[arch-commits] Commit in libxml2/trunk (9 files)

Jan de Groot jgc at archlinux.org
Mon Feb 6 15:49:47 UTC 2012


    Date: Monday, February 6, 2012 @ 10:49:47
  Author: jgc
Revision: 149231

upgpkg: libxml2 2.7.8-2

Add security fixes, add check (FS#27804)

Added:
  libxml2/trunk/CVE-2011-0216.patch
  libxml2/trunk/CVE-2011-1944.patch
  libxml2/trunk/CVE-2011-2834.patch
  libxml2/trunk/CVE-2011-3905.patch
  libxml2/trunk/CVE-2011-3919.patch
  libxml2/trunk/libxml2-2.7.8-xpath-freeing.patch
  libxml2/trunk/libxml2-2.7.8-xpath-freeing2.patch
  libxml2/trunk/libxml2-2.7.8-xpath-hardening.patch
Modified:
  libxml2/trunk/PKGBUILD

-------------------------------------+
 CVE-2011-0216.patch                 |   31 ++++
 CVE-2011-1944.patch                 |  100 +++++++++++++++
 CVE-2011-2834.patch                 |   61 +++++++++
 CVE-2011-3905.patch                 |   61 +++++++++
 CVE-2011-3919.patch                 |   19 ++
 PKGBUILD                            |   43 +++++-
 libxml2-2.7.8-xpath-freeing.patch   |   30 ++++
 libxml2-2.7.8-xpath-freeing2.patch  |   26 +++
 libxml2-2.7.8-xpath-hardening.patch |  223 ++++++++++++++++++++++++++++++++++
 9 files changed, 589 insertions(+), 5 deletions(-)

Added: CVE-2011-0216.patch
===================================================================
--- CVE-2011-0216.patch	                        (rev 0)
+++ CVE-2011-0216.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,31 @@
+commit 69f04562f75212bfcabecd190ea8b06ace28ece2
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Fri Aug 19 11:05:04 2011 +0800
+
+    Fix an off by one error in encoding
+    
+    this off by one error doesn't seems to reproduce on linux
+    but the error is real.
+
+diff --git a/encoding.c b/encoding.c
+index d1140bf..fb0c38a 100644
+--- a/encoding.c
++++ b/encoding.c
+@@ -1928,7 +1928,7 @@ xmlCharEncFirstLineInt(xmlCharEncodingHandler *handler, xmlBufferPtr out,
+     if (in == NULL) return(-1);
+ 
+     /* calculate space available */
+-    written = out->size - out->use;
++    written = out->size - out->use - 1; /* count '\0' */
+     toconv = in->use;
+     /*
+      * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
+@@ -2059,7 +2059,7 @@ xmlCharEncInFunc(xmlCharEncodingHandler * handler, xmlBufferPtr out,
+     toconv = in->use;
+     if (toconv == 0)
+         return (0);
+-    written = out->size - out->use;
++    written = out->size - out->use -1; /* count '\0' */
+     if (toconv * 2 >= written) {
+         xmlBufferGrow(out, out->size + toconv * 2);
+         written = out->size - out->use - 1;

