diff -Nru libxml2-2.9.1+dfsg1/debian/changelog libxml2-2.9.1+dfsg1/debian/changelog
--- libxml2-2.9.1+dfsg1/debian/changelog 2016-01-14 18:13:10.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/changelog 2016-06-03 16:33:08.000000000 +0000
@@ -1,3 +1,72 @@
+libxml2 (2.9.1+dfsg1-3ubuntu4.8) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: heap-based buffer overread in xmlNextChar
+ - debian/patches/CVE-2016-1762.patch: return after error in parser.c.
+ - CVE-2016-1762
+ * SECURITY UPDATE: heap-based buffer overread in htmlCurrentChar
+ - debian/patches/CVE-2016-1833-pre.patch: clear up NULL deref in
+ parserInternals.c.
+ - debian/patches/CVE-2016-1833-pre2.patch: handle 0-length entities in
+ parserInternals.c.
+ - debian/patches/CVE-2016-1833.patch: fix tests in parserInternals.c.
+ - CVE-2016-1833
+ * SECURITY UPDATE: heap-buffer-overflow in xmlStrncat
+ - debian/patches/CVE-2016-1834.patch: check for negative lengths in
+ xmlstring.c.
+ - CVE-2016-1834
+ * SECURITY UPDATE: heap use-after-free in xmlSAX2AttributeNs
+ - debian/patches/CVE-2016-1835.patch: add check to parser.c, add tests
+ to result/errors/759020.xml.err, result/errors/759020.xml.str,
+ test/errors/759020.xml.
+ - CVE-2016-1835
+ * SECURITY UPDATE: heap use-after-free in xmlDictComputeFastKey
+ - debian/patches/CVE-2016-1836.patch: prevent stale pointer usage in
+ parser.c, added tests to result/errors/759398.xml.err,
+ result/errors/759398.xml.str, test/errors/759398.xml.
+ - CVE-2016-1836
+ * SECURITY UPDATE: heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+ - debian/patches/CVE-2016-1837.patch: prevent stable pointer usage in
+ HTMLparser.c.
+ - CVE-2016-1837
+ * SECURITY UPDATE: heap-based buffer overread in
+ xmlParserPrintFileContextInternal
+ - debian/patches/CVE-2016-1838.patch: add bounds check to parser.c,
+ add tests to result/errors/758588.xml.err,
+ result/errors/758588.xml.str, test/errors/758588.xml.
+ - CVE-2016-1838
+ * SECURITY UPDATE: heap-based buffer overread in xmlDictAddString
+ - debian/patches/CVE-2016-1839.patch: add bounds check to HTMLparser.c.
+ - CVE-2015-8806
+ - CVE-2016-1839
+ - CVE-2016-2073
+ * SECURITY UPDATE: heap-buffer-overflow in xmlFAParsePosCharGroup
+ - debian/patches/CVE-2016-1840.patch: properly handle error in
+ xmlregexp.c.
+ - CVE-2016-1840
+ * SECURITY UPDATE: avoid building recursive entities
+ - debian/patches/CVE-2016-3627.patch: properly handle recursion in
+ parser.c, tree.c.
+ - CVE-2016-3627
+ * SECURITY UPDATE: recursion depth counter issue
+ - debian/patches/CVE-2016-3705.patch: properly could recursion depth in
+ parser.c.
+ - CVE-2016-3705
+ * SECURITY UPDATE: heap-based buffer-underreads due to xmlParseName
+ - debian/patches/CVE-2016-4447.patch: improve error handling in
+ parser.c.
+ - CVE-2016-4447
+ * SECURITY UPDATE: inappropriate fetch of entities content
+ - debian/patches/CVE-2016-4449.patch: fix another external entity fetch
+ in parser.c.
+ - CVE-2016-4449
+ * SECURITY UPDATE: out of bound access when serializing malformed strings
+ - debian/patches/CVE-2016-4483.patch: improve string handling in
+ xmlsave.c.
+ - CVE-2016-4483
+
+ -- Marc Deslauriers Fri, 03 Jun 2016 08:59:55 -0400
+
libxml2 (2.9.1+dfsg1-3ubuntu4.7) trusty-security; urgency=medium
* SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1762.patch 2016-06-03 12:56:25.000000000 +0000
@@ -0,0 +1,30 @@
+From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Tue, 9 Feb 2016 12:55:29 +0100
+Subject: Heap-based buffer overread in xmlNextChar
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759671
+
+when the end of the internal subset isn't properly detected
+xmlParseInternalSubset should just return instead of trying
+to process input further.
+---
+ parser.c | 1 +
+ result/errors/754946.xml.err | 10 +++++-----
+ result/errors/content1.xml.err | 2 +-
+ result/valid/t8.xml.err | 2 +-
+ result/valid/t8a.xml.err | 2 +-
+ 5 files changed, 9 insertions(+), 8 deletions(-)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:56:22.395000156 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:56:22.395000156 -0400
+@@ -8449,6 +8449,7 @@
+ */
+ if (RAW != '>') {
+ xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
++ return;
+ }
+ NEXT;
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833.patch 2016-06-03 12:56:29.000000000 +0000
@@ -0,0 +1,247 @@
+From 0bcd05c5cd83dec3406c8f68b769b1d610c72f76 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Tue, 1 Mar 2016 15:18:04 -0800
+Subject: Heap-based buffer overread in htmlCurrentChar
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=758606
+
+* parserInternals.c:
+(xmlNextChar): Add an test to catch other issues on ctxt->input
+corruption proactively.
+For non-UTF-8 charsets, xmlNextChar() failed to check for the end
+of the input buffer and would continuing reading. Fix this by
+pulling out the check for the end of the input buffer into common
+code, and return if we reach the end of the input buffer
+prematurely.
+* result/HTML/758606.html: Added.
+* result/HTML/758606.html.err: Added.
+* result/HTML/758606.html.sax: Added.
+* result/HTML/758606_2.html: Added.
+* result/HTML/758606_2.html.err: Added.
+* result/HTML/758606_2.html.sax: Added.
+* test/HTML/758606.html: Added test case.
+* test/HTML/758606_2.html: Added test case.
