nokogiri 1.6.1 → 1.6.2.rc1

data/ports/patches/libxml2/0004-Fix-potential-out-of-bound-access.patch

@@ -0,0 +1,26 @@
+From c8385ccac9e9723a1f87da1c29da56d97df4af85 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 29 Oct 2012 10:39:55 +0800
+Subject: [PATCH 4/9] Fix potential out of bound access
+
+[Origin: 6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d]
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 9863275..e1b0364 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3932,7 +3932,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 	c = CUR_CHAR(l);
+     }
+     if ((in_space) && (normalize)) {
+-        while (buf[len - 1] == 0x20) len--;
++        while ((len > 0) && (buf[len - 1] == 0x20)) len--;
+     }
+     buf[len] = 0;
+     if (RAW == '<') {
+-- 
+1.8.4.1
+

data/ports/patches/libxml2/0005-Detect-excessive-entities-expansion-upon-replacement.patch

@@ -0,0 +1,158 @@
+From e8b2f1774cfffce792f38eb1116ea1104758cfc5 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 19 Feb 2013 10:21:49 +0800
+Subject: [PATCH 5/9] Detect excessive entities expansion upon replacement
+
+If entities expansion in the XML parser is asked for,
+it is possble to craft relatively small input document leading
+to excessive on-the-fly content generation.
+This patch accounts for those replacement and stop parsing
+after a given threshold. it can be bypassed as usual with the
+HUGE parser option.
+
+[Origin: 23f05e0c33987d6605387b300c4be5da2120a7ab]
+---
+ include/libxml/parser.h |  1 +
+ parser.c                | 44 ++++++++++++++++++++++++++++++++++++++------
+ parserInternals.c       |  2 ++
+ 3 files changed, 41 insertions(+), 6 deletions(-)
+
+diff --git a/include/libxml/parser.h b/include/libxml/parser.h
+index 04edb9d..5b36584 100644
+--- a/include/libxml/parser.h
++++ b/include/libxml/parser.h
+@@ -310,6 +310,7 @@ struct _xmlParserCtxt {
+     xmlParserNodeInfo *nodeInfoTab;   /* array of nodeInfos */
+ 
+     int                input_id;      /* we need to label inputs */
++    unsigned long      sizeentcopy;   /* volume of entity copy */
+ };
+ 
+ /**
+diff --git a/parser.c b/parser.c
+index e1b0364..b206f05 100644
+--- a/parser.c
++++ b/parser.c
+@@ -119,7 +119,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+  */
+ static int
+ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+-                     xmlEntityPtr ent)
++                     xmlEntityPtr ent, size_t replacement)
+ {
+     size_t consumed = 0;
+ 
+@@ -127,7 +127,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+         return (0);
+     if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
+         return (1);
+-    if (size != 0) {
++    if (replacement != 0) {
++	if (replacement < XML_MAX_TEXT_LENGTH)
++	    return(0);
++
++        /*
++	 * If the volume of entity copy reaches 10 times the
++	 * amount of parsed data and over the large text threshold
++	 * then that's very likely to be an abuse.
++	 */
++        if (ctxt->input != NULL) {
++	    consumed = ctxt->input->consumed +
++	               (ctxt->input->cur - ctxt->input->base);
++	}
++        consumed += ctxt->sizeentities;
++
++        if (replacement < XML_PARSER_NON_LINEAR * consumed)
++	    return(0);
++    } else if (size != 0) {
+         /*
+          * Do the check based on the replacement size of the entity
+          */
+@@ -173,7 +190,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+          */
+         return (0);
+     }
+-
+     xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+     return (1);
+ }
+@@ -2706,7 +2722,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+ 			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+-			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
++			    if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ 				goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 			}
+@@ -2748,7 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+ 			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+-			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
++			    if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
+ 			        goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 			}
+@@ -6976,7 +6992,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	    xmlFreeNodeList(list);
+ 	    return;
+ 	}
+-	if (xmlParserEntityCheck(ctxt, 0, ent)) {
++	if (xmlParserEntityCheck(ctxt, 0, ent, 0)) {
+ 	    xmlFreeNodeList(list);
+ 	    return;
+ 	}
+@@ -7136,6 +7152,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 		xmlNodePtr nw = NULL, cur, firstChild = NULL;
+ 
+ 		/*
++		 * We are copying here, make sure there is no abuse
++		 */
++		ctxt->sizeentcopy += ent->length;
++		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++		    return;
++
++		/*
+ 		 * when operating on a reader, the entities definitions
+ 		 * are always owning the entities subtree.
