diff --git a/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch b/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch
new file mode 100644
index 0000000..5f7200d
--- /dev/null
+++ b/SOURCES/libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch
@@ -0,0 +1,72 @@
+From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001
+From: Peter Simons <psimons@suse.com>
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: [PATCH] Add missing increments of recursion depth counter to XML
+ parser.
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 0accf54..32293d0 100644
+--- a/parser.c
++++ b/parser.c
+@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+
+ ent->checked = 1;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Avoid-building-recursive-entities.patch b/SOURCES/libxml2-Avoid-building-recursive-entities.patch
new file mode 100644
index 0000000..5507537
--- /dev/null
+++ b/SOURCES/libxml2-Avoid-building-recursive-entities.patch
@@ -0,0 +1,62 @@
+From 2fc95df152622cf5cf1d478af6ed3538e170118b Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 May 2016 12:27:58 +0800
+Subject: [PATCH] Avoid building recursive entities
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=762100
+
+When we detect a recusive entity we should really not
+build the associated data, moreover if someone bypass
+libxml2 fatal errors and still tries to serialize a broken
+entity make sure we don't risk to get ito a recursion
+
+* parser.c: xmlParserEntityCheck() don't build if entity loop
+ were found and remove the associated text content
+* tree.c: xmlStringGetNodeList() avoid a potential recursion
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 6 +++++-
+ tree.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 32293d0..2ae44c5 100644
+--- a/parser.c
++++ b/parser.c
+@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ * entities problems
+ */
+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+- (ent->content != NULL) && (ent->checked == 0)) {
++ (ent->content != NULL) && (ent->checked == 0) &&
++ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
+ unsigned long oldnbent = ctxt->nbentities;
+ xmlChar *rep;
+
+@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
++ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
++ ent->content[0] = 0;
++ }
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+diff --git a/tree.c b/tree.c
+index 7e5af26..83ec66f 100644
+--- a/tree.c
++++ b/tree.c
+@@ -1588,6 +1588,7 @@ xmlStringGetNodeList(xmlDocPtr doc, const xmlChar *value) {
+ else if ((ent != NULL) && (ent->children == NULL)) {
+ xmlNodePtr temp;
+
++ ent->children = (xmlNodePtr) -1;
+ ent->children = xmlStringGetNodeList(doc,
+ (const xmlChar*)node->content);
+ ent->owner = 1;
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch b/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch
new file mode 100644
index 0000000..c598fd0
--- /dev/null
+++ b/SOURCES/libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch
@@ -0,0 +1,38 @@
+From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+ <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
+To: libvir-list@redhat.com
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error. Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xmlregexp.c b/xmlregexp.c
+index 1f9911c..eb67b74 100644
+--- a/xmlregexp.c
++++ b/xmlregexp.c
+@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
+ ERROR("Expecting the end of a char range");
+ return;
+ }
+- NEXTL(len);
++
+ /* TODO check that the values are acceptable character ranges for XML */
+ if (end < start) {
+ ERROR("End of range is before start of range");
+ } else {
++ NEXTL(len);
+ xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ XML_REGEXP_CHARVAL, start, end, NULL);
+ }
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch b/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch
new file mode 100644
index 0000000..2aba0e8
--- /dev/null
+++ b/SOURCES/libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch
@@ -0,0 +1,99 @@
+From 23ee7ce40943d063f1a15d672ae893e9bf1b0924 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Fri, 12 Feb 2016 09:58:29 -0800
+Subject: [PATCH] Bug 758588: Heap-based buffer overread in
+ xmlParserPrintFileContextInternal
+ <https://bugzilla.gnome.org/show_bug.cgi?id=758588>
+To: libvir-list@redhat.com
+
+* parser.c:
+(xmlParseEndTag2): Add bounds checks before dereferencing
+ctxt->input->cur past the end of the buffer, or incrementing the
+pointer past the end of the buffer.
+
+* result/errors/758588.xml: Add test result.
+* result/errors/758588.xml.err: Ditto.
+* result/errors/758588.xml.str: Ditto.
+* test/errors/758588.xml: Add regression test.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 8 ++++++--
+ result/errors/758588.xml | 0
+ result/errors/758588.xml.err | 9 +++++++++
+ result/errors/758588.xml.str | 10 ++++++++++
+ test/errors/758588.xml | 1 +
+ 5 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/758588.xml
+ create mode 100644 result/errors/758588.xml.err
+ create mode 100644 result/errors/758588.xml.str
+ create mode 100644 test/errors/758588.xml
+
+diff --git a/parser.c b/parser.c
+index b1215ca..03bc4f8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9758,6 +9758,7 @@ static void
+ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
+ const xmlChar *URI, int line, int nsNr, int tlen) {
+ const xmlChar *name;
++ size_t curLength;
+
+ GROW;
+ if ((RAW != '<') || (NXT(1) != '/')) {
+@@ -9766,8 +9767,11 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
+ }
+ SKIP(2);
+
+- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
+- if (ctxt->input->cur[tlen] == '>') {
++ curLength = ctxt->input->end - ctxt->input->cur;
++ if ((tlen > 0) && (curLength >= (size_t)tlen) &&
++ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
++ if ((curLength >= (size_t)(tlen + 1)) &&
++ (ctxt->input->cur[tlen] == '>')) {
+ ctxt->input->cur += tlen + 1;
+ goto done;
+ }
+diff --git a/result/errors/758588.xml.err b/result/errors/758588.xml.err
+new file mode 100644
+index 0000000..dfa59bc
+--- /dev/null
++++ b/result/errors/758588.xml.err
+@@ -0,0 +1,9 @@
++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined
++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a
++ ^
++./test/errors/758588.xml:1: parser error : expected '>'
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++ ^
++./test/errors/758588.xml:1: parser error : Opening and ending tag mismatch: a line 1 and a
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++ ^
+diff --git a/result/errors/758588.xml.str b/result/errors/758588.xml.str
+new file mode 100644
+index 0000000..303ee0c
+--- /dev/null
++++ b/result/errors/758588.xml.str
+@@ -0,0 +1,10 @@
++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined
++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a
++ ^
++./test/errors/758588.xml:1: parser error : expected '>'
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++ ^
++./test/errors/758588.xml:1: parser error : Opening and ending tag mismatch: a line 1 and a
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
++ ^
++./test/errors/758588.xml : failed to parse
+diff --git a/test/errors/758588.xml b/test/errors/758588.xml
+new file mode 100644
+index 0000000..bec7e93
+--- /dev/null
++++ b/test/errors/758588.xml
+@@ -0,0 +1 @@
++<a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d:a></a
+\ No newline at end of file
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch b/SOURCES/libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch
new file mode 100644
index 0000000..b7ee626
--- /dev/null
+++ b/SOURCES/libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch
@@ -0,0 +1,114 @@
+commit 3018042fd3c11c3d6cda36b3cbae4f7bb4f20c3d
+Author: Pranjal Jumde <pjumde@apple.com>
+Date: Tue Mar 1 11:34:04 2016 -0800
+
+ Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
+
+ Reviewed by David Kilzer.
+
+ * HTMLparser.c:
+ (htmlParseName): Add bounds check.
+ (htmlParseNameComplex): Ditto.
+ * result/HTML/758605.html: Added.
+ * result/HTML/758605.html.err: Added.
+ * result/HTML/758605.html.sax: Added.
+ * runtest.c:
+ (pushParseTest): The input for the new test case was so small
+ (4 bytes) that htmlParseChunk() was never called after
+ htmlCreatePushParserCtxt(), thereby creating a false positive
+ test failure. Fixed by using a do-while loop so we always call
+ htmlParseChunk() at least once.
+ * test/HTML/758605.html: Added.
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 4331d53..a897cb0 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) {
+ (*in == '_') || (*in == '-') ||
+ (*in == ':') || (*in == '.'))
+ in++;
++
++ if (in == ctxt->input->end)
++ return(NULL);
++
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+ ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
+@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
++
++ if (ctxt->input->base > ctxt->input->cur - len)
++ return(NULL);
++
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+ }
+
+diff --git a/result/HTML/758605.html b/result/HTML/758605.html
+new file mode 100644
+index 0000000..a085cce
+--- /dev/null
++++ b/result/HTML/758605.html
+@@ -0,0 +1,3 @@
++<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
++<html><body><p>&
++</p></body></html>
+diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err
+new file mode 100644
+index 0000000..2b82be6
+--- /dev/null
++++ b/result/HTML/758605.html.err
+@@ -0,0 +1,3 @@
++./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name
++ê
++ ^
+diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax
+new file mode 100644
+index 0000000..1f5cd32
+--- /dev/null
++++ b/result/HTML/758605.html.sax
+@@ -0,0 +1,13 @@
++SAX.setDocumentLocator()
++SAX.startDocument()
++SAX.error: htmlParseEntityRef: no name
++SAX.startElement(html)
++SAX.startElement(body)
++SAX.startElement(p)
++SAX.characters(&, 1)
++SAX.ignorableWhitespace(
++, 1)
++SAX.endElement(p)
++SAX.endElement(body)
++SAX.endElement(html)
++SAX.endDocument()
+diff --git a/runtest.c b/runtest.c
+index ccdd49b..0afa788 100644
+--- a/runtest.c
++++ b/runtest.c
+@@ -1824,7 +1824,7 @@ pushParseTest(const char *filename, const char *result,
+ ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename);
+ xmlCtxtUseOptions(ctxt, options);
+ cur += 4;
+- while (cur < size) {
++ do {
+ if (cur + 1024 >= size) {
+ #ifdef LIBXML_HTML_ENABLED
+ if (options & XML_PARSE_HTML)
+@@ -1842,7 +1842,7 @@ pushParseTest(const char *filename, const char *result,
+ xmlParseChunk(ctxt, base + cur, 1024, 0);
+ cur += 1024;
+ }
+- }
++ } while (cur < size);
+ doc = ctxt->myDoc;
+ #ifdef LIBXML_HTML_ENABLED
+ if (options & XML_PARSE_HTML)
+diff --git a/test/HTML/758605.html b/test/HTML/758605.html
+new file mode 100644
+index 0000000..9b1b3c2
+--- /dev/null
++++ b/test/HTML/758605.html
+@@ -0,0 +1 @@
++&:�
diff --git a/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch b/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch
new file mode 100644
index 0000000..6f0e9a6
--- /dev/null
+++ b/SOURCES/libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch
@@ -0,0 +1,414 @@
+commit b226bfbe101b5160917bf649510c407ab997cb00
+Author: Pranjal Jumde <pjumde@apple.com>
+Date: Thu Mar 3 11:50:34 2016 -0800
+
+ Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398>
+
+ * parser.c:
+ (xmlParseNCNameComplex): Store start position instead of a
+ pointer to the name since the underlying buffer may change,
+ resulting in a stale pointer being used.
+ * result/errors/759398.xml: Added.
+ * result/errors/759398.xml.err: Added.
+ * result/errors/759398.xml.str: Added.
+ * test/errors/759398.xml: Added test case.
