configure.ac | 2 1 + 1 - 0 !
libxml-2.0-uninstalled.pc.in | 3 2 + 1 - 0 !
xml2-config.1 | 4 4 + 0 - 0 !
xml2-config.in | 22 10 + 12 - 0 !
4 files changed, 17 insertions(+), 14 deletions(-)

 modify xml2-config and pkgconfig behaviour

python/Makefile.am | 2 1 + 1 - 0 !
python/Makefile.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix python multiarch includes

result/XPath/xptr/viderror | 4 4 + 0 - 0 !
test/XPath/xptr/viderror | 1 1 + 0 - 0 !
xpath.c | 7 6 + 1 - 0 !
3 files changed, 11 insertions(+), 1 deletion(-)

 fix null pointer deref in xpointer range-to

- Check for errors after evaluating first operand.
- Add sanity check for empty stack.

Found with afl-fuzz.

xpath.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] fix comparison with root node in xmlxpathcmpnodes

This change has already been made in xmlXPathCmpNodesExt but not in
xmlXPathCmpNodes.

xpath.c | 7 6 + 1 - 0 !
xpointer.c | 76 6 + 70 - 0 !
2 files changed, 12 insertions(+), 71 deletions(-)

 [patch] fix xpointer paths beginning with range-to

The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.

xpointer.c | 149 56 + 93 - 0 !
1 file changed, 56 insertions(+), 93 deletions(-)

 [patch] disallow namespace nodes in xpointer ranges

Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.

Found with afl-fuzz.

Fixes CVE-2016-4658.

xpointer.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 [patch] fix more null pointer derefs in xpointer.c

Found with afl-fuzz.

xmlschemas.c | 30 25 + 5 - 0 !
1 file changed, 25 insertions(+), 5 deletions(-)

 [patch] fix attribute decoding during xml schema validation

For https://bugzilla.gnome.org/show_bug.cgi?id=766834

vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
so this function can't call xmlStringLenDecodeEntities to decode the
entities.

nanohttp.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 increase buffer space for port in http redirect support

parser.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 prevent unwanted external entity reference

Makefile.am | 18 18 + 0 - 0 !
parser.c | 18 10 + 8 - 0 !
result/errors10/781205.xml.err | 21 21 + 0 - 0 !
result/errors10/781361.xml.err | 13 13 + 0 - 0 !
result/valid/766956.xml.err | 9 9 + 0 - 0 !
result/valid/766956.xml.err.rdr | 10 10 + 0 - 0 !
runtest.c | 3 3 + 0 - 0 !
test/errors10/781205.xml | 3 3 + 0 - 0 !
test/errors10/781361.xml | 3 3 + 0 - 0 !
test/valid/766956.xml | 2 2 + 0 - 0 !
test/valid/dtds/766956.dtd | 2 2 + 0 - 0 !
11 files changed, 94 insertions(+), 8 deletions(-)

 fix handling of parameter-entity references
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

result/valid/781333.xml | 5 5 + 0 - 0 !
result/valid/781333.xml.err | 3 3 + 0 - 0 !
result/valid/781333.xml.err.rdr | 6 6 + 0 - 0 !
test/valid/781333.xml | 4 4 + 0 - 0 !
valid.c | 20 11 + 9 - 0 !
5 files changed, 29 insertions(+), 9 deletions(-)

 fix buffer size checks in xmlsnprintfelementcontent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

valid.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 fix type confusion in xmlvalidateonenamespace

xpath.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix xpath stack frame logic