93 lines
2.9 KiB
Text
93 lines
2.9 KiB
Text
$NetBSD: patch-al,v 1.3 2012/01/17 14:43:44 drochner Exp $
|
|
|
|
-from gnome git: Fix some potential problems on reallocation failures
|
|
-CVE-2011-3919
|
|
-from gnome git: Fix memory corruption
|
|
-CVE-2011-3905
|
|
|
|
--- parser.c.orig 2012-01-17 10:21:47.000000000 +0000
|
|
+++ parser.c
|
|
@@ -1819,15 +1819,14 @@ namePush(xmlParserCtxtPtr ctxt, const xm
|
|
|
|
if (ctxt->nameNr >= ctxt->nameMax) {
|
|
const xmlChar * *tmp;
|
|
- ctxt->nameMax *= 2;
|
|
tmp = (const xmlChar * *) xmlRealloc((xmlChar * *)ctxt->nameTab,
|
|
- ctxt->nameMax *
|
|
+ ctxt->nameMax * 2 *
|
|
sizeof(ctxt->nameTab[0]));
|
|
if (tmp == NULL) {
|
|
- ctxt->nameMax /= 2;
|
|
goto mem_error;
|
|
}
|
|
ctxt->nameTab = tmp;
|
|
+ ctxt->nameMax *= 2;
|
|
}
|
|
ctxt->nameTab[ctxt->nameNr] = value;
|
|
ctxt->name = value;
|
|
@@ -2709,7 +2708,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
|
|
|
|
buffer[nbchars++] = '&';
|
|
if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
|
|
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
|
|
+ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
|
|
}
|
|
for (;i > 0;i--)
|
|
buffer[nbchars++] = *cur++;
|
|
@@ -4949,7 +4948,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
|
(ctxt->sax->processingInstruction != NULL))
|
|
ctxt->sax->processingInstruction(ctxt->userData,
|
|
target, NULL);
|
|
- ctxt->instate = state;
|
|
+ if (ctxt->instate != XML_PARSER_EOF)
|
|
+ ctxt->instate = state;
|
|
return;
|
|
}
|
|
buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
|
|
@@ -5029,7 +5029,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
|
|
} else {
|
|
xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
|
|
}
|
|
- ctxt->instate = state;
|
|
+ if (ctxt->instate != XML_PARSER_EOF)
|
|
+ ctxt->instate = state;
|
|
}
|
|
}
|
|
|
|
@@ -6992,6 +6993,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
|
|
ent->owner = 1;
|
|
while (list != NULL) {
|
|
list->parent = (xmlNodePtr) ent;
|
|
+ xmlSetTreeDoc(list, ent->doc);
|
|
if (list->next == NULL)
|
|
ent->last = list;
|
|
list = list->next;
|
|
@@ -9588,6 +9590,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
|
|
else
|
|
name = xmlParseStartTag(ctxt);
|
|
#endif /* LIBXML_SAX1_ENABLED */
|
|
+ if (ctxt->instate == XML_PARSER_EOF)
|
|
+ return;
|
|
if (name == NULL) {
|
|
spacePop(ctxt);
|
|
return;
|
|
@@ -10967,6 +10971,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctx
|
|
else
|
|
name = xmlParseStartTag(ctxt);
|
|
#endif /* LIBXML_SAX1_ENABLED */
|
|
+ if (ctxt->instate == XML_PARSER_EOF)
|
|
+ goto done;
|
|
if (name == NULL) {
|
|
spacePop(ctxt);
|
|
ctxt->instate = XML_PARSER_EOF;
|
|
@@ -11153,7 +11159,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctx
|
|
else
|
|
xmlParseEndTag1(ctxt, 0);
|
|
#endif /* LIBXML_SAX1_ENABLED */
|
|
- if (ctxt->nameNr == 0) {
|
|
+ if (ctxt->instate == XML_PARSER_EOF) {
|
|
+ /* Nothing */
|
|
+ } else if (ctxt->nameNr == 0) {
|
|
ctxt->instate = XML_PARSER_EPILOG;
|
|
} else {
|
|
ctxt->instate = XML_PARSER_CONTENT;
|