+
+diff --git a/parser.c b/parser.c
+index 03bc4f8..46ab0e8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2008,6 +2008,7 @@ static int spacePop(xmlParserCtxtPtr ctxt) {
+ #define CUR (*ctxt->input->cur)
+ #define NXT(val) ctxt->input->cur[(val)]
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+
+ #define CMP4( s, c1, c2, c3, c4 ) \
+ ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \
+@@ -3465,6 +3466,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ size_t startPosition = 0;
+
+ #ifdef DEBUG
+ nbParseNCNameComplex++;
+@@ -3474,6 +3476,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ * Handler for more complex cases
+ */
+ GROW;
++ startPosition = CUR_PTR - BASE_PTR;
+ c = CUR_CHAR(l);
+ if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
+ (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) {
+@@ -3509,7 +3512,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+- return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
++ return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len));
+ }
+
+ /**
+diff --git a/result/errors/759398.xml b/result/errors/759398.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/759398.xml.err b/result/errors/759398.xml.err
+new file mode 100644
+index 0000000..e08d9bf
+--- /dev/null
++++ b/result/errors/759398.xml.err
+@@ -0,0 +1,9 @@
++./test/errors/759398.xml:210: parser error : StartTag: invalid element name
++need to worry about parsers whi<! don't expand PErefs finding
++ ^
++./test/errors/759398.xml:309: parser error : Opening and ending tag mismatch: spec line 50 and termdef
++and provide access to their content and structure.</termdef> <termdef
++ ^
++./test/errors/759398.xml:309: parser error : Extra content at the end of the document
++and provide access to their content and structure.</termdef> <termdef
++ ^
+diff --git a/result/errors/759398.xml.str b/result/errors/759398.xml.str
+new file mode 100644
+index 0000000..de9a28c
+--- /dev/null
++++ b/result/errors/759398.xml.str
+@@ -0,0 +1,5 @@
++./test/errors/759398.xml:210: parser error : internal error: detected an error in element content
++
++need to worry about parsers whi<! don't expand
++ ^
++./test/errors/759398.xml : failed to parse
+diff --git a/test/errors/759398.xml b/test/errors/759398.xml
+new file mode 100755
+index 0000000..132e029
+--- /dev/null
++++ b/test/errors/759398.xml
+@@ -0,0 +1,326 @@
++<?xml version='1.0' encoding='ISO-8859-5' standalone='no'?>
++<!DOCTYPE spec SYSTEM "dtds/spec.dtd" [
++
++<!-- LAST TOUCHED BY: Tim Bray, 8 February 1997 -->
++
++<!-- The words 'FINAL EDIT' in comments mark places where changes
++need to be made after approval of the document by the ERB, before
++publication. -->
++
++<!ENTITY XML.version "1.0">
++<!ENTITY doc.date "10 February 1998">
++<!ENTITY iso6.doc.date "19980210">
++<!ENTITY w3c.doc.date "02-Feb-1998">
++<!ENTITY draft.day '10'>
++<!ENTITY draft.month 'February'>
++<!ENTITY draft.year '1998'>
++
++<!ENTITY WebSGML
++ 'WebSGML Adaptations Annex to ISO 8879'>
++
++<!ENTITY lt "<">
++<!ENTITY gt ">">
++<!ENTITY xmlpio "'<?xml'">
++<!ENTITY pic "'?>'">
++<!ENTITY br "\n">
++<!ENTITY cellback '#c0d9c0'>
++<!ENTITY mdash "--"> <!-- —, but nsgmls doesn't grok hex -->
++<!ENTITY com "--">
++<!ENTITY como "--">
++<!ENTITY comc "--">
++<!ENTITY hcro "&#x">
++<!-- <!ENTITY nbsp "�"> -->
++<!ENTITY nbsp " ">
++<!ENTITY magicents "<code>amp</code>,
++<code>lt</code>,
++<code>gt</code>,
++<code>apos</code>,
++<code>quot</code>">
++
++<!-- audience and distribution status: for use at publication time -->
++<!ENTITY doc.audience "public review and discussion">
++<!ENTITY doc.distribution "may be dislributed freely, as long as
++all text and legal notices remain intact">
++
++]>
++
++<!-- for Panorama *-->
++<?VERBATIM "eg" ?>
++
++<spec>
++<header>
++<title>Extensible Markup Language (XML) 1.0</title>
++<version></version>
++<w3c-designation>REC-xml-&iso6.doc.date;</w3c-designation>
++<w3c-doctype>W3C Recommendation</w3c-doctype>
++<pubdate><day>&draft.day;</day><month>&draft.month;</month><year>&draft.year;</year></pubdate>
++
++<publoc>
++<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;</loc>
++<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml</loc>
++<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html</loc>
++<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf</loc>
++<loc href="http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps">
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps</loc>
++</publoc>
++<latestloc>
++<loc href="http://www.w3.org/TR/REC-xml">
++htt����www.w3.org/TR/REC-xml</loc>
++</latestloc>
++<prevlocs>
++<loc href="http://www.w3.org/TR/PR-xml-971208">
++http://www.w3.org/TR/PR-xml-971208</loc>
++<!--
++<loc href='http://www.w3.org/TR/WD-xml-961114'>
++http://www.w3.org/TR/WD-xml-961114</loc>
++<loc href='http://www.w3.org/TR/WD-xml-lang-970331'>
++http://www.w3.org/TR/WD-xml-lang-970331</loc>
++<loc href='http://www.w3.org/TR/WD-xml-lang-970630'>
++http://www.w3.org/TR/WD-xml-lang-970630</loc>
++<loc href='http://www.w3.org/TR/WD-xml-970807'>
++http://www.w3.org/TR/WD-xml-970807</loc>
++<loc href='http://www.w3.org/TR/WD-xml-971117'>
++http://www.w3.org/TR/WD-xml-971117</loc>-->
++</prevlocs>
++<authlist>
++<author><name>Tim Bray</name>
++<affiliation>Textuality and Netscape</affiliation>
++<email
++href="mailto:tbray@textuality.com">tbray@textuality.com</email></author>
++<author><name>Jean Paoli</name>
++<affiliation>Microsoft</affiliation>
++<email href="mailto:jeanpa@microsoft.com">jeanpa@microsoft.com</email></author>
++<author><name>C. M. Sperberg-McQueen</name>
++<affiliation>University of Illinois at Chicago</affiliation>
++<email href="mailto:cmsmcq@uic.edu">cmsmcq@uic.edu</email></author>
++</authlist>
++<abstract>
++<p>The Extensible Markup Language (XML) is a subset of
++SGML that is completely described in this document. Its goal is to
++enable generic SGML to be served, received, and processed on the Web
++in the way that is now possible with HTML. XML has been designed for
++ease of implementation and for interoperability with both SGML and
++HTML.</p>
++</abstract>
++<status>
++<p>This document has been reviewed by W3C Members and
++other interested parties and has been endorsed by the
++Director as a W3C Recommendation. It is a stable
++document and may be used as reference material or cited
++as a normative reference from another document. W3C's
++role in making the Recommendation is to draw attention
++to the spPcification and to promote its widespread
++deployment. This enhances the functionality and
++interoperability of the Web.</p>
++<p>
++This document specifies a syntax created by subsetting an existing,
++widely used international text processing standard (Standard
++Generalized Markup Language, ISO 8879:1986(E) as amended and
++corrected) for use on the World Wide Web. It is a product of the W3C
++XML Activity, details of which can be found at <loc
++href='http://www.w3.org/XML'>http://www.w3.org/XML</loc>. A list of
++current W3C Recommendations and other technical documents can be found
++at <loc href='http://www.w3.org/TR'>http://www.w3.org/TR</loc>.
++</p>
++<p>This specification uses the term URI, which is defined by <bibref
++ref="Berners-Lee"/>, a work in progress expected to update <bibref
++ref="RFC1738"/> and <bibref ref="RFC1808"/>.
++</p>
++<p>The list of known errors in this specification is
++available at
++<loc href='http://www.w3.org/XML/xml-19980210-errata'>http://www.w3.org/XML/xml-19980210-errata</loc>.</p>
++<p>Please report errors in this document to
++<loc href='mailto:xml-editor@w3.org'>xml-editor@w3.org</loc>.
++</p>
++</status>
++
++
++<pubstmt>
++<p>Chicago, Vancouver, Mountain View, et al.:
++World-Wide Web Consortium, XML Working Group, 1996, 1997.</p>
++</pubstmt>
++<sourcedesc>
++<p>Created in electronic form.</p>
++</sourcedesc>
++<langusage>
++<language id='EN'>English</language>
++<language id='ebnf'>Extended Backus-Naur Form (formal grammar)</language>
++</langusage>
++<revisiondesc>
++<slist>
++<sitem>1997-12-03 : CMSMcQ : yet further changes</sitem>
++<sitem>1997-12-02 : TB : further changes (see TB to XML WG,
++2 December 1997)</sitem>
++<sitem>1997-12-02 : CMSMcQ : deal with as many corrections and
++comments from the proofreaders as possible:
++entify hard-coded document date in pubdate element,
++change expansion of entity WebSGML,
++update status description as per Dan Connolly (am not sure
++about refernece to Berners-Lee et al.),
++add 'The' to abstract as per WG decision,
++move Relationship to Existing Standards to back matter and
++combine with References,
++re-order back matter so normative appendices come first,
++re-tag back matter so informative appendices are tagged informdiv1,
++remove XXX XXX from list of 'normative' specs in prose,
++move some references from Other References to Normative References,
++add RFC 1738, 1808, and 2141 to Other References (they are not
++normative since we do not require the processor to enforce any
++rules based on them),
++add reference to 'Fielding draft' (Berners-Lee et al.),
++move notation section to end of body,
++drop URIchar non-terminal and use SkipLit instead,
++lose stray reference to defunct nonterminal 'markupdecls',
++move reference to Aho et al. into appendix (Tim's right),
++add prose note saying that hash marks and fragment identifiers are
++NOT part of the URI formally speaking, and are NOT legal in
++system identifiers (processor 'may' signal an error).
++Work through:
++Tim Bray reacting to James Clark,
++Tim Bray on his own,
++Eve Maler,
++
++NOT DONE YET:
++change binary / text to unparsed / parsed.
++handle James's suggestion about < in attriubte values
++uppercase hex characters,
++namechar list,
++</sitem>
++<sitem>1997-12-01 : JB : add some column-width parameters</sitem>
++<sitem>1997-12-01 : CMSMcQ : begin round of changes to incorporate
++recent WG decisions and other corrections:
++binding sources of character encoding info (27 Aug / 3 Sept),
++correct wording of Faust quotation (restore dropped line),
++drop SDD from EncodingDecl,
++change text at version number 1.0,
++drop misleading (wrong!) sentence about ignorables and extenders,
++modify defin�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������xamples with Byte Order Mark.
++Add content model as a term and clarify that it applies to both
++mixed and element content.
++</sitem>
++<sitem>1997-06-30 : CMSMcQ : change date, some cosmetic changes,
++changes to productions for choice, seq, Mixed, NotationType,
++Enumeration. Follow James Clark's suggestion and prohibit
++conditional sections in internal subset. TO DO: simplify
++production for ignored sections as a result, since we don't
++need to worry about parsers whi<! don't expand PErefs finding
++a conditional section.</sitem>
++<sitem>1997-06-29 : TB : various edits</sitem>
++<sitem>1997-06-29 : CMSMcQ : further changes:
++Suppress old FINAL EDIT comments and some dead material.
++Revise occurrences of % in grammar to exploit Henry Thompson's pun,
++especially markupdecl and attdef.
++Remove RMD requirement relating to element content (?).
++</sitem>
++<sitem>1997-06-28 : CMSMcQ : Various changes for 1 July draft:
++Add text for draconian error handling (introduce
++the term Fatal Error).
