new file mode 100644

@@ -0,0 +1,171 @@

+From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001

+From: Nick Wellnhofer <wellnhofer@aevum.de>

+Date: Tue, 28 Jun 2016 14:22:23 +0200

+Subject: Fix XPointer paths beginning with range-to

+

+The old code would invoke the broken xmlXPtrRangeToFunction. range-to

+isn't really a function but a special kind of location step. Remove

+this function and always handle range-to in the XPath code.

+

+The old xmlXPtrRangeToFunction could also be abused to trigger a

+use-after-free error with the potential for remote code execution.

+

+Found with afl-fuzz.

+

+Fixes CVE-2016-5131.

+---

+ result/XPath/xptr/vidbase | 13 ++++++++

+ test/XPath/xptr/vidbase   |  1 +

+ xpath.c                   |  7 ++++-

+ xpointer.c                | 76 ++++-------------------------------------------

+ 4 files changed, 26 insertions(+), 71 deletions(-)

+

+diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase

+index 8b9e92d..f19193e 100644

+--- a/result/XPath/xptr/vidbase

+@@ -17,3 +17,16 @@ Object is a Location Set:

+   To node

+     ELEMENT p

+ 

++

++========================

++Expression: xpointer(range-to(id('chapter2')))

++Object is a Location Set:

++1 :   Object is a range :

++  From node

++     /

++  To node

++    ELEMENT chapter

++      ATTRIBUTE id

++        TEXT

++          content=chapter2

++

+diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase

+index b146383..884b106 100644

+--- a/test/XPath/xptr/vidbase

+@@ -1,2 +1,3 @@

+ xpointer(id('chapter1')/p)

+ xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))

++xpointer(range-to(id('chapter2')))

+diff --git a/xpath.c b/xpath.c

+index d992841..5a01b1b 100644

+--- a/xpath.c

+@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {

+ 		    lc = 1;

+ 		    break;

+ 		} else if ((NXT(len) == '(')) {

+-		    /* Note Type or Function */

++		    /* Node Type or Function */

+ 		    if (xmlXPathIsNodeType(name)) {

+ #ifdef DEBUG_STEP

+ 		        xmlGenericError(xmlGenericErrorContext,

+ 				"PathExpr: Type search\n");

+ #endif

+ 			lc = 1;

++#ifdef LIBXML_XPTR_ENABLED

++                    } else if (ctxt->xptr &&

++                               xmlStrEqual(name, BAD_CAST "range-to")) {

++                        lc = 1;

++#endif

+ 		    } else {

+ #ifdef DEBUG_STEP

+ 		        xmlGenericError(xmlGenericErrorContext,

+diff --git a/xpointer.c b/xpointer.c

+index 676c510..d74174a 100644

+--- a/xpointer.c

+@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {

+     ret->here = here;

+     ret->origin = origin;

+ 

+-    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",

+-	                 xmlXPtrRangeToFunction);

+     xmlXPathRegisterFunc(ret, (xmlChar *)"range",

+ 	                 xmlXPtrRangeFunction);

+     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",

+@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {

+  * @nargs:  the number of args

+  *

+  * Implement the range-to() XPointer function

++ *

++ * Obsolete. range-to is not a real function but a special type of location

++ * step which is handled in xpath.c.

+  */

+ void

+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {

+-    xmlXPathObjectPtr range;

+-    const xmlChar *cur;

+-    xmlXPathObjectPtr res, obj;

+-    xmlXPathObjectPtr tmp;

+-    xmlLocationSetPtr newset = NULL;

+-    xmlNodeSetPtr oldset;

+-    int i;

+-

+-    if (ctxt == NULL) return;

+-    CHECK_ARITY(1);

+-    /*

+-     * Save the expression pointer since we will have to evaluate

+-     * it multiple times. Initialize the new set.

+-     */

+-    CHECK_TYPE(XPATH_NODESET);

+-    obj = valuePop(ctxt);

+-    oldset = obj->nodesetval;

+-    ctxt->context->node = NULL;

+-

+-    cur = ctxt->cur;

+-    newset = xmlXPtrLocationSetCreate(NULL);

+-

+-    for (i = 0; i < oldset->nodeNr; i++) {

+-	ctxt->cur = cur;

+-

+-	/*

+-	 * Run the evaluation with a node list made of a single item

+-	 * in the nodeset.

