Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock jessie-pu libxml2 in Jessie has CVE-2014-3600 pending to be addressed and this update includes the related regression fix as well. Also, I would like to apply some more upstream memory related patches from 2.9.2, mostly NULL checks, because there are quite a lot deeper issues hiding in libxml2's code base and those fixes shall be deemed beneficial to our support cycle. Regards, Aron Xu
diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog
--- libxml2-2.9.1+dfsg1/debian/changelog 2014-07-09 06:49:45.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/changelog 2015-02-01 13:51:11.000000000 +0800
@@ -1,3 +1,12 @@
+libxml2 (2.9.1+dfsg1-5) testing; urgency=medium
+
+ * Add pkg-config to B-D
+ * Use -O3 for normal builds
+ * Cherry-pick upstream memory related fixes
+ - Including CVE-2014-3660 (Closes: #765722, #768089)
+
+ -- Aron Xu <aron@debian.org> Sun, 01 Feb 2015 13:48:36 +0800
+
libxml2 (2.9.1+dfsg1-4) unstable; urgency=low
[ Christian Svensson ]
diff -Nru libxml2-2.9.1+dfsg1/debian/control libxml2-2.9.1+dfsg1/debian/control
--- libxml2-2.9.1+dfsg1/debian/control 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/control 2015-02-01 13:42:06.000000000 +0800
@@ -4,7 +4,7 @@
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Uploaders: Aron Xu <aron@debian.org>, YunQiang Su <wzssyqa@gmail.com>
Standards-Version: 3.9.5
-Build-Depends: debhelper (>= 9), dh-autoreconf, autotools-dev,
+Build-Depends: debhelper (>= 9), dh-autoreconf, autotools-dev, pkg-config,
libpython-all-dev, libpython-all-dbg,
python-all-dev:any (>= 2.7.5-5~), python-all-dbg:any,
zlib1g-dev | libz-dev, liblzma-dev
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch 2014-07-09 05:31:33.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0001-modify-xml2-config-and-pkgconfig-behaviour.patch 2015-02-01 13:50:27.000000000 +0800
@@ -3,11 +3,11 @@
Subject: modify xml2-config and pkgconfig behaviour
---
- configure.in | 2 +-
- libxml-2.0-uninstalled.pc.in | 3 ++-
- libxml-2.0.pc.in | 2 +-
- xml2-config.1 | 4 ++++
- xml2-config.in | 22 ++++++++++------------
+ configure.in | 2 +-
+ libxml-2.0-uninstalled.pc.in | 3 ++-
+ libxml-2.0.pc.in | 2 +-
+ xml2-config.1 | 4 ++++
+ xml2-config.in | 22 ++++++++++------------
5 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/configure.in b/configure.in
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0002-fix-python-multiarch-includes.patch 2015-02-01 13:50:27.000000000 +0800
@@ -3,8 +3,8 @@
Subject: fix python multiarch includes
---
- python/Makefile.am | 2 +-
- python/Makefile.in | 2 +-
+ python/Makefile.am | 2 +-
+ python/Makefile.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/Makefile.am b/python/Makefile.am
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0003-Fix-an-error-in-xmlCleanupParser.patch 2015-02-01 13:50:27.000000000 +0800
@@ -8,7 +8,7 @@
xmlResetLastError() but the later reallocate the global
data freed by previous call. Just swap the two calls.
---
- parser.c | 2 +-
+ parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0004-Fix-missing-break-on-last-function-for-attributes.patch 2015-02-01 13:50:27.000000000 +0800
@@ -4,7 +4,7 @@
pointed out by cppcheck
---
- python/libxml.c | 1 +
+ python/libxml.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/python/libxml.c b/python/libxml.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0005-xmllint-memory-should-fail-on-empty-files.patch 2015-02-01 13:50:27.000000000 +0800
@@ -5,7 +5,7 @@
Exposed by https://bugzilla.gnome.org/show_bug.cgi?id=699896
when doing analysis but a priori unrelated.
---
- xmllint.c | 5 ++++-
+ xmllint.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/xmllint.c b/xmllint.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0006-properly-quote-the-namespace-uris-written-out-during.patch 2015-02-01 13:50:27.000000000 +0800
@@ -3,7 +3,7 @@
Subject: properly quote the namespace uris written out during c14n
---
- c14n.c | 9 +++++----
+ c14n.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/c14n.c b/c14n.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch 2015-02-01 13:50:27.000000000 +0800
@@ -8,7 +8,7 @@
slightly when encountering CR/LF, which led to a bug when
parsing document with non-ascii Names
---
- parser.c | 6 +++++-
+ parser.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0008-missing-else-in-xlink.c.patch 2015-02-01 13:50:27.000000000 +0800
@@ -4,7 +4,7 @@
Obviously forgotten
---
- xlink.c | 2 +-
+ xlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xlink.c b/xlink.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0009-Catch-malloc-error-and-exit-accordingly.patch 2015-02-01 13:50:27.000000000 +0800
@@ -4,7 +4,7 @@
As pointed privately by Bill Parker <wp02855@gmail.com>
---
- xmllint.c | 4 ++++
+ xmllint.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xmllint.c b/xmllint.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0010-Fix-handling-of-mmap-errors.patch 2015-02-01 13:50:27.000000000 +0800
@@ -6,7 +6,7 @@
as raised by Gaurav <ya1gaurav@gmail.com>
---
- xmllint.c | 13 +++++++++++--
+ xmllint.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/xmllint.c b/xmllint.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0011-Avoid-crash-if-allocation-fails.patch 2015-02-01 13:50:27.000000000 +0800
@@ -5,7 +5,7 @@
https://bugzilla.gnome.org/show_bug.cgi?id=704527
xmlSchemaNewValue() may fail on OOM error
---
- xmlschemastypes.c | 4 ++++
+ xmlschemastypes.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0012-Fix-a-possible-NULL-dereference.patch 2015-02-01 13:50:27.000000000 +0800
@@ -6,7 +6,7 @@
In case of allocation error the pointer was dereferenced before the
test for a failure
---
- SAX2.c | 4 ++--
+ SAX2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SAX2.c b/SAX2.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0013-Clear-up-a-potential-NULL-dereference.patch 2015-02-01 13:50:27.000000000 +0800
@@ -7,7 +7,7 @@
if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought
to be zero but it's better to clarify the check in the code directly.
