deleted file mode 100644

@@ -1,14 +0,0 @@

-diff -dupr a/parser.c b/parser.c

-+++ b/parser.c	2017-08-09 16:30:55.562343926 -0700

-@@ -12714,6 +12714,10 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {

- 	}

- 	ctxt->input->cur = BAD_CAST"";

- 	ctxt->input->base = ctxt->input->cur;

-+	if (ctxt->input->buf) {

-+	    xmlBufEmpty (ctxt->input->buf->buffer);

-+	} else

-+	    ctxt->input->length = 0;

-     }

- }

- 

deleted file mode 100644

@@ -1,177 +0,0 @@

-diff --git a/elfgcchack.h b/elfgcchack.h

-index 8c52884..1b81dcd 100644

-+++ b/elfgcchack.h

-@@ -6547,6 +6547,16 @@ extern __typeof (xmlNoNetExternalEntityLoader) xmlNoNetExternalEntityLoader__int

- #endif

- #endif

- 

-+#ifdef bottom_xmlIO

-+#undef xmlNoXxeExternalEntityLoader

-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader __attribute((alias("xmlNoXxeExternalEntityLoader__internal_alias")));

-+#else

-+#ifndef xmlNoXxeExternalEntityLoader

-+extern __typeof (xmlNoXxeExternalEntityLoader) xmlNoXxeExternalEntityLoader__internal_alias __attribute((visibility("hidden")));

-+#define xmlNoXxeExternalEntityLoader xmlNoXxeExternalEntityLoader__internal_alias

-+#endif

-+#endif

-+

- #ifdef bottom_tree

- #undef xmlNodeAddContent

- extern __typeof (xmlNodeAddContent) xmlNodeAddContent __attribute((alias("xmlNodeAddContent__internal_alias")));

-diff --git a/include/libxml/parser.h b/include/libxml/parser.h

-index 47fbec0..4cced91 100644

-+++ b/include/libxml/parser.h

-@@ -1111,7 +1111,8 @@ typedef enum {

-     XML_PARSE_HUGE      = 1<<19,/* relax any hardcoded limit from the parser */

-     XML_PARSE_OLDSAX    = 1<<20,/* parse using SAX2 interface before 2.7.0 */

-     XML_PARSE_IGNORE_ENC= 1<<21,/* ignore internal document encoding hint */

--    XML_PARSE_BIG_LINES = 1<<22 /* Store big lines numbers in text PSVI field */

-+    XML_PARSE_BIG_LINES = 1<<22,/* Store big lines numbers in text PSVI field */

-+    XML_PARSE_NOXXE	= 1<<23 /* Forbid any external entity substitution */

- } xmlParserOption;

- 

- XMLPUBFUN void XMLCALL

-diff --git a/include/libxml/xmlIO.h b/include/libxml/xmlIO.h

-index 3e41744..8d3fdef 100644

-+++ b/include/libxml/xmlIO.h

-@@ -300,6 +300,14 @@ XMLPUBFUN xmlParserInputPtr XMLCALL

- 					 xmlParserCtxtPtr ctxt);

- 

- /*

-+ * A predefined entity loader external entity expansion

-+ */

-+XMLPUBFUN xmlParserInputPtr XMLCALL

-+	xmlNoXxeExternalEntityLoader	(const char *URL,

-+					 const char *ID,

-+					 xmlParserCtxtPtr ctxt);

-+

-+/*

-  * xmlNormalizeWindowsPath is obsolete, don't use it.

-  * Check xmlCanonicPath in uri.h for a better alternative.