+---
+ parserInternals.c | 172 ++++++++++++++++++++++--------------------
+ result/HTML/758606.html | 2 +
+ result/HTML/758606.html.err | 16 ++++
+ result/HTML/758606.html.sax | 10 +++
+ result/HTML/758606_2.html | 2 +
+ result/HTML/758606_2.html.err | 16 ++++
+ result/HTML/758606_2.html.sax | 17 +++++
+ test/HTML/758606.html | 1 +
+ test/HTML/758606_2.html | 1 +
+ 9 files changed, 154 insertions(+), 83 deletions(-)
+ create mode 100644 result/HTML/758606.html
+ create mode 100644 result/HTML/758606.html.err
+ create mode 100644 result/HTML/758606.html.sax
+ create mode 100644 result/HTML/758606_2.html
+ create mode 100644 result/HTML/758606_2.html.err
+ create mode 100644 result/HTML/758606_2.html.sax
+ create mode 100644 test/HTML/758606.html
+ create mode 100644 test/HTML/758606_2.html
+
+diff --git a/parserInternals.c b/parserInternals.c
+index 8c79678..bfc778a 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -55,6 +55,10 @@
+ #include
+ #include
+
++#define CUR(ctxt) ctxt->input->cur
++#define END(ctxt) ctxt->input->end
++#define VALID_CTXT(ctxt) (CUR(ctxt) <= END(ctxt))
++
+ #include "buf.h"
+ #include "enc.h"
+
+@@ -422,103 +426,105 @@ xmlNextChar(xmlParserCtxtPtr ctxt)
+ (ctxt->input == NULL))
+ return;
+
+- if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
+- if ((*ctxt->input->cur == 0) &&
+- (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0) &&
+- (ctxt->instate != XML_PARSER_COMMENT)) {
+- /*
+- * If we are at the end of the current entity and
+- * the context allows it, we pop consumed entities
+- * automatically.
+- * the auto closing should be blocked in other cases
+- */
++ if (!(VALID_CTXT(ctxt))) {
++ xmlErrInternal(ctxt, "Parser input data memory error\n", NULL);
++ ctxt->errNo = XML_ERR_INTERNAL_ERROR;
++ xmlStopParser(ctxt);
++ return;
++ }
++
++ if ((*ctxt->input->cur == 0) &&
++ (xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) {
++ if ((ctxt->instate != XML_PARSER_COMMENT))
+ xmlPopInput(ctxt);
+- } else {
+- const unsigned char *cur;
+- unsigned char c;
++ return;
++ }
+
+- /*
+- * 2.11 End-of-Line Handling
+- * the literal two-character sequence "#xD#xA" or a standalone
+- * literal #xD, an XML processor must pass to the application
+- * the single character #xA.
+- */
+- if (*(ctxt->input->cur) == '\n') {
+- ctxt->input->line++; ctxt->input->col = 1;
+- } else
+- ctxt->input->col++;
++ if (ctxt->charset == XML_CHAR_ENCODING_UTF8) {
++ const unsigned char *cur;
++ unsigned char c;
+
+- /*
+- * We are supposed to handle UTF8, check it's valid
+- * From rfc2044: encoding of the Unicode values on UTF-8:
+- *
+- * UCS-4 range (hex.) UTF-8 octet sequence (binary)
+- * 0000 0000-0000 007F 0xxxxxxx
+- * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
+- * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
+- *
+- * Check for the 0x110000 limit too
+- */
+- cur = ctxt->input->cur;
++ /*
++ * 2.11 End-of-Line Handling
++ * the literal two-character sequence "#xD#xA" or a standalone
++ * literal #xD, an XML processor must pass to the application
++ * the single character #xA.
++ */
++ if (*(ctxt->input->cur) == '\n') {
++ ctxt->input->line++; ctxt->input->col = 1;
++ } else
++ ctxt->input->col++;
+
+- c = *cur;
+- if (c & 0x80) {
+- if (c == 0xC0)
+- goto encoding_error;
+- if (cur[1] == 0) {
++ /*
++ * We are supposed to handle UTF8, check it's valid
++ * From rfc2044: encoding of the Unicode values on UTF-8:
++ *
++ * UCS-4 range (hex.) UTF-8 octet sequence (binary)
++ * 0000 0000-0000 007F 0xxxxxxx
++ * 0000 0080-0000 07FF 110xxxxx 10xxxxxx
++ * 0000 0800-0000 FFFF 1110xxxx 10xxxxxx 10xxxxxx
++ *
++ * Check for the 0x110000 limit too
++ */
++ cur = ctxt->input->cur;
++
++ c = *cur;
++ if (c & 0x80) {
++ if (c == 0xC0)
++ goto encoding_error;
++ if (cur[1] == 0) {
++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
++ cur = ctxt->input->cur;
++ }
++ if ((cur[1] & 0xc0) != 0x80)
++ goto encoding_error;
++ if ((c & 0xe0) == 0xe0) {
++ unsigned int val;
++
++ if (cur[2] == 0) {
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ cur = ctxt->input->cur;
+ }
+- if ((cur[1] & 0xc0) != 0x80)
++ if ((cur[2] & 0xc0) != 0x80)
+ goto encoding_error;
+- if ((c & 0xe0) == 0xe0) {
+- unsigned int val;
+-
+- if (cur[2] == 0) {
++ if ((c & 0xf0) == 0xf0) {
++ if (cur[3] == 0) {
+ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ cur = ctxt->input->cur;
+ }
+- if ((cur[2] & 0xc0) != 0x80)
++ if (((c & 0xf8) != 0xf0) ||
++ ((cur[3] & 0xc0) != 0x80))
+ goto encoding_error;
+- if ((c & 0xf0) == 0xf0) {
+- if (cur[3] == 0) {
+- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+- cur = ctxt->input->cur;
+- }
+- if (((c & 0xf8) != 0xf0) ||
+- ((cur[3] & 0xc0) != 0x80))
+- goto encoding_error;
+- /* 4-byte code */
+- ctxt->input->cur += 4;
+- val = (cur[0] & 0x7) << 18;
+- val |= (cur[1] & 0x3f) << 12;
+- val |= (cur[2] & 0x3f) << 6;
+- val |= cur[3] & 0x3f;
+- } else {
+- /* 3-byte code */
+- ctxt->input->cur += 3;
+- val = (cur[0] & 0xf) << 12;
+- val |= (cur[1] & 0x3f) << 6;
+- val |= cur[2] & 0x3f;
+- }
+- if (((val > 0xd7ff) && (val < 0xe000)) ||
+- ((val > 0xfffd) && (val < 0x10000)) ||
+- (val >= 0x110000)) {
+- xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+- "Char 0x%X out of allowed range\n",
+- val);
+- }
+- } else
+- /* 2-byte code */
+- ctxt->input->cur += 2;
++ /* 4-byte code */
++ ctxt->input->cur += 4;
++ val = (cur[0] & 0x7) << 18;
++ val |= (cur[1] & 0x3f) << 12;
++ val |= (cur[2] & 0x3f) << 6;
++ val |= cur[3] & 0x3f;
++ } else {
++ /* 3-byte code */
++ ctxt->input->cur += 3;
++ val = (cur[0] & 0xf) << 12;
++ val |= (cur[1] & 0x3f) << 6;
++ val |= cur[2] & 0x3f;
++ }
++ if (((val > 0xd7ff) && (val < 0xe000)) ||
++ ((val > 0xfffd) && (val < 0x10000)) ||
++ (val >= 0x110000)) {
++ xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
++ "Char 0x%X out of allowed range\n",
++ val);
++ }
+ } else
+- /* 1-byte code */
+- ctxt->input->cur++;
++ /* 2-byte code */
++ ctxt->input->cur += 2;
++ } else
++ /* 1-byte code */
++ ctxt->input->cur++;
+
+- ctxt->nbChars++;
+- if (*ctxt->input->cur == 0)
+- xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+- }
++ ctxt->nbChars++;
++ if (*ctxt->input->cur == 0)
++ xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ } else {
+ /*
+ * Assume it's a fixed length encoding (1) with
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre2.patch 2016-06-03 16:32:11.000000000 +0000
@@ -0,0 +1,27 @@
