diff --git a/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch b/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch new file mode 100644 index 0000000..5f7200d --- /dev/null +++ b/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch @@ -0,0 +1,72 @@ +From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001 +From: Peter Simons +Date: Fri, 15 Apr 2016 11:56:55 +0200 +Subject: [PATCH] Add missing increments of recursion depth counter to XML + parser. +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=765207 +CVE-2016-3705 +The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call +xmlStringDecodeEntities() in a recursive context without incrementing the +'depth' counter in the parser context. Because of that omission, the parser +failed to detect attribute recursions in certain documents before running out +of stack space. + +Signed-off-by: Daniel Veillard +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index 0accf54..32293d0 100644 +--- a/parser.c ++++ b/parser.c +@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + + ent->checked = 1; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + * an entity declaration, it is bypassed and left as is. + * so XML_SUBSTITUTE_REF is not set here. + */ ++ ++ctxt->depth; + ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, + 0, 0, 0); ++ --ctxt->depth; + if (orig != NULL) + *orig = buf; + else +@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else if ((ent != NULL) && + (ctxt->replaceEntities != 0)) { + if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, + 0, 0, 0); ++ --ctxt->depth; + if (rep != NULL) { + current = rep; + while (*current != 0) { /* non input consuming */ +@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + (ent->content != NULL) && (ent->checked == 0)) { + unsigned long oldnbent = ctxt->nbentities; + ++ ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); ++ --ctxt->depth; + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +-- +2.5.5 + diff --git a/SOURCES/libxml2-Avoid-building-recursive-entities.patch b/SOURCES/libxml2-Avoid-building-recursive-entities.patch new file mode 100644 index 0000000..5507537 --- /dev/null +++ b/SOURCES/libxml2-Avoid-building-recursive-entities.patch @@ -0,0 +1,62 @@ +From 2fc95df152622cf5cf1d478af6ed3538e170118b Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 May 2016 12:27:58 +0800 +Subject: [PATCH] Avoid building recursive entities +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=762100 + +When we detect a recusive entity we should really not +build the associated data, moreover if someone bypass +libxml2 fatal errors and still tries to serialize a broken +entity make sure we don't risk to get ito a recursion + +* parser.c: xmlParserEntityCheck() don't build if entity loop + were found and remove the associated text content +* tree.c: xmlStringGetNodeList() avoid a potential recursion + +Signed-off-by: Daniel Veillard +--- + parser.c | 6 +++++- + tree.c | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 32293d0..2ae44c5 100644 +--- a/parser.c ++++ b/parser.c +@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + * entities problems + */ + if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && +- (ent->content != NULL) && (ent->checked == 0)) { ++ (ent->content != NULL) && (ent->checked == 0) && ++ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) { + unsigned long oldnbent = ctxt->nbentities; + xmlChar *rep; + +@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ++ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { ++ ent->content[0] = 0; ++ } + + ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; + if (rep != NULL) { +diff --git a/tree.c b/tree.c +index 7e5af26..83ec66f 100644 +--- a/tree.c ++++ b/tree.c +@@ -1588,6 +1588,7 @@ xmlStringGetNodeList(xmlDocPtr doc, const xmlChar *value) { + else if ((ent != NULL) && (ent->children == NULL)) { + xmlNodePtr temp; + ++ ent->children = (xmlNodePtr) -1; + ent->children = xmlStringGetNodeList(doc, + (const xmlChar*)node->content); + ent->owner = 1; +-- +2.5.5 + diff --git a/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch b/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch new file mode 100644 index 0000000..c598fd0 --- /dev/null +++ b/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch @@ -0,0 +1,38 @@ +From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Mon, 7 Mar 2016 06:34:26 -0800 +Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup + +To: libvir-list@redhat.com + +* xmlregexp.c: +(xmlFAParseCharRange): Only advance to the next character if +there is no error. Advancing to the next character in case of +an error while parsing regexp leads to an out of bounds access. + +Signed-off-by: Daniel Veillard +--- + xmlregexp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xmlregexp.c b/xmlregexp.c +index 1f9911c..eb67b74 100644 +--- a/xmlregexp.c ++++ b/xmlregexp.c +@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { + ERROR("Expecting the end of a char range"); + return; + } +- NEXTL(len); ++ + /* TODO check that the values are acceptable character ranges for XML */ + if (end < start) { + ERROR("End of range is before start of range"); + } else { ++ NEXTL(len); + xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, + XML_REGEXP_CHARVAL, start, end, NULL); + } +-- +2.5.5 + diff --git a/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch b/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch new file mode 100644 index 0000000..2aba0e8 --- /dev/null +++ b/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch @@ -0,0 +1,99 @@ +From 23ee7ce40943d063f1a15d672ae893e9bf1b0924 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 12 Feb 2016 09:58:29 -0800 +Subject: [PATCH] Bug 758588: Heap-based buffer overread in + xmlParserPrintFileContextInternal + +To: libvir-list@redhat.com + +* parser.c: +(xmlParseEndTag2): Add bounds checks before dereferencing +ctxt->input->cur past the end of the buffer, or incrementing the +pointer past the end of the buffer. + +* result/errors/758588.xml: Add test result. +* result/errors/758588.xml.err: Ditto. +* result/errors/758588.xml.str: Ditto. +* test/errors/758588.xml: Add regression test. + +Signed-off-by: Daniel Veillard +--- + parser.c | 8 ++++++-- + result/errors/758588.xml | 0 + result/errors/758588.xml.err | 9 +++++++++ + result/errors/758588.xml.str | 10 ++++++++++ + test/errors/758588.xml | 1 + + 5 files changed, 26 insertions(+), 2 deletions(-) + create mode 100644 result/errors/758588.xml + create mode 100644 result/errors/758588.xml.err + create mode 100644 result/errors/758588.xml.str + create mode 100644 test/errors/758588.xml + +diff --git a/parser.c b/parser.c +index b1215ca..03bc4f8 100644 +--- a/parser.c ++++ b/parser.c +@@ -9758,6 +9758,7 @@ static void + xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, + const xmlChar *URI, int line, int nsNr, int tlen) { + const xmlChar *name; ++ size_t curLength; + + GROW; + if ((RAW != '<') || (NXT(1) != '/')) { +@@ -9766,8 +9767,11 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, + } + SKIP(2); + +- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { +- if (ctxt->input->cur[tlen] == '>') { ++ curLength = ctxt->input->end - ctxt->input->cur; ++ if ((tlen > 0) && (curLength >= (size_t)tlen) && ++ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { ++ if ((curLength >= (size_t)(tlen + 1)) && ++ (ctxt->input->cur[tlen] == '>')) { + ctxt->input->cur += tlen + 1; + goto done; + } +diff --git a/result/errors/758588.xml.err b/result/errors/758588.xml.err +new file mode 100644 +index 0000000..dfa59bc +--- /dev/null ++++ b/result/errors/758588.xml.err +@@ -0,0 +1,9 @@ ++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined ++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a ++ ^ ++./test/errors/758588.xml:1: parser error : expected '>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a>' ++2597946867209384634725979468672093846347259794686720938463472597946867261d:a> +Date: Tue Mar 1 11:34:04 2016 -0800 + + Bug 758605: Heap-based buffer overread in xmlDictAddString + + Reviewed by David Kilzer. + + * HTMLparser.c: + (htmlParseName): Add bounds check. + (htmlParseNameComplex): Ditto. + * result/HTML/758605.html: Added. + * result/HTML/758605.html.err: Added. + * result/HTML/758605.html.sax: Added. + * runtest.c: + (pushParseTest): The input for the new test case was so small + (4 bytes) that htmlParseChunk() was never called after + htmlCreatePushParserCtxt(), thereby creating a false positive + test failure. Fixed by using a do-while loop so we always call + htmlParseChunk() at least once. + * test/HTML/758605.html: Added. + +diff --git a/HTMLparser.c b/HTMLparser.c +index 4331d53..a897cb0 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { + (*in == '_') || (*in == '-') || + (*in == ':') || (*in == '.')) + in++; ++ ++ if (in == ctxt->input->end) ++ return(NULL); ++ + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); +@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) { + NEXTL(l); + c = CUR_CHAR(l); + } ++ ++ if (ctxt->input->base > ctxt->input->cur - len) ++ return(NULL); ++ + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); + } + +diff --git a/result/HTML/758605.html b/result/HTML/758605.html +new file mode 100644 +index 0000000..a085cce +--- /dev/null ++++ b/result/HTML/758605.html +@@ -0,0 +1,3 @@ ++ ++

