Merge commit '66453240c94b5cbd3e9ae9b32016fdafb13cdf18'

Author: Sibras

.gitlab-ci.yml

@@ -1,3 +1,9 @@
+include:
+  - component: "gitlab.gnome.org/GNOME/citemplates/release-service@master"
+    inputs:
+      dist-job-name: "dist"
+      tarball-artifact-path: "libxml2-dist/libxml2-2.13.6.tar.xz"
+
 .test:
   image: registry.gitlab.gnome.org/gnome/libxml2
   variables:
@@ -286,6 +292,14 @@ cmake:linux:gcc:shared:
     CC: gcc
     SUFFIX: linux-gcc-shared
 
+dist:
+  image: registry.gitlab.gnome.org/gnome/libxml2
+  script:
+    - sh .gitlab-ci/dist.sh
+  artifacts:
+    paths:
+      - libxml2-dist/*.tar.xz
+
 pages:
   script:
     - mkdir -p public

.gitlab-ci/dist.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+mkdir -p libxml2-dist
+cd libxml2-dist
+sh ../autogen.sh
+make distcheck V=1 DISTCHECK_CONFIGURE_FLAGS='--with-legacy'
+if [ -z "$CI_COMMIT_TAG" ]; then
+    mv libxml2-*.tar.xz libxml2-git-$CI_COMMIT_SHORT_SHA.tar.xz
+fi

CMakeLists.txt

@@ -149,7 +149,12 @@ if (NOT MSVC)
     check_function_exists(stat HAVE_STAT)
     check_include_files(stdint.h HAVE_STDINT_H)
     check_include_files(sys/mman.h HAVE_SYS_MMAN_H)
-    check_include_files(sys/random.h HAVE_SYS_RANDOM_H)
+    if (APPLE)
+        # In old macOS SDKs (ex: 10.15), sys/random.h fails to include header files it needs, so add them here.
+        check_include_files("Availability.h;stddef.h;sys/random.h" HAVE_SYS_RANDOM_H)
+    else()
+        check_include_files(sys/random.h HAVE_SYS_RANDOM_H)
+    endif()
     check_include_files(sys/select.h HAVE_SYS_SELECT_H)
     check_include_files(sys/socket.h HAVE_SYS_SOCKET_H)
     check_include_files(sys/stat.h HAVE_SYS_STAT_H)
@@ -549,7 +554,7 @@ if(LIBXML2_WITH_PYTHON)
     file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/libxml2.py.in "${LIBXML2CLASS_PY}")
     configure_file(${CMAKE_CURRENT_BINARY_DIR}/libxml2.py.in libxml2.py COPYONLY)
     add_library(
-        LibXml2Mod
+        LibXml2Mod SHARED
         libxml2-py.c
         libxml2-py.h
         python/libxml.c
@@ -611,7 +616,7 @@ install(
 write_basic_package_version_file(
     ${CMAKE_CURRENT_BINARY_DIR}/libxml2-config-version.cmake
     VERSION ${PROJECT_VERSION}
-    COMPATIBILITY ExactVersion
+    COMPATIBILITY SameMajorVersion
 )
 
 install(

NEWS

@@ -1,19 +1,50 @@
 NEWS file for libxml2
 
+v2.13.6: Feb 18 2025
+
+### Security
+
+- [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
+- [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
+- pattern: Fix compilation of explicit child axis
+
+### Regressions
+
+- xmllint: Support compressed input from stdin
+- uri: Fix handling of Windows drive letters
+- reader: Fix return value of xmlTextReaderReadString again
+- SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL
+
+### Portability
+
+- dict: Handle ENOSYS from getentropy gracefully
+- Fix compilation with uclibc (Dario Binacchi)
+- python: Declare init func with PyMODINIT_FUNC
+- tests: Fix sanitizer version check on old Apple clang
+- cmake: Work around broken sys/random.h in old macOS SDKs
+
+### Build
+
+- autotools: Set AC_CONFIG_AUX_DIR
+- cmake: Always build Python module as shared library
+- cmake: add missing `Bcrypt` link on Windows (Saleem Abdulrasool)
+- cmake: Fix compatibility in package version file
+
+
 v2.13.5: Nov 12 2024
 