+From fdfeecc1b73b0318466f0d61f0b8881ed9d92dd2 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Fri, 20 Nov 2015 15:07:38 +0800
+Subject: Bug on creating new stream from entity
+
+sometimes the entity could have a lenght of 0, i.e. it wasn't
+parsed or used yet, and we ended up with an incoherent input state
+---
+ parserInternals.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/parserInternals.c b/parserInternals.c
+index c8230c1..2b8646c 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1459,6 +1459,8 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) {
+ if (entity->URI != NULL)
+ input->filename = (char *) xmlStrdup((xmlChar *) entity->URI);
+ input->base = entity->content;
++ if (entity->length == 0)
++ entity->length = xmlStrlen(entity->content);
+ input->cur = entity->content;
+ input->length = entity->length;
+ input->end = &entity->content[input->length];
+--
+cgit v0.12
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1833-pre.patch 2016-06-03 16:21:39.000000000 +0000
@@ -0,0 +1,27 @@
+From ff76eb28c75451bc56e3b93f44dac155ca29e7f5 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Sat, 3 Aug 2013 22:25:13 +0800
+Subject: Clear up a potential NULL dereference
+
+https://bugzilla.gnome.org/show_bug.cgi?id=705399
+
+if ctxt->node_seq.buffer is null then ctxt->node_seq.maximum ought
+to be zero but it's better to clarify the check in the code directly.
+---
+ parserInternals.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.1+dfsg1/parserInternals.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parserInternals.c 2016-06-03 12:21:37.899991664 -0400
++++ libxml2-2.9.1+dfsg1/parserInternals.c 2016-06-03 12:21:37.899991664 -0400
+@@ -1999,7 +1999,8 @@
+
+ /* Otherwise, we need to add new node to buffer */
+ else {
+- if (ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) {
++ if ((ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) ||
++ (ctxt->node_seq.buffer == NULL)) {
+ xmlParserNodeInfo *tmp_buffer;
+ unsigned int byte_size;
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1834.patch 2016-06-03 12:56:33.000000000 +0000
@@ -0,0 +1,50 @@
+From 8fbbf5513d609c1770b391b99e33314cd0742704 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Tue, 8 Mar 2016 17:29:00 -0800
+Subject: Bug 763071: heap-buffer-overflow in xmlStrncat
+
+
+* xmlstring.c:
+(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
+(xmlStrncatNew): Ditto.
+---
+ xmlstring.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/xmlstring.c b/xmlstring.c
+index b89c9e9..00287d4 100644
+--- a/xmlstring.c
++++ b/xmlstring.c
+@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) {
+ return(xmlStrndup(add, len));
+
+ size = xmlStrlen(cur);
++ if (size < 0)
++ return(NULL);
+ ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar));
+ if (ret == NULL) {
+ xmlErrMemory(NULL, NULL);
+@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) {
+ int size;
+ xmlChar *ret;
+
+- if (len < 0)
++ if (len < 0) {
+ len = xmlStrlen(str2);
++ if (len < 0)
++ return(NULL);
++ }
+ if ((str2 == NULL) || (len == 0))
+ return(xmlStrdup(str1));
+ if (str1 == NULL)
+ return(xmlStrndup(str2, len));
+
+ size = xmlStrlen(str1);
++ if (size < 0)
++ return(NULL);
+ ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar));
+ if (ret == NULL) {
+ xmlErrMemory(NULL, NULL);
+--
+cgit v0.12
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1835.patch 2016-06-03 12:58:00.000000000 +0000
@@ -0,0 +1,135 @@
+Backport of:
+
+From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Mon, 7 Mar 2016 14:04:08 -0800
+Subject: Heap use-after-free in xmlSAX2AttributeNs
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759020
+
+* parser.c:
+(xmlParseStartTag2): Attribute strings are only valid if the
+base does not change, so add another check where the base may
+change. Make sure to set 'attvalue' to NULL after freeing it.
+* result/errors/759020.xml: Added.
+* result/errors/759020.xml.err: Added.
+* result/errors/759020.xml.str: Added.
+* test/errors/759020.xml: Added test case.
+---
+ parser.c | 12 ++++++++++--
+ result/errors/759020.xml | 0
+ result/errors/759020.xml.err | 6 ++++++
+ result/errors/759020.xml.str | 7 +++++++
+ test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/759020.xml
+ create mode 100644 result/errors/759020.xml.err
+ create mode 100644 result/errors/759020.xml.str
+ create mode 100644 test/errors/759020.xml
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:56:43.215265543 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:57:36.535944954 -0400
+@@ -9422,8 +9422,13 @@
+ else
+ if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
+ skip_default_ns:
+- if (alloc != 0) xmlFree(attvalue);
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
+ SKIP_BLANKS;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+ if (aprefix == ctxt->str_xmlns) {
+@@ -9495,7 +9500,10 @@
+ else
+ if (nsPush(ctxt, attname, URL) > 0) nbNs++;
+ skip_ns:
+- if (alloc != 0) xmlFree(attvalue);
++ if ((attvalue != NULL) && (alloc != 0)) {
++ xmlFree(attvalue);
++ attvalue = NULL;
++ }
+ SKIP_BLANKS;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
+Index: libxml2-2.9.1+dfsg1/result/errors/759020.xml.err
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ libxml2-2.9.1+dfsg1/result/errors/759020.xml.err 2016-06-03 08:56:43.211265492 -0400
+@@ -0,0 +1,6 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++ ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
++
++ ^
+Index: libxml2-2.9.1+dfsg1/result/errors/759020.xml.str
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ libxml2-2.9.1+dfsg1/result/errors/759020.xml.str 2016-06-03 08:56:43.211265492 -0400
+@@ -0,0 +1,7 @@
++./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
++0000000000000000000000000000000000000000000000000000000000000000000000000000000'
++ ^
++./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
++
++ ^
++./test/errors/759020.xml : failed to parse
+Index: libxml2-2.9.1+dfsg1/test/errors/759020.xml
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ libxml2-2.9.1+dfsg1/test/errors/759020.xml 2016-06-03 08:56:43.211265492 -0400
+@@ -0,0 +1,46 @@
++
++
+Date: Thu, 3 Mar 2016 11:50:34 -0800
+Subject: Bug 759398: Heap use-after-free in xmlDictComputeFastKey
+
+
+* parser.c:
+(xmlParseNCNameComplex): Store start position instead of a
+pointer to the name since the underlying buffer may change,
+resulting in a stale pointer being used.
