#
-# Copyright (C) 2014 OpenWrt.org
+# Copyright (C) 2014 - 2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
PKG_NAME:=libxslt
PKG_VERSION:=1.1.28
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
endef
CONFIGURE_ARGS+= \
+ --disable-silent-rules \
--enable-shared \
--enable-static \
--without-python \
--- /dev/null
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 30 Jan 2013 16:31:37 +0000
+Subject: Fix a couple of places where (f)printf parameters were broken
+
+As reported by Thomas Jarosch <thomas.jarosch@intra2net.com>
+---
+ python/libxslt.c | 10 +++++-----
+ xsltproc/xsltproc.c | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/python/libxslt.c b/python/libxslt.c
+index 6a4f1c3..8dd6c78 100644
+--- a/python/libxslt.c
++++ b/python/libxslt.c
+@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED,
+ PyObject *pyobj_element_f;
+ PyObject *pyobj_precomp_f;
+
+-#ifdef DEBUG_EXTENSIONS
+- printf("libxslt_xsltRegisterExtModuleElement called\n",
+- name, ns_uri);
+-#endif
+-
+ if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement",
+ &name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f))
+ return(NULL);
+
++#ifdef DEBUG_EXTENSIONS
++ printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n",
++ name, ns_uri);
++#endif
++
+ if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) {
+ py_retval = libxml_intWrap(-1);
+ return(py_retval);
+diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
+index 9ec4b76..33beddf 100644
+--- a/xsltproc/xsltproc.c
++++ b/xsltproc/xsltproc.c
+@@ -319,7 +319,7 @@ static void endTimer(char *format, ...)
+ va_start(ap, format);
+ vfprintf(stderr,format,ap);
+ va_end(ap);
+- fprintf(stderr, " was not timed\n", msec);
++ fprintf(stderr, " was not timed\n");
+ #else
+ /* We don't have gettimeofday, time or stdarg.h, what crazy world is
+ * this ?!
--- /dev/null
+From: Nils Werner <wernerns@iis.fraunhofer.de>
+Date: Thu, 24 Jan 2013 18:44:03 +0000
+Subject: Initialize pseudo random number generator with current time or
+ optional command line parameter
+
+---
+ xsltproc/xsltproc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
+index 33beddf..7d1fe61 100644
+--- a/xsltproc/xsltproc.c
++++ b/xsltproc/xsltproc.c
+@@ -514,6 +514,7 @@ static void usage(const char *name) {
+ printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth);
+ printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars);
+ printf("\t--maxparserdepth val : increase the maximum parser depth\n");
++ printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n");
+ #ifdef LIBXML_HTML_ENABLED
+ printf("\t--html: the input document is(are) an HTML file(s)\n");
+ #endif
+@@ -556,6 +557,7 @@ main(int argc, char **argv)
+ return (1);
+ }
+
++ srand(time(NULL));
+ xmlInitMemory();
+
+ LIBXML_TEST_VERSION
+@@ -750,6 +752,15 @@ main(int argc, char **argv)
+ if (value > 0)
+ xmlParserMaxDepth = value;
+ }
++ } else if ((!strcmp(argv[i], "-seed-rand")) ||
++ (!strcmp(argv[i], "--seed-rand"))) {
++ int value;
++
++ i++;
++ if (sscanf(argv[i], "%d", &value) == 1) {
++ if (value > 0)
++ srand(value);
++ }
+ } else if ((!strcmp(argv[i],"-dumpextensions"))||
+ (!strcmp(argv[i],"--dumpextensions"))) {
+ dumpextensions++;
+@@ -786,6 +797,10 @@ main(int argc, char **argv)
+ (!strcmp(argv[i], "--maxparserdepth"))) {
+ i++;
+ continue;
++ } else if ((!strcmp(argv[i], "-seed-rand")) ||
++ (!strcmp(argv[i], "--seed-rand"))) {
++ i++;
++ continue;
+ } else if ((!strcmp(argv[i], "-o")) ||
+ (!strcmp(argv[i], "-output")) ||
+ (!strcmp(argv[i], "--output"))) {
--- /dev/null
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 1 Jul 2013 13:10:10 +0000
+Subject: EXSLT function str:replace() is broken as-is
+
+the str:replace() function is no longer usable without a transform
+context. I take it from the bug report that it is not supposed to be used
+from plain XPath but only from XSLT according to the EXSLT specification.
