Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-04-21 14:15:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Fri Apr 21 14:15:35 2023 rev:117 rq:1079409 version:2.10.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-02-07 18:47:29.598618359 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1533/libxml2.changes 2023-04-21 14:15:39.798127118 +0200 @@ -1,0 +2,15 @@ +Tue Apr 11 12:37:32 UTC 2023 - Bjørn Lie <[email protected]> + +- Update to version 2.10.4: + + Security: + - [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings + isnât deterministic + - [CVE-2023-28484, bsc#1210411] Fix null deref in + xmlSchemaFixupComplexType + - schemas: Fix null-pointer-deref in + xmlSchemaCheckCOSSTDerivedOK + + Regressions: + - SAX2: Ignore namespaces in HTML documents + - io: Fix âbuffer fullâ error with certain buffer sizes + +------------------------------------------------------------------- Old: ---- libxml2-2.10.3.tar.xz New: ---- libxml2-2.10.4.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.oGE3gK/_old 2023-04-21 14:15:40.750132456 +0200 +++ /var/tmp/diff_new_pack.oGE3gK/_new 2023-04-21 14:15:40.762132523 +0200 @@ -25,7 +25,7 @@ %endif Name: libxml2%{?dash}%{flavor} -Version: 2.10.3 +Version: 2.10.4 Release: 0 License: MIT Summary: A Library to Manipulate XML Files ++++++ libxml2-2.10.3.tar.xz -> libxml2-2.10.4.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/INSTALL new/libxml2-2.10.4/INSTALL --- old/libxml2-2.10.3/INSTALL 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/INSTALL 2022-11-30 12:01:49.000000000 +0100 @@ -0,0 +1,368 @@ +Installation Instructions +************************* + + Copyright (C) 1994-1996, 1999-2002, 2004-2017, 2020-2021 Free +Software Foundation, Inc. + + Copying and distribution of this file, with or without modification, +are permitted in any medium without royalty provided the copyright +notice and this notice are preserved. This file is offered as-is, +without warranty of any kind. + +Basic Installation +================== + + Briefly, the shell command './configure && make && make install' +should configure, build, and install this package. The following +more-detailed instructions are generic; see the 'README' file for +instructions specific to this package. Some packages provide this +'INSTALL' file but do not implement all of the features documented +below. The lack of an optional feature in a given package is not +necessarily a bug. More recommendations for GNU packages can be found +in *note Makefile Conventions: (standards)Makefile Conventions. + + The 'configure' shell script attempts to guess correct values for +various system-dependent variables used during compilation. It uses +those values to create a 'Makefile' in each directory of the package. +It may also create one or more '.h' files containing system-dependent +definitions. Finally, it creates a shell script 'config.status' that +you can run in the future to recreate the current configuration, and a +file 'config.log' containing compiler output (useful mainly for +debugging 'configure'). + + It can also use an optional file (typically called 'config.cache' and +enabled with '--cache-file=config.cache' or simply '-C') that saves the +results of its tests to speed up reconfiguring. Caching is disabled by +default to prevent problems with accidental use of stale cache files. + + If you need to do unusual things to compile the package, please try +to figure out how 'configure' could check whether to do them, and mail +diffs or instructions to the address given in the 'README' so they can +be considered for the next release. If you are using the cache, and at +some point 'config.cache' contains results you don't want to keep, you +may remove or edit it. + + The file 'configure.ac' (or 'configure.in') is used to create +'configure' by a program called 'autoconf'. You need 'configure.ac' if +you want to change it or regenerate 'configure' using a newer version of +'autoconf'. + + The simplest way to compile this package is: + + 1. 