++RE deleta est (changing wording from
++original announcement to restrict the requirement to validating
++parsers).
++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'.</sitem>
++<sitem>1997-03-21 : TB : massive changes on plane flight from Chicago
++to Vancouver</sitem>
++<sitem>1997-03-21 : CMSMcQ : correct as many reported errors as possible.
++</sitem>
++<sitem>1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec.</sitem>
++<sitem>1997 James Clark:
++Define the set of characters from which [^abc] subtracts.
++Charref should use just [0-9] not Digit.
++Location info needs cleaner treatment: remove? (ERB
++question).
++One example of a PI has wrong pic.
++Clarify discussion of encoding names.
++Encoding failure should lead to unspecified results; don't
++prescribe error recovery.
++Don't require exposure of entity boundaries.
++Ignore white space in element content.
++Reserve entity names of the form u-NNNN.
++Clarify relative URLs.
++And some of my own:
++Correct productions for content model: model cannot
++consist of a name, so "elements ::= cp" is no good.
++</sitem>
++<sitem>1996-11-11 : CMSMcQ : revise for style.
++Add new rhs to entity declaration, for parameter entities.</sitem>
++<sitem>1996-11-10 : CMSMcQ : revise for style.
++Fix / complete section on names, characters.
++Add sections on parameter entities, conditional sections.
++Still to do: Add compatibility note on deterministic content models.
++Finish stylistic revision.</sitem>
++<sitem>1996-10-31 : TB : Add Entity Handling section</sitem>
++<sitem>1996-10-30 : TB : Clean up term & termdef. Slip in
++ERB decision re EMPTY.</sitem>
++<sitem>1996-10-28 : TB : Change DTD. Implement some of Michael's
++suggestions. Change comments back to //. Introduce language for
++XML namespace reservation. Add section on white-space handling.
++Lots more cleanup.</sitem>
++<sitem>1996-10-24 : CMSMcQ : quick tweaks, implement some ERB
++decisions. Characters are not integers. Comments are /* */ not //.
++Add bibliographic refs to 10646, HyTime, Unicode.
++Rename old Cdata as MsData since it's <emph>only</emph> seen
++in marked sections. Call them attribute-value pairs not
++name-value pairs, except once. Internal subset is optional, needs
++'?'. Implied attributes should be signaled to the app, not
++have values supplied by processor.</sitem>
++<sitem>1996-10-16 : TB : track down & excise all DSD references;
++introduce some EBNF for entity declarations.</sitem>
++<sitem>1996-10-?? nsistency check, fix up scraps so
++they all parse, get formatter working, correct a few productions.</sitem>
++<sitem>1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and
++organizational changes:
++Replace a few literals with xmlpio and
++pi""entities, to make them consistent and ensure we can change pic
++reliably when the ERB votes.
++Drop paragraph on recognizers from notation section.
++Add match, exact match to terminology.
++Move old 2.2 XML Processors and Apps into intro.
++Mention comments, PIs, and marked sections in discussion of
++delimiter escaping.
++Streamline discussion of doctype decl syntax.
++Drop old section of 'PI syntax' for doctype decl, and add
++section on partial-DTD summary PIs to end of Logical Structures
++section.
++Revise DSD syntax section to use Tim's subset-in-a-PI
++mechanism.</sitem>
++<sitem>1996-10-10 : TB : eliminate name recognizers (and more?)</sitem>
++<sitem>1996-10-09 : CMSMcQ : revise for style, consistency through 2.3
++(Characters)</sitem>
++<sitem>1996-10-09 : CMSMcQ : re-unite everything for convenience,
++at least temporarily, and revise quickly</sitem>
++<sitem>1996-10-08 : TB : first major homogenization pass</sitem>
++<sitem>1996-10-08 : TB : turn "current" attribute on div type into
++CDATA</sitem>
++<sitem>1996-10-02 : TB : remould into skeleton + entities</sitem>
++<sitem>1996-09-30 : CMSMcQ : add a few more sections prior to exchange
++ with Tim.</sitem>
++<sitem>1996-09-20 : CMSMcQ : finish transcribing notes.</sitem>
++<sitem>1996-09-19 : CMSMcQ : begin transcribing notes for draft.</sitem>
++<sitem>1996-09-13 : CMSMcQ : made outline from notes of 09-06,
++do some housekeeping</sitem>
++</slist>
++</revisiondesc>
++</header>
++<�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������m> is used to read XML documents
++and provide access to their content and structure.</termdef> <termdef
++id="dt-app" term="Application">It is @ssumed that an XML processor is
++doing its work on behalf of another module, called the
++<term>application</term>.</termdef> This specification describes the
++required beh\vior of an XML processor in terms of how it must read XML
++data and the information it must provide to the application.</p>
++
++<div2 id='sec-origin-goals'>
++<head>Origin and Goals</head>
++<p>XML was developed by an XML Working Group (orisable over the
++Internet.</p></item>
++<item><p>XML shall support a wide varie�y of applications.</p></item>
++<item><p>XML shall be compatible with SGML.</p></item>
++<item><p>It shall be easy to write programs which process XML
++documents.</p></item>
++<item><p>The number of optional features in XML is to be kept to the
++absolute minimum, ideally zero.</p></item>
++<item><p>XML documents shou
+\ No newline at end of file
diff --git a/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch b/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch
new file mode 100644
index 0000000..8c2865f
--- /dev/null
+++ b/SOURCES/libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch
@@ -0,0 +1,53 @@
+From b1a4e51efbfb1ae3a37a14be73d438aaab6b5c9e Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Tue, 8 Mar 2016 17:29:00 -0800
+Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat
+ <https://bugzilla.gnome.org/show_bug.cgi?id=763071>
+To: libvir-list@redhat.com
+
+* xmlstring.c:
+(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
+(xmlStrncatNew): Ditto.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ xmlstring.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/xmlstring.c b/xmlstring.c
+index a37220d..d465c23 100644
+--- a/xmlstring.c
++++ b/xmlstring.c
+@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
+ return(xmlStrndup(add, len));
+
+ size = xmlStrlen(cur);
++ if (size < 0)
++ return(NULL);
+ ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
+ if (ret == NULL) {
+ xmlErrMemory(NULL, NULL);
+@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
+ int size;
+ xmlChar *ret;
+
+- if (len < 0)
++ if (len < 0) {
+ len = xmlStrlen(str2);
++ if (len < 0)
++ return(NULL);
++ }
+ if ((str2 == NULL) || (len == 0))
+ return(xmlStrdup(str1));
+ if (str1 == NULL)
+ return(xmlStrndup(str2, len));
+
+ size = xmlStrlen(str1);
++ if (size < 0)
++ return(NULL);
+ ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
+ if (ret == NULL) {
+ xmlErrMemory(NULL, NULL);
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch b/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch
new file mode 100644
index 0000000..a9d6725
--- /dev/null
+++ b/SOURCES/libxml2-Fix-inappropriate-fetch-of-entities-content.patch
@@ -0,0 +1,47 @@
+From be24335cbc0019894e6222bd817e717c41550c3c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 14 Mar 2016 17:19:44 +0800
+Subject: [PATCH] Fix inappropriate fetch of entities content
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761430
+
+libfuzzer regression testing exposed another case where the parser would
+fetch content of an external entity while not in validating mode.
+Plug that hole
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 46ab0e8..1936599 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2854,7 +2854,21 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ ctxt->nbentities += ent->checked / 2;
+ if (ent != NULL) {
+ if (ent->content == NULL) {
+- xmlLoadEntityContent(ctxt, ent);
++ /*
++ * Note: external parsed entities will not be loaded,
++ * it is not required for a non-validating parser to
++ * complete external PEreferences coming from the
++ * internal subset
++ */
++ if (((ctxt->options & XML_PARSE_NOENT) != 0) ||
++ ((ctxt->options & XML_PARSE_DTDVALID) != 0) ||
++ (ctxt->validate != 0)) {
++ xmlLoadEntityContent(ctxt, ent);
++ } else {
++ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING,
++ "not validating will not read content for PE entity %s\n",
++ ent->name, NULL);
++ }
+ }
+ ctxt->depth++;
+ rep = xmlStringDecodeEntities(ctxt, ent->content, what,
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch b/SOURCES/libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch
new file mode 100644
index 0000000..386abd4
--- /dev/null
+++ b/SOURCES/libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch
@@ -0,0 +1,1068 @@
+From 671658873655a1bb1e478894c0c71f9c98968fff Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@webkit.org>
+Date: Fri, 13 May 2016 15:13:17 +0800
+Subject: [PATCH] Fix some format string warnings with possible format string
+ vulnerability
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+Decorate every method in libxml2 with the appropriate
+LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
+following the reports.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ HTMLparser.c | 4 +--
+ SAX2.c | 12 ++++----
+ catalog.c | 2 +-
+ configure.in | 4 +--
+ debugXML.c | 4 +--
+ encoding.c | 2 +-
+ entities.c | 2 +-
+ error.c | 2 +-
+ include/libxml/parserInternals.h | 2 +-
+ include/libxml/xmlerror.h | 2 +-
+ include/libxml/xmlstring.h | 8 ++---
+ libxml.h | 2 +-
+ parser.c | 37 +++++++++++-----------
+ parserInternals.c | 4 +--
+ relaxng.c | 4 +--
+ schematron.c | 2 +-
+ testModule.c | 2 +-
+ valid.c | 8 ++---
+ xinclude.c | 4 +--
+ xmlIO.c | 14 ++++-----
+ xmllint.c | 20 ++++++------
+ xmlreader.c | 16 +++++++---
+ xmlschemas.c | 66 ++++++++++++++++++++--------------------
+ xmlstring.c | 4 +--
+ xmlwriter.c | 4 +--
+ xpath.c | 2 +-
+ xpointer.c | 2 +-
+ 27 files changed, 121 insertions(+), 114 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index e7d802d..cd5ab05 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -105,7 +105,7 @@ htmlErrMemory(xmlParserCtxtPtr ctxt, const char *extra)
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -132,7 +132,7 @@ htmlParseErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ htmlParseErrInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, int val)
+ {
+diff --git a/SAX2.c b/SAX2.c
+index 4adf202..d90f449 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -55,7 +55,7 @@
+ * @ctxt: an XML validation parser context
+ * @msg: a string to accompany the error message
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) {
+ xmlStructuredErrorFunc schannel = NULL;
+ const char *str1 = "out of memory\n";
+@@ -93,7 +93,7 @@ xmlSAX2ErrMemory(xmlParserCtxtPtr ctxt, const char *msg) {
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const char *str1, const char *str2)
+ {
+@@ -133,7 +133,7 @@ xmlErrValid(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -164,7 +164,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a parser warning
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1)
+ {
+@@ -189,7 +189,7 @@ xmlWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a namespace error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -213,7 +213,7 @@ xmlNsErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a namespace warning
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsWarnMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+diff --git a/catalog.c b/catalog.c
+index 8e34cd2..5c9f6de 100644
+--- a/catalog.c
++++ b/catalog.c
+@@ -238,7 +238,7 @@ xmlCatalogErrMemory(const char *extra)
+ *
+ * Handle a catalog error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlCatalogErr(xmlCatalogEntryPtr catal, xmlNodePtr node, int error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2,
+ const xmlChar *str3)
+diff --git a/configure.in b/configure.in
+index d449b11..1dee5ba 100644
+--- a/configure.in
++++ b/configure.in
+@@ -705,7 +705,7 @@ else
+ fi
+
+ # warnings we'd like to see
+- CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls"
++ CFLAGS="${CFLAGS} -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls"
+ # warnings we'd like to supress
+ CFLAGS="${CFLAGS} -Wno-long-long"
+ case "${host}" in
+@@ -920,7 +920,7 @@ if [[ "${LOGNAME}" = "veillard" -a "`pwd`" = "/u/veillard/XML" ]] || \
+ fi
+ fi
+ if test "${GCC}" = "yes" ; then
+- CFLAGS="-g -O -pedantic -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall"
++ CFLAGS="-g -O -pedantic -W -Wformat -Wno-format-extra-args -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wall"
+ fi
+ STATIC_BINARIES="-static"
+ dnl -Wcast-qual -ansi
+diff --git a/debugXML.c b/debugXML.c