+* result/errors/759398.xml: Added.
+* result/errors/759398.xml.err: Added.
+* result/errors/759398.xml.str: Added.
+* test/errors/759398.xml: Added test case.
+---
+ parser.c | 9 +-
+ result/errors/759398.xml | 0
+ result/errors/759398.xml.err | 9 ++
+ result/errors/759398.xml.str | 5 +
+ test/errors/759398.xml | 326 +++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 344 insertions(+), 5 deletions(-)
+ create mode 100644 result/errors/759398.xml
+ create mode 100644 result/errors/759398.xml.err
+ create mode 100644 result/errors/759398.xml.str
+ create mode 100755 test/errors/759398.xml
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:58:10.916382845 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:58:10.916382845 -0400
+@@ -2008,6 +2008,7 @@
+ #define CUR (*ctxt->input->cur)
+ #define NXT(val) ctxt->input->cur[(val)]
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+
+ #define CMP4( s, c1, c2, c3, c4 ) \
+ ( ((unsigned char *) s)[ 0 ] == c1 && ((unsigned char *) s)[ 1 ] == c2 && \
+@@ -3463,7 +3464,7 @@
+ int len = 0, l;
+ int c;
+ int count = 0;
+- const xmlChar *end; /* needed because CUR_CHAR() can move cur on \r\n */
++ size_t startPosition = 0;
+
+ #ifdef DEBUG
+ nbParseNCNameComplex++;
+@@ -3473,7 +3474,7 @@
+ * Handler for more complex cases
+ */
+ GROW;
+- end = ctxt->input->cur;
++ startPosition = CUR_PTR - BASE_PTR;
+ c = CUR_CHAR(l);
+ if ((c == ' ') || (c == '>') || (c == '/') || /* accelerators */
+ (!xmlIsNameStartChar(ctxt, c) || (c == ':'))) {
+@@ -3495,14 +3496,12 @@
+ }
+ len += l;
+ NEXTL(l);
+- end = ctxt->input->cur;
+ c = CUR_CHAR(l);
+ if (c == 0) {
+ count = 0;
+ GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+- end = ctxt->input->cur;
+ c = CUR_CHAR(l);
+ }
+ }
+@@ -3511,7 +3510,7 @@
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+- return(xmlDictLookup(ctxt->dict, end - len, len));
++ return(xmlDictLookup(ctxt->dict, (BASE_PTR + startPosition), len));
+ }
+
+ /**
+Index: libxml2-2.9.1+dfsg1/result/errors/759398.xml.err
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ libxml2-2.9.1+dfsg1/result/errors/759398.xml.err 2016-06-03 08:58:10.916382845 -0400
+@@ -0,0 +1,9 @@
++./test/errors/759398.xml:210: parser error : StartTag: invalid element name
++need to worry about parsers whi
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++">
++
++'">
++
++
++
++
++
++
++
++
++
++amp,
++lt
,
++gt
,
++apos
,
++quot
">
++
++
++
++
++
++]>
++
++
++
++
++
++
++Extensible Markup Language (XML) 1.0
++
++REC-xml-&iso6.doc.date;
++W3C Recommendation
++&draft.day;&draft.month;&draft.year;
++
++
++
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;
++
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.xml
++
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.html
++
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.pdf
++
++http://www.w3.org/TR/1998/REC-xml-&iso6.doc.date;.ps
++
++
++
++httwww.w3.org/TR/REC-xml
++
++
++
++http://www.w3.org/TR/PR-xml-971208
++
++
++
++Tim Bray
++Textuality and Netscape
++tbray@textuality.com
++Jean Paoli
++Microsoft
++jeanpa@microsoft.com
++C. M. Sperberg-McQueen
++University of Illinois at Chicago
++cmsmcq@uic.edu
++
++
++The Extensible Markup Language (XML) is a subset of
++SGML that is completely described in this document. Its goal is to
++enable generic SGML to be served, received, and processed on the Web
++in the way that is now possible with HTML. XML has been designed for
++ease of implementation and for interoperability with both SGML and
++HTML.
++
++
++This document has been reviewed by W3C Members and
++other interested parties and has been endorsed by the
++Director as a W3C Recommendation. It is a stable
++document and may be used as reference material or cited
++as a normative reference from another document. W3C's
++role in making the Recommendation is to draw attention
++to the spPcification and to promote its widespread
++deployment. This enhances the functionality and
++interoperability of the Web.
++
++This document specifies a syntax created by subsetting an existing,
++widely used international text processing standard (Standard
++Generalized Markup Language, ISO 8879:1986(E) as amended and
++corrected) for use on the World Wide Web. It is a product of the W3C
++XML Activity, details of which can be found at http://www.w3.org/XML. A list of
++current W3C Recommendations and other technical documents can be found
++at http://www.w3.org/TR.
++
++This specification uses the term URI, which is defined by , a work in progress expected to update and .
++
++The list of known errors in this specification is
++available at
++http://www.w3.org/XML/xml-19980210-errata.
++Please report errors in this document to
++xml-editor@w3.org.
++
++
++
++
++
++Chicago, Vancouver, Mountain View, et al.:
++World-Wide Web Consortium, XML Working Group, 1996, 1997.
++
++
++Created in electronic form.