+
+However, the previous implementation used to work in XPath and is still
+registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
+function. When called from plain XPath, it results in a memory error in
+line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
+returns NULL as an error indicator due to a NULL transform context being
+passed in, which was the return value from xsltXPathGetTransformContext() a
+bit further up (and the code doesn't validate that).
+
+Since fixing the function looks impossible, best is to remove it.
+---
+ libexslt/strings.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/libexslt/strings.c b/libexslt/strings.c
+index 045cc14..c0c7a18 100644
+--- a/libexslt/strings.c
++++ b/libexslt/strings.c
+@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix)
+ && !xmlXPathRegisterFuncNS(ctxt,
+ (const xmlChar *) "concat",
+ (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
+- exsltStrConcatFunction)
+- && !xmlXPathRegisterFuncNS(ctxt,
+- (const xmlChar *) "replace",
+- (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
+- exsltStrReplaceFunction)) {
++ exsltStrConcatFunction)) {
+ return 0;
+ }
+ return -1;
--- /dev/null
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 30 Jul 2013 11:57:28 +0000
+Subject: Fix quoting of xlocale test program in configure.in
+
+Double square brackets aren't needed anymore, probably due to the
+changes in commit a2cd8a03.
+---
+ configure.in | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 767e980..ac004fe 100644
+--- a/configure.in
++++ b/configure.in
+@@ -196,21 +196,21 @@ typedef locale_t xsltLocale;
+ #endif
+ ]],[[
+ xsltLocale locale;
+- const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" };
+- char *dst[[2]];
++ const char *src[2] = { "\xc3\x84rger", "Zeppelin" };
++ char *dst[2];
+ size_t len, r;
+ int i;
+
+ locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL);
+ if (locale == NULL) exit(1);
+ for (i=0; i<2; ++i) {
+- len = strxfrm_l(NULL, src[[i]], 0, locale) + 1;
+- dst[[i]] = malloc(len);
+- if(dst[[i]] == NULL) exit(1);
+- r = strxfrm_l(dst[[i]], src[[i]], len, locale);
++ len = strxfrm_l(NULL, src[i], 0, locale) + 1;
++ dst[i] = malloc(len);
++ if(dst[i] == NULL) exit(1);
++ r = strxfrm_l(dst[i], src[i], len, locale);
+ if(r >= len) exit(1);
+ }
+- if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1);
++ if (strcmp(dst[0], dst[1]) >= 0) exit(1);
+
+ exit(0);
+ return(0);
--- /dev/null
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: [PATCH] Fix for type confusion in preprocessing attributes
+
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/preproc.c b/libxslt/preproc.c
+index 0eb80a0..7f69325 100644
+--- a/libxslt/preproc.c
++++ b/libxslt/preproc.c
+@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
+ } else if (IS_XSLT_NAME(inst, "attribute")) {
+ xmlNodePtr parent = inst->parent;
+
+- if ((parent == NULL) || (parent->ns == NULL) ||
++ if ((parent == NULL) ||
++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+ ((parent->ns != inst->ns) &&
+ (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+ (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
+--
+2.8.1
+
--- /dev/null
