ * lenght more than INT_MAX it is a very reasonnable assumption !
-+ */
-+ if (len >= INT_MAX) {
-+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
-+ "AttValue lenght too long\n");
-+ goto mem_error;
-+ }
-+
-+ if (attlen != NULL) *attlen = (int) len;
- return(buf);
-
- mem_error:
-@@ -4949,7 +4961,8 @@
- (ctxt->sax->processingInstruction != NULL))
- ctxt->sax->processingInstruction(ctxt->userData,
- target, NULL);
-- ctxt->instate = state;
-+ if (ctxt->instate != XML_PARSER_EOF)
-+ ctxt->instate = state;
- return;
- }
- buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
-@@ -5029,7 +5042,8 @@
- } else {
- xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
- }
-- ctxt->instate = state;
-+ if (ctxt->instate != XML_PARSER_EOF)
-+ ctxt->instate = state;
- }
- }
-
-@@ -9588,6 +9602,8 @@
- else
- name = xmlParseStartTag(ctxt);
- #endif /* LIBXML_SAX1_ENABLED */
-+ if (ctxt->instate == XML_PARSER_EOF)
-+ return;
- if (name == NULL) {
- spacePop(ctxt);
- return;
-@@ -10967,6 +10983,8 @@
- else
- name = xmlParseStartTag(ctxt);
- #endif /* LIBXML_SAX1_ENABLED */
-+ if (ctxt->instate == XML_PARSER_EOF)
-+ goto done;
- if (name == NULL) {
- spacePop(ctxt);
- ctxt->instate = XML_PARSER_EOF;
-@@ -11153,7 +11171,9 @@
- else
- xmlParseEndTag1(ctxt, 0);
- #endif /* LIBXML_SAX1_ENABLED */
-- if (ctxt->nameNr == 0) {
-+ if (ctxt->instate == XML_PARSER_EOF) {
-+ /* Nothing */
-+ } else if (ctxt->nameNr == 0) {
- ctxt->instate = XML_PARSER_EPILOG;
- } else {
- ctxt->instate = XML_PARSER_CONTENT;
---- libxml2-2.7.8/xmllint.c 2010-11-03 15:49:11.000000000 +0100
-+++ libxml2-2.7.8.patched/xmllint.c 2012-09-28 12:08:37.436414665 +0200
-@@ -2976,7 +2976,7 @@
- printf("\t--huge : remove any internal arbitrary parser limits\n");
- printf("\t--noent : substitute entity references by their value\n");
- printf("\t--noout : don't output the result tree\n");
-- printf("\t--path 'paths': provide a set of paths for resources\n");
-+ printf("\t--path 'paths' : provide a set of paths for resources\n");
- printf("\t--load-trace : print trace of all external entites loaded\n");
- printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
- printf("\t--nocompact : do not generate compact text nodes\n");
-@@ -3032,7 +3032,7 @@
- printf("\t--catalogs : use SGML catalogs from $SGML_CATALOG_FILES\n");
- printf("\t otherwise XML Catalogs starting from \n");
- printf("\t %s are activated by default\n", XML_XML_DEFAULT_CATALOG);
-- printf("\t--nocatalogs: deactivate all catalogs\n");
-+ printf("\t--nocatalogs : deactivate all catalogs\n");
- #endif
- printf("\t--auto : generate a small doc on the fly\n");
- #ifdef LIBXML_XINCLUDE_ENABLED
---- libxml2-2.7.8/xpath.c 2010-11-03 20:18:27.000000000 +0100
-+++ libxml2-2.7.8.patched/xpath.c 2012-09-28 12:08:37.444414664 +0200
-@@ -252,6 +252,7 @@
- "Encoding error\n",
- "Char out of XML range\n",
- "Invalid or incomplete context\n",
-+ "Stack usage errror\n",
- "?? Unknown error ??\n" /* Must be last in the list! */
- };
- #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \
-@@ -2398,6 +2399,42 @@
- ************************************************************************/
-
- /**
-+ * xmlXPathSetFrame:
-+ * @ctxt: an XPath parser context
-+ *
-+ * Set the callee evaluation frame
-+ *
-+ * Returns the previous frame value to be restored once done
-+ */
-+static int
-+xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
-+ int ret;
-+
-+ if (ctxt == NULL)
-+ return(0);
-+ ret = ctxt->valueFrame;
-+ ctxt->valueFrame = ctxt->valueNr;
-+ return(ret);
-+}
-+
-+/**
-+ * xmlXPathPopFrame:
-+ * @ctxt: an XPath parser context
-+ * @frame: the previous frame value
-+ *
-+ * Remove the callee evaluation frame
-+ */
-+static void
-+xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
-+ if (ctxt == NULL)
-+ return;
-+ if (ctxt->valueNr < ctxt->valueFrame) {
-+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