-  */

-diff --git a/include/libxml/xmlerror.h b/include/libxml/xmlerror.h

-index 037c16d..3036062 100644

-+++ b/include/libxml/xmlerror.h

-@@ -470,6 +470,7 @@ typedef enum {

-     XML_IO_EADDRINUSE, /* 1554 */

-     XML_IO_EALREADY, /* 1555 */

-     XML_IO_EAFNOSUPPORT, /* 1556 */

-+    XML_IO_ILLEGAL_XXE, /* 1557 */

-     XML_XINCLUDE_RECURSION=1600,

-     XML_XINCLUDE_PARSE_VALUE, /* 1601 */

-     XML_XINCLUDE_ENTITY_DEF_MISMATCH, /* 1602 */

-diff --git a/parser.c b/parser.c

-index 53a6b7f..5220bd1 100644

-+++ b/parser.c

-@@ -15350,6 +15350,10 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi

- 	ctxt->options |= XML_PARSE_NONET;

-         options -= XML_PARSE_NONET;

-     }

-+    if (options & XML_PARSE_NOXXE) {

-+	ctxt->options |= XML_PARSE_NOXXE;

-+        options -= XML_PARSE_NOXXE;

-+    }

-     if (options & XML_PARSE_COMPACT) {

- 	ctxt->options |= XML_PARSE_COMPACT;

-         options -= XML_PARSE_COMPACT;

-diff --git a/xmlIO.c b/xmlIO.c

-index 300ee47..7d3d142 100644

-+++ b/xmlIO.c

-@@ -210,6 +210,7 @@ static const char *IOerr[] = {

-     "adddress in use",		/* EADDRINUSE */

-     "already in use",		/* EALREADY */

-     "unknown address familly",	/* EAFNOSUPPORT */

-+    "Attempt to load external entity %s", /* XML_IO_ILLEGAL_XXE */

- };

- 

- #if defined(_WIN32) || defined (__DJGPP__) && !defined (__CYGWIN__)

-@@ -4053,13 +4054,22 @@ xmlDefaultExternalEntityLoader(const char *URL, const char *ID,

-     xmlGenericError(xmlGenericErrorContext,

-                     "xmlDefaultExternalEntityLoader(%s, xxx)\n", URL);

- #endif

--    if ((ctxt != NULL) && (ctxt->options & XML_PARSE_NONET)) {

-+    if (ctxt != NULL) {

-         int options = ctxt->options;

- 

--	ctxt->options -= XML_PARSE_NONET;

--        ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);

--	ctxt->options = options;

--	return(ret);

-+        if (options & XML_PARSE_NOXXE) {

-+            ctxt->options -= XML_PARSE_NOXXE;

-+            ret = xmlNoXxeExternalEntityLoader(URL, ID, ctxt);

-+            ctxt->options = options;

-+            return(ret);

-+        }

-+ 

-+        if (options & XML_PARSE_NONET) {

-+            ctxt->options -= XML_PARSE_NONET;

-+            ret = xmlNoNetExternalEntityLoader(URL, ID, ctxt);

-+            ctxt->options = options;

-+            return(ret);

-+        }

-     }

- #ifdef LIBXML_CATALOG_ENABLED

-     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);

-@@ -4160,6 +4170,13 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,

-     xmlParserInputPtr input = NULL;

-     xmlChar *resource = NULL;

- 

-+    if (ctxt == NULL) {

-+        return(NULL);

-+    }

-+    if (ctxt->input_id == 1) {

-+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);

-+    }

-+

- #ifdef LIBXML_CATALOG_ENABLED

-     resource = xmlResolveResourceFromCatalog(URL, ID, ctxt);

- #endif

-@@ -4182,5 +4199,18 @@ xmlNoNetExternalEntityLoader(const char *URL, const char *ID,

-     return(input);

- }

- 

-+xmlParserInputPtr

-+xmlNoXxeExternalEntityLoader(const char *URL, const char *ID,

-+                          xmlParserCtxtPtr ctxt) {

-+    if (ctxt == NULL) {

-+        return(NULL);

-+    }

-+    if (ctxt->input_id == 1) {

-+        return xmlDefaultExternalEntityLoader((const char *) URL, ID, ctxt);

-+    }

-+    xmlIOErr(XML_IO_ILLEGAL_XXE, (const char *) URL);

-+    return(NULL);

-+}

-+

- #define bottom_xmlIO

- #include "elfgcchack.h"

-diff --git a/xmllint.c b/xmllint.c

-index 67f7adb..2252cc0 100644

-+++ b/xmllint.c

-@@ -3019,6 +3019,7 @@ static void usage(const char *name) {

-     printf("\t--path 'paths': provide a set of paths for resources\n");

