nokogiri 1.8.0 → 1.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 26a2384c923e0e378063f7b522337c13affb87d0
-  data.tar.gz: c400091c5dd53629c00c9b33cf81945f784c2989
+  metadata.gz: bb5ae2f309f32e6299e28f8163ccde42dd7194c6
+  data.tar.gz: fe6d320fb028811a39297771a9b5da13836a57ce
 SHA512:
-  metadata.gz: f28b1f4cde4884023b7cf4556bd0faf3e8ec16d2223a399f37e156d0a7ca3714499a9f58c209d2a16907f4fb815e4563cb134898c24371676f14a9ba657ec5e5
-  data.tar.gz: 705dd04d787ef718ff7959323e5199b0342e0aa2ab18bbaddd4fa4a8f0088f6e2470357e3cc3377e11709fff19e22bcfb300ccb56a2f490bc20ca54085fe8a70
+  metadata.gz: f77a7df358ec08fa9f1c78e2a9d7fd0414c15022b42066208af6724db1087ef74a9e21d8750d9411f726311947618a81625713ce4c8064641ed490a014c99950
+  data.tar.gz: 57adf86c265c43453c50e72b9470a164738eb3c74b229cdfc2eb1c8a8e2b657fdd569c85e01d92c9b63e43da1ef6730937c6c40e666747fd5ee3717ae2713bd4

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+# 1.8.1 / 2017-09-19
+
+## Dependencies
+
+* [MRI] libxml2 is updated from 2.9.4 to 2.9.5.
+* [MRI] libxslt is updated from 1.1.29 to 1.1.30.
+* [MRI] optional dependency on the pkg-config gem has had its constraint loosened to `~> 1.1` (from `~> 1.1.7`). [#1660]
+* [MRI] Upgrade mini_portile2 dependency from `~> 2.2.0` to `~> 2.3.0`, which will validate checksums on the vendored libxml2 and libxslt tarballs before using them.
+
+
+## Bugs
+
+* NodeSet#first with an integer argument longer than the length of the NodeSet now correctly clamps the length of the returned NodeSet to the original length. [#1650] (Thanks, @Derenge!)
+* [MRI] Ensure CData.new raises TypeError if the `content` argument is not implicitly convertible into a string. [#1669]
+
+
 # 1.8.0 / 2017-06-04
 
 ## Backwards incompatibilities

data/Gemfile

@@ -4,12 +4,12 @@
 
 source "https://rubygems.org/"
 
-gem "mini_portile2", "~>2.2.0"
+gem "mini_portile2", "~>2.3.0"
 
-gem "hoe-bundler", "~>1.2.0", :group => [:development, :test]
-gem "hoe-debugging", "~>1.3.0", :group => [:development, :test]
-gem "hoe-gemspec", "~>1.0.0", :group => [:development, :test]
-gem "hoe-git", "~>1.6.0", :group => [:development, :test]
+gem "hoe-bundler", "~>1.2", :group => [:development, :test]
+gem "hoe-debugging", "~>1.4", :group => [:development, :test]
+gem "hoe-gemspec", "~>1.0", :group => [:development, :test]
+gem "hoe-git", "~>1.6", :group => [:development, :test]
 gem "minitest", "~>5.8.4", :group => [:development, :test]
 gem "rake", "~>12.0", :group => [:development, :test]
 gem "rake-compiler", "~>1.0.3", :group => [:development, :test]

data/Manifest.txt

@@ -248,13 +248,9 @@ lib/xalan.jar
 lib/xercesImpl.jar
 lib/xml-apis.jar
 lib/xsd/xmlparser/nokogiri.rb
-patches/libxml2/0001-Fix-comparison-with-root-node-in-xmlXPathCmpNodes.patch
-patches/libxml2/0002-Fix-XPointer-paths-beginning-with-range-to.patch
-patches/libxml2/0003-Disallow-namespace-nodes-in-XPointer-ranges.patch
-patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
-patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
 patches/sort-patches-by-date
 suppressions/README.txt
+suppressions/nokogiri_ruby-2.supp
 tasks/test.rb
 test/css/test_nthiness.rb
 test/css/test_parser.rb

data/Rakefile

@@ -125,15 +125,15 @@ HOE = Hoe.spec 'nokogiri' do
 
   unless java?
     self.extra_deps += [
-      ["mini_portile2",    "~> 2.2.0"], # keep version in sync with extconf.rb
+      ["mini_portile2",    "~> 2.3.0"], # keep version in sync with extconf.rb
     ]
   end
 