+From 3309feb654036280d2355f8025150a69bfded6e2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 3 Jan 2016 16:45:24 +0100
+Subject: [PATCH] Always initialize EXSLT month and day to 1
+
+Fixes bug #757970
+https://bugzilla.gnome.org/show_bug.cgi?id=757970
+---
+ libexslt/date.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/libexslt/date.c b/libexslt/date.c
+index 9ca993c..272c61b 100644
+--- a/libexslt/date.c
++++ b/libexslt/date.c
+@@ -667,6 +667,11 @@ exsltDateCreateDate (exsltDateType type)
+ }
+ memset (ret, 0, sizeof(exsltDateVal));
+
++ if (type != XS_DURATION) {
++ ret->value.date.mon = 1;
++ ret->value.date.day = 1;
++ }
++
+ if (type != EXSLT_UNKNOWN)
+ ret->type = type;
+
+@@ -1395,10 +1400,10 @@ _exsltDateTruncateDate (exsltDateValPtr dt, exsltDateType type)
+ }
+
+ if ((type & XS_GDAY) != XS_GDAY)
+- dt->value.date.day = 0;
++ dt->value.date.day = 1;
+
+ if ((type & XS_GMONTH) != XS_GMONTH)
+- dt->value.date.mon = 0;
++ dt->value.date.mon = 1;
+
+ if ((type & XS_GYEAR) != XS_GYEAR)
+ dt->value.date.year = 0;
+@@ -1473,18 +1478,10 @@ _exsltDateAdd (exsltDateValPtr dt, exsltDateValPtr dur)
+ d = &(dt->value.date);
+ u = &(dur->value.dur);
+
+- /* normalization */
+- if (d->mon == 0)
+- d->mon = 1;
+-
+ /* normalize for time zone offset */
+ u->sec -= (d->tzo * 60); /* changed from + to - (bug 153000) */
+ d->tzo = 0;
+
+- /* normalization */
+- if (d->day == 0)
+- d->day = 1;
+-
+ /* month */
+ carry = d->mon + u->mon;
+ r->mon = (unsigned int)MODULO_RANGE(carry, 1, 13);
+--
+2.8.1
+
--- /dev/null
+From fc1ff481fd01e9a65a921c542fed68d8c965e8a3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 25 Feb 2016 17:16:06 +0100
+Subject: [PATCH] Fix use-after-free in xsltDocumentFunctionLoadDocument
+
+Also fixes a memory leak in an unlikely error case.
+
+Fixes bug #758291
+https://bugzilla.gnome.org/show_bug.cgi?id=758291
+---
+ libxslt/functions.c | 3 ++-
+ tests/docs/bug-185-data.xml | 5 +++++
+ tests/docs/bug-185.xml | 2 ++
+ tests/general/bug-185.err | 3 +++
+ tests/general/bug-185.out | 0
+ tests/general/bug-185.xsl | 14 ++++++++++++++
+ 6 files changed, 26 insertions(+), 1 deletion(-)
+ create mode 100644 tests/docs/bug-185-data.xml
+ create mode 100644 tests/docs/bug-185.xml
+ create mode 100644 tests/general/bug-185.err
+ create mode 100644 tests/general/bug-185.out
+ create mode 100644 tests/general/bug-185.xsl
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 549649c..a5e7021 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+ resObj = xmlXPtrEval(fragment, xptrctxt);
+ xmlXPathFreeContext(xptrctxt);
+ #endif
+- xmlFree(fragment);
+
+ if (resObj == NULL)
+ goto out_fragment;
+@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+ }
+
+ valuePush(ctxt, resObj);
++ xmlFree(fragment);
+ return;
+
+ out_object:
+@@ -211,6 +211,7 @@ out_object:
+
+ out_fragment:
+ valuePush(ctxt, xmlXPathNewNodeSet(NULL));
++ xmlFree(fragment);
+ }
+
+ /**
+diff --git a/tests/docs/bug-185-data.xml b/tests/docs/bug-185-data.xml
+new file mode 100644
+index 0000000..166ef17
+--- /dev/null
++++ b/tests/docs/bug-185-data.xml
+@@ -0,0 +1,5 @@
++<!DOCTYPE test [ <!ATTLIST A id ID #REQUIRED> ] >
++<test>
++ <A id="X"/>
