[reactos] 05/05: [LIBXML2] Update to version 2.9.14. CORE-17766 - Ros-diffs

22 Nov 2022

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=8940614a78009668dcf86d...
commit 8940614a78009668dcf86d3641aea6485b147432
Author:     Thomas Faber thomas.faber@reactos.org
AuthorDate: Sat Nov 19 15:10:55 2022 -0500
Commit:     Thomas Faber thomas.faber@reactos.org
CommitDate: Mon Nov 21 19:46:12 2022 -0500
[LIBXML2] Update to version 2.9.14. CORE-17766
---
 media/doc/3rd Party Files.txt                |  2 +-
 sdk/include/reactos/libs/libxml/xmlversion.h | 10 ++--
 sdk/lib/3rdparty/libxml2/HTMLparser.c        | 47 ++++++++-------
 sdk/lib/3rdparty/libxml2/NEWS                | 36 ++++++++++--
 sdk/lib/3rdparty/libxml2/buf.c               | 86 +++++++++++-----------------
 sdk/lib/3rdparty/libxml2/config.h            |  2 +-
 sdk/lib/3rdparty/libxml2/encoding.c          |  4 ++
 sdk/lib/3rdparty/libxml2/globals.c           | 30 +++++-----
 sdk/lib/3rdparty/libxml2/libxml.h            |  7 ++-
 sdk/lib/3rdparty/libxml2/parser.c            |  7 ++-
 sdk/lib/3rdparty/libxml2/tree.c              | 72 +++++++++--------------
 sdk/lib/3rdparty/libxml2/valid.c             | 59 +++++++++----------
 sdk/lib/3rdparty/libxml2/xinclude.c          |  5 +-
 sdk/lib/3rdparty/libxml2/xmlregexp.c         | 19 +++---
 sdk/lib/3rdparty/libxml2/xpath.c             | 71 +++++++++++------------
 sdk/lib/3rdparty/libxml2/xpointer.c          |  1 +
 16 files changed, 226 insertions(+), 232 deletions(-)

diff --git a/media/doc/3rd Party Files.txt b/media/doc/3rd Party Files.txt
index 4d781121fa0..68c6ab5a0e1 100644
--- a/media/doc/3rd Party Files.txt	
+++ b/media/doc/3rd Party Files.txt	
@@ -239,7 +239,7 @@ URL: https://github.com/win-iconv/win-iconv
Title: LibXML
 Path: sdk/lib/3rdparty/libxml2
-Used Version: 2.9.13
+Used Version: 2.9.14
 License: MIT (https://spdx.org/licenses/MIT.htmlf)
 URL: http://xmlsoft.org, ftp://xmlsoft.org/libxml2/
diff --git a/sdk/include/reactos/libs/libxml/xmlversion.h b/sdk/include/reactos/libs/libxml/xmlversion.h
index 1c8a8558ca6..9cd054df70e 100644
--- a/sdk/include/reactos/libs/libxml/xmlversion.h
+++ b/sdk/include/reactos/libs/libxml/xmlversion.h
@@ -29,28 +29,28 @@ XMLPUBFUN void XMLCALL xmlCheckVersion(int version);
  *
  * the version string like "1.2.3"
  */
-#define LIBXML_DOTTED_VERSION "2.9.13"
+#define LIBXML_DOTTED_VERSION "2.9.14"
/**
  * LIBXML_VERSION:
  *
  * the version number: 1.2.3 value is 10203
  */
-#define LIBXML_VERSION 20913
+#define LIBXML_VERSION 20914
/**
  * LIBXML_VERSION_STRING:
  *
  * the version number string, 1.2.3 value is "10203"
  */
-#define LIBXML_VERSION_STRING "20913"
+#define LIBXML_VERSION_STRING "20914"
/**
  * LIBXML_VERSION_EXTRA:
  *
  * extra version information, used to show a git commit description
  */
-#define LIBXML_VERSION_EXTRA "-GITv2.9.12-115-ga075d256f"
