Mail archive
alpine-aports

[alpine-aports] [PATCH] 3.1-stable/main/libxml: security fixes

From: Christian Kampka <christian_at_kampka.net>
Date: Sat, 28 Nov 2015 22:45:03 +0100

CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh Davenport)
CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard)
CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard)
CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard)
CVE-2015-5312 Another entity expansion issue (David Drysdale)
CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey (David Drysdale)
CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard)
CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard)
CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard)
CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard)
CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard)
CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard)
CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard)
---
 main/libxml2/APKBUILD              |  62 +++++++++++--
 main/libxml2/CVE-2015-1819.patch   | 176 +++++++++++++++++++++++++++++++++++++
 main/libxml2/CVE-2015-5312.patch   |  32 +++++++
 main/libxml2/CVE-2015-7497.patch   |  32 +++++++
 main/libxml2/CVE-2015-7498.patch   |  82 +++++++++++++++++
 main/libxml2/CVE-2015-7499-1.patch |  81 +++++++++++++++++
 main/libxml2/CVE-2015-7499-2.patch |  36 ++++++++
 main/libxml2/CVE-2015-7500.patch   | 106 ++++++++++++++++++++++
 main/libxml2/CVE-2015-7941_1.patch |  32 +++++++
 main/libxml2/CVE-2015-7941_2.patch |  49 +++++++++++
 main/libxml2/CVE-2015-7942-2.patch |  28 ++++++
 main/libxml2/CVE-2015-7942.patch   |  32 +++++++
 main/libxml2/CVE-2015-8035.patch   |  31 +++++++
 main/libxml2/CVE-2015-8242.patch   |  42 +++++++++
 14 files changed, 816 insertions(+), 5 deletions(-)
 create mode 100644 main/libxml2/CVE-2015-1819.patch
 create mode 100644 main/libxml2/CVE-2015-5312.patch
 create mode 100644 main/libxml2/CVE-2015-7497.patch
 create mode 100644 main/libxml2/CVE-2015-7498.patch
 create mode 100644 main/libxml2/CVE-2015-7499-1.patch
 create mode 100644 main/libxml2/CVE-2015-7499-2.patch
 create mode 100644 main/libxml2/CVE-2015-7500.patch
 create mode 100644 main/libxml2/CVE-2015-7941_1.patch
 create mode 100644 main/libxml2/CVE-2015-7941_2.patch
 create mode 100644 main/libxml2/CVE-2015-7942-2.patch
 create mode 100644 main/libxml2/CVE-2015-7942.patch
 create mode 100644 main/libxml2/CVE-2015-8035.patch
 create mode 100644 main/libxml2/CVE-2015-8242.patch
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 0335089..00e1f39 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
_at_@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter_at_gmail.com>
 pkgname=libxml2
 pkgver=2.9.2
-pkgrel=0
+pkgrel=1
 pkgdesc="XML parsing library, version 2"
 url="http://www.xmlsoft.org/"
 arch="all"
_at_@ -14,6 +14,19 @@ subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils"
 source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
 	libxml2-pthread.patch
 	CVE-2014-0191.patch
+	CVE-2015-1819.patch
+	CVE-2015-5312.patch
+	CVE-2015-7497.patch
+	CVE-2015-7498.patch
+	CVE-2015-7499-1.patch
+	CVE-2015-7499-2.patch
+	CVE-2015-7500.patch
+	CVE-2015-7941_1.patch
+	CVE-2015-7941_2.patch
+	CVE-2015-7942.patch
+	CVE-2015-7942-2.patch
+	CVE-2015-8035.patch
+	CVE-2015-8242.patch
 	"
 
 options="!strip"
_at_@ -47,7 +60,7 @@ package() {
 	rm "$pkgdir"/usr/lib/*.la \
 		"$pkgdir"/usr/lib/python*/site-packages/*.la \
 		|| return 1
-		
+
 	install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
 }
 
_at_@ -67,10 +80,49 @@ utils() {
 
 md5sums="9e6a9aca9d155737868b3dc5fd82f788  libxml2-2.9.2.tar.gz
