? o Index: Makefile =================================================================== RCS file: /cvsroot/pkgsrc/textproc/libxml2/Makefile,v retrieving revision 1.155 diff -u -r1.155 Makefile --- Makefile 24 Jan 2020 10:40:36 -0000 1.155 +++ Makefile 6 Apr 2020 09:26:54 -0000 @@ -1,7 +1,7 @@ # $NetBSD: Makefile,v 1.155 2020/01/24 10:40:36 kim Exp $ .include "../../textproc/libxml2/Makefile.common" -PKGREVISION= 1 +PKGREVISION= 2 COMMENT= XML parser library from the GNOME project LICENSE= modified-bsd Index: distinfo =================================================================== RCS file: /cvsroot/pkgsrc/textproc/libxml2/distinfo,v retrieving revision 1.132 diff -u -r1.132 distinfo --- distinfo 24 Jan 2020 10:40:36 -0000 1.132 +++ distinfo 6 Apr 2020 09:26:54 -0000 @@ -14,5 +14,10 @@ SHA1 (patch-python_libxml.py) = 869a72ae5ba2e27e6d46552878890acb22337675 SHA1 (patch-python_libxml2.py) = 209d105b0f3aedb834091390a7c6819705108e34 SHA1 (patch-python_setup.py) = 7771fd02ee6779463f1d3321f099d7e6d19cd1b1 +SHA1 (patch-tree.c) = 2a0e46fa1f32c952e46e07e100025e527987658a SHA1 (patch-xmlcatalog.c) = d65b7e3be9694147e96ce4bb70a1739e2279ba81 +SHA1 (patch-xmlregexp.c) = 59f313f9a6c9e42b062a88ab395f97be0949940d +SHA1 (patch-xmlsave.c-1) = d423c76f5e7a64f5b090dc1ae0891f8118cd55a7 +SHA1 (patch-xmlsave.c-2) = 06702aee7cd0886fe767681245538285475483dc SHA1 (patch-xmlschemas.c) = edd5be08e7b19ab8e35412b854e95dedbb7befdd +SHA1 (patch-xpath.c) = ce65c126abc065c3c296c32c4e5d0c415f3e8e69 Index: patches/patch-tree.c =================================================================== RCS file: patches/patch-tree.c diff -N patches/patch-tree.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tree.c 6 Apr 2020 09:26:54 -0000 
@@ -0,0 +1,51 @@
+$NetBSD$
+
+Fix CVE-2020-3911
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b.patch
+
+From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Fri, 10 Jan 2020 15:55:07 +0100
+Subject: [PATCH] Fix integer overflow in xmlBufferResize
+
+Found by OSS-Fuzz.
+---
+ tree.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 0d7fc98c..f43f6de1 100644
+--- tree.c
++++ tree.c
+@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (size < buf->size)
+ return 1;
+
++ if (size > UINT_MAX - 10) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++
+ /* figure out new size */
+ switch (buf->alloc){
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ newSize = (buf->size ? buf->size : size + 10);
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+--
+2.24.1
+
Index: patches/patch-xmlregexp.c
===================================================================
RCS file: patches/patch-xmlregexp.c
diff -N patches/patch-xmlregexp.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlregexp.c 6 Apr 2020 09:26:54 -0000
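Review bot: The new guard `if (size > UINT_MAX - 10)` in xmlBufferResize carries no comment tying the constant to the `size + 10` padding used a few lines further down, so a later change to that padding could quietly reintroduce the wrap. I would add `/* size + 10 below must not wrap around UINT_MAX */` directly above the check. The two `newSize` changes drop the initial doubling and rely on the `newSize > UINT_MAX / 2` test inside each loop; the loop bodies and the remaining `switch` cases lie outside the hunks, so that part cannot be confirmed from here.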
@@ -0,0 +1,111 @@
+$NetBSD$
+
+Fix CVE-2020-3910
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/52649b63ebd0dc45df0c5e6b209af6f6d96515ca.patch
+
+From 52649b63ebd0dc45df0c5e6b209af6f6d96515ca Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 2 Jan 2020 14:45:28 +0100
+Subject: [PATCH] Check for overflow when allocating two-dimensional arrays
+
+Found by lgtm.com
+---
+ xmlregexp.c | 46 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/xmlregexp.c b/xmlregexp.c
+index 5a2deb9e..0bd938f7 100644
+--- xmlregexp.c
++++ xmlregexp.c
+@@ -26,6 +26,9 @@
+ #ifdef HAVE_LIMITS_H
+ #include
+ #endif
++#ifdef HAVE_STDINT_H
++#include
++#endif
+
+ #include
+ #include
+@@ -36,6 +39,9 @@
+ #ifndef INT_MAX
+ #define INT_MAX 123456789 /* easy to flag and big enough for our needs */
+ #endif
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
+
+ /* #define DEBUG_REGEXP_GRAPH */
+ /* #define DEBUG_REGEXP_EXEC */
+@@ -418,6 +424,32 @@ xmlRegexpErrCompile(xmlRegParserCtxtPtr ctxt, const char *extra)
+ ************************************************************************/
+
+ static int xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt);
++
++/**
++ * xmlRegCalloc2:
++ * @dim1: size of first dimension
++ * @dim2: size of second dimension
++ * @elemSize: size of element
++ *
++ * Allocate a two-dimensional array and set all elements to zero.
++ *
++ * Returns the new array or NULL in case of error.
++ */
++static void*
++xmlRegCalloc2(size_t dim1, size_t dim2, size_t elemSize) {
++ size_t totalSize;
++ void *ret;
++
++ /* Check for overflow */
++ if (dim1 > SIZE_MAX / dim2 / elemSize)
++ return (NULL);
++ totalSize = dim1 * dim2 * elemSize;
++ ret = xmlMalloc(totalSize);
++ if (ret != NULL)
++ memset(ret, 0, totalSize);
++ return (ret);
++}
++
+ /**
+ * xmlRegEpxFromParse:
+ * @ctxt: the parser context used to build it
+@@ -540,8 +572,8 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ #ifdef DEBUG_COMPACTION
+ printf("Final: %d atoms\n", nbatoms);
+ #endif
+- transitions = (int *) xmlMalloc((nbstates + 1) *
+- (nbatoms + 1) * sizeof(int));
++ transitions = (int *) xmlRegCalloc2(nbstates + 1, nbatoms + 1,
++ sizeof(int));
+ if (transitions == NULL) {
+ xmlFree(stateRemap);
+ xmlFree(stringRemap);
+@@ -551,7 +583,6 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ xmlFree(ret);
+ return(NULL);
+ }
+- memset(transitions, 0, (nbstates + 1) * (nbatoms + 1) * sizeof(int));
+
+ /*
+ * Allocate the transition table. The first entry for each
+@@ -577,12 +608,9 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ continue;
+ atomno = stringRemap[trans->atom->no];
+ if ((trans->atom->data != NULL) && (transdata == NULL)) {
+- transdata = (void **) xmlMalloc(nbstates * nbatoms *
+- sizeof(void *));
+- if (transdata != NULL)
+- memset(transdata, 0,
+- nbstates * nbatoms * sizeof(void *));
+- else {
++ transdata = (void **) xmlRegCalloc2(nbstates, nbatoms,
++ sizeof(void *));
++ if (transdata == NULL) {
+ xmlRegexpErrMemory(ctxt, "compiling regexp");
+ break;
+ }
+--
+2.24.1
+
Index: patches/patch-xmlsave.c-1
===================================================================
RCS file: patches/patch-xmlsave.c-1
diff -N patches/patch-xmlsave.c-1
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlsave.c-1 6 Apr 2020 09:26:54 -0000
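Review bot: In the added helper xmlRegCalloc2, the overflow test `dim1 > SIZE_MAX / dim2 / elemSize` divides by its own arguments, so a zero `dim2` or `elemSize` becomes a division by zero instead of a clean allocation failure. The first call site passes `nbstates + 1` and `nbatoms + 1`, but the second passes `nbstates` and `nbatoms` unchanged, and whether `nbatoms` can be zero at that point is not visible in the hunk. Guarding inside the helper makes it safe for any caller: `if (dim2 == 0 || elemSize == 0 || dim1 > SIZE_MAX / dim2 / elemSize) return (NULL);`. The doc comment should then also say that zero-sized dimensions are rejected.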
@@ -0,0 +1,83 @@
+$NetBSD$
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/42942066e1f6422e26cd162a6014b19ac215083f.patch
+
+From 42942066e1f6422e26cd162a6014b19ac215083f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 11 Nov 2019 13:49:11 +0100
+Subject: [PATCH] Fix memory leaks of encoding handlers in xmlsave.c
+
+Fix leak of iconv/ICU encoding handler in xmlSaveToBuffer.
+
+Fix leaks of iconv/ICU encoding handlers in xmlSaveTo* error paths.
+
+Closes #127.
+---
+ xmlsave.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index fa009153..7158c26b 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -1802,6 +1802,7 @@ xmlSaveToFd(int fd, const char *encoding, int options)
+ if (ret == NULL) return(NULL);
+ ret->buf = xmlOutputBufferCreateFd(fd, ret->handler);
+ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
+ xmlFreeSaveCtxt(ret);
+ return(NULL);
+ }
+@@ -1831,6 +1832,7 @@ xmlSaveToFilename(const char *filename, const char *encoding, int options)
+ ret->buf = xmlOutputBufferCreateFilename(filename, ret->handler,
+ compression);
+ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
+ xmlFreeSaveCtxt(ret);
+ return(NULL);
+ }
+@@ -1853,28 +1855,15 @@ xmlSaveCtxtPtr
+ xmlSaveToBuffer(xmlBufferPtr buffer, const char *encoding, int options)
+ {
+ xmlSaveCtxtPtr ret;
+- xmlOutputBufferPtr out_buff;
+- xmlCharEncodingHandlerPtr handler;
+
+ ret = xmlNewSaveCtxt(encoding, options);
+ if (ret == NULL) return(NULL);
+-
+- if (encoding != NULL) {
+- handler = xmlFindCharEncodingHandler(encoding);
+- if (handler == NULL) {
+- xmlFree(ret);
+- return(NULL);
+- }
+- } else
+- handler = NULL;
+- out_buff = xmlOutputBufferCreateBuffer(buffer, handler);
+- if (out_buff == NULL) {
+- xmlFree(ret);
+- if (handler) xmlCharEncCloseFunc(handler);
+- return(NULL);
++ ret->buf = xmlOutputBufferCreateBuffer(buffer, ret->handler);
++ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
++ xmlFreeSaveCtxt(ret);
++ return(NULL);
+ }
+-
+- ret->buf = out_buff;
+ return(ret);
+ }
+
+@@ -1902,6 +1891,7 @@ xmlSaveToIO(xmlOutputWriteCallback iowrite,
+ if (ret == NULL) return(NULL);
+ ret->buf = xmlOutputBufferCreateIO(iowrite, ioclose, ioctx, ret->handler);
+ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
+ xmlFreeSaveCtxt(ret);
+ return(NULL);
+ }
+--
+2.24.1
+
Index: patches/patch-xmlsave.c-2
===================================================================
RCS file: patches/patch-xmlsave.c-2
diff -N patches/patch-xmlsave.c-2
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlsave.c-2 6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,35 @@
+$NetBSD$
+
+Fix CVE-2020-3909
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/c9faa29259ac23b5fbf945f61056288e413dae81.patch
+
+From c9faa29259ac23b5fbf945f61056288e413dae81 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 2 Jan 2020 14:12:39 +0100
+Subject: [PATCH] Fix overflow check in xmlNodeDump
+
+Store return value of xmlBufNodeDump in a size_t before checking for
+integer overflow.
+
+Found by lgtm.com
+---
+ xmlsave.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index 7158c26b..b06e24d9 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -2187,7 +2187,7 @@ xmlNodeDump(xmlBufferPtr buf, xmlDocPtr doc, xmlNodePtr cur, int level,
+ int format)
+ {
+ xmlBufPtr buffer;
+- int ret;
++ size_t ret;
+
+ if ((buf == NULL) || (cur == NULL))
+ return(-1);
+--
+2.24.1
+
Index: patches/patch-xpath.c
===================================================================
RCS file: patches/patch-xpath.c
diff -N patches/patch-xpath.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpath.c 6 Apr 2020 09:26:54 -0000
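Review bot: The four added `xmlCharEncCloseFunc(ret->handler);` calls in patch-xmlsave.c-1 are unconditional, whereas the removed xmlSaveToBuffer code closed the handler only under `if (handler)`. `ret->handler` is presumably NULL when no encoding is requested, so the new error paths depend on xmlCharEncCloseFunc tolerating a NULL argument; that is not visible in these hunks and should be confirmed, or the guard kept as `if (ret->handler != NULL) xmlCharEncCloseFunc(ret->handler);`. After the close, `ret->handler` still holds the released pointer when `xmlFreeSaveCtxt(ret)` runs, so a short comment stating that xmlFreeSaveCtxt does not release the handler would keep a later change from turning this into a double close. The same applies to the xmlSaveToFd, xmlSaveToFilename and xmlSaveToIO hunks.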
@@ -0,0 +1,80 @@
+$NetBSD$
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/2c80fc911678adc9dcf252b3bc71cce101c8728e.patch
+
+From 2c80fc911678adc9dcf252b3bc71cce101c8728e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 2 Dec 2019 11:30:30 +0100
+Subject: [PATCH] Fix more memory leaks in error paths of XPath parser
+
+Found by OSS-Fuzz.
+---
+ xpath.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index ff1137f0..030bab35 100644
+--- xpath.c
++++ xpath.c
+@@ -10300,8 +10300,10 @@ xmlXPathCompVariableReference(xmlXPathParserContextPtr ctxt) {
+ XP_ERROR(XPATH_VARIABLE_REF_ERROR);
+ }
+ ctxt->comp->last = -1;
+- PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0,
+- name, prefix);
++ if (PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0, name, prefix) == -1) {
++ xmlFree(prefix);
++ xmlFree(name);
++ }
+ SKIP_BLANKS;
+ if ((ctxt->context != NULL) && (ctxt->context->flags & XML_XPATH_NOVAR)) {
+ XP_ERROR(XPATH_FORBID_VARIABLE_ERROR);
+@@ -10408,8 +10410,10 @@ xmlXPathCompFunctionCall(xmlXPathParserContextPtr ctxt) {
+ SKIP_BLANKS;
+ }
+ }
+- PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0,
+- name, prefix);
++ if (PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0, name, prefix) == -1) {
++ xmlFree(prefix);
++ xmlFree(name);
++ }
+ NEXT;
+ SKIP_BLANKS;
+ }
+@@ -11050,7 +11054,7 @@ xmlXPathCompPredicate(xmlXPathParserContextPtr ctxt, int filter) {
+ */
+ static xmlChar *
+ xmlXPathCompNodeTest(xmlXPathParserContextPtr ctxt, xmlXPathTestVal *test,
+- xmlXPathTypeVal *type, const xmlChar **prefix,
++ xmlXPathTypeVal *type, xmlChar **prefix,
+ xmlChar *name) {
+ int blanks;
+
+@@ -11281,7 +11285,7 @@ xmlXPathCompStep(xmlXPathParserContextPtr ctxt) {
+ SKIP_BLANKS;
+ } else {
+ xmlChar *name = NULL;
+- const xmlChar *prefix = NULL;
++ xmlChar *prefix = NULL;
+ xmlXPathTestVal test = (xmlXPathTestVal) 0;
+ xmlXPathAxisVal axis = (xmlXPathAxisVal) 0;
+ xmlXPathTypeVal type = (xmlXPathTypeVal) 0;
+@@ -11391,9 +11395,11 @@ eval_predicates:
+ PUSH_BINARY_EXPR(XPATH_OP_RANGETO, op2, op1, 0, 0);
+ } else
+ #endif
+- PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
+- test, type, (void *)prefix, (void *)name);
+-
++ if (PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
++ test, type, (void *)prefix, (void *)name) == -1) {
++ xmlFree(prefix);
++ xmlFree(name);
++ }
+ }
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext, "Step : ");
+--
+2.24.1
+
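Review bot: In the three new failure branches (`PUSH_LONG_EXPR(...) == -1` in xmlXPathCompVariableReference and xmlXPathCompFunctionCall, `PUSH_FULL_EXPR(...) == -1` in xmlXPathCompStep), `prefix` and `name` are freed but execution falls through to the following statements with both pointers still set. Nothing in the visible lines reads them afterwards, but all three functions continue outside the hunks, so clearing them after the frees (`prefix = NULL; name = NULL;`) would rule out a later double free or use after free. The ownership rule the change depends on is also not written down: a one-line comment at the first branch, such as `/* on failure the expression did not take ownership of name/prefix */`, would explain why `const` was dropped from `prefix`.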