+#define LIBXML_VERSION_EXTRA "-GITv2.9.13-22-g7846b0a67"
/**
  * LIBXML_TEST_VERSION:
@@ -58,7 +58,7 @@ XMLPUBFUN void XMLCALL xmlCheckVersion(int version);
  * Macro to check that the libxml version in use is compatible with
  * the version the software has been compiled against
  */
-#define LIBXML_TEST_VERSION xmlCheckVersion(20913);
+#define LIBXML_TEST_VERSION xmlCheckVersion(20914);
#ifndef VMS
 #if 0
diff --git a/sdk/lib/3rdparty/libxml2/HTMLparser.c b/sdk/lib/3rdparty/libxml2/HTMLparser.c
index 3e8a1657400..e720bb2013d 100644
--- a/sdk/lib/3rdparty/libxml2/HTMLparser.c
+++ b/sdk/lib/3rdparty/libxml2/HTMLparser.c
@@ -614,7 +614,8 @@ htmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
        if (*ctxt->input->cur == 0)
    	xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
    }
-	res++;
+	if (res < INT_MAX)
+	    res++;
     }
     return(res);
 }
@@ -3960,26 +3961,6 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) {
    htmlParseErr(ctxt, XML_ERR_NAME_REQUIRED,
                 "htmlParseStartTag: invalid element name\n",
    	     NULL, NULL);
-        /*
-         * The recovery code is disabled for now as it can result in
-         * quadratic behavior with the push parser. htmlParseStartTag
-         * must consume all content up to the final '>' in order to avoid
-         * rescanning for this terminator.
-         *
-         * For a proper fix in line with HTML5, htmlParseStartTag and
-         * htmlParseElement should only be called when there's an ASCII
-         * alpha character following the initial '<'. Otherwise, the '<'
-         * should be emitted as text (unless followed by '!', '/' or '?').
-         */
-#if 0
-	/* if recover preserve text on classic misconstructs */
-	if ((ctxt->recovery) && ((IS_BLANK_CH(CUR)) || (CUR == '<') ||
-	    (CUR == '=') || (CUR == '>') || (((CUR >= '0') && (CUR <= '9'))))) {
-	    htmlParseCharDataInternal(ctxt, '<');
-	    return(-1);
-	}
-#endif
-
    /* Dump the bogus tag like browsers do */
    while ((CUR != 0) && (CUR != '>') &&
                (ctxt->instate != XML_PARSER_EOF))
@@ -4432,9 +4413,15 @@ htmlParseContent(htmlParserCtxtPtr ctxt) {
        /*
         * Third case :  a sub-element.
         */
-	    else if (CUR == '<') {
+	    else if ((CUR == '<') && IS_ASCII_LETTER(NXT(1))) {
    	htmlParseElement(ctxt);
        }
+	    else if (CUR == '<') {
+                if ((ctxt->sax != NULL) && (!ctxt->disableSAX) &&
+                    (ctxt->sax->characters != NULL))
+                    ctxt->sax->characters(ctxt->userData, BAD_CAST "<", 1);
+                NEXT;
+	    }
/*
         * Fourth case : a reference. If if has not been resolved,
@@ -4831,13 +4818,19 @@ htmlParseContentInternal(htmlParserCtxtPtr ctxt) {
        /*
         * Third case :  a sub-element.