---
- parserInternals.c | 3 ++-
+ parserInternals.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/parserInternals.c b/parserInternals.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0014-Fix-XPath-optimization-with-predicates.patch 2015-02-01 13:50:27.000000000 +0800
@@ -6,7 +6,7 @@
regression reported in bug #695699. This commit disables the
optimization for expressions of the form '//foo[predicate]'.
---
- xpath.c | 5 +++--
+ xpath.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/xpath.c b/xpath.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0015-xmllint-pretty-crashed-without-following-numeric-arg.patch 2015-02-01 13:50:27.000000000 +0800
@@ -6,7 +6,7 @@
We need to check for NULL argument before calling atoi()
---
- xmllint.c | 12 +++++++-----
+ xmllint.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/xmllint.c b/xmllint.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0016-Fix-potential-NULL-pointer-dereferences-in-regexp-co.patch 2015-02-01 13:50:27.000000000 +0800
@@ -6,7 +6,7 @@
Fix 3 cases where we might dereference NULL
---
- xmlregexp.c | 8 +++++---
+ xmlregexp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/xmlregexp.c b/xmlregexp.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0017-Fix-a-potential-NULL-dereference-in-tree-code.patch 2015-02-01 13:50:27.000000000 +0800
@@ -7,7 +7,7 @@
Also reported by Gaurav, simple fix to check the pointer before
dereference
---
- tree.c | 3 ++-
+ tree.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tree.c b/tree.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0018-Fix-pointer-dereferenced-before-null-check.patch 2015-02-01 13:50:27.000000000 +0800
@@ -7,7 +7,7 @@
xmlValidateElementContent is a private function but should still
check the ctxt argument before dereferencing
---
- valid.c | 2 +-
+ valid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/valid.c b/valid.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0019-Fix-a-bug-loading-some-compressed-files.patch 2015-02-01 13:50:27.000000000 +0800
@@ -13,7 +13,7 @@
xz_avail which uses the state->strm stream info. This causes gz_next4 to
signal a premature EOF if the data it is fetching crosses a 1024 byte boundary.
---
- xzlib.c | 26 ++++++++++++++++++++++----
+ xzlib.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/xzlib.c b/xzlib.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0020-Avoid-a-possibility-of-dangling-encoding-handler.patch 2015-02-01 13:50:27.000000000 +0800
@@ -11,7 +11,7 @@
hanldlers[i] as dangling. This may lead to crash issues at places where
handlers is read.
---
- encoding.c | 16 ++++++++++++++--
+ encoding.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/encoding.c b/encoding.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0021-Fix-a-couple-of-missing-NULL-checks.patch 2015-02-01 13:50:27.000000000 +0800
@@ -4,7 +4,7 @@
For https://bugzilla.gnome.org/show_bug.cgi?id=708681
---
- tree.c | 2 ++
+ tree.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tree.c b/tree.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0022-adding-init-calls-to-xml-and-html-Read-parsing-entry.patch 2015-02-01 13:50:27.000000000 +0800
@@ -6,8 +6,8 @@
some call had it other didn't, clean it up and add to all missing
ones
---
- HTMLparser.c | 6 ++++++
- parser.c | 10 ++++++++++
+ HTMLparser.c | 6 ++++++
+ parser.c | 10 ++++++++++
2 files changed, 16 insertions(+)
diff --git a/HTMLparser.c b/HTMLparser.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0023-Handling-of-XPath-function-arguments-in-error-case.patch 2015-02-01 13:50:27.000000000 +0800
@@ -14,7 +14,7 @@
* Bail out early when evaluation of XPath function arguments fails.
* Make sure that there are 'nargs' arguments in the current call frame.
---
- xpath.c | 9 +++++++--
+ xpath.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/xpath.c b/xpath.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0024-Missing-initialization-for-the-catalog-module.patch 2015-02-01 13:50:27.000000000 +0800
@@ -3,7 +3,7 @@
Subject: Missing initialization for the catalog module
---
- parser.c | 3 +++
+ parser.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/parser.c b/parser.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0025-Fix-an-fd-leak-in-an-error-case.patch 2015-02-01 13:50:27.000000000 +0800
@@ -3,7 +3,7 @@
Subject: Fix an fd leak in an error case
---
- catalog.c | 5 +++++
+ catalog.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/catalog.c b/catalog.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0026-fixing-a-ptotential-uninitialized-access.patch 2015-02-01 13:50:27.000000000 +0800
@@ -3,7 +3,7 @@
Subject: fixing a ptotential uninitialized access
---
- valid.c | 2 +-
+ valid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/valid.c b/valid.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0027-Fix-xmlTextWriterWriteElement-when-a-null-content-is.patch 2015-02-01 13:50:27.000000000 +0800
@@ -3,7 +3,7 @@
Subject: Fix xmlTextWriterWriteElement when a null content is given
---
- xmlwriter.c | 10 ++++++----
+ xmlwriter.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/xmlwriter.c b/xmlwriter.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0028-Avoid-a-possible-NULL-pointer-dereference.patch 2015-02-01 13:50:27.000000000 +0800
@@ -4,7 +4,7 @@
For https://bugzilla.gnome.org/show_bug.cgi?id=708355
---
- xmlmodule.c | 2 +-
+ xmlmodule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xmlmodule.c b/xmlmodule.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0029-Do-not-fetch-external-parameter-entities.patch 2015-02-01 13:50:27.000000000 +0800
@@ -5,7 +5,7 @@
Unless explicitely asked for when validating or replacing entities
with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com>
---
- parser.c | 14 ++++++++++++++
+ parser.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/parser.c b/parser.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch 2015-02-01 13:50:27.000000000 +0800
@@ -5,7 +5,7 @@
Fix a use before check on pointer
For https://bugzilla.gnome.org/show_bug.cgi?id=729849
---
- xmlmemory.c | 6 ++++--
