libxml2: upgrade to release 2.9.5

* drop ubsan.patch.0: presumably fixed upstream
* drop 0001-* CVE fixes: fixed upstream

Change-Id: I3e2a53b5ef82ef8edd85e812fd5dee67ab60db94
Reviewed-on: https://gerrit.libreoffice.org/41951Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Michael Stahl <mstahl@redhat.com>

download.lst

@@ -143,8 +143,8 @@ export LIBTOMMATH_SHA256SUM := 083daa92d8ee6f4af96a6143b12d7fc8fe1a547e14f862304
 export LIBTOMMATH_TARBALL := ltm-1.0.zip
 export LIBXMLSEC_SHA256SUM := 99a8643f118bb1261a72162f83e2deba0f4f690893b4b90e1be4f708e8d481cc
 export LIBXMLSEC_TARBALL := xmlsec1-1.2.24.tar.gz
-export LIBXML_SHA256SUM := ffb911191e509b966deb55de705387f14156e1a56b21824357cdf0053233633c
-export LIBXML_TARBALL := ae249165c173b1ff386ee8ad676815f5-libxml2-2.9.4.tar.gz
+export LIBXML_SHA256SUM := 4031c1ecee9ce7ba4f313e91ef6284164885cdb69937a123f6a83bb6a72dcd38
+export LIBXML_TARBALL := libxml2-2.9.5.tar.gz
 export LIBXSLT_SHA256SUM := ba65236116de8326d83378b2bd929879fa185195bc530b9d1aba72107910b6b3
 export LIBXSLT_TARBALL := libxslt-1.1.30.tar.gz
 export LPSOLVE_SHA256SUM := 171816288f14215c69e730f7a4f1c325739873e21f946ff83884b350574e6695

