diff --git a/libs/libxslt/Makefile b/libs/libxslt/Makefile index df80b65b0a..2d867c182d 100644 --- a/libs/libxslt/Makefile +++ b/libs/libxslt/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2014 OpenWrt.org +# Copyright (C) 2014 - 2018 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libxslt PKG_VERSION:=1.1.28 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ @@ -20,7 +20,7 @@ PKG_MD5SUM:=9667bf6f9310b957254fdcf6596600b7 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=COPYING -PKG_MAINTAINER:=Jiri Slachta +PKG_MAINTAINER:=Jiri Slachta PKG_FIXUP:=autoreconf PKG_INSTALL:=1 @@ -43,7 +43,7 @@ define Package/libexslt SECTION:=libs CATEGORY:=Libraries DEPENDS:=+libxslt - TITLE:=Gnome XSLT library Extention + TITLE:=Gnome XSLT library Extension URL:=http://xmlsoft.org/XSLT/EXSLT/ endef @@ -64,6 +64,7 @@ define Package/xsltproc/description endef CONFIGURE_ARGS+= \ + --disable-silent-rules \ --enable-shared \ --enable-static \ --without-python \ diff --git a/libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch b/libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch new file mode 100644 index 0000000000..2313388358 --- /dev/null +++ b/libs/libxslt/patches/0005-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch @@ -0,0 +1,48 @@ +From: Daniel Veillard +Date: Wed, 30 Jan 2013 16:31:37 +0000 +Subject: Fix a couple of places where (f)printf parameters were broken + +As reported by Thomas Jarosch +--- + python/libxslt.c | 10 +++++----- + xsltproc/xsltproc.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/python/libxslt.c b/python/libxslt.c +index 6a4f1c3..8dd6c78 100644 +--- a/python/libxslt.c ++++ b/python/libxslt.c +@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED, + PyObject *pyobj_element_f; + PyObject *pyobj_precomp_f; + +-#ifdef DEBUG_EXTENSIONS +- printf("libxslt_xsltRegisterExtModuleElement called\n", +- name, ns_uri); +-#endif +- + if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement", + &name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f)) + return(NULL); + ++#ifdef DEBUG_EXTENSIONS ++ printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n", ++ name, ns_uri); ++#endif ++ + if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) { + py_retval = libxml_intWrap(-1); + return(py_retval); +diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c +index 9ec4b76..33beddf 100644 +--- a/xsltproc/xsltproc.c ++++ b/xsltproc/xsltproc.c +@@ -319,7 +319,7 @@ static void endTimer(char *format, ...) + va_start(ap, format); + vfprintf(stderr,format,ap); + va_end(ap); +- fprintf(stderr, " was not timed\n", msec); ++ fprintf(stderr, " was not timed\n"); + #else + /* We don't have gettimeofday, time or stdarg.h, what crazy world is + * this ?! diff --git a/libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch b/libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch new file mode 100644 index 0000000000..2d38ba23a3 --- /dev/null +++ b/libs/libxslt/patches/0006-Initialize-pseudo-random-number-generator-with-curre.patch @@ -0,0 +1,56 @@ +From: Nils Werner +Date: Thu, 24 Jan 2013 18:44:03 +0000 +Subject: Initialize pseudo random number generator with current time or + optional command line parameter + +--- + xsltproc/xsltproc.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c +index 33beddf..7d1fe61 100644 +--- a/xsltproc/xsltproc.c ++++ b/xsltproc/xsltproc.c +@@ -514,6 +514,7 @@ static void usage(const char *name) { + printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth); + printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars); + printf("\t--maxparserdepth val : increase the maximum parser depth\n"); ++ printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n"); + #ifdef LIBXML_HTML_ENABLED + printf("\t--html: the input document is(are) an HTML file(s)\n"); + #endif +@@ -556,6 +557,7 @@ main(int argc, char **argv) + return (1); + } + ++ srand(time(NULL)); + xmlInitMemory(); + + LIBXML_TEST_VERSION +@@ -750,6 +752,15 @@ main(int argc, char **argv) + if (value > 0) + xmlParserMaxDepth = value; + } ++ } else if ((!strcmp(argv[i], "-seed-rand")) || ++ (!strcmp(argv[i], "--seed-rand"))) { ++ int value; ++ ++ i++; ++ if (sscanf(argv[i], "%d", &value) == 1) { ++ if (value > 0) ++ srand(value); ++ } + } else if ((!strcmp(argv[i],"-dumpextensions"))|| + (!strcmp(argv[i],"--dumpextensions"))) { + dumpextensions++; +@@ -786,6 +797,10 @@ main(int argc, char **argv) + (!strcmp(argv[i], "--maxparserdepth"))) { + i++; + continue; ++ } else if ((!strcmp(argv[i], "-seed-rand")) || ++ (!strcmp(argv[i], "--seed-rand"))) { ++ i++; ++ continue; + } else if ((!strcmp(argv[i], "-o")) || + (!strcmp(argv[i], "-output")) || + (!strcmp(argv[i], "--output"))) { diff --git a/libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch b/libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch new file mode 100644 index 0000000000..6bb238d3ab --- /dev/null +++ b/libs/libxslt/patches/0007-EXSLT-function-str-replace-is-broken-as-is.patch @@ -0,0 +1,38 @@ +From: Nick Wellnhofer +Date: Mon, 1 Jul 2013 13:10:10 +0000 +Subject: EXSLT function str:replace() is broken as-is + +the str:replace() function is no longer usable without a transform +context. I take it from the bug report that it is not supposed to be used +from plain XPath but only from XSLT according to the EXSLT specification. + +However, the previous implementation used to work in XPath and is still +registered on an xmlXPathContext by the exsltStrXpathCtxtRegister() +function. When called from plain XPath, it results in a memory error in +line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT() +returns NULL as an error indicator due to a NULL transform context being +passed in, which was the return value from xsltXPathGetTransformContext() a +bit further up (and the code doesn't validate that). + +Since fixing the function looks impossible, best is to remove it. +--- + libexslt/strings.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/libexslt/strings.c b/libexslt/strings.c +index 045cc14..c0c7a18 100644 +--- a/libexslt/strings.c ++++ b/libexslt/strings.c +@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix) + && !xmlXPathRegisterFuncNS(ctxt, + (const xmlChar *) "concat", + (const xmlChar *) EXSLT_STRINGS_NAMESPACE, +- exsltStrConcatFunction) +- && !xmlXPathRegisterFuncNS(ctxt, +- (const xmlChar *) "replace", +- (const xmlChar *) EXSLT_STRINGS_NAMESPACE, +- exsltStrReplaceFunction)) { ++ exsltStrConcatFunction)) { + return 0; + } + return -1; diff --git a/libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch b/libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch new file mode 100644 index 0000000000..f6ba74cb68 --- /dev/null +++ b/libs/libxslt/patches/0008-Fix-quoting-of-xlocale-test-program-in-configure.in.patch @@ -0,0 +1,43 @@ +From: Nick Wellnhofer +Date: Tue, 30 Jul 2013 11:57:28 +0000 +Subject: Fix quoting of xlocale test program in configure.in + +Double square brackets aren't needed anymore, probably due to the +changes in commit a2cd8a03. +--- + configure.in | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/configure.in b/configure.in +index 767e980..ac004fe 100644 +--- a/configure.in ++++ b/configure.in +@@ -196,21 +196,21 @@ typedef locale_t xsltLocale; + #endif + ]],[[ + xsltLocale locale; +- const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" }; +- char *dst[[2]]; ++ const char *src[2] = { "\xc3\x84rger", "Zeppelin" }; ++ char *dst[2]; + size_t len, r; + int i; + + locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL); + if (locale == NULL) exit(1); + for (i=0; i<2; ++i) { +- len = strxfrm_l(NULL, src[[i]], 0, locale) + 1; +- dst[[i]] = malloc(len); +- if(dst[[i]] == NULL) exit(1); +- r = strxfrm_l(dst[[i]], src[[i]], len, locale); ++ len = strxfrm_l(NULL, src[i], 0, locale) + 1; ++ dst[i] = malloc(len); ++ if(dst[i] == NULL) exit(1); ++ r = strxfrm_l(dst[i], src[i], len, locale); + if(r >= len) exit(1); + } +- if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1); ++ if (strcmp(dst[0], dst[1]) >= 0) exit(1); + + exit(0); + return(0); diff --git a/libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch b/libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch new file mode 100644 index 0000000000..9f2d7ac3f1 --- /dev/null +++ b/libs/libxslt/patches/0009-Fix-for-type-confusion-in-preprocessing-attributes.patch @@ -0,0 +1,29 @@ +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 29 Oct 2015 19:33:23 +0800 +Subject: [PATCH] Fix for type confusion in