++
++
++English
++Extended Backus-Naur Form (formal grammar)
++
++
++
++1997-12-03 : CMSMcQ : yet further changes
++1997-12-02 : TB : further changes (see TB to XML WG,
++2 December 1997)
++1997-12-02 : CMSMcQ : deal with as many corrections and
++comments from the proofreaders as possible:
++entify hard-coded document date in pubdate element,
++change expansion of entity WebSGML,
++update status description as per Dan Connolly (am not sure
++about refernece to Berners-Lee et al.),
++add 'The' to abstract as per WG decision,
++move Relationship to Existing Standards to back matter and
++combine with References,
++re-order back matter so normative appendices come first,
++re-tag back matter so informative appendices are tagged informdiv1,
++remove XXX XXX from list of 'normative' specs in prose,
++move some references from Other References to Normative References,
++add RFC 1738, 1808, and 2141 to Other References (they are not
++normative since we do not require the processor to enforce any
++rules based on them),
++add reference to 'Fielding draft' (Berners-Lee et al.),
++move notation section to end of body,
++drop URIchar non-terminal and use SkipLit instead,
++lose stray reference to defunct nonterminal 'markupdecls',
++move reference to Aho et al. into appendix (Tim's right),
++add prose note saying that hash marks and fragment identifiers are
++NOT part of the URI formally speaking, and are NOT legal in
++system identifiers (processor 'may' signal an error).
++Work through:
++Tim Bray reacting to James Clark,
++Tim Bray on his own,
++Eve Maler,
++
++NOT DONE YET:
++change binary / text to unparsed / parsed.
++handle James's suggestion about < in attriubte values
++uppercase hex characters,
++namechar list,
++
++1997-12-01 : JB : add some column-width parameters
++1997-12-01 : CMSMcQ : begin round of changes to incorporate
++recent WG decisions and other corrections:
++binding sources of character encoding info (27 Aug / 3 Sept),
++correct wording of Faust quotation (restore dropped line),
++drop SDD from EncodingDecl,
++change text at version number 1.0,
++drop misleading (wrong!) sentence about ignorables and extenders,
++modify definxamples with Byte Order Mark.
++Add content model as a term and clarify that it applies to both
++mixed and element content.
++
++1997-06-30 : CMSMcQ : change date, some cosmetic changes,
++changes to productions for choice, seq, Mixed, NotationType,
++Enumeration. Follow James Clark's suggestion and prohibit
++conditional sections in internal subset. TO DO: simplify
++production for ignored sections as a result, since we don't
++need to worry about parsers whi
++1997-06-29 : TB : various edits
++1997-06-29 : CMSMcQ : further changes:
++Suppress old FINAL EDIT comments and some dead material.
++Revise occurrences of % in grammar to exploit Henry Thompson's pun,
++especially markupdecl and attdef.
++Remove RMD requirement relating to element content (?).
++
++1997-06-28 : CMSMcQ : Various changes for 1 July draft:
++Add text for draconian error handling (introduce
++the term Fatal Error).
++RE deleta est (changing wording from
++original announcement to restrict the requirement to validating
++parsers).
++Tag definition of validawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww it meant 'may or may not'.
++1997-03-21 : TB : massive changes on plane flight from Chicago
++to Vancouver
++1997-03-21 : CMSMcQ : correct as many reported errors as possible.
++
++1997-03-20 : CMSMcQ : correct typos listed in CMSMcQ hand copy of spec.
++1997 James Clark:
++Define the set of characters from which [^abc] subtracts.
++Charref should use just [0-9] not Digit.
++Location info needs cleaner treatment: remove? (ERB
++question).
++One example of a PI has wrong pic.
++Clarify discussion of encoding names.
++Encoding failure should lead to unspecified results; don't
++prescribe error recovery.
++Don't require exposure of entity boundaries.
++Ignore white space in element content.
++Reserve entity names of the form u-NNNN.
++Clarify relative URLs.
++And some of my own:
++Correct productions for content model: model cannot
++consist of a name, so "elements ::= cp" is no good.
++
++1996-11-11 : CMSMcQ : revise for style.
++Add new rhs to entity declaration, for parameter entities.
++1996-11-10 : CMSMcQ : revise for style.
++Fix / complete section on names, characters.
++Add sections on parameter entities, conditional sections.
++Still to do: Add compatibility note on deterministic content models.
++Finish stylistic revision.
++1996-10-31 : TB : Add Entity Handling section
++1996-10-30 : TB : Clean up term & termdef. Slip in
++ERB decision re EMPTY.
++1996-10-28 : TB : Change DTD. Implement some of Michael's
++suggestions. Change comments back to //. Introduce language for
++XML namespace reservation. Add section on white-space handling.
++Lots more cleanup.
++1996-10-24 : CMSMcQ : quick tweaks, implement some ERB
++decisions. Characters are not integers. Comments are /* */ not //.
++Add bibliographic refs to 10646, HyTime, Unicode.
++Rename old Cdata as MsData since it's only seen
++in marked sections. Call them attribute-value pairs not
++name-value pairs, except once. Internal subset is optional, needs
++'?'. Implied attributes should be signaled to the app, not
++have values supplied by processor.
++1996-10-16 : TB : track down & excise all DSD references;
++introduce some EBNF for entity declarations.
++1996-10-?? nsistency check, fix up scraps so
++they all parse, get formatter working, correct a few productions.
++1996-10-10/11 : CMSMcQ : various maintenance, stylistic, and
++organizational changes:
++Replace a few literals with xmlpio and
++pi""entities, to make them consistent and ensure we can change pic
++reliably when the ERB votes.
++Drop paragraph on recognizers from notation section.
++Add match, exact match to terminology.
++Move old 2.2 XML Processors and Apps into intro.
++Mention comments, PIs, and marked sections in discussion of
++delimiter escaping.
++Streamline discussion of doctype decl syntax.
++Drop old section of 'PI syntax' for doctype decl, and add
++section on partial-DTD summary PIs to end of Logical Structures
++section.
++Revise DSD syntax section to use Tim's subset-in-a-PI
++mechanism.
++1996-10-10 : TB : eliminate name recognizers (and more?)
++1996-10-09 : CMSMcQ : revise for style, consistency through 2.3
++(Characters)
++1996-10-09 : CMSMcQ : re-unite everything for convenience,
++at least temporarily, and revise quickly
++1996-10-08 : TB : first major homogenization pass
++1996-10-08 : TB : turn "current" attribute on div type into
++CDATA
++1996-10-02 : TB : remould into skeleton + entities
++1996-09-30 : CMSMcQ : add a few more sections prior to exchange
++ with Tim.
++1996-09-20 : CMSMcQ : finish transcribing notes.
++1996-09-19 : CMSMcQ : begin transcribing notes for draft.
++1996-09-13 : CMSMcQ : made outline from notes of 09-06,
++do some housekeeping
++
++
++
++ is used to read XML documents
++and provide access to their content and structure. It is @ssumed that an XML processor is
++doing its work on behalf of another module, called the
++application. This specification describes the
++required beh\vior of an XML processor in terms of how it must read XML
++data and the information it must provide to the application.