         */
-	    else if (CUR == '<') {
+	    else if ((CUR == '<') && IS_ASCII_LETTER(NXT(1))) {
    	htmlParseElementInternal(ctxt);
    	if (currentNode != NULL) xmlFree(currentNode);
currentNode = xmlStrdup(ctxt->name);
    	depth = ctxt->nameNr;
        }
+	    else if (CUR == '<') {
+                if ((ctxt->sax != NULL) && (!ctxt->disableSAX) &&
+                    (ctxt->sax->characters != NULL))
+                    ctxt->sax->characters(ctxt->userData, BAD_CAST "<", 1);
+                NEXT;
+            }
/*
         * Fourth case : a reference. If if has not been resolved,
@@ -6004,7 +5997,7 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
    			"HPP: entering END_TAG\n");
 #endif
    		break;
-		    } else if (cur == '<') {
+		    } else if ((cur == '<') && IS_ASCII_LETTER(next)) {
                         if ((!terminate) && (next == 0))
                             goto done;
                         ctxt->instate = XML_PARSER_START_TAG;
@@ -6014,6 +6007,12 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
                                 "HPP: entering START_TAG\n");
 #endif
    		break;
+		    } else if (cur == '<') {
+                        if ((ctxt->sax != NULL) && (!ctxt->disableSAX) &&
+                            (ctxt->sax->characters != NULL))
+			    ctxt->sax->characters(ctxt->userData,
+						  BAD_CAST "<", 1);
+                        NEXT;
    	    } else {
    	        /*
    		 * check that the text sequence is complete
diff --git a/sdk/lib/3rdparty/libxml2/NEWS b/sdk/lib/3rdparty/libxml2/NEWS
index 2ccdc10a9d2..c33d32a1727 100644
--- a/sdk/lib/3rdparty/libxml2/NEWS
+++ b/sdk/lib/3rdparty/libxml2/NEWS
@@ -1,12 +1,36 @@
NEWS file for libxml2
-The change log at 
-ChangeLog.html
- describes the recents commits
-to the GIT at 
-https://gitlab.gnome.org/GNOME/libxml2
- code base.Here is the list of public releases:
+v2.9.14: May 02 2022:
+   - Security:
+  [CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer
+  Fix potential double-free in xmlXPtrStringRangeFunction
+  Fix memory leak in xmlFindCharEncodingHandler
+  Normalize XPath strings in-place
+  Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()
+    (David Kilzer)
+  Fix leak of xmlElementContent (David Kilzer)
+
+   - Bug fixes:
+  Fix parsing of subtracted regex character classes
+  Fix recursion check in xinclude.c
+  Reset last error in xmlCleanupGlobals
+  Fix certain combinations of regex range quantifiers
+  Fix range quantifier on subregex
+
+   - Improvements:
+  Fix recovery from invalid HTML start tags
+
+   - Build system, portability:
+  Define LFS macros before including system headers
+  Initialize XPath floating-point globals
+  configure: check for icu DEFS (James Hilliard)
+  configure.ac: produce tar.xz only (GNOME policy) (David Seifert)
+  CMakeLists.txt: Fix LIBXML_VERSION_NUMBER
+  Fix build with older Python versions
+  Fix --without-valid build
+
+
 v2.9.13: Feb 19 2022:
    - Security:
   [CVE-2022-23308] Use-after-free of ID and IDREF attributes
diff --git a/sdk/lib/3rdparty/libxml2/buf.c b/sdk/lib/3rdparty/libxml2/buf.c
index 24368d379f8..40a5ee068b1 100644
--- a/sdk/lib/3rdparty/libxml2/buf.c
+++ b/sdk/lib/3rdparty/libxml2/buf.c
@@ -30,6 +30,10 @@
 #include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
 #include "buf.h"
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t) -1)
+#endif
+
 #define WITH_BUFFER_COMPAT
/**
@@ -156,6 +160,8 @@ xmlBufPtr
 xmlBufCreateSize(size_t size) {
     xmlBufPtr ret;
+    if (size == SIZE_MAX)
+        return(NULL);
     ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf));
     if (ret == NULL) {
    xmlBufMemoryError(NULL, "creating buffer");
@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) {
