libexslt.pc.in | 1 1 + 0 - 0 !
libxslt.pc.in | 1 1 + 0 - 0 !
xslt-config.in | 14 12 + 2 - 0 !
3 files changed, 14 insertions(+), 2 deletions(-)

 patch xslt-config to add private libraries

configure.in | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 fix autoconf automake

doc/APIchunk6.html | 2 1 + 1 - 0 !
doc/APIchunk8.html | 2 1 + 1 - 0 !
doc/EXSLT/bugs.html | 8 4 + 4 - 0 !
doc/EXSLT/exslt.html | 8 4 + 4 - 0 !
doc/apibuild.py | 2 1 + 1 - 0 !
doc/html/libxslt-extra.html | 2 1 + 1 - 0 !
doc/html/libxslt-imports.html | 2 1 + 1 - 0 !
doc/html/libxslt-xsltInternals.html | 6 3 + 3 - 0 !
doc/html/libxslt-xsltutils.html | 6 3 + 3 - 0 !
doc/libxslt-api.xml | 20 10 + 10 - 0 !
doc/libxslt-refs.xml | 4 2 + 2 - 0 !
libexslt/exsltconfig.h.in | 2 1 + 1 - 0 !
libxslt/extensions.c | 2 1 + 1 - 0 !
libxslt/extra.c | 2 1 + 1 - 0 !
libxslt/imports.c | 2 1 + 1 - 0 !
libxslt/numbers.c | 4 2 + 2 - 0 !
libxslt/xsltInternals.h | 6 3 + 3 - 0 !
libxslt/xsltconfig.h | 4 2 + 2 - 0 !
libxslt/xsltconfig.h.in | 4 2 + 2 - 0 !
libxslt/xsltutils.c | 14 7 + 7 - 0 !
libxslt/xsltwin32config.h | 4 2 + 2 - 0 !
libxslt/xsltwin32config.h.in | 4 2 + 2 - 0 !
python/tests/pyxsltproc.py | 4 2 + 2 - 0 !
tests/docbook/result/fo/gdp-handbook.fo | 2 1 + 1 - 0 !
tests/docbook/result/html/gdp-handbook.html | 2 1 + 1 - 0 !
tests/docbook/result/xhtml/gdp-handbook.xhtml | 2 1 + 1 - 0 !
tests/docbook/test/gdp-handbook.xml | 2 1 + 1 - 0 !
tests/plugins/testplugin.c | 2 1 + 1 - 0 !
xsltproc/xsltproc.c | 2 1 + 1 - 0 !
29 files changed, 63 insertions(+), 63 deletions(-)

 fix typo

NEWS | 23 23 + 0 - 0 !
doc/libxslt.xsa | 87 80 + 7 - 0 !
doc/news.html | 25 24 + 1 - 0 !
doc/xslt.html | 25 25 + 0 - 0 !
4 files changed, 152 insertions(+), 8 deletions(-)

 adding doc update related to 1.1.28

python/libxslt.c | 10 5 + 5 - 0 !
xsltproc/xsltproc.c | 2 1 + 1 - 0 !
2 files changed, 6 insertions(+), 6 deletions(-)

 fix a couple of places where (f)printf parameters were broken

As reported by Thomas Jarosch <thomas.jarosch@intra2net.com>

xsltproc/xsltproc.c | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 initialize pseudo random number generator with current time or
 optional command line parameter

libexslt/strings.c | 6 1 + 5 - 0 !
1 file changed, 1 insertion(+), 5 deletions(-)

 exslt function str:replace() is broken as-is

the str:replace() function is no longer usable without a transform
context. I take it from the bug report that it is not supposed to be used
from plain XPath but only from XSLT according to the EXSLT specification.

However, the previous implementation used to work in XPath and is still
registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
function. When called from plain XPath, it results in a memory error in
line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
returns NULL as an error indicator due to a NULL transform context being
passed in, which was the return value from xsltXPathGetTransformContext() a
bit further up (and the code doesn't validate that).