++
++
++Origin and Goals
++XML was developed by an XML Working Group (orisable over the
++Internet.
++XML shall support a wide variey of applications.
++XML shall be compatible with SGML.
++It shall be easy to write programs which process XML
++documents.
++The number of optional features in XML is to be kept to the
++absolute minimum, ideally zero.
++XML documents shou
+\ No newline at end of file
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1837.patch 2016-06-03 12:58:17.000000000 +0000
@@ -0,0 +1,137 @@
+From 11ed4a7a90d5ce156a18980a4ad4e53e77384852 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Wed, 2 Mar 2016 15:52:24 -0800
+Subject: Heap use-after-free in htmlParsePubidLiteral and
+ htmlParseSystemiteral
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=760263
+
+* HTMLparser.c: Add BASE_PTR convenience macro.
+(htmlParseSystemLiteral): Store length and start position instead
+of a pointer while iterating through the public identifier since
+the underlying buffer may change, resulting in a stale pointer
+being used.
+(htmlParsePubidLiteral): Ditto.
+---
+ HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 15 deletions(-)
+
+Index: libxml2-2.9.3+dfsg1/HTMLparser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:33.892487010 -0400
++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:33.888486962 -0400
+@@ -303,6 +303,7 @@
+ #define UPP(val) (toupper(ctxt->input->cur[(val)]))
+
+ #define CUR_PTR ctxt->input->cur
++#define BASE_PTR ctxt->input->base
+
+ #define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \
+ (ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \
+@@ -2765,31 +2766,43 @@
+
+ static xmlChar *
+ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '"'))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_CHAR_CH(CUR)) && (CUR != '\''))
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) {
+ NEXT;
++ len++;
++ }
+ if (!IS_CHAR_CH(CUR)) {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished SystemLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR+startPosition), len);
+ NEXT;
+ }
+ } else {
+@@ -2813,32 +2826,47 @@
+
+ static xmlChar *
+ htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) {
+- const xmlChar *q;
++ size_t len = 0, startPosition = 0;
+ xmlChar *ret = NULL;
+ /*
+ * Name ::= (Letter | '_') (NameChar)*
+ */
+ if (CUR == '"') {
+ NEXT;
+- q = CUR_PTR;
+- while (IS_PUBIDCHAR_CH(CUR)) NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while (IS_PUBIDCHAR_CH(CUR)) {
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '"') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else if (CUR == '\'') {
+ NEXT;
+- q = CUR_PTR;
+- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\''))
+- NEXT;
++
++ if (CUR_PTR < BASE_PTR)
++ return(ret);
++ startPosition = CUR_PTR - BASE_PTR;
++
++ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){
++ len++;
++ NEXT;
++ }
++
+ if (CUR != '\'') {
+ htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED,
+ "Unfinished PubidLiteral\n", NULL, NULL);
+ } else {
+- ret = xmlStrndup(q, CUR_PTR - q);
++ ret = xmlStrndup((BASE_PTR + startPosition), len);
+ NEXT;
+ }
+ } else {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1838.patch 2016-06-03 12:58:26.000000000 +0000
@@ -0,0 +1,90 @@
+From db07dd613e461df93dde7902c6505629bf0734e9 Mon Sep 17 00:00:00 2001
+From: David Kilzer
+Date: Fri, 12 Feb 2016 09:58:29 -0800
+Subject: Bug 758588: Heap-based buffer overread in
+ xmlParserPrintFileContextInternal
+
+
+* parser.c:
+(xmlParseEndTag2): Add bounds checks before dereferencing
+ctxt->input->cur past the end of the buffer, or incrementing the
+pointer past the end of the buffer.
+
+* result/errors/758588.xml: Add test result.
+* result/errors/758588.xml.err: Ditto.
+* result/errors/758588.xml.str: Ditto.
+* test/errors/758588.xml: Add regression test.
+---
+ parser.c | 8 ++++++--
+ result/errors/758588.xml | 0
+ result/errors/758588.xml.err | 9 +++++++++
+ result/errors/758588.xml.str | 10 ++++++++++
+ test/errors/758588.xml | 1 +
+ 5 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/758588.xml
+ create mode 100644 result/errors/758588.xml.err
+ create mode 100644 result/errors/758588.xml.str
+ create mode 100644 test/errors/758588.xml
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:58:22.736533361 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:58:22.732533310 -0400
+@@ -9766,6 +9766,7 @@
+ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
+ const xmlChar *URI, int line, int nsNr, int tlen) {
+ const xmlChar *name;
++ size_t curLength;
+
+ GROW;
+ if ((RAW != '<') || (NXT(1) != '/')) {
+@@ -9774,8 +9775,11 @@
+ }
+ SKIP(2);
+
+- if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
+- if (ctxt->input->cur[tlen] == '>') {
++ curLength = ctxt->input->end - ctxt->input->cur;
++ if ((tlen > 0) && (curLength >= (size_t)tlen) &&
++ (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
++ if ((curLength >= (size_t)(tlen + 1)) &&
++ (ctxt->input->cur[tlen] == '>')) {
+ ctxt->input->cur += tlen + 1;
+ goto done;
+ }
+Index: libxml2-2.9.1+dfsg1/result/errors/758588.xml.err
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ libxml2-2.9.1+dfsg1/result/errors/758588.xml.err 2016-06-03 08:58:22.732533310 -0400
+@@ -0,0 +1,9 @@
++./test/errors/758588.xml:1: namespace error : Namespace prefix a-340282366920938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867209384634725979468672093846347259794686720938463472597946867261d on a is not defined
++63472597946867209384634725979468672093846347259794686720938463472597946867261d:a
++ ^
++./test/errors/758588.xml:1: parser error : expected '>'
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a>'
++2597946867209384634725979468672093846347259794686720938463472597946867261d:a>
+Date: Tue, 1 Mar 2016 11:34:04 -0800
+Subject: Bug 758605: Heap-based buffer overread in xmlDictAddString
+
+
+Reviewed by David Kilzer.
+
+* HTMLparser.c:
+(htmlParseName): Add bounds check.
+(htmlParseNameComplex): Ditto.
+* result/HTML/758605.html: Added.
+* result/HTML/758605.html.err: Added.
+* result/HTML/758605.html.sax: Added.
+* runtest.c:
+(pushParseTest): The input for the new test case was so small
+(4 bytes) that htmlParseChunk() was never called after
+htmlCreatePushParserCtxt(), thereby creating a false positive
+test failure. Fixed by using a do-while loop so we always call
+htmlParseChunk() at least once.
+* test/HTML/758605.html: Added.