Added: CVE-2011-1944.patch
===================================================================
--- CVE-2011-1944.patch	                        (rev 0)
+++ CVE-2011-1944.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,100 @@
+commit d7958b21e7f8c447a26bb2436f08402b2c308be4
+Author: Chris Evans <scarybeasts at gmail.com>
+Date:   Wed Mar 23 08:13:06 2011 +0800
+
+    Fix some potential problems on reallocation failures
+    
+    The count was incremented before the allocation
+    and not fixed in case of failure
+    * xpath.c: corrects a few instances where the available count of some
+               structure is updated before we know the allocation actually
+               succeeds
+
+diff --git a/xpath.c b/xpath.c
+index 8b56189..608fe00 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3522,13 +3522,13 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) {
+     } else if (cur->nodeNr == cur->nodeMax) {
+         xmlNodePtr *temp;
+ 
+-        cur->nodeMax *= 2;
+-	temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++	temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+ 				      sizeof(xmlNodePtr));
+ 	if (temp == NULL) {
+ 	    xmlXPathErrMemory(NULL, "growing nodeset\n");
+ 	    return;
+ 	}
++        cur->nodeMax *= 2;
+ 	cur->nodeTab = temp;
+     }
+     cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns);
+@@ -3627,14 +3627,14 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) {
+     } else if (cur->nodeNr == cur->nodeMax) {
+         xmlNodePtr *temp;
+ 
+-        cur->nodeMax *= 2;
+-	temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++	temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+ 				      sizeof(xmlNodePtr));
+ 	if (temp == NULL) {
+ 	    xmlXPathErrMemory(NULL, "growing nodeset\n");
+ 	    return;
+ 	}
+ 	cur->nodeTab = temp;
++        cur->nodeMax *= 2;
+     }
+     if (val->type == XML_NAMESPACE_DECL) {
+ 	xmlNsPtr ns = (xmlNsPtr) val;
+@@ -3738,14 +3738,14 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) {
+ 	} else if (val1->nodeNr == val1->nodeMax) {
+ 	    xmlNodePtr *temp;
+ 
+-	    val1->nodeMax *= 2;
+-	    temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax *
++	    temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 *
+ 					     sizeof(xmlNodePtr));
+ 	    if (temp == NULL) {
+ 	        xmlXPathErrMemory(NULL, "merging nodeset\n");
+ 		return(NULL);
+ 	    }
+ 	    val1->nodeTab = temp;
++	    val1->nodeMax *= 2;
+ 	}
+ 	if (n2->type == XML_NAMESPACE_DECL) {
+ 	    xmlNsPtr ns = (xmlNsPtr) n2;
+@@ -3907,14 +3907,14 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2,
+ 	    } else if (set1->nodeNr >= set1->nodeMax) {
+ 		xmlNodePtr *temp;
+ 
+-		set1->nodeMax *= 2;
+ 		temp = (xmlNodePtr *) xmlRealloc(
+-		    set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
++		    set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
+ 		if (temp == NULL) {
+ 		    xmlXPathErrMemory(NULL, "merging nodeset\n");
+ 		    return(NULL);
+ 		}
+ 		set1->nodeTab = temp;
++		set1->nodeMax *= 2;
+ 	    }
+ 	    if (n2->type == XML_NAMESPACE_DECL) {
+ 		xmlNsPtr ns = (xmlNsPtr) n2;
+@@ -3991,14 +3991,14 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2,
+ 	    } else if (set1->nodeNr >= set1->nodeMax) {
+ 		xmlNodePtr *temp;
+ 
+-		set1->nodeMax *= 2;
+ 		temp = (xmlNodePtr *) xmlRealloc(
+-		    set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
++		    set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
+ 		if (temp == NULL) {
+ 		    xmlXPathErrMemory(NULL, "merging nodeset\n");
+ 		    return(NULL);
+ 		}
+ 		set1->nodeTab = temp;
++		set1->nodeMax *= 2;
+ 	    }
+ 	    set1->nodeTab[set1->nodeNr++] = n2;
+ 	}

Added: CVE-2011-2834.patch
===================================================================
--- CVE-2011-2834.patch	                        (rev 0)
+++ CVE-2011-2834.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,61 @@
+commit 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Tue Oct 11 16:34:34 2011 +0800
+
+    Fix missing error status in XPath evaluation
+    
+    Started by Chris Evans, I added a few more place where the
+    error should have been set in the evaluation context.
+
+diff --git a/xpath.c b/xpath.c
+index bcee2ea..d9d902c 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -2485,6 +2485,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value)
+                                              sizeof(ctxt->valueTab[0]));
+         if (tmp == NULL) {
+             xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
++            ctxt->error = XPATH_MEMORY_ERROR;
+             return (0);
+         }
+         ctxt->valueMax *= 2;
+@@ -9340,6 +9341,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ 		if ( (ch & 0xc0) != 0xc0 ) {
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			"xmlXPathTranslateFunction: Invalid UTF8 string\n");
++                    /* not asserting an XPath error is probably better */
+ 		    break;
+ 		}
+ 		/* then skip over remaining bytes for this char */
+@@ -9347,6 +9349,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ 		    if ( (*cptr++ & 0xc0) != 0x80 ) {
+ 			xmlGenericError(xmlGenericErrorContext,
+ 			    "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++                        /* not asserting an XPath error is probably better */
+ 			break;
+ 		    }
+ 		if (ch & 0x80) /* must have had error encountered */
+@@ -13410,6 +13413,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                         xmlGenericError(xmlGenericErrorContext,
+             "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n",
+                                     (char *) op->value4, (char *)op->value5);
++                        ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+                         return (total);
+                     }
+ 		    val = xmlXPathVariableLookupNS(ctxt->context,
+@@ -13464,6 +13468,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+             "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+                                     (char *)op->value4, (char *)op->value5);
+                             xmlXPathPopFrame(ctxt, frame);
++                            ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+                             return (total);
+                         }
+                         func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -14042,6 +14047,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+     }
+     xmlGenericError(xmlGenericErrorContext,
+                     "XPath: unknown precompiled operation %d\n", op->op);
++    ctxt->error = XPATH_INVALID_OPERAND;
+     return (total);
+ }
+ 