++ <A id="Y"/>
++</test>
+diff --git a/tests/docs/bug-185.xml b/tests/docs/bug-185.xml
+new file mode 100644
+index 0000000..72bfdc4
+--- /dev/null
++++ b/tests/docs/bug-185.xml
+@@ -0,0 +1,2 @@
++<?xml-stylesheet href="poc.xsl" type="text/xsl"?>
++<in>bug-185-data.xml#xpointer(id('X')/range-to(id('Y')))</in>
+diff --git a/tests/general/bug-185.err b/tests/general/bug-185.err
+new file mode 100644
+index 0000000..d7bbe92
+--- /dev/null
++++ b/tests/general/bug-185.err
+@@ -0,0 +1,3 @@
++runtime error: file ./bug-185.xsl line 7 element copy-of
++document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y')))
++no result for ./../docs/bug-185.xml
+diff --git a/tests/general/bug-185.out b/tests/general/bug-185.out
+new file mode 100644
+index 0000000..e69de29
+diff --git a/tests/general/bug-185.xsl b/tests/general/bug-185.xsl
+new file mode 100644
+index 0000000..1c5c7d1
+--- /dev/null
++++ b/tests/general/bug-185.xsl
+@@ -0,0 +1,14 @@
++<?xml version="1.0" encoding="utf-8"?>
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:template match="in">
++ <annotation>
++ <xsl:copy-of select="."/>
++ <value>
++ <xsl:copy-of select="document(.)"/>
++ </value>
++ </annotation>
++ </xsl:template>
++ <xsl:template match="@*|node()">
++ <xsl:apply-templates/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.8.1
+
--- /dev/null
+From d182d8f6ba3071503d96ce17395c9d55871f0242 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 22 Mar 2016 18:20:01 +0100
+Subject: [PATCH] Fix xsltNumberFormatGetMultipleLevel
+
+Namespace nodes are actually an xmlNs, not an xmlNode. They must be
+special-cased in xsltNumberFormatGetMultipleLevel to avoid an
+out-of-bounds heap access.
+
+Move the test whether a node matches the "count" pattern to a separate
+function to make the code more readable. As a side effect, we also
+compare expanded names when walking up the ancestor axis, fixing an
+insignificant bug.
+---
+ libxslt/numbers.c | 82 +++++++++++++++++++++++++++--------------------
+ tests/docs/bug-186.xml | 4 +++
+ tests/general/bug-186.out | 5 +++
+ tests/general/bug-186.xsl | 7 ++++
+ 4 files changed, 63 insertions(+), 35 deletions(-)
+ create mode 100644 tests/docs/bug-186.xml
+ create mode 100644 tests/general/bug-186.out
+ create mode 100644 tests/general/bug-186.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index e3209e0..184ee6f 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
+ }
+
+ static int
++xsltTestCompMatchCount(xsltTransformContextPtr context,
++ xmlNodePtr node,
++ xsltCompMatchPtr countPat,
++ xmlNodePtr cur)
++{
++ if (countPat != NULL) {
++ return xsltTestCompMatchList(context, node, countPat);
++ }
++ else {
++ /*
++ * 7.7 Numbering
++ *
++ * If count attribute is not specified, then it defaults to the
++ * pattern that matches any node with the same node type as the
++ * current node and, if the current node has an expanded-name, with
++ * the same expanded-name as the current node.
++ */
++ if (node->type != cur->type)
++ return 0;
++ if (node->type == XML_NAMESPACE_DECL)
++ /*
++ * Namespace nodes have no preceding siblings and no parents
++ * that are namespace nodes. This means that node == cur.
