diff options
author | Vlad Glagolev | 2012-05-24 21:56:19 +0400 |
---|---|---|
committer | Vlad Glagolev | 2012-06-01 16:27:36 +0400 |
commit | 30e44e3a99dc6329fe53fb5c4e74ef53879cf967 (patch) | |
tree | 099b396304b6f2cdd48d3c0849e45789d832b79f | |
parent | 42c2c0cba0cda8edad141583c003b9e5a85463d7 (diff) |
libxml2: => 2.8.0
(cherry picked from commit fe54b76870449f3f8f4b5823ca1a913f582f3a41)
-rw-r--r-- | libs/libxml2/CVE-2011-0216.patch | 31 | ||||
-rw-r--r-- | libs/libxml2/CVE-2011-1944.patch | 100 | ||||
-rw-r--r-- | libs/libxml2/CVE-2011-2834.patch | 61 | ||||
-rw-r--r-- | libs/libxml2/CVE-2011-3102.patch | 42 | ||||
-rw-r--r-- | libs/libxml2/CVE-2011-3905.patch | 61 | ||||
-rw-r--r-- | libs/libxml2/CVE-2011-3919.patch | 19 | ||||
-rwxr-xr-x | libs/libxml2/DEPENDS | 11 | ||||
-rwxr-xr-x | libs/libxml2/DETAILS | 5 | ||||
-rw-r--r-- | libs/libxml2/HISTORY | 8 | ||||
-rwxr-xr-x | libs/libxml2/PRE_BUILD | 12 | ||||
-rw-r--r-- | libs/libxml2/libxml2-2.7.8-xpath-freeing.patch | 30 | ||||
-rw-r--r-- | libs/libxml2/libxml2-2.7.8-xpath-freeing2.patch | 26 | ||||
-rw-r--r-- | libs/libxml2/libxml2-2.7.8-xpath-hardening.patch | 223 | ||||
-rw-r--r-- | libs/libxml2/libxml2-2.7.8.patch | 21 |
14 files changed, 18 insertions, 632 deletions
diff --git a/libs/libxml2/CVE-2011-0216.patch b/libs/libxml2/CVE-2011-0216.patch deleted file mode 100644 index dfc99d4dee..0000000000 --- a/libs/libxml2/CVE-2011-0216.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 69f04562f75212bfcabecd190ea8b06ace28ece2 -Author: Daniel Veillard <veillard@redhat.com> -Date: Fri Aug 19 11:05:04 2011 +0800 - - Fix an off by one error in encoding - - this off by one error doesn't seems to reproduce on linux - but the error is real. - -diff --git a/encoding.c b/encoding.c -index d1140bf..fb0c38a 100644 ---- a/encoding.c -+++ b/encoding.c -@@ -1928,7 +1928,7 @@ xmlCharEncFirstLineInt(xmlCharEncodingHandler *handler, xmlBufferPtr out, - if (in == NULL) return(-1); - - /* calculate space available */ -- written = out->size - out->use; -+ written = out->size - out->use - 1; /* count '\0' */ - toconv = in->use; - /* - * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38 -@@ -2059,7 +2059,7 @@ xmlCharEncInFunc(xmlCharEncodingHandler * handler, xmlBufferPtr out, - toconv = in->use; - if (toconv == 0) - return (0); -- written = out->size - out->use; -+ written = out->size - out->use -1; /* count '\0' */ - if (toconv * 2 >= written) { - xmlBufferGrow(out, out->size + toconv * 2); - written = out->size - out->use - 1; diff --git a/libs/libxml2/CVE-2011-1944.patch b/libs/libxml2/CVE-2011-1944.patch deleted file mode 100644 index 62dd5d2296..0000000000 --- a/libs/libxml2/CVE-2011-1944.patch +++ /dev/null @@ -1,100 +0,0 @@ -commit d7958b21e7f8c447a26bb2436f08402b2c308be4 -Author: Chris Evans <scarybeasts@gmail.com> -Date: Wed Mar 23 08:13:06 2011 +0800 - - Fix some potential problems on reallocation failures - - The count was incremented before the allocation - and not fixed in case of failure - * xpath.c: corrects a few instances where the available count of some - structure is updated before we know the allocation actually - succeeds - -diff --git a/xpath.c b/xpath.c -index 8b56189..608fe00 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -3522,13 +3522,13 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) { - } else if (cur->nodeNr == cur->nodeMax) { - xmlNodePtr *temp; - -- cur->nodeMax *= 