-     printf("\t--load-trace : print trace of all external entities loaded\n");

-     printf("\t--nonet : refuse to fetch DTDs or entities over network\n");

-+    printf("\t--noxxe : forbid any external entity substitution\n");

-     printf("\t--nocompact : do not generate compact text nodes\n");

-     printf("\t--htmlout : output results as HTML\n");

-     printf("\t--nowrap : do not put HTML doc wrapper\n");

-@@ -3461,6 +3462,10 @@ main(int argc, char **argv) {

-                    (!strcmp(argv[i], "--nonet"))) {

- 	    options |= XML_PARSE_NONET;

- 	    xmlSetExternalEntityLoader(xmlNoNetExternalEntityLoader);

-+        } else if ((!strcmp(argv[i], "-noxxe")) ||

-+                   (!strcmp(argv[i], "--noxxe"))) {

-+	    options |= XML_PARSE_NOXXE;

-+	    xmlSetExternalEntityLoader(xmlNoXxeExternalEntityLoader);

-         } else if ((!strcmp(argv[i], "-nocompact")) ||

-                    (!strcmp(argv[i], "--nocompact"))) {

- 	    options &= ~XML_PARSE_COMPACT;

deleted file mode 100644

@@ -1,171 +0,0 @@

-From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001

-From: Nick Wellnhofer <wellnhofer@aevum.de>

-Date: Tue, 28 Jun 2016 14:22:23 +0200

-Subject: Fix XPointer paths beginning with range-to

-

-The old code would invoke the broken xmlXPtrRangeToFunction. range-to

-isn't really a function but a special kind of location step. Remove

-this function and always handle range-to in the XPath code.

-

-The old xmlXPtrRangeToFunction could also be abused to trigger a

-use-after-free error with the potential for remote code execution.

-

-Found with afl-fuzz.

-

-Fixes CVE-2016-5131.

- result/XPath/xptr/vidbase | 13 ++++++++

- test/XPath/xptr/vidbase   |  1 +

- xpath.c                   |  7 ++++-

- xpointer.c                | 76 ++++-------------------------------------------

- 4 files changed, 26 insertions(+), 71 deletions(-)

-

-diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase

-index 8b9e92d..f19193e 100644

-+++ b/result/XPath/xptr/vidbase

-@@ -17,3 +17,16 @@ Object is a Location Set:

-   To node

-     ELEMENT p

- 

-+

-+========================

-+Expression: xpointer(range-to(id('chapter2')))

-+Object is a Location Set:

-+1 :   Object is a range :

-+  From node

-+     /

-+  To node

-+    ELEMENT chapter

-+      ATTRIBUTE id

-+        TEXT

-+          content=chapter2

-+

-diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase

-index b146383..884b106 100644

-+++ b/test/XPath/xptr/vidbase

-@@ -1,2 +1,3 @@

- xpointer(id('chapter1')/p)

- xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))

-+xpointer(range-to(id('chapter2')))

-diff --git a/xpath.c b/xpath.c

-index d992841..5a01b1b 100644

-+++ b/xpath.c

-@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {

- 		    lc = 1;

- 		    break;

- 		} else if ((NXT(len) == '(')) {

--		    /* Note Type or Function */

-+		    /* Node Type or Function */

- 		    if (xmlXPathIsNodeType(name)) {

- #ifdef DEBUG_STEP

- 		        xmlGenericError(xmlGenericErrorContext,

- 				"PathExpr: Type search\n");

- #endif

- 			lc = 1;

-+#ifdef LIBXML_XPTR_ENABLED

-+                    } else if (ctxt->xptr &&

-+                               xmlStrEqual(name, BAD_CAST "range-to")) {

-+                        lc = 1;

-+#endif

- 		    } else {

- #ifdef DEBUG_STEP

- 		        xmlGenericError(xmlGenericErrorContext,

-diff --git a/xpointer.c b/xpointer.c

-index 676c510..d74174a 100644

-+++ b/xpointer.c

-@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {

-     ret->here = here;

-     ret->origin = origin;

- 

--    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",

--	                 xmlXPtrRangeToFunction);

-     xmlXPathRegisterFunc(ret, (xmlChar *)"range",

- 	                 xmlXPtrRangeFunction);

-     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",

-@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {

-  * @nargs:  the number of args

-  *

-  * Implement the range-to() XPointer function

-+ *

-+ * Obsolete. range-to is not a real function but a special type of location

-+ * step which is handled in xpath.c.