+index c8efe6a..b6e7b2f 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -164,7 +164,7 @@ xmlDebugErr(xmlDebugCtxtPtr ctxt, int error, const char *msg)
+ NULL, NULL, NULL, 0, 0,
+ "%s", msg);
+ }
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra)
+ {
+ ctxt->errors++;
+@@ -174,7 +174,7 @@ xmlDebugErr2(xmlDebugCtxtPtr ctxt, int error, const char *msg, int extra)
+ NULL, NULL, NULL, 0, 0,
+ msg, extra);
+ }
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlDebugErr3(xmlDebugCtxtPtr ctxt, int error, const char *msg, const char *extra)
+ {
+ ctxt->errors++;
+diff --git a/encoding.c b/encoding.c
+index 7330e90..dd62b3a 100644
+--- a/encoding.c
++++ b/encoding.c
+@@ -93,7 +93,7 @@ xmlEncodingErrMemory(const char *extra)
+ *
+ * n encoding error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlEncodingErr(xmlParserErrors error, const char *msg, const char *val)
+ {
+ __xmlRaiseError(NULL, NULL, NULL, NULL, NULL,
+diff --git a/entities.c b/entities.c
+index 0c484a7..f330959 100644
+--- a/entities.c
++++ b/entities.c
+@@ -83,7 +83,7 @@ xmlEntitiesErrMemory(const char *extra)
+ *
+ * Handle an out of memory condition
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlEntitiesErr(xmlParserErrors code, const char *msg)
+ {
+ __xmlSimpleError(XML_FROM_TREE, code, NULL, msg, NULL);
+diff --git a/error.c b/error.c
+index 9c45040..2e8dfce 100644
+--- a/error.c
++++ b/error.c
+@@ -18,7 +18,7 @@
+
+ void XMLCDECL xmlGenericErrorDefaultFunc (void *ctx ATTRIBUTE_UNUSED,
+ const char *msg,
+- ...);
++ ...) LIBXML_ATTR_FORMAT(2,3);
+
+ #define XML_GET_VAR_STR(msg, str) { \
+ int size, prev_size = -1; \
+diff --git a/include/libxml/parserInternals.h b/include/libxml/parserInternals.h
+index 6065320..f30fc68 100644
+--- a/include/libxml/parserInternals.h
++++ b/include/libxml/parserInternals.h
+@@ -351,7 +351,7 @@ XMLPUBFUN void XMLCALL
+ xmlParserErrors xmlerr,
+ const char *msg,
+ const xmlChar * str1,
+- const xmlChar * str2);
++ const xmlChar * str2) LIBXML_ATTR_FORMAT(3,0);
+ #endif
+
+ /**
+diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h
+index 537a396..acd2cd7 100644
+--- a/include/libxml/xmlerror.h
++++ b/include/libxml/xmlerror.h
+@@ -937,7 +937,7 @@ XMLPUBFUN void XMLCALL
+ int code,
+ xmlNodePtr node,
+ const char *msg,
+- const char *extra);
++ const char *extra) LIBXML_ATTR_FORMAT(4,0);
+ #endif
+ #ifdef __cplusplus
+ }
+diff --git a/include/libxml/xmlstring.h b/include/libxml/xmlstring.h
+index 2036236..2d0b2d1 100644
+--- a/include/libxml/xmlstring.h
++++ b/include/libxml/xmlstring.h
+@@ -97,13 +97,13 @@ XMLPUBFUN xmlChar * XMLCALL
+ XMLPUBFUN int XMLCALL
+ xmlStrPrintf (xmlChar *buf,
+ int len,
+- const xmlChar *msg,
+- ...);
++ const char *msg,
++ ...) LIBXML_ATTR_FORMAT(3,4);
+ XMLPUBFUN int XMLCALL
+ xmlStrVPrintf (xmlChar *buf,
+ int len,
+- const xmlChar *msg,
+- va_list ap);
++ const char *msg,
++ va_list ap) LIBXML_ATTR_FORMAT(3,0);
+
+ XMLPUBFUN int XMLCALL
+ xmlGetUTF8Char (const unsigned char *utf,
+diff --git a/libxml.h b/libxml.h
+index 2da9044..4558b70 100644
+--- a/libxml.h
++++ b/libxml.h
+@@ -68,7 +68,7 @@ extern int __xmlRegisterCallbacks;
+ * internal error reporting routines, shared but not partof the API.
+ */
+ void __xmlIOErr(int domain, int code, const char *extra);
+-void __xmlLoaderErr(void *ctx, const char *msg, const char *filename);
++void __xmlLoaderErr(void *ctx, const char *msg, const char *filename) LIBXML_ATTR_FORMAT(2,0);
+ #ifdef LIBXML_HTML_ENABLED
+ /*
+ * internal function of HTML parser needed for xmlParseInNodeContext
+diff --git a/parser.c b/parser.c
+index 2ae44c5..7413596 100644
+--- a/parser.c
++++ b/parser.c
+@@ -350,7 +350,6 @@ static void
+ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ {
+ const char *errmsg;
+- char errstr[129] = "";
+
+ if ((ctxt != NULL) && (ctxt->disableSAX != 0) &&
+ (ctxt->instate == XML_PARSER_EOF))
+@@ -537,15 +536,17 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ default:
+ errmsg = "Unregistered error message";
+ }
+- if (info == NULL)
+- snprintf(errstr, 128, "%s\n", errmsg);
+- else
+- snprintf(errstr, 128, "%s: %%s\n", errmsg);
+ if (ctxt != NULL)
+ ctxt->errNo = error;
+- __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
+- XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, &errstr[0],
+- info);
++ if (info == NULL) {
++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s\n",
++ errmsg);
++ } else {
++ __xmlRaiseError(NULL, NULL, NULL, ctxt, NULL, XML_FROM_PARSER, error,
++ XML_ERR_FATAL, NULL, 0, info, NULL, NULL, 0, 0, "%s: %s\n",
++ errmsg, info);
++ }
+ if (ctxt != NULL) {
+ ctxt->wellFormed = 0;
+ if (ctxt->recovery == 0)
+@@ -561,7 +562,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg)
+ {
+@@ -589,7 +590,7 @@ xmlFatalErrMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a warning.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -627,7 +628,7 @@ xmlWarningMsg(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a validity error.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, const xmlChar *str2)
+ {
+@@ -667,7 +668,7 @@ xmlValidityError(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, int val)
+ {
+@@ -697,7 +698,7 @@ xmlFatalErrMsgInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar *str1, int val,
+ const xmlChar *str2)
+@@ -727,7 +728,7 @@ xmlFatalErrMsgStrIntStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar * val)
+ {
+@@ -756,7 +757,7 @@ xmlFatalErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a non fatal parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const xmlChar * val)
+ {
+@@ -781,7 +782,7 @@ xmlErrMsgStr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a fatal parser error, i.e. violating Well-Formedness constraints
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg,
+ const xmlChar * info1, const xmlChar * info2,
+@@ -810,7 +811,7 @@ xmlNsErr(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a namespace warning error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlNsWarn(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg,
+ const xmlChar * info1, const xmlChar * info2,
+@@ -5510,7 +5511,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ skipped = SKIP_BLANKS;
+ if (skipped == 0) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+- "Space required after '%'\n");
++ "Space required after '%%'\n");
+ }
+ isParameter = 1;
+ }
+diff --git a/parserInternals.c b/parserInternals.c
+index 341d6a1..aac6420 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -169,7 +169,7 @@ __xmlErrEncoding(xmlParserCtxtPtr ctxt, xmlParserErrors xmlerr,
+ *
+ * Handle an internal error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str)
+ {
+ if ((ctxt != NULL) && (ctxt->disableSAX != 0) &&
+@@ -197,7 +197,7 @@ xmlErrInternal(xmlParserCtxtPtr ctxt, const char *msg, const xmlChar * str)
+ *
+ * n encoding error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrEncodingInt(xmlParserCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, int val)
+ {
+diff --git a/relaxng.c b/relaxng.c
+index 370e314..b531081 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -507,7 +507,7 @@ xmlRngVErrMemory(xmlRelaxNGValidCtxtPtr ctxt, const char *extra)
+ *
+ * Handle a Relax NG Parsing error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+@@ -541,7 +541,7 @@ xmlRngPErr(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ *
+ * Handle a Relax NG Validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlRngVErr(xmlRelaxNGValidCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+diff --git a/schematron.c b/schematron.c
+index 537b868..6f80c5c 100644
+--- a/schematron.c
++++ b/schematron.c
+@@ -243,7 +243,7 @@ xmlSchematronPErrMemory(xmlSchematronParserCtxtPtr ctxt,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchematronPErr(xmlSchematronParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+diff --git a/testModule.c b/testModule.c
+index e399f5c..77b7ba1 100644
+--- a/testModule.c
++++ b/testModule.c
+@@ -47,7 +47,7 @@ int main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
+
+ /* build the module filename, and confirm the module exists */
+ xmlStrPrintf(filename, sizeof(filename),
+- (const xmlChar*) "%s/testdso%s",
++ "%s/testdso%s",
+ (const xmlChar*)MODULE_PATH,
+ (const xmlChar*)LIBXML_MODULE_EXTENSION);
+
+diff --git a/valid.c b/valid.c
+index 6e53a76..657e3c8 100644
+--- a/valid.c
++++ b/valid.c
+@@ -93,7 +93,7 @@ xmlVErrMemory(xmlValidCtxtPtr ctxt, const char *extra)
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error,
+ const char *msg, const char *extra)
+ {
+@@ -137,7 +137,7 @@ xmlErrValid(xmlValidCtxtPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a validation error, provide contextual informations
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidNode(xmlValidCtxtPtr ctxt,
+ xmlNodePtr node, xmlParserErrors error,
+ const char *msg, const xmlChar * str1,
+@@ -180,7 +180,7 @@ xmlErrValidNode(xmlValidCtxtPtr ctxt,
+ *
+ * Handle a validation error, provide contextual informations
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt,
+ xmlNodePtr node, xmlParserErrors error,
+ const char *msg, const xmlChar * str1,
+@@ -221,7 +221,7 @@ xmlErrValidNodeNr(xmlValidCtxtPtr ctxt,
+ *
+ * Handle a validation error, provide contextual information
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlErrValidWarning(xmlValidCtxtPtr ctxt,
+ xmlNodePtr node, xmlParserErrors error,
+ const char *msg, const xmlChar * str1,
+diff --git a/xinclude.c b/xinclude.c
+index ace005b..f56c7c4 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -124,7 +124,7 @@ xmlXIncludeErrMemory(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node,
+ *
+ * Handle an XInclude error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar *extra)
+ {
+@@ -146,7 +146,7 @@ xmlXIncludeErr(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+ *
+ * Emit an XInclude warning.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlXIncludeWarn(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar *extra)
+ {
+diff --git a/xmlIO.c b/xmlIO.c
+index fc4e111..90a93e3 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -1590,7 +1590,7 @@ xmlCreateZMemBuff( int compression ) {
+ xmlFreeZMemBuff( buff );
+ buff = NULL;
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlCreateZMemBuff: %s %d\n",
++ "xmlCreateZMemBuff: %s %d\n",
+ "Error initializing compression context. ZLIB error:",
+ z_err );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1658,7 +1658,7 @@ xmlZMemBuffExtend( xmlZMemBuffPtr buff, size_t ext_amt ) {
+ else {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlZMemBuffExtend: %s %lu bytes.\n",
++ "xmlZMemBuffExtend: %s %lu bytes.\n",
+ "Allocation failure extending output buffer to",
+ new_size );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1704,7 +1704,7 @@ xmlZMemBuffAppend( xmlZMemBuffPtr buff, const char * src, int len ) {
+ if ( z_err != Z_OK ) {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlZMemBuffAppend: %s %d %s - %d",
++ "xmlZMemBuffAppend: %s %d %s - %d",
+ "Compression error while appending",
+ len, "bytes to buffer. ZLIB error", z_err );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -1777,7 +1777,7 @@ xmlZMemBuffGetContent( xmlZMemBuffPtr buff, char ** data_ref ) {
+ else {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlZMemBuffGetContent: %s - %d\n",
++ "xmlZMemBuffGetContent: %s - %d\n",
+ "Error flushing zlib buffers. Error code", z_err );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+ }
+@@ -1982,7 +1982,7 @@ xmlIOHTTPWrite( void * context, const char * buffer, int len ) {
+ if ( len < 0 ) {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlIOHTTPWrite: %s\n%s '%s'.\n",
++ "xmlIOHTTPWrite: %s\n%s '%s'.\n",
+ "Error appending to internal buffer.",
+ "Error sending document to URI",
+ ctxt->uri );
+@@ -2054,7 +2054,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) {
+ if ( http_content == NULL ) {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n",
++ "xmlIOHTTPCloseWrite: %s '%s' %s '%s'.\n",
+ "Error retrieving content.\nUnable to",
+ http_mthd, "data to URI", ctxt->uri );
+ xmlIOErr(XML_IO_WRITE, (const char *) msg);
+@@ -2126,7 +2126,7 @@ xmlIOHTTPCloseWrite( void * context, const char * http_mthd ) {
+ else {
+ xmlChar msg[500];
+ xmlStrPrintf(msg, 500,
+- (const xmlChar *) "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n",
++ "xmlIOHTTPCloseWrite: HTTP '%s' of %d %s\n'%s' %s %d\n",
+ http_mthd, content_lgth,
+ "bytes to URI", ctxt->uri,
+ "failed. HTTP return code:", http_rtn );
+diff --git a/xmllint.c b/xmllint.c
+index 26d8db1..85552cf 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -449,7 +449,7 @@ startTimer(void)
+ * message about the timing performed; format is a printf
+ * type argument
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(const char *fmt, ...)