 ### Regressions
 
-- xmlIO: Fix reading from non-regular files like pipes (Nick Wellnhofer)
-- xmlreader: Fix return value of xmlTextReaderReadString (Nick Wellnhofer)
-- parser: Fix loading of parameter entities in external DTDs (Nick Wellnhofer)
-- parser: Fix downstream code that swaps DTDs (Nick Wellnhofer)
-- parser: Fix detection of duplicate attributes (Nick Wellnhofer)
-- string: Fix va_copy fallback (Nick Wellnhofer)
+- xmlIO: Fix reading from non-regular files like pipes
+- xmlreader: Fix return value of xmlTextReaderReadString
+- parser: Fix loading of parameter entities in external DTDs
+- parser: Fix downstream code that swaps DTDs
+- parser: Fix detection of duplicate attributes
+- string: Fix va_copy fallback
 
 ### Bug fixes
 
-- xpath: Fix parsing of non-ASCII names (Nick Wellnhofer)
+- xpath: Fix parsing of non-ASCII names
 
 
 v2.13.4: Sep 18 2024

SAX2.c

@@ -404,42 +404,48 @@ xmlSAX2ResolveEntity(void *ctx, const xmlChar *publicId, const xmlChar *systemId
 {
     xmlParserCtxtPtr ctxt = (xmlParserCtxtPtr) ctx;
     xmlParserInputPtr ret = NULL;
-    xmlChar *URI;
-    const xmlChar *base = NULL;
-    int res;
+    xmlChar *URI = NULL;
 
     if (ctx == NULL) return(NULL);
-    if (ctxt->input != NULL)
-	base = BAD_CAST ctxt->input->filename;
 
-    /*
-     * We don't really need the 'directory' struct member, but some
-     * users set it manually to a base URI for memory streams.
-     */
-    if (base == NULL)
-        base = BAD_CAST ctxt->directory;
+    if (systemId != NULL) {
+        const xmlChar *base = NULL;
+        int res;
 
-    if ((xmlStrlen(systemId) > XML_MAX_URI_LENGTH) ||
-        (xmlStrlen(base) > XML_MAX_URI_LENGTH)) {
-        xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
-        return(NULL);
-    }
-    res = xmlBuildURISafe(systemId, base, &URI);
-    if (URI == NULL) {
-        if (res < 0)
-            xmlSAX2ErrMemory(ctxt);
-        else
-            xmlWarnMsg(ctxt, XML_ERR_INVALID_URI,
-                       "Can't resolve URI: %s\n", systemId);
-        return(NULL);
-    }
-    if (xmlStrlen(URI) > XML_MAX_URI_LENGTH) {
-        xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
-    } else {
-        ret = xmlLoadExternalEntity((const char *) URI,
-                                    (const char *) publicId, ctxt);
+        if (ctxt->input != NULL)
+            base = BAD_CAST ctxt->input->filename;
+
+        /*
+         * We don't really need the 'directory' struct member, but some
+         * users set it manually to a base URI for memory streams.
+         */
+        if (base == NULL)
+            base = BAD_CAST ctxt->directory;
+
+        if ((xmlStrlen(systemId) > XML_MAX_URI_LENGTH) ||
+            (xmlStrlen(base) > XML_MAX_URI_LENGTH)) {
+            xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
+            return(NULL);
+        }
+        res = xmlBuildURISafe(systemId, base, &URI);
+        if (URI == NULL) {
+            if (res < 0)
+                xmlSAX2ErrMemory(ctxt);
+            else
+                xmlWarnMsg(ctxt, XML_ERR_INVALID_URI,
+                           "Can't resolve URI: %s\n", systemId);
+            return(NULL);
+        }
+        if (xmlStrlen(URI) > XML_MAX_URI_LENGTH) {
+            xmlFatalErr(ctxt, XML_ERR_RESOURCE_LIMIT, "URI too long");
+            xmlFree(URI);
+            return(NULL);
+        }
     }
 
+    ret = xmlLoadExternalEntity((const char *) URI,
+                                (const char *) publicId, ctxt);
+
     xmlFree(URI);
     return(ret);
 }

configure.ac

@@ -3,12 +3,13 @@ AC_PREREQ([2.63])
 
 m4_define([MAJOR_VERSION], 2)
 m4_define([MINOR_VERSION], 13)
-m4_define([MICRO_VERSION], 5)
+m4_define([MICRO_VERSION], 6)
 
