? o
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/textproc/libxml2/Makefile,v
retrieving revision 1.155
diff -u -r1.155 Makefile
--- Makefile 24 Jan 2020 10:40:36 -0000 1.155
+++ Makefile 6 Apr 2020 09:26:54 -0000
@@ -1,7 +1,7 @@
# $NetBSD: Makefile,v 1.155 2020/01/24 10:40:36 kim Exp $
.include "../../textproc/libxml2/Makefile.common"
-PKGREVISION= 1
+PKGREVISION= 2
COMMENT= XML parser library from the GNOME project
LICENSE= modified-bsd
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/textproc/libxml2/distinfo,v
retrieving revision 1.132
diff -u -r1.132 distinfo
--- distinfo 24 Jan 2020 10:40:36 -0000 1.132
+++ distinfo 6 Apr 2020 09:26:54 -0000
@@ -14,5 +14,10 @@
SHA1 (patch-python_libxml.py) = 869a72ae5ba2e27e6d46552878890acb22337675
SHA1 (patch-python_libxml2.py) = 209d105b0f3aedb834091390a7c6819705108e34
SHA1 (patch-python_setup.py) = 7771fd02ee6779463f1d3321f099d7e6d19cd1b1
+SHA1 (patch-tree.c) = 2a0e46fa1f32c952e46e07e100025e527987658a
SHA1 (patch-xmlcatalog.c) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
+SHA1 (patch-xmlregexp.c) = 59f313f9a6c9e42b062a88ab395f97be0949940d
+SHA1 (patch-xmlsave.c-1) = d423c76f5e7a64f5b090dc1ae0891f8118cd55a7
+SHA1 (patch-xmlsave.c-2) = 06702aee7cd0886fe767681245538285475483dc
SHA1 (patch-xmlschemas.c) = edd5be08e7b19ab8e35412b854e95dedbb7befdd
+SHA1 (patch-xpath.c) = ce65c126abc065c3c296c32c4e5d0c415f3e8e69
Index: patches/patch-tree.c
===================================================================
RCS file: patches/patch-tree.c
diff -N patches/patch-tree.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tree.c 6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,51 @@
+$NetBSD$
+
+Fix CVE-2020-3911
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b.patch
+
+From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jan 2020 15:55:07 +0100
+Subject: [PATCH] Fix integer overflow in xmlBufferResize
+
+Found by OSS-Fuzz.
+---
+ tree.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 0d7fc98c..f43f6de1 100644
+--- tree.c
++++ tree.c
+@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (size < buf->size)
+ return 1;
+
++ if (size > UINT_MAX - 10) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++
+ /* figure out new size */
+ switch (buf->alloc){
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ newSize = (buf->size ? buf->size : size + 10);
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+--
+2.24.1
+
Index: patches/patch-xmlregexp.c
===================================================================
RCS file: patches/patch-xmlregexp.c
diff -N patches/patch-xmlregexp.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlregexp.c 6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,111 @@
+$NetBSD$
+
+Fix CVE-2020-3910
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/52649b63ebd0dc45df0c5e6b209af6f6d96515ca.patch
+
+From 52649b63ebd0dc45df0c5e6b209af6f6d96515ca Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 2 Jan 2020 14:45:28 +0100
+Subject: [PATCH] Check for overflow when allocating two-dimensional arrays
+
+Found by lgtm.com
+---
+ xmlregexp.c | 46 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/xmlregexp.c b/xmlregexp.c
+index 5a2deb9e..0bd938f7 100644
+--- xmlregexp.c
++++ xmlregexp.c
+@@ -26,6 +26,9 @@
+ #ifdef HAVE_LIMITS_H
+ #include <limits.h>
+ #endif
++#ifdef HAVE_STDINT_H
++#include <stdint.h>
++#endif
+
+ #include <libxml/tree.h>
+ #include <libxml/parserInternals.h>
+@@ -36,6 +39,9 @@
+ #ifndef INT_MAX
+ #define INT_MAX 123456789 /* easy to flag and big enough for our needs */
+ #endif
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
+
+ /* #define DEBUG_REGEXP_GRAPH */
+ /* #define DEBUG_REGEXP_EXEC */
+@@ -418,6 +424,32 @@ xmlRegexpErrCompile(xmlRegParserCtxtPtr ctxt, const char *extra)
+ ************************************************************************/
+
+ static int xmlFAComputesDeterminism(xmlRegParserCtxtPtr ctxt);
++
++/**
++ * xmlRegCalloc2:
++ * @dim1: size of first dimension
++ * @dim2: size of second dimension
++ * @elemSize: size of element
++ *
++ * Allocate a two-dimensional array and set all elements to zero.
++ *
++ * Returns the new array or NULL in case of error.