+ {
+ long msec;
+@@ -485,7 +485,7 @@ startTimer(void)
+ {
+ begin = clock();
+ }
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(const char *fmt, ...)
+ {
+ long msec;
+@@ -514,7 +514,7 @@ startTimer(void)
+ * Do nothing
+ */
+ }
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(1,2)
+ endTimer(char *format, ...)
+ {
+ /*
+@@ -634,7 +634,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
+ * Display and format an error messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLError(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -671,7 +671,7 @@ xmlHTMLError(void *ctx, const char *msg, ...)
+ * Display and format a warning messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLWarning(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -709,7 +709,7 @@ xmlHTMLWarning(void *ctx, const char *msg, ...)
+ * Display and format an validity error messages, gives file,
+ * line, position and extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLValidityError(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -746,7 +746,7 @@ xmlHTMLValidityError(void *ctx, const char *msg, ...)
+ * Display and format a validity warning messages, gives file, line,
+ * position and extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlHTMLValidityWarning(void *ctx, const char *msg, ...)
+ {
+ xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
+@@ -1410,7 +1410,7 @@ commentDebug(void *ctx ATTRIBUTE_UNUSED, const xmlChar *value)
+ * Display and format a warning messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+ va_list args;
+@@ -1433,7 +1433,7 @@ warningDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ * Display and format a error messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+ va_list args;
+@@ -1456,7 +1456,7 @@ errorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ * Display and format a fatalError messages, gives file, line, position and
+ * extra parameters.
+ */
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ fatalErrorDebug(void *ctx ATTRIBUTE_UNUSED, const char *msg, ...)
+ {
+ va_list args;
+diff --git a/xmlreader.c b/xmlreader.c
+index 4fabaa9..d72129b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -4036,13 +4036,19 @@ xmlTextReaderCurrentDoc(xmlTextReaderPtr reader) {
+ }
+
+ #ifdef LIBXML_SCHEMAS_ENABLED
+-static char *xmlTextReaderBuildMessage(const char *msg, va_list ap);
++static char *xmlTextReaderBuildMessage(const char *msg, va_list ap) LIBXML_ATTR_FORMAT(1,0);
+
+ static void XMLCDECL
+-xmlTextReaderValidityError(void *ctxt, const char *msg, ...);
++xmlTextReaderValidityError(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
+
+ static void XMLCDECL
+-xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...);
++xmlTextReaderValidityWarning(void *ctxt, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
++
++static void XMLCDECL
++xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
++
++static void XMLCDECL
++xmlTextReaderValidityWarningRelay(void *ctx, const char *msg, ...) LIBXML_ATTR_FORMAT(2,3);
+
+ static void XMLCDECL
+ xmlTextReaderValidityErrorRelay(void *ctx, const char *msg, ...)
+@@ -4836,7 +4842,7 @@ xmlTextReaderStructuredError(void *ctxt, xmlErrorPtr error)
+ }
+ }
+
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlTextReaderError(void *ctxt, const char *msg, ...)
+ {
+ va_list ap;
+@@ -4849,7 +4855,7 @@ xmlTextReaderError(void *ctxt, const char *msg, ...)
+
+ }
+
+-static void XMLCDECL
++static void XMLCDECL LIBXML_ATTR_FORMAT(2,3)
+ xmlTextReaderWarning(void *ctxt, const char *msg, ...)
+ {
+ va_list ap;
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 121533f..398cdd8 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -1085,7 +1085,7 @@ xmlSchemaGetUnionSimpleTypeMemberTypes(xmlSchemaTypePtr type);
+ static void
+ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt,
+ const char *funcName,
+- const char *message);
++ const char *message) LIBXML_ATTR_FORMAT(3,0);
+ static int
+ xmlSchemaCheckCOSSTDerivedOK(xmlSchemaAbstractCtxtPtr ctxt,
+ xmlSchemaTypePtr type,
+@@ -1889,7 +1889,7 @@ xmlSchemaPErrMemory(xmlSchemaParserCtxtPtr ctxt,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+ {
+@@ -1922,7 +1922,7 @@ xmlSchemaPErr(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node,
+ xmlNodePtr child, int error,
+ const char *msg, const xmlChar * str1, const xmlChar * str2)
+@@ -1951,7 +1951,7 @@ xmlSchemaPErr2(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node,
+ *
+ * Handle a parser error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(7,0)
+ xmlSchemaPErrExt(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, int error,
+ const xmlChar * strData1, const xmlChar * strData2,
+ const xmlChar * strData3, const char *msg, const xmlChar * str1,
+@@ -2002,7 +2002,7 @@ xmlSchemaVErrMemory(xmlSchemaValidCtxtPtr ctxt,
+ extra);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(2,0)
+ xmlSchemaPSimpleInternalErr(xmlNodePtr node,
+ const char *msg, const xmlChar *str)
+ {
+@@ -2013,18 +2013,21 @@ xmlSchemaPSimpleInternalErr(xmlNodePtr node,
+ #define WXS_ERROR_TYPE_ERROR 1
+ #define WXS_ERROR_TYPE_WARNING 2
+ /**
+- * xmlSchemaErr3:
++ * xmlSchemaErr4Line:
+ * @ctxt: the validation context
+- * @node: the context node
++ * @errorLevel: the error level
+ * @error: the error code
++ * @node: the context node
++ * @line: the line number
+ * @msg: the error message
+ * @str1: extra data
+ * @str2: extra data
+ * @str3: extra data
++ * @str4: extra data
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(6,0)
+ xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt,
+ xmlErrorLevel errorLevel,
+ int error, xmlNodePtr node, int line, const char *msg,
+@@ -2137,7 +2140,7 @@ xmlSchemaErr4Line(xmlSchemaAbstractCtxtPtr ctxt,
+ *
+ * Handle a validation error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt,
+ int error, xmlNodePtr node, const char *msg,
+ const xmlChar *str1, const xmlChar *str2, const xmlChar *str3)
+@@ -2146,7 +2149,7 @@ xmlSchemaErr3(xmlSchemaAbstractCtxtPtr actxt,
+ msg, str1, str2, str3, NULL);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt,
+ int error, xmlNodePtr node, const char *msg,
+ const xmlChar *str1, const xmlChar *str2,
+@@ -2156,7 +2159,7 @@ xmlSchemaErr4(xmlSchemaAbstractCtxtPtr actxt,
+ msg, str1, str2, str3, str4);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(4,0)
+ xmlSchemaErr(xmlSchemaAbstractCtxtPtr actxt,
+ int error, xmlNodePtr node, const char *msg,
+ const xmlChar *str1, const xmlChar *str2)
+@@ -2179,7 +2182,7 @@ xmlSchemaFormatNodeForError(xmlChar ** msg,
+ /*
+ * Don't try to format other nodes than element and
+ * attribute nodes.
+- * Play save and return an empty string.
++ * Play safe and return an empty string.
