7100337 Problem with library/libxml s11-sru S11SRU10_04
authorPetr Sumbera <petr.sumbera@oracle.com>
Mon, 23 Jul 2012 03:17:23 -0500
branchs11-sru
changeset 2313 cee15dd34514
parent 2312 7b2689ab6bcb
child 2314 3cf577077651
7100337 Problem with library/libxml 7072501 Problem with library/libxml 7131703 Problem with library/libxml 7008726 Problem with library/libxml 7171310 Problem with library/libxml 7150804 Problem with library/libxml
components/libxml2/patches/10.CVE-2011-0216.patch
components/libxml2/patches/11.CVE-2011-2821.patch
components/libxml2/patches/12.CVE-2011-2834.patch
components/libxml2/patches/13.CVE-2011-3905.patch
components/libxml2/patches/14.CVE-2011-3919.patch
components/libxml2/patches/17.CVE-2010-4008.patch
components/libxml2/patches/18.CVE-2011-3102.patch
components/libxml2/patches/19.CVE-2012-0841.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/10.CVE-2011-0216.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,22 @@
+This patch taken directly from upstream:
+http://git.gnome.org/browse/libxml2/commit/?id=69f04562f75212bfcabecd190ea8b06ace28ece2
+--- libxml2-2.7.6/encoding.c	Thu Sep 24 08:31:59 2009
++++ libxml2-2.7.6/new.encoding.c	Mon Oct 24 11:11:46 2011
[email protected]@ -1771,7 +1771,7 @@
+     if (in == NULL) return(-1);
+ 
+     /* calculate space available */
+-    written = out->size - out->use;
++    written = out->size - out->use - 1; /* count '\0' */
+     toconv = in->use;
+     /*
+      * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
[email protected]@ -1892,7 +1892,7 @@
+     toconv = in->use;
+     if (toconv == 0)
+         return (0);
+-    written = out->size - out->use;
++    written = out->size - out->use - 1; /* count '\0' */
+     if (toconv * 2 >= written) {
+         xmlBufferGrow(out, out->size + toconv * 2);
+         written = out->size - out->use - 1;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/11.CVE-2011-2821.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,221 @@
+The contents of this patch taken directly from upstream:
+http://git.gnome.org/browse/libxml2/commit/?id=f5048b3e71fc30ad096970b8df6e7af073bae4cb
+via copy/paste of the code changes into the source files from which I generated new
+patch diffs.  This explains the error of the missing 3 lines that are concatenated
+to the bottom of this patch.
+--- libxml2-2.7.6/xpath.c	Wed Nov 30 08:31:34 2011
++++ libxml2-2.7.6/new.xpath.c	Wed Nov 30 08:30:31 2011
[email protected]@ -252,6 +252,7 @@
+     "Encoding error\n",
+     "Char out of XML range\n",
+     "Invalid or incomplete context\n",
++    "Stack usage error\n",
+     "?? Unknown error ??\n"	/* Must be last in the list! */
+ };
+ #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) /	\
[email protected]@ -2398,6 +2399,42 @@
+  ************************************************************************/
+ 
+ /**
++ * xmlXPathSetFrame:
++ * @ctxt: an XPath parser context
++ *
++ * Set the callee evaluation frame
++ *
++ * Returns the previous frame value to be restored once done
++ */
++static int
++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
++    int ret;
++
++    if (ctxt == NULL)
++	return(0);
++    ret = ctxt->valueFrame;
++    ctxt->valueFrame = ctxt->valueNr;
++    return(ret);
++}
++
++/**
++ * xmlXPathPopFrame:
++ * @ctxt: an XPath parser context
++ * @frame: the previous frame value
++ *
++ * Remove the callee evaluation frame
++ */
++static void
++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
++    if (ctxt == NULL)
++	return;
++    if (ctxt->valueNr < ctxt->valueFrame) {
++	xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++    }
++    ctxt->valueFrame = frame;
++}
++
++/**
+  * valuePop:
+  * @ctxt: an XPath evaluation context
+  *
[email protected]@ -2412,6 +2449,12 @@
+ 
+     if ((ctxt == NULL) || (ctxt->valueNr <= 0))
+         return (NULL);
++
++    if (ctxt->valueNr <= ctxt->valueFrame) {
++	xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++	return (NULL);