+---
+ HTMLparser.c | 8 ++++++++
+ result/HTML/758605.html | 3 +++
+ result/HTML/758605.html.err | 3 +++
+ result/HTML/758605.html.sax | 13 +++++++++++++
+ runtest.c | 4 ++--
+ test/HTML/758605.html | 1 +
+ 6 files changed, 30 insertions(+), 2 deletions(-)
+ create mode 100644 result/HTML/758605.html
+ create mode 100644 result/HTML/758605.html.err
+ create mode 100644 result/HTML/758605.html.sax
+ create mode 100644 test/HTML/758605.html
+
+Index: libxml2-2.9.3+dfsg1/HTMLparser.c
+===================================================================
+--- libxml2-2.9.3+dfsg1.orig/HTMLparser.c 2016-06-03 08:00:49.064670606 -0400
++++ libxml2-2.9.3+dfsg1/HTMLparser.c 2016-06-03 08:00:49.060670558 -0400
+@@ -2472,6 +2472,10 @@
+ (*in == '_') || (*in == '-') ||
+ (*in == ':') || (*in == '.'))
+ in++;
++
++ if (in == ctxt->input->end)
++ return(NULL);
++
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+ ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count);
+@@ -2515,6 +2519,10 @@
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
++
++ if (ctxt->input->base > ctxt->input->cur - len)
++ return(NULL);
++
+ return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+ }
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-1840.patch 2016-06-03 12:59:12.000000000 +0000
@@ -0,0 +1,32 @@
+From cbb271655cadeb8dbb258a64701d9a3a0c4835b4 Mon Sep 17 00:00:00 2001
+From: Pranjal Jumde
+Date: Mon, 7 Mar 2016 06:34:26 -0800
+Subject: Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
+
+
+* xmlregexp.c:
+(xmlFAParseCharRange): Only advance to the next character if
+there is no error. Advancing to the next character in case of
+an error while parsing regexp leads to an out of bounds access.
+---
+ xmlregexp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.1+dfsg1/xmlregexp.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/xmlregexp.c 2016-06-03 08:59:10.053135718 -0400
++++ libxml2-2.9.1+dfsg1/xmlregexp.c 2016-06-03 08:59:10.053135718 -0400
+@@ -5050,11 +5050,12 @@
+ ERROR("Expecting the end of a char range");
+ return;
+ }
+- NEXTL(len);
++
+ /* TODO check that the values are acceptable character ranges for XML */
+ if (end < start) {
+ ERROR("End of range is before start of range");
+ } else {
++ NEXTL(len);
+ xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
+ XML_REGEXP_CHARVAL, start, end, NULL);
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3627.patch 2016-06-03 12:59:52.000000000 +0000
@@ -0,0 +1,56 @@
+From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 23 May 2016 12:27:58 +0800
+Subject: Avoid building recursive entities
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=762100
+
+When we detect a recusive entity we should really not
+build the associated data, moreover if someone bypass
+libxml2 fatal errors and still tries to serialize a broken
+entity make sure we don't risk to get ito a recursion
+
+* parser.c: xmlParserEntityCheck() don't build if entity loop
+ were found and remove the associated text content
+* tree.c: xmlStringGetNodeList() avoid a potential recursion
+---
+ parser.c | 6 +++++-
+ tree.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:49.753640913 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:49.749640863 -0400
+@@ -138,7 +138,8 @@
+ * entities problems
+ */
+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
+- (ent->content != NULL) && (ent->checked == 0)) {
++ (ent->content != NULL) && (ent->checked == 0) &&
++ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
+ unsigned long oldnbent = ctxt->nbentities;
+ xmlChar *rep;
+
+@@ -148,6 +149,9 @@
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
++ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
++ ent->content[0] = 0;
++ }
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+Index: libxml2-2.9.1+dfsg1/tree.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/tree.c 2016-06-03 08:59:49.753640913 -0400
++++ libxml2-2.9.1+dfsg1/tree.c 2016-06-03 08:59:49.749640863 -0400
+@@ -1588,6 +1588,7 @@
+ else if ((ent != NULL) && (ent->children == NULL)) {
+ xmlNodePtr temp;
+
++ ent->children = (xmlNodePtr) -1;
+ ent->children = xmlStringGetNodeList(doc,
+ (const xmlChar*)node->content);
+ ent->owner = 1;
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-3705.patch 2016-06-03 12:59:21.000000000 +0000
@@ -0,0 +1,65 @@
+From 8f30bdff69edac9075f4663ce3b56b0c52d48ce6 Mon Sep 17 00:00:00 2001
+From: Peter Simons
+Date: Fri, 15 Apr 2016 11:56:55 +0200
+Subject: Add missing increments of recursion depth counter to XML parser.
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=765207
+CVE-2016-3705
+The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
+xmlStringDecodeEntities() in a recursive context without incrementing the
+'depth' counter in the parser context. Because of that omission, the parser
+failed to detect attribute recursions in certain documents before running out
+of stack space.
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:18.205239470 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:18.205239470 -0400
+@@ -144,8 +144,10 @@
+
+ ent->checked = 1;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
+@@ -3947,8 +3949,10 @@
+ * an entity declaration, it is bypassed and left as is.
+ * so XML_SUBSTITUTE_REF is not set here.
+ */
++ ++ctxt->depth;
+ ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (orig != NULL)
+ *orig = buf;
+ else
+@@ -4073,9 +4077,11 @@
+ } else if ((ent != NULL) &&
+ (ctxt->replaceEntities != 0)) {
+ if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF,
+ 0, 0, 0);
++ --ctxt->depth;
+ if (rep != NULL) {
+ current = rep;
+ while (*current != 0) { /* non input consuming */
+@@ -4111,8 +4117,10 @@
+ (ent->content != NULL) && (ent->checked == 0)) {
+ unsigned long oldnbent = ctxt->nbentities;
+
++ ++ctxt->depth;
+ rep = xmlStringDecodeEntities(ctxt, ent->content,
+ XML_SUBSTITUTE_REF, 0, 0, 0);
++ --ctxt->depth;
+
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
+ if (rep != NULL) {
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4447.patch 2016-06-03 12:59:30.000000000 +0000
@@ -0,0 +1,64 @@
+From 00906759053986b8079985644172085f74331f83 Mon Sep 17 00:00:00 2001
+From: David Kilzer
+Date: Tue, 26 Jan 2016 16:57:03 -0800
+Subject: Heap-based buffer-underreads due to xmlParseName
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759573
+
+* parser.c:
+(xmlParseElementDecl): Return early on invalid input to fix
+non-minimized test case (759573-2.xml). Otherwise the parser
+gets into a bad state in SKIP(3) at the end of the function.
