--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/10.CVE-2011-0216.patch Wed Dec 14 10:40:21 2011 -0800
@@ -0,0 +1,22 @@
+This patch taken directly from upstream:
+http://git.gnome.org/browse/libxml2/commit/?id=69f04562f75212bfcabecd190ea8b06ace28ece2
+--- libxml2-2.7.6/encoding.c Thu Sep 24 08:31:59 2009
++++ libxml2-2.7.6/new.encoding.c Mon Oct 24 11:11:46 2011
+@@ -1771,7 +1771,7 @@
+ if (in == NULL) return(-1);
+
+ /* calculate space available */
+- written = out->size - out->use;
++ written = out->size - out->use - 1; /* count '\0' */
+ toconv = in->use;
+ /*
+ * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
+@@ -1892,7 +1892,7 @@
+ toconv = in->use;
+ if (toconv == 0)
+ return (0);
+- written = out->size - out->use;
++ written = out->size - out->use - 1; /* count '\0' */
+ if (toconv * 2 >= written) {
+ xmlBufferGrow(out, out->size + toconv * 2);
+ written = out->size - out->use - 1;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/11.CVE-2011-2821.patch Wed Dec 14 10:40:21 2011 -0800
@@ -0,0 +1,202 @@
+This patch taken directly from upstream:
+http://git.gnome.org/browse/libxml2/commit/?id=f5048b3e71fc30ad096970b8df6e7af073bae4cb
+--- libxml2-2.7.6/xpath.c Wed Nov 30 08:31:34 2011
++++ libxml2-2.7.6/new.xpath.c Wed Nov 30 08:30:31 2011
+@@ -252,6 +252,7 @@
+ "Encoding error\n",
+ "Char out of XML range\n",
+ "Invalid or incomplete context\n",
++ "Stack usage error\n",
+ "?? Unknown error ??\n" /* Must be last in the list! */
+ };
+ #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \
+@@ -2398,6 +2399,42 @@
+ ************************************************************************/
+
+ /**
++ * xmlXPathSetFrame:
++ * @ctxt: an XPath parser context
++ *
++ * Set the callee evaluation frame
++ *
++ * Returns the previous frame value to be restored once done
++ */
++static int
++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
++ int ret;
++
++ if (ctxt == NULL)
++ return(0);
++ ret = ctxt->valueFrame;
++ ctxt->valueFrame = ctxt->valueNr;
++ return(ret);
++}
++
++/**
++ * xmlXPathPopFrame:
++ * @ctxt: an XPath parser context
++ * @frame: the previous frame value
++ *
++ * Remove the callee evaluation frame
++ */
++static void
++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
++ if (ctxt == NULL)
++ return;
++ if (ctxt->valueNr < ctxt->valueFrame) {
++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++ }
++ ctxt->valueFrame = frame;
++}
++
++/**
+ * valuePop:
+ * @ctxt: an XPath evaluation context
+ *
+@@ -2412,6 +2449,12 @@
+
+ if ((ctxt == NULL) || (ctxt->valueNr <= 0))
+ return (NULL);
++
++ if (ctxt->valueNr <= ctxt->valueFrame) {
++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++ return (NULL);
++ }
++
+ ctxt->valueNr--;
+ if (ctxt->valueNr > 0)
+ ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
+@@ -6154,6 +6197,7 @@
+ ret->valueNr = 0;
+ ret->valueMax = 10;
+ ret->value = NULL;
++ ret->valueFrame = 0;
+
+ ret->context = ctxt;
+ ret->comp = comp;
+@@ -11688,6 +11732,7 @@
+ xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
+ xmlNodePtr oldContextNode, contextNode = NULL;
+ xmlXPathContextPtr xpctxt = ctxt->context;
++ int frame;
+
+ #ifdef LIBXML_XPTR_ENABLED
+ /*
+@@ -11707,6 +11752,8 @@
+ */
+ exprOp = &ctxt->comp->steps[op->ch2];
+ for (i = 0; i < set->nodeNr; i++) {
++ xmlXPathObjectPtr tmp;
++
+ if (set->nodeTab[i] == NULL)
+ continue;
+
+@@ -11738,19 +11785,18 @@
+ res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+- xmlXPathObjectPtr tmp;
+- /* pop the result if any */
+- tmp = valuePop(ctxt);
+- if (tmp != contextObj) {
++ while (tmp != contextObj) {
+ /*
+ * Free up the result
+ * then pop off contextObj, which will be freed later
+ */
+ xmlXPathReleaseObject(xpctxt, tmp);
+- valuePop(ctxt);
++ tmp = valuePop(ctxt);
+ }
+ goto evaluation_error;
+ }
++ /* push the result back onto the stack */
++ valuePush(ctxt, tmp);
+
+ if (res)
+ pos++;
+@@ -13354,7 +13400,9 @@
+ xmlXPathFunction func;
+ const xmlChar *oldFunc, *oldFuncURI;