++    }
++
+     ctxt->valueNr--;
+     if (ctxt->valueNr > 0)
+         ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
[email protected]@ -6154,6 +6197,7 @@
+     ret->valueNr = 0;
+     ret->valueMax = 10;
+     ret->value = NULL;
++    ret->valueFrame = 0;
+ 
+     ret->context = ctxt;
+     ret->comp = comp;
[email protected]@ -11688,6 +11732,7 @@
+ 	xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
+ 	xmlNodePtr oldContextNode, contextNode = NULL;
+ 	xmlXPathContextPtr xpctxt = ctxt->context;
++	int frame;
+ 
+ #ifdef LIBXML_XPTR_ENABLED
+ 	    /*
[email protected]@ -11707,6 +11752,8 @@
+ 	*/
+ 	exprOp = &ctxt->comp->steps[op->ch2];
+ 	for (i = 0; i < set->nodeNr; i++) {
++	    xmlXPathObjectPtr tmp;
++
+ 	    if (set->nodeTab[i] == NULL)
+ 		continue;
+ 
[email protected]@ -11738,19 +11785,18 @@
+ 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+-	        xmlXPathObjectPtr tmp;
+-		/* pop the result if any */
+-		tmp = valuePop(ctxt);
+-		if (tmp != contextObj) {
++		while (tmp != contextObj) {
+ 		   /*
+ 		    * Free up the result
+ 		    * then pop off contextObj, which will be freed later
+ 		    */
+ 		   xmlXPathReleaseObject(xpctxt, tmp);
+-		   valuePop(ctxt);
++		   tmp = valuePop(ctxt);
+ 		}
+ 		goto evaluation_error;
+ 	    }
++	    /* push the result back onto the stack */
++	    valuePush(ctxt, tmp);
+ 
+ 	    if (res)
+ 		pos++;
[email protected]@ -13354,7 +13400,9 @@
+                 xmlXPathFunction func;
+                 const xmlChar *oldFunc, *oldFuncURI;
+ 		int i;
++		int frame;
+ 
++		frame = xmlXPathSetFrame(ctxt);
+                 if (op->ch1 != -1)
+                     total +=
+                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
[email protected]@ -13362,15 +13410,18 @@
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			    "xmlXPathCompOpEval: parameter error\n");
+ 		    ctxt->error = XPATH_INVALID_OPERAND;
++		    xmlXPathPopFrame(ctxt, frame);
+ 		    return (total);
+ 		}
+-		for (i = 0; i < op->value; i++)
++		for (i = 0; i < op->value; i++) {
+ 		    if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
+ 			xmlGenericError(xmlGenericErrorContext,
+ 				"xmlXPathCompOpEval: parameter error\n");
+ 			ctxt->error = XPATH_INVALID_OPERAND;
++			xmlXPathPopFrame(ctxt, frame);
+ 			return (total);
+ 		    }
++		}
+                 if (op->cache != NULL)
+                     XML_CAST_FPTR(func) = op->cache;
+                 else {
[email protected]@ -13386,6 +13437,7 @@
+                             xmlGenericError(xmlGenericErrorContext,
+             "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+                                     (char *)op->value4, (char *)op->value5);
++			    xmlXPathPopFrame(ctxt, frame);
+                             return (total);
+                         }
+                         func = xmlXPathFunctionLookupNS(ctxt->context,
[email protected]@ -13407,6 +13459,7 @@
+                 func(ctxt, op->value);
+                 ctxt->context->function = oldFunc;
+                 ctxt->context->functionURI = oldFuncURI;
++		xmlXPathPopFrame(ctxt, frame);
+                 return (total);
+             }
+         case XPATH_OP_ARG:
[email protected]@ -14310,6 +14363,7 @@
+ 	ctxt->valueNr = 0;
+ 	ctxt->valueMax = 10;
+ 	ctxt->value = NULL;
++	ctxt->valueFrame = 0;
+     }
+ #ifdef XPATH_STREAMING
+     if (ctxt->comp->stream) {
+--- libxml2-2.7.6/include/libxml/xpath.h	Thu Sep 24 08:31:59 2009
++++ libxml2-2.7.6/include/libxml/new.xpath.h	Mon Oct 24 11:21:50 2011
[email protected]@ -68,7 +68,8 @@
+     XPATH_UNDEF_PREFIX_ERROR,
+     XPATH_ENCODING_ERROR,
+     XPATH_INVALID_CHAR_ERROR,
+-    XPATH_INVALID_CTXT
++    XPATH_INVALID_CTXT,
++    XPATH_STACK_ERROR
+ } xmlXPathError;
+ 
+ /*
[email protected]@ -380,6 +381,8 @@
+     xmlXPathCompExprPtr comp;		/* the precompiled expression */
+     int xptr;				/* it this an XPointer expression */