-  */

- void

--xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {

--    xmlXPathObjectPtr range;

--    const xmlChar *cur;

--    xmlXPathObjectPtr res, obj;

--    xmlXPathObjectPtr tmp;

--    xmlLocationSetPtr newset = NULL;

--    xmlNodeSetPtr oldset;

--    int i;

--

--    if (ctxt == NULL) return;

--    CHECK_ARITY(1);

--    /*

--     * Save the expression pointer since we will have to evaluate

--     * it multiple times. Initialize the new set.

--     */

--    CHECK_TYPE(XPATH_NODESET);

--    obj = valuePop(ctxt);

--    oldset = obj->nodesetval;

--    ctxt->context->node = NULL;

--

--    cur = ctxt->cur;

--    newset = xmlXPtrLocationSetCreate(NULL);

--

--    for (i = 0; i < oldset->nodeNr; i++) {

--	ctxt->cur = cur;

--

--	/*

--	 * Run the evaluation with a node list made of a single item

--	 * in the nodeset.

--	 */

--	ctxt->context->node = oldset->nodeTab[i];

--	tmp = xmlXPathNewNodeSet(ctxt->context->node);

--	valuePush(ctxt, tmp);

--

--	xmlXPathEvalExpr(ctxt);

--	CHECK_ERROR;

--

--	/*

--	 * The result of the evaluation need to be tested to

--	 * decided whether the filter succeeded or not

--	 */

--	res = valuePop(ctxt);

--	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);

--	if (range != NULL) {

--	    xmlXPtrLocationSetAdd(newset, range);

--	}

--

--	/*

--	 * Cleanup

--	 */

--	if (res != NULL)

--	    xmlXPathFreeObject(res);

--	if (ctxt->value == tmp) {

--	    res = valuePop(ctxt);

--	    xmlXPathFreeObject(res);

--	}

--

--	ctxt->context->node = NULL;

--    }

--

--    /*

--     * The result is used as the new evaluation set.

--     */

--    xmlXPathFreeObject(obj);

--    ctxt->context->node = NULL;

--    ctxt->context->contextSize = -1;

--    ctxt->context->proximityPosition = -1;

--    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));

-+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,

-+                       int nargs ATTRIBUTE_UNUSED) {

-+    XP_ERROR(XPATH_EXPR_ERROR);

- }

- 

- /**

deleted file mode 100644

@@ -1,172 +0,0 @@

-From d77e5fc4bcdb7da748c9cca116a601ae4df60d21

-To a005199330b86dada19d162cae15ef9bdcb6baa8

-Bring upstream patches to support CVE-2016-5131 fix

-as one of the tests failed with just applying the CVE fix.

-

-diff --git a/relaxng.c b/relaxng.c

-index 56a3344..3d3e69c 100644

-+++ b/relaxng.c

-@@ -2088,6 +2088,7 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1,

-                          const xmlChar * arg2)

- {

-     char msg[1000];

-+    xmlChar *result;

- 

-     if (arg1 == NULL)

-         arg1 = BAD_CAST "";

-@@ -2215,7 +2216,7 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1,

-         snprintf(msg, 1000, "Unknown error code %d\n", err);

-     }

-     msg[1000 - 1] = 0;

--    xmlChar *result = xmlCharStrdup(msg);

-+    result = xmlCharStrdup(msg);

-     return (xmlEscapeFormatString(&result));

- }

- 

-diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror

-new file mode 100644

-index 0000000..d589882

-+++ b/result/XPath/xptr/viderror

-@@ -0,0 +1,4 @@

-+

-+========================

-+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))