+ 		if (ctxt->parseMode == XML_PARSE_READER)
+@@ -7175,6 +7198,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 	    } else if (list == NULL) {
+ 		xmlNodePtr nw = NULL, cur, next, last,
+ 			   firstChild = NULL;
++
++		/*
++		 * We are copying here, make sure there is no abuse
++		 */
++		ctxt->sizeentcopy += ent->length;
++		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
++		    return;
++
+ 		/*
+ 		 * Copy the entity child list and make it the new
+ 		 * entity child list. The goal is to make sure any
+@@ -14355,6 +14386,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+     ctxt->catalogs = NULL;
+     ctxt->nbentities = 0;
+     ctxt->sizeentities = 0;
++    ctxt->sizeentcopy = 0;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+ 
+     if (ctxt->attsDefault != NULL) {
+diff --git a/parserInternals.c b/parserInternals.c
+index 746b7fd..d7e320c 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1761,6 +1761,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
+     ctxt->charset = XML_CHAR_ENCODING_UTF8;
+     ctxt->catalogs = NULL;
+     ctxt->nbentities = 0;
++    ctxt->sizeentities = 0;
++    ctxt->sizeentcopy = 0;
+     ctxt->input_id = 1;
+     xmlInitNodeInfoSeq(&ctxt->node_seq);
+     return(0);
+-- 
+1.8.4.1
+

data/ports/patches/libxml2/0006-Do-not-fetch-external-parsed-entities.patch

@@ -0,0 +1,78 @@
+From 8c222b89f6f68157283498d1bc6e0cce568c977b Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Jul 2012 14:15:40 +0800
+Subject: [PATCH 6/9] Do not fetch external parsed entities
+
+Unless explicietely asked for when validating or replacing entities
+with their value. Problem pointed out by Tom Lane <tgl@redhat.com>
+
+* parser.c: do not load external parsed entities unless needed
+* test/errors/extparsedent.xml result/errors/extparsedent.xml*:
+  add a regression test to avoid change of the behaviour in the future
+
+[Origin: 4629ee02ac649c27f9c0cf98ba017c6b5526070f]
+---
+ parser.c                           | 11 +++++++++--
+ result/errors/extparsedent.xml     |  5 +++++
+ result/errors/extparsedent.xml.err |  0
+ result/errors/extparsedent.xml.str |  0
+ test/errors/extparsedent.xml       |  5 +++++
+ 5 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 result/errors/extparsedent.xml
+ create mode 100644 result/errors/extparsedent.xml.err
+ create mode 100644 result/errors/extparsedent.xml.str
+ create mode 100644 test/errors/extparsedent.xml
+
+diff --git a/parser.c b/parser.c
+index b206f05..8fb16af 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6943,8 +6943,15 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+      * The first reference to the entity trigger a parsing phase
+      * where the ent->children is filled with the result from
+      * the parsing.
+-     */
+-    if (ent->checked == 0) {
++     * Note: external parsed entities will not be loaded, it is not
++     * required for a non-validating parser, unless the parsing option
++     * of validating, or substituting entities were given. Doing so is
++     * far more secure as the parser will only process data coming from
++     * the document entity by default.