++ */
++ return 1;
++ /* TODO: Skip node types without expanded names like text nodes. */
++ if (!xmlStrEqual(node->name, cur->name))
++ return 0;
++ if (node->ns == cur->ns)
++ return 1;
++ if ((node->ns == NULL) || (cur->ns == NULL))
++ return 0;
++ return (xmlStrEqual(node->ns->href, cur->ns->href));
++ }
++}
++
++static int
+ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
+ xmlNodePtr node,
+ xsltCompMatchPtr countPat,
+@@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
+
+ while (cur != NULL) {
+ /* process current node */
+- if (countPat == NULL) {
+- if ((node->type == cur->type) &&
+- /* FIXME: must use expanded-name instead of local name */
+- xmlStrEqual(node->name, cur->name)) {
+- if ((node->ns == cur->ns) ||
+- ((node->ns != NULL) &&
+- (cur->ns != NULL) &&
+- (xmlStrEqual(node->ns->href,
+- cur->ns->href) )))
+- cnt++;
+- }
+- } else {
+- if (xsltTestCompMatchList(context, cur, countPat))
+- cnt++;
+- }
++ if (xsltTestCompMatchCount(context, cur, countPat, node))
++ cnt++;
+ if ((fromPat != NULL) &&
+ xsltTestCompMatchList(context, cur, fromPat)) {
+ break; /* while */
+@@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context,
+ xsltTestCompMatchList(context, ancestor, fromPat))
+ break; /* for */
+
+- if ((countPat == NULL && node->type == ancestor->type &&
+- xmlStrEqual(node->name, ancestor->name)) ||
+- xsltTestCompMatchList(context, ancestor, countPat)) {
++ if (xsltTestCompMatchCount(context, ancestor, countPat, node)) {
+ /* count(preceding-sibling::*) */
+- cnt = 0;
+- for (preceding = ancestor;
++ cnt = 1;
++ for (preceding =
++ xmlXPathNextPrecedingSibling(parser, ancestor);
+ preceding != NULL;
+ preceding =
+ xmlXPathNextPrecedingSibling(parser, preceding)) {
+- if (countPat == NULL) {
+- if ((preceding->type == ancestor->type) &&
+- xmlStrEqual(preceding->name, ancestor->name)){
+- if ((preceding->ns == ancestor->ns) ||
+- ((preceding->ns != NULL) &&
+- (ancestor->ns != NULL) &&
+- (xmlStrEqual(preceding->ns->href,
+- ancestor->ns->href) )))
+- cnt++;
+- }
+- } else {
+- if (xsltTestCompMatchList(context, preceding,
+- countPat))
+- cnt++;
+- }
++
++ if (xsltTestCompMatchCount(context, preceding, countPat,
++ node))
++ cnt++;
+ }
+ array[amount++] = (double)cnt;
+ if (amount >= max)
+diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml
+new file mode 100644
+index 0000000..424db6b
+--- /dev/null
++++ b/tests/docs/bug-186.xml
+@@ -0,0 +1,4 @@
++<top xmlns:a="AAAA" xmlns:b="BBBB" xmlns:c="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
++<foo/>
++<bar/>
++</top>
+diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out
+new file mode 100644
+index 0000000..01a59f8
+--- /dev/null
++++ b/tests/general/bug-186.out
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++
++1111
++1111
++
+diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl
+new file mode 100644
+index 0000000..9c491dd
+--- /dev/null
++++ b/tests/general/bug-186.xsl
+@@ -0,0 +1,7 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++ <xsl:template match="*/*">
++ <xsl:for-each select="namespace::*">
++ <xsl:number/>
++ </xsl:for-each>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.8.1
+
--- /dev/null
+From 345e0bfb1c1131155a32dfbdfc8f78d1c602dc40 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 10 Apr 2016 12:50:02 +0200
+Subject: [PATCH] Round xsl:number values to nearest integer
+
+This matches XSLT 2.0 behavior.