 cc0da520c5296e87407d24166480da73  libxml2-pthread.patch
-e6f432aea642badcb848e5791bcf6df7  CVE-2014-0191.patch"
+e6f432aea642badcb848e5791bcf6df7  CVE-2014-0191.patch
+44b96e4a7c675f103628d7decfa56d37  CVE-2015-1819.patch
+a6fdca7e058fe6fbaa248e8c0aae7424  CVE-2015-5312.patch
+70b52327b3bbc473cfde89730f829aeb  CVE-2015-7497.patch
+5cfa24ef6c26ad780bcdd7dfad831fd1  CVE-2015-7498.patch
+d876337f727521061309722c9d16ba9a  CVE-2015-7499-1.patch
+2852386b8844d628e6680e054fbbba4e  CVE-2015-7499-2.patch
+0be954db9ac4cf9055b95eed5077fb2e  CVE-2015-7500.patch
+286111441eed116f2edc489e9788d573  CVE-2015-7941_1.patch
+44ad838bfb10784f016bf35ead4e1beb  CVE-2015-7941_2.patch
+7304667ea636d829feed9cc6747d5efb  CVE-2015-7942.patch
+ffdfbe9d5d7d334c5baca09060d56e78  CVE-2015-7942-2.patch
+66f5aa382028e125202f6ac70f507c0a  CVE-2015-8035.patch
+f5dc37a7162905c53ec86d06e20cb9b3  CVE-2015-8242.patch"
 sha256sums="5178c30b151d044aefb1b08bf54c3003a0ac55c59c866763997529d60770d5bc  libxml2-2.9.2.tar.gz
 97d5e152580774483c47b28483282a4180c2c375bb7716a807ec859e59c3ec2f  libxml2-pthread.patch
-288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8  CVE-2014-0191.patch"
+288a762e8b115cecc02d920e4b36ebfa5249b8a6713a1a948e344d881d094ea8  CVE-2014-0191.patch
+18cc94e2d1917e6e7b959d1ad1a1b1a907cdbd6fc7cfd52bfd2a7aaec7816bf2  CVE-2015-1819.patch
+8676498e81d8f973c02bb0c8d56486be593c0179a0cc9d0c6e9bcdfff068bb05  CVE-2015-5312.patch
+b63be023398e8d89068b968bacb8c50d9cac0b32eeec29c972d4b9a54f7288cd  CVE-2015-7497.patch
+56bf3c58cd388bdabf3b47613cfb2d84be564954d86836e815679ad4151923dc  CVE-2015-7498.patch
+ad99f8442cc6dc5127cb67c8b6277995f301b739ec8a60a474746c846e360ece  CVE-2015-7499-1.patch
+4c44c22a5f3156aff40a029d656caca55cc095cf3cbaeeabc0b6e09b03fcf08c  CVE-2015-7499-2.patch
+a482436a040e0c94efc669ac71bfd42427efd33a9e7d755897a6b0ae8b42e41f  CVE-2015-7500.patch
+86d575ab1273f9a182a5c589db3e7a93b7c4bed63ca3588a8a99a84235b990be  CVE-2015-7941_1.patch
+53c2adf000f8716a9e96aef9018cd824bb4cd24169d62686c1631bbee6ec60c8  CVE-2015-7941_2.patch
+9095165d17db7e66060307fea16872ce5be63bd9f52e858f05200d6f12391ee4  CVE-2015-7942.patch
+bd98845e4fb4405ae45f4dbdac097ac40db4e8ac8d2ff7194ac0997404ca37bf  CVE-2015-7942-2.patch
+3b4d7e17929e8cb4ce078a7358450b308e15c9b9aa9d125a4d945ef6623e9bae  CVE-2015-8035.patch
+e4a1441afcd4379455ed683216dfbee49b7ef5480f57c449481fb3928190b41f  CVE-2015-8242.patch"
 sha512sums="a4e3b20e2efceed39c20379b32b746d4a1cf65c0cf7719d26c9bf7483c1f04a4e5a442ae2f36dc4ae8a4d011b67cfb58d9f6d0be034fa3e897a49059c9289565  libxml2-2.9.2.tar.gz
 bda49c5e09605acc2bb36203521f750903d81345cc38af54b977e3ce71e288267fb3ab98f1813d846ab45461490482337f7af8b0f1a8a5e0b2c09e03bbadc7f7  libxml2-pthread.patch
-41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11  CVE-2014-0191.patch"
+41b6737b5cfe6392e3d781ebde48db0bf221bde89701742408afe625a88a67f6f6aed5cf04c1983ba2e7e04c2d819a8011908d23060365225571691c5e61cf11  CVE-2014-0191.patch
+61c512e2f43bd0791e05a60c6bfa41a8a53bc95b2e45f983e6a87964246a6ab596955f9c9956d1f7ffd08fff774ab8d54222eeebb1e14cd5e54378e65ff677ce  CVE-2015-1819.patch
+3a1f95a681fed8ae26327246c767d332d863d401318e246cd97b79f63ac09aef7e9a82a6185e60e7de9d4489a9f21ed519d015ea9748da2ed065ab579c596b25  CVE-2015-5312.patch
+50dcf87ddce80643d7bb0e622d3d67a095549571da5866c9b6f8867c28aa3b41fe43ae12e4c2aa2ddb4d084908dfb79cd84995089fead447c1f1db1bff6a0ca3  CVE-2015-7497.patch
+6c3c7dbc23380f53d6a5122bd2d55cf2352822974d6cf7921dbe07f11b5396cdc5f1812263e10d53c41610989bbf7c5266f6751eb987c0fd93ff068e8f4348a2  CVE-2015-7498.patch