     ret->error = 0;
     ret->buffer = NULL;
     ret->alloc = xmlBufferAllocScheme;
-    ret->size = (size ? size+2 : 0);         /* +1 for ending null */
-    ret->compat_size = (int) ret->size;
+    ret->size = (size ? size + 1 : 0);         /* +1 for ending null */
+    ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size);
     if (ret->size){
         ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
         if (ret->content == NULL) {
@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
     CHECK_COMPAT(buf)
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
-    if (buf->use + len < buf->size)
+    if (len < buf->size - buf->use)
         return(buf->size - buf->use);
+    if (len > SIZE_MAX - buf->use)
+        return(0);
-    /*
-     * Windows has a BIG problem on realloc timing, so we try to double
-     * the buffer size (if that's enough) (bug 146697)
-     * Apparently BSD too, and it's probably best for linux too
-     * On an embedded system this may be something to change
-     */
-#if 1
-    if (buf->size > (size_t) len)
-        size = buf->size * 2;
-    else
-        size = buf->use + len + 100;
-#else
-    size = buf->use + len + 100;
-#endif
+    if (buf->size > (size_t) len) {
+        size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
+    } else {
+        size = buf->use + len;
+        size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100;
+    }
if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
         /*
@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf)
 int
 xmlBufResize(xmlBufPtr buf, size_t size)
 {
-    unsigned int newSize;
+    size_t newSize;
     xmlChar* rebuf = NULL;
     size_t start_buf;
@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size)
    case XML_BUFFER_ALLOC_IO:
    case XML_BUFFER_ALLOC_DOUBLEIT:
        /*take care of empty case*/
-	    newSize = (buf->size ? buf->size*2 : size + 10);
+            if (buf->size == 0) {
+                newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+            } else {
+                newSize = buf->size;
+            }
        while (size > newSize) {
-	        if (newSize > UINT_MAX / 2) {
+	        if (newSize > SIZE_MAX / 2) {
                xmlBufMemoryError(buf, "growing buffer");
                return 0;
            }
@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
        }
        break;
    case XML_BUFFER_ALLOC_EXACT:
-	    newSize = size+10;
+            newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
        break;
         case XML_BUFFER_ALLOC_HYBRID:
             if (buf->use < BASE_BUFFER_SIZE)
                 newSize = size;
             else {
-                newSize = buf->size * 2;
+                newSize = buf->size;
                 while (size > newSize) {
-                    if (newSize > UINT_MAX / 2) {
+                    if (newSize > SIZE_MAX / 2) {
                         xmlBufMemoryError(buf, "growing buffer");
                         return 0;
                     }
@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
             break;
default:
-	    newSize = size+10;
+            newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
        break;
     }
@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
  */
 int
 xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
-    unsigned int needSize;
+    size_t needSize;
if ((str == NULL) || (buf == NULL) || (buf->error))
    return -1;
@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
     if (len < 0) return -1;
     if (len == 0) return 0;
-    needSize = buf->use + len + 2;
-    if (needSize > buf->size){
+    if ((size_t) len >= buf->size - buf->use) {
+        if ((size_t) len >= SIZE_MAX - buf->use)