+(xmlParseConditionalSections): Halt parsing when hitting invalid
+input that would otherwise caused xmlParserHandlePEReference()
+to recurse unexpectedly. This fixes the minimized test case
+(759573.xml).
+
+* result/errors/759573-2.xml: Add.
+* result/errors/759573-2.xml.err: Add.
+* result/errors/759573-2.xml.str: Add.
+* result/errors/759573.xml: Add.
+* result/errors/759573.xml.err: Add.
+* result/errors/759573.xml.str: Add.
+* test/errors/759573-2.xml: Add.
+* test/errors/759573.xml: Add.
+---
+ parser.c | 2 ++
+ result/errors/759573-2.xml | 0
+ result/errors/759573-2.xml.err | 58 ++++++++++++++++++++++++++++++++++++++++++
+ result/errors/759573-2.xml.str | 4 +++
+ result/errors/759573.xml | 0
+ result/errors/759573.xml.err | 31 ++++++++++++++++++++++
+ result/errors/759573.xml.str | 4 +++
+ test/errors/759573-2.xml | 9 +++++++
+ test/errors/759573.xml | 1 +
+ 9 files changed, 109 insertions(+)
+ create mode 100644 result/errors/759573-2.xml
+ create mode 100644 result/errors/759573-2.xml.err
+ create mode 100644 result/errors/759573-2.xml.str
+ create mode 100644 result/errors/759573.xml
+ create mode 100644 result/errors/759573.xml.err
+ create mode 100644 result/errors/759573.xml.str
+ create mode 100644 test/errors/759573-2.xml
+ create mode 100644 test/errors/759573.xml
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:27.601359045 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:27.601359045 -0400
+@@ -6675,6 +6675,7 @@
+ if (!IS_BLANK_CH(CUR)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "Space required after 'ELEMENT'\n");
++ return(-1);
+ }
+ SKIP_BLANKS;
+ name = xmlParseName(ctxt);
+@@ -6826,6 +6827,7 @@
+
+ if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
+ xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
++ xmlHaltParser(ctxt);
+ break;
+ }
+ }
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4449.patch 2016-06-03 12:59:37.000000000 +0000
@@ -0,0 +1,41 @@
+From b1d34de46a11323fccffa9fadeb33be670d602f5 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 14 Mar 2016 17:19:44 +0800
+Subject: Fix inappropriate fetch of entities content
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=761430
+
+libfuzzer regression testing exposed another case where the parser would
+fetch content of an external entity while not in validating mode.
+Plug that hole
+---
+ parser.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+Index: libxml2-2.9.1+dfsg1/parser.c
+===================================================================
+--- libxml2-2.9.1+dfsg1.orig/parser.c 2016-06-03 08:59:34.933452346 -0400
++++ libxml2-2.9.1+dfsg1/parser.c 2016-06-03 08:59:34.933452346 -0400
+@@ -2854,7 +2854,21 @@
+ ctxt->nbentities += ent->checked / 2;
+ if (ent != NULL) {
+ if (ent->content == NULL) {
+- xmlLoadEntityContent(ctxt, ent);
++ /*
++ * Note: external parsed entities will not be loaded,
++ * it is not required for a non-validating parser to
++ * complete external PEreferences coming from the
++ * internal subset
++ */
++ if (((ctxt->options & XML_PARSE_NOENT) != 0) ||
++ ((ctxt->options & XML_PARSE_DTDVALID) != 0) ||
++ (ctxt->validate != 0)) {
++ xmlLoadEntityContent(ctxt, ent);
++ } else {
++ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING,
++ "not validating will not read content for PE entity %s\n",
++ ent->name, NULL);
++ }
+ }
+ ctxt->depth++;
+ rep = xmlStringDecodeEntities(ctxt, ent->content, what,
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch
--- libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/CVE-2016-4483.patch 2016-06-03 12:59:41.000000000 +0000
@@ -0,0 +1,49 @@
+From c97750d11bb8b6f3303e7131fe526a61ac65bcfd Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Mon, 23 May 2016 13:39:13 +0800
+Subject: Avoid an out of bound access when serializing malformed strings
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=766414
+
+* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value
+ is not UTF-8 be more careful when serializing it as we may do an
+ out of bound access as a result.
+---
+ xmlsave.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/xmlsave.c b/xmlsave.c
+index 774404b..4a8e3f3 100644
+--- a/xmlsave.c
++++ b/xmlsave.c
+@@ -2097,8 +2097,8 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+ xmlBufAdd(buf, BAD_CAST "&", 5);
+ cur++;
+ base = cur;
+- } else if ((*cur >= 0x80) && ((doc == NULL) ||
+- (doc->encoding == NULL))) {
++ } else if ((*cur >= 0x80) && (cur[1] != 0) &&
++ ((doc == NULL) || (doc->encoding == NULL))) {
+ /*
+ * We assume we have UTF-8 content.
+ */
+@@ -2121,14 +2121,14 @@ xmlBufAttrSerializeTxtContent(xmlBufPtr buf, xmlDocPtr doc,
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+ l = 2;
+- } else if (*cur < 0xF0) {
++ } else if ((*cur < 0xF0) && (cur [2] != 0)) {
+ val = (cur[0]) & 0x0F;
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+ val <<= 6;
+ val |= (cur[2]) & 0x3F;
+ l = 3;
+- } else if (*cur < 0xF8) {
++ } else if ((*cur < 0xF8) && (cur [2] != 0) && (cur[3] != 0)) {
+ val = (cur[0]) & 0x07;
+ val <<= 6;
+ val |= (cur[1]) & 0x3F;
+--
+cgit v0.12
+
diff -Nru libxml2-2.9.1+dfsg1/debian/patches/series libxml2-2.9.1+dfsg1/debian/patches/series
--- libxml2-2.9.1+dfsg1/debian/patches/series 2016-01-14 18:13:07.000000000 +0000
+++ libxml2-2.9.1+dfsg1/debian/patches/series 2016-06-03 16:32:11.000000000 +0000
@@ -27,3 +27,19 @@
CVE-2015-7499-3.patch
CVE-2015-7499-4.patch
CVE-2015-8710.patch
+CVE-2016-1762.patch
+CVE-2016-1833-pre.patch
+CVE-2016-1833-pre2.patch
+CVE-2016-1833.patch
+CVE-2016-1834.patch
+CVE-2016-1835.patch
+CVE-2016-1836.patch
+CVE-2016-1837.patch
+CVE-2016-1838.patch
+CVE-2016-1839.patch
+CVE-2016-1840.patch
+CVE-2016-3705.patch
+CVE-2016-4447.patch
+CVE-2016-4449.patch
+CVE-2016-4483.patch
+CVE-2016-3627.patch