Added: CVE-2011-3905.patch
===================================================================
--- CVE-2011-3905.patch	                        (rev 0)
+++ CVE-2011-3905.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,61 @@
+commit 77404b8b69bc122d12231807abf1a837d121b551
+Author: Chris Evans <scarybeasts at gmail.com>
+Date:   Wed Dec 14 16:18:25 2011 +0800
+
+    Make sure the parser returns when getting a Stop order
+    
+    patch backported from chromiun bug fixes, assuming author is Chris
+
+diff --git a/parser.c b/parser.c
+index 21d7aa3..4e5dcb9 100644
+--- a/parser.c
++++ b/parser.c
+@@ -4949,7 +4949,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ 		    (ctxt->sax->processingInstruction != NULL))
+ 		    ctxt->sax->processingInstruction(ctxt->userData,
+ 		                                     target, NULL);
+-		ctxt->instate = state;
++		if (ctxt->instate != XML_PARSER_EOF)
++		    ctxt->instate = state;
+ 		return;
+ 	    }
+ 	    buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
+@@ -5029,7 +5030,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ 	} else {
+ 	    xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
+ 	}
+-	ctxt->instate = state;
++	if (ctxt->instate != XML_PARSER_EOF)
++	    ctxt->instate = state;
+     }
+ }
+ 
+@@ -9589,6 +9591,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
+     else
+ 	name = xmlParseStartTag(ctxt);
+ #endif /* LIBXML_SAX1_ENABLED */
++    if (ctxt->instate == XML_PARSER_EOF)
++	return;
+     if (name == NULL) {
+ 	spacePop(ctxt);
+         return;
+@@ -10975,6 +10979,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		else
+ 		    name = xmlParseStartTag(ctxt);
+ #endif /* LIBXML_SAX1_ENABLED */
++		if (ctxt->instate == XML_PARSER_EOF)
++		    goto done;
+ 		if (name == NULL) {
+ 		    spacePop(ctxt);
+ 		    ctxt->instate = XML_PARSER_EOF;
+@@ -11161,7 +11167,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		  else
+ 		    xmlParseEndTag1(ctxt, 0);
+ #endif /* LIBXML_SAX1_ENABLED */
+-		if (ctxt->nameNr == 0) {
++		if (ctxt->instate == XML_PARSER_EOF) {
++		    /* Nothing */
++		} else if (ctxt->nameNr == 0) {
+ 		    ctxt->instate = XML_PARSER_EPILOG;
+ 		} else {
+ 		    ctxt->instate = XML_PARSER_CONTENT;

Added: CVE-2011-3919.patch
===================================================================
--- CVE-2011-3919.patch	                        (rev 0)
+++ CVE-2011-3919.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,19 @@
+commit 5bd3c061823a8499b27422aee04ea20aae24f03e
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Fri Dec 16 18:53:35 2011 +0800
+
+    Fix an allocation error when copying entities
+
+diff --git a/parser.c b/parser.c
+index 4e5dcb9..c55e41d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 
+ 		buffer[nbchars++] = '&';
+ 		if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
+-		    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++		    growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+ 		}
+ 		for (;i > 0;i--)
+ 		    buffer[nbchars++] = *cur++;