+ */
+ *msg = xmlStrdup(BAD_CAST "");
+ return(*msg);
+@@ -2260,7 +2263,7 @@ xmlSchemaFormatNodeForError(xmlChar ** msg,
+ return (*msg);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt,
+ const char *funcName,
+ const char *message,
+@@ -2271,24 +2274,21 @@ xmlSchemaInternalErr2(xmlSchemaAbstractCtxtPtr actxt,
+
+ if (actxt == NULL)
+ return;
+- msg = xmlStrdup(BAD_CAST "Internal error: ");
+- msg = xmlStrcat(msg, BAD_CAST funcName);
+- msg = xmlStrcat(msg, BAD_CAST ", ");
++ msg = xmlStrdup(BAD_CAST "Internal error: %s, ");
+ msg = xmlStrcat(msg, BAD_CAST message);
+ msg = xmlStrcat(msg, BAD_CAST ".\n");
+
+ if (actxt->type == XML_SCHEMA_CTXT_VALIDATOR)
+- xmlSchemaErr(actxt, XML_SCHEMAV_INTERNAL, NULL,
+- (const char *) msg, str1, str2);
+-
++ xmlSchemaErr3(actxt, XML_SCHEMAV_INTERNAL, NULL,
++ (const char *) msg, (const xmlChar *) funcName, str1, str2);
+ else if (actxt->type == XML_SCHEMA_CTXT_PARSER)
+- xmlSchemaErr(actxt, XML_SCHEMAP_INTERNAL, NULL,
+- (const char *) msg, str1, str2);
++ xmlSchemaErr3(actxt, XML_SCHEMAP_INTERNAL, NULL,
++ (const char *) msg, (const xmlChar *) funcName, str1, str2);
+
+ FREE_AND_NULL(msg)
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt,
+ const char *funcName,
+ const char *message)
+@@ -2297,7 +2297,7 @@ xmlSchemaInternalErr(xmlSchemaAbstractCtxtPtr actxt,
+ }
+
+ #if 0
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt,
+ const char *funcName,
+ const char *message,
+@@ -2309,7 +2309,7 @@ xmlSchemaPInternalErr(xmlSchemaParserCtxtPtr pctxt,
+ }
+ #endif
+
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt,
+ xmlParserErrors error,
+ xmlNodePtr node,
+@@ -2334,7 +2334,7 @@ xmlSchemaCustomErr4(xmlSchemaAbstractCtxtPtr actxt,
+ FREE_AND_NULL(msg)
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt,
+ xmlParserErrors error,
+ xmlNodePtr node,
+@@ -2349,7 +2349,7 @@ xmlSchemaCustomErr(xmlSchemaAbstractCtxtPtr actxt,
+
+
+
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt,
+ xmlParserErrors error,
+ xmlNodePtr node,
+@@ -2374,7 +2374,7 @@ xmlSchemaCustomWarning(xmlSchemaAbstractCtxtPtr actxt,
+
+
+
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaKeyrefErr(xmlSchemaValidCtxtPtr vctxt,
+ xmlParserErrors error,
+ xmlSchemaPSVIIDCNodePtr idcNode,
+@@ -2523,7 +2523,7 @@ xmlSchemaIllegalAttrErr(xmlSchemaAbstractCtxtPtr actxt,
+ FREE_AND_NULL(msg)
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt,
+ xmlParserErrors error,
+ xmlNodePtr node,
+@@ -2623,7 +2623,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt,
+ xmlFree(msg);
+ }
+
+-static void
++static void LIBXML_ATTR_FORMAT(8,0)
+ xmlSchemaFacetErr(xmlSchemaAbstractCtxtPtr actxt,
+ xmlParserErrors error,
+ xmlNodePtr node,
+@@ -2914,7 +2914,7 @@ xmlSchemaPIllegalAttrErr(xmlSchemaParserCtxtPtr ctxt,
+ *
+ * Reports an error during parsing.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt,
+ xmlParserErrors error,
+ xmlSchemaBasicItemPtr item,
+@@ -2950,7 +2950,7 @@ xmlSchemaPCustomErrExt(xmlSchemaParserCtxtPtr ctxt,
+ *
+ * Reports an error during parsing.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(5,0)
+ xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt,
+ xmlParserErrors error,
+ xmlSchemaBasicItemPtr item,
+@@ -2975,7 +2975,7 @@ xmlSchemaPCustomErr(xmlSchemaParserCtxtPtr ctxt,
+ *
+ * Reports an attribute use error during parsing.
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(6,0)
+ xmlSchemaPAttrUseErr4(xmlSchemaParserCtxtPtr ctxt,
+ xmlParserErrors error,
+ xmlNodePtr node,
+@@ -3097,7 +3097,7 @@ xmlSchemaPMutualExclAttrErr(xmlSchemaParserCtxtPtr ctxt,
+ * Reports a simple type validation error.
+ * TODO: Should this report the value of an element as well?
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(8,0)
+ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,
+ xmlParserErrors error,
+ xmlSchemaBasicItemPtr ownerItem ATTRIBUTE_UNUSED,
+diff --git a/xmlstring.c b/xmlstring.c
+index d465c23..c66eef3 100644
+--- a/xmlstring.c
++++ b/xmlstring.c
+@@ -545,7 +545,7 @@ xmlStrcat(xmlChar *cur, const xmlChar *add) {
+ * Returns the number of characters written to @buf or -1 if an error occurs.
+ */
+ int XMLCDECL
+-xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) {
++xmlStrPrintf(xmlChar *buf, int len, const char *msg, ...) {
+ va_list args;
+ int ret;
+
+@@ -573,7 +573,7 @@ xmlStrPrintf(xmlChar *buf, int len, const xmlChar *msg, ...) {
+ * Returns the number of characters written to @buf or -1 if an error occurs.
+ */
+ int
+-xmlStrVPrintf(xmlChar *buf, int len, const xmlChar *msg, va_list ap) {
++xmlStrVPrintf(xmlChar *buf, int len, const char *msg, va_list ap) {
+ int ret;
+
+ if((buf == NULL) || (msg == NULL)) {
+diff --git a/xmlwriter.c b/xmlwriter.c
+index d3f29f8..92c4bb2 100644
+--- a/xmlwriter.c
++++ b/xmlwriter.c
+@@ -109,7 +109,7 @@ static int xmlTextWriterWriteDocCallback(void *context,
+ const xmlChar * str, int len);
+ static int xmlTextWriterCloseDocCallback(void *context);
+
+-static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr);
++static xmlChar *xmlTextWriterVSprintf(const char *format, va_list argptr) LIBXML_ATTR_FORMAT(1,0);
+ static int xmlOutputBufferWriteBase64(xmlOutputBufferPtr out, int len,
+ const unsigned char *data);
+ static void xmlTextWriterStartDocumentCallback(void *ctx);
+@@ -149,7 +149,7 @@ xmlWriterErrMsg(xmlTextWriterPtr ctxt, xmlParserErrors error,
+ *
+ * Handle a writer error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlWriterErrMsgInt(xmlTextWriterPtr ctxt, xmlParserErrors error,
+ const char *msg, int val)
+ {
+diff --git a/xpath.c b/xpath.c
+index 97410e7..6ddf491 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -348,7 +348,7 @@ xmlXPathErrMemory(xmlXPathContextPtr ctxt, const char *extra)
+ xmlChar buf[200];
+
+ xmlStrPrintf(buf, 200,
+- BAD_CAST "Memory allocation failed : %s\n",
++ "Memory allocation failed : %s\n",
+ extra);
+ ctxt->lastError.message = (char *) xmlStrdup(buf);
+ } else {
+diff --git a/xpointer.c b/xpointer.c
+index 46f11e8..1a48812 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -85,7 +85,7 @@ xmlXPtrErrMemory(const char *extra)
+ *
+ * Handle a redefinition of attribute error
+ */
+-static void
++static void LIBXML_ATTR_FORMAT(3,0)
+ xmlXPtrErr(xmlXPathParserContextPtr ctxt, int error,
+ const char * msg, const xmlChar *extra)
+ {
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch b/SOURCES/libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch
new file mode 100644
index 0000000..2180697
--- /dev/null
+++ b/SOURCES/libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch
@@ -0,0 +1,342 @@
+commit c26d0004e779316830d93120dbfe98f6eee0783b
+Author: Pranjal Jumde <pjumde@apple.com>
+Date: Tue Mar 1 15:18:04 2016 -0800
+
+ Heap-based buffer overread in htmlCurrentChar
+
+ For https://bugzilla.gnome.org/show_bug.cgi?id=758606
+
+ * parserInternals.c:
+ (xmlNextChar): Add an test to catch other issues on ctxt->input
+ corruption proactively.
+ For non-UTF-8 charsets, xmlNextChar() failed to check for the end
+ of the input buffer and would continuing reading. Fix this by
+ pulling out the check for the end of the input buffer into common
+ code, and return if we reach the end of the input buffer
+ prematurely.
+ * result/HTML/758606.html: Added.
+ * result/HTML/758606.html.err: Added.
+ * result/HTML/758606.html.sax: Added.
+ * result/HTML/758606_2.html: Added.
+ * result/HTML/758606_2.html.err: Added.
+ * result/HTML/758606_2.html.sax: Added.
+ * test/HTML/758606.html: Added test case.
+ * test/HTML/758606_2.html: Added test case.
+
+diff --git a/parserInternals.c b/parserInternals.c
+index 1fe1f6a..341d6a1 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -55,6 +55,10 @@
+ #include <libxml/globals.h>
+ #include <libxml/chvalid.h>
+
++#define CUR(ctxt) ctxt->input->cur
++#define END(ctxt) ctxt->input->end
++#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))
++
+ #include "buf.h"
+ #include "enc.h"
+
+@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
+ (ctxt->input == NULL))
+ return;
+
+- if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
+- if ((*ctxt->input->cur == 0) &&
+- (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) &&
+- (ctxt->instate != XML_PARSER_COMMENT)) {
+- /*
+- * If we are at the end of the current entity and
+- * the context allows it, we pop consumed entities
+- * automatically.
+- * the auto closing should be blocked in other cases
+- */
++ if (!(VALID_CTXT(ctxt))) {
++ xmlErrInternal(ctxt, "Parser input data memory error\n", NULL);
++ ctxt->errNo = XML_ERR_INTERNAL_ERROR;
++ xmlStopParser(ctxt);
++ return;
++ }
++
++ if ((*ctxt->input->cur == 0) &&
++ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) {
++ if ((ctxt->instate != XML_PARSER_COMMENT))
+ xmlPopInput(ctxt);
+- } else {
+- const unsigned char *cur;
+- unsigned char c;
++ return;
++ }
+
+- /*
+- * 2.11 End-of-Line Handling
+- * the literal two-character sequence "#xD#xA" or a standalone
+- * literal #xD, an XML processor must pass to the application
+- * the single character #xA.
+- */
+- if (*(ctxt->input->cur) == '\n') {
+- ctxt->input->line++; ctxt->input->col = 1;
+- } else
+- ctxt->input->col++;
++ if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
++ const unsigned char *cur;
++ unsigned char c;
+
+- /*
+- * We are supposed to handle UTF8, check it's valid
+- * From rfc2044: encoding of the Unicode values on UTF-8:
+- *
+- * UCS-4 range (hex.) UTF-8 octet sequence (binary)
+- * 0000 0000-0000 007F 0xxxxxxx
+- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
+- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
+- *
+- * Check for the 0x110000 limit too
+- */
+- cur = ctxt->input->cur;
++ /*
++ * 2.11 End-of-Line Handling
++ * the literal two-character sequence "#xD#xA" or a standalone
++ * literal #xD, an XML processor must pass to the application
++ * the single character #xA.