preprocessing attributes + +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10 +We need to check that the parent node is an element before dereferencing +its namespace +--- + libxslt/preproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/preproc.c b/libxslt/preproc.c +index 0eb80a0..7f69325 100644 +--- a/libxslt/preproc.c ++++ b/libxslt/preproc.c +@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) { + } else if (IS_XSLT_NAME(inst, "attribute")) { + xmlNodePtr parent = inst->parent; + +- if ((parent == NULL) || (parent->ns == NULL) || ++ if ((parent == NULL) || ++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) || + ((parent->ns != inst->ns) && + (!xmlStrEqual(parent->ns->href, inst->ns->href))) || + (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) { +-- +2.8.1 + diff --git a/libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch b/libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch new file mode 100644 index 0000000000..183cabb52d --- /dev/null +++ b/libs/libxslt/patches/0010-Always-initialize-EXSLT-month-and-day-to-1.patch @@ -0,0 +1,62 @@ +From 3309feb654036280d2355f8025150a69bfded6e2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 3 Jan 2016 16:45:24 +0100 +Subject: [PATCH] Always initialize EXSLT month and day to 1 + +Fixes bug #757970 +https://bugzilla.gnome.org/show_bug.cgi?id=757970 +--- + libexslt/date.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/libexslt/date.c b/libexslt/date.c +index 9ca993c..272c61b 100644 +--- a/libexslt/date.c ++++ b/libexslt/date.c +@@ -667,6 +667,11 @@ exsltDateCreateDate (exsltDateType type) + } + memset (ret, 0, sizeof(exsltDateVal)); + ++ if (type != XS_DURATION) { ++ ret->value.date.mon = 1; ++ ret->value.date.day = 1; ++ } ++ + if (type != EXSLT_UNKNOWN) + ret->type = type; + +@@ -1395,10 +1400,10 @@ _exsltDateTruncateDate (exsltDateValPtr dt, exsltDateType type) + } + + if ((type & XS_GDAY) != XS_GDAY) +- dt->value.date.day = 0; ++ dt->value.date.day = 1; + + if ((type & XS_GMONTH) != XS_GMONTH) +- dt->value.date.mon = 0; ++ dt->value.date.mon = 1; + + if ((type & XS_GYEAR) != XS_GYEAR) + dt->value.date.year = 0; +@@ -1473,18 +1478,10 @@ _exsltDateAdd (exsltDateValPtr dt, exsltDateValPtr dur) + d = &(dt->value.date); + u = &(dur->value.dur); + +- /* normalization */ +- if (d->mon == 0) +- d->mon = 1; +- + /* normalize for time zone offset */ + u->sec -= (d->tzo * 60); /* changed from + to - (bug 153000) */ + d->tzo = 0; + +- /* normalization */ +- if (d->day == 0) +- d->day = 1; +- + /* month */ + carry = d->mon + u->mon; + r->mon = (unsigned int)MODULO_RANGE(carry, 1, 13); +-- +2.8.1 + diff --git a/libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch b/libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch new file mode 100644 index 0000000000..aec622fb03 --- /dev/null +++ b/libs/libxslt/patches/0011-Fix-use-after-free-in-xsltDocumentFunctionLoadDocume.patch @@ -0,0 +1,105 @@ +From fc1ff481fd01e9a65a921c542fed68d8c965e8a3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 25 Feb 2016 17:16:06 +0100 +Subject: [PATCH] Fix use-after-free in xsltDocumentFunctionLoadDocument + +Also fixes a memory leak in an unlikely error case. + +Fixes bug #758291 +https://bugzilla.gnome.org/show_bug.cgi?id=758291 +--- + libxslt/functions.c | 3 ++- + tests/docs/bug-185-data.xml | 5 +++++ + tests/docs/bug-185.xml | 2 ++ + tests/general/bug-185.err | 3 +++ + tests/general/bug-185.out | 0 + tests/general/bug-185.xsl | 14 ++++++++++++++ + 6 files changed, 26 insertions(+), 1 deletion(-) + create mode 100644 tests/docs/bug-185-data.xml + create mode 100644 tests/docs/bug-185.xml + create mode 100644 tests/general/bug-185.err + create mode 100644 tests/general/bug-185.out + create mode 100644 tests/general/bug-185.xsl + +diff --git a/libxslt/functions.c b/libxslt/functions.c +index 549649c..a5e7021 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + resObj = xmlXPtrEval(fragment, xptrctxt); + xmlXPathFreeContext(xptrctxt); + #endif +- xmlFree(fragment); + + if (resObj == NULL) + goto out_fragment; +@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + } + + valuePush(ctxt, resObj); ++ xmlFree(fragment); + return; + + out_object: +@@ -211,6 +211,7 @@ out_object: + + out_fragment: + valuePush(ctxt, xmlXPathNewNodeSet(NULL)); ++ xmlFree(fragment); + } + + /** +diff --git a/tests/docs/bug-185-data.xml b/tests/docs/bug-185-data.xml +new file mode 100644 +index 0000000..166ef17 +--- /dev/null ++++ b/tests/docs/bug-185-data.xml +@@ -0,0 +1,5 @@ ++ ] > ++ ++ ++ ++ +diff --git a/tests/docs/bug-185.xml b/tests/docs/bug-185.xml +new file mode 100644 +index 0000000..72bfdc4 +--- /dev/null ++++ b/tests/docs/bug-185.xml +@@ -0,0 +1,2 @@ ++ ++bug-185-data.xml#xpointer(id('X')/range-to(id('Y'))) +diff --git a/tests/general/bug-185.err b/tests/general/bug-185.err +new file mode 100644 +index 0000000..d7bbe92 +--- /dev/null ++++ b/tests/general/bug-185.err +@@ -0,0 +1,3 @@ ++runtime error: file ./bug-185.xsl line 7 element copy-of ++document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y'))) ++no result for ./../docs/bug-185.xml +diff --git a/tests/general/bug-185.out b/tests/general/bug-185.out +new file mode 100644 +index 0000000..e69de29 +diff --git a/tests/general/bug-185.xsl b/tests/general/bug-185.xsl +new file mode 100644 +index 0000000..1c5c7d1 +--- /dev/null ++++ b/tests/general/bug-185.xsl +@@ -0,0 +1,14 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +-- +2.8.1 + diff --git a/libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch b/libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch new file mode 100644 index 0000000000..871fcfbc3d --- /dev/null +++ b/libs/libxslt/patches/0012-Fix-xsltNumberFormatGetMultipleLevel.patch @@ -0,0 +1,171 @@ +From d182d8f6ba3071503d96ce17395c9d55871f0242 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 22 Mar 2016 18:20:01 +0100 +Subject: [PATCH] Fix xsltNumberFormatGetMultipleLevel + +Namespace nodes are actually an xmlNs, not an xmlNode. They must be +special-cased in xsltNumberFormatGetMultipleLevel to avoid an +out-of-bounds heap access. + +Move the test whether a node matches the "count" pattern to a separate +function to make the code more readable. As a side effect, we also +compare expanded names when walking up the ancestor axis, fixing an +insignificant bug. +--- + libxslt/numbers.c | 82 +++++++++++++++++++++++++++-------------------- + tests/docs/bug-186.xml | 4 +++ + tests/general/bug-186.out | 5 +++ + tests/general/bug-186.xsl | 7 ++++ + 4 files changed, 63 insertions(+), 35 deletions(-) + create mode 100644 tests/docs/bug-186.xml + create mode 100644 tests/general/bug-186.out + create mode 100644 tests/general/bug-186.xsl + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index e3209e0..184ee6f 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + } + + static int ++xsltTestCompMatchCount(xsltTransformContextPtr context, ++ xmlNodePtr node, ++ xsltCompMatchPtr countPat, ++ xmlNodePtr cur) ++{ ++ if (countPat != NULL) { ++ return xsltTestCompMatchList(context, node, countPat); ++ } ++ else { ++ /* ++ * 7.7 Numbering ++ * ++ * If count attribute is not specified, then it defaults to the ++ * pattern that matches any node with the same node type as the ++ * current node and, if the current node has an expanded-name, with ++ * the same expanded-name as the current node. ++ */ ++ if (node->type != cur->type) ++ return 0; ++ if (node->type == XML_NAMESPACE_DECL) ++ /* ++ * Namespace nodes have no preceding siblings and no parents ++ * that are namespace nodes. This means that node == cur. ++ */ ++ return 1; ++ /* TODO: Skip node types without expanded names like text nodes. */ ++ if (!xmlStrEqual(node->name, cur->name)) ++ return 0; ++ if (node->ns == cur->ns) ++ return 1; ++ if ((node->ns == NULL) || (cur->ns == NULL)) ++ return 0; ++ return (xmlStrEqual(node->ns->href, cur->ns->href)); ++ } ++} ++ ++static int + xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context, + xmlNodePtr node, + xsltCompMatchPtr countPat, +@@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context, + + while (cur != NULL) { + /* process current node */ +- if (countPat == NULL) { +- if ((node->type == cur->type) && +- /* FIXME: must use expanded-name instead of local name */ +- xmlStrEqual(node->name, cur->name)) { +- if ((node->ns == cur->ns) || +- ((node->ns != NULL) && +- (cur->ns != NULL) && +- (xmlStrEqual(node->ns->href, +- cur->ns->href) ))) +- cnt++; +- } +- } else { +- if (xsltTestCompMatchList(context, cur, countPat)) +- cnt++; +- } ++ if (xsltTestCompMatchCount(context, cur, countPat, node)) ++ cnt++; + if ((fromPat != NULL) && + xsltTestCompMatchList(context, cur, fromPat)) { + break; /* while */ +@@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context, + xsltTestCompMatchList(context, ancestor, fromPat)) + break; /* for */ + +- if ((countPat == NULL && node->type == ancestor->type && +- xmlStrEqual(node->name, ancestor->name)) || +- xsltTestCompMatchList(context, ancestor, countPat)) { ++ if (xsltTestCompMatchCount(context, ancestor, countPat, node)) { + /* count(preceding-sibling::*) */ +- cnt = 0; +- for (preceding = ancestor; ++ cnt = 1; ++ for (preceding = ++ xmlXPathNextPrecedingSibling(parser, ancestor); + preceding != NULL; + preceding = + xmlXPathNextPrecedingSibling(parser, preceding)) { +- if (countPat == NULL) { +- if ((preceding->type == ancestor->type) && +- xmlStrEqual(preceding->name, ancestor->name)){ +- if ((preceding->ns == ancestor->ns) || +- ((preceding->ns != NULL) && +- (ancestor->ns != NULL) && +- (xmlStrEqual(preceding->ns->href, +- ancestor->ns->href) ))) +- cnt++; +- } +- } else { +- if (xsltTestCompMatchList(context, preceding, +- countPat)) +- cnt++; +- } ++ ++ if (xsltTestCompMatchCount(context, preceding, countPat, ++ node)) ++ cnt++; + } + array[amount++] = (double)cnt; + if (amount >= max) +diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml +new file mode 100644 +index 0000000..424db6b +--- /dev/null ++++ b/tests/docs/bug-186.xml +@@ -0,0 +1,4 @@ ++ ++ ++ ++ +diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out +new file mode 100644 +index 0000000..01a59f8 +--- /dev/null ++++ b/tests/general/bug-186.out +@@ -0,0 +1,5 @@ ++ ++ ++1111 ++1111 ++ +diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl +new file mode 100644 +index 0000000..9c491dd +--- /dev/null ++++ b/tests/general/bug-186.xsl +@@ -0,0 +1,7 @@ ++ ++ ++ ++ ++ ++ ++ +-- +2.8.1 + diff --git a/libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch b/libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch new file mode 100644 index 0000000000..bed1b04eeb --- /dev/null +++ b/libs/libxslt/patches/0013-Round-xsl-number-values-to-nearest-integer.patch @@ -0,0 +1,26 @@ +From 345e0bfb1c1131155a32dfbdfc8f78d1c602dc40 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 12:50:02 +0200 +Subject: [PATCH] Round xsl:number values to nearest integer + +This matches XSLT 2.0 behavior. +--- + libxslt/numbers.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 184ee6f..eb087bc 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -440,6 +440,8 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + for (i = 0; i < numbers_max; i++) { + /* Insert number */ + number = numbers[(numbers_max - 1) - i]; ++ /* Round to nearest like XSLT 2.0 */ ++ number = floor(number + 0.5); + if (i < tokens->nTokens) { + /* + * The "n"th format token will be used to format the "n"th +-- +2.8.1 + diff --git a/libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch b/libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch new file mode 100644 index 0000000000..d5b54f4a5f --- /dev/null +++ b/libs/libxslt/patches/0014-Handle-negative-xsl-number-values.patch @@ -0,0 +1,51 @@ +From 69ec3da1b653024aca6515ddd4adc91919dd188e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 12:51:57 +0200 +Subject: [PATCH] Handle negative xsl:number values + +According to XSLT 2.0, negative values are a non-recoverable dynamic error. +Print an error message and treat negative values as zero. + +Fixes an OOB array access in xsltNumberFormatAlpha. +--- + libxslt/numbers.