-+ }
-+ ctxt->valueFrame = frame;
-+}
-+
-+/**
- * valuePop:
- * @ctxt: an XPath evaluation context
- *
-@@ -2412,6 +2449,12 @@
-
- if ((ctxt == NULL) || (ctxt->valueNr <= 0))
- return (NULL);
-+
-+ if (ctxt->valueNr <= ctxt->valueFrame) {
-+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
-+ return (NULL);
-+ }
-+
- ctxt->valueNr--;
- if (ctxt->valueNr > 0)
- ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
-@@ -3522,13 +3565,13 @@
- } else if (cur->nodeNr == cur->nodeMax) {
- xmlNodePtr *temp;
-
-- cur->nodeMax *= 2;
-- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
-+ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
- sizeof(xmlNodePtr));
- if (temp == NULL) {
- xmlXPathErrMemory(NULL, "growing nodeset\n");
- return;
- }
-+ cur->nodeMax *= 2;
- cur->nodeTab = temp;
- }
- cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns);
-@@ -3627,14 +3670,14 @@
- } else if (cur->nodeNr == cur->nodeMax) {
- xmlNodePtr *temp;
-
-- cur->nodeMax *= 2;
-- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
-+ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
- sizeof(xmlNodePtr));
- if (temp == NULL) {
- xmlXPathErrMemory(NULL, "growing nodeset\n");
- return;
- }
- cur->nodeTab = temp;
-+ cur->nodeMax *= 2;
- }
- if (val->type == XML_NAMESPACE_DECL) {
- xmlNsPtr ns = (xmlNsPtr) val;
-@@ -3738,14 +3781,14 @@
- } else if (val1->nodeNr == val1->nodeMax) {
- xmlNodePtr *temp;
-
-- val1->nodeMax *= 2;
-- temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax *
-+ temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 *
- sizeof(xmlNodePtr));
- if (temp == NULL) {
- xmlXPathErrMemory(NULL, "merging nodeset\n");
- return(NULL);
- }
- val1->nodeTab = temp;
-+ val1->nodeMax *= 2;
- }
- if (n2->type == XML_NAMESPACE_DECL) {
- xmlNsPtr ns = (xmlNsPtr) n2;
-@@ -3907,14 +3950,14 @@
- } else if (set1->nodeNr >= set1->nodeMax) {
- xmlNodePtr *temp;
-
-- set1->nodeMax *= 2;
- temp = (xmlNodePtr *) xmlRealloc(
-- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
-+ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
- if (temp == NULL) {
- xmlXPathErrMemory(NULL, "merging nodeset\n");
- return(NULL);
- }
- set1->nodeTab = temp;
-+ set1->nodeMax *= 2;
- }
- if (n2->type == XML_NAMESPACE_DECL) {
- xmlNsPtr ns = (xmlNsPtr) n2;
-@@ -3991,14 +4034,14 @@
- } else if (set1->nodeNr >= set1->nodeMax) {
- xmlNodePtr *temp;
-
-- set1->nodeMax *= 2;
- temp = (xmlNodePtr *) xmlRealloc(
-- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
-+ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
- if (temp == NULL) {
- xmlXPathErrMemory(NULL, "merging nodeset\n");
- return(NULL);
- }
- set1->nodeTab = temp;
-+ set1->nodeMax *= 2;
- }
- set1->nodeTab[set1->nodeNr++] = n2;
- }
-@@ -6154,6 +6197,7 @@
- ret->valueNr = 0;
- ret->valueMax = 10;
- ret->value = NULL;
-+ ret->valueFrame = 0;
-
- ret->context = ctxt;
- ret->comp = comp;
-@@ -11712,6 +11756,7 @@
- xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
- xmlNodePtr oldContextNode, contextNode = NULL;
- xmlXPathContextPtr xpctxt = ctxt->context;
-+ int frame;
-
- #ifdef LIBXML_XPTR_ENABLED
- /*
-@@ -11731,6 +11776,8 @@
- */
- exprOp = &ctxt->comp->steps[op->ch2];
- for (i = 0; i < set->nodeNr; i++) {
-+ xmlXPathObjectPtr tmp;
-+
- if (set->nodeTab[i] == NULL)
- continue;
-
-@@ -11758,18 +11805,25 @@
- xmlXPathNodeSetAddUnique(contextObj->nodesetval,
- contextNode);
-
-+ frame = xmlXPathSetFrame(ctxt);
- valuePush(ctxt, contextObj);
- res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
-+ tmp = valuePop(ctxt);
-+ xmlXPathPopFrame(ctxt, frame);
-
- if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
-- xmlXPathObjectPtr tmp;
-- /* pop the result */
-- tmp = valuePop(ctxt);
-- xmlXPathReleaseObject(xpctxt, tmp);
-- /* then pop off contextObj, which will be freed later */
-- valuePop(ctxt);
-+ while (tmp != contextObj) {
-+ /*
-+ * Free up the result