++ */
++ if (*(ctxt->input->cur) == '\n') {
++ ctxt->input->line++; ctxt->input->col = 1;
++ } else
++ ctxt->input->col++;
+
+- c = *cur;
+- if (c & 0x80) {
+- if (c == 0xC0)
+- goto encoding_error;
+- if (cur[1] == 0) {
++ /*
++ * We are supposed to handle UTF8, check it's valid
++ * From rfc2044: encoding of the Unicode values on UTF-8:
++ *
++ * UCS-4 range (hex.) UTF-8 octet sequence (binary)
++ * 0000 0000-0000 007F 0xxxxxxx
++ * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
++ * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
++ *
++ * Check for the 0x110000 limit too
++ */
++ cur = ctxt->input->cur;
++
++ c = *cur;
++ if (c & 0x80) {
++ if (c == 0xC0)
++ goto encoding_error;
++ if (cur[1] == 0) {
++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++ cur = ctxt->input->cur;
++ }
++ if ((cur[1] & 0xc0) != 0x80)
++ goto encoding_error;
++ if ((c & 0xe0) == 0xe0) {
++ unsigned int val;
++
++ if (cur[2] == 0) {
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ cur = ctxt->input->cur;
+ }
+- if ((cur[1] & 0xc0) != 0x80)
++ if ((cur[2] & 0xc0) != 0x80)
+ goto encoding_error;
+- if ((c & 0xe0) == 0xe0) {
+- unsigned int val;
+-
+- if (cur[2] == 0) {
++ if ((c & 0xf0) == 0xf0) {
++ if (cur[3] == 0) {
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ cur = ctxt->input->cur;
+ }
+- if ((cur[2] & 0xc0) != 0x80)
++ if (((c & 0xf8) != 0xf0) ||
++ ((cur[3] & 0xc0) != 0x80))
+ goto encoding_error;
+- if ((c & 0xf0) == 0xf0) {
+- if (cur[3] == 0) {
+- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+- cur = ctxt->input->cur;
+- }
+- if (((c & 0xf8) != 0xf0) ||
+- ((cur[3] & 0xc0) != 0x80))
+- goto encoding_error;
+- /* 4-byte code */
+- ctxt->input->cur += 4;
+- val = (cur[0] & 0x7) << 18;
+- val |= (cur[1] & 0x3f) << 12;
+- val |= (cur[2] & 0x3f) << 6;
+- val |= cur[3] & 0x3f;
+- } else {
+- /* 3-byte code */
+- ctxt->input->cur += 3;
+- val = (cur[0] & 0xf) << 12;
+- val |= (cur[1] & 0x3f) << 6;
+- val |= cur[2] & 0x3f;
+- }
+- if (((val > 0xd7ff) && (val < 0xe000)) ||
+- ((val > 0xfffd) && (val < 0x10000)) ||
+- (val >= 0x110000)) {
+- xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+- "Char 0x%X out of allowed range\n",
+- val);
+- }
+- } else
+- /* 2-byte code */
+- ctxt->input->cur += 2;
++ /* 4-byte code */
++ ctxt->input->cur += 4;
++ val = (cur[0] & 0x7) << 18;
++ val |= (cur[1] & 0x3f) << 12;
++ val |= (cur[2] & 0x3f) << 6;
++ val |= cur[3] & 0x3f;
++ } else {
++ /* 3-byte code */
++ ctxt->input->cur += 3;
++ val = (cur[0] & 0xf) << 12;
++ val |= (cur[1] & 0x3f) << 6;
++ val |= cur[2] & 0x3f;
++ }
++ if (((val > 0xd7ff) && (val < 0xe000)) ||
++ ((val > 0xfffd) && (val < 0x10000)) ||
++ (val >= 0x110000)) {
++ xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
++ "Char 0x%X out of allowed range\n",
++ val);
++ }
+ } else
+- /* 1-byte code */
+- ctxt->input->cur++;
++ /* 2-byte code */
++ ctxt->input->cur += 2;
++ } else
++ /* 1-byte code */
++ ctxt->input->cur++;
+
+- ctxt->nbChars++;
+- if (*ctxt->input->cur == 0)
+- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+- }
++ ctxt->nbChars++;
++ if (*ctxt->input->cur == 0)
++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ } else {
+ /*
+ * Assume it's a fixed length encoding (1) with
+diff --git a/result/HTML/758606.html b/result/HTML/758606.html
+new file mode 100644
+index 0000000..4f21f62
+--- /dev/null
++++ b/result/HTML/758606.html
+@@ -0,0 +1,2 @@
++<!DOCTYPE >
++
+diff --git a/result/HTML/758606.html.err b/result/HTML/758606.html.err
+new file mode 100644
+index 0000000..060433a
+--- /dev/null
++++ b/result/HTML/758606.html.err
+@@ -0,0 +1,16 @@
++./test/HTML/758606.html:1: HTML parser error : Comment not terminated
++<!--
++<!--�<!doctype
++ ^
++./test/HTML/758606.html:1: HTML parser error : Invalid char in CDATA 0xC
++<!--�<!doctype
++ ^
++./test/HTML/758606.html:1: HTML parser error : Misplaced DOCTYPE declaration
++<!--�<!doctype
++ ^
++./test/HTML/758606.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
++
++^
++./test/HTML/758606.html:2: HTML parser error : DOCTYPE improperly terminated
++
++^
+diff --git a/result/HTML/758606.html.sax b/result/HTML/758606.html.sax
+new file mode 100644
+index 0000000..d44a5cf
+--- /dev/null
++++ b/result/HTML/758606.html.sax
+@@ -0,0 +1,10 @@
++SAX.setDocumentLocator()
++SAX.startDocument()
++SAX.error: Comment not terminated
++<!--
++SAX.error: Invalid char in CDATA 0xC
++SAX.error: Misplaced DOCTYPE declaration
++SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
++SAX.error: DOCTYPE improperly terminated
++SAX.internalSubset((null), , )
++SAX.endDocument()
+diff --git a/result/HTML/758606_2.html b/result/HTML/758606_2.html
+new file mode 100644
+index 0000000..273816a
+--- /dev/null
++++ b/result/HTML/758606_2.html
+@@ -0,0 +1,2 @@
++<!DOCTYPE >
++<html><body><p>‘</p></body></html>
+diff --git a/result/HTML/758606_2.html.err b/result/HTML/758606_2.html.err
+new file mode 100644
+index 0000000..4be039f
+--- /dev/null
++++ b/result/HTML/758606_2.html.err
+@@ -0,0 +1,16 @@
++./test/HTML/758606_2.html:1: HTML parser error : Comment not terminated
++<!--
++<!--��<!dOctYPE
++ ^
++./test/HTML/758606_2.html:1: HTML parser error : Invalid char in CDATA 0xC
++<!--��<!dOctYPE
++ ^
++./test/HTML/758606_2.html:1: HTML parser error : Misplaced DOCTYPE declaration
++<!dOctYPE
++ ^
++./test/HTML/758606_2.html:2: HTML parser error : htmlParseDocTypeDecl : no DOCTYPE name !
++
++^
++./test/HTML/758606_2.html:2: HTML parser error : DOCTYPE improperly terminated
++
++^
+diff --git a/result/HTML/758606_2.html.sax b/result/HTML/758606_2.html.sax
+new file mode 100644
+index 0000000..80ff3d7
+--- /dev/null
++++ b/result/HTML/758606_2.html.sax
+@@ -0,0 +1,17 @@
++SAX.setDocumentLocator()
++SAX.startDocument()
++SAX.error: Comment not terminated
++<!--
++SAX.error: Invalid char in CDATA 0xC
++SAX.startElement(html)
++SAX.startElement(body)
++SAX.startElement(p)
++SAX.characters(‘, 2)
++SAX.error: Misplaced DOCTYPE declaration
++SAX.error: htmlParseDocTypeDecl : no DOCTYPE name !
++SAX.error: DOCTYPE improperly terminated
++SAX.internalSubset((null), , )
++SAX.endElement(p)
++SAX.endElement(body)
++SAX.endElement(html)
++SAX.endDocument()
+diff --git a/test/HTML/758606.html b/test/HTML/758606.html
+new file mode 100644
+index 0000000..01a013c
+--- /dev/null
++++ b/test/HTML/758606.html
+@@ -0,0 +1 @@
++<!--�<!doctype
+diff --git a/test/HTML/758606_2.html b/test/HTML/758606_2.html
+new file mode 100644
+index 0000000..daa185b
+--- /dev/null
++++ b/test/HTML/758606_2.html
+@@ -0,0 +1 @@
++<!--��<!dOctYPE
diff --git a/SOURCES/libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch b/SOURCES/libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch
new file mode 100644
index 0000000..f053c0d
--- /dev/null
+++ b/SOURCES/libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch
@@ -0,0 +1,24 @@
+commit 498a54c26abd0fbd6f7d02b6b6f0275b4390d821
+Author: Daniel Veillard <veillard@redhat.com>
+Date: Tue Feb 9 12:55:29 2016 +0100
+
+ Heap-based buffer overread in xmlNextChar
+
+ For https://bugzilla.gnome.org/show_bug.cgi?id=759671
+
+ when the end of the internal subset isn't properly detected
+ xmlParseInternalSubset should just return instead of trying
+ to process input further.