-+Object is empty (NULL)

-diff --git a/runtest.c b/runtest.c

-index bb74d2a..1861577 100644

-+++ b/runtest.c

-@@ -2317,10 +2317,19 @@ static FILE *xpathOutput;

- static xmlDocPtr xpathDocument;

- 

- static void

-+ignoreGenericError(void *ctx ATTRIBUTE_UNUSED,

-+        const char *msg ATTRIBUTE_UNUSED, ...) {

-+}

-+

-+static void

- testXPath(const char *str, int xptr, int expr) {

-+    xmlGenericErrorFunc handler = ignoreGenericError;

-     xmlXPathObjectPtr res;

-     xmlXPathContextPtr ctxt;

- 

-+    /* Don't print generic errors to stderr. */

-+    initGenericErrorDefaultFunc(&handler);

-+

-     nb_tests++;

- #if defined(LIBXML_XPTR_ENABLED)

-     if (xptr) {

-@@ -2349,6 +2358,9 @@ testXPath(const char *str, int xptr, int expr) {

-     xmlXPathDebugDumpObject(xpathOutput, res, 0);

-     xmlXPathFreeObject(res);

-     xmlXPathFreeContext(ctxt);

-+

-+    /* Reset generic error handler. */

-+    initGenericErrorDefaultFunc(NULL);

- }

- 

- /**

-diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror

-new file mode 100644

-index 0000000..da8c53b

-+++ b/test/XPath/xptr/viderror

-@@ -0,0 +1 @@

-+xpointer(non-existing-fn()/range-to(id('chapter2')))

-diff --git a/xmlschemas.c b/xmlschemas.c

-index e1b3a4f..d42afb7 100644

-+++ b/xmlschemas.c

-@@ -3168,8 +3168,8 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt,

- 		"valid.");

- 	}

- 	if (expected) {

--	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");

- 	    xmlChar *expectedEscaped = xmlCharStrdup(expected);

-+	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");

- 	    msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));

- 	    FREE_AND_NULL(expectedEscaped);

- 	    msg = xmlStrcat(msg, BAD_CAST "'.\n");

-@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,

-     * attributes yet.

-     */

-     if (nb_attributes != 0) {

-+	int valueLen, k, l;

- 	xmlChar *value;

- 

-         for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {

-@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,

- 	    * libxml2 differs from normal SAX here in that it escapes all ampersands

- 	    * as & instead of delivering the raw converted string. Changing the

- 	    * behavior at this point would break applications that use this API, so

--	    * we are forced to work around it. There is no danger of accidentally

--	    * decoding some entity other than & in this step because without

--	    * unescaped ampersands there can be no other entities in the string.

-+	    * we are forced to work around it.

- 	    */

--	    value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3],

--		attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);

-+	    valueLen = attributes[j+4] - attributes[j+3];

-+	    value = xmlMallocAtomic(valueLen + 1);

-+	    if (value == NULL) {

-+		xmlSchemaVErrMemory(vctxt,

-+		    "allocating string for decoded attribute",

-+		    NULL);

-+		goto internal_error;

-+	    }

-+	    for (k = 0, l = 0; k < valueLen; l++) {

-+		if (k < valueLen - 4 &&

-+		    attributes[j+3][k+0] == '&' &&

-+		    attributes[j+3][k+1] == '#' &&

-+		    attributes[j+3][k+2] == '3' &&

-+		    attributes[j+3][k+3] == '8' &&

-+		    attributes[j+3][k+4] == ';') {

-+		    value[l] = '&';

-+		    k += 5;

-+		} else {

-+		    value[l] = attributes[j+3][k];

-+		    k++;

-+		}

-+	    }

-+	    value[l] = '\0';

- 	    /*

- 	    * TODO: Set the node line.

