authormezz <mezz@FreeBSD.org>2008-09-05 04:51:09 +0800
committermezz <mezz@FreeBSD.org>2008-09-05 04:51:09 +0800
commit0657aff8ce8e562b2a2776f4687ffab1ab24e9f8 (patch)
tree0db3310c62f032d0c898ab01606c3ab50a19c434 /textproc
parentc2768a1c76f2987156ab0d0fc707e00c5dd44023 (diff)
Security fix libxslt heap overflow, bump the PORTREVISION.
PR: ports/126869 Submitted by: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> Obtained from: http://www.ocert.org/advisories/ocert-2008-009.html Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935
Diffstat (limited to 'textproc')
-rw-r--r--textproc/libxslt/Makefile2
-rw-r--r--textproc/libxslt/files/patch-exslt_crypt152
2 files changed, 153 insertions, 1 deletions
diff --git a/textproc/libxslt/Makefile b/textproc/libxslt/Makefile
index 147410fab771..2c7ba67c485f 100644
--- a/textproc/libxslt/Makefile
+++ b/textproc/libxslt/Makefile
@@ -7,7 +7,7 @@
PORTNAME= libxslt
PORTVERSION= 1.1.24
-PORTREVISION?= 0
+PORTREVISION?= 1
CATEGORIES?= textproc gnome
MASTER_SITES= ftp://fr.rpmfind.net/pub/libxml/ \
ftp://gd.tuwien.ac.at/pub/libxml/ \
diff --git a/textproc/libxslt/files/patch-exslt_crypt b/textproc/libxslt/files/patch-exslt_crypt
new file mode 100644
index 000000000000..c9ab232dd4b9
--- /dev/null
+++ b/textproc/libxslt/files/patch-exslt_crypt
@@ -0,0 +1,152 @@
+Index: libexslt/crypto.c
+===================================================================
+--- libexslt/crypto.c (revision 1479)
++++ libexslt/crypto.c (working copy)
+@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ int str_len = 0, bin_len = 0, hex_len = 0;
+ xmlChar *key = NULL, *str = NULL, *padkey = NULL;
+ xmlChar *bin = NULL, *hex = NULL;
++ xsltTransformContextPtr tctxt = NULL;
+
+- if ((nargs < 1) || (nargs > 3)) {
++ if (nargs != 2) {
+ xmlXPathSetArityError (ctxt);
+ return;
+ }
++ tctxt = xsltXPathGetTransformContext(ctxt);
+
+ str = xmlXPathPopString (ctxt);
+ str_len = xmlUTF8Strlen (str);
+@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ }
+
+ key = xmlXPathPopString (ctxt);
+- key_len = xmlUTF8Strlen (str);
++ key_len = xmlUTF8Strlen (key);
+
+ if (key_len == 0) {
+ xmlXPathReturnEmptyString (ctxt);
+@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ return;
+ }
+
+- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
++ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
++ if (padkey == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
++ memset(padkey, 0, RC4_KEY_LENGTH + 1);
++
+ key_size = xmlUTF8Strsize (key, key_len);
++ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ memcpy (padkey, key, key_size);
+- memset (padkey + key_size, '\0', sizeof (padkey));
+
+ /* encrypt it */
+ bin_len = str_len;
+ bin = xmlStrdup (str);
+ if (bin == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
++ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathP
+ hex_len = str_len * 2 + 1;
+ hex = xmlMallocAtomic (hex_len);
+ if (hex == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
++ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
+ int str_len = 0, bin_len = 0, ret_len = 0;
+ xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
+ NULL, *ret = NULL;
++ xsltTransformContextPtr tctxt = NULL;
+
+- if ((nargs < 1) || (nargs > 3)) {
++ if (nargs != 2) {
+ xmlXPathSetArityError (ctxt);
+ return;
+ }
++ tctxt = xsltXPathGetTransformContext(ctxt);
+
+ str = xmlXPathPopString (ctxt);
+ str_len = xmlUTF8Strlen (str);
+@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
+ }
+
+ key = xmlXPathPopString (ctxt);
+- key_len = xmlUTF8Strlen (str);
++ key_len = xmlUTF8Strlen (key);
+
+ if (key_len == 0) {
+ xmlXPathReturnEmptyString (ctxt);
+@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathP
+ return;
+ }
+
+- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
++ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
++ if (padkey == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
++ memset(padkey, 0, RC4_KEY_LENGTH + 1);
+ key_size = xmlUTF8Strsize (key, key_len);
++ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ memcpy (padkey, key, key_size);
+- memset (padkey + key_size, '\0', sizeof (padkey));
+
+ /* decode hex to binary */
+ bin_len = str_len;
+ bin = xmlMallocAtomic (bin_len);
++ if (bin == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
+
+ /* decrypt the binary blob */
+ ret = xmlMallocAtomic (ret_len);
++ if (ret == NULL) {
++ xsltTransformError(tctxt, NULL, tctxt->inst,
++ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
++ tctxt->state = XSLT_STATE_STOPPED;
++ xmlXPathReturnEmptyString (ctxt);
++ goto done;
++ }
+ PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
+
+ xmlXPathReturnString (ctxt, ret);
+
++done:
+ if (key != NULL)
+ xmlFree (key);
+ if (str != NULL)
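Review bot: In exsltCryptoRc4DecryptFunction the decrypted buffer is still allocated as `ret = xmlMallocAtomic (ret_len);` and passed to `xmlXPathReturnString (ctxt, ret)` without a terminator, so unless the RC4 backend writes one, later string handling of `ret` can read past the end of the heap block. Allocate `xmlMallocAtomic (ret_len + 1)` and set `ret[ret_len] = 0;` right after `PLATFORM_RC4_DECRYPT`; this also avoids a zero-byte allocation if exsltCryptoHex2Bin returns 0. The four error messages added to this function still name `exsltCryptoRc4EncryptFunction`, which would misdirect anyone triaging a failed transform, and should read `exsltCryptoRc4DecryptFunction: ...`. Both functions start and end outside the lines the embedded patch shows, so the `done:` cleanup path could not be checked in full.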