+
+diff --git a/parser.c b/parser.c
+index f4fc310..b1215ca 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8448,6 +8448,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
+ */
+ if (RAW != '>') {
+ xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
++ return;
+ }
+ NEXT;
+ }
diff --git a/SOURCES/libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch b/SOURCES/libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
new file mode 100644
index 0000000..ab48aaa
--- /dev/null
+++ b/SOURCES/libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
@@ -0,0 +1,119 @@
+From 7d23a33fbf8fe09fe52f9abafeafb9f438229603 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml). Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly. This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+
+Had to fixup by removing test 759573-2
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 2 ++
+ result/errors/759573.xml | 0
+ result/errors/759573.xml.err | 31 +++++++++++++++++++++++++++++++
+ result/errors/759573.xml.str | 4 ++++
+ test/errors/759573.xml | 1 +
+ 5 files changed, 38 insertions(+)
+ create mode 100644 result/errors/759573.xml
+ create mode 100644 result/errors/759573.xml.err
+ create mode 100644 result/errors/759573.xml.str
+ create mode 100644 test/errors/759573.xml
+
+diff --git a/parser.c b/parser.c
+index 133df95..0accf54 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6683,6 +6683,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) {
+ if (!IS_BLANK_CH(CUR)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "Space required after 'ELEMENT'\n");
++ return(-1);
+ }
+ SKIP_BLANKS;
+ name = xmlParseName(ctxt);
+@@ -6834,6 +6835,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+
+ if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++ xmlHaltParser(ctxt);
+ break;
+ }
+ }
+diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
+new file mode 100644
+index 0000000..2c21e9a
+--- /dev/null
++++ b/result/errors/759573.xml.err
+@@ -0,0 +1,31 @@
++./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY'
++ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITY
++ ^
++./test/errors/759573.xml:1: parser error : Space required after the entity name
++LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz
++ ^
++./test/errors/759573.xml:1: parser error : Entity value required
++LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz
++ ^
++Entity: line 1: parser error : PEReference: no name
++ %xx;
++ ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++ ^
++Entity: line 1: parser error : Content error in the external subset
++ %xx;
++ ^
++Entity: line 1:
++%<![INCLUDE[000%ஸ000%z;
++ ^
++./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
++ ^
++./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
++ ^
++./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
++T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
++ ^
+diff --git a/result/errors/759573.xml.str b/result/errors/759573.xml.str
+new file mode 100644
+index 0000000..1b6addb
+--- /dev/null
++++ b/result/errors/759573.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/759573.xml:1: parser error : Extra content at the end of the document
++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00
++ ^
++./test/errors/759573.xml : failed to parse
+diff --git a/test/errors/759573.xml b/test/errors/759573.xml
+new file mode 100644
+index 0000000..69ebb57
+--- /dev/null
++++ b/test/errors/759573.xml
+@@ -0,0 +1 @@
++<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx;
+\ No newline at end of file
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch b/SOURCES/libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
new file mode 100644
index 0000000..d22d988
--- /dev/null
+++ b/SOURCES/libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
@@ -0,0 +1,143 @@
+From 7012970b0d005f440e8326e37844a834f67a8c64 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index a897cb0..e7d802d 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt)
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+ (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt) {
+
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else {
+@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+ /*
+ * Name ::= (Letter | '_') (NameChar)*
+ */
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while (IS_PUBIDCHAR_CH(CUR)) {
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '"') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+- NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '\'') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else {
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch b/SOURCES/libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
new file mode 100644
index 0000000..3ec83c9
--- /dev/null
+++ b/SOURCES/libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
@@ -0,0 +1,156 @@
+From 7eca8fef0d19c65bd2004ba73347575a38e8d08e Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde <pjumde@apple.com>
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change. Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ parser.c | 26 +++++++++++++++++++++++--
+ result/errors/759020.xml | 0
+ result/errors/759020.xml.err | 6 ++++++
+ result/errors/759020.xml.str | 7 +++++++
+ test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 83 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+
+diff --git a/parser.c b/parser.c
+index 1936599..133df95 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9438,8 +9438,20 @@ reparse:
+ else
+ if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+- if (alloc != 0) xmlFree(attvalue);
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
++ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
++ break;
++ if (!IS_BLANK_CH(RAW)) {
++ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
++ "attributes construct error\n");
++ break;
++ }
+ SKIP_BLANKS;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+ if (aprefix == ctxt->str_xmlns) {
+@@ -9511,7 +9523,17 @@ skip_default_ns:
+ else
+ if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+ skip_ns:
+- if (alloc != 0) xmlFree(attvalue);
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
++ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
++ break;
++ if (!IS_BLANK_CH(RAW)) {
++ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
++ "attributes construct error\n");
++ break;
++ }
+ SKIP_BLANKS;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
+diff --git a/result/errors/759020.xml.err b/result/errors/759020.xml.err
+new file mode 100644
+index 0000000..a0d3051
+--- /dev/null
++++ b/result/errors/759020.xml.err
+@@ -0,0 +1,6 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++ ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
++
++ ^
+diff --git a/result/errors/759020.xml.str b/result/errors/759020.xml.str
+new file mode 100644
+index 0000000..998d6d2
+--- /dev/null
++++ b/result/errors/759020.xml.str
+@@ -0,0 +1,7 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++ ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
++
++ ^
++./test/errors/759020.xml : failed to parse
+diff --git a/test/errors/759020.xml b/test/errors/759020.xml
+new file mode 100644
+index 0000000..db23275
+--- /dev/null
++++ b/test/errors/759020.xml
+@@ -0,0 +1,46 @@
++<?l 00000000000000000000000000000?>
++<s00 w0000="000" h00000="000"
++ xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+\ No newline at end of file
+--
+2.5.5
+
diff --git a/SOURCES/libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch b/SOURCES/libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch
new file mode 100644
index 0000000..37bfcaa
--- /dev/null
+++ b/SOURCES/libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch
@@ -0,0 +1,208 @@
+From 6a2a4e753bbba26b2de3d32f11c28691bec967dc Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Mon, 23 May 2016 14:58:41 +0800
+Subject: [PATCH] More format string warnings with possible format string
+ vulnerability
+To: libvir-list@redhat.com
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761029
+
+adds a new xmlEscapeFormatString() function to escape composed format
+strings
+
+Signed-off-by: Daniel Veillard <veillard@redhat.com>
+---
+ libxml.h | 3 +++
+ relaxng.c | 3 ++-
+ xmlschemas.c | 39 ++++++++++++++++++++++++++-------------
+ xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 86 insertions(+), 14 deletions(-)
+
+diff --git a/libxml.h b/libxml.h
+index 4558b70..88e515f 100644
+--- a/libxml.h
++++ b/libxml.h
+@@ -9,6 +9,8 @@
+ #ifndef __XML_LIBXML_H__
+ #define __XML_LIBXML_H__
+
++#include <libxml/xmlstring.h>
++
+ #ifndef NO_LARGEFILE_SOURCE
+ #ifndef _LARGEFILE_SOURCE
+ #define _LARGEFILE_SOURCE
+@@ -93,6 +95,7 @@ int __xmlInitializeDict(void);
+ int __xmlRandom(void);
+ #endif
+
++XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg);
+ int xmlNop(void);
+
+ #ifdef IN_LIBXML
+diff --git a/relaxng.c b/relaxng.c
+index b531081..99e9901 100644
+--- a/relaxng.c
++++ b/relaxng.c
+@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1,
+ snprintf(msg, 1000, "Unknown error code %d\n", err);
+ }
+ msg[1000 - 1] = 0;
+- return (xmlStrdup((xmlChar *) msg));
++ xmlChar *result = xmlCharStrdup(msg);
++ return (xmlEscapeFormatString(&result));
+ }
+
+ /**
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 398cdd8..1bcb0f0 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **buf,
+ }
+ FREE_AND_NULL(str)
+
+- return (*buf);
++ return (xmlEscapeFormatString(buf));
+ }
+
+ /**
+@@ -2247,6 +2247,13 @@ xmlSchemaFormatNodeForError(xmlChar ** msg,
+ TODO
+ return (NULL);
+ }
++
++ /*
++ * xmlSchemaFormatItemForReport() also returns an escaped format
++ * string, so do this before calling it below (in the future).
++ */
++ xmlEscapeFormatString(msg);
++
+ /*
+ * VAL TODO: The output of the given schema component is currently
+ * disabled.
+@@ -2474,11 +2481,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstractCtxtPtr actxt,
+ msg = xmlStrcat(msg, BAD_CAST " '");
+ if (type->builtInType != 0) {
+ msg = xmlStrcat(msg, BAD_CAST "xs:");
+- msg = xmlStrcat(msg, type->name);
+- } else
+- msg = xmlStrcat(msg,
+- xmlSchemaFormatQName(&str,
+- type->targetNamespace, type->name));
++ str = xmlStrdup(type->name);
++ } else {
++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++ if (!str)
++ str = xmlStrdup(qName);
++ }
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ msg = xmlStrcat(msg, BAD_CAST "'");
+ FREE_AND_NULL(str);
+ }
+@@ -2615,7 +2624,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt,
+ str = xmlStrcat(str, BAD_CAST ", ");
+ }
+ str = xmlStrcat(str, BAD_CAST " ).\n");
+- msg = xmlStrcat(msg, BAD_CAST str);
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ FREE_AND_NULL(str)
+ } else
+ msg = xmlStrcat(msg, BAD_CAST "\n");
+@@ -3139,11 +3148,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,
+ msg = xmlStrcat(msg, BAD_CAST " '");
+ if (type->builtInType != 0) {
+ msg = xmlStrcat(msg, BAD_CAST "xs:");
+- msg = xmlStrcat(msg, type->name);
+- } else
+- msg = xmlStrcat(msg,
+- xmlSchemaFormatQName(&str,
+- type->targetNamespace, type->name));
++ str = xmlStrdup(type->name);
++ } else {
++ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name);
++ if (!str)
++ str = xmlStrdup(qName);
++ }
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&str));
+ msg = xmlStrcat(msg, BAD_CAST "'.");
+ FREE_AND_NULL(str);
+ }
+@@ -3156,7 +3167,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,
+ }
+ if (expected) {
+ msg = xmlStrcat(msg, BAD_CAST " Expected is '");
+- msg = xmlStrcat(msg, BAD_CAST expected);
++ xmlChar *expectedEscaped = xmlCharStrdup(expected);
++ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
++ FREE_AND_NULL(expectedEscaped);
+ msg = xmlStrcat(msg, BAD_CAST "'.\n");
+ } else
+ msg = xmlStrcat(msg, BAD_CAST "\n");
+diff --git a/xmlstring.c b/xmlstring.c
+index c66eef3..9164d2e 100644
+--- a/xmlstring.c
++++ b/xmlstring.c
+@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int start, int len) {
+ return(xmlUTF8Strndup(utf, len));
+ }
+
++/**
++ * xmlEscapeFormatString:
++ * @msg: a pointer to the string in which to escape '%' characters.
++ * Must be a heap-allocated buffer created by libxml2 that may be
++ * returned, or that may be freed and replaced.
++ *
++ * Replaces the string pointed to by 'msg' with an escaped string.
++ * Returns the same string with all '%' characters escaped.
++ */
++xmlChar *
++xmlEscapeFormatString(xmlChar **msg)
++{
++ xmlChar *msgPtr = NULL;
++ xmlChar *result = NULL;
++ xmlChar *resultPtr = NULL;
++ size_t count = 0;
++ size_t msgLen = 0;
++ size_t resultLen = 0;
++
++ if (!msg || !*msg)
++ return(NULL);
++
++ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) {
++ ++msgLen;
++ if (*msgPtr == '%')
++ ++count;
++ }
++
++ if (count == 0)
++ return(*msg);
++
++ resultLen = msgLen + count + 1;
++ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar));
++ if (result == NULL) {
++ /* Clear *msg to prevent format string vulnerabilities in
++ out-of-memory situations. */
++ xmlFree(*msg);
++ *msg = NULL;
++ xmlErrMemory(NULL, NULL);
++ return(NULL);
++ }
++
++ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) {
++ *resultPtr = *msgPtr;
++ if (*msgPtr == '%')
++ *(++resultPtr) = '%';
++ }
++ result[resultLen - 1] = '\0';
++
++ xmlFree(*msg);
++ *msg = result;
++
++ return *msg;
++}
++
+ #define bottom_xmlstring
+ #include "elfgcchack.h"
+--
+2.5.5
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index 1c28885..96cb4d2 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -4,7 +4,7 @@
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.1
-Release: 6%{?dist}%{?extra_release}.2
+Release: 6%{?dist}%{?extra_release}.3
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -39,6 +39,22 @@ Patch121: libxml2-Bug-on-creating-new-stream-from-entity.patch
Patch122: libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
Patch123: libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
Patch124: libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
+patch125: libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch
+patch126: libxml2-Avoid-building-recursive-entities.patch
+patch127: libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch
+patch128: libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch
+patch129: libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch
+patch130: libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch
+patch131: libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch
+patch132: libxml2-Fix-inappropriate-fetch-of-entities-content.patch
+patch133: libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch
+patch134: libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch
+patch135: libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch
+patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
+patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
+patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
+patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch
+
%description
This library allows to manipulate XML files. It includes support
@@ -126,6 +142,21 @@ at parse time or later once the document has been modified.
%patch122 -p1
%patch123 -p1
%patch124 -p1
+%patch125 -p1
+%patch126 -p1
+%patch127 -p1
+%patch128 -p1
+%patch129 -p1
+%patch130 -p1
+%patch131 -p1
+%patch132 -p1
+%patch133 -p1
+%patch134 -p1
+%patch135 -p1
+%patch136 -p1
+%patch137 -p1
+%patch138 -p1
+%patch139 -p1
%build
%configure
@@ -208,6 +239,23 @@ rm -fr %{buildroot}
%doc doc/python.html
%changelog
+* Mon Jun 6 2016 Daniel Veillard <veillard@redhat.com> - libxml2-2.9.1-6.3
+- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
+- Bug 763071: Heap-buffer-overflow in xmlStrncat <https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834)
+- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711> (CVE-2016-1840)
+- Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588> (CVE-2016-1838)
+- Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> (CVE-2016-1839)
+- Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398> (CVE-2016-1836)
+- Fix inappropriate fetch of entities content (CVE-2016-4449)
+- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837)
+- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
+- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
+- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
+- Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705)
+- Avoid building recursive entities (CVE-2016-3627)
+- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
+- More format string warnings with possible format string vulnerability (CVE-2016-4448)
+
* Mon Nov 30 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6.2
- Fix a series of CVEs (rhbz#1286496)
- CVE-2015-7941 Stop parsing on entities boundaries errors