- 	    */

-diff --git a/xpath.c b/xpath.c

-index 113bce6..d992841 100644

-+++ b/xpath.c

-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {

-      * compute depth to root

-      */

-     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {

--	if (cur == node1)

-+	if (cur->parent == node1)

- 	    return(1);

- 	depth2++;

-     }

-     root = cur;

-     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {

--	if (cur == node2)

-+	if (cur->parent == node2)

- 	    return(-1);

- 	depth1++;

-     }

-@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)

-                 xmlNodeSetPtr oldset;

-                 int i, j;

- 

--                if (op->ch1 != -1)

-+                if (op->ch1 != -1) {

-                     total +=

-                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);

-+                    CHECK_ERROR0;

-+                }

-+                if (ctxt->value == NULL) {

-+                    XP_ERROR0(XPATH_INVALID_OPERAND);

-+                }

-                 if (op->ch2 == -1)

-                     return (total);

- 

deleted file mode 100644

@@ -1,116 +0,0 @@

-From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001

-From: Nick Wellnhofer <wellnhofer@aevum.de>

-Date: Sat, 3 Jun 2017 02:01:29 +0200

-Subject: Fix buffer size checks in xmlSnprintfElementContent

-MIME-Version: 1.0

-Content-Type: text/plain; charset=UTF-8

-Content-Transfer-Encoding: 8bit

-

-xmlSnprintfElementContent failed to correctly check the available

-buffer space in two locations.

-

-Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).

-

-Thanks to Marcel Böhme and Thuan Pham for the report.

- result/valid/781333.xml         |  5 +++++

- result/valid/781333.xml.err     |  3 +++

- result/valid/781333.xml.err.rdr |  6 ++++++

- test/valid/781333.xml           |  4 ++++

- valid.c                         | 20 +++++++++++---------

- 5 files changed, 29 insertions(+), 9 deletions(-)

- create mode 100644 result/valid/781333.xml

- create mode 100644 result/valid/781333.xml.err

- create mode 100644 result/valid/781333.xml.err.rdr

- create mode 100644 test/valid/781333.xml

-

-diff --git a/result/valid/781333.xml b/result/valid/781333.xml

-new file mode 100644

-index 0000000..45dc451

-+++ b/result/valid/781333.xml

-@@ -0,0 +1,5 @@

-+<?xml version="1.0"?>

-+<!DOCTYPE a [

-+<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>

-+]>

-+<a/>

-diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err

-new file mode 100644

-index 0000000..b401b49

-+++ b/result/valid/781333.xml.err

-@@ -0,0 +1,3 @@

-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 

-+<a/>

-+    ^

-diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr

-new file mode 100644

-index 0000000..5ff5699

-+++ b/result/valid/781333.xml.err.rdr

-@@ -0,0 +1,6 @@

-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 

-+<a/>

-+    ^

-+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child

-+

-+^

-diff --git a/test/valid/781333.xml b/test/valid/781333.xml

-new file mode 100644

-index 0000000..b29e5a6

-+++ b/test/valid/781333.xml

-@@ -0,0 +1,4 @@

-+<!DOCTYPE a [

-+    <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>

-+]>

-+<a/>

-diff --git a/valid.c b/valid.c

-index 19f84b8..9b2df56 100644

-+++ b/valid.c

-@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int

-         case XML_ELEMENT_CONTENT_PCDATA:

-             strcat(buf, "#PCDATA");

- 	    break;

--	case XML_ELEMENT_CONTENT_ELEMENT:

-+	case XML_ELEMENT_CONTENT_ELEMENT: {

-+            int qnameLen = xmlStrlen(content->name);

-+

-+	    if (content->prefix != NULL)

-+                qnameLen += xmlStrlen(content->prefix) + 1;

-+	    if (size - len < qnameLen + 10) {

-+		strcat(buf, " ...");

-+		return;

-+	    }

- 	    if (content->prefix != NULL) {

--		if (size - len < xmlStrlen(content->prefix) + 10) {

--		    strcat(buf, " ...");

--		    return;

--		}

- 		strcat(buf, (char *) content->prefix);

- 		strcat(buf, ":");

- 	    }

--	    if (size - len < xmlStrlen(content->name) + 10) {

--		strcat(buf, " ...");

--		return;

--	    }

- 	    if (content->name != NULL)

- 		strcat(buf, (char *) content->name);

- 	    break;