   self.extra_dev_deps += [
-    ["hoe-bundler",        "~> 1.2.0"],
-    ["hoe-debugging",      "~> 1.3.0"],
-    ["hoe-gemspec",        "~> 1.0.0"],
-    ["hoe-git",            "~> 1.6.0"],
+    ["hoe-bundler",        "~> 1.2"],
+    ["hoe-debugging",      "~> 1.4"],
+    ["hoe-gemspec",        "~> 1.0"],
+    ["hoe-git",            "~> 1.6"],
     ["minitest",           "~> 5.8.4"],
     ["rake",               "~> 12.0"],
     ["rake-compiler",      "~> 1.0.3"],

data/dependencies.yml

@@ -1,22 +1,57 @@
 libxml2:
-  version: "2.9.4"
-  sha256: "ffb911191e509b966deb55de705387f14156e1a56b21824357cdf0053233633c" # manually confirmed via `gpg --verify`
-  # gpg: Signature made Mon 23 May 2016 04:02:13 AM EDT using DSA key ID DE95BC1F
-  # gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>"
-  # gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>"
-  # gpg: WARNING: This key is not certified with a trusted signature!
-  # gpg:          There is no indication that the signature belongs to the owner.
-  # Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
+  version: "2.9.5"
+  sha256: "4031c1ecee9ce7ba4f313e91ef6284164885cdb69937a123f6a83bb6a72dcd38"
+  # manually verified checksum:
+  #
+  #   $ gpg --verify libxml2-2.9.5.tar.gz.asc libxml2-2.9.5.tar.gz
+  #   gpg: Signature made Mon 04 Sep 2017 09:00:53 AM EDT using RSA key ID 596BEA5D
+  #   gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>"
+  #   gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>"
+  #   gpg: WARNING: This key is not certified with a trusted signature!
+  #   gpg:          There is no indication that the signature belongs to the owner.
+  #   Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
+  #        Subkey fingerprint: DB46 681B B91A DCEA 170F  A2D4 1558 8B26 596B EA5D
+  #
+  # using this pgp signature:
+  #
+  #   -----BEGIN PGP SIGNATURE-----
+  #
+  #   iQEcBAABAgAGBQJZrU6FAAoJEBVYiyZZa+pd73cIAMZpWcbiWwFqPgEJtscDfUqs
+  #   V0LjMKYXMDZCUs9/SPV/d6yXbOWSx2PgQ0wa7eCq2KmitIKYlcwnqB1WfAgSvNc+
+  #   cK8rVwIF4MfZQTzWie6uBvwukDn3224b3qjXxJtPS6J8HmiyK6suwDX5auEgEF8f
+  #   Ac1xy0K/hfAo+W5x7bm+suPHUduI7d6pWo1hNMwW/lyPiQthT4pPElkMBeKTi4vl
+  #   HTRTVEJKjVkdQ2tJ9b5pUYE0Aa6T54SVpCyBRmTu4d/MoOX5VnXBoiZIJDbSA5cD
+  #   GLQeXjDg/tYdq9DpYuT3otYd+6VWuWdH+f6jM6L2+82rAMtOAjBm97Z45XxH31I=
+  #   =T2TF
+  #   -----END PGP SIGNATURE-----
 
