From 29bed4cd0fe23c4d78604d0781a3fbe646531521 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Tue, 9 May 2017 16:47:29 -0400
Subject: [PATCH] apply upstream libxslt patches

to address CVE-2017-5029 and CVE-2016-4738.

see #1634 for more information.

Conflicts:
	CHANGELOG.rdoc
---
 CHANGELOG.rdoc                                | 27 ++++++-
 Manifest.txt                                  |  2 +
 ...erread-in-xsltFormatNumberConversion.patch | 31 ++++++++
 ...nteger-overflow-in-xsltAddTextString.patch | 74 +++++++++++++++++++
 4 files changed, 132 insertions(+), 2 deletions(-)
 create mode 100644 patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
 create mode 100644 patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch

diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc
index a5db2e80b9..054644fbe4 100644
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -1,6 +1,29 @@
-=== 1.6.8.1 / 2016-10-03
 
-==== Dependency License Notes
+## Security Notes
+
+[MRI] Upstream libxslt patches are applied to the vendored libxslt 1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
+
+For more information:
+
+* https://github.com/sparklemotion/nokogiri/issues/1634
+* http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
+* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
+
+
+## Security Notes
+
+[MRI] Upstream libxml2 patches are applied to the vendored libxml 2.9.4 which address CVE-2016-4658 and CVE-2016-5131.
+
+For more information:
+
+* https://github.com/sparklemotion/nokogiri/issues/1615
+* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4658.html
+* http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5131.html
+
+
+# 1.6.8.1 / 2016-10-03
+
+## Dependency License Notes
 
 Removes required dependency on the `pkg-config` gem. This dependency
 was introduced in v1.6.8 and, because it's distributed under LGPL, was
diff --git a/Manifest.txt b/Manifest.txt
index 1a866bce0d..599c7d414c 100644
--- a/Manifest.txt
+++ b/Manifest.txt
@@ -249,6 +249,8 @@ lib/xsd/xmlparser/nokogiri.rb
 patches/libxml2/0001-Fix-comparison-with-root-node-in-xmlXPathCmpNodes.patch
 patches/libxml2/0002-Fix-XPointer-paths-beginning-with-range-to.patch
 patches/libxml2/0003-Disallow-namespace-nodes-in-XPointer-ranges.patch
+patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
+patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
 patches/sort-patches-by-date
 suppressions/README.txt
 suppressions/nokogiri_ree-1.8.7.358.supp
diff --git a/patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch b/patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
new file mode 100644
index 0000000000..9bf818ee0c
--- /dev/null
+++ b/patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
@@ -0,0 +1,31 @@
+From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jun 2016 14:23:58 +0200
+Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
+
+An empty decimal-separator could cause a heap overread. This can be
+exploited to leak a couple of bytes after the buffer that holds the
+pattern string.
+
+Found with afl-fuzz and ASan.
+---
+ libxslt/numbers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index d1549b4..e78c46b 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
+     }
+ 
+     /* We have finished the integer part, now work on fraction */
+-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
++    if ( (*the_format != 0) &&
++         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
+         format_info.add_decimal = TRUE;
+ 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
+     }
+-- 
+2.9.3
+
diff --git a/patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch b/patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
new file mode 100644
index 0000000000..82b33279e9
--- /dev/null
+++ b/patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
@@ -0,0 +1,74 @@
+From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 12 Jan 2017 15:39:52 +0100
+Subject: [PATCH] Check for integer overflow in xsltAddTextString
+
+Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
+exploited to trigger an out of bounds write on 64-bit systems.
+
+Originally reported to Chromium:
+
+https://crbug.com/676623
+---
+ libxslt/transform.c     | 25 ++++++++++++++++++++++---
+ libxslt/xsltInternals.h |  4 ++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 519133f..02bff34 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
+         return(target);
+ 
+     if (ctxt->lasttext == target->content) {
++        int minSize;
+ 
+-	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
++        /* Check for integer overflow accounting for NUL terminator. */
++        if (len >= INT_MAX - ctxt->lasttuse) {
++            xsltTransformError(ctxt, NULL, target,
++                "xsltCopyText: text allocation failed\n");
++            return(NULL);
++        }
++        minSize = ctxt->lasttuse + len + 1;
++
++        if (ctxt->lasttsize < minSize) {
+ 	    xmlChar *newbuf;
+ 	    int size;
++            int extra;
++
++            /* Double buffer size but increase by at least 100 bytes. */
++            extra = minSize < 100 ? 100 : minSize;
++
++            /* Check for integer overflow. */
++            if (extra > INT_MAX - ctxt->lasttsize) {
++                size = INT_MAX;
++            }
++            else {
++                size = ctxt->lasttsize + extra;
++            }
+ 
+-	    size = ctxt->lasttsize + len + 100;
+-	    size *= 2;
+ 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
+ 	    if (newbuf == NULL) {
+ 		xsltTransformError(ctxt, NULL, target,
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 060b178..5ad1771 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
+      * Speed optimization when coalescing text nodes
+      */
+     const xmlChar  *lasttext;		/* last text node content */
+-    unsigned int    lasttsize;		/* last text node size */
+-    unsigned int    lasttuse;		/* last text node use */
++    int             lasttsize;		/* last text node size */
++    int             lasttuse;		/* last text node use */
+     /*
+      * Per Context Debugging
+      */
+-- 
+2.9.3
+