+ int i;
++ int frame;
+
++ frame = xmlXPathSetFrame(ctxt);
+ if (op->ch1 != -1)
+ total +=
+ xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
+@@ -13362,15 +13410,18 @@
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: parameter error\n");
+ ctxt->error = XPATH_INVALID_OPERAND;
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
+- for (i = 0; i < op->value; i++)
++ for (i = 0; i < op->value; i++) {
+ if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: parameter error\n");
+ ctxt->error = XPATH_INVALID_OPERAND;
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
++ }
+ if (op->cache != NULL)
+ XML_CAST_FPTR(func) = op->cache;
+ else {
+@@ -13386,6 +13437,7 @@
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+ (char *)op->value4, (char *)op->value5);
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
+ func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -13407,6 +13459,7 @@
+ func(ctxt, op->value);
+ ctxt->context->function = oldFunc;
+ ctxt->context->functionURI = oldFuncURI;
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
+ case XPATH_OP_ARG:
+@@ -14310,6 +14363,7 @@
+ ctxt->valueNr = 0;
+ ctxt->valueMax = 10;
+ ctxt->value = NULL;
++ ctxt->valueFrame = 0;
+ }
+ #ifdef XPATH_STREAMING
+ if (ctxt->comp->stream) {
+--- libxml2-2.7.6/include/libxml/xpath.h Thu Sep 24 08:31:59 2009
++++ libxml2-2.7.6/include/libxml/new.xpath.h Mon Oct 24 11:21:50 2011
+@@ -68,7 +68,8 @@
+ XPATH_UNDEF_PREFIX_ERROR,
+ XPATH_ENCODING_ERROR,
+ XPATH_INVALID_CHAR_ERROR,
+- XPATH_INVALID_CTXT
++ XPATH_INVALID_CTXT,
++ XPATH_STACK_ERROR
+ } xmlXPathError;
+
+ /*
+@@ -380,6 +381,8 @@
+ xmlXPathCompExprPtr comp; /* the precompiled expression */
+ int xptr; /* it this an XPointer expression */
+ xmlNodePtr ancestor; /* used for walking preceding axis */
++
++ int valueFrame; /* used to limit Pop on the stack */
+ };
+
+ /************************************************************************
+--- libxml2-2.7.6/xpointer.c Mon Oct 24 11:18:07 2011
++++ libxml2-2.7.6/new.xpointer.c Mon Oct 24 11:42:52 2011
+@@ -1269,6 +1269,7 @@
+ ctxt->valueNr = 0;
+ ctxt->valueMax = 10;
+ ctxt->value = NULL;
++ ctxt->valueFrame = 0;
+ }
+ SKIP_BLANKS;
+ if (CUR == '/') {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/12.CVE-2011-2834.patch Wed Dec 14 10:40:21 2011 -0800
@@ -0,0 +1,52 @@
+This patch taken directly from upstream:
+http://git.gnome.org/browse/libxml2/commit/?id=1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd
+--- libxml2-2.7.6/xpath.c Fri Dec 9 06:34:26 2011
++++ libxml2-2.7.6/new.xpath.c Fri Dec 9 06:43:12 2011
+@@ -2485,6 +2485,7 @@
+ sizeof(ctxt->valueTab[0]));
+ if (tmp == NULL) {
+ xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
++ ctxt->error = XPATH_MEMORY_ERROR;
+ return (0);
+ }
+ ctxt->valueMax *= 2;
+@@ -9327,6 +9328,7 @@
+ if ( (ch & 0xc0) != 0xc0 ) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++ /* not asserting an XPath error is probably better */
+ break;
+ }
+ /* then skip over remaining bytes for this char */
+@@ -9334,6 +9336,7 @@
+ if ( (*cptr++ & 0xc0) != 0x80 ) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++ /* not asserting an XPath error is probably better */
+ break;
+ }
+ if (ch & 0x80) /* must have had error encountered */
+@@ -13384,6 +13387,7 @@
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n",
+ (char *) op->value4, (char *)op->value5);
++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+ return (total);
+ }
+ val = xmlXPathVariableLookupNS(ctxt->context,
+@@ -13438,6 +13442,7 @@
+ "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+ (char *)op->value4, (char *)op->value5);
+ xmlXPathPopFrame(ctxt, frame);
++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+ return (total);
+ }
+ func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -14016,6 +14021,7 @@
+ }
+ xmlGenericError(xmlGenericErrorContext,
+ "XPath: unknown precompiled operation %d\n", op->op);
++ ctxt->error = XPATH_INVALID_OPERAND;
+ return (total);
+ }
+