++     */
++    if ((ent->checked == 0) &&
++        ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
++         (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
+ 	unsigned long oldnbent = ctxt->nbentities;
+ 
+ 	/*
+diff --git a/result/errors/extparsedent.xml b/result/errors/extparsedent.xml
+new file mode 100644
+index 0000000..07e4c54
+--- /dev/null
++++ b/result/errors/extparsedent.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE foo [
++<!ENTITY c PUBLIC "bar" "/etc/doesnotexist">
++]>
++<root>&c;</root>
+diff --git a/result/errors/extparsedent.xml.err b/result/errors/extparsedent.xml.err
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/extparsedent.xml.str b/result/errors/extparsedent.xml.str
+new file mode 100644
+index 0000000..e69de29
+diff --git a/test/errors/extparsedent.xml b/test/errors/extparsedent.xml
+new file mode 100644
+index 0000000..07e4c54
+--- /dev/null
++++ b/test/errors/extparsedent.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE foo [
++<!ENTITY c PUBLIC "bar" "/etc/doesnotexist">
++]>
++<root>&c;</root>
+-- 
+1.8.4.1
+

data/ports/patches/libxml2/0007-Enforce-XML_PARSER_EOF-state-handling-through-the-pa.patch

@@ -0,0 +1,480 @@
+From c27670420c22b2d64da7d44e266a73bb4e66c2cc Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 30 Jul 2012 16:16:04 +0800
+Subject: [PATCH 7/9] Enforce XML_PARSER_EOF state handling through the parser
+
+That condition is one raised when the parser should positively stop
+processing further even to report errors. Best is to test is after
+most GROW call especially within loops
+
+[Origin: 48b4cdde3483e054af8ea02e0cd7ee467b0e9a50]
+---
+ parser.c | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 110 insertions(+), 21 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 8fb16af..409cde8 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2161,6 +2161,8 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
+ 		"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
+     }
+     ret = inputPush(ctxt, input);
++    if (ctxt->instate == XML_PARSER_EOF)
++        return(-1);
+     GROW;
+     return(ret);
+ }
+@@ -2197,6 +2199,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
+ 	    if (count++ > 20) {
+ 		count = 0;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(0);
+ 	    }
+ 	    if ((RAW >= '0') && (RAW <= '9')) 
+ 	        val = val * 16 + (CUR - '0');
+@@ -2228,6 +2232,8 @@ xmlParseCharRef(xmlParserCtxtPtr ctxt) {
+ 	    if (count++ > 20) {
+ 		count = 0;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(0);
+ 	    }
+ 	    if ((RAW >= '0') && (RAW <= '9')) 
+ 	        val = val * 10 + (CUR - '0');
+@@ -2576,6 +2582,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ 		     * the amount of data in the buffer.