2; -- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * -+ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 * - sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "growing nodeset\n"); - return; - } -+ cur->nodeMax *= 2; - cur->nodeTab = temp; - } - cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns); -@@ -3627,14 +3627,14 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) { - } else if (cur->nodeNr == cur->nodeMax) { - xmlNodePtr *temp; - -- cur->nodeMax *= 2; -- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * -+ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 * - sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "growing nodeset\n"); - return; - } - cur->nodeTab = temp; -+ cur->nodeMax *= 2; - } - if (val->type == XML_NAMESPACE_DECL) { - xmlNsPtr ns = (xmlNsPtr) val; -@@ -3738,14 +3738,14 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { - } else if (val1->nodeNr == val1->nodeMax) { - xmlNodePtr *temp; - -- val1->nodeMax *= 2; -- temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * -+ temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 * - sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); - return(NULL); - } - val1->nodeTab = temp; -+ val1->nodeMax *= 2; - } - if (n2->type == XML_NAMESPACE_DECL) { - xmlNsPtr ns = (xmlNsPtr) n2; -@@ -3907,14 +3907,14 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2, - } else if (set1->nodeNr >= set1->nodeMax) { - xmlNodePtr *temp; - -- set1->nodeMax *= 2; - temp = (xmlNodePtr *) xmlRealloc( -- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr)); -+ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); - return(NULL); - } - set1->nodeTab = temp; -+ set1->nodeMax *= 2; - } - if (n2->type == XML_NAMESPACE_DECL) { - xmlNsPtr ns = (xmlNsPtr) n2; -@@ -3991,14 +3991,14 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2, - } else if (set1->nodeNr >= set1->nodeMax) { - xmlNodePtr *temp; - -- set1->nodeMax *= 2; - temp = (xmlNodePtr *) xmlRealloc( -- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr)); -+ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); - if (temp == NULL) { - xmlXPathErrMemory(NULL, "merging nodeset\n"); - return(NULL); - } - set1->nodeTab = temp; -+ set1->nodeMax *= 2; - } - set1->nodeTab[set1->nodeNr++] = n2; - } diff --git a/libs/libxml2/CVE-2011-2834.patch b/libs/libxml2/CVE-2011-2834.patch deleted file mode 100644 index cfc61e0c9a..0000000000 --- a/libs/libxml2/CVE-2011-2834.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd -Author: Daniel Veillard <veillard@redhat.com> -Date: Tue Oct 11 16:34:34 2011 +0800 - - Fix missing error status in XPath evaluation - - Started by Chris Evans, I added a few more place where the - error should have been set in the evaluation context. - -diff --git a/xpath.c b/xpath.c -index bcee2ea..d9d902c 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -2485,6 +2485,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) - sizeof(ctxt->valueTab[0])); - if (tmp == NULL) { - xmlGenericError(xmlGenericErrorContext, "realloc failed !