+17c62e675e64366079a44753aaf460a026a0716b5a1bc7bace4156dc693639bf842c0be326877eebf4661943f93f43866967e1989603499233ae280f93c79d37  CVE-2015-7499-1.patch
+9a51143edb520491653bf44c8cdce3a359d4ada33bb1352b2985a1e00bf6367941f7f41983b126fb1eca531811473966b20d03338873490ab328af6647a2d4e0  CVE-2015-7499-2.patch
+1bddc8789cc37b015abee0659cafdb60936a38a4ec7d39e23ecc4c8ca0bf5fc73aefeb9a16f480749dc73bc9c752986dc5df6dc92d041d17677bce64b9d4588a  CVE-2015-7500.patch
+c86c62704b527e5b3e0834586a4a05e5acc059ececf80e45135bf9d00ed0531aa268366c9bdac1fb4f5fa98a03175f33d98e3edde4d351095b8aae456656579f  CVE-2015-7941_1.patch
+3711688706751455818ac29ecc49f221ce747173145ff076bc1a2223d8c00287362f0b5bfc6351583bc3edabe1f05546295d78633c0ccf9cfa4d48a5594e09d8  CVE-2015-7941_2.patch
+bbf93ce9f9277f049ccac6644f72e4c2d42a7513762950c928bbdab3813a9a20123a3aef5c83b8448213026761150bc4ad5a2a89dd9eb770793b642a54ca3fd0  CVE-2015-7942.patch
+40837e2cc46aa8972818aa4526926cffd213e4c5a689c66f4c4b864c339582588e03d98f4fcf5781977b3a71a2a0850de17540b0293e58755f07346471e76aa4  CVE-2015-7942-2.patch
+071577d6d2f4fa2df1894fab3379ac461f79a785a3c54b04c729a1e06982d3ae0158526d213a4b375fa878fa7bb2a257cf9070092f8228ad5dc159f99ea71ea1  CVE-2015-8035.patch
+98c83b942f718a765821771eb32aef70086edaedc44b83ecf291e8c65afdca63ec204b50d4dbfb87c13e6ded12cce3a7cfd3291449e9daa4d30d025525605e4d  CVE-2015-8242.patch"
diff --git a/main/libxml2/CVE-2015-1819.patch b/main/libxml2/CVE-2015-1819.patch
new file mode 100644
index 0000000..e77202b
--- /dev/null
+++ b/main/libxml2/CVE-2015-1819.patch
_at_@ -0,0 +1,176 @@
+From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+---
+ buf.c                 | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h |  3 ++-
+ xmlreader.c           | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 6efc7b6..07922ff 100644
+--- a/buf.c
++++ b/buf.c
+_at_@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+ 
+ #define WITH_BUFFER_COMPAT
+_at_@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+     if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+         (scheme == XML_BUFFER_ALLOC_EXACT) ||
+         (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+-        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++	(scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ 	buf->alloc = scheme;
+         if (buf->buffer)
+             buf->buffer->alloc = scheme;
+_at_@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+     size = buf->use + len + 100;
+ #endif
+ 
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++	 * Used to provide parsing limits
++	 */
++        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++	    (buf->size >= XML_MAX_TEXT_LENGTH)) {
++	    xmlBufMemoryError(buf, "buffer error: text too long\n");
++	    return(0);
++	}
++	if (size >= XML_MAX_TEXT_LENGTH)
++	    size = XML_MAX_TEXT_LENGTH;
++    }
+     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+         size_t start_buf = buf->content - buf->contentIO;
+ 
+_at_@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+     CHECK_COMPAT(buf)
+ 
+     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++        /*
++	 * Used to provide parsing limits
++	 */
++        if (size >= XML_MAX_TEXT_LENGTH) {
++	    xmlBufMemoryError(buf, "buffer error: text too long\n");
++	    return(0);
++	}
++    }
+ 
+     /* Don't resize if we don't have to */
+     if (size < buf->size)
+_at_@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ 
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	    /*
++	     * Used to provide parsing limits
++	     */
++	    if (needSize >= XML_MAX_TEXT_LENGTH) {
++		xmlBufMemoryError(buf, "buffer error: text too long\n");