+---
+ libxslt/numbers.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 184ee6f..eb087bc 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -440,6 +440,8 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
+ for (i = 0; i < numbers_max; i++) {
+ /* Insert number */
+ number = numbers[(numbers_max - 1) - i];
++ /* Round to nearest like XSLT 2.0 */
++ number = floor(number + 0.5);
+ if (i < tokens->nTokens) {
+ /*
+ * The "n"th format token will be used to format the "n"th
+--
+2.8.1
+
--- /dev/null
+From 69ec3da1b653024aca6515ddd4adc91919dd188e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 10 Apr 2016 12:51:57 +0200
+Subject: [PATCH] Handle negative xsl:number values
+
+According to XSLT 2.0, negative values are a non-recoverable dynamic error.
+Print an error message and treat negative values as zero.
+
+Fixes an OOB array access in xsltNumberFormatAlpha.
+---
+ libxslt/numbers.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index eb087bc..a3cabcf 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -246,7 +246,7 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
+ number--;
+ *(--pointer) = alpha_list[((int)fmod(number, alpha_size))];
+ number /= alpha_size;
+- if (fabs(number) < 1.0)
++ if (number < 1.0)
+ break; /* for */
+ }
+ xmlBufferCCat(buffer, pointer);
+@@ -442,6 +442,21 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
+ number = numbers[(numbers_max - 1) - i];
+ /* Round to nearest like XSLT 2.0 */
+ number = floor(number + 0.5);
++ /*
++ * XSLT 1.0 isn't clear on how to handle negative numbers, but XSLT
++ * 2.0 says:
++ *
++ * It is a non-recoverable dynamic error if any undiscarded item
++ * in the atomized sequence supplied as the value of the value
++ * attribute of xsl:number cannot be converted to an integer, or
++ * if the resulting integer is less than 0 (zero).
++ */
++ if (number < 0.0) {
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl-number : negative value\n");
++ /* Recover by treating negative values as zero. */
++ number = 0.0;
++ }
+ if (i < tokens->nTokens) {
+ /*
+ * The "n"th format token will be used to format the "n"th
+--
+2.8.1
+
--- /dev/null
+From 405034286fbdd6166229335b7203a41bf53b40fc Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 10 Apr 2016 13:11:31 +0200
+Subject: [PATCH] Lower bound for format token "a"
+
+Handle xsl:number with format "a" and value 0 according to XSLT 2.0.
+
+Fixes an OOB array access in xsltNumberFormatAlpha.
+---
+ libxslt/numbers.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index a3cabcf..af52883 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -227,7 +227,8 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer,
+ }
+
+ static void
+-xsltNumberFormatAlpha(xmlBufferPtr buffer,
++xsltNumberFormatAlpha(xsltNumberDataPtr data,
++ xmlBufferPtr buffer,
+ double number,
+ int is_upper)
+ {
+@@ -237,6 +238,26 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
+ char *alpha_list;
+ double alpha_size = (double)(sizeof(alpha_upper_list) - 1);
+
++ /*
++ * XSLT 1.0 isn't clear on how to handle zero, but XSLT 2.0 says:
++ *
++ * For all format tokens other than the first kind above (one that
++ * consists of decimal digits), there may be implementation-defined
++ * lower and upper bounds on the range of numbers that can be
++ * formatted using this format token; indeed, for some numbering
++ * sequences there may be intrinsic limits. [...] Numbers that fall
++ * outside this range must be formatted using the format token 1.
++ *
++ * The "a" token has an intrinsic lower limit of 1.