 libxslt:
-  version: "1.1.29"
-  sha256: "b5976e3857837e7617b29f2249ebb5eeac34e249208d31f1fbf7a6ba7a4090ce"
-  # gpg: Signature made Mon 23 May 2016 09:58:52 PM EDT using DSA key ID DE95BC1F
-  # gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>"
-  # gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>"
-  # gpg: WARNING: This key is not certified with a trusted signature!
-  # gpg:          There is no indication that the signature belongs to the owner.
-  # Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
+  version: "1.1.30"
+  sha256: "ba65236116de8326d83378b2bd929879fa185195bc530b9d1aba72107910b6b3"
+  # manually verified checksum:
+  #
+  #   $ gpg --verify libxslt-1.1.30.tar.gz.asc libxslt-1.1.30.tar.gz
+  #   gpg: Signature made Mon 04 Sep 2017 09:36:06 AM EDT using RSA key ID 596BEA5D
+  #   gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>"
+  #   gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>"
+  #   gpg: WARNING: This key is not certified with a trusted signature!
+  #   gpg:          There is no indication that the signature belongs to the owner.
+  #   Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
+  #        Subkey fingerprint: DB46 681B B91A DCEA 170F  A2D4 1558 8B26 596B EA5D
+  #
+  # using this pgp signature:
+  #
+  #   -----BEGIN PGP SIGNATURE-----
+  #
+  #   iQEcBAABAgAGBQJZrVbGAAoJEBVYiyZZa+pdVrMH/Ru0J8zvwx8Geu6PX8ykvdEU
+  #   o5U/izwg8C8a1mtI9M8PcVUsERQinBcngO14Vk0V0dXHLp7/IEpRuXksCYkcTJL9
+  #   HawU2uDXTE/VwUl9aM2OXJOCk9W/JUkElbqEG11LCfU6uGlV+mFpLVO+eMDPxlRZ
+  #   v2LMs/yBFSiwNw757771ADShdRe3QxqhRscikK/yz/BRESdqls3/3y6GSEV2rx2n
+  #   VKVvsuHFisviwEn+1pvqcAGNCm0pIkPX6/nr+ayK3rBX7tmS493Stp6e/qUYKo6e
+  #   5cmdTkPhpzICQH2yqeUlfMp1M1nN50oShpvQqyjmpI+SV1udw08suIxVTDUCTRc=
+  #   =LjYD
+  #   -----END PGP SIGNATURE-----
+  #
 
 zlib:
   version: "1.2.11"

data/ext/nokogiri/extconf.rb

@@ -116,7 +116,7 @@ def package_config pkg, options={}
 
   begin
     require 'rubygems'
-    gem 'pkg-config', (gem_ver='~> 1.1.7')
+    gem 'pkg-config', (gem_ver='~> 1.1')
     require 'pkg-config' and message("Using pkg-config gem version #{PKGConfig::VERSION}\n")
   rescue LoadError
     message "pkg-config could not be used to find #{pkg}\nPlease install either `pkg-config` or the pkg-config gem per\n\n    gem install pkg-config -v #{gem_ver.inspect}\n\n"
@@ -457,7 +457,7 @@ else
   # The gem version constraint in the Rakefile is not respected at install time.
   # Keep this version in sync with the one in the Rakefile !
   require 'rubygems'
-  gem 'mini_portile2', '~> 2.2.0'
+  gem 'mini_portile2', '~> 2.3.0'
   require 'mini_portile2'
   message "Using mini_portile version #{MiniPortile::VERSION}\n"
 

data/ext/nokogiri/xml_cdata.c

@@ -5,6 +5,9 @@
  *  new(document, content)
  *
  * Create a new CDATA element on the +document+ with +content+
+ *
+ * If +content+ cannot be implicitly converted to a string, this method will
+ * raise a TypeError exception.
  */
 static VALUE new(int argc, VALUE *argv, VALUE klass)
 {
@@ -14,23 +17,24 @@ static VALUE new(int argc, VALUE *argv, VALUE klass)
   VALUE content;
   VALUE rest;
   VALUE rb_node;
+  const xmlChar *content_str;
+  int content_str_len;
 
   rb_scan_args(argc, argv, "2*", &doc, &content, &rest);
 
   Data_Get_Struct(doc, xmlDoc, xml_doc);
 
-  node = xmlNewCDataBlock(
-      xml_doc->doc,
-      NIL_P(content) ? NULL : (const xmlChar *)StringValuePtr(content),
-      NIL_P(content) ? 0 : (int)RSTRING_LEN(content)
-  );
+  content_str = NIL_P(content) ? NULL : (const xmlChar *)StringValueCStr(content);
+  content_str_len = (content_str == NULL) ? 0 : strlen(content_str);
+
+  node = xmlNewCDataBlock(xml_doc->doc, content_str, content_str_len);
 
   nokogiri_root_node(node);
 
   rb_node = Nokogiri_wrap_xml_node(klass, node);
   rb_obj_call_init(rb_node, argc, argv);
 