++		return(-1);
++	    }
++	}
+         if (!xmlBufResize(buf, needSize)){
+ 	    xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+_at_@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+     }
+     needSize = buf->use + len + 2;
+     if (needSize > buf->size){
++	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++	    /*
++	     * Used to provide parsing limits
++	     */
++	    if (needSize >= XML_MAX_TEXT_LENGTH) {
++		xmlBufMemoryError(buf, "buffer error: text too long\n");
++		return(-1);
++	    }
++	}
+         if (!xmlBufResize(buf, needSize)){
+ 	    xmlBufMemoryError(buf, "growing buffer");
+             return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 2f90717..4a9b3bc 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+_at_@ -76,7 +76,8 @@ typedef enum {
+     XML_BUFFER_ALLOC_EXACT,	/* grow only to the minimal size */
+     XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+     XML_BUFFER_ALLOC_IO,	/* special allocation scheme used for I/O */
+-    XML_BUFFER_ALLOC_HYBRID	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_HYBRID,	/* exact up to a threshold, and doubleit thereafter */
++    XML_BUFFER_ALLOC_BOUNDED	/* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+ 
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index f19e123..471e7e2 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+_at_@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+ 		"xmlNewTextReader : malloc failed\n");
+ 	return(NULL);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(ret->buffer,
++			      XML_BUFFER_ALLOC_BOUNDED);
+     ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (ret->sax == NULL) {
+ 	xmlBufFree(ret->buffer);
+_at_@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ 	    return(((xmlNsPtr) node)->href);
+         case XML_ATTRIBUTE_NODE:{
+ 	    xmlAttrPtr attr = (xmlAttrPtr) node;
++	    const xmlChar *ret;
+ 
+ 	    if ((attr->children != NULL) &&
+ 	        (attr->children->type == XML_TEXT_NODE) &&
+_at_@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+                                         "xmlTextReaderSetup : malloc failed\n");
+                         return (NULL);
+                     }
++		    xmlBufSetAllocationScheme(reader->buffer,
++		                              XML_BUFFER_ALLOC_BOUNDED);
+                 } else
+                     xmlBufEmpty(reader->buffer);
+ 	        xmlBufGetNodeContent(reader->buffer, node);
+-		return(xmlBufContent(reader->buffer));
++		ret = xmlBufContent(reader->buffer);
++		if (ret == NULL) {
++		    /* error on the buffer best to reallocate */
++		    xmlBufFree(reader->buffer);
++		    reader->buffer = xmlBufCreateSize(100);
++		    xmlBufSetAllocationScheme(reader->buffer,
++		                              XML_BUFFER_ALLOC_BOUNDED);
++		    ret = BAD_CAST "";
++		}
++		return(ret);
+ 	    }
+ 	    break;
+ 	}
+_at_@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+                         "xmlTextReaderSetup : malloc failed\n");
+         return (-1);
+     }
++    /* no operation on a reader should require a huge buffer */
++    xmlBufSetAllocationScheme(reader->buffer,
++			      XML_BUFFER_ALLOC_BOUNDED);
+     if (reader->sax == NULL)
+ 	reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+     if (reader->sax == NULL) {
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-5312.patch b/main/libxml2/CVE-2015-5312.patch
new file mode 100644
index 0000000..ab9f31f
--- /dev/null
+++ b/main/libxml2/CVE-2015-5312.patch
_at_@ -0,0 +1,32 @@
+From 69030714cde66d525a8884bda01b9e8f0abf8e1e Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale_at_google.com>
