author | mezz <mezz@df743ca5-7f9a-e211-a948-0013205c9059> | 2008-11-20 03:43:14 +0800 |
---|---|---|
committer | mezz <mezz@df743ca5-7f9a-e211-a948-0013205c9059> | 2008-11-20 03:43:14 +0800 |
commit | b7b04ef7c873a15208ff2fbb396d6f9d68935c0b (patch) | |
tree | 8f254e136f3bcd67ec50d5d82ecf005aeff6c7a2 /textproc | |
parent | ff40acd511f1f00e87f316dd2352e7b410dcfaeb (diff) | |
Fix two integer overflow vulnerabilities, bump the PORTREVISION. In the
mailing list, the developer said that he might release a new tarball in the next
week or so. Better now than later.
Submitted by: pluknet <pluknet@gmail.com>
Obtained from: https://bugzilla.redhat.com/show_bug.cgi?id=470480
https://bugzilla.redhat.com/show_bug.cgi?id=470466
Security: http://secunia.com/Advisories/32773/
git-svn-id: svn://creme-brulee.marcuscom.com/ports/trunk@11765 df743ca5-7f9a-e211-a948-0013205c9059
Diffstat (limited to 'textproc')
-rw-r--r-- | textproc/libxml2/Makefile | 2 | ||||
-rw-r--r-- | textproc/libxml2/files/patch-CVE-2008-4225 | 26 | ||||
-rw-r--r-- | textproc/libxml2/files/patch-CVE-2008-4226 | 38 |
3 files changed, 65 insertions, 1 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index ba8d3bb90..55d2ead37 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -13,7 +13,7 @@
 PORTNAME= libxml2
 PORTVERSION= 2.7.2
-PORTREVISION?= 0
+PORTREVISION?= 1
 CATEGORIES?= textproc gnome
 MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \
 ftp://gd.tuwien.ac.at/pub/libxml/ \
diff --git a/textproc/libxml2/files/patch-CVE-2008-4225 b/textproc/libxml2/files/patch-CVE-2008-4225
new file mode 100644
index 000000000..0666795c6
--- /dev/null
+++ b/textproc/libxml2/files/patch-CVE-2008-4225
@@ -0,0 +1,26 @@
+--- tree.c.orig 2008-10-31 18:14:00.000000000 -0700
++++ tree.c 2008-10-31 18:14:35.000000000 -0700
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+
+ #include <string.h> /* for memset() only ! */
+-
++#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6996,7 +6996,13 @@
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+ newSize = (buf->size ? buf->size*2 : size + 10);
+- while (size > newSize) newSize *= 2;
++ while (size > newSize) {
++ if (newSize > UINT_MAX / 2) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++ newSize *= 2;
++ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+ newSize = size+10;
diff --git a/textproc/libxml2/files/patch-CVE-2008-4226 b/textproc/libxml2/files/patch-CVE-2008-4226
new file mode 100644
index 000000000..79e808b40
--- /dev/null
+++ b/textproc/libxml2/files/patch-CVE-2008-4226
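Review bot: In files/patch-CVE-2008-4225 (tree.c) the new guard covers only the doubling inside the loop; the initial `newSize = (buf->size ? buf->size*2 : size + 10);` and the `newSize = size+10;` in the XML_BUFFER_ALLOC_EXACT case are still unchecked. Assuming `size` and `newSize` are unsigned int, as the UINT_MAX bound suggests, `buf->size*2` or `size + 10` can wrap before the loop is reached, and a value that wraps to 0 is never caught by the guard because doubling 0 stays 0. I would reject oversized requests before the assignments, `if (size > UINT_MAX - 10) { xmlTreeErrMemory("growing buffer"); return 0; }` for both cases plus a `buf->size > UINT_MAX / 2` test at the top of the DOUBLEIT case. The enclosing function starts and ends outside the hunk, so an earlier check may already bound these values.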
@@ -0,0 +1,38 @@
+--- SAX2.c.orig 2008-01-25 08:10:04.000000000 -0500
++++ SAX2.c 2008-11-07 05:07:34.000000000 -0500
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+
++/* Define SIZE_T_MAX unless defined through <limits.h>. */
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX ((size_t)-1)
++#endif /* !SIZE_T_MAX */
++
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+
+@@ -2445,9 +2451,14 @@
+ (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ lastChild->content = xmlStrdup(lastChild->content);
+ }
++ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
++ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
++ return;
++ }
+ if (ctxt->nodelen + len >= ctxt->nodemem) {
+ xmlChar *newbuf;
+- int size;
++ size_t size;
+
+ size = ctxt->nodemem + len;
+ size *= 2; |
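Review bot: The new guard in files/patch-CVE-2008-4226 (SAX2.c) bounds the sums against SIZE_T_MAX, but `if (ctxt->nodelen + len >= ctxt->nodemem)` and `size = ctxt->nodemem + len;` are still evaluated in the operands' own type. If `nodelen`, `nodemem` and `len` are int, as the casts and the old `int size` suggest, then where size_t is wider than int the guard cannot fire for any non-negative values while the int additions can still overflow; declaring `size` as size_t does not widen an addition done before the assignment. Bounding against the field type would close that: `if (len < 0 || ctxt->nodelen > INT_MAX - len || ctxt->nodemem > INT_MAX / 2 - len)` as the guard (this patch already adds limits.h) and `size = (size_t)ctxt->nodemem + (size_t)len;`. The function body starts and ends outside the hunk, so how `size` is stored back into the context is not visible here.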