external/libxml2/0001-Fix-handling-of-parameter-entity-references.patch.1

-From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 5 Jun 2017 15:37:17 +0200
-Subject: [PATCH] Fix handling of parameter-entity references
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-The NEXTL macro used to call xmlParserHandlePEReference. When parsing
-"complex" names inside the DTD, this could result in entity expansion
-which created a new input buffer. The fix is to simply remove the call
-to xmlParserHandlePEReference from the NEXTL macro. This is safe because
-no users of the macro require expansion of parameter entities.
-
-- xmlParseNameComplex
-- xmlParseNCNameComplex
-- xmlParseNmtoken
-
-The percent sign is not allowed in names, which are grammatical tokens.
-
-- xmlParseEntityValue
-
-Parameter-entity references in entity values are expanded but this
-happens in a separate step in this function.
-
-- xmlParseSystemLiteral
-
-Parameter-entity references are ignored in the system literal.
-
-- xmlParseAttValueComplex
-- xmlParseCharDataComplex
-- xmlParseCommentComplex
-- xmlParsePI
-- xmlParseCDSect
-
-Parameter-entity references are ignored outside the DTD.
-
-- xmlLoadEntityContent
-
-This function is only called from xmlStringLenDecodeEntities and
-entities are replaced in a separate step immediately after the function
-call.
-
-This bug could also be triggered with an internal subset and double
-entity expansion.
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-When parsing Names inside an expanded parameter entity with the
-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
-GROW macro if the input buffer was exhausted. At the end of the
-parameter entity's replacement text, this function would then call
-xmlPopInput which invalidated the input buffer.
-
-There should be no need to invoke GROW in this situation because the
-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
-at least for UTF-8, in xmlCurrentChar. This also matches the code path
-executed when XML_PARSE_OLD10 is not set.
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
----
- Makefile.am                     | 18 ++++++++++++++++++
- parser.c                        | 18 ++++++++++--------
- result/errors10/781205.xml      |  0
- result/errors10/781205.xml.err  | 21 +++++++++++++++++++++
- result/errors10/781361.xml      |  0
- result/errors10/781361.xml.err  | 13 +++++++++++++
- result/valid/766956.xml         |  0
- result/valid/766956.xml.err     |  9 +++++++++
- result/valid/766956.xml.err.rdr | 10 ++++++++++
- runtest.c                       |  3 +++
- test/errors10/781205.xml        |  3 +++
- test/errors10/781361.xml        |  3 +++
- test/valid/766956.xml           |  2 ++
- test/valid/dtds/766956.dtd      |  2 ++
- 14 files changed, 94 insertions(+), 8 deletions(-)
- create mode 100644 result/errors10/781205.xml
- create mode 100644 result/errors10/781205.xml.err
- create mode 100644 result/errors10/781361.xml
- create mode 100644 result/errors10/781361.xml.err
- create mode 100644 result/valid/766956.xml
- create mode 100644 result/valid/766956.xml.err
- create mode 100644 result/valid/766956.xml.err.rdr
- create mode 100644 test/errors10/781205.xml
- create mode 100644 test/errors10/781361.xml
- create mode 100644 test/valid/766956.xml
- create mode 100644 test/valid/dtds/766956.dtd
-
-diff --git a/parser.c b/parser.c
-index df2efa55..a175ac4e 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- 	ctxt->input->line++; ctxt->input->col = 1;			\
-     } else ctxt->input->col++;						\
-     ctxt->input->cur += l;				\
--    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\
-   } while (0)
- 
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- 	    len += l;
- 	    NEXTL(l);
- 	    c = CUR_CHAR(l);
--	    if (c == 0) {
--		count = 0;
--		GROW;
--                if (ctxt->instate == XML_PARSER_EOF)
--                    return(NULL);
--		c = CUR_CHAR(l);
--	    }
- 	}
-     }
-     if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
-         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
-         return(NULL);
-     }
-+    if (ctxt->input->cur - ctxt->input->base < len) {
-+        /*
-+         * There were a couple of bugs where PERefs lead to to a change
-+         * of the buffer. Check the buffer size to avoid passing an invalid
-+         * pointer to xmlDictLookup.
-+         */
-+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+                    "unexpected change of input buffer");
-+        return (NULL);
-+    }
-     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
-         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
-     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
-new file mode 100644
-index 00000000..da15c3f7
---- /dev/null
-+++ b/result/errors10/781205.xml.err
-@@ -0,0 +1,21 @@
-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+Entity: line 1: parser error : DOCTYPE improperly terminated
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+namespace error : Failed to parse QName ':0000'
-+ %a; 
-+    ^
-+<:0000
-+      ^
-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
-+
-+^
-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
-new file mode 100644
-index 00000000..655f41a2
---- /dev/null
-+++ b/result/errors10/781361.xml.err
-@@ -0,0 +1,13 @@
-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
-+
-+^
-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+
-+^
-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
-+
-+^
-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
-+
-+^
-diff --git a/result/valid/766956.xml b/result/valid/766956.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
-new file mode 100644
-index 00000000..34b1dae6
---- /dev/null
-+++ b/result/valid/766956.xml.err
-@@ -0,0 +1,9 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
-new file mode 100644
-index 00000000..77603462
---- /dev/null
-+++ b/result/valid/766956.xml.err.rdr
-@@ -0,0 +1,10 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-+./test/valid/766956.xml : failed to parse
-diff --git a/runtest.c b/runtest.c
-index b2ce693b..378b38e3 100644
---- a/runtest.c
-+++ b/runtest.c
-@@ -4214,6 +4214,9 @@ testDesc testDescriptions[] = {
-     { "Error cases regression tests",
-       errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
-       0 },
-+    { "Error cases regression tests (old 1.0)",
-+      errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
-+      XML_PARSE_OLD10 },
- #ifdef LIBXML_READER_ENABLED
-     { "Error cases stream regression tests",
-       streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
-diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
-new file mode 100644
-index 00000000..d9e9e839
---- /dev/null
-+++ b/test/errors10/781205.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE D [
-+  <!ENTITY % a "<:0000">
-+  %a;
-diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
-new file mode 100644
-index 00000000..67476bcb
---- /dev/null
-+++ b/test/errors10/781361.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE doc [
-+  <!ENTITY % elem "<!ELEMENT e0000000000">
-+  %elem;
-diff --git a/test/valid/766956.xml b/test/valid/766956.xml
-new file mode 100644
-index 00000000..19a95a0e
---- /dev/null
-+++ b/test/valid/766956.xml
-@@ -0,0 +1,2 @@
-+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
-+<test/>
-diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
-new file mode 100644
-index 00000000..dddde68b
---- /dev/null
-+++ b/test/valid/dtds/766956.dtd
-@@ -0,0 +1,2 @@
-+<!ENTITY % ent "value">
-+%ä%ent;
--- 
-2.13.5
-