+Date: Fri, 20 Nov 2015 11:13:45 +0800
+Subject: CVE-2015-5312 Another entity expansion issue
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756733
+It is one case where the code in place to detect entities expansions
+failed to exit when the situation was detected, leading to DoS
+Problem reported by Kostya Serebryany _at_ Google
+Patch provided by David Drysdale _at_ Google
+---
+ parser.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b7b6668..da6e729 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -2806,6 +2806,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 			                      0, 0, 0);
+ 		ctxt->depth--;
+ 
++		if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
++		    (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
++		    goto int_error;
++
+ 		if (rep != NULL) {
+ 		    current = rep;
+ 		    while (*current != 0) { /* non input consuming loop */
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7497.patch b/main/libxml2/CVE-2015-7497.patch
new file mode 100644
index 0000000..d734c60
--- /dev/null
+++ b/main/libxml2/CVE-2015-7497.patch
_at_@ -0,0 +1,32 @@
+From 6360a31a84efe69d155ed96306b9a931a40beab9 Mon Sep 17 00:00:00 2001
+From: David Drysdale <drysdale_at_google.com>
+Date: Fri, 20 Nov 2015 10:47:12 +0800
+Subject: CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756528
+It was possible to hit a negative offset in the name indexing
+used to randomize the dictionary key generation
+Reported and fix provided by David Drysdale _at_ Google
+---
+ dict.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 5f71d55..8c8f931 100644
+--- a/dict.c
++++ b/dict.c
+_at_@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+ 	value += 30 * (*prefix);
+ 
+     if (len > 10) {
+-        value += name[len - (plen + 1 + 1)];
++        int offset = len - (plen + 1 + 1);
++	if (offset < 0)
++	    offset = len - (10 + 1);
++	value += name[offset];
+         len = 10;
+ 	if (plen > 10)
+ 	    plen = 10;
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7498.patch b/main/libxml2/CVE-2015-7498.patch
new file mode 100644
index 0000000..9682926
--- /dev/null
+++ b/main/libxml2/CVE-2015-7498.patch
_at_@ -0,0 +1,82 @@
+From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Mon, 9 Nov 2015 18:07:18 +0800
+Subject: Avoid processing entities after encoding conversion failures
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756527
+and was also raised by Chromium team in the past
+
+When we hit a convwersion failure when switching encoding
+it is bestter to stop parsing there, this was treated as a
+fatal error but the parser was continuing to process to extract
+more errors, unfortunately that makes little sense as the data
+is obviously corrupt and can potentially lead to unexpected behaviour.
+---
+ parser.c          |  7 +++++--
+ parserInternals.c | 11 ++++++++++-
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 134afe7..c79b4e8 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+ 	xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
+     }
+     xmlParseEncodingDecl(ctxt);
+-    if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++    if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++         (ctxt->instate == XML_PARSER_EOF)) {
+ 	/*
+ 	 * The XML REC instructs us to stop parsing right here
+ 	 */
+_at_@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ 
+     if (CUR == 0) {
+ 	xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
++	return(-1);
+     }
+ 
+     /*
+_at_@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
+ 	 * Note that we will switch encoding on the fly.