+ xmlmemory.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xmlmemory.c b/xmlmemory.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0031-xmllint-was-not-parsing-the-c14n11-flag.patch 2015-02-01 13:50:27.000000000 +0800
@@ -1,10 +1,10 @@
-From: =?UTF-8?q?S=C3=A9rgio=20Batista?= <mail@se.rg.io>
+From: =?utf-8?q?S=C3=A9rgio_Batista?= <mail@se.rg.io>
Date: Mon, 9 Jun 2014 22:10:15 +0800
Subject: xmllint was not parsing the --c14n11 flag
Cut and paste error, using the wrong variable
---
- xmllint.c | 2 +-
+ xmllint.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xmllint.c b/xmllint.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch 2015-02-01 13:50:27.000000000 +0800
@@ -8,7 +8,7 @@
https://bugzilla.gnome.org/show_bug.cgi?id=730290
and other reports on list, off-list and on Red Hat bugzilla
---
- parser.c | 13 +++++++++++--
+ parser.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/parser.c b/parser.c
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0033-Adding-some-missing-NULL-checks.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,57 @@
+From: Gaurav <g.gupta@samsung.com>
+Date: Fri, 13 Jun 2014 14:45:20 +0800
+Subject: Adding some missing NULL checks
+
+in SAX2 DOM building code and in the HTML parser
+---
+ HTMLparser.c | 4 ++--
+ SAX2.c | 9 +++++++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 44c1a3c..79b1adf 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3671,13 +3671,13 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) {
+ int i;
+ int discardtag = 0;
+
+- if (ctxt->instate == XML_PARSER_EOF)
+- return(-1);
+ if ((ctxt == NULL) || (ctxt->input == NULL)) {
+ htmlParseErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "htmlParseStartTag: context error\n", NULL, NULL);
+ return -1;
+ }
++ if (ctxt->instate == XML_PARSER_EOF)
++ return(-1);
+ if (CUR != '<') return -1;
+ NEXT;
+
+diff --git a/SAX2.c b/SAX2.c
+index 33d167e..76b7158 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -1177,6 +1177,12 @@ xmlSAX2AttributeInternal(void *ctx, const xmlChar *fullname,
+ val = xmlStringDecodeEntities(ctxt, value, XML_SUBSTITUTE_REF,
+ 0,0,0);
+ ctxt->depth--;
++ if (val == NULL) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2StartElement");
++ if (name != NULL)
++ xmlFree(name);
++ return;
++ }
+ } else {
+ val = (xmlChar *) value;
+ }
+@@ -2570,6 +2576,9 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len)
+ (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ lastChild->content = xmlStrdup(lastChild->content);
+ }
++ if (lastChild->content == NULL) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
++ }
+ if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node");
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,27 @@
+From: Dennis Filder <d.filder@web.de>
+Date: Fri, 13 Jun 2014 14:56:14 +0800
+Subject: xmlSaveUri() incorrectly recomposes URIs with rootless paths
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=731063
+
+xmlSaveUri() of libxml2 (snapshot 2014-05-31 and earlier) returns
+bogus values when called with URIs that have rootless paths
+(e.g. "urx:b:b" becomes "urx://b%3Ab" where "urx:b%3Ab" would be
+correct)
+---
+ uri.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/uri.c b/uri.c
+index 4ab0ce2..d4dcd2f 100644
+--- a/uri.c
++++ b/uri.c
+@@ -1194,8 +1194,6 @@ xmlSaveUri(xmlURIPtr uri) {
+ if (temp == NULL) goto mem_error;
+ ret = temp;
+ }
+- ret[len++] = '/';
+- ret[len++] = '/';
+ }
+ if (uri->path != NULL) {
+ p = uri->path;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0035-Adding-a-check-in-case-of-allocation-error.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,28 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Mon, 14 Jul 2014 16:01:10 +0800
+Subject: Adding a check in case of allocation error
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733043
+
+There is missing Null condition in xmlRelaxNGValidateInterleave of
+relaxng.c
+Dereferencing it may cause a crash.
+---
+ relaxng.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/relaxng.c b/relaxng.c
+index 370e314..3d8524d 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -9409,6 +9409,10 @@ xmlRelaxNGValidateInterleave(xmlRelaxNGValidCtxtPtr ctxt,
+ oldstate = ctxt->state;
+ for (i = 0; i < nbgroups; i++) {
+ ctxt->state = xmlRelaxNGCopyValidState(ctxt, oldstate);
++ if (ctxt->state == NULL) {
++ ret = -1;
++ break;
++ }
+ group = partitions->groups[i];
+ if (lasts[i] != NULL) {
+ last = lasts[i]->next;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0036-Add-a-missing-argument-check.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,24 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Mon, 14 Jul 2014 16:08:28 +0800
+Subject: Add a missing argument check
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733042
+
+the states argument of xmlRelaxNGAddStates() ought to be checked too
+---
+ relaxng.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/relaxng.c b/relaxng.c
+index 3d8524d..89fcc4e 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -1095,7 +1095,7 @@ xmlRelaxNGAddStates(xmlRelaxNGValidCtxtPtr ctxt,
+ {
+ int i;
+
+- if (state == NULL) {
++ if (state == NULL || states == NULL) {
+ return (-1);
+ }
+ if (states->nbState >= states->maxState) {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,43 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Mon, 14 Jul 2014 16:14:44 +0800
+Subject: Add a couple of misisng check in xmlRelaxNGCleanupTree
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733041
+
+check cur->parent before dereferencing the pointer even if
+a null parent there should not happen
+Also fix a typo
+---
+ relaxng.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/relaxng.c b/relaxng.c
+index 89fcc4e..33fc71a 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -7346,13 +7346,13 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root)
+ if (ns != NULL)
+ xmlFree(ns);
+ /*
+- * Since we are about to delete cur, if it's nsDef is non-NULL we
++ * Since we are about to delete cur, if its nsDef is non-NULL we
+ * need to preserve it (it contains the ns definitions for the
+ * children we just moved). We'll just stick it on to the end
+ * of cur->parent's list, since it's never going to be re-serialized
+ * (bug 143738).