+-	 */

+-	ctxt->context->node = oldset->nodeTab[i];

+-	tmp = xmlXPathNewNodeSet(ctxt->context->node);

+-	valuePush(ctxt, tmp);

+-

+-	xmlXPathEvalExpr(ctxt);

+-	CHECK_ERROR;

+-

+-	/*

+-	 * The result of the evaluation need to be tested to

+-	 * decided whether the filter succeeded or not

+-	 */

+-	res = valuePop(ctxt);

+-	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);

+-	if (range != NULL) {

+-	    xmlXPtrLocationSetAdd(newset, range);

+-	}

+-

+-	/*

+-	 * Cleanup

+-	 */

+-	if (res != NULL)

+-	    xmlXPathFreeObject(res);

+-	if (ctxt->value == tmp) {

+-	    res = valuePop(ctxt);

+-	    xmlXPathFreeObject(res);

+-	}

+-

+-	ctxt->context->node = NULL;

+-    }

+-

+-    /*

+-     * The result is used as the new evaluation set.

+-     */

+-    xmlXPathFreeObject(obj);

+-    ctxt->context->node = NULL;

+-    ctxt->context->contextSize = -1;

+-    ctxt->context->proximityPosition = -1;

+-    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));

++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,

++                       int nargs ATTRIBUTE_UNUSED) {

++    XP_ERROR(XPATH_EXPR_ERROR);

+ }

+ 

+ /**

new file mode 100644

@@ -0,0 +1,172 @@

+From d77e5fc4bcdb7da748c9cca116a601ae4df60d21

+To a005199330b86dada19d162cae15ef9bdcb6baa8

+Bring upstream patches to support CVE-2016-5131 fix

+as one of the tests failed with just applying the CVE fix.

+

+diff --git a/relaxng.c b/relaxng.c

+index 56a3344..3d3e69c 100644

+--- a/relaxng.c

+@@ -2088,6 +2088,7 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1,

+                          const xmlChar * arg2)

+ {

+     char msg[1000];

++    xmlChar *result;

+ 

+     if (arg1 == NULL)

+         arg1 = BAD_CAST "";

+@@ -2215,7 +2216,7 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1,

+         snprintf(msg, 1000, "Unknown error code %d\n", err);

+     }

+     msg[1000 - 1] = 0;

+-    xmlChar *result = xmlCharStrdup(msg);

++    result = xmlCharStrdup(msg);

+     return (xmlEscapeFormatString(&result));

+ }

+ 

+diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror

+new file mode 100644

+index 0000000..d589882

+--- /dev/null

+@@ -0,0 +1,4 @@

++

++========================

++Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))

++Object is empty (NULL)

+diff --git a/runtest.c b/runtest.c

+index bb74d2a..1861577 100644

+--- a/runtest.c

+@@ -2317,10 +2317,19 @@ static FILE *xpathOutput;

+ static xmlDocPtr xpathDocument;

+ 

+ static void

++ignoreGenericError(void *ctx ATTRIBUTE_UNUSED,

++        const char *msg ATTRIBUTE_UNUSED, ...) {

++}

++

++static void

+ testXPath(const char *str, int xptr, int expr) {

++    xmlGenericErrorFunc handler = ignoreGenericError;

+     xmlXPathObjectPtr res;

+     xmlXPathContextPtr ctxt;

+ 

++    /* Don't print generic errors to stderr. */

++    initGenericErrorDefaultFunc(&handler);

++

+     nb_tests++;

+ #if defined(LIBXML_XPTR_ENABLED)

+     if (xptr) {

+@@ -2349,6 +2358,9 @@ testXPath(const char *str, int xptr, int expr) {

+     xmlXPathDebugDumpObject(xpathOutput, res, 0);

+     xmlXPathFreeObject(res);

+     xmlXPathFreeContext(ctxt);

++

++    /* Reset generic error handler. */

++    initGenericErrorDefaultFunc(NULL);

+ }

+ 

+ /**

+diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror

+new file mode 100644

+index 0000000..da8c53b

+--- /dev/null

+@@ -0,0 +1 @@

++xpointer(non-existing-fn()/range-to(id('chapter2')))

+diff --git a/xmlschemas.c b/xmlschemas.c

+index e1b3a4f..d42afb7 100644

+--- a/xmlschemas.c

+@@ -3168,8 +3168,8 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,

+ 		"valid.");

+ 	}

+ 	if (expected) {

+-	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");

+ 	    xmlChar *expectedEscaped = xmlCharStrdup(expected);

++	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");

+ 	    msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));

+ 	    FREE_AND_NULL(expectedEscaped);

+ 	    msg = xmlStrcat(msg, BAD_CAST "'.\n");

+@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,

+     * attributes yet.

