File libxml2-CVE-2021-3518.patch of Package libxml2.19429

From 1098c30a040e72a4654968547f415be4e4c40fe7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 22 Apr 2021 19:26:28 +0200
Subject: [PATCH] Fix user-after-free with `xmllint --xinclude --dropdtd`

The --dropdtd option can leave dangling pointers in entity reference
nodes. Make sure to skip these nodes when processing XIncludes.

This also avoids scanning entity declarations and even modifying
them inadvertently during XInclude processing.

Move from a block list to an allow list approach to avoid descending
into other node types that can't contain elements.

Fixes #237.
---
 xinclude.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Index: libxml2-2.9.10/xinclude.c
===================================================================
--- libxml2-2.9.10.orig/xinclude.c
+++ libxml2-2.9.10/xinclude.c
@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr
     while ((cur != NULL) && (cur != tree->parent)) {
 	/* TODO: need to work on entities -> stack */
 	if ((cur->children != NULL) &&
-	    (cur->children->type != XML_ENTITY_DECL) &&
-	    (cur->children->type != XML_XINCLUDE_START) &&
-	    (cur->children->type != XML_XINCLUDE_END)) {
+	    ((cur->type == XML_DOCUMENT_NODE) ||
+	     (cur->type == XML_ELEMENT_NODE))) {
 	    cur = cur->children;
 	    if (xmlXIncludeTestNode(ctxt, cur))
 		xmlXIncludePreProcessNode(ctxt, cur);
openSUSE Build Service is sponsored by