& ++

+diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err +new file mode 100644 +index 0000000..2b82be6 +--- /dev/null ++++ b/result/HTML/758605.html.err +@@ -0,0 +1,3 @@ ++./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name ++ê ++ ^ +diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax +new file mode 100644 +index 0000000..1f5cd32 +--- /dev/null ++++ b/result/HTML/758605.html.sax +@@ -0,0 +1,13 @@ ++SAX.setDocumentLocator() ++SAX.startDocument() ++SAX.error: htmlParseEntityRef: no name ++SAX.startElement(html) ++SAX.startElement(body) ++SAX.startElement(p) ++SAX.characters(&, 1) ++SAX.ignorableWhitespace( ++, 1) ++SAX.endElement(p) ++SAX.endElement(body) ++SAX.endElement(html) ++SAX.endDocument() +diff --git a/runtest.c b/runtest.c +index ccdd49b..0afa788 100644 +--- a/runtest.c ++++ b/runtest.c +@@ -1824,7 +1824,7 @@ pushParseTest(const char *filename, const char *result, + ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); + xmlCtxtUseOptions(ctxt, options); + cur += 4; +- while (cur < size) { ++ do { + if (cur + 1024 >= size) { + #ifdef LIBXML_HTML_ENABLED + if (options & XML_PARSE_HTML) +@@ -1842,7 +1842,7 @@ pushParseTest(const char *filename, const char *result, + xmlParseChunk(ctxt, base + cur, 1024, 0); + cur += 1024; + } +- } ++ } while (cur < size); + doc = ctxt->myDoc; + #ifdef LIBXML_HTML_ENABLED + if (options & XML_PARSE_HTML) +diff --git a/test/HTML/758605.html b/test/HTML/758605.html +new file mode 100644 +index 0000000..9b1b3c2 +--- /dev/null ++++ b/test/HTML/758605.html +@@ -0,0 +1 @@ ++&:� diff --git a/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch b/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch new file mode 100644 index 0000000..6f0e9a6 --- /dev/null +++ b/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch @@ -0,0 +1,414 @@ +commit b226bfbe101b5160917bf649510c407ab997cb00 +Author: Pranjal Jumde +Date: Thu Mar 3 11:50:34 2016 -0800 + + Bug 759398: Heap use-after-free in xmlDictComputeFastKey + + * parser.c: + (xmlParseNCNameComplex): Store start position instead of a + pointer to the name since the underlying buffer may change, + resulting in a stale pointer being used. + * result/errors/759398.xml: Added. + * result/errors/759398.xml.err: Added. + * result/errors/759398.xml.str: Added. + * test/errors/759398.xml: Added test case. + +diff --git a/parser.c b/parser.c +index 03bc4f8..46ab0e8 100644 +--- a/parser.c ++++ b/parser.c +@@ -2008,6 +2008,7 @@ static int spacePop(xmlParserCtxtPtr ctxt) { + #define CUR (*ctxt->input->cur) + #define NXT(val) ctxt->input->cur[(val)] + #define CUR_PTR ctxt->input->cur ++#define BASE_PTR ctxt->input->base + + #define CMP4( s, c1, c2, c3, c4 ) \ + ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \ +@@ -3465,6 +3466,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ size_t startPosition = 0; + + #ifdef DEBUG + nbParseNCNameComplex++; +@@ -3474,6 +3476,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + * Handler for more complex cases + */ + GROW; ++ startPosition = CUR_PTR - BASE_PTR; + c = CUR_CHAR(l); + if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */ + (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) { +@@ -3509,7 +3512,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); ++ return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len)); + } + + /** +diff --git a/result/errors/759398.xml b/result/errors/759398.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err +new file mode 100644 +index 0000000..e08d9bf +--- /dev/null ++++ b/result/errors/759398.xml.err +@@ -0,0 +1,9 @@ ++./test/errors/759398.xml:210: parser error : StartTag: invalid element name ++need to worry about parsers whi ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++"> ++ ++'"> ++ ++ ++ ++ ++ ++ ++ ++ ++ ++amp, ++lt, ++gt, ++apos, ++quot"> ++ ++ ++ ++ ++ ++]> ++ ++ ++ ++ ++ ++
++Extensible Markup Language (XML) 1.0 ++ ++REC-xml-&iso6.doc.date; ++W3C Recommendation ++&draft.day;&draft.month;&draft.year; ++ ++ ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date; ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf ++ ++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps ++ ++ ++ ++htt����www.w3.org/TR/REC-xml ++ ++ ++ ++http://www.w3.org/TR/PR-xml-971208 ++ ++ ++ ++Tim Bray ++Textuality and Netscape ++tbray@textuality.com ++Jean Paoli ++Microsoft ++jeanpa@microsoft.com ++C. M. Sperberg-McQueen ++University of Illinois at Chicago ++cmsmcq@uic.edu ++ ++ ++

The Extensible Markup Language (XML) is a subset of ++SGML that is completely described in this document. Its goal is to ++enable generic SGML to be served, received, and processed on the Web ++in the way that is now possible with HTML. XML has been designed for ++ease of implementation and for interoperability with both SGML and ++HTML.

++ ++ ++

This document has been reviewed by W3C Members and ++other interested parties and has been endorsed by the ++Director as a W3C Recommendation. It is a stable ++document and may be used as reference material or cited ++as a normative reference from another document. W3C's ++role in making the Recommendation is to draw attention ++to the spPcification and to promote its widespread ++deployment. This enhances the functionality and ++interoperability of the Web.

++

++This document specifies a syntax created by subsetting an existing, ++widely used international text processing standard (Standard ++Generalized Markup Language, ISO 8879:1986(E) as amended and ++corrected) for use on the World Wide Web. It is a product of the W3C ++XML Activity, details of which can be found at http://www.w3.org/XML. A list of ++current W3C Recommendations and other technical documents can be found ++at http://www.w3.org/TR. ++

++

This specification uses the term URI, which is defined by , a work in progress expected to update and . ++

++

The list of known errors in this specification is ++available at ++http://www.w3.org/XML/xml-19980210-errata.

++

Please report errors in this document to ++xml-editor@w3.org. ++

++ ++ ++ ++ ++

Chicago, Vancouver, Mountain View, et al.: ++World-Wide Web Consortium, XML Working Group, 1996, 1997.