+     */

+     if (nb_attributes != 0) {

++	int valueLen, k, l;

+ 	xmlChar *value;

+ 

+         for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {

+@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,

+ 	    * libxml2 differs from normal SAX here in that it escapes all ampersands

+ 	    * as & instead of delivering the raw converted string. Changing the

+ 	    * behavior at this point would break applications that use this API, so

+-	    * we are forced to work around it. There is no danger of accidentally

+-	    * decoding some entity other than & in this step because without

+-	    * unescaped ampersands there can be no other entities in the string.

++	    * we are forced to work around it.

+ 	    */

+-	    value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],

+-		attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);

++	    valueLen = attributes[j+4] - attributes[j+3];

++	    value = xmlMallocAtomic(valueLen + 1);

++	    if (value == NULL) {

++		xmlSchemaVErrMemory(vctxt,

++		    "allocating string for decoded attribute",

++		    NULL);

++		goto internal_error;

++	    }

++	    for (k = 0, l = 0; k < valueLen; l++) {

++		if (k < valueLen - 4 &&

++		    attributes[j+3][k+0] == '&' &&

++		    attributes[j+3][k+1] == '#' &&

++		    attributes[j+3][k+2] == '3' &&

++		    attributes[j+3][k+3] == '8' &&

++		    attributes[j+3][k+4] == ';') {

++		    value[l] = '&';

++		    k += 5;

++		} else {

++		    value[l] = attributes[j+3][k];

++		    k++;

++		}

++	    }

++	    value[l] = '\0';

+ 	    /*

+ 	    * TODO: Set the node line.

+ 	    */

+diff --git a/xpath.c b/xpath.c

+index 113bce6..d992841 100644

+--- a/xpath.c

+@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {

+      * compute depth to root

+      */

+     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {

+-	if (cur == node1)

++	if (cur->parent == node1)

+ 	    return(1);

+ 	depth2++;

+     }

+     root = cur;

+     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {

+-	if (cur == node2)

++	if (cur->parent == node2)

+ 	    return(-1);

+ 	depth1++;

+     }

+@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)

+                 xmlNodeSetPtr oldset;

+                 int i, j;

+ 

+-                if (op->ch1 != -1)

++                if (op->ch1 != -1) {

+                     total +=

+                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);

++                    CHECK_ERROR0;

++                }

++                if (ctxt->value == NULL) {

++                    XP_ERROR0(XPATH_INVALID_OPERAND);

++                }

+                 if (op->ch2 == -1)

+                     return (total);

+ 

@@ -1,13 +1,15 @@

 Summary:	Libxml2

 Name:		libxml2

 Version:	2.9.4

-Release:	2%{?dist}

+Release:	3%{?dist}

 License:	MIT

 URL:		http://xmlsoft.org/

 Group:		System Environment/General Libraries

 Vendor:		VMware, Inc.

 Distribution: 	Photon

 Source0:	ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz

+Patch0:         libxml2-2.9.4-support-cve-2016-5131.patch

+Patch1:         libxml2-2.9.4-cve-2016-5131.patch

 %define sha1 libxml2=958ae70baf186263a4bd801a81dd5d682aedd1db

 Requires:	python2

 BuildRequires:	python2-devel

@@ -37,6 +39,8 @@ Static libraries and header files for the support library for libxml

 %prep

 %setup -q

+%patch0 -p1

+%patch1 -p1

 sed \

   -e /xmlInitializeCatalog/d \

   -e 's/((ent->checked =.*&&/(((ent->checked == 0) ||\

@@ -86,6 +90,8 @@ rm -rf %{buildroot}/*

 %changelog

+*	Thu Oct 20 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.9.4-3

+-	Apply patch for CVE-2016-5131

 *       Mon Oct 03 2016 Chang Lee <changlee@vmware.com> 2.9.4-2

 -       Modified check

 *       Wed Jun 01 2016 Anish Swaminathan <anishs@vmware.com> 2.9.4-1