doc/Makefile.am | 48 47 + 1 - 0 !
1 file changed, 47 insertions(+), 1 deletion(-)

 install *all* the html docs
 The relevant makefile target was never updated since 2004..
 Should probably look for a nicer way to do this than the current list before forwarding.

xml2-config.in | 16 2 + 14 - 0 !
1 file changed, 2 insertions(+), 14 deletions(-)

 display dynamic linking information with --libs, not static
 Don't bother about keeping support for the static variant, it's not needed
 in debian directly.

python/libxml.c | 11 10 + 1 - 0 !
1 file changed, 10 insertions(+), 1 deletion(-)

---

parser.c | 233 121 + 112 - 0 !
1 file changed, 121 insertions(+), 112 deletions(-)

 [cve-2022-40303] fix integer overflows with xml_parse_huge

entities.c | 55 16 + 39 - 0 !
1 file changed, 16 insertions(+), 39 deletions(-)

 [cve-2022-40304] fix dict corruption caused by entity reference
 cycles

result/schemas/oss-fuzz-51295_0_0.err | 2 2 + 0 - 0 !
test/schemas/oss-fuzz-51295_0.xml | 1 1 + 0 - 0 !
test/schemas/oss-fuzz-51295_0.xsd | 4 4 + 0 - 0 !
xmlschemas.c | 15 13 + 2 - 0 !
4 files changed, 20 insertions(+), 2 deletions(-)

 schemas: fix null-pointer-deref in xmlschemacheckcosstderivedok

result/schemas/issue491_0_0.err | 1 1 + 0 - 0 !
test/schemas/issue491_0.xml | 1 1 + 0 - 0 !
test/schemas/issue491_0.xsd | 18 18 + 0 - 0 !
xmlschemas.c | 2 1 + 1 - 0 !
4 files changed, 21 insertions(+), 1 deletion(-)

 [cve-2023-28484] fix null deref in xmlschemafixupcomplextype

dict.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [cve-2023-29469] hashing of empty dict strings isn't deterministic

parser.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 reset nsnr in xmlctxtreset

HTMLparser.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 also reset nsnr in htmlctxtreset

xinclude.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] malloc-fail: fix use-after-free in xmlxincludeaddnode

Found with libFuzzer, see #344.

xmllint.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] [cve-2024-34459] fix buffer overread with `xmllint --htmlout`

Add a missing bounds check.

xmlschemas.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] [cve-2024-56171] fix use-after-free after
 xmlSchemaItemListAdd

xmlSchemaItemListAdd can reallocate the items array. Update local
variables after adding item in

- xmlSchemaIDCFillNodeTables
- xmlSchemaBubbleIDCNodeTables

Fixes #828.

valid.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] valid: check for null node->name in xmlsnprintfelements

Unfortunately, we can have NULL element names if xmlSetTreeDoc fails.

valid.c | 22 11 + 11 - 0 !
1 file changed, 11 insertions(+), 11 deletions(-)

 [patch] [cve-2025-24928] fix stack-buffer-overflow in
 xmlSnprintfElements

Fixes #847.

pattern.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] pattern: fix compilation of explicit child axis

The child axis is the default axis and should generate XML_OP_ELEM like
the case without an axis.

parser.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 [patch] parser: fix old sax1 parser with custom callbacks

For some reason, xmlCtxtUseOptionsInternal set the start and end element
SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
was specified. This means that custom SAX handlers could never work with
that flag because these functions would receive the wrong user data
argument and crash immediately.

Fixes #535.

SAX2.c | 11 7 + 4 - 0 !
parser.c | 5 1 + 4 - 0 !
2 files changed, 8 insertions(+), 8 deletions(-)

 [patch] sax: always initialize sax1 element handlers

Follow-up to commit d0c3f01e. A parser context will be initialized to
SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
so we must initialize the SAX1 element handlers as well.

Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
we don't switch to SAX1 if the SAX2 element handlers are NULL.

tree.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 [patch] tree: fix #583 again

Only set doc->intSubset after successful copy to avoid dangling pointers
in error case.

xmlreader.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] [cve-2024-25062] xmlreader: don't expand xincludes when
 backtracking

Fixes a use-after-free if XML Reader if used with DTD validation and
XInclude expansion.