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index eb087bc..a3cabcf 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -246,7 +246,7 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer, + number--; + *(--pointer) = alpha_list[((int)fmod(number, alpha_size))]; + number /= alpha_size; +- if (fabs(number) < 1.0) ++ if (number < 1.0) + break; /* for */ + } + xmlBufferCCat(buffer, pointer); +@@ -442,6 +442,21 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + number = numbers[(numbers_max - 1) - i]; + /* Round to nearest like XSLT 2.0 */ + number = floor(number + 0.5); ++ /* ++ * XSLT 1.0 isn't clear on how to handle negative numbers, but XSLT ++ * 2.0 says: ++ * ++ * It is a non-recoverable dynamic error if any undiscarded item ++ * in the atomized sequence supplied as the value of the value ++ * attribute of xsl:number cannot be converted to an integer, or ++ * if the resulting integer is less than 0 (zero). ++ */ ++ if (number < 0.0) { ++ xsltTransformError(NULL, NULL, NULL, ++ "xsl-number : negative value\n"); ++ /* Recover by treating negative values as zero. */ ++ number = 0.0; ++ } + if (i < tokens->nTokens) { + /* + * The "n"th format token will be used to format the "n"th +-- +2.8.1 + diff --git a/libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch b/libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch new file mode 100644 index 0000000000..e5149a9ccc --- /dev/null +++ b/libs/libxslt/patches/0015-Lower-bound-for-format-token-a.patch @@ -0,0 +1,75 @@ +From 405034286fbdd6166229335b7203a41bf53b40fc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 13:11:31 +0200 +Subject: [PATCH] Lower bound for format token "a" + +Handle xsl:number with format "a" and value 0 according to XSLT 2.0. + +Fixes an OOB array access in xsltNumberFormatAlpha. +--- + libxslt/numbers.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index a3cabcf..af52883 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -227,7 +227,8 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer, + } + + static void +-xsltNumberFormatAlpha(xmlBufferPtr buffer, ++xsltNumberFormatAlpha(xsltNumberDataPtr data, ++ xmlBufferPtr buffer, + double number, + int is_upper) + { +@@ -237,6 +238,26 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer, + char *alpha_list; + double alpha_size = (double)(sizeof(alpha_upper_list) - 1); + ++ /* ++ * XSLT 1.0 isn't clear on how to handle zero, but XSLT 2.0 says: ++ * ++ * For all format tokens other than the first kind above (one that ++ * consists of decimal digits), there may be implementation-defined ++ * lower and upper bounds on the range of numbers that can be ++ * formatted using this format token; indeed, for some numbering ++ * sequences there may be intrinsic limits. [...] Numbers that fall ++ * outside this range must be formatted using the format token 1. ++ * ++ * The "a" token has an intrinsic lower limit of 1. ++ */ ++ if (number < 1.0) { ++ xsltNumberFormatDecimal(buffer, number, '0', 1, ++ data->digitsPerGroup, ++ data->groupingCharacter, ++ data->groupingCharacterLen); ++ return; ++ } ++ + /* Build buffer from back */ + pointer = &temp_string[sizeof(temp_string)]; + *(--pointer) = 0; +@@ -500,16 +521,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + + switch (token->token) { + case 'A': +- xsltNumberFormatAlpha(buffer, +- number, +- TRUE); +- ++ xsltNumberFormatAlpha(data, buffer, number, TRUE); + break; + case 'a': +- xsltNumberFormatAlpha(buffer, +- number, +- FALSE); +- ++ xsltNumberFormatAlpha(data, buffer, number, FALSE); + break; + case 'I': + xsltNumberFormatRoman(buffer, +-- +2.8.1 + diff --git a/libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch b/libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch new file mode 100644 index 0000000000..d000c45cdf --- /dev/null +++ b/libs/libxslt/patches/0016-Lower-and-upper-bound-for-format-token-i.patch @@ -0,0 +1,64 @@ +From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 10 Apr 2016 13:12:28 +0200 +Subject: [PATCH] Lower and upper bound for format token "i" + +Handle xsl:number with format "i" and value 0 according to XSLT 2.0. + +Also introduce an upper bound to fix a denial of service. +--- + libxslt/numbers.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index af52883..e769c42 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data, + } + + static void +-xsltNumberFormatRoman(xmlBufferPtr buffer, ++xsltNumberFormatRoman(xsltNumberDataPtr data, ++ xmlBufferPtr buffer, + double number, + int is_upper) + { + /* ++ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper ++ * bound to avoid denial of service. ++ */ ++ if (number < 1.0 || number > 5000.0) { ++ xsltNumberFormatDecimal(buffer, number, '0', 1, ++ data->digitsPerGroup, ++ data->groupingCharacter, ++ data->groupingCharacterLen); ++ return; ++ } ++ ++ /* + * Based on an example by Jim