-+        }

- 	case XML_ELEMENT_CONTENT_SEQ:

- 	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||

- 	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))

-@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int

- 		xmlSnprintfElementContent(buf, size, content->c2, 0);

- 	    break;

-     }

-+    if (size - strlen(buf) <= 2) return;

-     if (englob)

-         strcat(buf, ")");

-     switch (content->ocur) {

-cgit v0.12

-

deleted file mode 100644

@@ -1,10 +0,0 @@

-+++ b/result/errors10/781205.xml.err	2017-08-08 01:17:16.715694488 +0000

-@@ -16,6 +16,6 @@

-     ^

- <:0000

-       ^

--./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1

-+./test/errors10/781205.xml:4: parser error : Start tag doesn't start and stop in the same entity

- 

- ^

deleted file mode 100644

@@ -1,316 +0,0 @@

-From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001

-From: Nick Wellnhofer <wellnhofer@aevum.de>

-Date: Mon, 5 Jun 2017 15:37:17 +0200

-Subject: Fix handling of parameter-entity references

-MIME-Version: 1.0

-Content-Type: text/plain; charset=UTF-8

-Content-Transfer-Encoding: 8bit

-

-There were two bugs where parameter-entity references could lead to an

-unexpected change of the input buffer in xmlParseNameComplex and

-xmlDictLookup being called with an invalid pointer.

-

-Percent sign in DTD Names

-=========================

-

-The NEXTL macro used to call xmlParserHandlePEReference. When parsing

-"complex" names inside the DTD, this could result in entity expansion

-which created a new input buffer. The fix is to simply remove the call

-to xmlParserHandlePEReference from the NEXTL macro. This is safe because

-no users of the macro require expansion of parameter entities.

-

-- xmlParseNameComplex

-- xmlParseNCNameComplex

-- xmlParseNmtoken

-

-The percent sign is not allowed in names, which are grammatical tokens.

-

-- xmlParseEntityValue

-

-Parameter-entity references in entity values are expanded but this

-happens in a separate step in this function.

-

-- xmlParseSystemLiteral

-

-Parameter-entity references are ignored in the system literal.

-

-- xmlParseAttValueComplex

-- xmlParseCharDataComplex

-- xmlParseCommentComplex

-- xmlParsePI

-- xmlParseCDSect

-

-Parameter-entity references are ignored outside the DTD.

-

-- xmlLoadEntityContent

-

-This function is only called from xmlStringLenDecodeEntities and

-entities are replaced in a separate step immediately after the function

-call.

-

-This bug could also be triggered with an internal subset and double

-entity expansion.

-

-This fixes bug 766956 initially reported by Wei Lei and independently by

-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone

-involved.

-

-xmlParseNameComplex with XML_PARSE_OLD10

-========================================

-

-When parsing Names inside an expanded parameter entity with the

-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the

-GROW macro if the input buffer was exhausted. At the end of the

-parameter entity's replacement text, this function would then call

-xmlPopInput which invalidated the input buffer.

-

-There should be no need to invoke GROW in this situation because the

-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,

-at least for UTF-8, in xmlCurrentChar. This also matches the code path

-executed when XML_PARSE_OLD10 is not set.

-

-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).

-Thanks to Marcel Böhme and Thuan Pham for the report.

-

-Additional hardening

-====================

-

-A separate check was added in xmlParseNameComplex to validate the

-buffer size.

- Makefile.am                     | 18 ++++++++++++++++++

- parser.c                        | 18 ++++++++++--------

- result/errors10/781205.xml      |  0

- result/errors10/781205.xml.err  | 21 +++++++++++++++++++++

- result/errors10/781361.xml      |  0

- result/errors10/781361.xml.err  | 13 +++++++++++++

- result/valid/766956.xml         |  0

- result/valid/766956.xml.err     |  9 +++++++++

- result/valid/766956.xml.err.rdr | 10 ++++++++++

- runtest.c                       |  3 +++

- test/errors10/781205.xml        |  3 +++

- test/errors10/781361.xml        |  3 +++

- test/valid/766956.xml           |  2 ++

- test/valid/dtds/766956.dtd      |  2 ++

- 14 files changed, 94 insertions(+), 8 deletions(-)

