head 1.4; access; symbols pkgsrc-2015Q3:1.3.0.10 pkgsrc-2015Q3-base:1.3 pkgsrc-2015Q2:1.3.0.8 pkgsrc-2015Q2-base:1.3 pkgsrc-2015Q1:1.3.0.6 pkgsrc-2015Q1-base:1.3 pkgsrc-2014Q4:1.3.0.4 pkgsrc-2014Q4-base:1.3 pkgsrc-2014Q3:1.3.0.2 pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2012Q2:1.1.0.2; locks; strict; comment @# @; 1.4 date 2015.11.22.23.49.03; author wiz; state dead; branches; next 1.3; commitid xoXPsTfDvILe99Ky; 1.3 date 2014.10.28.18.55.56; author drochner; state Exp; branches 1.3.2.1; next 1.2; commitid 2Ad7y42pzYl330Wx; 1.2 date 2012.09.15.10.23.39; author adam; state dead; branches; next 1.1; 1.1 date 2012.08.01.14.51.37; author drochner; state Exp; branches 1.1.2.1; next ; 1.3.2.1 date 2014.10.28.18.55.56; author tron; state dead; branches; next 1.3.2.2; commitid ToRe6fvmovhN6MWx; 1.3.2.2 date 2014.11.03.19.39.07; author tron; state Exp; branches; next ; commitid ToRe6fvmovhN6MWx; 1.1.2.1 date 2012.08.01.14.51.37; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2012.08.09.18.05.03; author tron; state Exp; branches; next ; desc @@ 1.4 log @Update libxml2 to 2.9.3. 
v2.9.3: Nov 20 2015 Security: CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh Davenport), CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard), CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard), CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard), CVE-2015-5312 Another entity expansion issue (David Drysdale), CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey (David Drysdale), CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard), CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard), CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard), CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard), CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard) CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard), CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard), Documentation: Correct spelling of "calling" (Alex Henrie), Fix a small error in xmllint --format description (Fabien Degomme), Avoid XSS on the search of xmlsoft.org (Daniel Veillard) Portability: threads: use forward declarations only for glibc (Michael Heimpold), Update Win32 configure.js to search for configure.ac (Daniel Veillard) Bug Fixes: Bug on creating new stream from entity (Daniel Veillard), Fix some loop issues embedding NEXT (Daniel Veillard), Do not print error context when there is none (Daniel Veillard), Avoid extra processing of MarkupDecl when EOF (Hugh Davenport), Fix parsing short unclosed comment uninitialized access (Daniel Veillard), Add missing Null check in xmlParseExternalEntityPrivate (Gaurav Gupta), Fix a bug in CData error handling in the push parser (Daniel Veillard), Fix a bug on name parsing at the end of current input buffer (Daniel Veillard), Fix the spurious ID already defined error (Daniel 
Veillard), Fix previous change to node sort order (Nick Wellnhofer), Fix a self assignment issue raised by clang (Scott Graham), Fail parsing early on if encoding conversion failed (Daniel Veillard), Do not process encoding values if the declaration if broken (Daniel Veillard), Silence clang's -Wunknown-attribute (Michael Catanzaro), xmlMemUsed is not thread-safe (Martin von Gagern), Fix support for except in nameclasses (Daniel Veillard), Fix order of root nodes (Nick Wellnhofer), Allow attributes on descendant-or-self axis (Nick Wellnhofer), Fix the fix to Windows locking (Steve Nairn), Fix timsort invariant loop re: Envisage article (Christopher Swenson), Don't add IDs in xmlSetTreeDoc (Nick Wellnhofer), Account for ID attributes in xmlSetTreeDoc (Nick Wellnhofer), Remove various unused value assignments (Philip Withnall), Fix missing entities after CVE-2014-3660 fix (Daniel Veillard), Revert "Missing initialization for the catalog module" (Daniel Veillard) Improvements: Reuse xmlHaltParser() where it makes sense (Daniel Veillard), xmlStopParser reset errNo (Daniel Veillard), Reenable xz support by default (Daniel Veillard), Recover unescaped less-than character in HTML recovery parsing (Daniel Veillard), Allow HTML serializer to output HTML5 DOCTYPE (Shaun McCance), Regression test for bug #695699 (Nick Wellnhofer), Add a couple of XPath tests (Nick Wellnhofer), Add Python 3 rpm subpackage (Tomas Radej), libxml2-config.cmake.in: update include directories (Samuel Martin), Adding example from bugs 738805 to regression tests (Daniel Veillard) @ text @$NetBSD: patch-ba,v 1.3 2014/10/28 18:55:56 drochner Exp $ https://git.gnome.org/browse/libxml2/commit/?id=f65128f38289d77ff322d63aef2858cc0a819c34 https://git.gnome.org/browse/libxml2/commit/?id=72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 --- parser.c.orig 2014-10-16 05:57:40.000000000 +0000 +++ parser.c @@@@ -7235,7 +7235,8 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) * far more secure as the parser will only process 
data coming from * the document entity by default. */ - if ((ent->checked == 0) && + if (((ent->checked == 0) || + ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { unsigned long oldnbent = ctxt->nbentities; @@@@ -14830,9 +14831,6 @@@@ xmlInitParser(void) { #ifdef LIBXML_XPATH_ENABLED xmlXPathInit(); #endif -#ifdef LIBXML_CATALOG_ENABLED - xmlInitializeCatalog(); -#endif xmlParserInitialized = 1; #ifdef LIBXML_THREAD_ENABLED } @ 1.3 log @pull in two patches from upstream to fix regressions: -catalog initialization problem -problem with entity expansion This hopefully fixes build failures in KDE3 packages, reported by Joerg. bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.3.2.1 log @file patch-ba was added on branch pkgsrc-2014Q3 on 2014-11-03 19:39:07 +0000 @ text @d1 27 @ 1.3.2.2 log @Pullup ticket #4538 - requested by drochner textproc/libxml2: security update textproc/py-libxml2: security update Revisions pulled up: - textproc/libxml2/Makefile 1.132-1.133 - textproc/libxml2/PLIST 1.45 - textproc/libxml2/distinfo 1.104-1.105 - textproc/libxml2/patches/patch-ba 1.3 - textproc/libxml2/patches/patch-parser.c deleted - textproc/libxml2/patches/patch-xzlib.c deleted - textproc/py-libxml2/Makefile 1.50 - textproc/py-libxml2/distinfo 1.31 - textproc/py-libxml2/patches/patch-ab 1.3 - textproc/py-libxml2/patches/patch-ac 1.2 - textproc/py-libxml2/patches/patch-drv_libxml2.py deleted --- Module Name: pkgsrc Committed By: drochner Date: Fri Oct 17 15:46:47 UTC 2014 Modified Files: pkgsrc/textproc/libxml2: Makefile PLIST distinfo Removed Files: pkgsrc/textproc/libxml2/patches: patch-parser.c patch-xzlib.c Log Message: update to 2.9.2 -security fixes: -Fix for CVE-2014-3660 billion laugh variant -CVE-2014-0191 Do not fetch external parameter entities (was patched in pkgsrc) -many bugfixes, doc fixes, cleanup -added cmake macro --- Module Name: pkgsrc 
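Review bot: The widened guard `if (((ent->checked == 0) || ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&` now sends an already-checked entity back into the expansion branch on every reference for as long as it has no children, but the comment block just above it still only explains the "process data coming from the document entity by default" policy, so the reader is left to guess why a checked entity is re-processed. A short comment at the new line would close that gap, e.g. `/* A checked entity with no content attached yet is re-expanded when NOENT asks for substitution; see the upstream commit cited in the header. */`. Presumably the `oldnbent = ctxt->nbentities` bookkeeping that follows is what still bounds repeated work for such entities — worth confirming against the rest of the function, which starts and ends outside the hunk. The identical patch text recurs under revision 1.3.2.2 below and the same remark applies there.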
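Review bot: The removal of `xmlInitializeCatalog();` from xmlInitParser leaves no comment explaining that catalog setup is no longer forced at parser initialization, and the pkgsrc log only calls it a "catalog initialization problem". A one-line comment at the removal site, such as `/* catalog module initializes on first use; forcing it here caused the regression fixed by the upstream commit cited above */`, would keep the reason attached to the code; the "on first use" part is inferred from the log and should be checked against the catalog module before being written as fact.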
Committed By: drochner Date: Mon Oct 20 19:11:23 UTC 2014 Modified Files: pkgsrc/textproc/py-libxml2: Makefile distinfo pkgsrc/textproc/py-libxml2/patches: patch-ab patch-ac Removed Files: pkgsrc/textproc/py-libxml2/patches: patch-drv_libxml2.py Log Message: sync w/ base pkg --- Module Name: pkgsrc Committed By: drochner Date: Tue Oct 28 18:55:57 UTC 2014 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/patches: patch-ba Log Message: pull in two patches from upstream to fix regressions: -catalog initialization problem -problem with entity expansion This hopefully fixes build failures in KDE3 packages, reported by Joerg. bump PKGREV @ text @a0 27 $NetBSD$ https://git.gnome.org/browse/libxml2/commit/?id=f65128f38289d77ff322d63aef2858cc0a819c34 https://git.gnome.org/browse/libxml2/commit/?id=72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 --- parser.c.orig 2014-10-16 05:57:40.000000000 +0000 +++ parser.c @@@@ -7235,7 +7235,8 @@@@ xmlParseReference(xmlParserCtxtPtr ctxt) * far more secure as the parser will only process data coming from * the document entity by default. 
*/ - if ((ent->checked == 0) && + if (((ent->checked == 0) || + ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { unsigned long oldnbent = ctxt->nbentities; @@@@ -14830,9 +14831,6 @@@@ xmlInitParser(void) { #ifdef LIBXML_XPATH_ENABLED xmlXPathInit(); #endif -#ifdef LIBXML_CATALOG_ENABLED - xmlInitializeCatalog(); -#endif xmlParserInitialized = 1; #ifdef LIBXML_THREAD_ENABLED } @ 1.2 log @Changes 2.9.0: Features: * A few new API entry points, * More resilient push parser mode, * A lot of portability improvement, * Faster XPath evaluation @ text @d1 1 a1 1 $NetBSD: patch-ba,v 1.1 2012/08/01 14:51:37 drochner Exp $ d3 2 a4 2 upstream commit 459eeb9dc752d5185f57ff6b135027f11981a626 for CVE-2012-2807 d6 1 a6 1 --- parser.c.orig 2012-05-18 07:30:30.000000000 +0000 d8 13 a20 1 @@@@ -40,6 +40,7 @@@@ d22 6 a27 246 #include +#include #include #include #include @@@@ -117,10 +118,10 @@@@ xmlCreateEntityParserCtxtInternal(const * parser option. */ static int -xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, +xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, xmlEntityPtr ent) { - unsigned long consumed = 0; + size_t consumed = 0; if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) return (0); @@@@ -2589,15 +2590,17 @@@@ xmlParserHandlePEReference(xmlParserCtxt /* * Macro used to grow the current buffer. 
+ * buffer##_size is expected to be a size_t + * mem_error: is expected to handle memory allocation failures */ #define growBuffer(buffer, n) { \ xmlChar *tmp; \ - buffer##_size *= 2; \ - buffer##_size += n; \ - tmp = (xmlChar *) \ - xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ + size_t new_size = buffer##_size * 2 + n; \ + if (new_size < buffer##_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ if (tmp == NULL) goto mem_error; \ buffer = tmp; \ + buffer##_size = new_size; \ } /** @@@@ -2623,14 +2626,14 @@@@ xmlChar * xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, int what, xmlChar end, xmlChar end2, xmlChar end3) { xmlChar *buffer = NULL; - int buffer_size = 0; + size_t buffer_size = 0; + size_t nbchars = 0; xmlChar *current = NULL; xmlChar *rep = NULL; const xmlChar *last; xmlEntityPtr ent; int c,l; - int nbchars = 0; if ((ctxt == NULL) || (str == NULL) || (len < 0)) return(NULL); @@@@ -2647,7 +2650,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt * allocate a translation buffer. 
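Review bot: The new growth computation `size_t new_size = buffer##_size * 2 + n;` uses the macro argument unparenthesized; every call site in this patch passes a constant or a plain sum (`i + XML_PARSER_BUFFER_SIZE`, `i + 10`), so it happens to work, but an argument containing a lower-precedence operator would silently change the size that the wrap check protects. Prefer `size_t new_size = buffer##_size * 2 + (n);`. The added check `if (new_size < buffer##_size) goto mem_error;` is sound for the small `n` values used here (a wrapped `2 * size` always lands below `size`, and a small `n` cannot lift it back above), which is worth stating in the macro's comment since the comment now documents the size_t requirement but not this assumption. The macro body remains a bare brace block rather than `do { ... } while (0)`, which is pre-existing; the same macro text recurs under revision 1.1.2.2 below.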
*/ buffer_size = XML_PARSER_BIG_BUFFER_SIZE; - buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); + buffer = (xmlChar *) xmlMallocAtomic(buffer_size); if (buffer == NULL) goto mem_error; /* @@@@ -2667,7 +2670,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt if (val != 0) { COPY_BUF(0,buffer,nbchars,val); } - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) { @@@@ -2685,7 +2688,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { if (ent->content != NULL) { COPY_BUF(0,buffer,nbchars,ent->content[0]); - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else { @@@@ -2702,8 +2705,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@@@ -2717,7 +2719,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt const xmlChar *cur = ent->name; buffer[nbchars++] = '&'; - if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { + if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); } for (;i > 0;i--) @@@@ -2745,8 +2747,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@@@ -2759,8 
+2760,8 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt } else { COPY_BUF(l,buffer,nbchars,c); str += l; - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } if (str < last) @@@@ -3764,8 +3765,8 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr xmlChar limit = 0; xmlChar *buf = NULL; xmlChar *rep = NULL; - int len = 0; - int buf_size = 0; + size_t len = 0; + size_t buf_size = 0; int c, l, in_space = 0; xmlChar *current = NULL; xmlEntityPtr ent; @@@@ -3787,7 +3788,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr * allocate a translation buffer. */ buf_size = XML_PARSER_BUFFER_SIZE; - buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); + buf = (xmlChar *) xmlMallocAtomic(buf_size); if (buf == NULL) goto mem_error; /* @@@@ -3804,7 +3805,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr if (val == '&') { if (ctxt->replaceEntities) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@@@ -3813,7 +3814,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr * The reparsing will be done in xmlStringGetNodeList() * called by the attribute() function in SAX.c */ - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@@@ -3823,7 +3824,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr buf[len++] = ';'; } } else if (val != 0) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } len += xmlCopyChar(0, &buf[len], val); @@@@ -3835,7 +3836,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt->nbentities += ent->owner; if ((ent != NULL) && (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if ((ctxt->replaceEntities == 0) && @@@@ -3863,7 +3864,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr current++; } else buf[len++] = *current++; - if 
(len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@@@ -3871,7 +3872,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr rep = NULL; } } else { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if (ent->content != NULL) @@@@ -3899,7 +3900,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr * Just output the reference */ buf[len++] = '&'; - while (len > buf_size - i - 10) { + while (len + i + 10 > buf_size) { growBuffer(buf, i + 10); } for (;i > 0;i--) @@@@ -3912,7 +3913,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr if ((len != 0) || (!normalize)) { if ((!normalize) || (!in_space)) { COPY_BUF(l,buf,len,0x20); - while (len > buf_size - 10) { + while (len + 10 > buf_size) { growBuffer(buf, 10); } } @@@@ -3921,7 +3922,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr } else { in_space = 0; COPY_BUF(l,buf,len,c); - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@@@ -3946,7 +3947,18 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr } } else NEXT; - if (attlen != NULL) *attlen = len; + + /* + * There we potentially risk an overflow, don't allow attribute value of + * lenght more than INT_MAX it is a very reasonnable assumption ! 
+ */ + if (len >= INT_MAX) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue lenght too long\n"); + goto mem_error; + } + + if (attlen != NULL) *attlen = (int) len; return(buf); mem_error: @ 1.1 log @add patches from upstream to fix integer overflows which can cause DOS or possibly other corruption (CVE-2012-2807) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ba was added on branch pkgsrc-2012Q2 on 2012-08-09 18:05:03 +0000 @ text @d1 255 @ 1.1.2.2 log @Pullup ticket #3890 - requested by drochner textproc/libxml2: security patch Revisions pulled up: - textproc/libxml2/Makefile 1.119 - textproc/libxml2/distinfo 1.94 - textproc/libxml2/patches/patch-ba 1.1 - textproc/libxml2/patches/patch-bb 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Wed Aug 1 14:51:37 UTC 2012 Modified Files: pkgsrc/textproc/libxml2: Makefile distinfo Added Files: pkgsrc/textproc/libxml2/patches: patch-ba patch-bb Log Message: add patches from upstream to fix integer overflows which can cause DOS or possibly other corruption (CVE-2012-2807) bump PKGREV @ text @a0 255 $NetBSD$ upstream commit 459eeb9dc752d5185f57ff6b135027f11981a626 for CVE-2012-2807 --- parser.c.orig 2012-05-18 07:30:30.000000000 +0000 +++ parser.c @@@@ -40,6 +40,7 @@@@ #endif #include +#include #include #include #include @@@@ -117,10 +118,10 @@@@ xmlCreateEntityParserCtxtInternal(const * parser option. */ static int -xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, +xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, xmlEntityPtr ent) { - unsigned long consumed = 0; + size_t consumed = 0; if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) return (0); @@@@ -2589,15 +2590,17 @@@@ xmlParserHandlePEReference(xmlParserCtxt /* * Macro used to grow the current buffer. 
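Review bot: The new user-visible error string `"AttValue lenght too long\n"` and the comment above it misspell "length" (and "reasonnable"); `"AttValue length too long\n"` and a comment reading `don't allow attribute values longer than INT_MAX, a very reasonable limit` would be cleaner. The guard `if (len >= INT_MAX)` is correctly placed before `*attlen = (int) len;`, but it reports XML_ERR_ATTRIBUTE_NOT_FINISHED and then jumps to `mem_error:`, whose body lies outside the hunk — confirm that path only frees `buf` and does not emit a second, misleading out-of-memory diagnostic on top of this one. INT_MAX requires <limits.h>; the include added in the first hunk has lost its header name in this rendering, so check that it is the one being added. xmlParseAttValueComplex starts outside the hunk, and the identical patch text recurs under revision 1.1.2.2 below.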
+ * buffer##_size is expected to be a size_t + * mem_error: is expected to handle memory allocation failures */ #define growBuffer(buffer, n) { \ xmlChar *tmp; \ - buffer##_size *= 2; \ - buffer##_size += n; \ - tmp = (xmlChar *) \ - xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ + size_t new_size = buffer##_size * 2 + n; \ + if (new_size < buffer##_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ if (tmp == NULL) goto mem_error; \ buffer = tmp; \ + buffer##_size = new_size; \ } /** @@@@ -2623,14 +2626,14 @@@@ xmlChar * xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, int what, xmlChar end, xmlChar end2, xmlChar end3) { xmlChar *buffer = NULL; - int buffer_size = 0; + size_t buffer_size = 0; + size_t nbchars = 0; xmlChar *current = NULL; xmlChar *rep = NULL; const xmlChar *last; xmlEntityPtr ent; int c,l; - int nbchars = 0; if ((ctxt == NULL) || (str == NULL) || (len < 0)) return(NULL); @@@@ -2647,7 +2650,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt * allocate a translation buffer. 
*/ buffer_size = XML_PARSER_BIG_BUFFER_SIZE; - buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); + buffer = (xmlChar *) xmlMallocAtomic(buffer_size); if (buffer == NULL) goto mem_error; /* @@@@ -2667,7 +2670,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt if (val != 0) { COPY_BUF(0,buffer,nbchars,val); } - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) { @@@@ -2685,7 +2688,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { if (ent->content != NULL) { COPY_BUF(0,buffer,nbchars,ent->content[0]); - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } else { @@@@ -2702,8 +2705,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@@@ -2717,7 +2719,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt const xmlChar *cur = ent->name; buffer[nbchars++] = '&'; - if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { + if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); } for (;i > 0;i--) @@@@ -2745,8 +2747,7 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt current = rep; while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; - if (nbchars > - buffer_size - XML_PARSER_BUFFER_SIZE) { + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { if (xmlParserEntityCheck(ctxt, nbchars, ent)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); @@@@ -2759,8 
+2760,8 @@@@ xmlStringLenDecodeEntities(xmlParserCtxt } else { COPY_BUF(l,buffer,nbchars,c); str += l; - if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { - growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } } if (str < last) @@@@ -3764,8 +3765,8 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr xmlChar limit = 0; xmlChar *buf = NULL; xmlChar *rep = NULL; - int len = 0; - int buf_size = 0; + size_t len = 0; + size_t buf_size = 0; int c, l, in_space = 0; xmlChar *current = NULL; xmlEntityPtr ent; @@@@ -3787,7 +3788,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr * allocate a translation buffer. */ buf_size = XML_PARSER_BUFFER_SIZE; - buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); + buf = (xmlChar *) xmlMallocAtomic(buf_size); if (buf == NULL) goto mem_error; /* @@@@ -3804,7 +3805,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr if (val == '&') { if (ctxt->replaceEntities) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@@@ -3813,7 +3814,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr * The reparsing will be done in xmlStringGetNodeList() * called by the attribute() function in SAX.c */ - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } buf[len++] = '&'; @@@@ -3823,7 +3824,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr buf[len++] = ';'; } } else if (val != 0) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } len += xmlCopyChar(0, &buf[len], val); @@@@ -3835,7 +3836,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt->nbentities += ent->owner; if ((ent != NULL) && (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if ((ctxt->replaceEntities == 0) && @@@@ -3863,7 +3864,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr current++; } else buf[len++] = *current++; - if 
(len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@@@ -3871,7 +3872,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr rep = NULL; } } else { - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } if (ent->content != NULL) @@@@ -3899,7 +3900,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr * Just output the reference */ buf[len++] = '&'; - while (len > buf_size - i - 10) { + while (len + i + 10 > buf_size) { growBuffer(buf, i + 10); } for (;i > 0;i--) @@@@ -3912,7 +3913,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr if ((len != 0) || (!normalize)) { if ((!normalize) || (!in_space)) { COPY_BUF(l,buf,len,0x20); - while (len > buf_size - 10) { + while (len + 10 > buf_size) { growBuffer(buf, 10); } } @@@@ -3921,7 +3922,7 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr } else { in_space = 0; COPY_BUF(l,buf,len,c); - if (len > buf_size - 10) { + if (len + 10 > buf_size) { growBuffer(buf, 10); } } @@@@ -3946,7 +3947,18 @@@@ xmlParseAttValueComplex(xmlParserCtxtPtr } } else NEXT; - if (attlen != NULL) *attlen = len; + + /* + * There we potentially risk an overflow, don't allow attribute value of + * lenght more than INT_MAX it is a very reasonnable assumption ! + */ + if (len >= INT_MAX) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue lenght too long\n"); + goto mem_error; + } + + if (attlen != NULL) *attlen = (int) len; return(buf); mem_error: @