'cd' to the directory containing the package's source code and type + './configure' to configure the package for your system. + + Running 'configure' might take a while. While running, it prints + some messages telling which features it is checking for. + + 2. Type 'make' to compile the package. + + 3. Optionally, type 'make check' to run any self-tests that come with + the package, generally using the just-built uninstalled binaries. + + 4. Type 'make install' to install the programs and any data files and + documentation. When installing into a prefix owned by root, it is + recommended that the package be configured and built as a regular + user, and only the 'make install' phase executed with root + privileges. + + 5. Optionally, type 'make installcheck' to repeat any self-tests, but + this time using the binaries in their final installed location. + This target does not install anything. Running this target as a + regular user, particularly if the prior 'make install' required + root privileges, verifies that the installation completed + correctly. + + 6. You can remove the program binaries and object files from the + source code directory by typing 'make clean'. To also remove the + files that 'configure' created (so you can compile the package for + a different kind of computer), type 'make distclean'. There is + also a 'make maintainer-clean' target, but that is intended mainly + for the package's developers. If you use it, you may have to get + all sorts of other programs in order to regenerate files that came + with the distribution. + + 7. Often, you can also type 'make uninstall' to remove the installed + files again. In practice, not all packages have tested that + uninstallation works correctly, even though it is required by the + GNU Coding Standards. + + 8. Some packages, particularly those that use Automake, provide 'make + distcheck', which can by used by developers to test that all other + targets like 'make install' and 'make uninstall' work correctly. + This target is generally not run by end users. + +Compilers and Options +===================== + + Some systems require unusual options for compilation or linking that +the 'configure' script does not know about. Run './configure --help' +for details on some of the pertinent environment variables. + + You can give 'configure' initial values for configuration parameters +by setting variables in the command line or in the environment. Here is +an example: + + ./configure CC=c99 CFLAGS=-g LIBS=-lposix + + *Note Defining Variables::, for more details. + +Compiling For Multiple Architectures +==================================== + + You can compile the package for more than one kind of computer at the +same time, by placing the object files for each architecture in their +own directory. To do this, you can use GNU 'make'. 'cd' to the +directory where you want the object files and executables to go and run +the 'configure' script. 'configure' automatically checks for the source +code in the directory that 'configure' is in and in '..'. This is known +as a "VPATH" build. + + With a non-GNU 'make', it is safer to compile the package for one +architecture at a time in the source code directory. After you have +installed the package for one architecture, use 'make distclean' before +reconfiguring for another architecture. + + On MacOS X 10.5 and later systems, you can create libraries and +executables that work on multiple system types--known as "fat" or +"universal" binaries--by specifying multiple '-arch' options to the +compiler but only a single '-arch' option to the preprocessor. Like +this: + + ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CPP="gcc -E" CXXCPP="g++ -E" + + This is not guaranteed to produce working output in all cases, you +may have to build one architecture at a time and combine the results +using the 'lipo' tool if you have problems. + +Installation Names +================== + + By default, 'make install' installs the package's commands under +'/usr/local/bin', include files under '/usr/local/include', etc. You +can specify an installation prefix other than '/usr/local' by giving +'configure' the option '--prefix=PREFIX', where PREFIX must be an +absolute file name. + + You can specify separate installation prefixes for +architecture-specific files and architecture-independent files. If you +pass the option '--exec-prefix=PREFIX' to 'configure', the package uses +PREFIX as the prefix for installing programs and libraries. +Documentation and other data files still use the regular prefix. + + In addition, if you use an unusual directory layout you can give +options like '--bindir=DIR' to specify different values for particular +kinds of files. Run 'configure --help' for a list of the directories +you can set and what kinds of files go in them. In general, the default +for these options is expressed in terms of '${prefix}', so that +specifying just '--prefix' will affect all of the other directory +specifications that were not explicitly provided. + + The most portable way to affect installation locations is to pass the +correct locations