+ */
+- if (cur->nsDef != NULL) {
++ if ((cur->nsDef != NULL) && (cur->parent != NULL)) {
+ xmlNsPtr parDef = (xmlNsPtr)&cur->parent->nsDef;
+ while (parDef->next != NULL)
+ parDef = parDef->next;
+@@ -7370,7 +7370,8 @@ xmlRelaxNGCleanupTree(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr root)
+ else if ((cur->type == XML_TEXT_NODE) ||
+ (cur->type == XML_CDATA_SECTION_NODE)) {
+ if (IS_BLANK_NODE(cur)) {
+- if (cur->parent->type == XML_ELEMENT_NODE) {
++ if ((cur->parent != NULL) &&
++ (cur->parent->type == XML_ELEMENT_NODE)) {
+ if ((!xmlStrEqual(cur->parent->name, BAD_CAST "value"))
+ &&
+ (!xmlStrEqual
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0038-Fix-a-potential-NULL-dereference.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,29 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 14 Jul 2014 16:39:50 +0800
+Subject: Fix a potential NULL dereference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733040
+
+xmlDictLookup() may return NULL in case of allocation error,
+though very unlikely it need to be checked.
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index ea0ea65..b02333b 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9313,6 +9313,12 @@ reparse:
+ const xmlChar *URL = xmlDictLookup(ctxt->dict, attvalue, len);
+ xmlURIPtr uri;
+
++ if (URL == NULL) {
++ xmlErrMemory(ctxt, "dictionary allocation failure");
++ if ((attvalue != NULL) && (alloc != 0))
++ xmlFree(attvalue);
++ return(NULL);
++ }
+ if (*URL != 0) {
+ uri = xmlParseURI((const char *) URL);
+ if (uri == NULL) {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,21 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 14 Jul 2014 20:29:34 +0800
+Subject: Fix processing in SAX2 in case of an allocation failure
+
+Related to https://bugzilla.gnome.org/show_bug.cgi?id=731360
+---
+ SAX2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/SAX2.c b/SAX2.c
+index 76b7158..791992c 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -2578,6 +2578,7 @@ xmlSAX2Characters(void *ctx, const xmlChar *ch, int len)
+ }
+ if (lastChild->content == NULL) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL");
++ return;
+ }
+ if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) &&
+ ((ctxt->options & XML_PARSE_HUGE) == 0)) {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0040-Avoid-Possible-Null-Pointer-in-trio.c.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,47 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Mon, 14 Jul 2014 21:22:07 +0800
+Subject: Avoid Possible Null Pointer in trio.c
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=730005
+While using assert in libxml2 is really not a good idea, it's
+still better to assert than crash
+---
+ trio.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/trio.c b/trio.c
+index d885db9..1bf99e3 100644
+--- a/trio.c
++++ b/trio.c
+@@ -6418,11 +6418,14 @@ TRIO_ARGS2((self, intPointer),
+ trio_class_t *self,
+ int *intPointer)
+ {
+- FILE *file = (FILE *)self->location;
++ FILE *file;
+
+ assert(VALID(self));
++ assert(VALID(self->location));
+ assert(VALID(file));
+
++ file = (FILE *)self->location;
++
+ self->current = fgetc(file);
+ if (self->current == EOF)
+ {
+@@ -6451,11 +6454,14 @@ TRIO_ARGS2((self, intPointer),
+ trio_class_t *self,
+ int *intPointer)
+ {
+- int fd = *((int *)self->location);
++ int fd;
+ int size;
+ unsigned char input;
+
+ assert(VALID(self));
++ assert(VALID(self->location));
++
++ fd = *((int *)self->location);
+
+ size = read(fd, &input, sizeof(char));
+ if (size == -1)
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,32 @@
+From: David Kilzer <ddkilzer@kilzer.net>
+Date: Mon, 14 Jul 2014 22:29:56 +0800
+Subject: Check for tmon in _xmlSchemaDateAdd() is incorrect
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=732705
+In _xmlSchemaDateAdd(), the check for |tmon| should be the following
+since MAX_DAYINMONTH() expects a month in the range [1,12]:
+
+ if (tmon < 1)
+ tmon = 1;
+
+Regression introduced in
+https://git.gnome.org/browse/libxml2/commit/?id=14b5643947845df089376106517c4f7ba061e4b0
+---
+ xmlschemastypes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index ec403e8..7e1d54a 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -3848,8 +3848,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur)
+ * Coverity detected an overrun in daysInMonth
+ * of size 12 at position 12 with index variable "((r)->mon - 1)"
+ */
+- if (tmon < 0)
+- tmon = 0;
++ if (tmon < 1)
++ tmon = 1;
+ if (tmon > 12)
+ tmon = 12;
+ tempdays += MAX_DAYINMONTH(tyr, tmon);
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,29 @@
+From: Philip Withnall <philip.withnall@collabora.co.uk>
+Date: Fri, 20 Jun 2014 21:03:42 +0100
+Subject: HTMLparser: Correctly initialise a stack allocated structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If not initialised, the ‘node’ member remains undefined.
+
+Coverity issue: #60466
+
+https://bugzilla.gnome.org/show_bug.cgi?id=731990
+---
+ HTMLparser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 79b1adf..4c51cc5 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -4366,7 +4366,7 @@ static void
+ htmlParseElementInternal(htmlParserCtxtPtr ctxt) {
+ const xmlChar *name;
+ const htmlElemDesc * info;
+- htmlParserNodeInfo node_info;
++ htmlParserNodeInfo node_info = { 0, };
+ int failed;
+
+ if ((ctxt == NULL) || (ctxt->input == NULL)) {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,34 @@
+From: Philip Withnall <philip.withnall@collabora.co.uk>
+Date: Fri, 20 Jun 2014 21:05:33 +0100
+Subject: xmlcatalog: Fix a memory leak on quit
+
+Coverity issue: #60442
+
+https://bugzilla.gnome.org/show_bug.cgi?id=731990
+---
+ xmlcatalog.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/xmlcatalog.c b/xmlcatalog.c
+index 43f455a..b9ed6a4 100644
+--- a/xmlcatalog.c
++++ b/xmlcatalog.c
+@@ -181,12 +181,13 @@ static void usershell(void) {
+ /*
+ * start interpreting the command
+ */
+- if (!strcmp(command, "exit"))
+- break;
+- if (!strcmp(command, "quit"))
+- break;
+- if (!strcmp(command, "bye"))
++ if (!strcmp(command, "exit") ||
++ !strcmp(command, "quit") ||
++ !strcmp(command, "bye")) {
++ free(cmdline);
+ break;
++ }
++
+ if (!strcmp(command, "public")) {
+ if (nbargs != 1) {
+ printf("public requires 1 arguments\n");
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0044-xmlschemastypes-Fix-potential-array-overflow.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,28 @@
+From: Philip Withnall <philip.withnall@collabora.co.uk>
+Date: Fri, 20 Jun 2014 21:37:21 +0100
+Subject: xmlschemastypes: Fix potential array overflow
+
+The year and month need validating before being put into the
+MAX_DAYINMONTH macro.