Walsh + */ + while (number >= 1000.0) { +@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data, + xsltNumberFormatAlpha(data, buffer, number, FALSE); + break; + case 'I': +- xsltNumberFormatRoman(buffer, +- number, +- TRUE); +- ++ xsltNumberFormatRoman(data, buffer, number, TRUE); + break; + case 'i': +- xsltNumberFormatRoman(buffer, +- number, +- FALSE); +- ++ xsltNumberFormatRoman(data, buffer, number, FALSE); + break; + default: + if (IS_DIGIT_ZERO(token->token)) { +-- +2.8.1 + diff --git a/libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch b/libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch new file mode 100644 index 0000000000..eafdee1695 --- /dev/null +++ b/libs/libxslt/patches/0017-Fix-double-free-in-libexslt-hash-functions.patch @@ -0,0 +1,62 @@ +From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 20 Apr 2016 14:35:43 +0200 +Subject: [PATCH] Fix double free in libexslt hash functions + +Thanks to Nicolas Gregoire for the report. + +Fixes bug #765271: + +https://bugzilla.gnome.org/show_bug.cgi?id=765271 +--- + libexslt/crypto.c | 15 +++------------ + tests/exslt/crypto/hash.1.out | 2 ++ + tests/exslt/crypto/hash.1.xml | 5 +++++ + 3 files changed, 10 insertions(+), 12 deletions(-) + +diff --git a/libexslt/crypto.c b/libexslt/crypto.c +index 6aa9dd2..e13db8b 100644 +--- a/libexslt/crypto.c ++++ b/libexslt/crypto.c +@@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) { + unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1]; + + str_len = exsltCryptoPopString (ctxt, nargs, &str); +- if (str_len == 0) { +- xmlXPathReturnEmptyString (ctxt); +- xmlFree (str); ++ if (str_len == 0) + return; +- } + + PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len, + (char *) hash); +@@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) { + unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1]; + + str_len = exsltCryptoPopString (ctxt, nargs, &str); +- if (str_len == 0) { +- xmlXPathReturnEmptyString (ctxt); +- xmlFree (str); ++ if (str_len == 0) + return; +- } + + PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len, + (char *) hash); +@@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) { + unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1]; + + str_len = exsltCryptoPopString (ctxt, nargs, &str); +- if (str_len == 0) { +- xmlXPathReturnEmptyString (ctxt); +- xmlFree (str); ++ if (str_len == 0) + return; +- } + + PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len, + (char *) hash); +-- +2.8.1 + diff --git a/libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch b/libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch new file mode 100644 index 0000000000..3125c33280 --- /dev/null +++ b/libs/libxslt/patches/0018-Fix-buffer-overflow-in-exsltDateFormat.patch @@ -0,0 +1,33 @@ +From 5d0c6565bab5b9b7efceb33b626916d22b4101a7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 28 Apr 2016 17:34:27 +0200 +Subject: [PATCH] Fix buffer overflow in exsltDateFormat + +Long years can overflow a stack-based buffer on 64-bit platforms by +up to four bytes. + +Thanks to Nicolas Gregoire for the report. + +Fixes bug #765380: + +https://bugzilla.gnome.org/show_bug.cgi?id=765380 +--- + libexslt/date.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libexslt/date.c b/libexslt/date.c +index 272c61b..12c9919 100644 +--- a/libexslt/date.c ++++ b/libexslt/date.c +@@ -1283,7 +1283,7 @@ exsltDateFormat (const exsltDateValPtr dt) + } + + if (dt->type & XS_GYEAR) { +- xmlChar buf[20], *cur = buf; ++ xmlChar buf[100], *cur = buf; + + FORMAT_GYEAR(dt->value.date.year, cur); + if (dt->type == XS_GYEARMONTH) { +-- +2.8.1 + diff --git a/libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch b/libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch new file mode 100644 index 0000000000..cddc2a68c8 --- /dev/null +++ b/libs/libxslt/patches/0019-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic.patch @@ -0,0 +1,36 @@ +From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 5 May 2016 15:12:48 +0200 +Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic + +xsltExtModuleRegisterDynamic would read a byte before the start of a +string under certain circumstances. I looks like this piece code was +supposed to strip characters from the end of the extension name, but +it didn't have any effect. Don't read beyond the beginning of the +string and actually strip unwanted characters. + +Found with afl-fuzz and ASan. +--- + libxslt/extensions.