+ 		     */
+ 		    GROW
++                    if (ctxt->instate == XML_PARSER_EOF)
++                        return;
+ 		    if ((ctxt->input->end - ctxt->input->cur)>=4) {
+ 			start[0] = RAW;
+ 			start[1] = NXT(1);
+@@ -3194,6 +3202,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+      * Handler for more complex cases
+      */
+     GROW;
++    if (ctxt->instate == XML_PARSER_EOF)
++        return(NULL);
+     c = CUR_CHAR(l);
+     if ((ctxt->options & XML_PARSE_OLD10) == 0) {
+         /*
+@@ -3245,6 +3255,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ 	    if (count++ > 100) {
+ 		count = 0;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(NULL);
+ 	    }
+ 	    len += l;
+ 	    NEXTL(l);
+@@ -3269,6 +3281,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ 	    if (count++ > 100) {
+ 		count = 0;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(NULL);
+ 	    }
+ 	    len += l;
+ 	    NEXTL(l);
+@@ -3362,6 +3376,8 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ 	if (count++ > 100) {
+ 	    count = 0;
+ 	    GROW;
++            if (ctxt->instate == XML_PARSER_EOF)
++                return(NULL);
+ 	}
+ 	len += l;
+ 	NEXTL(l);
+@@ -3442,6 +3458,8 @@ xmlParseNameAndCompare(xmlParserCtxtPtr ctxt, xmlChar const *other) {
+     const xmlChar *ret;
+ 
+     GROW;
++    if (ctxt->instate == XML_PARSER_EOF)
++        return(NULL);
+ 
+     in = ctxt->input->cur;
+     while (*in != 0 && *in == *cmp) {
+@@ -3569,6 +3587,8 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ #endif
+ 
+     GROW;
++    if (ctxt->instate == XML_PARSER_EOF)
++        return(NULL);
+     c = CUR_CHAR(l);
+ 
+     while (xmlIsNameChar(ctxt, c)) {
+@@ -3597,6 +3617,10 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ 		if (count++ > 100) {
+ 		    count = 0;
+ 		    GROW;
++                    if (ctxt->instate == XML_PARSER_EOF) {
++                        xmlFree(buffer);
++                        return(NULL);
++                    }
+ 		}
+ 		if (len + 10 > max) {
+ 		    xmlChar *tmp;
+@@ -3667,6 +3691,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+     ctxt->instate = XML_PARSER_ENTITY_VALUE;
+     input = ctxt->input;
+     GROW;
++    if (ctxt->instate == XML_PARSER_EOF) {
++        xmlFree(buf);
++        return(NULL);
++    }
+     NEXT;
+     c = CUR_CHAR(l);
+     /*
+@@ -3678,8 +3706,8 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+      * In practice it means we stop the loop only when back at parsing
+      * the initial entity and the quote is found
+      */
+-    while ((IS_CHAR(c)) && ((c != stop) || /* checked */
+-	   (ctxt->input != input))) {
++    while (((IS_CHAR(c)) && ((c != stop) || /* checked */
++	    (ctxt->input != input))) && (ctxt->instate != XML_PARSER_EOF)) {
+ 	if (len + 5 >= size) {
+ 	    xmlChar *tmp;
+ 
+@@ -3708,6 +3736,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ 	}
+     }
+     buf[len] = 0;
++    if (ctxt->instate == XML_PARSER_EOF) {
++        xmlFree(buf);
++        return(NULL);
++    }
+ 
+     /*
+      * Raise problem w.r.t. '&' and '%' being used in non-entities
+@@ -3755,12 +3787,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ 	 */
+ 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
+ 				      0, 0, 0);
+-	if (orig != NULL) 
++	if (orig != NULL)
+ 	    *orig = buf;
+ 	else
+ 	    xmlFree(buf);
+     }
+-    
++
+     return(ret);
+ }
+ 
+@@ -3811,8 +3843,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+      * OK loop until we reach one of the ending char or a size limit.