+
+Coverity issue: #60436
+
+https://bugzilla.gnome.org/show_bug.cgi?id=731990
+---
+ xmlschemastypes.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index 7e1d54a..6e8bb70 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -3854,7 +3854,8 @@ _xmlSchemaDateAdd (xmlSchemaValPtr dt, xmlSchemaValPtr dur)
+ tmon = 12;
+ tempdays += MAX_DAYINMONTH(tyr, tmon);
+ carry = -1;
+- } else if (tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) {
++ } else if (VALID_YEAR(r->year) && VALID_MONTH(r->mon) &&
++ tempdays > (long) MAX_DAYINMONTH(r->year, r->mon)) {
+ tempdays = tempdays - MAX_DAYINMONTH(r->year, r->mon);
+ carry = 1;
+ } else
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0045-Add-couple-of-missing-Null-checks.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,49 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Sat, 26 Jul 2014 21:04:54 +0800
+Subject: Add couple of missing Null checks
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=733710
+Reported by Gaurav but with slightly different fixes
+---
+ relaxng.c | 7 ++++++-
+ tree.c | 4 ++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/relaxng.c b/relaxng.c
+index 33fc71a..936f657 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -6655,12 +6655,17 @@ xmlRelaxNGParseDocument(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node)
+ ctxt->define = NULL;
+ if (IS_RELAXNG(node, "grammar")) {
+ schema->topgrammar = xmlRelaxNGParseGrammar(ctxt, node->children);
++ if (schema->topgrammar == NULL) {
++ xmlRelaxNGFree(schema);
++ return (NULL);
++ }
+ } else {
+ xmlRelaxNGGrammarPtr tmp, ret;
+
+ schema->topgrammar = ret = xmlRelaxNGNewGrammar(ctxt);
+ if (schema->topgrammar == NULL) {
+- return (schema);
++ xmlRelaxNGFree(schema);
++ return (NULL);
+ }
+ /*
+ * Link the new grammar in the tree
+diff --git a/tree.c b/tree.c
+index 43c3c57..967c6a4 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4509,6 +4509,10 @@ xmlCopyDoc(xmlDocPtr doc, int recursive) {
+ #ifdef LIBXML_TREE_ENABLED
+ if (doc->intSubset != NULL) {
+ ret->intSubset = xmlCopyDtd(doc->intSubset);
++ if (ret->intSubset == NULL) {
++ xmlFreeDoc(ret);
++ return(NULL);
++ }
+ xmlSetTreeDoc((xmlNodePtr)ret->intSubset, ret);
+ ret->intSubset->parent = ret;
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0046-Couple-of-Missing-Null-checks.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,35 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Thu, 7 Aug 2014 11:19:03 +0800
+Subject: Couple of Missing Null checks
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=734328
+
+Missing Null check could cause crash, if a pointer is dereferenced.
+
+Found problem at two places in valid.c
+---
+ valid.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 114bb72..6255b5b 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1798,6 +1798,7 @@ xmlCopyEnumeration(xmlEnumerationPtr cur) {
+
+ if (cur == NULL) return(NULL);
+ ret = xmlCreateEnumeration((xmlChar *) cur->name);
++ if (ret == NULL) return(NULL);
+
+ if (cur->next != NULL) ret->next = xmlCopyEnumeration(cur->next);
+ else ret->next = NULL;
+@@ -6998,6 +6999,9 @@ xmlValidGetValidElements(xmlNode *prev, xmlNode *next, const xmlChar **names,
+ * Creates a dummy node and insert it into the tree
+ */
+ test_node = xmlNewDocNode (ref_node->doc, NULL, BAD_CAST "<!dummy?>", NULL);
++ if (test_node == NULL)
++ return(-1);
++
+ test_node->parent = parent;
+ test_node->prev = prev;
+ test_node->next = next;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0047-Fix-Enum-check-and-missing-break.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,43 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Mon, 6 Oct 2014 12:24:17 +0800
+Subject: Fix Enum check and missing break
+
+for https://bugzilla.gnome.org/show_bug.cgi?id=737403
+
+In file xmlreader.c
+1. An enum is checked to proper value instead of checking like a boolean.
+2. Missing break statement added.
+---
+ xmlreader.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 00083d0..9620f52 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1427,7 +1427,7 @@ get_next_node:
+ goto node_found;
+ }
+ #ifdef LIBXML_REGEXP_ENABLED
+- if ((reader->validate) && (reader->node->type == XML_ELEMENT_NODE))
++ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node->type == XML_ELEMENT_NODE))
+ xmlTextReaderValidatePop(reader);
+ #endif /* LIBXML_REGEXP_ENABLED */
+ if ((reader->preserves > 0) &&
+@@ -1560,7 +1560,7 @@ node_found:
+ goto get_next_node;
+ }
+ #ifdef LIBXML_REGEXP_ENABLED
+- if ((reader->validate) && (reader->node != NULL)) {
++ if ((reader->validate != XML_TEXTREADER_NOT_VALIDATE) && (reader->node != NULL)) {
+ xmlNodePtr node = reader->node;
+
+ if ((node->type == XML_ELEMENT_NODE) &&
+@@ -1790,6 +1790,7 @@ xmlTextReaderReadString(xmlTextReaderPtr reader)
+ if (xmlTextReaderDoExpand(reader) != -1) {
+ return xmlTextReaderCollectSiblings(node->children);
+ }
++ break;
+ case XML_ATTRIBUTE_NODE:
+ TODO
+ break;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0048-Possible-overflow-in-HTMLParser.c.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,38 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 6 Oct 2014 18:51:04 +0800
+Subject: Possible overflow in HTMLParser.c
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=720615
+
+make sure that the encoding string passed is of reasonable size
+---
+ HTMLparser.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 4c51cc5..8d34fd1 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -6288,12 +6288,16 @@ htmlCreateFileParserCtxt(const char *filename, const char *encoding)
+
+ /* set encoding */
+ if (encoding) {
+- content = xmlMallocAtomic (xmlStrlen(content_line) + strlen(encoding) + 1);
+- if (content) {
+- strcpy ((char *)content, (char *)content_line);
+- strcat ((char *)content, (char *)encoding);
+- htmlCheckEncoding (ctxt, content);
+- xmlFree (content);
++ size_t l = strlen(encoding);
++
++ if (l < 1000) {
++ content = xmlMallocAtomic (xmlStrlen(content_line) + l + 1);
++ if (content) {
++ strcpy ((char *)content, (char *)content_line);
++ strcat ((char *)content, (char *)encoding);
++ htmlCheckEncoding (ctxt, content);
++ xmlFree (content);
++ }
+ }
+ }
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,25 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Mon, 6 Oct 2014 19:28:29 +0800
+Subject: Leak of struct addrinfo in xmlNanoFTPConnect()
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=732352
+
+in case of error condition in IPv6 support, the early return here
+doesn't call freeaddrinfo(result), thus leaking memory.
