author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-03-08 10:28:10 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-03-20 13:40:30 +0000 |
commit | e733310db58160074f574c429d48f8308c0afe17 (patch) | |
tree | f8aef4b7e62a69928dbcf880620eece20f98c6df /chromium/third_party/libxml | |
parent | 2f583e4aec1ae3a86fa047829c96b310dc12ecdf (diff) | |
BASELINE: Update Chromium to 56.0.2924.122
Change-Id: I4e04de8f47e47e501c46ed934c76a431c6337ced
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/third_party/libxml')
-rw-r--r-- | chromium/third_party/libxml/README.chromium | 4 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/entities.c | 2 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/include/libxml/entities.h | 16 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/libxml2.spec | 2 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/parser.c | 94 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/relaxng.c | 3 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/runtest.c | 12 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/xmlschemas.c | 32 | ||||
-rw-r--r-- | chromium/third_party/libxml/src/xpath.c | 7 |
9 files changed, 122 insertions, 50 deletions
diff --git a/chromium/third_party/libxml/README.chromium b/chromium/third_party/libxml/README.chromium index 98ce1d93b56..e7ad3737e61 100644 --- a/chromium/third_party/libxml/README.chromium +++ b/chromium/third_party/libxml/README.chromium @@ -1,6 +1,6 @@ Name: libxml URL: http://xmlsoft.org -Version: bdec2183f34b37ee89ae1d330c6ad2bb4d76605f +Version: 3169602058bd2d04913909e869c61d1540bc7fb4 License: MIT License File: src/Copyright Security Critical: yes @@ -16,6 +16,8 @@ Modifications: - Add second workaround for VS 2015 Update 2 code-gen bug - crbug.com/599427 - Apply patch contributed here: https://crbug.com/623378#c7 - Apply patch contributed here: https://crbug.com/624011 +- Apply patch contributed here: https://crbug.com/628581#c18 +- Apply patch contributed here: https://crbug.com/620679#c34 This import was generated by this script: https://goo.gl/72CTWf diff --git a/chromium/third_party/libxml/src/entities.c b/chromium/third_party/libxml/src/entities.c index 64808ff64d6..2851e2d4311 100644 --- a/chromium/third_party/libxml/src/entities.c +++ b/chromium/third_party/libxml/src/entities.c @@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, memset(ret, 0, sizeof(xmlEntity)); ret->type = XML_ENTITY_DECL; ret->checked = 0; + ret->guard = XML_ENTITY_NOT_BEING_CHECKED; /* * fill the structure. @@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) { cur->orig = xmlStrdup(ent->orig); if (ent->URI != NULL) cur->URI = xmlStrdup(ent->URI); + cur->guard = 0; return(cur); } diff --git a/chromium/third_party/libxml/src/include/libxml/entities.h b/chromium/third_party/libxml/src/include/libxml/entities.h index 47b4573eba6..012efab294c 100644 --- a/chromium/third_party/libxml/src/include/libxml/entities.h +++ b/chromium/third_party/libxml/src/include/libxml/entities.h 
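Review bot: In the xmlCopyEntity hunk of entities.c the new field is cleared with a bare `cur->guard = 0;`, while the xmlCreateEntity hunk just above uses the enum name. Writing `cur->guard = XML_ENTITY_NOT_BEING_CHECKED;` keeps both initialisations tied to xmlEntityRecursionGuard, so a later reordering of the enum cannot silently produce a copied entity that looks as if it were already being checked. Both functions start and end outside their hunks.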
@@ -35,8 +35,13 @@ typedef enum { * and the linkind data needed for the linking in the hash table. */ +typedef enum { + XML_ENTITY_NOT_BEING_CHECKED, + XML_ENTITY_BEING_CHECKED /* entity check is in progress */ +} xmlEntityRecursionGuard; + struct _xmlEntity { - void *_private; /* application data */ + void *_private; /* application data */ xmlElementType type; /* XML_ENTITY_DECL, must be second ! */ const xmlChar *name; /* Entity name */ struct _xmlNode *children; /* First child link */ @@ -56,10 +61,11 @@ struct _xmlEntity { struct _xmlEntity *nexte; /* unused */ const xmlChar *URI; /* the full URI as computed */ int owner; /* does the entity own the childrens */ - int checked; /* was the entity content checked */ - /* this is also used to count entities - * references done from that entity - * and if it contains '<' */ + int checked; /* was the entity content checked and */ + /* l.o. bit: replacement contains '<' */ + /* remaining bits: one plus count of */ + /* entity references from this entity */ + xmlEntityRecursionGuard guard; }; /* diff --git a/chromium/third_party/libxml/src/libxml2.spec b/chromium/third_party/libxml/src/libxml2.spec index 256ac618f52..fe8a30bf4ce 100644 --- a/chromium/third_party/libxml/src/libxml2.spec +++ b/chromium/third_party/libxml/src/libxml2.spec @@ -194,6 +194,6 @@ rm -fr %{buildroot} %endif # with_python3 %changelog -* Thu May 26 2016 Daniel Veillard <veillard@redhat.com> +* Wed Oct 12 2016 Daniel Veillard <veillard@redhat.com> - upstream release 2.9.4 see http://xmlsoft.org/news.html diff --git a/chromium/third_party/libxml/src/parser.c b/chromium/third_party/libxml/src/parser.c index 53a6b7f0c96..33786f08354 100644 --- a/chromium/third_party/libxml/src/parser.c +++ b/chromium/third_party/libxml/src/parser.c 
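Review bot: The new `guard` member at the end of struct _xmlEntity is the only field in the struct without a comment, and XML_ENTITY_NOT_BEING_CHECKED is undocumented as well. Something like `xmlEntityRecursionGuard guard; /* set while this entity's content is being expanded, to detect self-reference */` would match the neighbouring members. Because entities.h is a public header, it would also help to mark the field as a local addition (README.chromium in this commit lists the crbug patches), since code compiled against a different copy of the header would presumably see a shorter struct.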
@@ -137,18 +137,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, * This may look absurd but is needed to detect * entities problems */ + if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) { + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return (1); + } if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && (ent->content != NULL) && (ent->checked == 0) && (ctxt->errNo != XML_ERR_ENTITY_LOOP)) { unsigned long oldnbent = ctxt->nbentities; xmlChar *rep; + ent->guard = XML_ENTITY_BEING_CHECKED; ent->checked = 1; ++ctxt->depth; rep = xmlStringDecodeEntities(ctxt, ent->content, XML_SUBSTITUTE_REF, 0, 0, 0); --ctxt->depth; + ent->guard = XML_ENTITY_NOT_BEING_CHECKED; if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { ent->content[0] = 0; } @@ -3420,8 +3426,15 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); return(NULL); } - if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) + if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) { + if (ctxt->input->base > ctxt->input->cur - (len + 1)) { + return(NULL); + } return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); + } + if (ctxt->input->base > ctxt->input->cur - len) { + return(NULL); + } return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); } 
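Review bot: The new early return in xmlParserEntityCheck has no comment saying how `guard` relates to the `checked` flag and `ctxt->depth` that already police entity expansion here, and the inherited "This may look absurd" comment now reads as if it described the guard test. A line such as `/* ent is already being expanded further up the call stack: report a loop instead of recursing */` above the `ent->guard == XML_ENTITY_BEING_CHECKED` test would do. The same applies to the two xmlParseReference hunks later in parser.c, which repeat the set/test/reset sequence. The comment should also say that the flag has to be reset on every path out of the guarded region, because a missed reset would make later legitimate references to that entity fail with XML_ERR_ENTITY_LOOP. The function body continues outside the hunk.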
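Review bot: Both bounds checks added to xmlParseNameComplex form the pointer `ctxt->input->cur - (len + 1)` (or `cur - len`) before comparing it with `base`. A pointer computed to before the start of the buffer is already undefined behaviour in C, so the compiler is entitled to assume the comparison is false. Comparing distances avoids forming that pointer: `if (ctxt->input->cur - ctxt->input->base < len + 1) return(NULL);` and `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);`. The NULL return is also silent; reporting it through xmlFatalErr, as the XML_ERR_NAME_TOO_LONG branch just above does, would leave a trace of why the name was rejected. The function starts outside the hunk.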
@@ -7329,23 +7342,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { * if its replacement text matches the production labeled * content. */ - if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { - ctxt->depth++; - ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, - user_data, &list); - ctxt->depth--; - - } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { - ctxt->depth++; - ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, - user_data, ctxt->depth, ent->URI, - ent->ExternalID, &list); - ctxt->depth--; - } else { - ret = XML_ERR_ENTITY_PE_INTERNAL; - xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, - "invalid entity type found\n", NULL); - } + if (ent->guard == XML_ENTITY_BEING_CHECKED) { + ret = XML_ERR_ENTITY_LOOP; + } else { + ent->guard = XML_ENTITY_BEING_CHECKED; + if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { + ctxt->depth++; + ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, + user_data, &list); + ctxt->depth--; + } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { + ctxt->depth++; + ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, + user_data, ctxt->depth, ent->URI, + ent->ExternalID, &list); + ctxt->depth--; + } else { + ret = XML_ERR_ENTITY_PE_INTERNAL; + xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, + "invalid entity type found\n", NULL); + } + ent->guard = XML_ENTITY_NOT_BEING_CHECKED; + } /* * Store the number of entities needing parsing for this entity 
@@ -7448,23 +7466,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { else user_data = ctxt->userData; - if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { - ctxt->depth++; - ret = xmlParseBalancedChunkMemoryInternal(ctxt, - ent->content, user_data, NULL); - ctxt->depth--; - } else if (ent->etype == - XML_EXTERNAL_GENERAL_PARSED_ENTITY) { - ctxt->depth++; - ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, - ctxt->sax, user_data, ctxt->depth, - ent->URI, ent->ExternalID, NULL); - ctxt->depth--; - } else { - ret = XML_ERR_ENTITY_PE_INTERNAL; - xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, - "invalid entity type found\n", NULL); - } + if (ent->guard == XML_ENTITY_BEING_CHECKED) { + ret = XML_ERR_ENTITY_LOOP; + } else { + ent->guard = XML_ENTITY_BEING_CHECKED; + if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { + ctxt->depth++; + ret = xmlParseBalancedChunkMemoryInternal(ctxt, + ent->content, user_data, NULL); + ctxt->depth--; + } else if (ent->etype == + XML_EXTERNAL_GENERAL_PARSED_ENTITY) { + ctxt->depth++; + ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, + ctxt->sax, user_data, ctxt->depth, + ent->URI, ent->ExternalID, NULL); + ctxt->depth--; + } else { + ret = XML_ERR_ENTITY_PE_INTERNAL; + xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, + "invalid entity type found\n", NULL); + } + ent->guard = XML_ENTITY_NOT_BEING_CHECKED; + } if (ret == XML_ERR_ENTITY_LOOP) { xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return; diff --git a/chromium/third_party/libxml/src/relaxng.c b/chromium/third_party/libxml/src/relaxng.c index 56a3344a2fe..3d3e69c0e36 100644 --- a/chromium/third_party/libxml/src/relaxng.c +++ b/chromium/third_party/libxml/src/relaxng.c @@ -2088,6 +2088,7 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1, const xmlChar * arg2) { char msg[1000]; + xmlChar *result; if (arg1 == NULL) arg1 = BAD_CAST ""; 
@@ -2215,7 +2216,7 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1, snprintf(msg, 1000, "Unknown error code %d\n", err); } msg[1000 - 1] = 0; - xmlChar *result = xmlCharStrdup(msg); + result = xmlCharStrdup(msg); return (xmlEscapeFormatString(&result)); } diff --git a/chromium/third_party/libxml/src/runtest.c b/chromium/third_party/libxml/src/runtest.c index bb74d2a82e2..18615773228 100644 --- a/chromium/third_party/libxml/src/runtest.c +++ b/chromium/third_party/libxml/src/runtest.c @@ -2317,10 +2317,19 @@ static FILE *xpathOutput; static xmlDocPtr xpathDocument; static void +ignoreGenericError(void *ctx ATTRIBUTE_UNUSED, + const char *msg ATTRIBUTE_UNUSED, ...) { +} + +static void testXPath(const char *str, int xptr, int expr) { + xmlGenericErrorFunc handler = ignoreGenericError; xmlXPathObjectPtr res; xmlXPathContextPtr ctxt; + /* Don't print generic errors to stderr. */ + initGenericErrorDefaultFunc(&handler); + nb_tests++; #if defined(LIBXML_XPTR_ENABLED) if (xptr) { @@ -2349,6 +2358,9 @@ testXPath(const char *str, int xptr, int expr) { xmlXPathDebugDumpObject(xpathOutput, res, 0); xmlXPathFreeObject(res); xmlXPathFreeContext(ctxt); + + /* Reset generic error handler. */ + initGenericErrorDefaultFunc(NULL); } /** diff --git a/chromium/third_party/libxml/src/xmlschemas.c b/chromium/third_party/libxml/src/xmlschemas.c index e1b3a4f0386..d42afb776e9 100644 --- a/chromium/third_party/libxml/src/xmlschemas.c +++ b/chromium/third_party/libxml/src/xmlschemas.c @@ -3168,8 +3168,8 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, "valid."); } if (expected) { - msg = xmlStrcat(msg, BAD_CAST " Expected is '"); xmlChar *expectedEscaped = xmlCharStrdup(expected); + msg = xmlStrcat(msg, BAD_CAST " Expected is '"); msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped)); FREE_AND_NULL(expectedEscaped); msg = xmlStrcat(msg, BAD_CAST "'.\n"); 
@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, * attributes yet. */ if (nb_attributes != 0) { + int valueLen, k, l; xmlChar *value; for (j = 0, i = 0; i < nb_attributes; i++, j += 5) { @@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx, * libxml2 differs from normal SAX here in that it escapes all ampersands * as & instead of delivering the raw converted string. Changing the * behavior at this point would break applications that use this API, so - * we are forced to work around it. There is no danger of accidentally - * decoding some entity other than & in this step because without - * unescaped ampersands there can be no other entities in the string. + * we are forced to work around it. */ - value = xmlStringLenDecodeEntities(vctxt->parserCtxt, attributes[j+3], - attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0); + valueLen = attributes[j+4] - attributes[j+3]; + value = xmlMallocAtomic(valueLen + 1); + if (value == NULL) { + xmlSchemaVErrMemory(vctxt, + "allocating string for decoded attribute", + NULL); + goto internal_error; + } + for (k = 0, l = 0; k < valueLen; l++) { + if (k < valueLen - 4 && + attributes[j+3][k+0] == '&' && + attributes[j+3][k+1] == '#' && + attributes[j+3][k+2] == '3' && + attributes[j+3][k+3] == '8' && + attributes[j+3][k+4] == ';') { + value[l] = '&'; + k += 5; + } else { + value[l] = attributes[j+3][k]; + k++; + } + } + value[l] = '\0'; /* * TODO: Set the node line. */ diff --git a/chromium/third_party/libxml/src/xpath.c b/chromium/third_party/libxml/src/xpath.c index a0d993a1fb5..7c24a824ec0 100644 --- a/chromium/third_party/libxml/src/xpath.c +++ b/chromium/third_party/libxml/src/xpath.c 
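Review bot: The hand-written loop in xmlSchemaSAXHandleStartElementNs has no comment stating its contract: it rewrites only the exact five-byte sequence '&', '#', '3', '8', ';' to a single '&' and copies every other byte verbatim, so nothing else in the attribute value is expanded now that the xmlStringLenDecodeEntities call is gone. I would put that above the loop, e.g. `/* Undo only the parser's escaping of '&'; all other bytes are copied unchanged. */`, because the sentence this commit removes from the old comment was the only place that reasoning was written down. Separately, `valueLen` is an `int` holding a pointer difference that is then passed to `xmlMallocAtomic(valueLen + 1)`; whether attribute values are bounded below INT_MAX on this build is not visible here, so the length should be range-checked before the allocation. The counter `l` declared in the preceding hunk is easy to misread as `1`; `out` would be clearer. The function starts and ends outside the hunk.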
@@ -14008,9 +14008,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) xmlNodeSetPtr oldset; int i, j; - if (op->ch1 != -1) + if (op->ch1 != -1) { total += xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); + CHECK_ERROR0; + } + if (ctxt->value == NULL) { + XP_ERROR0(XPATH_INVALID_OPERAND); + } if (op->ch2 == -1) return (total); |
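Review bot: The added `ctxt->value == NULL` test in xmlXPathCompOpEval carries no comment, and the hunk does not show which `case` of the switch it protects. A line such as `/* evaluating ch1 may leave the value stack empty; fail before the operand is used */` would record why it is needed. The test also runs when `op->ch1 == -1`, where nothing was evaluated in this step, and it sits before the `op->ch2 == -1` early return. If that return could previously be reached with an empty stack, the step now fails with XPATH_INVALID_OPERAND instead, which is a behaviour change worth confirming against the code outside the hunk.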