+      */
+     c = CUR_CHAR(l);
+-    while ((NXT(0) != limit) && /* checked */
+-           (IS_CHAR(c)) && (c != '<')) {
++    while (((NXT(0) != limit) && /* checked */
++            (IS_CHAR(c)) && (c != '<')) &&
++            (ctxt->instate != XML_PARSER_EOF)) {
+ 	if (c == 0) break;
+ 	if (c == '&') {
+ 	    in_space = 0;
+@@ -3947,6 +3980,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 	GROW;
+ 	c = CUR_CHAR(l);
+     }
++    if (ctxt->instate == XML_PARSER_EOF)
++        goto error;
++
+     if ((in_space) && (normalize)) {
+         while ((len > 0) && (buf[len - 1] == 0x20)) len--;
+     }
+@@ -3979,6 +4015,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 
+ mem_error:
+     xmlErrMemory(ctxt, NULL);
++error:
+     if (buf != NULL)
+         xmlFree(buf);
+     if (rep != NULL)
+@@ -4084,6 +4121,10 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ 	if (count > 50) {
+ 	    GROW;
+ 	    count = 0;
++            if (ctxt->instate == XML_PARSER_EOF) {
++	        xmlFree(buf);
++		return(NULL);
++            }
+ 	}
+ 	COPY_BUF(l,buf,len,cur);
+ 	NEXTL(l);
+@@ -4161,6 +4202,10 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ 	if (count > 50) {
+ 	    GROW;
+ 	    count = 0;
++            if (ctxt->instate == XML_PARSER_EOF) {
++		xmlFree(buf);
++		return(NULL);
++            }
+ 	}
+ 	NEXT;
+ 	cur = CUR;
+@@ -4367,6 +4412,8 @@ get_more:
+ 	    }
+ 	    SHRINK;
+ 	    GROW;
++            if (ctxt->instate == XML_PARSER_EOF)
++		return;
+ 	    in = ctxt->input->cur;
+ 	} while (((*in >= 0x20) && (*in <= 0x7F)) || (*in == 0x09));
+ 	nbchar = 0;
+@@ -4435,6 +4482,8 @@ xmlParseCharDataComplex(xmlParserCtxtPtr ctxt, int cdata) {
+ 	if (count > 50) {
+ 	    GROW;
+ 	    count = 0;
++            if (ctxt->instate == XML_PARSER_EOF)
++		return;
+ 	}
+ 	NEXTL(l);
+ 	cur = CUR_CHAR(l);
+@@ -4635,6 +4684,10 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, int len, int size) {
+ 	if (count > 50) {
+ 	    GROW;
+ 	    count = 0;
++            if (ctxt->instate == XML_PARSER_EOF) {
++		xmlFree(buf);
++		return;
++            }
+ 	}
+ 	NEXTL(l);
+ 	cur = CUR_CHAR(l);
+@@ -4785,6 +4838,10 @@ get_more:
+ 	}
+ 	SHRINK;
+ 	GROW;
++        if (ctxt->instate == XML_PARSER_EOF) {
++            xmlFree(buf);
++            return;
++        }
+ 	in = ctxt->input->cur;
+ 	if (*in == '-') {
+ 	    if (in[1] == '-') {
+@@ -5022,6 +5079,10 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ 		count++;
+ 		if (count > 50) {
+ 		    GROW;
++                    if (ctxt->instate == XML_PARSER_EOF) {
++                        xmlFree(buf);
++                        return;
++                    }
+ 		    count = 0;
+ 		}
+ 		COPY_BUF(l,buf,len,cur);
+@@ -5762,7 +5823,7 @@ xmlParseAttributeListDecl(xmlParserCtxtPtr ctxt) {
+ 	}
+ 	SKIP_BLANKS;
+ 	GROW;
+-	while (RAW != '>') {
++	while ((RAW != '>') && (ctxt->instate != XML_PARSER_EOF)) {
+ 	    const xmlChar *check = CUR_PTR;
+ 	    int type;
+ 	    int def;
+@@ -5911,7 +5972,7 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
+ 	    ret = cur = xmlNewDocElementContent(ctxt->myDoc, NULL, XML_ELEMENT_CONTENT_PCDATA);
+ 	    if (ret == NULL) return(NULL);
+ 	}
+-	while (RAW == '|') {
++	while ((RAW == '|') && (ctxt->instate != XML_PARSER_EOF)) {
+ 	    NEXT;
+ 	    if (elem == NULL) {
+ 	        ret = xmlNewDocElementContent(ctxt->myDoc, NULL, XML_ELEMENT_CONTENT_OR);
+@@ -6055,7 +6116,7 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+     }
+     SKIP_BLANKS;
+     SHRINK;
+-    while (RAW != ')') {
++    while ((RAW != ')') && (ctxt->instate != XML_PARSER_EOF)) {
+         /*
+ 	 * Each loop we parse one separator and one element.