to 'configure'; however, many packages provide one or +both of the following shortcuts of passing variable assignments to the +'make install' command line to change installation locations without +having to reconfigure or recompile. + + The first method involves providing an override variable for each +affected directory. For example, 'make install +prefix=/alternate/directory' will choose an alternate location for all +directory configuration variables that were expressed in terms of +'${prefix}'. Any directories that were specified during 'configure', +but not in terms of '${prefix}', must each be overridden at install time +for the entire installation to be relocated. The approach of makefile +variable overrides for each directory variable is required by the GNU +Coding Standards, and ideally causes no recompilation. However, some +platforms have known limitations with the semantics of shared libraries +that end up requiring recompilation when using this method, particularly +noticeable in packages that use GNU Libtool. + + The second method involves providing the 'DESTDIR' variable. For +example, 'make install DESTDIR=/alternate/directory' will prepend +'/alternate/directory' before all installation names. The approach of +'DESTDIR' overrides is not required by the GNU Coding Standards, and +does not work on platforms that have drive letters. On the other hand, +it does better at avoiding recompilation issues, and works well even +when some directory options were not specified in terms of '${prefix}' +at 'configure' time. + +Optional Features +================= + + If the package supports it, you can cause programs to be installed +with an extra prefix or suffix on their names by giving 'configure' the +option '--program-prefix=PREFIX' or '--program-suffix=SUFFIX'. + + Some packages pay attention to '--enable-FEATURE' options to +'configure', where FEATURE indicates an optional part of the package. +They may also pay attention to '--with-PACKAGE' options, where PACKAGE +is something like 'gnu-as' or 'x' (for the X Window System). The +'README' should mention any '--enable-' and '--with-' options that the +package recognizes. + + For packages that use the X Window System, 'configure' can usually +find the X include and library files automatically, but if it doesn't, +you can use the 'configure' options '--x-includes=DIR' and +'--x-libraries=DIR' to specify their locations. + + Some packages offer the ability to configure how verbose the +execution of 'make' will be. For these packages, running './configure +--enable-silent-rules' sets the default to minimal output, which can be +overridden with 'make V=1'; while running './configure +--disable-silent-rules' sets the default to verbose, which can be +overridden with 'make V=0'. + +Particular systems +================== + + On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC +is not installed, it is recommended to use the following options in +order to use an ANSI C compiler: + + ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" + +and if that doesn't work, install pre-built binaries of GCC for HP-UX. + + HP-UX 'make' updates targets which have the same timestamps as their +prerequisites, which makes it generally unusable when shipped generated +files such as 'configure' are involved. Use GNU 'make' instead. + + On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot +parse its '<wchar.h>' header file. The option '-nodtk' can be used as a +workaround. If GNU CC is not installed, it is therefore recommended to +try + + ./configure CC="cc" + +and if that doesn't work, try + + ./configure CC="cc -nodtk" + + On Solaris, don't put '/usr/ucb' early in your 'PATH'. This +directory contains several dysfunctional programs; working variants of +these programs are available in '/usr/bin'. So, if you need '/usr/ucb' +in your 'PATH', put it _after_ '/usr/bin'. + + On Haiku, software installed for all users goes in '/boot/common', +not '/usr/local'. It is recommended to use the following options: + + ./configure --prefix=/boot/common + +Specifying the System Type +========================== + + There may be some features 'configure' cannot figure out +automatically, but needs to determine by the type of machine the package +will run on. Usually, assuming the package is built to be run on the +_same_ architectures, 'configure' can figure that out, but if it prints +a message saying it cannot guess the machine type, give it the +'--build=TYPE' option. TYPE can either be a short name for the system +type, such as 'sun4', or a canonical name