 AC_INIT([libxml2],[MAJOR_VERSION.MINOR_VERSION.MICRO_VERSION])
 AC_CONFIG_SRCDIR([entities.c])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
+AC_CONFIG_AUX_DIR([.])
 AC_CANONICAL_HOST
 
 LIBXML_MAJOR_VERSION=MAJOR_VERSION

dict.c

@@ -928,14 +928,15 @@ xmlDictQLookup(xmlDictPtr dict, const xmlChar *prefix, const xmlChar *name) {
   #define WIN32_LEAN_AND_MEAN
   #include <windows.h>
   #include <bcrypt.h>
-#elif defined(HAVE_GETENTROPY)
-  #ifdef HAVE_UNISTD_H
-    #include <unistd.h>
-  #endif
-  #ifdef HAVE_SYS_RANDOM_H
-    #include <sys/random.h>
-  #endif
 #else
+  #if defined(HAVE_GETENTROPY)
+    #ifdef HAVE_UNISTD_H
+      #include <unistd.h>
+    #endif
+    #ifdef HAVE_SYS_RANDOM_H
+      #include <sys/random.h>
+    #endif
+  #endif
   #include <time.h>
 #endif
 
@@ -965,9 +966,21 @@ xmlInitRandom(void) {
                     "error code %lu\n", GetLastError());
             abort();
         }
-#elif defined(HAVE_GETENTROPY)
+#else
+        int var;
+
+#if defined(HAVE_GETENTROPY)
         while (1) {
             if (getentropy(globalRngState, sizeof(globalRngState)) == 0)
+                return;
+
+            /*
+             * This most likely means that libxml2 was compiled on
+             * a system supporting certain system calls and is running
+             * on a system that doesn't support these calls, as can
+             * be the case on Linux.
+             */
+            if (errno == ENOSYS)
                 break;
 
             if (errno != EINTR) {
@@ -976,8 +989,7 @@ xmlInitRandom(void) {
                 abort();
             }
         }
-#else
-        int var;
+#endif
 
         globalRngState[0] =
                 (unsigned) time(NULL) ^

encoding.c

@@ -1264,7 +1264,7 @@ DECLARE_ISO_FUNCS(16)
 #endif /* LIBXML_ISO8859X_ENABLED */
 
 #ifdef LIBXML_ICONV_ENABLED
-  #define EMPTY_ICONV , (iconv_t) 0, (iconv_t) 0
+  #define EMPTY_ICONV , (iconv_t) -1, (iconv_t) -1
 #else
   #define EMPTY_ICONV
 #endif
@@ -1389,8 +1389,8 @@ xmlNewCharEncodingHandler(const char *name,
     handler->name = up;
 
 #ifdef LIBXML_ICONV_ENABLED
-    handler->iconv_in = NULL;
-    handler->iconv_out = NULL;
+    handler->iconv_in = (iconv_t) -1;
+    handler->iconv_out = (iconv_t) -1;
 #endif
 #ifdef LIBXML_ICU_ENABLED
     handler->uconv_in = NULL;
@@ -1641,6 +1641,10 @@ xmlCreateUconvHandler(const char *name, xmlCharEncodingHandler **out) {
     }
     enc->input = NULL;
     enc->output = NULL;
+#ifdef LIBXML_ICONV_ENABLED
+    enc->iconv_in = (iconv_t) -1;
+    enc->iconv_out = (iconv_t) -1;
+#endif
     enc->uconv_in = ucv_in;
     enc->uconv_out = ucv_out;
 