external/libxml2/0001-Fix-type-confusion-in-xmlValidateOneNamespace.patch.1

-From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 6 Jun 2017 12:56:28 +0200
-Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
-namespace declarations make no practical sense anyway.
-
-Fixes bug 780228.
-
-Found with libFuzzer and ASan.
----
- valid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 8075d3a0..c51ea290 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- 	}
-     }
- 
-+    /*
-+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+     * no practical sense to use ID types anyway.
-+     */
-+#if 0
-     /* Validity Constraint: ID uniqueness */
-     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
-         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
-         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
- 	    ret = 0;
-     }
-+#endif
- 
-     /* Validity Constraint: Notation Attributes */
-     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
--- 
-2.13.5
-

external/libxml2/0001-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch.1

-From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Fri, 7 Apr 2017 17:13:28 +0200
-Subject: [PATCH] Increase buffer space for port in HTTP redirect support
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780690
-
-nanohttp.c: the code wrongly assumed a short int port value.
----
- nanohttp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/nanohttp.c b/nanohttp.c
-index e109ad75..373425de 100644
---- a/nanohttp.c
-+++ b/nanohttp.c
-@@ -1423,9 +1423,9 @@ retry:
-     if (ctxt->port != 80) {
- 	/* reserve space for ':xxxxx', incl. potential proxy */
- 	if (proxy)
--	    blen += 12;
-+	    blen += 17;
- 	else
--	    blen += 6;
-+	    blen += 11;
-     }
-     bp = (char*)xmlMallocAtomic(blen);
-     if ( bp == NULL ) {
--- 
-2.13.5
-

external/libxml2/0001-Prevent-unwanted-external-entity-reference.patch.1

-From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
-From: Neel Mehta <nmehta@google.com>
-Date: Fri, 7 Apr 2017 17:43:02 +0200
-Subject: [PATCH] Prevent unwanted external entity reference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780691
-
-* parser.c: add a specific check to avoid PE reference
----
- parser.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 609a2703..c2c812de 100644
---- a/parser.c
-+++ b/parser.c
-@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- 	    if (xmlPushInput(ctxt, input) < 0)
- 		return;
- 	} else {
-+	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
-+		(ctxt->replaceEntities == 0) &&
-+		(ctxt->validate == 0))
-+		return;
-+
- 	    /*
- 	     * TODO !!!
- 	     * handle the extra spaces added before and after
--- 
-2.13.5
-

external/libxml2/ExternalPackage_xml2.mk

@@ -21,7 +21,7 @@ else # COM=MSC
 $(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.dll,win32/bin.msvc/libxml2.dll))
 endif
 else # OS!=WNT
-$(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.4))
+$(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.5))
 endif
 endif # DISABLE_DYNLOADING
 

external/libxml2/UnpackedTarball_xml2.mk

@@ -17,13 +17,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,xml2,\
 	external/libxml2/libxml2-vc10.patch \
 	$(if $(filter ANDROID,$(OS)),external/libxml2/libxml2-android.patch) \
 	external/libxml2/libxml2-icu.patch.0 \
-	external/libxml2/ubsan.patch.0 \
 	external/libxml2/libxml2-iOS.patch.0 \
-	external/libxml2/0001-Fix-type-confusion-in-xmlValidateOneNamespace.patch.1 \
-	external/libxml2/0001-Prevent-unwanted-external-entity-reference.patch.1 \
-	external/libxml2/0001-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch.1 \
-	external/libxml2/0001-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch.1 \
-	external/libxml2/0001-Fix-handling-of-parameter-entity-references.patch.1 \
 ))
 