-  if(rb_block_given_p()) rb_yield(rb_node);
+  if(rb_block_given_p()) { rb_yield(rb_node); }
 
   return rb_node;
 }

data/ext/nokogiri/xml_sax_parser.c

@@ -19,15 +19,16 @@ static void start_document(void * ctx)
   if(NULL != ctxt && ctxt->html != 1) {
     if(ctxt->standalone != -1) {  /* -1 means there was no declaration */
       VALUE encoding = Qnil ;
+      VALUE standalone = Qnil;
+      VALUE version;
       if (ctxt->encoding) {
         encoding = NOKOGIRI_STR_NEW2(ctxt->encoding) ;
       } else if (ctxt->input && ctxt->input->encoding) {
         encoding = NOKOGIRI_STR_NEW2(ctxt->input->encoding) ;
       }
 
-      VALUE version = ctxt->version ? NOKOGIRI_STR_NEW2(ctxt->version) : Qnil;
+      version = ctxt->version ? NOKOGIRI_STR_NEW2(ctxt->version) : Qnil;
 
-      VALUE standalone = Qnil;
       switch(ctxt->standalone)
       {
         case 0:

data/lib/nokogiri/version.rb

@@ -1,6 +1,6 @@
 module Nokogiri
   # The version of Nokogiri you are using
-  VERSION = '1.8.0'
+  VERSION = '1.8.1'
 
   class VersionInfo # :nodoc:
     def jruby?

data/lib/nokogiri/xml/node.rb

@@ -679,7 +679,7 @@ module Nokogiri
       #
       # To save indented with two dashes:
       #
-      #   node.write_to(io, :indent_text => '-', :indent => 2
+      #   node.write_to(io, :indent_text => '-', :indent => 2)
       #
       def write_to io, *options
         options       = options.first.is_a?(Hash) ? options.shift : {}

data/lib/nokogiri/xml/node_set.rb

@@ -26,7 +26,7 @@ module Nokogiri
       def first n = nil
         return self[0] unless n
         list = []
-        n.times { |i| list << self[i] }
+        [n, length].min.times { |i| list << self[i] }
         list
       end
 

data/suppressions/nokogiri_ruby-2.supp

@@ -0,0 +1,10 @@
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Free
+   fun:free
+   fun:__libc_freeres
+   fun:_vgnU_freeres
+   fun:__run_exit_handlers
+   fun:exit
+   fun:(below main)
+}

data/test/xml/test_cdata.rb

@@ -28,6 +28,12 @@ module Nokogiri
         assert_equal nil, node.content
       end
 
+      def test_new_with_non_string
+        assert_raises(TypeError) do
+          CDATA.new(@xml, 1.234)
+        end
+      end
+
       def test_lots_of_new_cdata
         assert 100.times { CDATA.new(@xml, "asdfasdf") }
       end

data/test/xml/test_node_set.rb

@@ -251,6 +251,11 @@ module Nokogiri
         assert node_set = @xml.xpath('//employee')
         assert_equal 2, node_set.first(2).length
       end
+      
+      def test_first_clamps_arguments
+        assert node_set = @xml.xpath('//employee[position() < 3]')
+        assert_equal 2, node_set.first(5).length
+      end
 
       [:dup, :clone].each do |method_name|
         define_method "test_#{method_name}" do

data/test/xslt/test_custom_functions.rb

@@ -55,7 +55,7 @@ EOXML
 </xsl:stylesheet>
 EOXSL
         result = xsl.transform @xml
-        assert_equal 'FOO', result.css('title').first.text
+        assert_match(/FOO/, result.css('title').first.text)
       end
 
 
@@ -126,7 +126,7 @@ EOXSL
 </xsl:stylesheet>
 EOXSL
         result = xsl.transform @xml
-        assert_equal 'FOO', result.css('title').first.text
+        assert_match(/FOO/, result.css('title').first.text)
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nokogiri
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.8.1
 platform: ruby
 authors:
 - Aaron Patterson
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-05 00:00:00.000000000 Z
+date: 2017-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mini_portile2
@@ -20,70 +20,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: hoe-bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '1.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: hoe-debugging
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: '1.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: '1.4'
 - !ruby/object:Gem::Dependency
   name: hoe-gemspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: hoe-git
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '1.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '1.6'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -425,15 +425,11 @@ files:
 - lib/nokogiri/xslt.rb
 - lib/nokogiri/xslt/stylesheet.rb
 - lib/xsd/xmlparser/nokogiri.rb
-- patches/libxml2/0001-Fix-comparison-with-root-node-in-xmlXPathCmpNodes.patch
-- patches/libxml2/0002-Fix-XPointer-paths-beginning-with-range-to.patch
-- patches/libxml2/0003-Disallow-namespace-nodes-in-XPointer-ranges.patch
-- patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
-- patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
 - patches/sort-patches-by-date
-- ports/archives/libxml2-2.9.4.tar.gz
-- ports/archives/libxslt-1.1.29.tar.gz
+- ports/archives/libxml2-2.9.5.tar.gz
+- ports/archives/libxslt-1.1.30.tar.gz
 - suppressions/README.txt
+- suppressions/nokogiri_ruby-2.supp
 - tasks/test.rb
 - test/css/test_nthiness.rb
 - test/css/test_parser.rb
@@ -565,7 +561,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
 summary: Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser

data/patches/libxml2/0001-Fix-comparison-with-root-node-in-xmlXPathCmpNodes.patch

@@ -1,34 +0,0 @@
-From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:19:58 +0200
-Subject: [PATCH] Fix comparison with root node in xmlXPathCmpNodes
-
-This change has already been made in xmlXPathCmpNodesExt but not in
-xmlXPathCmpNodes.
----
- xpath.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 751665b..d992841 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
-      * compute depth to root
-      */
-     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node1)
-+	if (cur->parent == node1)
- 	    return(1);
- 	depth2++;
-     }
-     root = cur;
-     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node2)
-+	if (cur->parent == node2)
- 	    return(-1);
- 	depth1++;
-     }
--- 
-2.9.3
-

data/patches/libxml2/0002-Fix-XPointer-paths-beginning-with-range-to.patch

@@ -1,174 +0,0 @@
-From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:22:23 +0200
-Subject: [PATCH] Fix XPointer paths beginning with range-to
-
-The old code would invoke the broken xmlXPtrRangeToFunction. range-to
-isn't really a function but a special kind of location step. Remove
-this function and always handle range-to in the XPath code.
-
-The old xmlXPtrRangeToFunction could also be abused to trigger a
-use-after-free error with the potential for remote code execution.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-5131.
----
- result/XPath/xptr/vidbase | 13 ++++++++
- test/XPath/xptr/vidbase   |  1 +
- xpath.c                   |  7 ++++-
- xpointer.c                | 76 ++++-------------------------------------------
- 4 files changed, 26 insertions(+), 71 deletions(-)
-
-diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
-index 8b9e92d..f19193e 100644
---- a/result/XPath/xptr/vidbase
-+++ b/result/XPath/xptr/vidbase
-@@ -17,3 +17,16 @@ Object is a Location Set:
-   To node
-     ELEMENT p
- 
-+
-+========================
-+Expression: xpointer(range-to(id('chapter2')))
-+Object is a Location Set:
-+1 :   Object is a range :
-+  From node
-+     /
-+  To node
-+    ELEMENT chapter
-+      ATTRIBUTE id
-+        TEXT
-+          content=chapter2
-+
-diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
-index b146383..884b106 100644
---- a/test/XPath/xptr/vidbase
-+++ b/test/XPath/xptr/vidbase
-@@ -1,2 +1,3 @@
- xpointer(id('chapter1')/p)
- xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
-+xpointer(range-to(id('chapter2')))
-diff --git a/xpath.c b/xpath.c
-index d992841..5a01b1b 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
- 		    lc = 1;
- 		    break;
- 		} else if ((NXT(len) == '(')) {
--		    /* Note Type or Function */
-+		    /* Node Type or Function */
- 		    if (xmlXPathIsNodeType(name)) {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
- 				"PathExpr: Type search\n");
- #endif
- 			lc = 1;
-+#ifdef LIBXML_XPTR_ENABLED
-+                    } else if (ctxt->xptr &&
-+                               xmlStrEqual(name, BAD_CAST "range-to")) {
-+                        lc = 1;
-+#endif
- 		    } else {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
-diff --git a/xpointer.c b/xpointer.c
-index 676c510..d74174a 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
-     ret->here = here;
-     ret->origin = origin;
- 
--    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
--	                 xmlXPtrRangeToFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
- 	                 xmlXPtrRangeFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
-@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-  * @nargs:  the number of args
-  *
-  * Implement the range-to() XPointer function
-+ *
-+ * Obsolete. range-to is not a real function but a special type of location
-+ * step which is handled in xpath.c.
-  */
- void
--xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
--    xmlXPathObjectPtr range;
--    const xmlChar *cur;
--    xmlXPathObjectPtr res, obj;
--    xmlXPathObjectPtr tmp;
--    xmlLocationSetPtr newset = NULL;
--    xmlNodeSetPtr oldset;
--    int i;
--
--    if (ctxt == NULL) return;
--    CHECK_ARITY(1);
--    /*
--     * Save the expression pointer since we will have to evaluate
--     * it multiple times. Initialize the new set.
--     */
--    CHECK_TYPE(XPATH_NODESET);
--    obj = valuePop(ctxt);
--    oldset = obj->nodesetval;
--    ctxt->context->node = NULL;
--
--    cur = ctxt->cur;
--    newset = xmlXPtrLocationSetCreate(NULL);
--
--    for (i = 0; i < oldset->nodeNr; i++) {
--	ctxt->cur = cur;
--
--	/*
--	 * Run the evaluation with a node list made of a single item
--	 * in the nodeset.
--	 */
--	ctxt->context->node = oldset->nodeTab[i];
--	tmp = xmlXPathNewNodeSet(ctxt->context->node);
--	valuePush(ctxt, tmp);
--
--	xmlXPathEvalExpr(ctxt);
--	CHECK_ERROR;
--
--	/*
--	 * The result of the evaluation need to be tested to
--	 * decided whether the filter succeeded or not
--	 */
--	res = valuePop(ctxt);
--	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
--	if (range != NULL) {
--	    xmlXPtrLocationSetAdd(newset, range);
--	}
--
--	/*
--	 * Cleanup
--	 */
--	if (res != NULL)
--	    xmlXPathFreeObject(res);
--	if (ctxt->value == tmp) {
--	    res = valuePop(ctxt);
--	    xmlXPathFreeObject(res);
--	}
--
--	ctxt->context->node = NULL;
--    }
--
--    /*
--     * The result is used as the new evaluation set.
--     */
--    xmlXPathFreeObject(obj);
--    ctxt->context->node = NULL;
--    ctxt->context->contextSize = -1;
--    ctxt->context->proximityPosition = -1;
--    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
-+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
-+                       int nargs ATTRIBUTE_UNUSED) {
-+    XP_ERROR(XPATH_EXPR_ERROR);
- }
- 
- /**
--- 
-2.9.3
-