++ ++ ++

Created in electronic form.

++ ++ ++English ++Extended Backus-Naur Form (formal grammar) ++ ++ ++ ++1997-12-03 : CMSMcQ : yet further changes ++1997-12-02 : TB : further changes (see TB to XML WG, ++2 December 1997) ++1997-12-02 : CMSMcQ : deal with as many corrections and ++comments from the proofreaders as possible: ++entify hard-coded document date in pubdate element, ++change expansion of entity WebSGML, ++update status description as per Dan Connolly (am not sure ++about refernece to Berners-Lee et al.), ++add 'The' to abstract as per WG decision, ++move Relationship to Existing Standards to back matter and ++combine with References, ++re-order back matter so normative appendices come first, ++re-tag back matter so informative appendices are tagged informdiv1, ++remove XXX XXX from list of 'normative' specs in prose, ++move some references from Other References to Normative References, ++add RFC 1738, 1808, and 2141 to Other References (they are not ++normative since we do not require the processor to enforce any ++rules based on them), ++add reference to 'Fielding draft' (Berners-Lee et al.), ++move notation section to end of body, ++drop URIchar non-terminal and use SkipLit instead, ++lose stray reference to defunct nonterminal 'markupdecls', ++move reference to Aho et al. into appendix (Tim's right), ++add prose note saying that hash marks and fragment identifiers are ++NOT part of the URI formally speaking, and are NOT legal in ++system identifiers (processor 'may' signal an error). ++Work through: ++Tim Bray reacting to James Clark, ++Tim Bray on his own, ++Eve Maler, ++ ++NOT DONE YET: ++change binary / text to unparsed / parsed. ++handle James's suggestion about < in attriubte values ++uppercase hex characters, ++namechar list, ++ ++1997-12-01 : JB : add some column-width parameters ++1997-12-01 : CMSMcQ : begin round of changes to incorporate ++recent WG decisions and other corrections: ++binding sources of character encoding info (27 Aug / 3 Sept), ++correct wording of Faust quotation (restore dropped line), ++drop SDD from EncodingDecl, ++change text at version number 1.0, ++drop misleading (wrong!) sentence about ignorables and extenders, ++modify defin�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������xamples with Byte Order Mark. ++Add content model as a term and clarify that it applies to both ++mixed and element content. ++ ++1997-06-30 : CMSMcQ : change date, some cosmetic changes, ++changes to productions for choice, seq, Mixed, NotationType, ++Enumeration. Follow James Clark's suggestion and prohibit ++conditional sections in internal subset. TO DO: simplify ++production for ignored sections as a result, since we don't ++need to worry about parsers whi ++1997-06-29 : TB : various edits ++1997-06-29 : CMSMcQ : further changes: ++Suppress old FINAL EDIT comments and some dead material. ++Revise occurrences of % in grammar to exploit Henry Thompson's pun, ++especially markupdecl and attdef. ++Remove RMD requirement relating to element content (?). ++ ++1997-06-28 : CMSMcQ : Various changes for 1 July draft: ++Add text for draconian error handling (introduce ++the term Fatal Error). ++RE deleta est (changing wording from ++original announcement to restrict the requirement to validating ++parsers). ++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'. ++1997-03-21 : TB : massive changes on plane flight from Chicago ++to Vancouver ++1997-03-21 : CMSMcQ : correct as many reported errors as possible. ++ ++1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec. ++1997 James Clark: ++Define the set of characters from which [^abc] subtracts. ++Charref should use just [0-9] not Digit. ++Location info needs cleaner treatment: remove? (ERB ++question). ++One example of a PI has wrong pic. ++Clarify discussion of encoding names. ++Encoding failure should lead to unspecified results; don't ++prescribe error recovery. ++Don't require exposure of entity boundaries. ++Ignore white space in element content. ++Reserve entity names of the form u-NNNN. ++Clarify relative URLs. ++And some of my own: ++Correct productions for content model: model cannot ++consist of a name, so "elements ::= cp" is no good. ++ ++1996-11-11 : CMSMcQ : revise for style. ++Add new rhs to entity declaration, for parameter entities. ++1996-11-10 : CMSMcQ : revise for style. ++Fix / complete section on names, characters. ++Add sections on parameter entities, conditional sections. ++Still to do: Add compatibility note on deterministic content models. ++Finish stylistic revision. ++1996-10-31 : TB : Add Entity Handling section ++1996-10-30 : TB : Clean up term & termdef. Slip in ++ERB decision re EMPTY. ++1996-10-28 : TB : Change DTD. Implement some of Michael's ++suggestions. Change comments back to //. Introduce language for ++XML namespace reservation. Add section on white-space handling. ++Lots more cleanup. ++1996-10-24 : CMSMcQ : quick tweaks, implement some ERB ++decisions. Characters are not integers. Comments are /* */ not //. ++Add bibliographic refs to 10646, HyTime, Unicode. ++Rename old Cdata as MsData since it's only seen ++in marked sections. Call them attribute-value pairs not ++name-value pairs, except once. Internal subset is optional, needs ++'?'. Implied attributes should be signaled to the app, not ++have values supplied by processor. ++1996-10-16 : TB : track down & excise all DSD references; ++introduce some EBNF for entity declarations. ++1996-10-?? nsistency check, fix up scraps so ++they all parse, get formatter working, correct a few productions. ++1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and ++organizational changes: ++Replace a few literals with xmlpio and ++pi""entities, to make them consistent and ensure we can change pic ++reliably when the ERB votes. ++Drop paragraph on recognizers from notation section. ++Add match, exact match to terminology. ++Move old 2.2 XML Processors and Apps into intro. ++Mention comments, PIs, and marked sections in discussion of ++delimiter escaping. ++Streamline discussion of doctype decl syntax. ++Drop old section of 'PI syntax' for doctype decl, and add ++section on partial-DTD summary PIs to end of Logical Structures ++section. ++Revise DSD syntax section to use Tim's subset-in-a-PI ++mechanism. ++1996-10-10 : TB : eliminate name recognizers (and more?) ++1996-10-09 : CMSMcQ : revise for style, consistency through 2.3 ++(Characters) ++1996-10-09 : CMSMcQ : re-unite everything for convenience, ++at least temporarily, and revise quickly ++1996-10-08 : TB : first major homogenization pass ++1996-10-08 : TB : turn "current" attribute on div type into ++CDATA ++1996-10-02 : TB : remould into skeleton + entities ++1996-09-30 : CMSMcQ : add a few more sections prior to exchange ++ with Tim. ++1996-09-20 : CMSMcQ : finish transcribing notes. ++1996-09-19 : CMSMcQ : begin transcribing notes for draft. ++1996-09-13 : CMSMcQ : made outline from notes of 09-06, ++do some housekeeping ++ ++ ++
++<�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������m> is used to read XML documents ++and provide access to their content and structure. It is @ssumed that an XML processor is ++doing its work on behalf of another module, called the ++application. This specification describes the ++required beh\vior of an XML processor in terms of how it must read XML ++data and the information it must provide to the application.

++ ++ ++Origin and Goals ++

XML was developed by an XML Working Group (orisable over the ++Internet.

++

XML shall support a wide varie�y of applications.

 ++

XML shall be compatible with SGML.

 ++

It shall be easy to write programs which process XML ++documents.

 ++

The number of optional features in XML is to be kept to the ++absolute minimum, ideally zero.