Fixes #604.

python/libxml.c | 28 18 + 10 - 0 !
1 file changed, 18 insertions(+), 10 deletions(-)

---

xmlschemas.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] [cve-2025-32415] schemas: fix heap buffer overflow in
 xmlSchemaIDCFillNodeTables

Don't use local variable which could contain a stale value.

Fixes #890.

tree.c | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 tree: fix integer overflow in xmlbuildqname

debugXML.c | 15 10 + 5 - 0 !
result/scripts/long_command | 8 8 + 0 - 0 !
test/scripts/long_command.script | 6 6 + 0 - 0 !
test/scripts/long_command.xml | 1 1 + 0 - 0 !
4 files changed, 25 insertions(+), 5 deletions(-)

 fix potential buffer overflows of interactive shell

result/schematron/cve-2025-49794_0.err | 3 3 + 0 - 0 !
result/schematron/cve-2025-49796_0.err | 3 3 + 0 - 0 !
schematron.c | 54 29 + 25 - 0 !
test/schematron/cve-2025-49794.sct | 10 10 + 0 - 0 !
test/schematron/cve-2025-49794_0.xml | 6 6 + 0 - 0 !
test/schematron/cve-2025-49796.sct | 9 9 + 0 - 0 !
test/schematron/cve-2025-49796_0.xml | 3 3 + 0 - 0 !
7 files changed, 63 insertions(+), 25 deletions(-)

 schematron: fix memory safety issues in xmlschematronreportoutput

Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796)
in xmlSchematronReportOutput.

HTMLparser.c | 1 1 + 0 - 0 !
SAX2.c | 6 3 + 3 - 0 !
include/libxml/tree.h | 14 13 + 1 - 0 !
parser.c | 8 4 + 4 - 0 !
runxmlconf.c | 4 2 + 2 - 0 !
tree.c | 20 10 + 10 - 0 !
valid.c | 68 34 + 34 - 0 !
xmlreader.c | 30 15 + 15 - 0 !
xmlschemas.c | 4 2 + 2 - 0 !
xmlschemastypes.c | 12 6 + 6 - 0 !
10 files changed, 90 insertions(+), 77 deletions(-)

 [patch] libxslt: heap-use-after-free in xmlfreeid caused by `atype`
 corruption

* include/libxml/tree.h:
(XML_ATTR_CLEAR_ATYPE): Add.
(XML_ATTR_GET_ATYPE): Add.
(XML_ATTR_SET_ATYPE): Add.
(XML_NODE_ADD_EXTRA): Add.
(XML_NODE_CLEAR_EXTRA): Add.
(XML_NODE_GET_EXTRA): Add.
(XML_NODE_SET_EXTRA): Add.
(XML_DOC_ADD_PROPERTIES): Add.
(XML_DOC_CLEAR_PROPERTIES): Add.
(XML_DOC_GET_PROPERTIES): Add.
(XML_DOC_SET_PROPERTIES): Add.
- Add macros for accessing fields with upper bits that may be set by
  libxslt.

* HTMLparser.c:
(htmlNewDocNoDtD):
* SAX2.c:
(xmlSAX2StartDocument):
(xmlSAX2EndDocument):
* parser.c:
(xmlParseEntityDecl):
(xmlParseExternalSubset):
(xmlParseReference):
(xmlCtxtParseDtd):
* runxmlconf.c:
(xmlconfTestInvalid):
(xmlconfTestValid):
* tree.c:
(xmlNewDoc):
(xmlFreeProp):
(xmlNodeSetDoc):
(xmlSetNsProp):
(xmlDOMWrapAdoptBranch):
* valid.c:
(xmlFreeID):
(xmlAddIDInternal):
(xmlValidateAttributeValueInternal):
(xmlValidateOneAttribute):
(xmlValidateRef):
* xmlreader.c:
(xmlTextReaderStartElement):
(xmlTextReaderStartElementNs):
(xmlTextReaderValidateEntity):
(xmlTextReaderRead):
(xmlTextReaderNext):
(xmlTextReaderIsEmptyElement):
(xmlTextReaderPreserve):
* xmlschemas.c:
(xmlSchemaPValAttrNodeID):
* xmlschemastypes.c:
(xmlSchemaValAtomicType):
- Adopt macros by renaming the struct fields, recompiling and fixing
  compiler failures, then changing the struct field names back.