data/patches/libxml2/0003-Disallow-namespace-nodes-in-XPointer-ranges.patch

@@ -1,249 +0,0 @@
-From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 18:34:52 +0200
-Subject: [PATCH] Disallow namespace nodes in XPointer ranges
-
-Namespace nodes must be copied to avoid use-after-free errors.
-But they don't necessarily have a physical representation in a
-document, so simply disallow them in XPointer ranges.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-4658.
----
- xpointer.c | 149 +++++++++++++++++++++++--------------------------------------
- 1 file changed, 56 insertions(+), 93 deletions(-)
-
-diff --git a/xpointer.c b/xpointer.c
-index a7b03fb..694d120 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -319,6 +319,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
-     return(1);
- }
- 
-+/**
-+ * xmlXPtrNewRangeInternal:
-+ * @start:  the starting node
-+ * @startindex:  the start index
-+ * @end:  the ending point
-+ * @endindex:  the ending index
-+ *
-+ * Internal function to create a new xmlXPathObjectPtr of type range
-+ *
-+ * Returns the newly created object.
-+ */
-+static xmlXPathObjectPtr
-+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
-+                        xmlNodePtr end, int endindex) {
-+    xmlXPathObjectPtr ret;
-+
-+    /*
-+     * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
-+     * Disallow them for now.
-+     */
-+    if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+    if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+
-+    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-+    if (ret == NULL) {
-+        xmlXPtrErrMemory("allocating range");
-+	return(NULL);
-+    }
-+    memset(ret, 0, sizeof(xmlXPathObject));
-+    ret->type = XPATH_RANGE;
-+    ret->user = start;
-+    ret->index = startindex;
-+    ret->user2 = end;
-+    ret->index2 = endindex;
-+    return(ret);
-+}
-+
- /**
-  * xmlXPtrNewRange:
-  * @start:  the starting node
-@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
-     if (endindex < 0)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = startindex;
--    ret->user2 = end;
--    ret->index2 = endindex;
-+    ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
-+                                  end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
-     if (start->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
-     if (end == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-     if (start == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = NULL;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
-     return(ret);
- }
- 
-@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-  */
- xmlXPathObjectPtr
- xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
-+    xmlNodePtr endNode;
-+    int endIndex;
-     xmlXPathObjectPtr ret;
- 
-     if (start == NULL)
-@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	return(NULL);
-     switch (end->type) {
- 	case XPATH_POINT:
-+	    endNode = end->user;
-+	    endIndex = end->index;
-+	    break;
- 	case XPATH_RANGE:
-+	    endNode = end->user2;
-+	    endIndex = end->index2;
- 	    break;
- 	case XPATH_NODESET:
- 	    /*
-@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	     */
- 	    if (end->nodesetval->nodeNr <= 0)
- 		return(NULL);
-+	    endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
-+	    endIndex = -1;
- 	    break;
- 	default:
- 	    /* TODO */
- 	    return(NULL);
-     }
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    switch (end->type) {
--	case XPATH_POINT:
--	    ret->user2 = end->user;
--	    ret->index2 = end->index;
--	    break;
--	case XPATH_RANGE:
--	    ret->user2 = end->user2;
--	    ret->index2 = end->index2;
--	    break;
--	case XPATH_NODESET: {
--	    ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
--	    ret->index2 = -1;
--	    break;
--	}
--	default:
--	    STRANGE
--	    return(NULL);
--    }
-+    ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
--- 
-2.9.3
-