+ 	 */
+ 	xmlParseXMLDecl(ctxt);
+-	if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
++	if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
++	    (ctxt->instate == XML_PARSER_EOF)) {
+ 	    /*
+ 	     * The XML REC instructs us to stop parsing right here
+ 	     */
+diff --git a/parserInternals.c b/parserInternals.c
+index df204fd..c8230c1 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+_at_@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+ {
+     xmlCharEncodingHandlerPtr handler;
+     int len = -1;
++    int ret;
+ 
+     if (ctxt == NULL) return(-1);
+     switch (enc) {
+_at_@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
+     if (handler == NULL)
+ 	return(-1);
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+-    return(xmlSwitchToEncodingInt(ctxt, handler, len));
++    ret = xmlSwitchToEncodingInt(ctxt, handler, len);
++    if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
++        /*
++	 * on encoding conversion errors, stop the parser
++	 */
++        xmlStopParser(ctxt);
++	ctxt->errNo = XML_I18N_CONV_FAILED;
++    }
++    return(ret);
+ }
+ 
+ /**
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7499-1.patch b/main/libxml2/CVE-2015-7499-1.patch
new file mode 100644
index 0000000..d3e95d8
--- /dev/null
+++ b/main/libxml2/CVE-2015-7499-1.patch
_at_@ -0,0 +1,81 @@
+From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Fri, 20 Nov 2015 14:55:30 +0800
+Subject: Add xmlHaltParser() to stop the parser
+
+The problem is doing it in a consistent and safe fashion
+It's more complex than just setting ctxt->instate = XML_PARSER_EOF
+Update the public function to reuse that new internal routine
+---
+ parser.c | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index da6e729..b6e99b1 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -94,6 +94,8 @@ static xmlParserCtxtPtr
+ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ 	                  const xmlChar *base, xmlParserCtxtPtr pctx);
+ 
++static void xmlHaltParser(xmlParserCtxtPtr ctxt);
++
+ /************************************************************************
+  *									*
+  *	Arbitrary limits set in the parser. See XML_PARSE_HUGE		*
+_at_@ -12625,25 +12627,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data,
+ #endif /* LIBXML_PUSH_ENABLED */
+ 
+ /**
+- * xmlStopParser:
++ * xmlHaltParser:
+  * _at_ctxt:  an XML parser context
+  *
+- * Blocks further parser processing
++ * Blocks further parser processing don't override error
++ * for internal use
+  */
+-void
+-xmlStopParser(xmlParserCtxtPtr ctxt) {
++static void
++xmlHaltParser(xmlParserCtxtPtr ctxt) {
+     if (ctxt == NULL)
+         return;
+     ctxt->instate = XML_PARSER_EOF;
+-    ctxt->errNo = XML_ERR_USER_STOP;
+     ctxt->disableSAX = 1;
+     if (ctxt->input != NULL) {
++        /*
++	 * in case there was a specific allocation deallocate before
++	 * overriding base
++	 */
++        if (ctxt->input->free != NULL) {
++	    ctxt->input->free((xmlChar *) ctxt->input->base);
++	    ctxt->input->free = NULL;
++	}
+ 	ctxt->input->cur = BAD_CAST"";
+ 	ctxt->input->base = ctxt->input->cur;
+     }
+ }
+ 
+ /**
++ * xmlStopParser:
++ * _at_ctxt:  an XML parser context
++ *
++ * Blocks further parser processing
++ */
++void
++xmlStopParser(xmlParserCtxtPtr ctxt) {
++    if (ctxt == NULL)
++        return;
++    xmlHaltParser(ctxt);
++    ctxt->errNo = XML_ERR_USER_STOP;
++}
++
++/**
+  * xmlCreateIOParserCtxt:
+  * _at_sax:  a SAX handler
+  * _at_user_data:  The user data returned on SAX callbacks
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7499-2.patch b/main/libxml2/CVE-2015-7499-2.patch
new file mode 100644
index 0000000..741b81b
--- /dev/null
+++ b/main/libxml2/CVE-2015-7499-2.patch
_at_@ -0,0 +1,36 @@
+From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Fri, 20 Nov 2015 15:04:09 +0800
+Subject: Detect incoherency on GROW
+
+the current pointer to the input has to be between the base and end
+if not stop everything we have an internal state error.