 ++

XML documents shou +\ No newline at end of file diff --git a/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch b/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch new file mode 100644 index 0000000..8c2865f --- /dev/null +++ b/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch @@ -0,0 +1,53 @@ +From b1a4e51efbfb1ae3a37a14be73d438aaab6b5c9e Mon Sep 17 00:00:00 2001 +From: Pranjal Jumde +Date: Tue, 8 Mar 2016 17:29:00 -0800 +Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat + +To: libvir-list@redhat.com + +* xmlstring.c: +(xmlStrncat): Return NULL if xmlStrlen returns a negative length. +(xmlStrncatNew): Ditto. + +Signed-off-by: Daniel Veillard +--- + xmlstring.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/xmlstring.c b/xmlstring.c +index a37220d..d465c23 100644 +--- a/xmlstring.c ++++ b/xmlstring.c +@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { + return(xmlStrndup(add, len)); + + size = xmlStrlen(cur); ++ if (size < 0) ++ return(NULL); + ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { + xmlErrMemory(NULL, NULL); +@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { + int size; + xmlChar *ret; + +- if (len < 0) ++ if (len < 0) { + len = xmlStrlen(str2); ++ if (len < 0) ++ return(NULL); ++ } + if ((str2 == NULL) || (len == 0)) + return(xmlStrdup(str1)); + if (str1 == NULL) + return(xmlStrndup(str2, len)); + + size = xmlStrlen(str1); ++ if (size < 0) ++ return(NULL); + ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar)); + if (ret == NULL) { + xmlErrMemory(NULL, NULL); +-- +2.5.5 + diff --git a/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch b/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch new file mode 100644 index 0000000..a9d6725 --- /dev/null +++ b/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch @@ -0,0 +1,47 @@ +From be24335cbc0019894e6222bd817e717c41550c3c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 14 Mar 2016 17:19:44 +0800 +Subject: [PATCH] Fix inappropriate fetch of entities content +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=761430 + +libfuzzer regression testing exposed another case where the parser would +fetch content of an external entity while not in validating mode. +Plug that hole + +Signed-off-by: Daniel Veillard +--- + parser.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 46ab0e8..1936599 100644 +--- a/parser.c ++++ b/parser.c +@@ -2854,7 +2854,21 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + ctxt->nbentities += ent->checked / 2; + if (ent != NULL) { + if (ent->content == NULL) { +- xmlLoadEntityContent(ctxt, ent); ++ /* ++ * Note: external parsed entities will not be loaded, ++ * it is not required for a non-validating parser to ++ * complete external PEreferences coming from the ++ * internal subset ++ */ ++ if (((ctxt->options & XML_PARSE_NOENT) != 0) || ++ ((ctxt->options & XML_PARSE_DTDVALID) != 0) || ++ (ctxt->validate != 0)) { ++ xmlLoadEntityContent(ctxt, ent); ++ } else { ++ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING, ++ "not validating will not read content for PE entity %s\n", ++ ent->name, NULL); ++ } + } + ctxt->depth++; + rep = xmlStringDecodeEntities(ctxt, ent->content, what, +-- +2.5.5 + diff --git a/SOURCES/libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch b/SOURCES/libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch new file mode 100644 index 0000000..386abd4 --- /dev/null +++ b/SOURCES/libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch @@ -0,0 +1,1068 @@ +From 671658873655a1bb1e478894c0c71f9c98968fff Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Fri, 13 May 2016 15:13:17 +0800 +Subject: [PATCH] Fix some format string warnings with possible format string + vulnerability +To: libvir-list@redhat.com + +For https://bugzilla.gnome.org/show_bug.cgi?id=761029 + +Decorate every method in libxml2 with the appropriate +LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups +following the reports. + +Signed-off-by: Daniel Veillard +--- + HTMLparser.c | 4 +-- + SAX2.c | 12 ++++---- + catalog.c | 2 +- + configure.in | 4 +-- + debugXML.c | 4 +-- + encoding.c | 2 +- + entities.c | 2 +- + error.c | 2 +- + include/libxml/parserInternals.h | 2 +- + include/libxml/xmlerror.h | 2 +- + include/libxml/xmlstring.h | 8 ++--- + libxml.h | 2 +- + parser.c | 37 +++++++++++----------- + parserInternals.c | 4 +-- + relaxng.c | 4 +-- + schematron.c | 2 +- + testModule.c | 2 +- + valid.c | 8 ++--- + xinclude.c | 4 +-- + xmlIO.c | 14 ++++----- + xmllint.c | 20 ++++++------ + xmlreader.c | 16 +++++++--- + xmlschemas.c | 66 ++++++++++++++++++++-------------------- + xmlstring.c | 4 +-- + xmlwriter.c | 4 +-- + xpath.c | 2 +- + xpointer.c | 2 +- + 27 files changed, 121 insertions(+), 114 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index e7d802d..cd5ab05 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -105,7 +105,7 @@ htmlErrMemory(xmlParserCtxtPtr ctxt, const char *extra) + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -132,7 +132,7 @@ htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +diff --git a/SAX2.c b/SAX2.c +index 4adf202..d90f449 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -55,7 +55,7 @@ + * @ctxt: an XML validation parser context + * @msg: a string to accompany the error message + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) { + xmlStructuredErrorFunc schannel = NULL; + const char *str1 = "out of memory\n"; +@@ -93,7 +93,7 @@ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) { + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const char *str1, const char *str2) + { +@@ -133,7 +133,7 @@ xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -164,7 +164,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a parser warning + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1) + { +@@ -189,7 +189,7 @@ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a namespace error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -213,7 +213,7 @@ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a namespace warning + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +diff --git a/catalog.c b/catalog.c +index 8e34cd2..5c9f6de 100644 +--- a/catalog.c ++++ b/catalog.c +@@ -238,7 +238,7 @@ xmlCatalogErrMemory(const char *extra) + * + * Handle a catalog error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error, + const char *msg, const xmlChar *str1, const xmlChar *str2, + const xmlChar *str3) +diff --git a/configure.in b/configure.in +index d449b11..1dee5ba 100644 +--- a/configure.in ++++ b/configure.in +@@ -705,7 +705,7 @@ else + fi + + # warnings we'd like to see +- CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" ++ CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls" + # warnings we'd like to supress + CFLAGS="${CFLAGS} -Wno-long-long" + case "${host}" in +@@ -920,7 +920,7 @@ if [[ "${LOGNAME}" = "veillard" -a "`pwd`" = "/u/veillard/XML" ]] || \ + fi + fi + if test "${GCC}" = "yes" ; then +- CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" ++ CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall" + fi + STATIC_BINARIES="-static" + dnl -Wcast-qual -ansi +diff --git a/debugXML.c b/debugXML.c +index c8efe6a..b6e7b2f 100644 +--- a/debugXML.c ++++ b/debugXML.c +@@ -164,7 +164,7 @@ xmlDebugErr(xmlDebugCtxtPtr ctxt, int error, const char *msg) + NULL, NULL, NULL, 0, 0, + "%s", msg); + } +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra) + { + ctxt->errors++; +@@ -174,7 +174,7 @@ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra) + NULL, NULL, NULL, 0, 0, + msg, extra); + } +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlDebugErr3(xmlDebugCtxtPtr ctxt, int error, const char *msg, const char *extra) + { + ctxt->errors++; +diff --git a/encoding.c