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2012-02-06 14:31:53 UTC (rev 149230)
+++ PKGBUILD	2012-02-06 15:49:47 UTC (rev 149231)
@@ -4,7 +4,7 @@
 
 pkgname=libxml2
 pkgver=2.7.8
-pkgrel=1
+pkgrel=2
 pkgdesc="XML parsing library, version 2"
 arch=(i686 x86_64)
 license=('custom')
@@ -13,24 +13,57 @@
 options=('!libtool')
 url="http://www.xmlsoft.org/"
 source=(ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
-        largefile64.patch shared_library_versionning.patch)
+        http://www.w3.org/XML/Test/xmlts20080205.tar.gz
+        largefile64.patch
+        shared_library_versionning.patch
+        libxml2-2.7.8-xpath-freeing.patch
+        libxml2-2.7.8-xpath-freeing2.patch
+        CVE-2011-1944.patch
+        libxml2-2.7.8-xpath-hardening.patch
+        CVE-2011-0216.patch
+        CVE-2011-2834.patch
+        CVE-2011-3905.patch
+        CVE-2011-3919.patch)
 md5sums=('8127a65e8c3b08856093099b52599c86'
+         'b255be9a1c7f7021e52448e4ec8d7a0d'
          '5ad4915665608ebfa5b89f7908467a72'
-         '84aeb7c6db023eae044e95d9211dba53')
+         '84aeb7c6db023eae044e95d9211dba53'
+         'f1df70c66dac94233932baf2737465e0'
+         'c22af2643840da65dea618bf6cd33b25'
+         'd2b2b362a8681c30be98c4a2e7f2d2ea'
+         '5709a1408becc1f0c6f1c7513a254dd2'
+         '4f0f2d3a11329ebee0907be6002a160e'
+         '88e9c95a813d4f0cb392acc000bae366'
+         '28f3022a0d63ee408774eb5e4914b07e'
+         'a9b901d9ff095a266d3a5c601db142b1')
 
 build() {
   cd "${srcdir}/${pkgname}-${pkgver}"
   patch -Np1 -i "${srcdir}/largefile64.patch"
   patch -Np1 -i "${srcdir}/shared_library_versionning.patch"
+  patch -Np1 -i "${srcdir}/libxml2-2.7.8-xpath-freeing.patch"
+  patch -Np1 -i "${srcdir}/libxml2-2.7.8-xpath-freeing2.patch"
+  patch -Np1 -i "${srcdir}/CVE-2011-1944.patch"
+  patch -Np1 -i "${srcdir}/libxml2-2.7.8-xpath-hardening.patch"
+  patch -Np1 -i "${srcdir}/CVE-2011-0216.patch"
+  patch -Np1 -i "${srcdir}/CVE-2011-2834.patch"
+  patch -Np1 -i "${srcdir}/CVE-2011-3905.patch"
+  patch -Np1 -i "${srcdir}/CVE-2011-3919.patch"
   autoreconf -fi
+  sed -e 's|/usr/bin/python -u|/usr/bin/python2 -u|g' -e 's|/usr/bin/python$|/usr/bin/python2|g' -i python/tests/*.py
   ./configure --prefix=/usr --with-threads --with-history \
-     --with-python=/usr/bin/python2.7
+     --with-python=/usr/bin/python2
   make
 }
 
+check() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
+  mv "${srcdir}/xmlconf" .
+  make check
+}
+
 package() {
   cd "${srcdir}/${pkgname}-${pkgver}"
   make DESTDIR="${pkgdir}" install
   install -Dm644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING"
 }
-

Added: libxml2-2.7.8-xpath-freeing.patch
===================================================================
--- libxml2-2.7.8-xpath-freeing.patch	                        (rev 0)
+++ libxml2-2.7.8-xpath-freeing.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,30 @@
+commit df83c17e5a2646bd923f75e5e507bc80d73c9722
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Wed Nov 17 14:12:14 2010 +0100
+
+    Fix a potential freeing error in XPath
+
+diff --git a/xpath.c b/xpath.c
+index 81e33f6..1447be5 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ 	        xmlXPathObjectPtr tmp;
+-		/* pop the result */
++		/* pop the result if any */
+ 		tmp = valuePop(ctxt);
+-		xmlXPathReleaseObject(xpctxt, tmp);
+-		/* then pop off contextObj, which will be freed later */
+-		valuePop(ctxt);
++                if (tmp != contextObj)
++                    /*
++                     * Free up the result
++                     * then pop off contextObj, which will be freed later
++                     */
++                    xmlXPathReleaseObject(xpctxt, tmp);
++                    valuePop(ctxt);
+ 		goto evaluation_error;
+ 	    }
+ 