++ */
++static void*
++xmlRegCalloc2(size_t dim1, size_t dim2, size_t elemSize) {
++ size_t totalSize;
++ void *ret;
++
++ /* Check for overflow */
++ if (dim1 > SIZE_MAX / dim2 / elemSize)
++ return (NULL);
++ totalSize = dim1 * dim2 * elemSize;
++ ret = xmlMalloc(totalSize);
++ if (ret != NULL)
++ memset(ret, 0, totalSize);
++ return (ret);
++}
++
+ /**
+ * xmlRegEpxFromParse:
+ * @ctxt: the parser context used to build it
+@@ -540,8 +572,8 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ #ifdef DEBUG_COMPACTION
+ printf("Final: %d atoms\n", nbatoms);
+ #endif
+- transitions = (int *) xmlMalloc((nbstates + 1) *
+- (nbatoms + 1) * sizeof(int));
++ transitions = (int *) xmlRegCalloc2(nbstates + 1, nbatoms + 1,
++ sizeof(int));
+ if (transitions == NULL) {
+ xmlFree(stateRemap);
+ xmlFree(stringRemap);
+@@ -551,7 +583,6 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ xmlFree(ret);
+ return(NULL);
+ }
+- memset(transitions, 0, (nbstates + 1) * (nbatoms + 1) * sizeof(int));
+
+ /*
+ * Allocate the transition table. The first entry for each
+@@ -577,12 +608,9 @@ xmlRegEpxFromParse(xmlRegParserCtxtPtr ctxt) {
+ continue;
+ atomno = stringRemap[trans->atom->no];
+ if ((trans->atom->data != NULL) && (transdata == NULL)) {
+- transdata = (void **) xmlMalloc(nbstates * nbatoms *
+- sizeof(void *));
+- if (transdata != NULL)
+- memset(transdata, 0,
+- nbstates * nbatoms * sizeof(void *));
+- else {
++ transdata = (void **) xmlRegCalloc2(nbstates, nbatoms,
++ sizeof(void *));
++ if (transdata == NULL) {
+ xmlRegexpErrMemory(ctxt, "compiling regexp");
+ break;
+ }
+--
+2.24.1
+
Index: patches/patch-xmlsave.c-1
===================================================================
RCS file: patches/patch-xmlsave.c-1
diff -N patches/patch-xmlsave.c-1
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlsave.c-1 6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,83 @@
+$NetBSD$
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/42942066e1f6422e26cd162a6014b19ac215083f.patch
+
+From 42942066e1f6422e26cd162a6014b19ac215083f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 11 Nov 2019 13:49:11 +0100
+Subject: [PATCH] Fix memory leaks of encoding handlers in xmlsave.c
+
+Fix leak of iconv/ICU encoding handler in xmlSaveToBuffer.
+
+Fix leaks of iconv/ICU encoding handlers in xmlSaveTo* error paths.
+
+Closes #127.
+---
+ xmlsave.c | 26 ++++++++------------------
+ 1 file changed, 8 insertions(+), 18 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index fa009153..7158c26b 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -1802,6 +1802,7 @@ xmlSaveToFd(int fd, const char *encoding, int options)
+ if (ret == NULL) return(NULL);
+ ret->buf = xmlOutputBufferCreateFd(fd, ret->handler);
+ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
+ xmlFreeSaveCtxt(ret);
+ return(NULL);
+ }
+@@ -1831,6 +1832,7 @@ xmlSaveToFilename(const char *filename, const char *encoding, int options)
+ ret->buf = xmlOutputBufferCreateFilename(filename, ret->handler,
+ compression);
+ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
+ xmlFreeSaveCtxt(ret);
+ return(NULL);
+ }
+@@ -1853,28 +1855,15 @@ xmlSaveCtxtPtr
+ xmlSaveToBuffer(xmlBufferPtr buffer, const char *encoding, int options)
+ {
+ xmlSaveCtxtPtr ret;
+- xmlOutputBufferPtr out_buff;
+- xmlCharEncodingHandlerPtr handler;
+
+ ret = xmlNewSaveCtxt(encoding, options);
+ if (ret == NULL) return(NULL);
+-
+- if (encoding != NULL) {
+- handler = xmlFindCharEncodingHandler(encoding);
+- if (handler == NULL) {
+- xmlFree(ret);
+- return(NULL);
+- }
+- } else
+- handler = NULL;
+- out_buff = xmlOutputBufferCreateBuffer(buffer, handler);
+- if (out_buff == NULL) {
+- xmlFree(ret);
+- if (handler) xmlCharEncCloseFunc(handler);
+- return(NULL);
++ ret->buf = xmlOutputBufferCreateBuffer(buffer, ret->handler);
++ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
++ xmlFreeSaveCtxt(ret);
++ return(NULL);
+ }
+-
+- ret->buf = out_buff;
+ return(ret);
+ }
+
+@@ -1902,6 +1891,7 @@ xmlSaveToIO(xmlOutputWriteCallback iowrite,
+ if (ret == NULL) return(NULL);
+ ret->buf = xmlOutputBufferCreateIO(iowrite, ioclose, ioctx, ret->handler);
+ if (ret->buf == NULL) {
++ xmlCharEncCloseFunc(ret->handler);
+ xmlFreeSaveCtxt(ret);
+ return(NULL);
+ }
+--
+2.24.1
+
Index: patches/patch-xmlsave.c-2
===================================================================
RCS file: patches/patch-xmlsave.c-2
diff -N patches/patch-xmlsave.c-2
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xmlsave.c-2 6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,35 @@
+$NetBSD$
+
+Fix CVE-2020-3909
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/c9faa29259ac23b5fbf945f61056288e413dae81.patch
+
+From c9faa29259ac23b5fbf945f61056288e413dae81 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 2 Jan 2020 14:12:39 +0100
+Subject: [PATCH] Fix overflow check in xmlNodeDump
+
+Store return value of xmlBufNodeDump in a size_t before checking for
+integer overflow.