+     xmlNodePtr         ancestor;	/* used for walking preceding axis */
++
++    int              valueFrame;	/* used to limit Pop on the stack */
+ };
+ 
+ /************************************************************************
+--- libxml2-2.7.6/xpointer.c	Mon Oct 24 11:18:07 2011
++++ libxml2-2.7.6/new.xpointer.c	Mon Oct 24 11:42:52 2011
[email protected]@ -1269,6 +1269,7 @@
+ 	ctxt->valueNr = 0;
+ 	ctxt->valueMax = 10;
+ 	ctxt->value = NULL;
++	ctxt->valueFrame = 0;
+     }
+     SKIP_BLANKS;
+     if (CUR == '/') {
+
+--- libxml2-2.7.6/xpath.c	Thu Jan  5 10:51:16 2012
++++ libxml2-2.7.6/xpath.c.new	Thu Jan  5 11:00:39 2012
[email protected]@ -11781,8 +11781,11 @@
+ 		xmlXPathNodeSetAddUnique(contextObj->nodesetval,
+ 		    contextNode);
+ 
++	    frame = xmlXPathSetFrame(ctxt);
+ 	    valuePush(ctxt, contextObj);
+ 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
++	    tmp = valuePop(ctxt);
++	    xmlXPathPopFrame(ctxt, frame);
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ 		while (tmp != contextObj) {
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/12.CVE-2011-2834.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,52 @@
+This patch taken directly from upstream:
+http://git.gnome.org/browse/libxml2/commit/?id=1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd
+--- libxml2-2.7.6/xpath.c	Fri Dec  9 06:34:26 2011
++++ libxml2-2.7.6/new.xpath.c	Fri Dec  9 06:43:12 2011
[email protected]@ -2485,6 +2485,7 @@
+                                              sizeof(ctxt->valueTab[0]));
+         if (tmp == NULL) {
+             xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
++	    ctxt->error = XPATH_MEMORY_ERROR;
+             return (0);
+         }
+         ctxt->valueMax *= 2;
[email protected]@ -9327,6 +9328,7 @@
+ 		if ( (ch & 0xc0) != 0xc0 ) {
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			"xmlXPathTranslateFunction: Invalid UTF8 string\n");
++		    /* not asserting an XPath error is probably better */
+ 		    break;
+ 		}
+ 		/* then skip over remaining bytes for this char */
[email protected]@ -9334,6 +9336,7 @@
+ 		    if ( (*cptr++ & 0xc0) != 0x80 ) {
+ 			xmlGenericError(xmlGenericErrorContext,
+ 			    "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++			/* not asserting an XPath error is probably better */
+ 			break;
+ 		    }
+ 		if (ch & 0x80) /* must have had error encountered */
[email protected]@ -13384,6 +13387,7 @@
+                         xmlGenericError(xmlGenericErrorContext,
+             "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n",
+                                     (char *) op->value4, (char *)op->value5);
++			ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+                         return (total);
+                     }
+ 		    val = xmlXPathVariableLookupNS(ctxt->context,
[email protected]@ -13438,6 +13442,7 @@
+             "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+                                     (char *)op->value4, (char *)op->value5);
+ 			    xmlXPathPopFrame(ctxt, frame);
++			    ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+                             return (total);
+                         }
+                         func = xmlXPathFunctionLookupNS(ctxt->context,
[email protected]@ -14016,6 +14021,7 @@
+     }
+     xmlGenericError(xmlGenericErrorContext,
+                     "XPath: unknown precompiled operation %d\n", op->op);
++    ctxt->error = XPATH_INVALID_OPERAND;
+     return (total);
+ }
+ 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/13.CVE-2011-3905.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,66 @@
+This patch copied/pasted from this link:
+http://git.gnome.org/browse/libxml2/patch/?id=77404b8b69bc122d12231807abf1a837d121b551
+----------------------------------------------------------------------
+From 77404b8b69bc122d12231807abf1a837d121b551 Mon Sep 17 00:00:00 2001
+From: Chris Evans <[email protected]>
+Date: Wed, 14 Dec 2011 08:18:25 +0000