 # vim: set noet sw=4 ts=4:

external/libxml2/libxml2-android.patch

@@ -13,7 +13,7 @@
 --- misc/libxml2-2.7.6/Makefile.in
 +++ misc/build/libxml2-2.7.6/Makefile.in
 @@ -1635,7 +1635,7 @@
- check-am: all-am
+ 	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
  check: $(BUILT_SOURCES)
  	$(MAKE) $(AM_MAKEFLAGS) check-recursive
 -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(MANS) $(DATA) \

external/libxml2/ubsan.patch.0

---- parser.c
-+++ parser.c
-@@ -1052,7 +1052,7 @@
- struct _xmlDefAttrs {
-     int nbAttrs;	/* number of defaulted attributes on that element */
-     int maxAttrs;       /* the size of the array */
--    const xmlChar *values[5]; /* array of localname/prefix/values/external */
-+    const xmlChar *values[1][5]; /* array of localname/prefix/values/external */
- };
- 
- /**
-@@ -1244,17 +1244,17 @@
- 	prefix = xmlDictLookup(ctxt->dict, fullattr, len);
-     }
- 
--    defaults->values[5 * defaults->nbAttrs] = name;
--    defaults->values[5 * defaults->nbAttrs + 1] = prefix;
-+    defaults->values[defaults->nbAttrs][0] = name;
-+    defaults->values[defaults->nbAttrs][1] = prefix;
-     /* intern the string and precompute the end */
-     len = xmlStrlen(value);
-     value = xmlDictLookup(ctxt->dict, value, len);
--    defaults->values[5 * defaults->nbAttrs + 2] = value;
--    defaults->values[5 * defaults->nbAttrs + 3] = value + len;
-+    defaults->values[defaults->nbAttrs][2] = value;
-+    defaults->values[defaults->nbAttrs][3] = value + len;
-     if (ctxt->external)
--        defaults->values[5 * defaults->nbAttrs + 4] = BAD_CAST "external";
-+        defaults->values[defaults->nbAttrs][4] = BAD_CAST "external";
-     else
--        defaults->values[5 * defaults->nbAttrs + 4] = NULL;
-+        defaults->values[defaults->nbAttrs][4] = NULL;
-     defaults->nbAttrs++;
- 
-     return;
-@@ -9474,8 +9474,8 @@
- 	defaults = xmlHashLookup2(ctxt->attsDefault, localname, prefix);
- 	if (defaults != NULL) {
- 	    for (i = 0;i < defaults->nbAttrs;i++) {
--	        attname = defaults->values[5 * i];
--		aprefix = defaults->values[5 * i + 1];
-+	        attname = defaults->values[i][0];
-+		aprefix = defaults->values[i][1];
- 
-                 /*
- 		 * special work for namespaces defaulted defs
-@@ -9490,9 +9490,9 @@
- 	            if (j <= nbNs) continue;
- 
- 		    nsname = xmlGetNamespace(ctxt, NULL);
--		    if (nsname != defaults->values[5 * i + 2]) {
-+		    if (nsname != defaults->values[i][2]) {
- 			if (nsPush(ctxt, NULL,
--			           defaults->values[5 * i + 2]) > 0)
-+			           defaults->values[i][2]) > 0)
- 			    nbNs++;
- 		    }
- 		} else if (aprefix == ctxt->str_xmlns) {
-@@ -9505,9 +9505,9 @@
- 	            if (j <= nbNs) continue;
- 
- 		    nsname = xmlGetNamespace(ctxt, attname);
--		    if (nsname != defaults->values[2]) {
-+		    if (nsname != defaults->values[0][2]) {
- 			if (nsPush(ctxt, attname,
--			           defaults->values[5 * i + 2]) > 0)
-+			           defaults->values[i][2]) > 0)
- 			    nbNs++;
- 		    }
- 		} else {
-@@ -9533,10 +9533,10 @@
- 			atts[nbatts++] = NULL;
- 		    else
- 		        atts[nbatts++] = xmlGetNamespace(ctxt, aprefix);
--		    atts[nbatts++] = defaults->values[5 * i + 2];
--		    atts[nbatts++] = defaults->values[5 * i + 3];
-+		    atts[nbatts++] = defaults->values[i][2];
-+		    atts[nbatts++] = defaults->values[i][3];
- 		    if ((ctxt->standalone == 1) &&
--		        (defaults->values[5 * i + 4] != NULL)) {
-+		        (defaults->values[i][4] != NULL)) {
- 			xmlValidityError(ctxt, XML_DTD_STANDALONE_DEFAULTED,
- 	  "standalone: attribute %s on %s defaulted from external subset\n",
- 	                                 attname, localname);