which has the form: + + CPU-COMPANY-SYSTEM + +where SYSTEM can have one of these forms: + + OS + KERNEL-OS + + See the file 'config.sub' for the possible values of each field. If +'config.sub' isn't included in this package, then this package doesn't +need to know the machine type. + + If you are _building_ compiler tools for cross-compiling, you should +use the option '--target=TYPE' to select the type of system they will +produce code for. + + If you want to _use_ a cross compiler, that generates code for a +platform different from the build platform, you should specify the +"host" platform (i.e., that on which the generated programs will +eventually be run) with '--host=TYPE'. + +Sharing Defaults +================ + + If you want to set default values for 'configure' scripts to share, +you can create a site shell script called 'config.site' that gives +default values for variables like 'CC', 'cache_file', and 'prefix'. +'configure' looks for 'PREFIX/share/config.site' if it exists, then +'PREFIX/etc/config.site' if it exists. Or, you can set the +'CONFIG_SITE' environment variable to the location of the site script. +A warning: not all 'configure' scripts look for a site script. + +Defining Variables +================== + + Variables not defined in a site shell script can be set in the +environment passed to 'configure'. However, some packages may run +configure again during the build, and the customized values of these +variables may be lost. In order to avoid this problem, you should set +them in the 'configure' command line, using 'VAR=value'. For example: + + ./configure CC=/usr/local2/bin/gcc + +causes the specified 'gcc' to be used as the C compiler (unless it is +overridden in the site shell script). + +Unfortunately, this technique does not work for 'CONFIG_SHELL' due to an +Autoconf limitation. Until the limitation is lifted, you can use this +workaround: + + CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash + +'configure' Invocation +====================== + + 'configure' recognizes the following options to control how it +operates. + +'--help' +'-h' + Print a summary of all of the options to 'configure', and exit. + +'--help=short' +'--help=recursive' + Print a summary of the options unique to this package's + 'configure', and exit. The 'short' variant lists options used only + in the top level, while the 'recursive' variant lists options also + present in any nested packages. + +'--version' +'-V' + Print the version of Autoconf used to generate the 'configure' + script, and exit. + +'--cache-file=FILE' + Enable the cache: use and save the results of the tests in FILE, + traditionally 'config.cache'. FILE defaults to '/dev/null' to + disable caching. + +'--config-cache' +'-C' + Alias for '--cache-file=config.cache'. + +'--quiet' +'--silent' +'-q' + Do not print messages saying which checks are being made. To + suppress all normal output, redirect it to '/dev/null' (any error + messages will still be shown). + +'--srcdir=DIR' + Look for the package's source code in directory DIR. Usually + 'configure' can determine that directory automatically. + +'--prefix=DIR' + Use DIR as the installation prefix. *note Installation Names:: for + more details, including other options available for fine-tuning the + installation locations. + +'--no-create' +'-n' + Run the configure checks, but stop before creating any output + files. + +'configure' also accepts some other, not widely useful, options. Run +'configure --help' for more details. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/Makefile.in new/libxml2-2.10.4/Makefile.in --- old/libxml2-2.10.3/Makefile.in 2022-10-14 14:41:27.000000000 +0200 +++ new/libxml2-2.10.4/Makefile.in 2023-04-11 13:28:11.000000000 +0200 @@ -405,8 +405,8 @@ $(srcdir)/libxml-2.0-uninstalled.pc.in \ $(srcdir)/libxml-2.0.pc.in $(srcdir)/libxml.spec.in \ $(srcdir)/libxml2-config.cmake.in $(srcdir)/xml2-config.in \ - NEWS README.md TODO compile config.guess config.sub depcomp \ - install-sh ltmain.sh missing py-compile + INSTALL NEWS README.md TODO compile config.guess config.sub \ + depcomp install-sh ltmain.sh missing py-compile DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/NEWS new/libxml2-2.10.4/NEWS --- old/libxml2-2.10.3/NEWS 2022-10-14 14:30:33.000000000 +0200 +++ new/libxml2-2.10.4/NEWS 2023-04-11 13:13:42.000000000 +0200 @@ -1,5 +1,19 @@ NEWS file for libxml2 +v2.10.4: Apr 11 2023 + +### Security + +- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic +- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType +- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK + +### Regressions + +- SAX2: Ignore namespaces in HTML documents +- io: Fix "buffer full" error with certain buffer sizes + + v2.10.3: Oct 14 2022 ### Security @@ -60,6 +74,47 @@ v2.10.0: Aug 17 2022 +### Breaking changes + +The Docbook parser module and all related symbols habe been removed completely. +This was experimental code which never worked and generated a deprecation +warning for 15+ years. The library's soname wasn't changed in order to allow +seamless upgrades to later versions. If this concerns you, consider bumping +soname yourself. + +Some other modules are now disabled by default and will eventually be removed +completely: + +- Support for XPointer locations (ranges and points): This was based on + a W3C specification which never got beyond Working Draft status. To my + knowledge, there's no software supporting this spec which is still + maintained. You now have to enable this code by passing the + `--with-xptr-locs` configuration option. Be warned that this part of + the code base is buggy and had many security issues in the past. + +- Support for the built-in FTP client (`--with-ftp`). + +- Support for "legacy" functions (`--with-legacy`). + +If you're concerned about ABI stability and haven't disabled these modules +already, add the following configuration options or bump soname yourself: + + --with-ftp + --with-legacy + --with-xptr-locs + +Several functions of the public API were deprecated. Most of them should be +completely unused and will generate a deprecation warning now. + +The autoconf build now uses the sysconfdir variable for the location of +the default catalog file. The path changed from hardcoded /etc/xml/catalog +to ${sysconfdir}/xml/catalog. The sysconfdir variable defaults to +${prefix}/etc, prefix defaults to /usr/local, so without other options +the path becomes /usr/local/etc/xml/catalog. If you want the old behavior, +configure with + + --sysconfdir=/etc + ### Security - [CVE-2022-2309] Reset nsNr in xmlCtxtReset diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/SAX2.c new/libxml2-2.10.4/SAX2.c --- old/libxml2-2.10.3/SAX2.c 2022-10-14 14:22:16.000000000 +0200 +++ new/libxml2-2.10.4/SAX2.c 2023-04-11 12:36:47.000000000 +0200 @@ -1608,12 +1608,15 @@ ctxt->validate = 0; } - - /* - * Split the full name into a namespace prefix and the tag name - */ - name = xmlSplitQName(ctxt, fullname, &prefix); - + if (ctxt->html) { + prefix = NULL; + name = xmlStrdup(fullname); + } else { + /* + * Split the full name into a namespace prefix and the tag name + */ + name = xmlSplitQName(ctxt, fullname, &prefix); + } /* * Note : the namespace resolution is deferred until the end of the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/configure new/libxml2-2.10.4/configure --- old/libxml2-2.10.3/configure 2022-10-14 14:41:28.000000000 +0200 +++ new/libxml2-2.10.4/configure 2023-04-11 13:28:12.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for libxml2 2.10.3. +# Generated by GNU Autoconf 2.71 for libxml2 2.10.4. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='libxml2' PACKAGE_TARNAME='libxml2' -PACKAGE_VERSION='2.10.3' -PACKAGE_STRING='libxml2 2.10.3' +PACKAGE_VERSION='2.10.4' +PACKAGE_STRING='libxml2 2.10.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1521,7 +1521,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libxml2 2.10.3 to adapt to many kinds of systems. +\`configure' configures libxml2 2.10.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1592,7 +1592,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libxml2 2.10.3:";; + short | recursive ) echo "Configuration of libxml2 2.10.4:";; esac cat <<\_ACEOF @@ -1766,7 +1766,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libxml2 configure 2.10.3 +libxml2 configure 2.10.4 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2079,7 +2079,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libxml2 $as_me 2.10.3, which was +It was created by libxml2 $as_me 2.10.4, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -2917,7 +2917,7 @@ LIBXML_MAJOR_VERSION=2 LIBXML_MINOR_VERSION=10 -LIBXML_MICRO_VERSION=3 +LIBXML_MICRO_VERSION=4 LIBXML_MICRO_VERSION_SUFFIX= LIBXML_VERSION=$LIBXML_MAJOR_VERSION.$LIBXML_MINOR_VERSION.