+Subject: Make sure the parser returns when getting a Stop order
+
+patch backported from chromiun bug fixes, assuming author is Chris
+---
+diff --git a/parser.c b/parser.c
+index 21d7aa3..4e5dcb9 100644
+--- a/parser.c
++++ b/parser.c
[email protected]@ -4949,7 +4949,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ 		    (ctxt->sax->processingInstruction != NULL))
+ 		    ctxt->sax->processingInstruction(ctxt->userData,
+ 		                                     target, NULL);
+-		ctxt->instate = state;
++		if (ctxt->instate != XML_PARSER_EOF)
++		    ctxt->instate = state;
+ 		return;
+ 	    }
+ 	    buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
[email protected]@ -5029,7 +5030,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ 	} else {
+ 	    xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
+ 	}
+-	ctxt->instate = state;
++	if (ctxt->instate != XML_PARSER_EOF)
++	    ctxt->instate = state;
+     }
+ }
+ 
[email protected]@ -9589,6 +9591,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
+     else
+ 	name = xmlParseStartTag(ctxt);
+ #endif /* LIBXML_SAX1_ENABLED */
++    if (ctxt->instate == XML_PARSER_EOF)
++	return;
+     if (name == NULL) {
+ 	spacePop(ctxt);
+         return;
[email protected]@ -10975,6 +10979,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		else
+ 		    name = xmlParseStartTag(ctxt);
+ #endif /* LIBXML_SAX1_ENABLED */
++		if (ctxt->instate == XML_PARSER_EOF)
++		    goto done;
+ 		if (name == NULL) {
+ 		    spacePop(ctxt);
+ 		    ctxt->instate = XML_PARSER_EOF;
[email protected]@ -11161,7 +11167,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		  else
+ 		    xmlParseEndTag1(ctxt, 0);
+ #endif /* LIBXML_SAX1_ENABLED */
+-		if (ctxt->nameNr == 0) {
++		if (ctxt->instate == XML_PARSER_EOF) {
++		    /* Nothing */
++		} else if (ctxt->nameNr == 0) {
+ 		    ctxt->instate = XML_PARSER_EPILOG;
+ 		} else {
+ 		    ctxt->instate = XML_PARSER_CONTENT;
+--
+cgit v0.9.0.2
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/14.CVE-2011-3919.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,25 @@
+This patch copied/pasted from this link:
+http://git.gnome.org/browse/libxml2/patch/?id=5bd3c061823a8499b27422aee04ea20aae24f03e
+----------------------------------------------------------------------
+From 5bd3c061823a8499b27422aee04ea20aae24f03e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Fri, 16 Dec 2011 10:53:35 +0000
+Subject: Fix an allocation error when copying entities
+
+---
+diff --git a/parser.c b/parser.c
+index 4e5dcb9..c55e41d 100644
+--- a/parser.c
++++ b/parser.c
[email protected]@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 
+ 		buffer[nbchars++] = '&';
+ 		if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
+-		    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++		    growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+ 		}
+ 		for (;i > 0;i--)
+ 		    buffer[nbchars++] = *cur++;
+--
+cgit v0.9.0.2
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/17.CVE-2010-4008.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,143 @@
+There are 2 patches in a row to the same section of code here, they are copied/pasted
+directly from:
+http://git.gnome.org/browse/libxml2/patch/?id=91d19754d46acd4a639a8b9e31f50f31c78f8c9c
+http://git.gnome.org/browse/libxml2/patch/?id=ea90b894146030c214a7df6d8375310174f134b9
+--------------------------------------------------------------------------------------
+From 91d19754d46acd4a639a8b9e31f50f31c78f8c9c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Fri, 15 Oct 2010 12:30:52 +0000
+Subject: Fix the semantic of XPath axis for namespace/attribute context nodes
+
+The processing of namespace and attributes nodes was not compliant
+to the XPath-1.0 specification
+---
+diff --git a/xpath.c b/xpath.c
+index b24ca69..8b77af3 100644
+--- a/xpath.c
++++ b/xpath.c
[email protected]@ -8106,8 +8106,16 @@ xmlXPathNextPrecedingSibling(xmlXPathParserContextPtr ctxt, xmlNodePtr cur) {