-+ * then pop off contextObj, which will be freed later
-+ */
-+ xmlXPathReleaseObject(xpctxt, tmp);
-+ tmp = valuePop(ctxt);
-+ }
- goto evaluation_error;
- }
-+ /* push the result back onto the stack */
-+ valuePush(ctxt, tmp);
-
- if (res)
- pos++;
-@@ -13357,6 +13411,7 @@
- xmlGenericError(xmlGenericErrorContext,
- "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n",
- (char *) op->value4, (char *)op->value5);
-+ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
- return (total);
- }
- val = xmlXPathVariableLookupNS(ctxt->context,
-@@ -13373,7 +13428,9 @@
- xmlXPathFunction func;
- const xmlChar *oldFunc, *oldFuncURI;
- int i;
-+ int frame;
-
-+ frame = xmlXPathSetFrame(ctxt);
- if (op->ch1 != -1)
- total +=
- xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
-@@ -13381,15 +13438,18 @@
- xmlGenericError(xmlGenericErrorContext,
- "xmlXPathCompOpEval: parameter error\n");
- ctxt->error = XPATH_INVALID_OPERAND;
-+ xmlXPathPopFrame(ctxt, frame);
- return (total);
- }
-- for (i = 0; i < op->value; i++)
-+ for (i = 0; i < op->value; i++) {
- if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
- xmlGenericError(xmlGenericErrorContext,
- "xmlXPathCompOpEval: parameter error\n");
- ctxt->error = XPATH_INVALID_OPERAND;
-+ xmlXPathPopFrame(ctxt, frame);
- return (total);
- }
-+ }
- if (op->cache != NULL)
- XML_CAST_FPTR(func) = op->cache;
- else {
-@@ -13405,6 +13465,8 @@
- xmlGenericError(xmlGenericErrorContext,
- "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
- (char *)op->value4, (char *)op->value5);
-+ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
-+ xmlXPathPopFrame(ctxt, frame);
- return (total);
- }
- func = xmlXPathFunctionLookupNS(ctxt->context,
-@@ -13426,6 +13488,7 @@
- func(ctxt, op->value);
- ctxt->context->function = oldFunc;
- ctxt->context->functionURI = oldFuncURI;
-+ xmlXPathPopFrame(ctxt, frame);
- return (total);
- }
- case XPATH_OP_ARG:
-@@ -14329,6 +14392,7 @@
- ctxt->valueNr = 0;
- ctxt->valueMax = 10;
- ctxt->value = NULL;
-+ ctxt->valueFrame = 0;
- }
- #ifdef XPATH_STREAMING
- if (ctxt->comp->stream) {
---- libxml2-2.7.8/xpointer.c 2010-10-12 08:25:33.000000000 +0200
-+++ libxml2-2.7.8.patched/xpointer.c 2012-09-28 12:08:37.428414664 +0200
-@@ -1007,21 +1007,14 @@
- NEXT;
- break;
- }
-- *cur++ = CUR;
- } else if (CUR == '(') {
- level++;
-- *cur++ = CUR;
- } else if (CUR == '^') {
-- NEXT;
-- if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
-- *cur++ = CUR;
-- } else {
-- *cur++ = '^';
-- *cur++ = CUR;
-- }
-- } else {
-- *cur++ = CUR;
-+ if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
-+ NEXT;
-+ }
- }
-+ *cur++ = CUR;
- NEXT;
- }
- *cur = 0;
-@@ -1269,6 +1262,7 @@
- ctxt->valueNr = 0;
- ctxt->valueMax = 10;
- ctxt->value = NULL;
-+ ctxt->valueFrame = 0;
- }
- SKIP_BLANKS;
- if (CUR == '/') {
---- libxml2-2.7.8/libxml.h 2010-10-12 08:25:32.000000000 +0200
-+++ libxml2-2.7.8.patched/libxml.h 2012-09-28 12:08:37.432414664 +0200
-@@ -13,6 +13,9 @@
- #ifndef _LARGEFILE_SOURCE
- #define _LARGEFILE_SOURCE
- #endif
-+#ifndef _LARGEFILE64_SOURCE
-+#define _LARGEFILE64_SOURCE
-+#endif
- #ifndef _FILE_OFFSET_BITS
- #define _FILE_OFFSET_BITS 64
- #endif
---- libxml2-2.7.8/include/libxml/xpath.h 2010-10-12 08:25:32.000000000 +0200
-+++ libxml2-2.7.8.patched/include/libxml/xpath.h 2012-09-28 12:08:37.456414665 +0200
-@@ -68,7 +68,8 @@
- XPATH_UNDEF_PREFIX_ERROR,
- XPATH_ENCODING_ERROR,
- XPATH_INVALID_CHAR_ERROR,
-- XPATH_INVALID_CTXT
-+ XPATH_INVALID_CTXT,
-+ XPATH_STACK_ERROR
- } xmlXPathError;
-
- /*
-@@ -380,6 +381,8 @@
- xmlXPathCompExprPtr comp; /* the precompiled expression */
- int xptr; /* it this an XPointer expression */
- xmlNodePtr ancestor; /* used for walking preceding axis */
-+
-+ int valueFrame; /* used to limit Pop on the stack */
- };
-
- /************************************************************************
projects / packages.git / commitdiff