Added: libxml2-2.7.8-xpath-freeing2.patch
===================================================================
--- libxml2-2.7.8-xpath-freeing2.patch	                        (rev 0)
+++ libxml2-2.7.8-xpath-freeing2.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,26 @@
+commit fec31bcd452e77c10579467ca87a785b41115de6
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Thu Nov 18 11:07:24 2010 +0100
+
+    Small fix for previous commit
+
+diff --git a/xpath.c b/xpath.c
+index 1447be5..8b56189 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11765,13 +11765,14 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 	        xmlXPathObjectPtr tmp;
+ 		/* pop the result if any */
+ 		tmp = valuePop(ctxt);
+-                if (tmp != contextObj)
++                if (tmp != contextObj) {
+                     /*
+                      * Free up the result
+                      * then pop off contextObj, which will be freed later
+                      */
+                     xmlXPathReleaseObject(xpctxt, tmp);
+                     valuePop(ctxt);
++                }
+ 		goto evaluation_error;
+ 	    }
+ 

Added: libxml2-2.7.8-xpath-hardening.patch
===================================================================
--- libxml2-2.7.8-xpath-hardening.patch	                        (rev 0)
+++ libxml2-2.7.8-xpath-hardening.patch	2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,223 @@
+commit 0f136dcd18c287073a4d67b03fdb9696d7010940
+Author: Daniel Veillard <veillard at redhat.com>
+Date:   Thu Aug 18 17:10:13 2011 +0800
+
+    Hardening of XPath evaluation
+    
+    Add a mechanism of frame for XPath evaluation when entering a function
+    or a scoped evaluation, also fix a potential problem in predicate
+    evaluation.
+
+diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h
+index 1a9e30e..ddd9dd8 100644
+--- a/include/libxml/xpath.h
++++ b/include/libxml/xpath.h
+@@ -68,7 +68,8 @@ typedef enum {
+     XPATH_UNDEF_PREFIX_ERROR,
+     XPATH_ENCODING_ERROR,
+     XPATH_INVALID_CHAR_ERROR,
+-    XPATH_INVALID_CTXT
++    XPATH_INVALID_CTXT,
++    XPATH_STACK_ERROR
+ } xmlXPathError;
+ 
+ /*
+@@ -380,6 +381,8 @@ struct _xmlXPathParserContext {
+     xmlXPathCompExprPtr comp;		/* the precompiled expression */
+     int xptr;				/* it this an XPointer expression */
+     xmlNodePtr         ancestor;	/* used for walking preceding axis */
++
++    int              valueFrame;        /* used to limit Pop on the stack */
+ };
+ 
+ /************************************************************************
+diff --git a/xpath.c b/xpath.c
+index b59ac5a..bcee2ea 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = {
+     "Encoding error\n",
+     "Char out of XML range\n",
+     "Invalid or incomplete context\n",
++    "Stack usage errror\n",
+     "?? Unknown error ??\n"	/* Must be last in the list! */
+ };
+ #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) /	\
+@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) {
+  ************************************************************************/
+ 
+ /**
++ * xmlXPathSetFrame:
++ * @ctxt: an XPath parser context
++ *
++ * Set the callee evaluation frame
++ *
++ * Returns the previous frame value to be restored once done
++ */
++static int
++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
++    int ret;
++
++    if (ctxt == NULL)
++        return(0);
++    ret = ctxt->valueFrame;
++    ctxt->valueFrame = ctxt->valueNr;
++    return(ret);
++}
++
++/**
++ * xmlXPathPopFrame:
++ * @ctxt: an XPath parser context
++ * @frame: the previous frame value
++ *
++ * Remove the callee evaluation frame
++ */
++static void
++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
++    if (ctxt == NULL)
++        return;
++    if (ctxt->valueNr < ctxt->valueFrame) {
++        xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++    }
++    ctxt->valueFrame = frame;
++}
++
++/**
+  * valuePop:
+  * @ctxt: an XPath evaluation context
+  *
+@@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt)
+ 
+     if ((ctxt == NULL) || (ctxt->valueNr <= 0))
+         return (NULL);
++
++    if (ctxt->valueNr <= ctxt->valueFrame) {
++        xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++        return (NULL);
++    }
++
+     ctxt->valueNr--;
+     if (ctxt->valueNr > 0)