$LIBXML_MICRO_VERSION$LIBXML_MICRO_VERSION_SUFFIX LIBXML_VERSION_INFO=`expr $LIBXML_MAJOR_VERSION + $LIBXML_MINOR_VERSION`:$LIBXML_MICRO_VERSION:$LIBXML_MINOR_VERSION @@ -3456,7 +3456,7 @@ # Define the identity of the package. PACKAGE='libxml2' - VERSION='2.10.3' + VERSION='2.10.4' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -17406,7 +17406,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libxml2 $as_me 2.10.3, which was +This file was extended by libxml2 $as_me 2.10.4, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17474,7 +17474,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -libxml2 config.status 2.10.3 +libxml2 config.status 2.10.4 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/configure.ac new/libxml2-2.10.4/configure.ac --- old/libxml2-2.10.3/configure.ac 2022-10-14 14:30:41.000000000 +0200 +++ new/libxml2-2.10.4/configure.ac 2023-04-11 13:13:42.000000000 +0200 @@ -3,7 +3,7 @@ m4_define([MAJOR_VERSION], 2) m4_define([MINOR_VERSION], 10) -m4_define([MICRO_VERSION], 3) +m4_define([MICRO_VERSION], 4) AC_INIT([libxml2],[MAJOR_VERSION.MINOR_VERSION.MICRO_VERSION]) AC_CONFIG_SRCDIR([entities.c]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/dict.c new/libxml2-2.10.4/dict.c --- old/libxml2-2.10.3/dict.c 2022-10-14 14:20:48.000000000 +0200 +++ new/libxml2-2.10.4/dict.c 2023-04-11 13:13:42.000000000 +0200 @@ -453,7 +453,8 @@ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { unsigned long value = seed; - if (name == NULL) return(0); + if ((name == NULL) || (namelen <= 0)) + return(value); value += *name; value <<= 5; if (namelen > 10) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/result/HTML/names.html new/libxml2-2.10.4/result/HTML/names.html --- old/libxml2-2.10.3/result/HTML/names.html 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/result/HTML/names.html 2023-04-11 12:36:47.000000000 +0200 @@ -0,0 +1,6 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd";> +<html> +<body> + <o:p></o:p> +</body> +</html> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/result/HTML/names.html.err new/libxml2-2.10.4/result/HTML/names.html.err --- old/libxml2-2.10.3/result/HTML/names.html.err 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/result/HTML/names.html.err 2023-04-11 12:36:47.000000000 +0200 @@ -0,0 +1,3 @@ +./test/HTML/names.html:3: HTML parser error : Tag o:p invalid + <o:p></o:p> + ^ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/result/HTML/names.html.sax new/libxml2-2.10.4/result/HTML/names.html.sax --- old/libxml2-2.10.3/result/HTML/names.html.sax 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/result/HTML/names.html.sax 2023-04-11 12:36:47.000000000 +0200 @@ -0,0 +1,20 @@ +SAX.setDocumentLocator() +SAX.startDocument() +SAX.startElement(html) +SAX.characters( +, 1) +SAX.startElement(body) +SAX.characters( + , 3) +SAX.startElement(o:p) +SAX.error: Tag o:p invalid +SAX.endElement(o:p) +SAX.characters( +, 1) +SAX.endElement(body) +SAX.characters( +, 1) +SAX.endElement(html) +SAX.characters( +, 1) +SAX.endDocument() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/result/schemas/issue491_0_0.err new/libxml2-2.10.4/result/schemas/issue491_0_0.err --- old/libxml2-2.10.3/result/schemas/issue491_0_0.err 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/result/schemas/issue491_0_0.err 2023-04-11 13:13:42.000000000 +0200 @@ -0,0 +1 @@ +./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/result/schemas/oss-fuzz-51295_0_0.err new/libxml2-2.10.4/result/schemas/oss-fuzz-51295_0_0.err --- old/libxml2-2.10.3/result/schemas/oss-fuzz-51295_0_0.err 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/result/schemas/oss-fuzz-51295_0_0.err 2023-04-11 12:36:47.000000000 +0200 @@ -0,0 +1,2 @@ +./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. +./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/HTML/names.html new/libxml2-2.10.4/test/HTML/names.html --- old/libxml2-2.10.3/test/HTML/names.html 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/test/HTML/names.html 2023-04-11 12:36:47.000000000 +0200 @@ -0,0 +1,5 @@ +<html> +<body> + <o:p></o:p> +</body> +</html> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/recurse/_good2.xml new/libxml2-2.10.4/test/recurse/_good2.xml --- old/libxml2-2.10.3/test/recurse/_good2.xml 2020-08-16 22:29:55.000000000 +0200 +++ new/libxml2-2.10.4/test/recurse/_good2.xml 1970-01-01 01:00:00.000000000 +0100 @@ -1,6 +0,0 @@ -<!DOCTYPE doc [ - <!ENTITY a "-"> - <!ENTITY b "&a;&a;&a;&a;&a;"> - <!ENTITY c "&b; text"> -]> -<doc>&c;</doc> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/recurse/_lol7.xml new/libxml2-2.10.4/test/recurse/_lol7.xml --- old/libxml2-2.10.3/test/recurse/_lol7.xml 2020-08-16 22:29:55.000000000 +0200 +++ new/libxml2-2.10.4/test/recurse/_lol7.xml 1970-01-01 01:00:00.000000000 +0100 @@ -1,148 +0,0 @@ -<!DOCTYPE doc [ - <!ENTITY a " -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -"> - <!ENTITY