+ xmlNodePtr
+ xmlXPathNextFollowing(xmlXPathParserContextPtr ctxt, xmlNodePtr cur) {
+     if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
+-    if (cur != NULL && cur->children != NULL)
+-        return cur->children ;
++    if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
++	(ctxt->context->node->type == XML_NAMESPACE_DECL))
++	return(NULL);
++    if (cur != NULL) {
++        if ((cur->type == XML_ATTRIBUTE_NODE) ||
++            (cur->type == XML_NAMESPACE_DECL))
++            return(NULL);
++        if (cur->children != NULL)
++            return cur->children ;
++    }
+     if (cur == NULL) cur = ctxt->context->node;
+     if (cur == NULL) return(NULL) ; /* ERROR */
+     if (cur->next != NULL) return(cur->next) ;
[email protected]@ -8162,6 +8170,9 @@ xmlNodePtr
+ xmlXPathNextPreceding(xmlXPathParserContextPtr ctxt, xmlNodePtr cur)
+ {
+     if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
++    if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
++	(ctxt->context->node->type == XML_NAMESPACE_DECL))
++	return(NULL);
+     if (cur == NULL)
+         cur = ctxt->context->node;
+     if (cur == NULL)
[email protected]@ -8203,12 +8214,13 @@ xmlXPathNextPrecedingInternal(xmlXPathParserContextPtr ctxt,
+                               xmlNodePtr cur)
+ {
+     if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
++    if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
++	(ctxt->context->node->type == XML_NAMESPACE_DECL))
++	return(NULL);
+     if (cur == NULL) {
+         cur = ctxt->context->node;
+         if (cur == NULL)
+             return (NULL);
+-	if (cur->type == XML_NAMESPACE_DECL)
+-	    cur = (xmlNodePtr)((xmlNsPtr)cur)->next;
+         ctxt->ancestor = cur->parent;
+     }
+     if ((cur->prev != NULL) && (cur->prev->type == XML_DTD_NODE))
+--
+cgit v0.9.0.2
+
+From ea90b894146030c214a7df6d8375310174f134b9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Fri, 22 Oct 2010 13:50:50 +0000
+Subject: Fix a change of semantic on XPath preceding and following axis
+
+This was introduced in the prevous fix, while preceding-sibling and
+following sibling axis are empty for attributes and namespaces,
+preceding and following axis should still work based on the parent
+element. However the parent element is not available for a namespace
+node, so we keep the axis empty in that case.
+---
+diff --git a/xpath.c b/xpath.c
+index 9d47618..3352a5e 100644
+--- a/xpath.c
++++ b/xpath.c
[email protected]@ -8106,17 +8106,17 @@ xmlXPathNextPrecedingSibling(xmlXPathParserContextPtr ctxt, xmlNodePtr cur) {
+ xmlNodePtr
+ xmlXPathNextFollowing(xmlXPathParserContextPtr ctxt, xmlNodePtr cur) {
+     if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
+-    if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
+-	(ctxt->context->node->type == XML_NAMESPACE_DECL))
+-	return(NULL);
+-    if (cur != NULL) {
+-        if ((cur->type == XML_ATTRIBUTE_NODE) ||
+-            (cur->type == XML_NAMESPACE_DECL))
++    if ((cur != NULL) && (cur->type  != XML_ATTRIBUTE_NODE) &&
++        (cur->type != XML_NAMESPACE_DECL) && (cur->children != NULL))
++        return(cur->children);
++
++    if (cur == NULL) {
++        cur = ctxt->context->node;
++        if (cur->type == XML_NAMESPACE_DECL)
+             return(NULL);
+-        if (cur->children != NULL)
+-            return cur->children ;
++        if (cur->type == XML_ATTRIBUTE_NODE)
++            cur = cur->parent;
+     }
+-    if (cur == NULL) cur = ctxt->context->node;
+     if (cur == NULL) return(NULL) ; /* ERROR */
+     if (cur->next != NULL) return(cur->next) ;
+     do {
[email protected]@ -8170,11 +8170,13 @@ xmlNodePtr
+ xmlXPathNextPreceding(xmlXPathParserContextPtr ctxt, xmlNodePtr cur)
+ {
+     if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
+-    if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
+-	(ctxt->context->node->type == XML_NAMESPACE_DECL))
+-	return(NULL);