+         ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
+@@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) {
+     ret->valueNr = 0;
+     ret->valueMax = 10;
+     ret->value = NULL;
++    ret->valueFrame = 0;
+ 
+     ret->context = ctxt;
+     ret->comp = comp;
+@@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 	xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
+ 	xmlNodePtr oldContextNode, contextNode = NULL;
+ 	xmlXPathContextPtr xpctxt = ctxt->context;
++        int frame;
+ 
+ #ifdef LIBXML_XPTR_ENABLED
+ 	    /*
+@@ -11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 	*/
+ 	exprOp = &ctxt->comp->steps[op->ch2];
+ 	for (i = 0; i < set->nodeNr; i++) {
++            xmlXPathObjectPtr tmp;
++
+ 	    if (set->nodeTab[i] == NULL)
+ 		continue;
+ 
+@@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 		xmlXPathNodeSetAddUnique(contextObj->nodesetval,
+ 		    contextNode);
+ 
++            frame = xmlXPathSetFrame(ctxt);
+ 	    valuePush(ctxt, contextObj);
+ 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
++            tmp = valuePop(ctxt);
++            xmlXPathPopFrame(ctxt, frame);
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+-	        xmlXPathObjectPtr tmp;
+-		/* pop the result if any */
+-		tmp = valuePop(ctxt);
+-                if (tmp != contextObj) {
++                while (tmp != contextObj) {
+                     /*
+                      * Free up the result
+                      * then pop off contextObj, which will be freed later
+                      */
+                     xmlXPathReleaseObject(xpctxt, tmp);
+-                    valuePop(ctxt);
++                    tmp = valuePop(ctxt);
+                 }
+ 		goto evaluation_error;
+ 	    }
++            /* push the result back onto the stack */
++            valuePush(ctxt, tmp);
+ 
+ 	    if (res)
+ 		pos++;
+@@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                 xmlXPathFunction func;
+                 const xmlChar *oldFunc, *oldFuncURI;
+ 		int i;
++                int frame;
+ 
++                frame = xmlXPathSetFrame(ctxt);
+                 if (op->ch1 != -1)
+                     total +=
+                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
+@@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			    "xmlXPathCompOpEval: parameter error\n");
+ 		    ctxt->error = XPATH_INVALID_OPERAND;
++                    xmlXPathPopFrame(ctxt, frame);
+ 		    return (total);
+ 		}
+-		for (i = 0; i < op->value; i++)
++		for (i = 0; i < op->value; i++) {
+ 		    if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
+ 			xmlGenericError(xmlGenericErrorContext,
+ 				"xmlXPathCompOpEval: parameter error\n");
+ 			ctxt->error = XPATH_INVALID_OPERAND;
++                        xmlXPathPopFrame(ctxt, frame);
+ 			return (total);
+ 		    }
++                }
+                 if (op->cache != NULL)
+                     XML_CAST_FPTR(func) = op->cache;
+                 else {
+@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                             xmlGenericError(xmlGenericErrorContext,
+             "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+                                     (char *)op->value4, (char *)op->value5);
++                            xmlXPathPopFrame(ctxt, frame);
+                             return (total);
+                         }
+                         func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                 func(ctxt, op->value);
+                 ctxt->context->function = oldFunc;
+                 ctxt->context->functionURI = oldFuncURI;
++                xmlXPathPopFrame(ctxt, frame);
+                 return (total);
+             }
+         case XPATH_OP_ARG:
+@@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ 	ctxt->valueNr = 0;
+ 	ctxt->valueMax = 10;
+ 	ctxt->value = NULL;
++        ctxt->valueFrame = 0;
+     }
+ #ifdef XPATH_STREAMING
+     if (ctxt->comp->stream) {
+diff --git a/xpointer.c b/xpointer.c
+index 7a42d02..37afa3a 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) {
+ 	ctxt->valueNr = 0;
+ 	ctxt->valueMax = 10;
+ 	ctxt->value = NULL;
++	ctxt->valueFrame = 0;
+     }
+     SKIP_BLANKS;
+     if (CUR == '/') {




More information about the arch-commits mailing list