\n"); -+ ctxt->error = XPATH_MEMORY_ERROR; - return (0); - } - ctxt->valueMax *= 2; -@@ -9340,6 +9341,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { - if ( (ch & 0xc0) != 0xc0 ) { - xmlGenericError(xmlGenericErrorContext, - "xmlXPathTranslateFunction: Invalid UTF8 string\n"); -+ /* not asserting an XPath error is probably better */ - break; - } - /* then skip over remaining bytes for this char */ -@@ -9347,6 +9349,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { - if ( (*cptr++ & 0xc0) != 0x80 ) { - xmlGenericError(xmlGenericErrorContext, - "xmlXPathTranslateFunction: Invalid UTF8 string\n"); -+ /* not asserting an XPath error is probably better */ - break; - } - if (ch & 0x80) /* must have had error encountered */ -@@ -13410,6 +13413,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - xmlGenericError(xmlGenericErrorContext, - "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n", - (char *) op->value4, (char *)op->value5); -+ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; - return (total); - } - val = xmlXPathVariableLookupNS(ctxt->context, -@@ -13464,6 +13468,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", - (char *)op->value4, (char *)op->value5); - xmlXPathPopFrame(ctxt, frame); -+ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; - return (total); - } - func = xmlXPathFunctionLookupNS(ctxt->context, -@@ -14042,6 +14047,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - } - xmlGenericError(xmlGenericErrorContext, - "XPath: unknown precompiled operation %d\n", op->op); -+ ctxt->error = XPATH_INVALID_OPERAND; - return (total); - } - diff --git a/libs/libxml2/CVE-2011-3102.patch b/libs/libxml2/CVE-2011-3102.patch deleted file mode 100644 index ca3715cc8f..0000000000 --- a/libs/libxml2/CVE-2011-3102.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 39ef0e0c0a73d19d63a731525ce1f9de0c4a7d92 Mon Sep 17 00:00:00 2001 -From: Florian Franzmann <siflfran@hawo.stw.uni-erlangen.de> -Date: Wed, 23 May 2012 09:57:06 +0200 -Subject: [PATCH] fix CVE-2011-3102 - ---- - xpointer.c | 15 ++++----------- - 1 file changed, 4 insertions(+), 11 deletions(-) - -diff --git a/xpointer.c b/xpointer.c -index 37afa3a..d37f0b1 100644 ---- a/xpointer.c -+++ b/xpointer.c -@@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) { - NEXT; - break; - } -- *cur++ = CUR; - } else if (CUR == '(') { - level++; -- *cur++ = CUR; - } else if (CUR == '^') { -- NEXT; -- if ((CUR == ')') || (CUR == '(') || (CUR == '^')) { -- *cur++ = CUR; -- } else { -- *cur++ = '^'; -- *cur++ = CUR; -- } -- } else { -- *cur++ = CUR; -+ if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) { -+ NEXT; -+ } - } -+ *cur++ = CUR; - NEXT; - } - *cur = 0; --- -1.7.10.1 - diff --git a/libs/libxml2/CVE-2011-3905.patch b/libs/libxml2/CVE-2011-3905.patch deleted file mode 100644 index 53373b7da7..0000000000 --- a/libs/libxml2/CVE-2011-3905.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit 77404b8b69bc122d12231807abf1a837d121b551 -Author: Chris Evans <scarybeasts@gmail.com> -Date: Wed Dec 14 16:18:25 2011 +0800 - - Make sure the parser returns when getting a Stop order - - patch backported from chromiun bug fixes, assuming author is Chris - -diff --git a/parser.c b/parser.c -index 21d7aa3..4e5dcb9 100644 ---- a/parser.c -+++ b/parser.c -@@ -4949,7 +4949,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - (ctxt->sax->processingInstruction != NULL)) - ctxt->sax->processingInstruction(ctxt->userData, - target, NULL); -- ctxt->instate = state; -+ if (ctxt->instate != XML_PARSER_EOF) -+ ctxt->instate = state; - return; - } - buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar)); -@@ -5029,7 +5030,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { - } else { - xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL); - } -- ctxt->instate = state; -+ if (ctxt->instate != XML_PARSER_EOF) -+ ctxt->instate = state; - } - } - -@@ -9589,6 +9591,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) { - else - name = xmlParseStartTag(ctxt); - #endif /* LIBXML_SAX1_ENABLED */ -+ if (ctxt->instate == XML_PARSER_EOF) -+ return; - if (name == NULL) { - spacePop(ctxt); - return; -@@ -10975,6 +10979,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { - else - name = xmlParseStartTag(ctxt); - #endif /* LIBXML_SAX1_ENABLED */ -+ if (ctxt->instate == XML_PARSER_EOF) -+ goto done; - if (name == NULL) { - spacePop(ctxt); - ctxt->instate = XML_PARSER_EOF; -@@ -11161,7 +11167,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { - else - xmlParseEndTag1(ctxt, 0); - #endif /* LIBXML_SAX1_ENABLED */ -- if (ctxt->nameNr == 0) { -+ if (ctxt->instate == XML_PARSER_EOF) { -+ /* Nothing */ -+ } else if (ctxt->nameNr == 0) { - ctxt->instate = XML_PARSER_EPILOG; - } else { - ctxt->instate = XML_PARSER_CONTENT; diff --git a/libs/libxml2/CVE-2011-3919.patch b/libs/libxml2/CVE-2011-3919.patch deleted file mode 100644 index b307e57d25..0000000000 --- a/libs/libxml2/CVE-2011-3919.patch +++ /dev/null @@ -1,19 +0,0 @@ -commit 5bd3c061823a8499b27422aee04ea20aae24f03e -Author: Daniel Veillard <veillard@redhat.com> -Date: Fri Dec 16 18:53:35 2011 +0800 - - Fix an allocation error when copying entities - -diff --git a/parser.c b/parser.c -index 4e5dcb9..c55e41d 100644 ---- a/parser.c -+++ b/parser.c -@@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, - - buffer[nbchars++] = '&'; - if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { -- growBuffer(buffer, XML_PARSER_BUFFER_SIZE); -+ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); - } - for (;i > 0;i--) - buffer[nbchars++] = *cur++; diff --git a/libs/libxml2/DEPENDS b/libs/libxml2/DEPENDS index 14e1e4b1de..65e7151fd6 100755 --- a/libs/libxml2/DEPENDS +++ b/libs/libxml2/DEPENDS @@ -1,13 +1,18 @@ optional_depends icu \ - "--with-icu" \ - "--without-icu" \ - "Unicode support" && + "--with-icu" \ + "--without-icu" \ + "Unicode support" && optional_depends zlib \ "--with-zlib=${INSTALL_ROOT}/lib" \ "--without-zlib" \ "to build with zlib support" && +optional_depends xz-utils \ + "--with-lzma=${INSTALL_ROOT}/usr/lib" \ + "--without-lzma" \ + "to build with LZMA support" && + optional_depends python \ "--with-python" \ "--without-python" \ diff --git a/libs/libxml2/DETAILS b/libs/libxml2/DETAILS index c3837e7b52..b094dd4b0a 100755 --- a/libs/libxml2/DETAILS +++ b/libs/libxml2/DETAILS @@ -1,8 +1,7 @@ SPELL=libxml2 - VERSION=2.7.8 - PATCHLEVEL=1 + VERSION=2.8.0 SECURITY_PATCH=7 - SOURCE_HASH=sha512:cb5d88f95feffde6a805a7583306864ad9cc909e958a1044afc6d5864ec480da545343f25c10bba99be59c2344e98d4cd2dcc8a152407a0ce581a51ce214d6bc + SOURCE_HASH=sha512:e36ca96e5ba18f767346f1310c43d3c8c9a35c53252de18ad63ebce7f1f8df7ae40dd0719b2c6d78f5a64e61be154eec63a36ae738d29e93a9139c524a289ad4 SOURCE=$SPELL-$VERSION.tar.gz SOURCE_DIRECTORY="$BUILD_DIRECTORY/$SPELL-$VERSION" SOURCE_URL[0]=ftp://xmlsoft.org/$SPELL/$SOURCE diff --git a/libs/libxml2/HISTORY b/libs/libxml2/HISTORY index c6f9c6f18a..d1aaa7ff5d 100644 --- a/libs/libxml2/HISTORY +++ b/libs/libxml2/HISTORY @@ -1,3 +1,11 @@ +2012-05-24 Vlad Glagolev <stealth@sourcemage.org> + * DETAILS: updated spell to 2.8.0 + * DEPENDS: added xz-utils opt dep for LZMA support + * PRE_BUILD, CVE-2011-0216.patch, CVE-2011-1944.patch, + CVE-2011-2834.patch, CVE-2011-3102.patch, CVE-2011-3905.patch, + CVE-2011-3919.patch, libxml2-2.7.8-xpath-freeing{,2}.patch, + libxml2-2.7.8-xpath-hardening.patch, libxml2-2.7.8.patch: dropped + 2012-05-23 Florian Franzmann <siflfran@hawo.stw.uni-erlangen.de> * PRE_BUILD, CVE-2011-0216.patch, CVE-2011-1944.patch, CVE-2011-2834.patch, diff --git a/libs/libxml2/PRE_BUILD b/libs/libxml2/PRE_BUILD deleted file mode 100755 index bc044af1bb..0000000000 --- a/libs/libxml2/PRE_BUILD +++ /dev/null @@ -1,12 +0,0 @@ -default_pre_build && -cd $SOURCE_DIRECTORY && -patch -p1 < $SPELL_DIRECTORY/libxml2-2.7.8.patch && -patch -p1 < $SPELL_DIRECTORY/libxml2-2.7.8-xpath-freeing.patch && -patch -p1 < $SPELL_DIRECTORY/libxml2-2.7.8-xpath-freeing2.patch && -patch -p1 < $SPELL_DIRECTORY/CVE-2011-1944.patch && -patch -p1 < $SPELL_DIRECTORY/libxml2-2.7.8-xpath-hardening.patch && -patch -p1 < $SPELL_DIRECTORY/CVE-2011-0216.patch && -patch -p1 < $SPELL_DIRECTORY/CVE-2011-2834.patch && -patch -p1 < $SPELL_DIRECTORY/CVE-2011-3905.patch && -patch -p1 < $SPELL_DIRECTORY/CVE-2011-3919.patch && -patch -p1 < $SPELL_DIRECTORY/CVE-2011-3102.patch diff --git a/libs/libxml2/libxml2-2.7.8-xpath-freeing.patch b/libs/libxml2/libxml2-2.7.8-xpath-freeing.patch deleted file mode 100644 index 2844f4a749..0000000000 --- a/libs/libxml2/libxml2-2.7.8-xpath-freeing.patch +++ /dev/null @@ -1,30 +0,0 @@ -commit df83c17e5a2646bd923f75e5e507bc80d73c9722 -Author: Daniel Veillard <veillard@redhat.com> -Date: Wed Nov 17 14:12:14 2010 +0100 - - Fix a potential freeing error in XPath - -diff --git a/xpath.c b/xpath.c -index 81e33f6..1447be5 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, - - if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { - xmlXPathObjectPtr tmp; -- /* pop the result */ -+ /* pop the result if any */ - tmp = valuePop(ctxt); -- xmlXPathReleaseObject(xpctxt, tmp); -- /* then pop off contextObj, which will be freed later */ -- valuePop(ctxt); -+ if (tmp != contextObj) -+ /* -+ * Free up the result -+ * then pop off contextObj, which will be freed later -+ */ -+ xmlXPathReleaseObject(xpctxt, tmp); -+ valuePop(ctxt); - goto evaluation_error; - } - diff --git a/libs/libxml2/libxml2-2.7.8-xpath-freeing2.patch b/libs/libxml2/libxml2-2.7.8-xpath-freeing2.patch deleted file mode 100644 index 714954dba2..0000000000 --- a/libs/libxml2/libxml2-2.7.8-xpath-freeing2.patch +++ /dev/null @@ -1,26 +0,0 @@ -commit fec31bcd452e77c10579467ca87a785b41115de6 -Author: Daniel Veillard <veillard@redhat.com> -Date: Thu Nov 18 11:07:24 2010 +0100 - - Small fix for previous commit - -diff --git a/xpath.c b/xpath.c -index 1447be5..8b56189 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -11765,13 +11765,14 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, - xmlXPathObjectPtr tmp; - /* pop the result if any */ - tmp = valuePop(ctxt); -- if (tmp != contextObj) -+ if (tmp != contextObj) { - /* - * Free up the result - * then pop off contextObj, which will be freed later - */ - xmlXPathReleaseObject(xpctxt, tmp); - valuePop(ctxt); -+ } - goto evaluation_error; - } - diff --git a/libs/libxml2/libxml2-2.7.8-xpath-hardening.patch b/libs/libxml2/libxml2-2.7.8-xpath-hardening.patch deleted file mode 100644 index 7a4ad86597..0000000000 --- a/libs/libxml2/libxml2-2.7.8-xpath-hardening.patch +++ /dev/null @@ -1,223 +0,0 @@ -commit 0f136dcd18c287073a4d67b03fdb9696d7010940 -Author: Daniel Veillard <veillard@redhat.com> -Date: Thu Aug 18 17:10:13 2011 +0800 - - Hardening of XPath