+-    if (cur == NULL)
++    if (cur == NULL) {
+         cur = ctxt->context->node;
++        if (cur->type == XML_NAMESPACE_DECL)
++            return(NULL);
++        if (cur->type == XML_ATTRIBUTE_NODE)
++            return(cur->parent);
++    }
+     if (cur == NULL)
+ 	return (NULL);
+     if ((cur->prev != NULL) && (cur->prev->type == XML_DTD_NODE))
[email protected]@ -8214,13 +8216,12 @@ xmlXPathNextPrecedingInternal(xmlXPathParserContextPtr ctxt,
+                               xmlNodePtr cur)
+ {
+     if ((ctxt == NULL) || (ctxt->context == NULL)) return(NULL);
+-    if ((ctxt->context->node->type == XML_ATTRIBUTE_NODE) ||
+-	(ctxt->context->node->type == XML_NAMESPACE_DECL))
+-	return(NULL);
+     if (cur == NULL) {
+         cur = ctxt->context->node;
+         if (cur == NULL)
+             return (NULL);
++        if (cur->type == XML_NAMESPACE_DECL)
++            return (NULL);
+         ctxt->ancestor = cur->parent;
+     }
+     if ((cur->prev != NULL) && (cur->prev->type == XML_DTD_NODE))
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/18.CVE-2011-3102.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,42 @@
+This patch copied/pasted from this link:
+http://git.gnome.org/browse/libxml2/patch/?id=d8e1faeaa99c7a7c07af01c1c72de352eb590a3e
+----------------------------------------------------------------------
+From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001
+From: Jüri Aedla <[email protected]>
+Date: Mon, 07 May 2012 07:06:56 +0000
+Subject: Fix an off by one pointer access
+
+getting out of the range of memory allocated for xpointer decoding
+---
+diff --git a/xpointer.c b/xpointer.c
+index 37afa3a..0b463dd 100644
+--- a/xpointer.c
++++ b/xpointer.c
[email protected]@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) {
+ 		NEXT;
+ 		break;
+ 	    }
+-	    *cur++ = CUR;
+ 	} else if (CUR == '(') {
+ 	    level++;
+-	    *cur++ = CUR;
+ 	} else if (CUR == '^') {
+-	    NEXT;
+-	    if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
+-		*cur++ = CUR;
+-	    } else {
+-		*cur++ = '^';
+-		*cur++ = CUR;
+-	    }
+-	} else {
+-	    *cur++ = CUR;
++            if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
++                NEXT;
++            }
+ 	}
++        *cur++ = CUR;
+ 	NEXT;
+     }
+     *cur = 0;
+--
+cgit v0.9.0.2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/19.CVE-2012-0841.patch	Mon Jul 23 03:17:23 2012 -0500
@@ -0,0 +1,294 @@
+This patch copied/pasted from this link:
+http://git.gnome.org/browse/libxml2/patch/?id=8973d58b7498fa5100a876815476b81fd1a2412a
+----------------------------------------------------------------------
+From 8973d58b7498fa5100a876815476b81fd1a2412a Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Sat, 04 Feb 2012 11:07:44 +0000
+Subject: Add hash randomization to hash and dict structures
+
+Following http://www.ocert.org/advisories/ocert-2011-003.html
+it seems that having hash randomization might be a good idea
+when using XML with untrusted data
+* configure.in: lookup for rand, srand and time
+* dict.c: add randomization to dictionaries hash tables
+* hash.c: add randomization to normal hash tables
+---
+diff --git a/configure.in b/configure.in
+index fa80375..828b66a 100644
+--- a/configure.in
++++ b/configure.in
[email protected]@ -512,6 +512,7 @@ AC_CHECK_FUNCS(strdup strndup strerror)
+ AC_CHECK_FUNCS(finite isnand fp_class class fpclass)
+ AC_CHECK_FUNCS(strftime localtime gettimeofday ftime)
+ AC_CHECK_FUNCS(stat _stat signal)
++AC_CHECK_FUNCS(rand srand time)
+ 
+ dnl Checking the standard string functions availability
+ AC_CHECK_FUNCS(printf sprintf fprintf snprintf vfprintf vsprintf vsnprintf sscanf,,
+diff --git a/dict.c b/dict.c
+index 3eff231..ae4966b 100644
+--- a/dict.c
++++ b/dict.c
[email protected]@ -2,7 +2,7 @@
+  * dict.c: dictionary of reusable strings, just used to avoid allocation
+  *         and freeing operations.
+  *
+- * Copyright (C) 2003 Daniel Veillard.