Since fixing the function looks impossible, best is to remove it.

configure.in | 14 7 + 7 - 0 !
1 file changed, 7 insertions(+), 7 deletions(-)

 fix quoting of xlocale test program in configure.in

Double square brackets aren't needed anymore, probably due to the
changes in commit a2cd8a03.

libxslt/preproc.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix for type confusion in preprocessing attributes

CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
We need to check that the parent node is an element before dereferencing
its namespace

libexslt/date.c | 17 7 + 10 - 0 !
1 file changed, 7 insertions(+), 10 deletions(-)

 [patch] always initialize exslt month and day to 1

Fixes bug #757970
https://bugzilla.gnome.org/show_bug.cgi?id=757970

libxslt/functions.c | 3 2 + 1 - 0 !
tests/docs/bug-185-data.xml | 5 5 + 0 - 0 !
tests/docs/bug-185.xml | 2 2 + 0 - 0 !
tests/general/bug-185.err | 3 3 + 0 - 0 !
tests/general/bug-185.xsl | 14 14 + 0 - 0 !
5 files changed, 26 insertions(+), 1 deletion(-)

 [patch] fix use-after-free in xsltdocumentfunctionloaddocument

Also fixes a memory leak in an unlikely error case.

Fixes bug #758291
https://bugzilla.gnome.org/show_bug.cgi?id=758291

libxslt/numbers.c | 82 47 + 35 - 0 !
tests/docs/bug-186.xml | 4 4 + 0 - 0 !
tests/general/bug-186.out | 5 5 + 0 - 0 !
tests/general/bug-186.xsl | 7 7 + 0 - 0 !
4 files changed, 63 insertions(+), 35 deletions(-)

 [patch] fix xsltnumberformatgetmultiplelevel

Namespace nodes are actually an xmlNs, not an xmlNode. They must be
special-cased in xsltNumberFormatGetMultipleLevel to avoid an
out-of-bounds heap access.

Move the test whether a node matches the "count" pattern to a separate
function to make the code more readable. As a side effect, we also
compare expanded names when walking up the ancestor axis, fixing an
insignificant bug.

libxslt/numbers.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] round xsl:number values to nearest integer

This matches XSLT 2.0 behavior.

libxslt/numbers.c | 17 16 + 1 - 0 !
1 file changed, 16 insertions(+), 1 deletion(-)

 [patch] handle negative xsl:number values

According to XSLT 2.0, negative values are a non-recoverable dynamic error.
Print an error message and treat negative values as zero.

Fixes an OOB array access in xsltNumberFormatAlpha.

libxslt/numbers.c | 33 24 + 9 - 0 !
1 file changed, 24 insertions(+), 9 deletions(-)

 [patch] lower bound for format token "a"

Handle xsl:number with format "a" and value 0 according to XSLT 2.0.

Fixes an OOB array access in xsltNumberFormatAlpha.

libxslt/numbers.c | 25 16 + 9 - 0 !
1 file changed, 16 insertions(+), 9 deletions(-)

 [patch] lower and upper bound for format token "i"

Handle xsl:number with format "i" and value 0 according to XSLT 2.0.

Also introduce an upper bound to fix a denial of service.

libexslt/crypto.c | 15 3 + 12 - 0 !
1 file changed, 3 insertions(+), 12 deletions(-)

 [patch] fix double free in libexslt hash functions

Thanks to Nicolas Gregoire for the report.

Fixes bug #765271:

https://bugzilla.gnome.org/show_bug.cgi?id=765271

libexslt/date.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix buffer overflow in exsltdateformat

Long years can overflow a stack-based buffer on 64-bit platforms by
up to four bytes.

Thanks to Nicolas Gregoire for the report.

Fixes bug #765380:

https://bugzilla.gnome.org/show_bug.cgi?id=765380

libxslt/extensions.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] fix oob heap read in xsltextmoduleregisterdynamic

xsltExtModuleRegisterDynamic would read a byte before the start of a
string under certain circumstances. I looks like this piece code was
supposed to strip characters from the end of the extension name, but
it didn't have any effect. Don't read beyond the beginning of the
string and actually strip unwanted characters.

Found with afl-fuzz and ASan.

libxslt/numbers.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix heap overread in xsltformatnumberconversion

An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.

Found with afl-fuzz and ASan.

libxslt/transform.c | 25 22 + 3 - 0 !
libxslt/xsltInternals.h | 4 2 + 2 - 0 !
2 files changed, 24 insertions(+), 5 deletions(-)

 [patch] check for integer overflow in xsltaddtextstring

Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.

Originally reported to Chromium:

https://crbug.com/676623