+
+Found by lgtm.com
+---
+ xmlsave.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index 7158c26b..b06e24d9 100644
+--- xmlsave.c
++++ xmlsave.c
+@@ -2187,7 +2187,7 @@ xmlNodeDump(xmlBufferPtr buf, xmlDocPtr doc, xmlNodePtr cur, int level,
+ int format)
+ {
+ xmlBufPtr buffer;
+- int ret;
++ size_t ret;
+
+ if ((buf == NULL) || (cur == NULL))
+ return(-1);
+--
+2.24.1
+
Index: patches/patch-xpath.c
===================================================================
RCS file: patches/patch-xpath.c
diff -N patches/patch-xpath.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpath.c 6 Apr 2020 09:26:54 -0000
@@ -0,0 +1,80 @@
+$NetBSD$
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/2c80fc911678adc9dcf252b3bc71cce101c8728e.patch
+
+From 2c80fc911678adc9dcf252b3bc71cce101c8728e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 2 Dec 2019 11:30:30 +0100
+Subject: [PATCH] Fix more memory leaks in error paths of XPath parser
+
+Found by OSS-Fuzz.
+---
+ xpath.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index ff1137f0..030bab35 100644
+--- xpath.c
++++ xpath.c
+@@ -10300,8 +10300,10 @@ xmlXPathCompVariableReference(xmlXPathParserContextPtr ctxt) {
+ XP_ERROR(XPATH_VARIABLE_REF_ERROR);
+ }
+ ctxt->comp->last = -1;
+- PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0,
+- name, prefix);
++ if (PUSH_LONG_EXPR(XPATH_OP_VARIABLE, 0, 0, 0, name, prefix) == -1) {
++ xmlFree(prefix);
++ xmlFree(name);
++ }
+ SKIP_BLANKS;
+ if ((ctxt->context != NULL) && (ctxt->context->flags & XML_XPATH_NOVAR)) {
+ XP_ERROR(XPATH_FORBID_VARIABLE_ERROR);
+@@ -10408,8 +10410,10 @@ xmlXPathCompFunctionCall(xmlXPathParserContextPtr ctxt) {
+ SKIP_BLANKS;
+ }
+ }
+- PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0,
+- name, prefix);
++ if (PUSH_LONG_EXPR(XPATH_OP_FUNCTION, nbargs, 0, 0, name, prefix) == -1) {
++ xmlFree(prefix);
++ xmlFree(name);
++ }
+ NEXT;
+ SKIP_BLANKS;
+ }
+@@ -11050,7 +11054,7 @@ xmlXPathCompPredicate(xmlXPathParserContextPtr ctxt, int filter) {
+ */
+ static xmlChar *
+ xmlXPathCompNodeTest(xmlXPathParserContextPtr ctxt, xmlXPathTestVal *test,
+- xmlXPathTypeVal *type, const xmlChar **prefix,
++ xmlXPathTypeVal *type, xmlChar **prefix,
+ xmlChar *name) {
+ int blanks;
+
+@@ -11281,7 +11285,7 @@ xmlXPathCompStep(xmlXPathParserContextPtr ctxt) {
+ SKIP_BLANKS;
+ } else {
+ xmlChar *name = NULL;
+- const xmlChar *prefix = NULL;
++ xmlChar *prefix = NULL;
+ xmlXPathTestVal test = (xmlXPathTestVal) 0;
+ xmlXPathAxisVal axis = (xmlXPathAxisVal) 0;
+ xmlXPathTypeVal type = (xmlXPathTypeVal) 0;
+@@ -11391,9 +11395,11 @@ eval_predicates:
+ PUSH_BINARY_EXPR(XPATH_OP_RANGETO, op2, op1, 0, 0);
+ } else
+ #endif
+- PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
+- test, type, (void *)prefix, (void *)name);
+-
++ if (PUSH_FULL_EXPR(XPATH_OP_COLLECT, op1, ctxt->comp->last, axis,
++ test, type, (void *)prefix, (void *)name) == -1) {
++ xmlFree(prefix);
++ xmlFree(name);
++ }
+ }
+ #ifdef DEBUG_STEP
+ xmlGenericError(xmlGenericErrorContext, "Step : ");
+--
+2.24.1
+