++ * Copyright (C) 2003-2012 Daniel Veillard.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
[email protected]@ -19,6 +19,28 @@
+ #define IN_LIBXML
+ #include "libxml.h"
+ 
++#ifdef HAVE_STDLIB_H
++#include <stdlib.h>
++#endif
++#ifdef HAVE_TIME_H
++#include <time.h>
++#endif
++
++/*
++ * Following http://www.ocert.org/advisories/ocert-2011-003.html
++ * it seems that having hash randomization might be a good idea
++ * when using XML with untrusted data
++ * Note1: that it works correctly only if compiled with WITH_BIG_KEY
++ *  which is the default.
++ * Note2: the fast function used for a small dict won't protect very
++ *  well but since the attack is based on growing a very big hash
++ *  list we will use the BigKey algo as soon as the hash size grows
++ *  over MIN_DICT_SIZE so this actually works
++ */
++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
++#define DICT_RANDOMIZATION
++#endif
++
+ #include <string.h>
+ #ifdef HAVE_STDINT_H
+ #include <stdint.h>
[email protected]@ -44,23 +66,23 @@ typedef unsigned __int32 uint32_t;
+ #define WITH_BIG_KEY
+ 
+ #ifdef WITH_BIG_KEY
+-#define xmlDictComputeKey(dict, name, len)			\
+-    (((dict)->size == MIN_DICT_SIZE) ?				\
+-     xmlDictComputeFastKey(name, len) :				\
+-     xmlDictComputeBigKey(name, len))
+-
+-#define xmlDictComputeQKey(dict, prefix, plen, name, len)	\
+-    (((prefix) == NULL) ?					\
+-      (xmlDictComputeKey(dict, name, len)) :			\
+-      (((dict)->size == MIN_DICT_SIZE) ?			\
+-       xmlDictComputeFastQKey(prefix, plen, name, len) :	\
+-       xmlDictComputeBigQKey(prefix, plen, name, len)))
++#define xmlDictComputeKey(dict, name, len)                              \
++    (((dict)->size == MIN_DICT_SIZE) ?                                  \
++     xmlDictComputeFastKey(name, len, (dict)->seed) :                   \
++     xmlDictComputeBigKey(name, len, (dict)->seed))
++
++#define xmlDictComputeQKey(dict, prefix, plen, name, len)               \
++    (((prefix) == NULL) ?                                               \
++      (xmlDictComputeKey(dict, name, len)) :                             \
++      (((dict)->size == MIN_DICT_SIZE) ?                                \
++       xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) :	\
++       xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed)))
+ 
+ #else /* !WITH_BIG_KEY */
+-#define xmlDictComputeKey(dict, name, len)			\
+-        xmlDictComputeFastKey(name, len)
+-#define xmlDictComputeQKey(dict, prefix, plen, name, len)	\
+-        xmlDictComputeFastQKey(prefix, plen, name, len)
++#define xmlDictComputeKey(dict, name, len)                              \
++        xmlDictComputeFastKey(name, len, (dict)->seed)
++#define xmlDictComputeQKey(dict, prefix, plen, name, len)               \
++        xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed)
+ #endif /* WITH_BIG_KEY */
+ 
+ /*
[email protected]@ -98,6 +120,8 @@ struct _xmlDict {
+     xmlDictStringsPtr strings;
+ 
+     struct _xmlDict *subdict;
++    /* used for randomization */
++    int seed;
+ };
+ 
+ /*
[email protected]@ -125,6 +149,9 @@ static int xmlInitializeDict(void) {
+     if ((xmlDictMutex = xmlNewRMutex()) == NULL)
+         return(0);
+ 
++#ifdef DICT_RANDOMIZATION
++    srand(time(NULL));
++#endif
+     xmlDictInitialized = 1;
+     return(1);
+ }
[email protected]@ -277,13 +304,13 @@ found_pool:
+  */
+ 
+ static uint32_t
+-xmlDictComputeBigKey(const xmlChar* data, int namelen) {
++xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) {
+     uint32_t hash;
+     int i;
+ 
+     if (namelen <= 0 || data == NULL) return(0);
+ 
+-    hash = 0;
++    hash = seed;
+ 
+     for (i = 0;i < namelen; i++) {
+         hash += data[i];
[email protected]@ -310,12 +337,12 @@ xmlDictComputeBigKey(const xmlChar* data, int namelen) {
+  */
+ static unsigned long
+ xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
+-                      const xmlChar *name, int len)
++                      const xmlChar *name, int len, int seed)
+ {
+     uint32_t hash;
+     int i;
+ 
+-    hash = 0;
++    hash = seed;
+ 
+     for (i = 0;i < plen; i++) {
+         hash += prefix[i];
[email protected]@ -346,8 +373,8 @@ xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
+  * for low hash table fill.