+---
+ nanoftp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/nanoftp.c b/nanoftp.c
+index 077bfe2..010e0b1 100644
+--- a/nanoftp.c
++++ b/nanoftp.c
+@@ -908,6 +908,8 @@ xmlNanoFTPConnect(void *ctx) {
+ return (-1);
+ }
+ if (tmp->ai_addrlen > sizeof(ctxt->ftpAddr)) {
++ if (result)
++ freeaddrinfo (result);
+ __xmlIOErr(XML_FROM_FTP, 0, "gethostbyname address mismatch");
+ return (-1);
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0050-Pointer-dereferenced-before-null-check.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,61 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 6 Oct 2014 20:07:19 +0800
+Subject: Pointer dereferenced before null check
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=707027
+
+A few pointer dereference before NULL check fixed.
+Removed a useless test
+---
+ xmlreader.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 9620f52..8834f50 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -282,7 +282,10 @@ static void
+ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
+ xmlDictPtr dict;
+
+- dict = reader->ctxt->dict;
++ if ((reader != NULL) && (reader->ctxt != NULL))
++ dict = reader->ctxt->dict;
++ else
++ dict = NULL;
+ if (cur == NULL) return;
+
+ if ((__xmlRegisterCallbacks) && (xmlDeregisterNodeDefaultValue))
+@@ -319,7 +322,7 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
+ static void
+ xmlTextReaderFreePropList(xmlTextReaderPtr reader, xmlAttrPtr cur) {
+ xmlAttrPtr next;
+- if (cur == NULL) return;
++
+ while (cur != NULL) {
+ next = cur->next;
+ xmlTextReaderFreeProp(reader, cur);
+@@ -340,7 +343,10 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) {
+ xmlNodePtr next;
+ xmlDictPtr dict;
+
+- dict = reader->ctxt->dict;
++ if ((reader != NULL) && (reader->ctxt != NULL))
++ dict = reader->ctxt->dict;
++ else
++ dict = NULL;
+ if (cur == NULL) return;
+ if (cur->type == XML_NAMESPACE_DECL) {
+ xmlFreeNsList((xmlNsPtr) cur);
+@@ -417,7 +423,10 @@ static void
+ xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur) {
+ xmlDictPtr dict;
+
+- dict = reader->ctxt->dict;
++ if ((reader != NULL) && (reader->ctxt != NULL))
++ dict = reader->ctxt->dict;
++ else
++ dict = NULL;
+ if (cur->type == XML_DTD_NODE) {
+ xmlFreeDtd((xmlDtdPtr) cur);
+ return;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0051-xpointer-fixing-Null-Pointers.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,110 @@
+From: Gaurav Gupta <g.gupta@samsung.com>
+Date: Tue, 7 Oct 2014 17:09:35 +0800
+Subject: xpointer : fixing Null Pointers
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=738053
+At many places in xpointer.c
+Null check is missing which is dereferenced at later places.
+---
+ xpointer.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/xpointer.c b/xpointer.c
+index 46f11e8..1ae2e53 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1375,6 +1375,8 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) {
+ return(NULL);
+
+ ctxt = xmlXPathNewParserContext(str, ctx);
++ if (ctxt == NULL)
++ return(NULL);
+ ctxt->xptr = 1;
+ xmlXPtrEvalXPointer(ctxt);
+
+@@ -1807,6 +1809,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ */
+ tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval);
+ xmlXPathFreeObject(obj);
++ if (tmp == NULL)
++ XP_ERROR(XPATH_MEMORY_ERROR)
+ obj = tmp;
+ }
+
+@@ -1901,10 +1905,16 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ */
+ tmp = xmlXPtrNewLocationSetNodeSet(obj->nodesetval);
+ xmlXPathFreeObject(obj);
++ if (tmp == NULL)
++ XP_ERROR(XPATH_MEMORY_ERROR)
+ obj = tmp;
+ }
+
+ newset = xmlXPtrLocationSetCreate(NULL);
++ if (newset == NULL) {
++ xmlXPathFreeObject(obj);
++ XP_ERROR(XPATH_MEMORY_ERROR);
++ }
+ oldset = (xmlLocationSetPtr) obj->user;
+ if (oldset != NULL) {
+ int i;
+@@ -2049,6 +2059,8 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ */
+ tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval);
+ xmlXPathFreeObject(set);
++ if (tmp == NULL)
++ XP_ERROR(XPATH_MEMORY_ERROR)
+ set = tmp;
+ }
+ oldset = (xmlLocationSetPtr) set->user;
+@@ -2057,6 +2069,10 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ * The loop is to compute the covering range for each item and add it
+ */
+ newset = xmlXPtrLocationSetCreate(NULL);
++ if (newset == NULL) {
++ xmlXPathFreeObject(set);
++ XP_ERROR(XPATH_MEMORY_ERROR);
++ }
+ for (i = 0;i < oldset->locNr;i++) {
+ xmlXPtrLocationSetAdd(newset,
+ xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
+@@ -2195,6 +2211,8 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ */
+ tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval);
+ xmlXPathFreeObject(set);
++ if (tmp == NULL)
++ XP_ERROR(XPATH_MEMORY_ERROR)
+ set = tmp;
+ }
+ oldset = (xmlLocationSetPtr) set->user;
+@@ -2203,6 +2221,10 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ * The loop is to compute the covering range for each item and add it
+ */
+ newset = xmlXPtrLocationSetCreate(NULL);
++ if (newset == NULL) {
++ xmlXPathFreeObject(set);
++ XP_ERROR(XPATH_MEMORY_ERROR);
++ }
+ for (i = 0;i < oldset->locNr;i++) {
+ xmlXPtrLocationSetAdd(newset,
+ xmlXPtrInsideRange(ctxt, oldset->locTab[i]));
+@@ -2798,6 +2820,10 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+
+ set = valuePop(ctxt);
+ newset = xmlXPtrLocationSetCreate(NULL);
++ if (newset == NULL) {
++ xmlXPathFreeObject(set);
++ XP_ERROR(XPATH_MEMORY_ERROR);
++ }
+ if (set->nodesetval == NULL) {
+ goto error;
+ }
+@@ -2809,6 +2835,8 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ */
+ tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval);
+ xmlXPathFreeObject(set);
++ if (tmp == NULL)
++ XP_ERROR(XPATH_MEMORY_ERROR)
+ set = tmp;
+ }
+ oldset = (xmlLocationSetPtr) set->user;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0052-xmlmemory-handle-realloc-properly.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,39 @@
+From: Yegor Yefremov <yegorslists@googlemail.com>
+Date: Fri, 10 Oct 2014 12:23:09 +0200
+Subject: xmlmemory: handle realloc properly
+
+If realloc fails, free original pointer.