evaluation - - Add a mechanism of frame for XPath evaluation when entering a function - or a scoped evaluation, also fix a potential problem in predicate - evaluation. - -diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h -index 1a9e30e..ddd9dd8 100644 ---- a/include/libxml/xpath.h -+++ b/include/libxml/xpath.h -@@ -68,7 +68,8 @@ typedef enum { - XPATH_UNDEF_PREFIX_ERROR, - XPATH_ENCODING_ERROR, - XPATH_INVALID_CHAR_ERROR, -- XPATH_INVALID_CTXT -+ XPATH_INVALID_CTXT, -+ XPATH_STACK_ERROR - } xmlXPathError; - - /* -@@ -380,6 +381,8 @@ struct _xmlXPathParserContext { - xmlXPathCompExprPtr comp; /* the precompiled expression */ - int xptr; /* it this an XPointer expression */ - xmlNodePtr ancestor; /* used for walking preceding axis */ -+ -+ int valueFrame; /* used to limit Pop on the stack */ - }; - - /************************************************************************ -diff --git a/xpath.c b/xpath.c -index b59ac5a..bcee2ea 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = { - "Encoding error\n", - "Char out of XML range\n", - "Invalid or incomplete context\n", -+ "Stack usage errror\n", - "?? Unknown error ??\n" /* Must be last in the list! */ - }; - #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \ -@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) { - ************************************************************************/ - - /** -+ * xmlXPathSetFrame: -+ * @ctxt: an XPath parser context -+ * -+ * Set the callee evaluation frame -+ * -+ * Returns the previous frame value to be restored once done -+ */ -+static int -+xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) { -+ int ret; -+ -+ if (ctxt == NULL) -+ return(0); -+ ret = ctxt->valueFrame; -+ ctxt->valueFrame = ctxt->valueNr; -+ return(ret); -+} -+ -+/** -+ * xmlXPathPopFrame: -+ * @ctxt: an XPath parser context -+ * @frame: the previous frame value -+ * -+ * Remove the callee evaluation frame -+ */ -+static void -+xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) { -+ if (ctxt == NULL) -+ return; -+ if (ctxt->valueNr < ctxt->valueFrame) { -+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); -+ } -+ ctxt->valueFrame = frame; -+} -+ -+/** - * valuePop: - * @ctxt: an XPath evaluation context - * -@@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt) - - if ((ctxt == NULL) || (ctxt->valueNr <= 0)) - return (NULL); -+ -+ if (ctxt->valueNr <= ctxt->valueFrame) { -+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); -+ return (NULL); -+ } -+ - ctxt->valueNr--; - if (ctxt->valueNr > 0) - ctxt->value = ctxt->valueTab[ctxt->valueNr - 1]; -@@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) { - ret->valueNr = 0; - ret->valueMax = 10; - ret->value = NULL; -+ ret->valueFrame = 0; - - ret->context = ctxt; - ret->comp = comp; -@@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, - xmlXPathObjectPtr contextObj = NULL, exprRes = NULL; - xmlNodePtr oldContextNode, contextNode = NULL; - xmlXPathContextPtr xpctxt = ctxt->context; -+ int frame; - - #ifdef LIBXML_XPTR_ENABLED - /* -@@ -11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, - */ - exprOp = &ctxt->comp->steps[op->ch2]; - for (i = 0; i < set->nodeNr; i++) { -+ xmlXPathObjectPtr tmp; -+ - if (set->nodeTab[i] == NULL) - continue; - -@@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, - xmlXPathNodeSetAddUnique(contextObj->nodesetval, - contextNode); - -+ frame = xmlXPathSetFrame(ctxt); - valuePush(ctxt, contextObj); - res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); -+ tmp = valuePop(ctxt); -+ xmlXPathPopFrame(ctxt, frame); - - if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { -- xmlXPathObjectPtr tmp; -- /* pop the result if any */ -- tmp = valuePop(ctxt); -- if (tmp != contextObj) { -+ while (tmp != contextObj) { - /* - * Free up the result - * then pop off contextObj, which will be freed later - */ - xmlXPathReleaseObject(xpctxt, tmp); -- valuePop(ctxt); -+ tmp = valuePop(ctxt); - } - goto evaluation_error; - } -+ /* push the result back onto the stack */ -+ valuePush(ctxt, tmp); - - if (res) - pos++; -@@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - xmlXPathFunction func; - const xmlChar *oldFunc, *oldFuncURI; - int i; -+ int frame; - -+ frame = xmlXPathSetFrame(ctxt); - if (op->ch1 != -1) - total += - xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); -@@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - xmlGenericError(xmlGenericErrorContext, - "xmlXPathCompOpEval: parameter error\n"); - ctxt->error = XPATH_INVALID_OPERAND; -+ xmlXPathPopFrame(ctxt, frame); - return (total); - } -- for (i = 0; i < op->value; i++) -+ for (i = 0; i < op->value; i++) { - if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) { - xmlGenericError(xmlGenericErrorContext, - "xmlXPathCompOpEval: parameter error\n"); - ctxt->error = XPATH_INVALID_OPERAND; -+ xmlXPathPopFrame(ctxt, frame); - return (total); - } -+ } - if (op->cache != NULL) - XML_CAST_FPTR(func) = op->cache; - else { -@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - xmlGenericError(xmlGenericErrorContext, - "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", - (char *)op->value4, (char *)op->value5); -+ xmlXPathPopFrame(ctxt, frame); - return (total); - } - func = xmlXPathFunctionLookupNS(ctxt->context, -@@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - func(ctxt, op->value); - ctxt->context->function = oldFunc; - ctxt->context->functionURI = oldFuncURI; -+ xmlXPathPopFrame(ctxt, frame); - return (total); - } - case XPATH_OP_ARG: -@@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) - ctxt->valueNr = 0; - ctxt->valueMax = 10; - ctxt->value = NULL; -+ ctxt->valueFrame = 0; - } - #ifdef XPATH_STREAMING - if (ctxt->comp->stream) { -diff --git a/xpointer.c b/xpointer.c -index 7a42d02..37afa3a 100644 ---- a/xpointer.c -+++ b/xpointer.c -@@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) { - ctxt->valueNr = 0; - ctxt->valueMax = 10; - ctxt->value = NULL; -+ ctxt->valueFrame = 0; - } - SKIP_BLANKS; - if (CUR == '/') { diff --git a/libs/libxml2/libxml2-2.7.8.patch b/libs/libxml2/libxml2-2.7.8.patch deleted file mode 100644 index a0b62bca98..0000000000 --- a/libs/libxml2/libxml2-2.7.8.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 00819877651b87842ed878898ba17dba489820f0 Mon Sep 17 00:00:00 2001 -From: Daniel Veillard <veillard@redhat.com> -Date: Thu, 04 Nov 2010 20:53:14 +0000 -Subject: Reactivate the shared library versionning script - ---- -diff --git a/configure.in b/configure.in -index 59d0629..a1d2c89 100644 ---- a/configure.in -+++ b/configure.in -@@ -84,7 +84,7 @@ else - esac - fi - AC_SUBST(VERSION_SCRIPT_FLAGS) --AM_CONDITIONAL([USE_VERSION_SCRIPT], [test -z "$VERSION_SCRIPT_FLAGS"]) -+AM_CONDITIONAL([USE_VERSION_SCRIPT], [test -n "$VERSION_SCRIPT_FLAGS"]) - - dnl - dnl We process the AC_ARG_WITH first so that later we can modify --- -cgit v0.8.3.1 |