+  */
+ static unsigned long
+-xmlDictComputeFastKey(const xmlChar *name, int namelen) {
+-    unsigned long value = 0L;
++xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
++    unsigned long value = seed;
+ 
+     if (name == NULL) return(0);
+     value = *name;
[email protected]@ -381,9 +408,9 @@ xmlDictComputeFastKey(const xmlChar *name, int namelen) {
+  */
+ static unsigned long
+ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+-                       const xmlChar *name, int len)
++                       const xmlChar *name, int len, int seed)
+ {
+-    unsigned long value = 0L;
++    unsigned long value = (unsigned long) seed;
+ 
+     if (plen == 0)
+ 	value += 30 * (unsigned long) ':';
[email protected]@ -460,6 +487,11 @@ xmlDictCreate(void) {
+ 	dict->subdict = NULL;
+         if (dict->dict) {
+ 	    memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry));
++#ifdef DICT_RANDOMIZATION
++            dict->seed = rand();
++#else
++            dict->seed = 0;
++#endif
+ 	    return(dict);
+         }
+         xmlFree(dict);
[email protected]@ -486,6 +518,7 @@ xmlDictCreateSub(xmlDictPtr sub) {
+ #ifdef DICT_DEBUG_PATTERNS
+         fprintf(stderr, "R");
+ #endif
++        dict->seed = sub->seed;
+         dict->subdict = sub;
+ 	xmlDictReference(dict->subdict);
+     }
+diff --git a/hash.c b/hash.c
+index b78bc2d..fe1424f 100644
+--- a/hash.c
++++ b/hash.c
[email protected]@ -3,7 +3,7 @@
+  *
+  * Reference: Your favorite introductory book on algorithms
+  *
+- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard.
++ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
[email protected]@ -21,6 +21,22 @@
+ #include "libxml.h"
+ 
+ #include <string.h>
++#ifdef HAVE_STDLIB_H
++#include <stdlib.h>
++#endif
++#ifdef HAVE_TIME_H
++#include <time.h>
++#endif
++
++/*
++ * Following http://www.ocert.org/advisories/ocert-2011-003.html
++ * it seems that having hash randomization might be a good idea
++ * when using XML with untrusted data
++ */
++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
++#define HASH_RANDOMIZATION
++#endif
++
+ #include <libxml/parser.h>
+ #include <libxml/hash.h>
+ #include <libxml/xmlmemory.h>
[email protected]@ -31,6 +47,10 @@
+ 
+ /* #define DEBUG_GROW */
+ 
++#ifdef HASH_RANDOMIZATION
++static int hash_initialized = 0;
++#endif
++
+ /*
+  * A single entry in the hash table
+  */
[email protected]@ -53,6 +73,9 @@ struct _xmlHashTable {
+     int size;
+     int nbElems;
+     xmlDictPtr dict;
++#ifdef HASH_RANDOMIZATION
++    int random_seed;
++#endif
+ };
+ 
+ /*
[email protected]@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, const xmlChar *name,
+     unsigned long value = 0L;
+     char ch;
+     
++#ifdef HASH_RANDOMIZATION
++    value = table->random_seed;
++#endif
+     if (name != NULL) {
+ 	value += 30 * (*name);
+ 	while ((ch = *name++) != 0) {
[email protected]@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table,
+     unsigned long value = 0L;
+     char ch;
+     
++#ifdef HASH_RANDOMIZATION
++    value = table->random_seed;
++#endif
+     if (prefix != NULL)
+ 	value += 30 * (*prefix);
+     else
[email protected]@ -156,6 +185,13 @@ xmlHashCreate(int size) {
+         table->table = xmlMalloc(size * sizeof(xmlHashEntry));
+         if (table->table) {
+   	    memset(table->table, 0, size * sizeof(xmlHashEntry));
++#ifdef HASH_RANDOMIZATION
++            if (!hash_initialized) {
++                srand(time(NULL));
++                hash_initialized = 1;
++            }
++            table->random_seed = rand();
++#endif
+   	    return(table);
+         }
+         xmlFree(table);
+--
+cgit v0.9.0.2