? o
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/textproc/libxml2/Makefile,v
retrieving revision 1.155
diff -u -r1.155 Makefile
--- Makefile	24 Jan 2020 10:40:36 -0000	1.155
+++ Makefile	6 Apr 2020 09:26:54 -0000
@@ -1,7 +1,7 @@
 # $NetBSD: Makefile,v 1.155 2020/01/24 10:40:36 kim Exp $
 
 .include "../../textproc/libxml2/Makefile.common"
-PKGREVISION=	1
+PKGREVISION=	2
 
 COMMENT=	XML parser library from the GNOME project
 LICENSE=	modified-bsd
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/textproc/libxml2/distinfo,v
retrieving revision 1.132
diff -u -r1.132 distinfo
--- distinfo	24 Jan 2020 10:40:36 -0000	1.132
+++ distinfo	6 Apr 2020 09:26:54 -0000
@@ -14,5 +14,10 @@
 SHA1 (patch-python_libxml.py) = 869a72ae5ba2e27e6d46552878890acb22337675
 SHA1 (patch-python_libxml2.py) = 209d105b0f3aedb834091390a7c6819705108e34
 SHA1 (patch-python_setup.py) = 7771fd02ee6779463f1d3321f099d7e6d19cd1b1
+SHA1 (patch-tree.c) = 2a0e46fa1f32c952e46e07e100025e527987658a
 SHA1 (patch-xmlcatalog.c) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
+SHA1 (patch-xmlregexp.c) = 59f313f9a6c9e42b062a88ab395f97be0949940d
+SHA1 (patch-xmlsave.c-1) = d423c76f5e7a64f5b090dc1ae0891f8118cd55a7
+SHA1 (patch-xmlsave.c-2) = 06702aee7cd0886fe767681245538285475483dc
 SHA1 (patch-xmlschemas.c) = edd5be08e7b19ab8e35412b854e95dedbb7befdd
+SHA1 (patch-xpath.c) = ce65c126abc065c3c296c32c4e5d0c415f3e8e69
Index: patches/patch-tree.c
===================================================================
RCS file: patches/patch-tree.c
diff -N patches/patch-tree.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-tree.c	6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,51 @@
+$NetBSD$
+
+Fix CVE-2020-3911
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b.patch
+
+From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jan 2020 15:55:07 +0100
+Subject: [PATCH] Fix integer overflow in xmlBufferResize
+
+Found by OSS-Fuzz.
+---
+ tree.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 0d7fc98c..f43f6de1 100644
+--- tree.c
++++ tree.c
+@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+     if (size < buf->size)
+         return 1;
+ 
++    if (size > UINT_MAX - 10) {
++        xmlTreeErrMemory("growing buffer");
++        return 0;
++    }
++
+     /* figure out new size */
+     switch (buf->alloc){
+ 	case XML_BUFFER_ALLOC_IO:
+ 	case XML_BUFFER_ALLOC_DOUBLEIT:
+ 	    /*take care of empty case*/
+-	    newSize = (buf->size ? buf->size*2 : size + 10);
++	    newSize = (buf->size ? buf->size : size + 10);
+ 	    while (size > newSize) {
+ 	        if (newSize > UINT_MAX / 2) {
+ 	            xmlTreeErrMemory("growing buffer");
+@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+             if (buf->use < BASE_BUFFER_SIZE)
+                 newSize = size;
+             else {
+-                newSize = buf->size * 2;
++                newSize = buf->size;
+                 while (size > newSize) {
+                     if (newSize > UINT_MAX / 2) {
+                         xmlTreeErrMemory("growing buffer");
+-- 
+2.24.1
+
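Review bot: The new guard `if (size > UINT_MAX - 10)` in xmlBufferResize uses an unexplained constant that has to stay in step with the `size + 10` slack computed further down (visible in the DOUBLEIT branch; any other branch that adds the same slack lies outside the hunk). A short comment on the guard would keep the two from drifting apart, for example `/* size + 10 is computed below; reject sizes where that addition would wrap */`. It is also worth noting next to `newSize = buf->size` that the loop's `newSize > UINT_MAX / 2` test now bounds every doubling, since the unconditional `buf->size*2` was removed. The function body starts and ends outside the embedded hunks.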
Index: patches/patch-xmlregexp.c
===================================================================
RCS file: patches/patch-xmlregexp.c
diff -N patches/patch-xmlregexp.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlregexp.c	6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,111 @@
+$NetBSD$
+
+Fix CVE-2020-3910
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/52649b63ebd0dc45df0c5e6b209af6f6d96515ca.patch
+
+From 52649b63ebd0dc45df0c5e6b209af6f6d96515ca Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 2 Jan 2020 14:45:28 +0100
+Subject: [PATCH] Check for overflow when allocating two-dimensional arrays
+
+Found by lgtm.com
+---
+ xmlregexp.c | 46 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/xmlregexp.c b/xmlregexp.c
+index 5a2deb9e..0bd938f7 100644
+--- xmlregexp.c
++++ xmlregexp.c
+@@ -26,6 +26,9 @@
+ #ifdef HAVE_LIMITS_H
+ #include <limits.h>
+ #endif
++#ifdef HAVE_STDINT_H
++#include <stdint.h>
++#endif
+ 
+ #include <libxml/tree.h>
+ #include <libxml/parserInternals.h>
+@@ -36,6 +39,9 @@
+ #ifndef INT_MAX
+ #define INT_MAX 123456789 /* easy to flag and big enough for our needs */
+ #endif
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
+ 
+ /* #define DEBUG_REGEXP_GRAPH */
+ /* #define DEBUG_REGEXP_EXEC */
+@@ -418,6 +424,32 @@ xmlRegexpErrCompile(xmlRegParserCtxtPtr ctxt, const char *extra)
+  ************************************************************************/
+ 
+ static int xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt);
++
++/**
++ * xmlRegCalloc2:
++ * @dim1:  size of first dimension
++ * @dim2:  size of second dimension
++ * @elemSize:  size of element
++ *
++ * Allocate a two-dimensional array and set all elements to zero.
++ *
++ * Returns the new array or NULL in case of error.
++ */
++static void*
++xmlRegCalloc2(size_t dim1, size_t dim2, size_t elemSize) {
++    size_t totalSize;
++    void *ret;
++
++    /* Check for overflow */
++    if (dim1 > SIZE_MAX / dim2 / elemSize)
++        return (NULL);
++    totalSize = dim1 * dim2 * elemSize;
++    ret = xmlMalloc(totalSize);
++    if (ret != NULL)
++        memset(ret, 0, totalSize);
++    return (ret);
++}
++
+ /**
+  * xmlRegEpxFromParse:
+  * @ctxt:  the parser context used to build it
+@@ -540,8 +572,8 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ #ifdef DEBUG_COMPACTION
+ 	printf("Final: %d atoms\n", nbatoms);
+ #endif
+-	transitions = (int *) xmlMalloc((nbstates + 1) *
+-	                                (nbatoms + 1) * sizeof(int));
++	transitions = (int *) xmlRegCalloc2(nbstates + 1, nbatoms + 1,
++                                            sizeof(int));
+ 	if (transitions == NULL) {
+ 	    xmlFree(stateRemap);
+ 	    xmlFree(stringRemap);
+@@ -551,7 +583,6 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ 	    xmlFree(ret);
+ 	    return(NULL);
+ 	}
+-	memset(transitions, 0, (nbstates + 1) * (nbatoms + 1) * sizeof(int));
+ 
+ 	/*
+ 	 * Allocate the transition table. The first entry for each
+@@ -577,12 +608,9 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ 		    continue;
+                 atomno = stringRemap[trans->atom->no];
+ 		if ((trans->atom->data != NULL) && (transdata == NULL)) {
+-		    transdata = (void **) xmlMalloc(nbstates * nbatoms *
+-			                            sizeof(void *));
+-		    if (transdata != NULL)
+-			memset(transdata, 0,
+-			       nbstates * nbatoms * sizeof(void *));
+-		    else {
++		    transdata = (void **) xmlRegCalloc2(nbstates, nbatoms,
++			                                sizeof(void *));
++		    if (transdata == NULL) {
+ 			xmlRegexpErrMemory(ctxt, "compiling regexp");
+ 			break;
+ 		    }
+-- 
+2.24.1
+
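Review bot: xmlRegCalloc2 divides by `dim2` and `elemSize` in its overflow check (`dim1 > SIZE_MAX / dim2 / elemSize`) without first rejecting zero, so a zero dimension causes a division by zero instead of a clean NULL return. The first call site passes `nbstates + 1` and `nbatoms + 1`, but the transdata call passes `nbstates` and `nbatoms` unmodified, and whether those can be zero at that point is not visible in the hunk. Guarding inside the helper is cheap: `if (dim2 == 0 || elemSize == 0 || dim1 > SIZE_MAX / dim2 / elemSize) return (NULL);`. The counts also appear to be int (nbatoms is printed with `%d`), so `nbstates + 1` is evaluated in int before the conversion to size_t. A comment at the call site stating why that addition cannot overflow would complete the picture.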
Index: patches/patch-xmlsave.c-1
===================================================================
RCS file: patches/patch-xmlsave.c-1
diff -N patches/patch-xmlsave.c-1
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlsave.c-1	6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,83 @@
+$NetBSD$
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/42942066e1f6422e26cd162a6014b19ac215083f.patch
+
+From 42942066e1f6422e26cd162a6014b19ac215083f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 11 Nov 2019 13:49:11 +0100
+Subject: [PATCH] Fix memory leaks of encoding handlers in xmlsave.c
+
+Fix leak of iconv/ICU encoding handler in xmlSaveToBuffer.
+
+Fix leaks of iconv/ICU encoding handlers in xmlSaveTo* error paths.
+
+Closes #127.
+---
+ xmlsave.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index fa009153..7158c26b 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -1802,6 +1802,7 @@ xmlSaveToFd(int fd, const char *encoding, int options)
+     if (ret == NULL) return(NULL);
+     ret->buf = xmlOutputBufferCreateFd(fd, ret->handler);
+     if (ret->buf == NULL) {
++        xmlCharEncCloseFunc(ret->handler);
+ 	xmlFreeSaveCtxt(ret);
+ 	return(NULL);
+     }
+@@ -1831,6 +1832,7 @@ xmlSaveToFilename(const char *filename, const char *encoding, int options)
+     ret->buf = xmlOutputBufferCreateFilename(filename, ret->handler,
+                                              compression);
+     if (ret->buf == NULL) {
++        xmlCharEncCloseFunc(ret->handler);
+ 	xmlFreeSaveCtxt(ret);
+ 	return(NULL);
+     }
+@@ -1853,28 +1855,15 @@ xmlSaveCtxtPtr
+ xmlSaveToBuffer(xmlBufferPtr buffer, const char *encoding, int options)
+ {
+     xmlSaveCtxtPtr ret;
+-    xmlOutputBufferPtr out_buff;
+-    xmlCharEncodingHandlerPtr handler;
+ 
+     ret = xmlNewSaveCtxt(encoding, options);
+     if (ret == NULL) return(NULL);
+-
+-    if (encoding != NULL) {
+-        handler = xmlFindCharEncodingHandler(encoding);
+-        if (handler == NULL) {
+-            xmlFree(ret);
+-            return(NULL);
+-        }
+-    } else
+-        handler = NULL;
+-    out_buff = xmlOutputBufferCreateBuffer(buffer, handler);
+-    if (out_buff == NULL) {
+-        xmlFree(ret);
+-        if (handler) xmlCharEncCloseFunc(handler);
+-        return(NULL);
++    ret->buf = xmlOutputBufferCreateBuffer(buffer, ret->handler);
++    if (ret->buf == NULL) {
++        xmlCharEncCloseFunc(ret->handler);
++	xmlFreeSaveCtxt(ret);
++	return(NULL);
+     }
+-
+-    ret->buf = out_buff;
+     return(ret);
+ }
+ 
+@@ -1902,6 +1891,7 @@ xmlSaveToIO(xmlOutputWriteCallback iowrite,
+     if (ret == NULL) return(NULL);
+     ret->buf = xmlOutputBufferCreateIO(iowrite, ioclose, ioctx, ret->handler);
+     if (ret->buf == NULL) {
++        xmlCharEncCloseFunc(ret->handler);
+ 	xmlFreeSaveCtxt(ret);
+ 	return(NULL);
+     }
+-- 
+2.24.1
+
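Review bot: The four added `xmlCharEncCloseFunc(ret->handler);` calls are unconditional, whereas the code removed from xmlSaveToBuffer guarded the same call with `if (handler)`. ret->handler is presumably NULL when no encoding is requested (xmlNewSaveCtxt is outside the hunk), so the new error paths depend on xmlCharEncCloseFunc accepting a NULL handler. Either keep the guard, `if (ret->handler != NULL) xmlCharEncCloseFunc(ret->handler);`, or add a comment stating that a NULL handler is tolerated. The same three-line cleanup now appears in xmlSaveToFd, xmlSaveToFilename, xmlSaveToBuffer and xmlSaveToIO. Closing the handler in one shared place would keep a future xmlSaveTo* variant from reintroducing the leak.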
Index: patches/patch-xmlsave.c-2
===================================================================
RCS file: patches/patch-xmlsave.c-2
diff -N patches/patch-xmlsave.c-2
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlsave.c-2	6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,35 @@
+$NetBSD$
+
+Fix CVE-2020-3909
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/c9faa29259ac23b5fbf945f61056288e413dae81.patch
+
+From c9faa29259ac23b5fbf945f61056288e413dae81 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 2 Jan 2020 14:12:39 +0100
+Subject: [PATCH] Fix overflow check in xmlNodeDump
+
+Store return value of xmlBufNodeDump in a size_t before checking for
+integer overflow.
+
+Found by lgtm.com
+---
+ xmlsave.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index 7158c26b..b06e24d9 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -2187,7 +2187,7 @@ xmlNodeDump(xmlBufferPtr buf, xmlDocPtr doc, xmlNodePtr cur, int level,
+             int format)
+ {
+     xmlBufPtr buffer;
+-    int ret;
++    size_t ret;
+ 
+     if ((buf == NULL) || (cur == NULL))
+         return(-1);
+-- 
+2.24.1
+
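Review bot: Changing `ret` to `size_t` in xmlNodeDump only helps if the later range check and the narrowing back to the function's (presumably int) return value are both explicit, and neither is inside this hunk; the body continues past the last context line. A comment on the declaration would record the intent, e.g. `size_t ret; /* result of xmlBufNodeDump; checked against INT_MAX before being returned as int */`. The embedded patch's index line starts from 7158c26b, which is the result of patch-xmlsave.c-1, so this patch applies only after that one. A line in the pkgsrc patch header saying so would make the ordering dependency visible.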
Index: patches/patch-xpath.c
===================================================================
RCS file: patches/patch-xpath.c
diff -N patches/patch-xpath.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpath.c	6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,80 @@
+$NetBSD$
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/2c80fc911678adc9dcf252b3bc71cce101c8728e.patch
+
+From 2c80fc911678adc9dcf252b3bc71cce101c8728e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 2 Dec 2019 11:30:30 +0100
+Subject: [PATCH] Fix more memory leaks in error paths of XPath parser
+
+Found by OSS-Fuzz.
+---
+ xpath.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index ff1137f0..030bab35 100644
+--- xpath.c
++++ xpath.c
+@@ -10300,8 +10300,10 @@ xmlXPathCompVariableReference(xmlXPathParserContextPtr ctxt) {
+ 	XP_ERROR(XPATH_VARIABLE_REF_ERROR);
+     }
+     ctxt->comp->last = -1;
+-    PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0,
+-	           name, prefix);
++    if (PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0, name, prefix) == -1) {
++        xmlFree(prefix);
++        xmlFree(name);
++    }
+     SKIP_BLANKS;
+     if ((ctxt->context != NULL) && (ctxt->context->flags & XML_XPATH_NOVAR)) {
+ 	XP_ERROR(XPATH_FORBID_VARIABLE_ERROR);
+@@ -10408,8 +10410,10 @@ xmlXPathCompFunctionCall(xmlXPathParserContextPtr ctxt) {
+ 	    SKIP_BLANKS;
+ 	}
+     }
+-    PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0,
+-	           name, prefix);
++    if (PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0, name, prefix) == -1) {
++        xmlFree(prefix);
++        xmlFree(name);
++    }
+     NEXT;
+     SKIP_BLANKS;
+ }
+@@ -11050,7 +11054,7 @@ xmlXPathCompPredicate(xmlXPathParserContextPtr ctxt, int filter) {
+  */
+ static xmlChar *
+ xmlXPathCompNodeTest(xmlXPathParserContextPtr ctxt, xmlXPathTestVal *test,
+-	             xmlXPathTypeVal *type, const xmlChar **prefix,
++	             xmlXPathTypeVal *type, xmlChar **prefix,
+ 		     xmlChar *name) {
+     int blanks;
+ 
+@@ -11281,7 +11285,7 @@ xmlXPathCompStep(xmlXPathParserContextPtr ctxt) {
+ 	SKIP_BLANKS;
+     } else {
+ 	xmlChar *name = NULL;
+-	const xmlChar *prefix = NULL;
++	xmlChar *prefix = NULL;
+ 	xmlXPathTestVal test = (xmlXPathTestVal) 0;
+ 	xmlXPathAxisVal axis = (xmlXPathAxisVal) 0;
+ 	xmlXPathTypeVal type = (xmlXPathTypeVal) 0;
+@@ -11391,9 +11395,11 @@ eval_predicates:
+ 	    PUSH_BINARY_EXPR(XPATH_OP_RANGETO, op2, op1, 0, 0);
+ 	} else
+ #endif
+-	    PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
+-			   test, type, (void *)prefix, (void *)name);
+-
++        if (PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
++                           test, type, (void *)prefix, (void *)name) == -1) {
++            xmlFree(prefix);
++            xmlFree(name);
++        }
+     }
+ #ifdef DEBUG_STEP
+     xmlGenericError(xmlGenericErrorContext, "Step : ");
+-- 
+2.24.1
+
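Review bot: In xmlXPathCompStep the new `if (PUSH_FULL_EXPR(...) == -1) { ... }` sits directly after `} else` and `#endif`, so whether it reads as an `else if` or as a standalone statement depends on a preprocessor condition that opens outside the hunk. Giving the else branch its own braces inside the conditional region would make both configurations read the same and protect against a later edit inserting a statement between them. All three failure branches also leave `name` and `prefix` dangling while the function carries on (`SKIP_BLANKS`, `NEXT`). Nothing visible reads them afterwards, but a comment such as `/* on success the compiled step owns name and prefix; on failure they are still ours to free */` would document the ownership rule the fix relies on.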