- create mode 100644 result/errors10/781205.xml

- create mode 100644 result/errors10/781205.xml.err

- create mode 100644 result/errors10/781361.xml

- create mode 100644 result/errors10/781361.xml.err

- create mode 100644 result/valid/766956.xml

- create mode 100644 result/valid/766956.xml.err

- create mode 100644 result/valid/766956.xml.err.rdr

- create mode 100644 test/errors10/781205.xml

- create mode 100644 test/errors10/781361.xml

- create mode 100644 test/valid/766956.xml

- create mode 100644 test/valid/dtds/766956.dtd

-

-diff --git a/Makefile.am b/Makefile.am

-index 6fc8ffa..10e716a 100644

-+++ b/Makefile.am

-@@ -422,6 +422,24 @@

- 	      if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \

- 	      rm result.$$name error.$$name ; \

- 	  fi ; fi ; done)

-+	@echo "## Error cases regression tests (old 1.0)"

-+	-@(for i in $(srcdir)/test/errors10/*.xml ; do \

-+	  name=`basename $$i`; \

-+	  if [ ! -d $$i ] ; then \

-+	  if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \

-+	      echo New test file $$name ; \

-+	      $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \

-+	         2> $(srcdir)/result/errors10/$$name.err \

-+		 > $(srcdir)/result/errors10/$$name ; \

-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \

-+	  else \

-+	      log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \

-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \

-+	      diff $(srcdir)/result/errors10/$$name result.$$name ; \

-+	      diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \

-+	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \

-+	      rm result.$$name error.$$name ; \

-+	  fi ; fi ; done)

- 	@echo "## Error cases stream regression tests"

- 	-@(for i in $(srcdir)/test/errors/*.xml ; do \

- 	  name=`basename $$i`; \

-diff --git a/parser.c b/parser.c

-index df2efa5..a175ac4 100644

-+++ b/parser.c

-@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {

- 	ctxt->input->line++; ctxt->input->col = 1;			\

-     } else ctxt->input->col++;						\

-     ctxt->input->cur += l;				\

--    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\

-   } while (0)

- 

- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)

-@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {

- 	    len += l;

- 	    NEXTL(l);

- 	    c = CUR_CHAR(l);

--	    if (c == 0) {

--		count = 0;

--		GROW;

--                if (ctxt->instate == XML_PARSER_EOF)

--                    return(NULL);

--		c = CUR_CHAR(l);

--	    }

- 	}

-     }

-     if ((len > XML_MAX_NAME_LENGTH) &&

-@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {

-         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");

-         return(NULL);

-     }

-+    if (ctxt->input->cur - ctxt->input->base < len) {

-+        /*

-+         * There were a couple of bugs where PERefs lead to to a change

-+         * of the buffer. Check the buffer size to avoid passing an invalid

-+         * pointer to xmlDictLookup.

-+         */

-+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,

-+                    "unexpected change of input buffer");

-+        return (NULL);

-+    }

-     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))

-         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));

-     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));

-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml

-new file mode 100644

-index 0000000..e69de29

-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err

-new file mode 100644

-index 0000000..da15c3f

-+++ b/result/errors10/781205.xml.err

-@@ -0,0 +1,21 @@

-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration

-+

-+ %a; 

-+    ^

-+Entity: line 1: 

-+<:0000

-+^

-+Entity: line 1: parser error : DOCTYPE improperly terminated

-+ %a; 

-+    ^

-+Entity: line 1: 

-+<:0000

-+^

-+namespace error : Failed to parse QName ':0000'

-+ %a; 

-+    ^

-+<:0000

-+      ^

-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1

-+

-+^

-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml

-new file mode 100644

-index 0000000..e69de29

-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err

-new file mode 100644

-index 0000000..655f41a

-+++ b/result/errors10/781361.xml.err

-@@ -0,0 +1,13 @@

-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected

-+

-+^

-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration

-+

-+

-+^

-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated

-+

-+^

-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found

-+

-+^