authormezz <mezz@FreeBSD.org>2008-11-20 03:23:07 +0800
committermezz <mezz@FreeBSD.org>2008-11-20 03:23:07 +0800
commit8beb7f66ff09e6a22d8b59f29f1c6bee33cd6914 (patch)
tree742a4a444f758e4b5f9e10afc7aefd1f5ae02755 /textproc/libxml2
parent9113b02e969274b7afb617959526c79397548eb3 (diff)
Fix two integer overflow vulnerabilities, bump the PORTREVISION.
Submitted by: pluknet <pluknet@gmail.com> Obtained from: https://bugzilla.redhat.com/show_bug.cgi?id=470480 https://bugzilla.redhat.com/show_bug.cgi?id=470466 Security: http://secunia.com/Advisories/32773/
Diffstat (limited to 'textproc/libxml2')
-rw-r--r--textproc/libxml2/Makefile2
-rw-r--r--textproc/libxml2/files/patch-CVE-2008-422526
-rw-r--r--textproc/libxml2/files/patch-CVE-2008-422638
3 files changed, 65 insertions, 1 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index a936555b8471..5f0733fa8f61 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -13,7 +13,7 @@
PORTNAME= libxml2
PORTVERSION= 2.6.32
-PORTREVISION?= 1
+PORTREVISION?= 2
CATEGORIES?= textproc gnome
MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \
ftp://gd.tuwien.ac.at/pub/libxml/ \
diff --git a/textproc/libxml2/files/patch-CVE-2008-4225 b/textproc/libxml2/files/patch-CVE-2008-4225
new file mode 100644
index 000000000000..6d1155794f62
--- /dev/null
+++ b/textproc/libxml2/files/patch-CVE-2008-4225
@@ -0,0 +1,26 @@
+--- tree.c.orig 2008-11-19 13:14:41.000000000 -0600
++++ tree.c 2008-11-19 13:17:07.000000000 -0600
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+
+ #include <string.h> /* for memset() only ! */
+-
++#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6916,7 +6916,13 @@
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+ newSize = (buf->size ? buf->size*2 : size + 10);
+- while (size > newSize) newSize *= 2;
++ while (size > newSize) {
++ if (newSize > UINT_MAX / 2) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++ newSize *= 2;
++ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+ newSize = size+10;
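Review bot: The two `size + 10` computations, in the empty-buffer arm of `XML_BUFFER_ALLOC_DOUBLEIT` and in `XML_BUFFER_ALLOC_EXACT`, are still unguarded, and so is the initial `buf->size*2`; the added check covers only the doubling loop. If `size` and `newSize` are unsigned int, as the `UINT_MAX` bound suggests, a `size` within 10 of `UINT_MAX` wraps `newSize` to a small value, and the buffer would then be allocated smaller than the caller asked for. A guard ahead of the switch would close this, e.g. `if (size > UINT_MAX - 10) { xmlTreeErrMemory("growing buffer"); return 0; }`. The function starts and ends outside the hunk, so confirm no earlier check already bounds `size`.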
diff --git a/textproc/libxml2/files/patch-CVE-2008-4226 b/textproc/libxml2/files/patch-CVE-2008-4226
new file mode 100644
index 000000000000..79e808b40c34
--- /dev/null
+++ b/textproc/libxml2/files/patch-CVE-2008-4226
@@ -0,0 +1,38 @@
+--- SAX2.c.orig 2008-01-25 08:10:04.000000000 -0500
++++ SAX2.c 2008-11-07 05:07:34.000000000 -0500
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+
++/* Define SIZE_T_MAX unless defined through <limits.h>. */
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX ((size_t)-1)
++#endif /* !SIZE_T_MAX */
++
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+
+@@ -2445,9 +2451,14 @@
+ (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ lastChild->content = xmlStrdup(lastChild->content);
+ }
++ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
++ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
++ return;
++ }
+ if (ctxt->nodelen + len >= ctxt->nodemem) {
+ xmlChar *newbuf;
+- int size;
++ size_t size;
+
+ size = ctxt->nodemem + len;
+ size *= 2;
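Review bot: The new guard bounds the sums against `SIZE_T_MAX`, but the unchanged test `ctxt->nodelen + len >= ctxt->nodemem` right below it is still plain arithmetic on what appear to be `int` fields. Where `size_t` is 64 bits, two non-negative ints cast to `size_t` can never approach `SIZE_T_MAX / 2`, so the guard does not fire and the signed addition can still overflow. Widening `size` to `size_t` also only helps if the result is not narrowed again when stored back into `ctxt->nodemem`, which happens outside the hunk. Bounding against the width of the fields would cover both cases: `if (len < 0 || ctxt->nodelen > INT_MAX - len || ctxt->nodemem > INT_MAX / 2 - len)`, keeping the same `xmlSAX2ErrMemory` call and `return`. `<limits.h>` is already added by this patch.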