++ */
++ if (number < 1.0) {
++ xsltNumberFormatDecimal(buffer, number, '0', 1,
++ data->digitsPerGroup,
++ data->groupingCharacter,
++ data->groupingCharacterLen);
++ return;
++ }
++
+ /* Build buffer from back */
+ pointer = &temp_string[sizeof(temp_string)];
+ *(--pointer) = 0;
+@@ -500,16 +521,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
+
+ switch (token->token) {
+ case 'A':
+- xsltNumberFormatAlpha(buffer,
+- number,
+- TRUE);
+-
++ xsltNumberFormatAlpha(data, buffer, number, TRUE);
+ break;
+ case 'a':
+- xsltNumberFormatAlpha(buffer,
+- number,
+- FALSE);
+-
++ xsltNumberFormatAlpha(data, buffer, number, FALSE);
+ break;
+ case 'I':
+ xsltNumberFormatRoman(buffer,
+--
+2.8.1
+
--- /dev/null
+From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 10 Apr 2016 13:12:28 +0200
+Subject: [PATCH] Lower and upper bound for format token "i"
+
+Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
+
+Also introduce an upper bound to fix a denial of service.
+---
+ libxslt/numbers.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index af52883..e769c42 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
+ }
+
+ static void
+-xsltNumberFormatRoman(xmlBufferPtr buffer,
++xsltNumberFormatRoman(xsltNumberDataPtr data,
++ xmlBufferPtr buffer,
+ double number,
+ int is_upper)
+ {
+ /*
++ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
++ * bound to avoid denial of service.
++ */
++ if (number < 1.0 || number > 5000.0) {
++ xsltNumberFormatDecimal(buffer, number, '0', 1,
++ data->digitsPerGroup,
++ data->groupingCharacter,
++ data->groupingCharacterLen);
++ return;
++ }
++
++ /*
+ * Based on an example by Jim Walsh
+ */
+ while (number >= 1000.0) {
+@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
+ xsltNumberFormatAlpha(data, buffer, number, FALSE);
+ break;
+ case 'I':
+- xsltNumberFormatRoman(buffer,
+- number,
+- TRUE);
+-
++ xsltNumberFormatRoman(data, buffer, number, TRUE);
+ break;
+ case 'i':
+- xsltNumberFormatRoman(buffer,
+- number,
+- FALSE);
+-
++ xsltNumberFormatRoman(data, buffer, number, FALSE);
+ break;
+ default:
+ if (IS_DIGIT_ZERO(token->token)) {
+--
+2.8.1
+
--- /dev/null
+From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 20 Apr 2016 14:35:43 +0200
+Subject: [PATCH] Fix double free in libexslt hash functions
+
+Thanks to Nicolas Gregoire for the report.
+
+Fixes bug #765271:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=765271
+---
+ libexslt/crypto.c | 15 +++------------
+ tests/exslt/crypto/hash.1.out | 2 ++
+ tests/exslt/crypto/hash.1.xml | 5 +++++
+ 3 files changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/libexslt/crypto.c b/libexslt/crypto.c
+index 6aa9dd2..e13db8b 100644
+--- a/libexslt/crypto.c
++++ b/libexslt/crypto.c
+@@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) {
+ unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
+
+ str_len = exsltCryptoPopString (ctxt, nargs, &str);
+- if (str_len == 0) {
+- xmlXPathReturnEmptyString (ctxt);
+- xmlFree (str);
++ if (str_len == 0)
+ return;
+- }
+
+ PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len,
+ (char *) hash);
+@@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) {
+ unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
+
+ str_len = exsltCryptoPopString (ctxt, nargs, &str);
+- if (str_len == 0) {
+- xmlXPathReturnEmptyString (ctxt);
+- xmlFree (str);
++ if (str_len == 0)
+ return;
+- }
+
+ PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len,
+ (char *) hash);
+@@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) {
+ unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1];
+
+ str_len = exsltCryptoPopString (ctxt, nargs, &str);
+- if (str_len == 0) {
+- xmlXPathReturnEmptyString (ctxt);
+- xmlFree (str);
++ if (str_len == 0)
+ return;
+- }
+
+ PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len,
+ (char *) hash);
+--
+2.8.1
+
--- /dev/null
+From 5d0c6565bab5b9b7efceb33b626916d22b4101a7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 28 Apr 2016 17:34:27 +0200
+Subject: [PATCH] Fix buffer overflow in exsltDateFormat
+
+Long years can overflow a stack-based buffer on 64-bit platforms by
+up to four bytes.
