configure.ac | 2 1 + 1 - 0 !
libxml-2.0-uninstalled.pc.in | 3 2 + 1 - 0 !
xml2-config.1 | 4 4 + 0 - 0 !
xml2-config.in | 22 10 + 12 - 0 !
4 files changed, 17 insertions(+), 14 deletions(-)

 modify xml2-config and pkgconfig behaviour

python/Makefile.am | 2 1 + 1 - 0 !
python/Makefile.in | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix python multiarch includes

result/XPath/xptr/viderror | 4 4 + 0 - 0 !
test/XPath/xptr/viderror | 1 1 + 0 - 0 !
xpath.c | 7 6 + 1 - 0 !
3 files changed, 11 insertions(+), 1 deletion(-)

 fix null pointer deref in xpointer range-to

- Check for errors after evaluating first operand.
- Add sanity check for empty stack.

Found with afl-fuzz.

xpath.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] fix comparison with root node in xmlxpathcmpnodes

This change has already been made in xmlXPathCmpNodesExt but not in
xmlXPathCmpNodes.

xpath.c | 7 6 + 1 - 0 !
xpointer.c | 76 6 + 70 - 0 !
2 files changed, 12 insertions(+), 71 deletions(-)

 [patch] fix xpointer paths beginning with range-to

The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.

xpointer.c | 149 56 + 93 - 0 !
1 file changed, 56 insertions(+), 93 deletions(-)

 [patch] disallow namespace nodes in xpointer ranges

Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.

Found with afl-fuzz.

Fixes CVE-2016-4658.

xpointer.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 [patch] fix more null pointer derefs in xpointer.c

Found with afl-fuzz.

xmlschemas.c | 30 25 + 5 - 0 !
1 file changed, 25 insertions(+), 5 deletions(-)

 [patch] fix attribute decoding during xml schema validation

For https://bugzilla.gnome.org/show_bug.cgi?id=766834

vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
so this function can't call xmlStringLenDecodeEntities to decode the
entities.

nanohttp.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 increase buffer space for port in http redirect support

parser.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 prevent unwanted external entity reference

Makefile.am | 18 18 + 0 - 0 !
parser.c | 18 10 + 8 - 0 !
result/errors10/781205.xml.err | 21 21 + 0 - 0 !
result/errors10/781361.xml.err | 13 13 + 0 - 0 !
result/valid/766956.xml.err | 9 9 + 0 - 0 !
result/valid/766956.xml.err.rdr | 10 10 + 0 - 0 !
runtest.c | 3 3 + 0 - 0 !
test/errors10/781205.xml | 3 3 + 0 - 0 !
test/errors10/781361.xml | 3 3 + 0 - 0 !
test/valid/766956.xml | 2 2 + 0 - 0 !
test/valid/dtds/766956.dtd | 2 2 + 0 - 0 !
11 files changed, 94 insertions(+), 8 deletions(-)

 fix handling of parameter-entity references
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

result/valid/781333.xml | 5 5 + 0 - 0 !
result/valid/781333.xml.err | 3 3 + 0 - 0 !
result/valid/781333.xml.err.rdr | 6 6 + 0 - 0 !
test/valid/781333.xml | 4 4 + 0 - 0 !
valid.c | 20 11 + 9 - 0 !
5 files changed, 29 insertions(+), 9 deletions(-)

 fix buffer size checks in xmlsnprintfelementcontent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

valid.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 fix type confusion in xmlvalidateonenamespace

valid.c | 24 14 + 10 - 0 !
1 file changed, 14 insertions(+), 10 deletions(-)

 fix null pointer deref in xmldumpelementcontent

xmlmemory.c | 21 21 + 0 - 0 !
1 file changed, 21 insertions(+)

 check for integer overflow in memory debug code

xmlmemory.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 fix copy-paste errors in error messages

python/types.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 python: remove single use of _pyverify_fd

xpath.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix xpath stack frame logic

parser.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 out-of-bounds read in htmlparsetryorfinish

xzlib.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] set memory limit for lzma decompression

Otherwise malicious LZMA compressed files could consume large amounts
of memory when decompressed.

According to the xz man page, files compressed with `xz -9` currently
require 65 MB to decompress, so set the limit to 100 MB.

Should fix bug 786696.

xpath.c | 10 4 + 6 - 0 !
1 file changed, 4 insertions(+), 6 deletions(-)

 [patch] fix nullptr deref with xpath logic ops

If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.

Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5

Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985

This is CVE-2018-14404.

Thanks to Guy Inbar for the report.

xzlib.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch] fix infinite loop in lzma decompression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check the liblzma error code more thoroughly to avoid infinite loops.

Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914

This is CVE-2018-9251 and CVE-2018-14567.

Thanks to Dongliang Mu and Simon Wrner for the reports.

parser.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix memory leak in xmlparsebalancedchunkmemoryrecover

When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
NULL and free newDoc will cause a memory leak.

Found with libFuzzer.

Closes #82.

xmlschemas.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 [patch] fix memory leak in xmlschemavalidatestream

When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
vctxt->xsiAssemble to 0 again which cause the alloced schema
can not be freed anymore.

Found with libFuzzer.

Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>

parser.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix infinite loop in xmlstringlendecodeentities

When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
return NULL which cause a infinite loop in xmlStringLenDecodeEntities

Found with libFuzzer.

Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>

xmllint.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 fix out-of-bounds read with 'xmllint --htmlout'

xmllint.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix use-after-free with `xmllint --html --push`

entities.c | 16 15 + 1 - 0 !
1 file changed, 15 insertions(+), 1 deletion(-)

 validate utf8 in xmlencodeentities

xinclude.c | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 fix user-after-free with `xmllint --xinclude --dropdtd`

parser.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 propagate error in xmlparseelementchildrencontentdeclpriv

parser.c | 26 26 + 0 - 0 !
1 file changed, 26 insertions(+)

 patch for security issue cve-2021-3541

valid.c | 88 55 + 33 - 0 !
1 file changed, 55 insertions(+), 33 deletions(-)

 [cve-2022-23308] use-after-free of id and idref attributes

tree.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 fix integer overflow in xmlbufferresize

buf.c | 86 34 + 52 - 0 !
tree.c | 72 27 + 45 - 0 !
2 files changed, 61 insertions(+), 97 deletions(-)

 [cve-2022-29824] fix integer overflows in xmlbuf and xmlbuffer