+
+Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
+---
+ xmlmemory.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/xmlmemory.c b/xmlmemory.c
+index 37dcf3b..6110849 100644
+--- a/xmlmemory.c
++++ b/xmlmemory.c
+@@ -313,7 +313,7 @@ xmlMemMalloc(size_t size)
+ void *
+ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ {
+- MEMHDR *p;
++ MEMHDR *p, *tmp;
+ unsigned long number;
+ #ifdef DEBUG_MEMORY
+ size_t oldsize;
+@@ -344,10 +344,12 @@ xmlReallocLoc(void *ptr,size_t size, const char * file, int line)
+ #endif
+ xmlMutexUnlock(xmlMemMutex);
+
+- p = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
+- if (!p) {
++ tmp = (MEMHDR *) realloc(p,RESERVE_SIZE+size);
++ if (!tmp) {
++ free(p);
+ goto error;
+ }
++ p = tmp;
+ if (xmlMemTraceBlockAt == ptr) {
+ xmlGenericError(xmlGenericErrorContext,
+ "%p : Realloced(%lu -> %lu) Ok\n",
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,50 @@
+From: Bart De Schuymer <deschuyb@b-virtual.org>
+Date: Thu, 16 Oct 2014 12:17:20 +0800
+Subject: fix memory leak xml header encoding field with XML_PARSE_IGNORE_ENC
+
+When the xml parser encounters an xml encoding in an xml header while
+configured with option XML_PARSE_IGNORE_ENC, it fails to free memory
+allocated for storing the encoding.
+The patch below fixes this.
+How to reproduce:
+1. Change doc/examples/parse4.c to add xmlCtxtUseOptions(ctxt,
+XML_PARSE_IGNORE_ENC); after the call to xmlCreatePushParserCtxt.
+2. Rebuild
+3. run the following command from the top libxml2 directory:
+LD_LIBRARY_PATH=.libs/ valgrind --leak-check=full
+./doc/examples/.libs/parse4 ./test.xml , where test.xml contains
+following
+input:
+<?xml version="1.0" encoding="UTF-81" ?><hi/>
+valgrind will report:
+==1964== 10 bytes in 1 blocks are definitely lost in loss record 1 of 1
+==1964== at 0x4C272DB: malloc (in
+/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==1964== by 0x4E88497: xmlParseEncName (parser.c:10224)
+==1964== by 0x4E888FE: xmlParseEncodingDecl (parser.c:10295)
+==1964== by 0x4E89630: xmlParseXMLDecl (parser.c:10534)
+==1964== by 0x4E8B737: xmlParseTryOrFinish (parser.c:11293)
+==1964== by 0x4E8E775: xmlParseChunk (parser.c:12283)
+
+Signed-off-by: Bart De Schuymer <bart at amplidata com>
+---
+ parser.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index b02333b..ab69d56 100644
+--- a/parser.c
++++ b/parser.c
+@@ -10338,8 +10338,10 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
+ /*
+ * Non standard parsing, allowing the user to ignore encoding
+ */
+- if (ctxt->options & XML_PARSE_IGNORE_ENC)
+- return(encoding);
++ if (ctxt->options & XML_PARSE_IGNORE_ENC) {
++ xmlFree((xmlChar *) encoding);
++ return(NULL);
++ }
+
+ /*
+ * UTF-16 encoding stwich has already taken place at this stage,
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0054-Fix-for-CVE-2014-3660.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,141 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 16 Oct 2014 13:59:47 +0800
+Subject: Fix for CVE-2014-3660
+
+Issues related to the billion laugh entity expansion which happened to
+escape the initial set of fixes
+---
+ parser.c | 42 ++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index ab69d56..b7f3c03 100644
+--- a/parser.c
++++ b/parser.c
+@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ return (0);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ return (1);
++
++ /*
++ * This may look absurd but is needed to detect
++ * entities problems
++ */
++ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
++ (ent->content != NULL) && (ent->checked == 0)) {
++ unsigned long oldnbent = ctxt->nbentities;
++ xmlChar *rep;
++
++ ent->checked = 1;
++
++ rep = xmlStringDecodeEntities(ctxt, ent->content,
++ XML_SUBSTITUTE_REF, 0, 0, 0);
++
++ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
++ if (rep != NULL) {
++ if (xmlStrchr(rep, '<'))
++ ent->checked |= 1;
++ xmlFree(rep);
++ rep = NULL;
++ }
++ }
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ return (0);
+ } else {
+ /*
+- * strange we got no data for checking just return
++ * strange we got no data for checking
+ */
+- return (0);
++ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
++ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
++ (ctxt->nbentities <= 10000))
++ return (0);
+ }
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return (1);
+@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ name, NULL);
+ ctxt->valid = 0;
+ }
++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
+ } else if (ctxt->input->free != deallocblankswrapper) {
+ input = xmlNewBlanksWrapperInputStream(ctxt, entity);
+ if (xmlPushInput(ctxt, input) < 0)
+@@ -2754,6 +2781,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
+ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+ goto int_error;
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked / 2;
+ if ((ent != NULL) &&
+@@ -2805,6 +2833,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ ent = xmlParseStringPEReference(ctxt, &str);
+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+ goto int_error;
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ if (ent != NULL)