+
+Thanks to Nicolas Gregoire for the report.
+
+Fixes bug #765380:
+
+https://bugzilla.gnome.org/show_bug.cgi?id=765380
+---
+ libexslt/date.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libexslt/date.c b/libexslt/date.c
+index 272c61b..12c9919 100644
+--- a/libexslt/date.c
++++ b/libexslt/date.c
+@@ -1283,7 +1283,7 @@ exsltDateFormat (const exsltDateValPtr dt)
+ }
+
+ if (dt->type & XS_GYEAR) {
+- xmlChar buf[20], *cur = buf;
++ xmlChar buf[100], *cur = buf;
+
+ FORMAT_GYEAR(dt->value.date.year, cur);
+ if (dt->type == XS_GYEARMONTH) {
+--
+2.8.1
+
--- /dev/null
+From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 5 May 2016 15:12:48 +0200
+Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic
+
+xsltExtModuleRegisterDynamic would read a byte before the start of a
+string under certain circumstances. I looks like this piece code was
+supposed to strip characters from the end of the extension name, but
+it didn't have any effect. Don't read beyond the beginning of the
+string and actually strip unwanted characters.
+
+Found with afl-fuzz and ASan.
+---
+ libxslt/extensions.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/extensions.c b/libxslt/extensions.c
+index 5ad73cb..ae6eef0 100644
+--- a/libxslt/extensions.c
++++ b/libxslt/extensions.c
+@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI)
+ i++;
+ }
+
+- if (*(i - 1) == '_')
++ /* Strip underscores from end of string. */
++ while (i > ext_name && *(i - 1) == '_') {
++ i--;
+ *i = '\0';
++ }
+
+ /* determine module directory */
+ ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH");
+--
+2.8.1
+
--- /dev/null
+From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jun 2016 14:23:58 +0200
+Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
+
+An empty decimal-separator could cause a heap overread. This can be
+exploited to leak a couple of bytes after the buffer that holds the
+pattern string.
+
+Found with afl-fuzz and ASan.
+---
+ libxslt/numbers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index d1549b4..e78c46b 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
+ }
+
+ /* We have finished the integer part, now work on fraction */
+- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
++ if ( (*the_format != 0) &&
++ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
+ format_info.add_decimal = TRUE;
+ the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
+ }
+--
+2.10.2
+
--- /dev/null
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h | 4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133fc..02bff34a 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ return(target);
+
+ if (ctxt->lasttext == target->content) {
++ int minSize;
+
+- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++ /* Check for integer overflow accounting for NUL terminator. */
++ if (len >= INT_MAX - ctxt->lasttuse) {
++ xsltTransformError(ctxt, NULL, target,
++ "xsltCopyText: text allocation failed\n");
++ return(NULL);
++ }
++ minSize = ctxt->lasttuse + len + 1;
++
++ if (ctxt->lasttsize < minSize) {
+ xmlChar *newbuf;
+ int size;
++ int extra;
++
++ /* Double buffer size but increase by at least 100 bytes. */
++ extra = minSize < 100 ? 100 : minSize;
++
++ /* Check for integer overflow. */
++ if (extra > INT_MAX - ctxt->lasttsize) {
++ size = INT_MAX;
++ }
++ else {
++ size = ctxt->lasttsize + extra;
++ }
+
+- size = ctxt->lasttsize + len + 100;
+- size *= 2;
+ newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ if (newbuf == NULL) {
+ xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b1783..5ad17719 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+ * Speed optimization when coalescing text nodes
+ */
+ const xmlChar *lasttext; /* last text node content */
+- unsigned int lasttsize; /* last text node size */
+- unsigned int lasttuse; /* last text node use */
++ int lasttsize; /* last text node size */
++ int lasttuse; /* last text node use */
+ /*
+ * Per Context Debugging
+ */
+--
+2.11.0
+