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libxslt/extensions.c b/libxslt/extensions.c +index 5ad73cb..ae6eef0 100644 +--- a/libxslt/extensions.c ++++ b/libxslt/extensions.c +@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI) + i++; + } + +- if (*(i - 1) == '_') ++ /* Strip underscores from end of string. */ ++ while (i > ext_name && *(i - 1) == '_') { ++ i--; + *i = '\0'; ++ } + + /* determine module directory */ + ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH"); +-- +2.8.1 + diff --git a/libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch b/libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch new file mode 100644 index 0000000000..60ead15226 --- /dev/null +++ b/libs/libxslt/patches/0020-Fix-heap-overread-in-xsltFormatNumberConversion.patch @@ -0,0 +1,31 @@ +From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 10 Jun 2016 14:23:58 +0200 +Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion + +An empty decimal-separator could cause a heap overread. This can be +exploited to leak a couple of bytes after the buffer that holds the +pattern string. + +Found with afl-fuzz and ASan. +--- + libxslt/numbers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index d1549b4..e78c46b 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, + } + + /* We have finished the integer part, now work on fraction */ +- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { ++ if ( (*the_format != 0) && ++ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { + format_info.add_decimal = TRUE; + the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ + } +-- +2.10.2 + diff --git a/libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch b/libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch new file mode 100644 index 0000000000..ea941db4ce --- /dev/null +++ b/libs/libxslt/patches/0021-Check-for-integer-overflow-in-xsltAddTextString.patch @@ -0,0 +1,74 @@ +From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 12 Jan 2017 15:39:52 +0100 +Subject: [PATCH] Check for integer overflow in xsltAddTextString + +Limit buffer size in xsltAddTextString to INT_MAX. The issue can be +exploited to trigger an out of bounds write on 64-bit systems. + +Originally reported to Chromium: + +https://crbug.com/676623 +--- + libxslt/transform.c | 25 ++++++++++++++++++++++--- + libxslt/xsltInternals.h | 4 ++-- + 2 files changed, 24 insertions(+), 5 deletions(-) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 519133fc..02bff34a 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, + return(target); + + if (ctxt->lasttext == target->content) { ++ int minSize; + +- if (ctxt->lasttuse + len >= ctxt->lasttsize) { ++ /* Check for integer overflow accounting for NUL terminator. */ ++ if (len >= INT_MAX - ctxt->lasttuse) { ++ xsltTransformError(ctxt, NULL, target, ++ "xsltCopyText: text allocation failed\n"); ++ return(NULL); ++ } ++ minSize = ctxt->lasttuse + len + 1; ++ ++ if (ctxt->lasttsize < minSize) { + xmlChar *newbuf; + int size; ++ int extra; ++ ++ /* Double buffer size but increase by at least 100 bytes. */ ++ extra = minSize < 100 ? 100 : minSize; ++ ++ /* Check for integer overflow. */ ++ if (extra > INT_MAX - ctxt->lasttsize) { ++ size = INT_MAX; ++ } ++ else { ++ size = ctxt->lasttsize + extra; ++ } + +- size = ctxt->lasttsize + len + 100; +- size *= 2; + newbuf = (xmlChar *) xmlRealloc(target->content,size); + if (newbuf == NULL) { + xsltTransformError(ctxt, NULL, target, +diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h +index 060b1783..5ad17719 100644 +--- a/libxslt/xsltInternals.h ++++ b/libxslt/xsltInternals.h +@@ -1754,8 +1754,8 @@ struct _xsltTransformContext { + * Speed optimization when coalescing text nodes + */ + const xmlChar *lasttext; /* last text node content */ +- unsigned int lasttsize; /* last text node size */ +- unsigned int lasttuse; /* last text node use */ ++ int lasttsize; /* last text node size */ ++ int lasttuse; /* last text node use */ + /* + * Per Context Debugging + */ +-- +2.11.0 +