b/encoding.c +index 7330e90..dd62b3a 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -93,7 +93,7 @@ xmlEncodingErrMemory(const char *extra) + * + * n encoding error + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val) + { + __xmlRaiseError(NULL, NULL, NULL, NULL, NULL, +diff --git a/entities.c b/entities.c +index 0c484a7..f330959 100644 +--- a/entities.c ++++ b/entities.c +@@ -83,7 +83,7 @@ xmlEntitiesErrMemory(const char *extra) + * + * Handle an out of memory condition + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlEntitiesErr(xmlParserErrors code, const char *msg) + { + __xmlSimpleError(XML_FROM_TREE, code, NULL, msg, NULL); +diff --git a/error.c b/error.c +index 9c45040..2e8dfce 100644 +--- a/error.c ++++ b/error.c +@@ -18,7 +18,7 @@ + + void XMLCDECL xmlGenericErrorDefaultFunc (void *ctx ATTRIBUTE_UNUSED, + const char *msg, +- ...); ++ ...) LIBXML_ATTR_FORMAT(2,3); + + #define XML_GET_VAR_STR(msg, str) { \ + int size, prev_size = -1; \ +diff --git a/include/libxml/parserInternals.h b/include/libxml/parserInternals.h +index 6065320..f30fc68 100644 +--- a/include/libxml/parserInternals.h ++++ b/include/libxml/parserInternals.h +@@ -351,7 +351,7 @@ XMLPUBFUN void XMLCALL + xmlParserErrors xmlerr, + const char *msg, + const xmlChar * str1, +- const xmlChar * str2); ++ const xmlChar * str2) LIBXML_ATTR_FORMAT(3,0); + #endif + + /** +diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h +index 537a396..acd2cd7 100644 +--- a/include/libxml/xmlerror.h ++++ b/include/libxml/xmlerror.h +@@ -937,7 +937,7 @@ XMLPUBFUN void XMLCALL + int code, + xmlNodePtr node, + const char *msg, +- const char *extra); ++ const char *extra) LIBXML_ATTR_FORMAT(4,0); + #endif + #ifdef __cplusplus + } +diff --git a/include/libxml/xmlstring.h b/include/libxml/xmlstring.h +index 2036236..2d0b2d1 100644 +--- a/include/libxml/xmlstring.h ++++ b/include/libxml/xmlstring.h +@@ -97,13 +97,13 @@ XMLPUBFUN xmlChar * XMLCALL + XMLPUBFUN int XMLCALL + xmlStrPrintf (xmlChar *buf, + int len, +- const xmlChar *msg, +- ...); ++ const char *msg, ++ ...) LIBXML_ATTR_FORMAT(3,4); + XMLPUBFUN int XMLCALL + xmlStrVPrintf (xmlChar *buf, + int len, +- const xmlChar *msg, +- va_list ap); ++ const char *msg, ++ va_list ap) LIBXML_ATTR_FORMAT(3,0); + + XMLPUBFUN int XMLCALL + xmlGetUTF8Char (const unsigned char *utf, +diff --git a/libxml.h b/libxml.h +index 2da9044..4558b70 100644 +--- a/libxml.h ++++ b/libxml.h +@@ -68,7 +68,7 @@ extern int __xmlRegisterCallbacks; + * internal error reporting routines, shared but not partof the API. + */ + void __xmlIOErr(int domain, int code, const char *extra); +-void __xmlLoaderErr(void *ctx, const char *msg, const char *filename); ++void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0); + #ifdef LIBXML_HTML_ENABLED + /* + * internal function of HTML parser needed for xmlParseInNodeContext +diff --git a/parser.c b/parser.c +index 2ae44c5..7413596 100644 +--- a/parser.c ++++ b/parser.c +@@ -350,7 +350,6 @@ static void + xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + { + const char *errmsg; +- char errstr[129] = ""; + + if ((ctxt != NULL) && (ctxt->disableSAX != 0) && + (ctxt->instate == XML_PARSER_EOF)) +@@ -537,15 +536,17 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + default: + errmsg = "Unregistered error message"; + } +- if (info == NULL) +- snprintf(errstr, 128, "%s\n", errmsg); +- else +- snprintf(errstr, 128, "%s: %%s\n", errmsg); + if (ctxt != NULL) + ctxt->errNo = error; +- __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, +- XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, &errstr[0], +- info); ++ if (info == NULL) { ++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, ++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s\n", ++ errmsg); ++ } else { ++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error, ++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s: %s\n", ++ errmsg, info); ++ } + if (ctxt != NULL) { + ctxt->wellFormed = 0; + if (ctxt->recovery == 0) +@@ -561,7 +562,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg) + { +@@ -589,7 +590,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a warning. + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -627,7 +628,7 @@ xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a validity error. + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, const xmlChar *str2) + { +@@ -667,7 +668,7 @@ xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +@@ -697,7 +698,7 @@ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar *str1, int val, + const xmlChar *str2) +@@ -727,7 +728,7 @@ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar * val) + { +@@ -756,7 +757,7 @@ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a non fatal parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const xmlChar * val) + { +@@ -781,7 +782,7 @@ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a fatal parser error, i.e. violating Well-Formedness constraints + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, + const xmlChar * info1, const xmlChar * info2, +@@ -810,7 +811,7 @@ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a namespace warning error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, + const xmlChar * info1, const xmlChar * info2, +@@ -5510,7 +5511,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + skipped = SKIP_BLANKS; + if (skipped == 0) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, +- "Space required after '%'\n"); ++ "Space required after '%%'\n"); + } + isParameter = 1; + } +diff --git a/parserInternals.c b/parserInternals.c +index 341d6a1..aac6420 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -169,7 +169,7 @@ __xmlErrEncoding(xmlParserCtxtPtr ctxt, xmlParserErrors xmlerr, + * + * Handle an internal error + */ +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str) + { + if ((ctxt != NULL) && (ctxt->disableSAX != 0) && +@@ -197,7 +197,7 @@ xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str) + * + * n encoding error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrEncodingInt(xmlParserCtxtPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +diff --git a/relaxng.c b/relaxng.c +index 370e314..b531081 100644 +--- a/relaxng.c ++++ b/relaxng.c +@@ -507,7 +507,7 @@ xmlRngVErrMemory(xmlRelaxNGValidCtxtPtr ctxt, const char *extra) + * + * Handle a Relax NG Parsing error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +@@ -541,7 +541,7 @@ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error, + * + * Handle a Relax NG Validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlRngVErr(xmlRelaxNGValidCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +diff --git a/schematron.c b/schematron.c +index 537b868..6f80c5c 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -243,7 +243,7 @@ xmlSchematronPErrMemory(xmlSchematronParserCtxtPtr ctxt, + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchematronPErr(xmlSchematronParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +diff --git a/testModule.c b/testModule.c +index e399f5c..77b7ba1 100644 +--- a/testModule.c ++++ b/testModule.c +@@ -47,7 +47,7 @@ int main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) { + + /* build the module filename, and confirm the module exists */ + xmlStrPrintf(filename, sizeof(filename), +- (const xmlChar*) "%s/testdso%s", ++ "%s/testdso%s", + (const xmlChar*)MODULE_PATH, + (const xmlChar*)LIBXML_MODULE_EXTENSION); + +diff --git a/valid.c b/valid.c +index 6e53a76..657e3c8 100644 +--- a/valid.c ++++ b/valid.c +@@ -93,7 +93,7 @@ xmlVErrMemory(xmlValidCtxtPtr ctxt, const char *extra) + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error, + const char *msg, const char *extra) + { +@@ -137,7 +137,7 @@ xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error, + * + * Handle a validation error, provide contextual informations + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidNode(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +@@ -180,7 +180,7 @@ xmlErrValidNode(xmlValidCtxtPtr ctxt, + * + * Handle a validation error, provide contextual informations + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidNodeNr(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +@@ -221,7 +221,7 @@ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt, + * + * Handle a validation error, provide contextual information + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlErrValidWarning(xmlValidCtxtPtr ctxt, + xmlNodePtr node, xmlParserErrors error, + const char *msg, const xmlChar * str1, +diff --git a/xinclude.c b/xinclude.c +index ace005b..f56c7c4 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -124,7 +124,7 @@ xmlXIncludeErrMemory(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, + * + * Handle an XInclude error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar *extra) + { +@@ -146,7 +146,7 @@ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, + * + * Emit an XInclude warning. + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlXIncludeWarn(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar *extra) + { +diff --git a/xmlIO.c b/xmlIO.c +index fc4e111..90a93e3 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -1590,7 +1590,7 @@ xmlCreateZMemBuff( int compression ) { + xmlFreeZMemBuff( buff ); + buff = NULL; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlCreateZMemBuff: %s %d\n", ++ "xmlCreateZMemBuff: %s %d\n", + "Error initializing compression context. ZLIB error:", + z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1658,7 +1658,7 @@ xmlZMemBuffExtend( xmlZMemBuffPtr buff, size_t ext_amt ) { + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffExtend: %s %lu bytes.\n", ++ "xmlZMemBuffExtend: %s %lu bytes.\n", + "Allocation failure extending output buffer to", + new_size ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1704,7 +1704,7 @@ xmlZMemBuffAppend( xmlZMemBuffPtr buff, const char * src, int len ) { + if ( z_err != Z_OK ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffAppend: %s %d %s - %d", ++ "xmlZMemBuffAppend: %s %d %s - %d", + "Compression error while appending", + len, "bytes to buffer. ZLIB error", z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -1777,7 +1777,7 @@ xmlZMemBuffGetContent( xmlZMemBuffPtr buff, char ** data_ref ) { + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlZMemBuffGetContent: %s - %d\n", ++ "xmlZMemBuffGetContent: %s - %d\n", + "Error flushing zlib buffers. Error code", z_err ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); + } +@@ -1982,7 +1982,7 @@ xmlIOHTTPWrite( void * context, const char * buffer, int len ) { + if ( len < 0 ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPWrite: %s\n%s '%s'.\n", ++ "xmlIOHTTPWrite: %s\n%s '%s'.\n", + "Error appending to internal buffer.", + "Error sending document to URI", + ctxt->uri ); +@@ -2054,7 +2054,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) { + if ( http_content == NULL ) { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", ++ "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n", + "Error retrieving content.\nUnable to", + http_mthd, "data to URI", ctxt->uri ); + xmlIOErr(XML_IO_WRITE, (const char *) msg); +@@ -2126,7 +2126,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) { + else { + xmlChar msg[500]; + xmlStrPrintf(msg, 500, +- (const xmlChar *) "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", ++ "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n", + http_mthd, content_lgth, + "bytes to URI", ctxt->uri, + "failed. HTTP return code:", http_rtn ); +diff --git a/xmllint.c b/xmllint.c +index 26d8db1..85552cf 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -449,7 +449,7 @@ startTimer(void) + * message about the timing performed; format is a printf + * type argument + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(const char *fmt, ...) + { + long msec; +@@ -485,7 +485,7 @@ startTimer(void) + { + begin = clock(); + } +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(const char *fmt, ...) + { + long msec; +@@ -514,7 +514,7 @@ startTimer(void) + * Do nothing + */ + } +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2) + endTimer(char *format, ...) + { + /* +@@ -634,7 +634,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) { + * Display and format an error messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLError(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -671,7 +671,7 @@ xmlHTMLError(void *ctx, const char *msg, ...) + * Display and format a warning messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLWarning(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -709,7 +709,7 @@ xmlHTMLWarning(void *ctx, const char *msg, ...) + * Display and format an validity error messages, gives file, + * line, position and extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLValidityError(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -746,7 +746,7 @@ xmlHTMLValidityError(void *ctx, const char *msg, ...) + * Display and format a validity warning messages, gives file, line, + * position and extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlHTMLValidityWarning(void *ctx, const char *msg, ...) + { + xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx; +@@ -1410,7 +1410,7 @@ commentDebug(void *ctx ATTRIBUTE_UNUSED, const xmlChar *value) + * Display and format a warning messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +@@ -1433,7 +1433,7 @@ warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + * Display and format a error messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +@@ -1456,7 +1456,7 @@ errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + * Display and format a fatalError messages, gives file, line, position and + * extra parameters. + */ +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...) + { + va_list args; +diff --git a/xmlreader.c b/xmlreader.c +index 4fabaa9..d72129b 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -4036,13 +4036,19 @@ xmlTextReaderCurrentDoc(xmlTextReaderPtr reader) { + } + + #ifdef LIBXML_SCHEMAS_ENABLED +-static char *xmlTextReaderBuildMessage(const char *msg, va_list ap); ++static char *xmlTextReaderBuildMessage(const char *msg, va_list ap) LIBXML_ATTR_FORMAT(1,0); + + static void XMLCDECL +-xmlTextReaderValidityError(void *ctxt, const char *msg, ...); ++xmlTextReaderValidityError(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + + static void XMLCDECL +-xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...); ++xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); ++ ++static void XMLCDECL ++xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); ++ ++static void XMLCDECL ++xmlTextReaderValidityWarningRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3); + + static void XMLCDECL + xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) +@@ -4836,7 +4842,7 @@ xmlTextReaderStructuredError(void *ctxt, xmlErrorPtr error) + } + } + +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlTextReaderError(void *ctxt, const char *msg, ...) + { + va_list ap; +@@ -4849,7 +4855,7 @@ xmlTextReaderError(void *ctxt, const char *msg, ...) + + } + +-static void XMLCDECL ++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3) + xmlTextReaderWarning(void *ctxt, const char *msg, ...) + { + va_list ap; +diff --git a/xmlschemas.c b/xmlschemas.c +index 121533f..398cdd8 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -1085,7 +1085,7 @@ xmlSchemaGetUnionSimpleTypeMemberTypes(xmlSchemaTypePtr type); + static void + xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, +- const char *message); ++ const char *message) LIBXML_ATTR_FORMAT(3,0); + static int + xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt, + xmlSchemaTypePtr type, +@@ -1889,7 +1889,7 @@ xmlSchemaPErrMemory(xmlSchemaParserCtxtPtr ctxt, + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) + { +@@ -1922,7 +1922,7 @@ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + xmlNodePtr child, int error, + const char *msg, const xmlChar * str1, const xmlChar * str2) +@@ -1951,7 +1951,7 @@ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + * + * Handle a parser error + */ +-static void ++static void LIBXML_ATTR_FORMAT(7,0) + xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error, + const xmlChar * strData1, const xmlChar * strData2, + const xmlChar * strData3, const char *msg, const xmlChar * str1, +@@ -2002,7 +2002,7 @@ xmlSchemaVErrMemory(xmlSchemaValidCtxtPtr ctxt, + extra); + } + +-static void ++static void LIBXML_ATTR_FORMAT(2,0) + xmlSchemaPSimpleInternalErr(xmlNodePtr node, + const char *msg, const xmlChar *str) + { +@@ -2013,18 +2013,21 @@ xmlSchemaPSimpleInternalErr(xmlNodePtr node, + #define WXS_ERROR_TYPE_ERROR 1 + #define WXS_ERROR_TYPE_WARNING 2 + /** +- * xmlSchemaErr3: ++ * xmlSchemaErr4Line: + * @ctxt: the validation context +- * @node: the context node ++ * @errorLevel: the error level + * @error: the error code ++ * @node: the context node ++ * @line: the line number + * @msg: the error message + * @str1: extra data + * @str2: extra data + * @str3: extra data ++ * @str4: extra data + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(6,0) + xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt, + xmlErrorLevel errorLevel, + int error, xmlNodePtr node, int line, const char *msg, +@@ -2137,7 +2140,7 @@ xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt, + * + * Handle a validation error + */ +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2, const xmlChar *str3) +@@ -2146,7 +2149,7 @@ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt, + msg, str1, str2, str3, NULL); + } + +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2, +@@ -2156,7 +2159,7 @@ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt, + msg, str1, str2, str3, str4); + } + +-static void ++static void LIBXML_ATTR_FORMAT(4,0) + xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt, + int error, xmlNodePtr node, const char *msg, + const xmlChar *str1, const xmlChar *str2) +@@ -2179,7 +2182,7 @@ xmlSchemaFormatNodeForError(xmlChar ** msg, + /* + * Don't try to format other nodes than element and + * attribute nodes. +- * Play save and return an empty string. ++ * Play safe and return an empty string. + */ + *msg = xmlStrdup(BAD_CAST ""); + return(*msg); +@@ -2260,7 +2263,7 @@ xmlSchemaFormatNodeForError(xmlChar ** msg, + return (*msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message, +@@ -2271,24 +2274,21 @@ xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt, + + if (actxt == NULL) + return; +- msg = xmlStrdup(BAD_CAST "Internal error: "); +- msg = xmlStrcat(msg, BAD_CAST funcName); +- msg = xmlStrcat(msg, BAD_CAST ", "); ++ msg = xmlStrdup(BAD_CAST "Internal error: %s, "); + msg = xmlStrcat(msg, BAD_CAST message); + msg = xmlStrcat(msg, BAD_CAST ".\n"); + + if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR) +- xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL, +- (const char *) msg, str1, str2); +- ++ xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + else if (actxt->type == XML_SCHEMA_CTXT_PARSER) +- xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL, +- (const char *) msg, str1, str2); ++ xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL, ++ (const char *) msg, (const xmlChar *) funcName, str1, str2); + + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + const char *funcName, + const char *message) +@@ -2297,7 +2297,7 @@ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt, + } + + #if 0 +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, + const char *funcName, + const char *message, +@@ -2309,7 +2309,7 @@ xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt, + } + #endif + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2334,7 +2334,7 @@ xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt, + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2349,7 +2349,7 @@ xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt, + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2374,7 +2374,7 @@ xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt, + + + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt, + xmlParserErrors error, + xmlSchemaPSVIIDCNodePtr idcNode, +@@ -2523,7 +2523,7 @@ xmlSchemaIllegalAttrErr(xmlSchemaAbstractCtxtPtr actxt, + FREE_AND_NULL(msg) + } + +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2623,7 +2623,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, + xmlFree(msg); + } + +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -2914,7 +2914,7 @@ xmlSchemaPIllegalAttrErr(xmlSchemaParserCtxtPtr ctxt, + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2950,7 +2950,7 @@ xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt, + * + * Reports an error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(5,0) + xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr item, +@@ -2975,7 +2975,7 @@ xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt, + * + * Reports an attribute use error during parsing. + */ +-static void ++static void LIBXML_ATTR_FORMAT(6,0) + xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlNodePtr node, +@@ -3097,7 +3097,7 @@ xmlSchemaPMutualExclAttrErr(xmlSchemaParserCtxtPtr ctxt, + * Reports a simple type validation error. + * TODO: Should this report the value of an element as well? + */ +-static void ++static void LIBXML_ATTR_FORMAT(8,0) + xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, + xmlParserErrors error, + xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED, +diff --git a/xmlstring.c b/xmlstring.c +index d465c23..c66eef3 100644 +--- a/xmlstring.c ++++ b/xmlstring.c +@@ -545,7 +545,7 @@ xmlStrcat(xmlChar *cur, const xmlChar *add) { + * Returns the number of characters written to @buf or -1 if an error occurs. + */ + int XMLCDECL +-xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { ++xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) { + va_list args; + int ret; + +@@ -573,7 +573,7 @@ xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) { + * Returns the number of characters written to @buf or -1 if an error occurs. + */ + int +-xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) { ++xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) { + int ret; + + if((buf == NULL) || (msg == NULL)) { +diff --git a/xmlwriter.c b/xmlwriter.c +index d3f29f8..92c4bb2 100644 +--- a/xmlwriter.c ++++ b/xmlwriter.c +@@ -109,7 +109,7 @@ static int xmlTextWriterWriteDocCallback(void *context, + const xmlChar * str, int len); + static int xmlTextWriterCloseDocCallback(void *context); + +-static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr); ++static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr) LIBXML_ATTR_FORMAT(1,0); + static int xmlOutputBufferWriteBase64(xmlOutputBufferPtr out, int len, + const unsigned char *data); + static void xmlTextWriterStartDocumentCallback(void *ctx); +@@ -149,7 +149,7 @@ xmlWriterErrMsg(xmlTextWriterPtr ctxt, xmlParserErrors error, + * + * Handle a writer error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlWriterErrMsgInt(xmlTextWriterPtr ctxt, xmlParserErrors error, + const char *msg, int val) + { +diff --git a/xpath.c b/xpath.c +index 97410e7..6ddf491 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -348,7 +348,7 @@ xmlXPathErrMemory(xmlXPathContextPtr