+---
+ parser.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1810f99..ab007aa 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -2075,9 +2075,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+          ((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
+         ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+         xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+-        ctxt->instate = XML_PARSER_EOF;
++        xmlHaltParser(ctxt);
++	return;
+     }
+     xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++    if ((ctxt->input->cur > ctxt->input->end) ||
++        (ctxt->input->cur < ctxt->input->base)) {
++        xmlHaltParser(ctxt);
++        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
++	return;
++    }
+     if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
+         (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
+ 	    xmlPopInput(ctxt);
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7500.patch b/main/libxml2/CVE-2015-7500.patch
new file mode 100644
index 0000000..1c031e2
--- /dev/null
+++ b/main/libxml2/CVE-2015-7500.patch
_at_@ -0,0 +1,106 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: CVE-2015-7500 Fix memory access error due to incorrect entities
+ boundaries
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany _at_ Google
+
+This slightly modifies the output of 754946 in regression tests
+---
+ parser.c                     | 28 ++++++++++++++++++++++------
+ 1 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+     const xmlChar **atts = ctxt->atts;
+     int maxatts = ctxt->maxatts;
+     int nratts, nbatts, nbdef;
+-    int i, j, nbNs, attval, oldline, oldcol;
++    int i, j, nbNs, attval, oldline, oldcol, inputNr;
+     const xmlChar *base;
+     unsigned long cur;
+     int nsNr = ctxt->nsNr;
+_at_@ -9367,6 +9367,7 @@ reparse:
+     SHRINK;
+     base = ctxt->input->base;
+     cur = ctxt->input->cur - ctxt->input->base;
++    inputNr = ctxt->inputNr;
+     oldline = ctxt->input->line;
+     oldcol = ctxt->input->col;
+     nbatts = 0;
+_at_@ -9392,7 +9393,8 @@ reparse:
+      */
+     SKIP_BLANKS;
+     GROW;
+-    if (ctxt->input->base != base) goto base_changed;
++    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++        goto base_changed;
+
+     while (((RAW != '>') &&
+ 	   ((RAW != '/') || (NXT(1) != '>')) &&
+_at_@ -9403,7 +9405,7 @@ reparse:
+
+ 	attname = xmlParseAttribute2(ctxt, prefix, localname,
+ 	                             &aprefix, &attvalue, &len, &alloc);
+-	if (ctxt->input->base != base) {
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+ 	    if ((attvalue != NULL) && (alloc != 0))
+ 	        xmlFree(attvalue);
+ 	    attvalue = NULL;
+_at_@ -9552,7 +9554,8 @@ skip_ns:
+ 		    break;
+ 		}
+ 		SKIP_BLANKS;
+-		if (ctxt->input->base != base) goto base_changed;
++		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++		    goto base_changed;
+ 		continue;
+ 	    }
+
+_at_@ -9589,7 +9592,8 @@ failed:
+ 	GROW
+         if (ctxt->instate == XML_PARSER_EOF)
+             break;
+-	if (ctxt->input->base != base) goto base_changed;
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++	    goto base_changed;
+ 	if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 	    break;
+ 	if (!IS_BLANK_CH(RAW)) {
+_at_@ -9605,7 +9609,8 @@ failed:
+ 	    break;
+ 	}
+         GROW;
+-	if (ctxt->input->base != base) goto base_changed;
++	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++	    goto base_changed;
+     }
+
+     /*
+_at_@ -9772,6 +9777,17 @@ base_changed:
+ 	    if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+ 	        xmlFree((xmlChar *) atts[i]);
+     }
++
++    /*
++     * We can't switch from one entity to another in the middle
++     * of a start tag
++     */
++    if (inputNr != ctxt->inputNr) {
++        xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++		    "Start tag doesn't start and stop in the same entity\n");
++	return(NULL);
++    }
++
+     ctxt->input->cur = ctxt->input->base + cur;
+     ctxt->input->line = oldline;
+     ctxt->input->col = oldcol;
+--
+cgit v0.11.2
diff --git a/main/libxml2/CVE-2015-7941_1.patch b/main/libxml2/CVE-2015-7941_1.patch
new file mode 100644
index 0000000..d688149
--- /dev/null
+++ b/main/libxml2/CVE-2015-7941_1.patch
_at_@ -0,0 +1,32 @@
+From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Mon, 23 Feb 2015 11:17:35 +0800
+Subject: Stop parsing on entities boundaries errors
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+There are times, like on unterminated entities that it's preferable to
+stop parsing, even if that means less error reporting. Entities are
+feeding the parser on further processing, and if they are ill defined
+then it's possible to get the parser to bug. Also do the same on
+Conditional Sections if the input is broken, as the structure of
+the document can't be guessed.