+ 	 */
+@@ -6334,6 +6395,8 @@ xmlParseElementContentDecl(xmlParserCtxtPtr ctxt, const xmlChar *name,
+     }
+     NEXT;
+     GROW;
++    if (ctxt->instate == XML_PARSER_EOF)
++        return(-1);
+     SKIP_BLANKS;
+     if (CMP7(CUR_PTR, '#', 'P', 'C', 'D', 'A', 'T', 'A')) {
+         tree = xmlParseElementMixedContentDecl(ctxt, inputid);
+@@ -6501,8 +6564,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 		    "Entering INCLUDE Conditional Section\n");
+ 	}
+ 
+-	while ((RAW != 0) && ((RAW != ']') || (NXT(1) != ']') ||
+-	       (NXT(2) != '>'))) {
++	while (((RAW != 0) && ((RAW != ']') || (NXT(1) != ']') ||
++	        (NXT(2) != '>'))) && (ctxt->instate != XML_PARSER_EOF)) {
+ 	    const xmlChar *check = CUR_PTR;
+ 	    unsigned int cons = ctxt->input->consumed;
+ 
+@@ -6570,7 +6633,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	if (ctxt->recovery == 0) ctxt->disableSAX = 1;
+ 	ctxt->instate = XML_PARSER_IGNORE;
+ 
+-	while ((depth >= 0) && (RAW != 0)) {
++	while (((depth >= 0) && (RAW != 0)) &&
++               (ctxt->instate != XML_PARSER_EOF)) {
+ 	  if ((RAW == '<') && (NXT(1) == '!') && (NXT(2) == '[')) {
+ 	    depth++;
+ 	    SKIP(3);
+@@ -6841,7 +6905,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
+ 	    break;
+ 	}
+     }
+-    
++
+     if (RAW != 0) {
+ 	xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
+     }
+@@ -7310,6 +7374,8 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
+     xmlEntityPtr ent = NULL;
+ 
+     GROW;
++    if (ctxt->instate == XML_PARSER_EOF)
++        return(NULL);
+ 
+     if (RAW != '&')
+         return(NULL);
+@@ -7840,6 +7906,10 @@ xmlLoadEntityContent(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) {
+ 	if (count++ > 100) {
+ 	    count = 0;
+ 	    GROW;
++            if (ctxt->instate == XML_PARSER_EOF) {
++                xmlBufferFree(buf);
++                return(-1);
++            }
+ 	}
+ 	NEXTL(l);
+ 	c = CUR_CHAR(l);
+@@ -8073,7 +8143,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
+ 	 * PEReferences.
+ 	 * Subsequence (markupdecl | PEReference | S)*
+ 	 */
+-	while (RAW != ']') {
++	while ((RAW != ']') && (ctxt->instate != XML_PARSER_EOF)) {
+ 	    const xmlChar *check = CUR_PTR;
+ 	    unsigned int cons = ctxt->input->consumed;
+ 
+@@ -8259,9 +8329,9 @@ xmlParseStartTag(xmlParserCtxtPtr ctxt) {
+     SKIP_BLANKS;
+     GROW;
+ 
+-    while ((RAW != '>') && 
++    while (((RAW != '>') && 
+ 	   ((RAW != '/') || (NXT(1) != '>')) &&
+-	   (IS_BYTE_CHAR(RAW))) {
++	   (IS_BYTE_CHAR(RAW))) && (ctxt->instate != XML_PARSER_EOF)) {
+ 	const xmlChar *q = CUR_PTR;
+ 	unsigned int cons = ctxt->input->consumed;
+ 
+@@ -8685,6 +8755,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ 	    if (in >= end) {
+ 		const xmlChar *oldbase = ctxt->input->base;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(NULL);
+ 		if (oldbase != ctxt->input->base) {
+ 		    long delta = ctxt->input->base - oldbase;
+ 		    start = start + delta;
+@@ -8699,6 +8771,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ 	    if (in >= end) {
