[arch-commits] Commit in libxml2/trunk (9 files)
Jan de Groot
jgc at archlinux.org
Mon Feb 6 15:49:47 UTC 2012
Date: Monday, February 6, 2012 @ 10:49:47
Author: jgc
Revision: 149231
upgpkg: libxml2 2.7.8-2
Add security fixes, add check (FS#27804)
Added:
libxml2/trunk/CVE-2011-0216.patch
libxml2/trunk/CVE-2011-1944.patch
libxml2/trunk/CVE-2011-2834.patch
libxml2/trunk/CVE-2011-3905.patch
libxml2/trunk/CVE-2011-3919.patch
libxml2/trunk/libxml2-2.7.8-xpath-freeing.patch
libxml2/trunk/libxml2-2.7.8-xpath-freeing2.patch
libxml2/trunk/libxml2-2.7.8-xpath-hardening.patch
Modified:
libxml2/trunk/PKGBUILD
-------------------------------------+
CVE-2011-0216.patch | 31 ++++
CVE-2011-1944.patch | 100 +++++++++++++++
CVE-2011-2834.patch | 61 +++++++++
CVE-2011-3905.patch | 61 +++++++++
CVE-2011-3919.patch | 19 ++
PKGBUILD | 43 +++++-
libxml2-2.7.8-xpath-freeing.patch | 30 ++++
libxml2-2.7.8-xpath-freeing2.patch | 26 +++
libxml2-2.7.8-xpath-hardening.patch | 223 ++++++++++++++++++++++++++++++++++
9 files changed, 589 insertions(+), 5 deletions(-)
Added: CVE-2011-0216.patch
===================================================================
--- CVE-2011-0216.patch (rev 0)
+++ CVE-2011-0216.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,31 @@
+commit 69f04562f75212bfcabecd190ea8b06ace28ece2
+Author: Daniel Veillard <veillard at redhat.com>
+Date: Fri Aug 19 11:05:04 2011 +0800
+
+ Fix an off by one error in encoding
+
+ this off by one error doesn't seems to reproduce on linux
+ but the error is real.
+
+diff --git a/encoding.c b/encoding.c
+index d1140bf..fb0c38a 100644
+--- a/encoding.c
++++ b/encoding.c
+@@ -1928,7 +1928,7 @@ xmlCharEncFirstLineInt(xmlCharEncodingHandler *handler, xmlBufferPtr out,
+ if (in == NULL) return(-1);
+
+ /* calculate space available */
+- written = out->size - out->use;
++ written = out->size - out->use - 1; /* count '\0' */
+ toconv = in->use;
+ /*
+ * echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
+@@ -2059,7 +2059,7 @@ xmlCharEncInFunc(xmlCharEncodingHandler * handler, xmlBufferPtr out,
+ toconv = in->use;
+ if (toconv == 0)
+ return (0);
+- written = out->size - out->use;
++ written = out->size - out->use -1; /* count '\0' */
+ if (toconv * 2 >= written) {
+ xmlBufferGrow(out, out->size + toconv * 2);
+ written = out->size - out->use - 1;
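Review bot: With the added `- 1`, both computations of `written` no longer stay at zero for a full buffer: when `out->size == out->use` the result wraps or goes to -1, depending on field types that are not visible in these hunks. In xmlCharEncInFunc the following `toconv * 2 >= written` test then takes the grow path, but the result of `xmlBufferGrow` is not checked in the visible lines, so after a failed grow the recomputed `written` can still be non-positive when it is presumably handed on as the output capacity. An explicit guard after the recomputation, e.g. `if (written <= 0) return (-1);`, would make the full-buffer case safe in both functions. Minor style: the second site writes `-1` where the first writes `- 1`. Both function bodies continue outside the hunks.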
Added: CVE-2011-1944.patch
===================================================================
--- CVE-2011-1944.patch (rev 0)
+++ CVE-2011-1944.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,100 @@
+commit d7958b21e7f8c447a26bb2436f08402b2c308be4
+Author: Chris Evans <scarybeasts at gmail.com>
+Date: Wed Mar 23 08:13:06 2011 +0800
+
+ Fix some potential problems on reallocation failures
+
+ The count was incremented before the allocation
+ and not fixed in case of failure
+ * xpath.c: corrects a few instances where the available count of some
+ structure is updated before we know the allocation actually
+ succeeds
+
+diff --git a/xpath.c b/xpath.c
+index 8b56189..608fe00 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3522,13 +3522,13 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) {
+ } else if (cur->nodeNr == cur->nodeMax) {
+ xmlNodePtr *temp;
+
+- cur->nodeMax *= 2;
+- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+ sizeof(xmlNodePtr));
+ if (temp == NULL) {
+ xmlXPathErrMemory(NULL, "growing nodeset\n");
+ return;
+ }
++ cur->nodeMax *= 2;
+ cur->nodeTab = temp;
+ }
+ cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns);
+@@ -3627,14 +3627,14 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) {
+ } else if (cur->nodeNr == cur->nodeMax) {
+ xmlNodePtr *temp;
+
+- cur->nodeMax *= 2;
+- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+ sizeof(xmlNodePtr));
+ if (temp == NULL) {
+ xmlXPathErrMemory(NULL, "growing nodeset\n");
+ return;
+ }
+ cur->nodeTab = temp;
++ cur->nodeMax *= 2;
+ }
+ if (val->type == XML_NAMESPACE_DECL) {
+ xmlNsPtr ns = (xmlNsPtr) val;
+@@ -3738,14 +3738,14 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) {
+ } else if (val1->nodeNr == val1->nodeMax) {
+ xmlNodePtr *temp;
+
+- val1->nodeMax *= 2;
+- temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax *
++ temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 *
+ sizeof(xmlNodePtr));
+ if (temp == NULL) {
+ xmlXPathErrMemory(NULL, "merging nodeset\n");
+ return(NULL);
+ }
+ val1->nodeTab = temp;
++ val1->nodeMax *= 2;
+ }
+ if (n2->type == XML_NAMESPACE_DECL) {
+ xmlNsPtr ns = (xmlNsPtr) n2;
+@@ -3907,14 +3907,14 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2,
+ } else if (set1->nodeNr >= set1->nodeMax) {
+ xmlNodePtr *temp;
+
+- set1->nodeMax *= 2;
+ temp = (xmlNodePtr *) xmlRealloc(
+- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
++ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
+ if (temp == NULL) {
+ xmlXPathErrMemory(NULL, "merging nodeset\n");
+ return(NULL);
+ }
+ set1->nodeTab = temp;
++ set1->nodeMax *= 2;
+ }
+ if (n2->type == XML_NAMESPACE_DECL) {
+ xmlNsPtr ns = (xmlNsPtr) n2;
+@@ -3991,14 +3991,14 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2,
+ } else if (set1->nodeNr >= set1->nodeMax) {
+ xmlNodePtr *temp;
+
+- set1->nodeMax *= 2;
+ temp = (xmlNodePtr *) xmlRealloc(
+- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
++ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
+ if (temp == NULL) {
+ xmlXPathErrMemory(NULL, "merging nodeset\n");
+ return(NULL);
+ }
+ set1->nodeTab = temp;
++ set1->nodeMax *= 2;
+ }
+ set1->nodeTab[set1->nodeNr++] = n2;
+ }
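Review bot: The doubled size `nodeMax * 2 * sizeof(xmlNodePtr)` is still computed without an upper bound at all five growth sites (xmlXPathNodeSetAddNs, xmlXPathNodeSetAddUnique, xmlXPathNodeSetMerge, xmlXPathNodeSetMergeAndClear and xmlXPathNodeSetMergeAndClearNoDupls). If `nodeMax` is a signed int (its declaration is not visible here), `nodeMax * 2` can overflow for a very large node set before it is multiplied by `sizeof`, and the size requested from xmlRealloc would then no longer match the count stored afterwards. A guard ahead of each realloc, for example `if (cur->nodeMax > INT_MAX / 2) { xmlXPathErrMemory(NULL, "growing nodeset\n"); return; }`, keeps the allocation and the counter consistent. The enclosing functions start and end outside the hunks.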
Added: CVE-2011-2834.patch
===================================================================
--- CVE-2011-2834.patch (rev 0)
+++ CVE-2011-2834.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,61 @@
+commit 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd
+Author: Daniel Veillard <veillard at redhat.com>
+Date: Tue Oct 11 16:34:34 2011 +0800
+
+ Fix missing error status in XPath evaluation
+
+ Started by Chris Evans, I added a few more place where the
+ error should have been set in the evaluation context.
+
+diff --git a/xpath.c b/xpath.c
+index bcee2ea..d9d902c 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -2485,6 +2485,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value)
+ sizeof(ctxt->valueTab[0]));
+ if (tmp == NULL) {
+ xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
++ ctxt->error = XPATH_MEMORY_ERROR;
+ return (0);
+ }
+ ctxt->valueMax *= 2;
+@@ -9340,6 +9341,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ if ( (ch & 0xc0) != 0xc0 ) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++ /* not asserting an XPath error is probably better */
+ break;
+ }
+ /* then skip over remaining bytes for this char */
+@@ -9347,6 +9349,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+ if ( (*cptr++ & 0xc0) != 0x80 ) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++ /* not asserting an XPath error is probably better */
+ break;
+ }
+ if (ch & 0x80) /* must have had error encountered */
+@@ -13410,6 +13413,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n",
+ (char *) op->value4, (char *)op->value5);
++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+ return (total);
+ }
+ val = xmlXPathVariableLookupNS(ctxt->context,
+@@ -13464,6 +13468,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+ (char *)op->value4, (char *)op->value5);
+ xmlXPathPopFrame(ctxt, frame);
++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+ return (total);
+ }
+ func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -14042,6 +14047,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ }
+ xmlGenericError(xmlGenericErrorContext,
+ "XPath: unknown precompiled operation %d\n", op->op);
++ ctxt->error = XPATH_INVALID_OPERAND;
+ return (total);
+ }
+
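Review bot: In the valuePush hunk the failure branch still returns 0 after the new `ctxt->error = XPATH_MEMORY_ERROR;`, and `value` is neither stored nor released in the visible lines. If 0 is also a legitimate result of a successful push (the success return is outside the hunk), callers can only detect the failure through `ctxt->error`, and the object is presumably leaked unless they free it themselves. I would state that on the branch, e.g. `/* value was not pushed: caller keeps ownership and must check ctxt->error */`, or confirm the intended ownership and release it here.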
Added: CVE-2011-3905.patch
===================================================================
--- CVE-2011-3905.patch (rev 0)
+++ CVE-2011-3905.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,61 @@
+commit 77404b8b69bc122d12231807abf1a837d121b551
+Author: Chris Evans <scarybeasts at gmail.com>
+Date: Wed Dec 14 16:18:25 2011 +0800
+
+ Make sure the parser returns when getting a Stop order
+
+ patch backported from chromiun bug fixes, assuming author is Chris
+
+diff --git a/parser.c b/parser.c
+index 21d7aa3..4e5dcb9 100644
+--- a/parser.c
++++ b/parser.c
+@@ -4949,7 +4949,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ (ctxt->sax->processingInstruction != NULL))
+ ctxt->sax->processingInstruction(ctxt->userData,
+ target, NULL);
+- ctxt->instate = state;
++ if (ctxt->instate != XML_PARSER_EOF)
++ ctxt->instate = state;
+ return;
+ }
+ buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
+@@ -5029,7 +5030,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
+ }
+- ctxt->instate = state;
++ if (ctxt->instate != XML_PARSER_EOF)
++ ctxt->instate = state;
+ }
+ }
+
+@@ -9589,6 +9591,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
+ else
+ name = xmlParseStartTag(ctxt);
+ #endif /* LIBXML_SAX1_ENABLED */
++ if (ctxt->instate == XML_PARSER_EOF)
++ return;
+ if (name == NULL) {
+ spacePop(ctxt);
+ return;
+@@ -10975,6 +10979,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ else
+ name = xmlParseStartTag(ctxt);
+ #endif /* LIBXML_SAX1_ENABLED */
++ if (ctxt->instate == XML_PARSER_EOF)
++ goto done;
+ if (name == NULL) {
+ spacePop(ctxt);
+ ctxt->instate = XML_PARSER_EOF;
+@@ -11161,7 +11167,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ else
+ xmlParseEndTag1(ctxt, 0);
+ #endif /* LIBXML_SAX1_ENABLED */
+- if (ctxt->nameNr == 0) {
++ if (ctxt->instate == XML_PARSER_EOF) {
++ /* Nothing */
++ } else if (ctxt->nameNr == 0) {
+ ctxt->instate = XML_PARSER_EPILOG;
+ } else {
+ ctxt->instate = XML_PARSER_CONTENT;
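Review bot: The empty branch in the last xmlParseTryOrFinish hunk carries only `/* Nothing */`, which does not tell the reader why the state must not be advanced there. A comment such as `/* parser was stopped: keep XML_PARSER_EOF, do not resume */` would state the invariant that all five added checks protect. The new early `return` in xmlParseElement also sits before the `name == NULL` branch that calls `spacePop(ctxt)`, so on a stop that pop is skipped; this is probably harmless once the parser is at EOF, but it deserves a one-line comment. The functions extend beyond the hunks, so other places that restore `ctxt->instate` after a callback may need the same guard.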
Added: CVE-2011-3919.patch
===================================================================
--- CVE-2011-3919.patch (rev 0)
+++ CVE-2011-3919.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,19 @@
+commit 5bd3c061823a8499b27422aee04ea20aae24f03e
+Author: Daniel Veillard <veillard at redhat.com>
+Date: Fri Dec 16 18:53:35 2011 +0800
+
+ Fix an allocation error when copying entities
+
+diff --git a/parser.c b/parser.c
+index 4e5dcb9..c55e41d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+
+ buffer[nbchars++] = '&';
+ if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
+- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+ }
+ for (;i > 0;i--)
+ buffer[nbchars++] = *cur++;
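Review bot: The guard `nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE` is written as a subtraction, so for a long entity name it only behaves as intended if `buffer_size` and `i` are signed; their declarations are outside the hunk. Writing it additively, `if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {`, lines up with the new `growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE)` argument and does not depend on a negative intermediate value. Note also that `buffer[nbchars++] = '&';` is stored before the capacity check, which presumably relies on slack left by the previous iteration and is worth a comment.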
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2012-02-06 14:31:53 UTC (rev 149230)
+++ PKGBUILD 2012-02-06 15:49:47 UTC (rev 149231)
@@ -4,7 +4,7 @@
pkgname=libxml2
pkgver=2.7.8
-pkgrel=1
+pkgrel=2
pkgdesc="XML parsing library, version 2"
arch=(i686 x86_64)
license=('custom')
@@ -13,24 +13,57 @@
options=('!libtool')
url="http://www.xmlsoft.org/"
source=(ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
- largefile64.patch shared_library_versionning.patch)
+ http://www.w3.org/XML/Test/xmlts20080205.tar.gz
+ largefile64.patch
+ shared_library_versionning.patch
+ libxml2-2.7.8-xpath-freeing.patch
+ libxml2-2.7.8-xpath-freeing2.patch
+ CVE-2011-1944.patch
+ libxml2-2.7.8-xpath-hardening.patch
+ CVE-2011-0216.patch
+ CVE-2011-2834.patch
+ CVE-2011-3905.patch
+ CVE-2011-3919.patch)
md5sums=('8127a65e8c3b08856093099b52599c86'
+ 'b255be9a1c7f7021e52448e4ec8d7a0d'
'5ad4915665608ebfa5b89f7908467a72'
- '84aeb7c6db023eae044e95d9211dba53')
+ '84aeb7c6db023eae044e95d9211dba53'
+ 'f1df70c66dac94233932baf2737465e0'
+ 'c22af2643840da65dea618bf6cd33b25'
+ 'd2b2b362a8681c30be98c4a2e7f2d2ea'
+ '5709a1408becc1f0c6f1c7513a254dd2'
+ '4f0f2d3a11329ebee0907be6002a160e'
+ '88e9c95a813d4f0cb392acc000bae366'
+ '28f3022a0d63ee408774eb5e4914b07e'
+ 'a9b901d9ff095a266d3a5c601db142b1')
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
patch -Np1 -i "${srcdir}/largefile64.patch"
patch -Np1 -i "${srcdir}/shared_library_versionning.patch"
+ patch -Np1 -i "${srcdir}/libxml2-2.7.8-xpath-freeing.patch"
+ patch -Np1 -i "${srcdir}/libxml2-2.7.8-xpath-freeing2.patch"
+ patch -Np1 -i "${srcdir}/CVE-2011-1944.patch"
+ patch -Np1 -i "${srcdir}/libxml2-2.7.8-xpath-hardening.patch"
+ patch -Np1 -i "${srcdir}/CVE-2011-0216.patch"
+ patch -Np1 -i "${srcdir}/CVE-2011-2834.patch"
+ patch -Np1 -i "${srcdir}/CVE-2011-3905.patch"
+ patch -Np1 -i "${srcdir}/CVE-2011-3919.patch"
autoreconf -fi
+ sed -e 's|/usr/bin/python -u|/usr/bin/python2 -u|g' -e 's|/usr/bin/python$|/usr/bin/python2|g' -i python/tests/*.py
./configure --prefix=/usr --with-threads --with-history \
- --with-python=/usr/bin/python2.7
+ --with-python=/usr/bin/python2
make
}
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ mv "${srcdir}/xmlconf" .
+ make check
+}
+
package() {
cd "${srcdir}/${pkgname}-${pkgver}"
make DESTDIR="${pkgdir}" install
install -Dm644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING"
}
-
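Review bot: The sources, including the newly added test-suite tarball, are fetched over plain `ftp://` and `http://` and verified only with `md5sums`, which gives little protection against a deliberately substituted archive. Since this release exists to ship security fixes, I would add a stronger checksum array alongside it, e.g. `sha256sums=('<sha256 of libxml2 tarball>' '<sha256 of xmlts20080205.tar.gz>' ...)` with one entry per source. In `check()`, `mv "${srcdir}/xmlconf" .` is not repeatable when the function runs again on an existing build tree; a symlink such as `ln -sf "${srcdir}/xmlconf" .` would be.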
Added: libxml2-2.7.8-xpath-freeing.patch
===================================================================
--- libxml2-2.7.8-xpath-freeing.patch (rev 0)
+++ libxml2-2.7.8-xpath-freeing.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,30 @@
+commit df83c17e5a2646bd923f75e5e507bc80d73c9722
+Author: Daniel Veillard <veillard at redhat.com>
+Date: Wed Nov 17 14:12:14 2010 +0100
+
+ Fix a potential freeing error in XPath
+
+diff --git a/xpath.c b/xpath.c
+index 81e33f6..1447be5 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ xmlXPathObjectPtr tmp;
+- /* pop the result */
++ /* pop the result if any */
+ tmp = valuePop(ctxt);
+- xmlXPathReleaseObject(xpctxt, tmp);
+- /* then pop off contextObj, which will be freed later */
+- valuePop(ctxt);
++ if (tmp != contextObj)
++ /*
++ * Free up the result
++ * then pop off contextObj, which will be freed later
++ */
++ xmlXPathReleaseObject(xpctxt, tmp);
++ valuePop(ctxt);
+ goto evaluation_error;
+ }
+
Added: libxml2-2.7.8-xpath-freeing2.patch
===================================================================
--- libxml2-2.7.8-xpath-freeing2.patch (rev 0)
+++ libxml2-2.7.8-xpath-freeing2.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,26 @@
+commit fec31bcd452e77c10579467ca87a785b41115de6
+Author: Daniel Veillard <veillard at redhat.com>
+Date: Thu Nov 18 11:07:24 2010 +0100
+
+ Small fix for previous commit
+
+diff --git a/xpath.c b/xpath.c
+index 1447be5..8b56189 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11765,13 +11765,14 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ xmlXPathObjectPtr tmp;
+ /* pop the result if any */
+ tmp = valuePop(ctxt);
+- if (tmp != contextObj)
++ if (tmp != contextObj) {
+ /*
+ * Free up the result
+ * then pop off contextObj, which will be freed later
+ */
+ xmlXPathReleaseObject(xpctxt, tmp);
+ valuePop(ctxt);
++ }
+ goto evaluation_error;
+ }
+
Added: libxml2-2.7.8-xpath-hardening.patch
===================================================================
--- libxml2-2.7.8-xpath-hardening.patch (rev 0)
+++ libxml2-2.7.8-xpath-hardening.patch 2012-02-06 15:49:47 UTC (rev 149231)
@@ -0,0 +1,223 @@
+commit 0f136dcd18c287073a4d67b03fdb9696d7010940
+Author: Daniel Veillard <veillard at redhat.com>
+Date: Thu Aug 18 17:10:13 2011 +0800
+
+ Hardening of XPath evaluation
+
+ Add a mechanism of frame for XPath evaluation when entering a function
+ or a scoped evaluation, also fix a potential problem in predicate
+ evaluation.
+
+diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h
+index 1a9e30e..ddd9dd8 100644
+--- a/include/libxml/xpath.h
++++ b/include/libxml/xpath.h
+@@ -68,7 +68,8 @@ typedef enum {
+ XPATH_UNDEF_PREFIX_ERROR,
+ XPATH_ENCODING_ERROR,
+ XPATH_INVALID_CHAR_ERROR,
+- XPATH_INVALID_CTXT
++ XPATH_INVALID_CTXT,
++ XPATH_STACK_ERROR
+ } xmlXPathError;
+
+ /*
+@@ -380,6 +381,8 @@ struct _xmlXPathParserContext {
+ xmlXPathCompExprPtr comp; /* the precompiled expression */
+ int xptr; /* it this an XPointer expression */
+ xmlNodePtr ancestor; /* used for walking preceding axis */
++
++ int valueFrame; /* used to limit Pop on the stack */
+ };
+
+ /************************************************************************
+diff --git a/xpath.c b/xpath.c
+index b59ac5a..bcee2ea 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = {
+ "Encoding error\n",
+ "Char out of XML range\n",
+ "Invalid or incomplete context\n",
++ "Stack usage errror\n",
+ "?? Unknown error ??\n" /* Must be last in the list! */
+ };
+ #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \
+@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) {
+ ************************************************************************/
+
+ /**
++ * xmlXPathSetFrame:
++ * @ctxt: an XPath parser context
++ *
++ * Set the callee evaluation frame
++ *
++ * Returns the previous frame value to be restored once done
++ */
++static int
++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
++ int ret;
++
++ if (ctxt == NULL)
++ return(0);
++ ret = ctxt->valueFrame;
++ ctxt->valueFrame = ctxt->valueNr;
++ return(ret);
++}
++
++/**
++ * xmlXPathPopFrame:
++ * @ctxt: an XPath parser context
++ * @frame: the previous frame value
++ *
++ * Remove the callee evaluation frame
++ */
++static void
++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
++ if (ctxt == NULL)
++ return;
++ if (ctxt->valueNr < ctxt->valueFrame) {
++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++ }
++ ctxt->valueFrame = frame;
++}
++
++/**
+ * valuePop:
+ * @ctxt: an XPath evaluation context
+ *
+@@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt)
+
+ if ((ctxt == NULL) || (ctxt->valueNr <= 0))
+ return (NULL);
++
++ if (ctxt->valueNr <= ctxt->valueFrame) {
++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++ return (NULL);
++ }
++
+ ctxt->valueNr--;
+ if (ctxt->valueNr > 0)
+ ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
+@@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) {
+ ret->valueNr = 0;
+ ret->valueMax = 10;
+ ret->value = NULL;
++ ret->valueFrame = 0;
+
+ ret->context = ctxt;
+ ret->comp = comp;
+@@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
+ xmlNodePtr oldContextNode, contextNode = NULL;
+ xmlXPathContextPtr xpctxt = ctxt->context;
++ int frame;
+
+ #ifdef LIBXML_XPTR_ENABLED
+ /*
+@@ -11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ */
+ exprOp = &ctxt->comp->steps[op->ch2];
+ for (i = 0; i < set->nodeNr; i++) {
++ xmlXPathObjectPtr tmp;
++
+ if (set->nodeTab[i] == NULL)
+ continue;
+
+@@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ xmlXPathNodeSetAddUnique(contextObj->nodesetval,
+ contextNode);
+
++ frame = xmlXPathSetFrame(ctxt);
+ valuePush(ctxt, contextObj);
+ res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
++ tmp = valuePop(ctxt);
++ xmlXPathPopFrame(ctxt, frame);
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+- xmlXPathObjectPtr tmp;
+- /* pop the result if any */
+- tmp = valuePop(ctxt);
+- if (tmp != contextObj) {
++ while (tmp != contextObj) {
+ /*
+ * Free up the result
+ * then pop off contextObj, which will be freed later
+ */
+ xmlXPathReleaseObject(xpctxt, tmp);
+- valuePop(ctxt);
++ tmp = valuePop(ctxt);
+ }
+ goto evaluation_error;
+ }
++ /* push the result back onto the stack */
++ valuePush(ctxt, tmp);
+
+ if (res)
+ pos++;
+@@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ xmlXPathFunction func;
+ const xmlChar *oldFunc, *oldFuncURI;
+ int i;
++ int frame;
+
++ frame = xmlXPathSetFrame(ctxt);
+ if (op->ch1 != -1)
+ total +=
+ xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
+@@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: parameter error\n");
+ ctxt->error = XPATH_INVALID_OPERAND;
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
+- for (i = 0; i < op->value; i++)
++ for (i = 0; i < op->value; i++) {
+ if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: parameter error\n");
+ ctxt->error = XPATH_INVALID_OPERAND;
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
++ }
+ if (op->cache != NULL)
+ XML_CAST_FPTR(func) = op->cache;
+ else {
+@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ xmlGenericError(xmlGenericErrorContext,
+ "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+ (char *)op->value4, (char *)op->value5);
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
+ func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ func(ctxt, op->value);
+ ctxt->context->function = oldFunc;
+ ctxt->context->functionURI = oldFuncURI;
++ xmlXPathPopFrame(ctxt, frame);
+ return (total);
+ }
+ case XPATH_OP_ARG:
+@@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ ctxt->valueNr = 0;
+ ctxt->valueMax = 10;
+ ctxt->value = NULL;
++ ctxt->valueFrame = 0;
+ }
+ #ifdef XPATH_STREAMING
+ if (ctxt->comp->stream) {
+diff --git a/xpointer.c b/xpointer.c
+index 7a42d02..37afa3a 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) {
+ ctxt->valueNr = 0;
+ ctxt->valueMax = 10;
+ ctxt->value = NULL;
++ ctxt->valueFrame = 0;
+ }
+ SKIP_BLANKS;
+ if (CUR == '/') {
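Review bot: In the xmlXPathCompOpEvalPositionalPredicate hunk the new `while (tmp != contextObj)` loop has no exit when `valuePop` returns NULL. The valuePop change in this same patch returns NULL once `valueNr <= valueFrame` or the stack is empty, so if contextObj is no longer on the stack the loop keeps calling `xmlXPathReleaseObject(xpctxt, tmp)` with NULL and never terminates. Bounding it, `while ((tmp != NULL) && (tmp != contextObj)) {`, ends the cleanup when the stack is exhausted. Separately, the new entry in xmlXPathErrorMessages reads `"Stack usage errror\n"`, with one `r` too many. The enclosing function continues outside the hunk.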