+---
+ parser.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/parser.c b/parser.c
+index a8d1b67..bbe97eb 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '>') {
+ 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
++	    xmlStopParser(ctxt);
+ 	} else {
+ 	    if (input != ctxt->input) {
+ 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7941_2.patch b/main/libxml2/CVE-2015-7941_2.patch
new file mode 100644
index 0000000..36b43ba
--- /dev/null
+++ b/main/libxml2/CVE-2015-7941_2.patch
_at_@ -0,0 +1,49 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+_at_@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++	    xmlStopParser(ctxt);
++	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+ 		xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+_at_@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++	xmlStopParser(ctxt);
++	return;
+     }
+ 
+     if (RAW == 0)
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7942-2.patch b/main/libxml2/CVE-2015-7942-2.patch
new file mode 100644
index 0000000..1a059fe
--- /dev/null
+++ b/main/libxml2/CVE-2015-7942-2.patch
_at_@ -0,0 +1,28 @@
+From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Tue, 27 Oct 2015 10:53:44 +0800
+Subject: Fix an error in previous Conditional section patch
+
+an off by one mistake in the change, led to error on correct
+document where the end of the included entity was exactly
+the end of the conditional section, leading to regtest failure
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index b9217ff..d67b300 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 				 NULL, NULL);
+ 	}
+ 	if ((ctxt-> instate != XML_PARSER_EOF) &&
+-	    ((ctxt->input->cur + 3) < ctxt->input->end))
++	    ((ctxt->input->cur + 3) <= ctxt->input->end))
+ 	    SKIP(3);
+     }
+ }
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-7942.patch b/main/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000..bb0766a
--- /dev/null
+++ b/main/libxml2/CVE-2015-7942.patch
_at_@ -0,0 +1,32 @@
+From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Fri, 23 Oct 2015 19:02:28 +0800
+Subject: Another variation of overflow in Conditional sections
+
+Which happen after the previous fix to
+https://bugzilla.gnome.org/show_bug.cgi?id=756456
+
+But stopping the parser and exiting we didn't pop the intermediary entities
+and doing the SKIP there applies on an input which may be too small
+---
+ parser.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index a65e4cc..b9217ff 100644
+--- a/parser.c
++++ b/parser.c
+_at_@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	"All markup of the conditional section is not in the same entity\n",
+ 				 NULL, NULL);
+ 	}
+-        SKIP(3);
++	if ((ctxt-> instate != XML_PARSER_EOF) &&
++	    ((ctxt->input->cur + 3) < ctxt->input->end))
++	    SKIP(3);
+     }
+ }
+ 
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-8035.patch b/main/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000..92c26ca
--- /dev/null
+++ b/main/libxml2/CVE-2015-8035.patch
_at_@ -0,0 +1,31 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard_at_redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+_at_@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+cgit v0.11.2
+
diff --git a/main/libxml2/CVE-2015-8242.patch b/main/libxml2/CVE-2015-8242.patch
new file mode 100644
index 0000000..b009ae1
--- /dev/null
+++ b/main/libxml2/CVE-2015-8242.patch
_at_@ -0,0 +1,42 @@
+From 8fb4a770075628d6441fb17a1e435100e2f3b1a2 Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh_at_allthethings.co.nz>
+Date: Fri, 20 Nov 2015 17:16:06 +0800
+Subject: CVE-2015-8242 Buffer overead with HTML parser in push mode
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756372
+Error in the code pointing to the codepoint in the stack for the
+current char value instead of the pointer in the input that the SAX
+callback expects
+Reported and fixed by Hugh Davenport
+---
+ HTMLparser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index bdf7807..b729197 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+_at_@ -5735,17 +5735,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
+ 				if (ctxt->keepBlanks) {
+ 				    if (ctxt->sax->characters != NULL)
+ 					ctxt->sax->characters(
+-						ctxt->userData, &cur, 1);
++						ctxt->userData, &in->cur[0], 1);
+ 				} else {
+ 				    if (ctxt->sax->ignorableWhitespace != NULL)
+ 					ctxt->sax->ignorableWhitespace(
+-						ctxt->userData, &cur, 1);
++						ctxt->userData, &in->cur[0], 1);
+ 				}
+ 			    } else {
+ 				htmlCheckParagraph(ctxt);
+ 				if (ctxt->sax->characters != NULL)
+ 				    ctxt->sax->characters(
+-					    ctxt->userData, &cur, 1);
++					    ctxt->userData, &in->cur[0], 1);
+ 			    }
+ 			}
+ 			ctxt->token = 0;
+-- 
+cgit v0.11.2
+
-- 
2.6.2
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Sat Nov 28 2015 - 22:45:03 GMT