+ 		const xmlChar *oldbase = ctxt->input->base;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(NULL);
+ 		if (oldbase != ctxt->input->base) {
+ 		    long delta = ctxt->input->base - oldbase;
+ 		    start = start + delta;
+@@ -8719,6 +8793,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ 	    if (in >= end) {
+ 		const xmlChar *oldbase = ctxt->input->base;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(NULL);
+ 		if (oldbase != ctxt->input->base) {
+ 		    long delta = ctxt->input->base - oldbase;
+ 		    start = start + delta;
+@@ -8736,6 +8812,8 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ 	    if (in >= end) {
+ 		const xmlChar *oldbase = ctxt->input->base;
+ 		GROW;
++                if (ctxt->instate == XML_PARSER_EOF)
++                    return(NULL);
+ 		if (oldbase != ctxt->input->base) {
+ 		    long delta = ctxt->input->base - oldbase;
+ 		    start = start + delta;
+@@ -8967,9 +9045,9 @@ reparse:
+     GROW;
+     if (ctxt->input->base != base) goto base_changed;
+ 
+-    while ((RAW != '>') && 
++    while (((RAW != '>') &&
+ 	   ((RAW != '/') || (NXT(1) != '>')) &&
+-	   (IS_BYTE_CHAR(RAW))) {
++	   (IS_BYTE_CHAR(RAW))) && (ctxt->instate != XML_PARSER_EOF)) {
+ 	const xmlChar *q = CUR_PTR;
+ 	unsigned int cons = ctxt->input->consumed;
+ 	int len = -1, alloc = 0;
+@@ -9140,6 +9218,8 @@ skip_ns:
+ failed:
+ 
+ 	GROW
++        if (ctxt->instate == XML_PARSER_EOF)
++            break;
+ 	if (ctxt->input->base != base) goto base_changed;
+ 	if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ 	    break;
+@@ -9377,6 +9457,8 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
+      * We should definitely be at the ending "S? '>'" part
+      */
+     GROW;
++    if (ctxt->instate == XML_PARSER_EOF)
++        return;
+     SKIP_BLANKS;
+     if ((!IS_BYTE_CHAR(RAW)) || (RAW != '>')) {
+ 	xmlFatalErr(ctxt, XML_ERR_GT_REQUIRED, NULL);
+@@ -9485,6 +9567,10 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ 	count++;
+ 	if (count > 50) {
+ 	    GROW;
++            if (ctxt->instate == XML_PARSER_EOF) {
++		xmlFree(buf);
++		return;
++            }
+ 	    count = 0;
+ 	}
+ 	NEXTL(l);
+@@ -10255,9 +10341,10 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
+ 
+ void
+ xmlParseMisc(xmlParserCtxtPtr ctxt) {
+-    while (((RAW == '<') && (NXT(1) == '?')) ||
+-           (CMP4(CUR_PTR, '<', '!', '-', '-')) ||
+-           IS_BLANK_CH(CUR)) {
++    while ((ctxt->instate != XML_PARSER_EOF) &&
++           (((RAW == '<') && (NXT(1) == '?')) ||
++            (CMP4(CUR_PTR, '<', '!', '-', '-')) ||
++            IS_BLANK_CH(CUR))) {
+         if ((RAW == '<') && (NXT(1) == '?')) {
+ 	    xmlParsePI(ctxt);
+ 	} else if (IS_BLANK_CH(CUR)) {
+@@ -11727,6 +11814,8 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
+         return(XML_ERR_INTERNAL_ERROR);
+     if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
+         return(ctxt->errNo);
++    if (ctxt->instate == XML_PARSER_EOF)
++        return(-1);
+     if (ctxt->instate == XML_PARSER_START)
+         xmlDetectSAX2(ctxt);
+     if ((size > 0) && (chunk != NULL) && (!terminate) &&
+-- 
+1.8.4.1
+