@@ -2200,7 +2204,7 @@ xmlEncInputChunk(xmlCharEncodingHandler *handler, unsigned char *out,
         }
     }
 #ifdef LIBXML_ICONV_ENABLED
-    else if (handler->iconv_in != NULL) {
+    else if (handler->iconv_in != (iconv_t) -1) {
         ret = xmlIconvWrapper(handler->iconv_in, out, outlen, in, inlen);
     }
 #endif /* LIBXML_ICONV_ENABLED */
@@ -2260,7 +2264,7 @@ xmlEncOutputChunk(xmlCharEncodingHandler *handler, unsigned char *out,
         }
     }
 #ifdef LIBXML_ICONV_ENABLED
-    else if (handler->iconv_out != NULL) {
+    else if (handler->iconv_out != (iconv_t) -1) {
         ret = xmlIconvWrapper(handler->iconv_out, out, outlen, in, inlen);
     }
 #endif /* LIBXML_ICONV_ENABLED */
@@ -2672,17 +2676,17 @@ xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) {
      * Iconv handlers can be used only once, free the whole block.
      * and the associated icon resources.
      */
-    if ((handler->iconv_out != NULL) || (handler->iconv_in != NULL)) {
+    if ((handler->iconv_out != (iconv_t) -1) || (handler->iconv_in != (iconv_t) -1)) {
         tofree = 1;
-	if (handler->iconv_out != NULL) {
+	if (handler->iconv_out != (iconv_t) -1) {
 	    if (iconv_close(handler->iconv_out))
 		ret = -1;
-	    handler->iconv_out = NULL;
+	    handler->iconv_out = (iconv_t) -1;
 	}
-	if (handler->iconv_in != NULL) {
+	if (handler->iconv_in != (iconv_t) -1) {
 	    if (iconv_close(handler->iconv_in))
 		ret = -1;
-	    handler->iconv_in = NULL;
+	    handler->iconv_in = (iconv_t) -1;
 	}
     }
 #endif /* LIBXML_ICONV_ENABLED */

include/private/io.h

@@ -24,6 +24,9 @@ XML_HIDDEN xmlParserInputBufferPtr
 xmlNewInputBufferMemory(const void *mem, size_t size, int flags,
                         xmlCharEncoding enc);
 
+XML_HIDDEN int
+xmlInputFromFd(xmlParserInputBufferPtr buf, int fd, int unzip);
+
 #ifdef LIBXML_OUTPUT_ENABLED
 XML_HIDDEN xmlOutputBufferPtr
 xmlAllocOutputBufferInternal(xmlCharEncodingHandlerPtr encoder);

include/private/parser.h

@@ -90,6 +90,10 @@ xmlParserNsLookupSax(xmlParserCtxtPtr ctxt, const xmlChar *prefix);
 
 #define XML_INPUT_BUF_STATIC		(1u << 1)
 #define XML_INPUT_BUF_ZERO_TERMINATED	(1u << 2)
+#define XML_INPUT_UNZIP			(1u << 3)
+
+/* Internal parser option */
+#define XML_PARSE_UNZIP     (1 << 24)
 
 XML_HIDDEN xmlParserInputPtr
 xmlNewInputURL(xmlParserCtxtPtr ctxt, const char *url, const char *publicId,

libxml.h

@@ -55,7 +55,8 @@
 #endif
 
 #ifdef __clang__
-  #if __clang_major__ >= 12
+  #if (!defined(__apple_build_version__) && __clang_major__ >= 12) || \
+      (defined(__apple_build_version__) && __clang_major__ >= 13)
     #define ATTRIBUTE_NO_SANITIZE_INTEGER \
       ATTRIBUTE_NO_SANITIZE("unsigned-integer-overflow") \
       ATTRIBUTE_NO_SANITIZE("unsigned-shift-base")

libxml2-config.cmake.cmake.in

@@ -157,7 +157,7 @@ if(NOT LIBXML2_SHARED)
   endif()
 
   if(WIN32)
-    list(APPEND LIBXML2_LIBRARIES ws2_32)
+    list(APPEND LIBXML2_LIBRARIES ws2_32;Bcrypt)
   endif()
 endif()
 

libxml2-config.cmake.in

@@ -113,8 +113,8 @@ if(UNIX)
 endif()
 
 if(WIN32)
-  list(APPEND LIBXML2_LIBRARIES    ws2_32)
-  list(APPEND LIBXML2_INTERFACE_LINK_LIBRARIES "\$<LINK_ONLY:ws2_32>")
+  list(APPEND LIBXML2_LIBRARIES    ws2_32;Bcrypt)
+  list(APPEND LIBXML2_INTERFACE_LINK_LIBRARIES "\$<LINK_ONLY:ws2_32>;\$<LINK_ONLY:Bcrypt>")
 endif()
 
 # whether libxml2 has dso support