data/patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch

@@ -1,31 +0,0 @@
-From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 10 Jun 2016 14:23:58 +0200
-Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
-
-An empty decimal-separator could cause a heap overread. This can be
-exploited to leak a couple of bytes after the buffer that holds the
-pattern string.
-
-Found with afl-fuzz and ASan.
----
- libxslt/numbers.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index d1549b4..e78c46b 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
-     }
- 
-     /* We have finished the integer part, now work on fraction */
--    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
-+    if ( (*the_format != 0) &&
-+         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
-         format_info.add_decimal = TRUE;
- 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
-     }
--- 
-2.9.3
-

data/patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch

@@ -1,74 +0,0 @@
-From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Thu, 12 Jan 2017 15:39:52 +0100
-Subject: [PATCH] Check for integer overflow in xsltAddTextString
-
-Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
-exploited to trigger an out of bounds write on 64-bit systems.
-
-Originally reported to Chromium:
-
-https://crbug.com/676623
----
- libxslt/transform.c     | 25 ++++++++++++++++++++++---
- libxslt/xsltInternals.h |  4 ++--
- 2 files changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 519133f..02bff34 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
-         return(target);
- 
-     if (ctxt->lasttext == target->content) {
-+        int minSize;
- 
--	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
-+        /* Check for integer overflow accounting for NUL terminator. */
-+        if (len >= INT_MAX - ctxt->lasttuse) {
-+            xsltTransformError(ctxt, NULL, target,
-+                "xsltCopyText: text allocation failed\n");
-+            return(NULL);
-+        }
-+        minSize = ctxt->lasttuse + len + 1;
-+
-+        if (ctxt->lasttsize < minSize) {
- 	    xmlChar *newbuf;
- 	    int size;
-+            int extra;
-+
-+            /* Double buffer size but increase by at least 100 bytes. */
-+            extra = minSize < 100 ? 100 : minSize;
-+
-+            /* Check for integer overflow. */
-+            if (extra > INT_MAX - ctxt->lasttsize) {
-+                size = INT_MAX;
-+            }
-+            else {
-+                size = ctxt->lasttsize + extra;
-+            }
- 
--	    size = ctxt->lasttsize + len + 100;
--	    size *= 2;
- 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
- 	    if (newbuf == NULL) {
- 		xsltTransformError(ctxt, NULL, target,
-diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
-index 060b178..5ad1771 100644
---- a/libxslt/xsltInternals.h
-+++ b/libxslt/xsltInternals.h
-@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
-      * Speed optimization when coalescing text nodes
-      */
-     const xmlChar  *lasttext;		/* last text node content */
--    unsigned int    lasttsize;		/* last text node size */
--    unsigned int    lasttuse;		/* last text node use */
-+    int             lasttsize;		/* last text node size */
-+    int             lasttuse;		/* last text node use */
-     /*
-      * Per Context Debugging
-      */
--- 
-2.9.3
-