+ ctxt->nbentities += ent->checked / 2;
+ if (ent != NULL) {
+@@ -7307,6 +7336,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ (ret != XML_WAR_UNDECLARED_ENTITY)) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
+ "Entity '%s' failed to parse\n", ent->name);
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ } else if (list != NULL) {
+ xmlFreeNodeList(list);
+ list = NULL;
+@@ -7413,7 +7443,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ /*
+ * We are copying here, make sure there is no abuse
+ */
+- ctxt->sizeentcopy += ent->length;
++ ctxt->sizeentcopy += ent->length + 5;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
+@@ -7461,7 +7491,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ /*
+ * We are copying here, make sure there is no abuse
+ */
+- ctxt->sizeentcopy += ent->length;
++ ctxt->sizeentcopy += ent->length + 5;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
+@@ -7647,6 +7677,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
+ ctxt->sax->reference(ctxt->userData, name);
+ }
+ }
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ ctxt->valid = 0;
+ }
+
+@@ -7840,6 +7871,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
+ "Entity '%s' not defined\n",
+ name);
+ }
++ xmlParserEntityCheck(ctxt, 0, ent, 0);
+ /* TODO ? check regressions ctxt->valid = 0; */
+ }
+
+@@ -7999,6 +8031,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ name, NULL);
+ ctxt->valid = 0;
+ }
++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
+ } else {
+ /*
+ * Internal checking in case the entity quest barfed
+@@ -8238,6 +8271,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
+ name, NULL);
+ ctxt->valid = 0;
+ }
++ xmlParserEntityCheck(ctxt, 0, NULL, 0);
+ } else {
+ /*
+ * Internal checking in case the entity quest barfed
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch
--- libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch 1970-01-01 08:00:00.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch 2015-02-01 13:50:27.000000000 +0800
@@ -0,0 +1,27 @@
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 23 Oct 2014 11:35:36 +0800
+Subject: Fix missing entities after CVE-2014-3660 fix
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=738805
+
+The fix for CVE-2014-3660 introduced a regression in some case
+where entity substitution is required and the entity is used
+first in anotther entity referenced from an attribute value
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b7f3c03..c187327 100644
+--- a/parser.c
++++ b/parser.c
+@@ -7230,7 +7230,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ * far more secure as the parser will only process data coming from
+ * the document entity by default.
+ */
+- if ((ent->checked == 0) &&
++ if (((ent->checked == 0) ||
++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
+ ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+ (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+ unsigned long oldnbent = ctxt->nbentities;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series
--- libxml2-2.9.1+dfsg1/debian/patches/series 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/patches/series 2015-02-01 13:50:27.000000000 +0800
@@ -30,3 +30,26 @@
0030-Avoid-Possible-null-pointer-dereference-in-memory-de.patch
0031-xmllint-was-not-parsing-the-c14n11-flag.patch
0032-Fix-regressions-introduced-by-CVE-2014-0191-patch.patch
+0033-Adding-some-missing-NULL-checks.patch
+0034-xmlSaveUri-incorrectly-recomposes-URIs-with-rootless.patch
+0035-Adding-a-check-in-case-of-allocation-error.patch
+0036-Add-a-missing-argument-check.patch
+0037-Add-a-couple-of-misisng-check-in-xmlRelaxNGCleanupTr.patch
+0038-Fix-a-potential-NULL-dereference.patch
+0039-Fix-processing-in-SAX2-in-case-of-an-allocation-fail.patch
+0040-Avoid-Possible-Null-Pointer-in-trio.c.patch
+0041-Check-for-tmon-in-_xmlSchemaDateAdd-is-incorrect.patch
+0042-HTMLparser-Correctly-initialise-a-stack-allocated-st.patch
+0043-xmlcatalog-Fix-a-memory-leak-on-quit.patch
+0044-xmlschemastypes-Fix-potential-array-overflow.patch
+0045-Add-couple-of-missing-Null-checks.patch
+0046-Couple-of-Missing-Null-checks.patch
+0047-Fix-Enum-check-and-missing-break.patch
+0048-Possible-overflow-in-HTMLParser.c.patch
+0049-Leak-of-struct-addrinfo-in-xmlNanoFTPConnect.patch
+0050-Pointer-dereferenced-before-null-check.patch
+0051-xpointer-fixing-Null-Pointers.patch
+0052-xmlmemory-handle-realloc-properly.patch
+0053-fix-memory-leak-xml-header-encoding-field-with-XML_P.patch
+0054-Fix-for-CVE-2014-3660.patch
+0055-Fix-missing-entities-after-CVE-2014-3660-fix.patch
diff -Nru libxml2-2.9.1+dfsg1/debian/rules libxml2-2.9.1+dfsg1/debian/rules
--- libxml2-2.9.1+dfsg1/debian/rules 2014-07-09 06:46:15.000000000 +0800
+++ libxml2-2.9.1+dfsg1/debian/rules 2015-02-01 13:42:06.000000000 +0800
@@ -11,7 +11,7 @@
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
CC = $(DEB_HOST_GNU_TYPE)-gcc
-CFLAGS = `dpkg-buildflags --get CFLAGS` -Wall
+CFLAGS = `dpkg-buildflags --get CFLAGS` -Wall -O3
LDFLAGS = `dpkg-buildflags --get LDFLAGS` -Wl,--as-needed
CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
Attachment:
signature.asc
Description: Digital signature