ctxt, const char *extra) + xmlChar buf[200]; + + xmlStrPrintf(buf, 200, +- BAD_CAST "Memory allocation failed : %s\n", ++ "Memory allocation failed : %s\n", + extra); + ctxt->lastError.message = (char *) xmlStrdup(buf); + } else { +diff --git a/xpointer.c b/xpointer.c +index 46f11e8..1a48812 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -85,7 +85,7 @@ xmlXPtrErrMemory(const char *extra) + * + * Handle a redefinition of attribute error + */ +-static void ++static void LIBXML_ATTR_FORMAT(3,0) + xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error, + const char * msg, const xmlChar *extra) + { +-- +2.5.5 + diff --git a/SOURCES/libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch b/SOURCES/libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch new file mode 100644 index 0000000..2180697 --- /dev/null +++ b/SOURCES/libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch @@ -0,0 +1,342 @@ +commit c26d0004e779316830d93120dbfe98f6eee0783b +Author: Pranjal Jumde +Date: Tue Mar 1 15:18:04 2016 -0800 + + Heap-based buffer overread in htmlCurrentChar + + For https://bugzilla.gnome.org/show_bug.cgi?id=758606 + + * parserInternals.c: + (xmlNextChar): Add an test to catch other issues on ctxt->input + corruption proactively. + For non-UTF-8 charsets, xmlNextChar() failed to check for the end + of the input buffer and would continuing reading. Fix this by + pulling out the check for the end of the input buffer into common + code, and return if we reach the end of the input buffer + prematurely. + * result/HTML/758606.html: Added. + * result/HTML/758606.html.err: Added. + * result/HTML/758606.html.sax: Added. + * result/HTML/758606_2.html: Added. + * result/HTML/758606_2.html.err: Added. + * result/HTML/758606_2.html.sax: Added. + * test/HTML/758606.html: Added test case. + * test/HTML/758606_2.html: Added test case. + +diff --git a/parserInternals.c b/parserInternals.c +index 1fe1f6a..341d6a1 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -55,6 +55,10 @@ + #include + #include + ++#define CUR(ctxt) ctxt->input->cur ++#define END(ctxt) ctxt->input->end ++#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt)) ++ + #include "buf.h" + #include "enc.h" + +@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt) + (ctxt->input == NULL)) + return; + +- if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { +- if ((*ctxt->input->cur == 0) && +- (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) && +- (ctxt->instate != XML_PARSER_COMMENT)) { +- /* +- * If we are at the end of the current entity and +- * the context allows it, we pop consumed entities +- * automatically. +- * the auto closing should be blocked in other cases +- */ ++ if (!(VALID_CTXT(ctxt))) { ++ xmlErrInternal(ctxt, "Parser input data memory error\n", NULL); ++ ctxt->errNo = XML_ERR_INTERNAL_ERROR; ++ xmlStopParser(ctxt); ++ return; ++ } ++ ++ if ((*ctxt->input->cur == 0) && ++ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) { ++ if ((ctxt->instate != XML_PARSER_COMMENT)) + xmlPopInput(ctxt); +- } else { +- const unsigned char *cur; +- unsigned char c; ++ return; ++ } + +- /* +- * 2.11 End-of-Line Handling +- * the literal two-character sequence "#xD#xA" or a standalone +- * literal #xD, an XML processor must pass to the application +- * the single character #xA. +- */ +- if (*(ctxt->input->cur) == '\n') { +- ctxt->input->line++; ctxt->input->col = 1; +- } else +- ctxt->input->col++; ++ if (ctxt->charset == XML_CHAR_ENCODING_UTF8) { ++ const unsigned char *cur; ++ unsigned char c; + +- /* +- * We are supposed to handle UTF8, check it's valid +- * From rfc2044: encoding of the Unicode values on UTF-8: +- * +- * UCS-4 range (hex.) UTF-8 octet sequence (binary) +- * 0000 0000-0000 007F 0xxxxxxx +- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx +- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx +- * +- * Check for the 0x110000 limit too +- */ +- cur = ctxt->input->cur; ++ /* ++ * 2.11 End-of-Line Handling ++ * the literal two-character sequence "#xD#xA" or a standalone ++ * literal #xD, an XML processor must pass to the application ++ * the single character #xA. ++ */ ++ if (*(ctxt->input->cur) == '\n') { ++ ctxt->input->line++; ctxt->input->col = 1; ++ } else ++ ctxt->input->col++; + +- c = *cur; +- if (c & 0x80) { +- if (c == 0xC0) +- goto encoding_error; +- if (cur[1] == 0) { ++ /* ++ * We are supposed to handle UTF8, check it's valid ++ * From rfc2044: encoding of the Unicode values on UTF-8: ++ * ++ * UCS-4 range (hex.) UTF-8 octet sequence (binary) ++ * 0000 0000-0000 007F 0xxxxxxx ++ * 0000 0080-0000 07FF 110xxxxx 10xxxxxx ++ * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx ++ * ++ * Check for the 0x110000 limit too ++ */ ++ cur = ctxt->input->cur; ++ ++ c = *cur; ++ if (c & 0x80) { ++ if (c == 0xC0) ++ goto encoding_error; ++ if (cur[1] == 0) { ++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK); ++ cur = ctxt->input->cur; ++ } ++ if ((cur[1] & 0xc0) != 0x80) ++ goto encoding_error; ++ if ((c & 0xe0) == 0xe0) { ++ unsigned int val; ++ ++ if (cur[2] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; + } +- if ((cur[1] & 0xc0) != 0x80) ++ if ((cur[2] & 0xc0) != 0x80) + goto encoding_error; +- if ((c & 0xe0) == 0xe0) { +- unsigned int val; +- +- if (cur[2] == 0) { ++ if ((c & 0xf0) == 0xf0) { ++ if (cur[3] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; + } +- if ((cur[2] & 0xc0) != 0x80) ++ if (((c & 0xf8) != 0xf0) || ++ ((cur[3] & 0xc0) != 0x80)) + goto encoding_error; +- if ((c & 0xf0) == 0xf0) { +- if (cur[3] == 0) { +- xmlParserInputGrow(ctxt->input, INPUT_CHUNK); +- cur = ctxt->input->cur; +- } +- if (((c & 0xf8) != 0xf0) || +- ((cur[3] & 0xc0) != 0x80)) +- goto encoding_error; +- /* 4-byte code */ +- ctxt->input->cur += 4; +- val = (cur[0] & 0x7) << 18; +- val |= (cur[1] & 0x3f) << 12; +- val |= (cur[2] & 0x3f) << 6; +- val |= cur[3] & 0x3f; +- } else { +- /* 3-byte code */ +- ctxt->input->cur += 3; +- val = (cur[0] & 0xf) << 12; +- val |= (cur[1] & 0x3f) << 6; +- val |= cur[2] & 0x3f; +- } +- if (((val > 0xd7ff) && (val < 0xe000)) || +- ((val > 0xfffd) && (val < 0x10000)) || +- (val >= 0x110000)) { +- xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, +- "Char 0x%X out of allowed range\n", +- val); +- } +- } else +- /* 2-byte code */ +- ctxt->input->cur += 2; ++ /* 4-byte code */ ++ ctxt->input->cur += 4; ++ val = (cur[0] & 0x7) << 18; ++ val |= (cur[1] & 0x3f) << 12; ++ val |= (cur[2] & 0x3f) << 6; ++ val |= cur[3] & 0x3f; ++ } else { ++ /* 3-byte code */ ++ ctxt->input->cur += 3; ++ val = (cur[0] & 0xf) << 12; ++ val |= (cur[1] & 0x3f) << 6; ++ val |= cur[2] & 0x3f; ++ } ++ if (((val > 0xd7ff) && (val < 0xe000)) || ++ ((val > 0xfffd) && (val < 0x10000)) || ++ (val >= 0x110000)) { ++ xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, ++ "Char 0x%X out of allowed range\n", ++ val); ++ } + } else +- /* 1-byte code */ +- ctxt->input->cur++; ++ /* 2-byte code */ ++ ctxt->input->cur += 2; ++ } else ++ /* 1-byte code */ ++ ctxt->input->cur++; + +- ctxt->nbChars++; +- if (*ctxt->input->cur == 0) +- xmlParserInputGrow(ctxt->input, INPUT_CHUNK); +- } ++ ctxt->nbChars++; ++ if (*ctxt->input->cur == 0) ++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + } else { + /* + * Assume it's a fixed length encoding (1) with +diff --git a/result/HTML/758606.html b/result/HTML/758606.html +new file mode 100644 +index 0000000..4f21f62 +--- /dev/null ++++ b/result/HTML/758606.html +@@ -0,0 +1,2 @@ ++ ++ +diff --git a/result/HTML/758606.html.err b/result/HTML/758606.html.err +new file mode 100644 +index 0000000..060433a +--- /dev/null ++++ b/result/HTML/758606.html.err +@@ -0,0 +1,16 @@ ++./test/HTML/758606.html:1: HTML parser error : Comment not terminated ++