b " -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -"> -]> -<doc> -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -</doc> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/recurse/_lol8.xml new/libxml2-2.10.4/test/recurse/_lol8.xml --- old/libxml2-2.10.3/test/recurse/_lol8.xml 2020-08-16 22:29:55.000000000 +0200 +++ new/libxml2-2.10.4/test/recurse/_lol8.xml 1970-01-01 01:00:00.000000000 +0100 @@ -1,148 +0,0 @@ -<!DOCTYPE doc [ - <!ENTITY a " -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -hahahahahahahahahahahahahahahahahahahahahahahahaha -"> - <!ENTITY b " -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a; -"> -]> -<doc> -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b; -</doc> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/schemas/issue491_0.xml new/libxml2-2.10.4/test/schemas/issue491_0.xml --- old/libxml2-2.10.3/test/schemas/issue491_0.xml 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/test/schemas/issue491_0.xml 2023-04-11 13:13:42.000000000 +0200 @@ -0,0 +1 @@ +<Child xmlns="http://www.test.com";>5</Child> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/schemas/issue491_0.xsd new/libxml2-2.10.4/test/schemas/issue491_0.xsd --- old/libxml2-2.10.3/test/schemas/issue491_0.xsd 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/test/schemas/issue491_0.xsd 2023-04-11 13:13:42.000000000 +0200 @@ -0,0 +1,18 @@ +<?xml version='1.0' encoding='UTF-8'?> +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"; xmlns="http://www.test.com"; targetNamespace="http://www.test.com"; elementFormDefault="qualified" attributeFormDefault="unqualified"> + <xs:complexType name="BaseType"> + <xs:simpleContent> + <xs:extension base="xs:int" /> + </xs:simpleContent> + </xs:complexType> + <xs:complexType name="ChildType"> + <xs:complexContent> + <xs:extension base="BaseType"> + <xs:sequence> + <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/> + </xs:sequence> + </xs:extension> + </xs:complexContent> + </xs:complexType> + <xs:element name="Child" type="ChildType" /> +</xs:schema> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/schemas/oss-fuzz-51295_0.xml new/libxml2-2.10.4/test/schemas/oss-fuzz-51295_0.xml --- old/libxml2-2.10.3/test/schemas/oss-fuzz-51295_0.xml 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/test/schemas/oss-fuzz-51295_0.xml 2023-04-11 12:36:47.000000000 +0200 @@ -0,0 +1 @@ +<e/> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/test/schemas/oss-fuzz-51295_0.xsd new/libxml2-2.10.4/test/schemas/oss-fuzz-51295_0.xsd --- old/libxml2-2.10.3/test/schemas/oss-fuzz-51295_0.xsd 1970-01-01 01:00:00.000000000 +0100 +++ new/libxml2-2.10.4/test/schemas/oss-fuzz-51295_0.xsd 2023-04-11 12:36:47.000000000 +0200 @@ -0,0 +1,4 @@ +<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema";> + <xs:element name="e" substitutionGroup="e"/> + <xs:element name="t" substitutionGroup="e" type='xs:decimal'/> +</xs:schema> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/xmlIO.c new/libxml2-2.10.4/xmlIO.c --- old/libxml2-2.10.3/xmlIO.c 2022-10-14 14:20:48.000000000 +0200 +++ new/libxml2-2.10.4/xmlIO.c 2023-04-11 12:36:47.000000000 +0200 @@ -3234,12 +3234,6 @@ if ((len <= MINLEN) && (len != 4)) len = MINLEN; - if (xmlBufAvail(in->buffer) <= 0) { - xmlIOErr(XML_IO_BUFFER_FULL, NULL); - in->error = XML_IO_BUFFER_FULL; - return(-1); - } - if (xmlBufGrow(in->buffer, len + 1) < 0) { xmlIOErrMemory("growing input buffer"); in->error = XML_ERR_NO_MEMORY; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/xmlschemas.c new/libxml2-2.10.4/xmlschemas.c --- old/libxml2-2.10.3/xmlschemas.c 2022-10-14 14:20:48.000000000 +0200 +++ new/libxml2-2.10.4/xmlschemas.c 2023-04-11 13:13:42.000000000 +0200 @@ -13345,8 +13345,19 @@ * declaration `resolved` to by the `actual value` * of the substitutionGroup [attribute], if present" */ - if (elemDecl->subtypes == NULL) - elemDecl->subtypes = substHead->subtypes; + if (elemDecl->subtypes == NULL) { + if (substHead->subtypes == NULL) { + /* + * This can happen with self-referencing substitution + * groups. The cycle will be detected later, but we have + * to set subtypes to avoid null-pointer dereferences. + */ + elemDecl->subtypes = xmlSchemaGetBuiltInType( + XML_SCHEMAS_ANYTYPE); + } else { + elemDecl->subtypes = substHead->subtypes; + } + } } } /* @@ -18608,7 +18619,7 @@ "allowed to appear inside other model groups", NULL, NULL); - } else if (! dummySequence) { + } else if ((!dummySequence) && (baseType->subtypes != NULL)) { xmlSchemaTreeItemPtr effectiveContent = (xmlSchemaTreeItemPtr) type->subtypes; /*