+            return(-1);
+        needSize = buf->use + len + 1;
    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
        /*
         * Used to provide parsing limits
@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) {
  */
 int
 xmlBufCCat(xmlBufPtr buf, const char *str) {
-    const char *cur;
-
-    if ((buf == NULL) || (buf->error))
-        return(-1);
-    CHECK_COMPAT(buf)
-    if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
-    if (str == NULL) {
-#ifdef DEBUG_BUFFER
-        xmlGenericError(xmlGenericErrorContext,
-		"xmlBufCCat: str == NULL\n");
-#endif
-	return -1;
-    }
-    for (cur = str;*cur != 0;cur++) {
-        if (buf->use  + 10 >= buf->size) {
-            if (!xmlBufResize(buf, buf->use+10)){
-		xmlBufMemoryError(buf, "growing buffer");
-                return XML_ERR_NO_MEMORY;
-            }
-        }
-        buf->content[buf->use++] = *cur;
-    }
-    buf->content[buf->use] = 0;
-    UPDATE_COMPAT(buf)
-    return 0;
+    return xmlBufCat(buf, (const xmlChar *) str);
 }
/**
diff --git a/sdk/lib/3rdparty/libxml2/config.h b/sdk/lib/3rdparty/libxml2/config.h
index ef0b883226d..596556c11d3 100644
--- a/sdk/lib/3rdparty/libxml2/config.h
+++ b/sdk/lib/3rdparty/libxml2/config.h
@@ -265,7 +265,7 @@
 /* #undef VA_LIST_IS_ARRAY */
/* Version number of package */
-#define VERSION "2.9.13"
+#define VERSION "2.9.14"
/* Determine what socket length (socklen_t) data type is */
 #define XML_SOCKLEN_T int
diff --git a/sdk/lib/3rdparty/libxml2/encoding.c b/sdk/lib/3rdparty/libxml2/encoding.c
index 3741c94ec48..c14c9ff6991 100644
--- a/sdk/lib/3rdparty/libxml2/encoding.c
+++ b/sdk/lib/3rdparty/libxml2/encoding.c
@@ -1738,6 +1738,10 @@ xmlFindCharEncodingHandler(const char *name) {
     } else if ((icv_in != (iconv_t) -1) || icv_out != (iconv_t) -1) {
        xmlEncodingErr(XML_ERR_INTERNAL_ERROR,
    	    "iconv : problems with filters for '%s'\n", name);
+	    if (icv_in != (iconv_t) -1)
+		iconv_close(icv_in);
+	    else
+		iconv_close(icv_out);
     }
 #endif /* LIBXML_ICONV_ENABLED */
 #ifdef LIBXML_ICU_ENABLED
diff --git a/sdk/lib/3rdparty/libxml2/globals.c b/sdk/lib/3rdparty/libxml2/globals.c
index 0c0bdb44a83..893fb73a714 100644
--- a/sdk/lib/3rdparty/libxml2/globals.c
+++ b/sdk/lib/3rdparty/libxml2/globals.c
@@ -50,20 +50,6 @@ void xmlInitGlobals(void)
         xmlThrDefMutex = xmlNewMutex();
 }
-/**
- * xmlCleanupGlobals:
- *
- * Additional cleanup for multi-threading
- */
-void xmlCleanupGlobals(void)
-{
-    if (xmlThrDefMutex != NULL) {
-	xmlFreeMutex(xmlThrDefMutex);
-	xmlThrDefMutex = NULL;
-    }
-    __xmlGlobalInitMutexDestroy();
-}
-
 /************************************************************************
  *									*
  *	All the user accessible global variables of the library		*
@@ -577,6 +563,22 @@ xmlInitializeGlobalState(xmlGlobalStatePtr gs)
     xmlMutexUnlock(xmlThrDefMutex);
 }
+/**
+ * xmlCleanupGlobals:
+ *
+ * Additional cleanup for multi-threading
+ */
+void xmlCleanupGlobals(void)
+{
+    xmlResetError(&xmlLastError);
+
+    if (xmlThrDefMutex != NULL) {
+	xmlFreeMutex(xmlThrDefMutex);
+	xmlThrDefMutex = NULL;
+    }
+    __xmlGlobalInitMutexDestroy();
+}
+
 /**
  * DOC_DISABLE : we ignore missing doc for the xmlThrDef functions,
  *               those are really internal work
diff --git a/sdk/lib/3rdparty/libxml2/libxml.h b/sdk/lib/3rdparty/libxml2/libxml.h
index 1090729c65e..d40fcf86323 100644
--- a/sdk/lib/3rdparty/libxml2/libxml.h
+++ b/sdk/lib/3rdparty/libxml2/libxml.h
@@ -9,8 +9,10 @@
 #ifndef __XML_LIBXML_H__
 #define __XML_LIBXML_H__
-#include <libxml/xmlstring.h>
-
+/*
+ * These macros must be defined before including system headers.
+ * Do not add any #include directives above this block.
+ */
 #ifndef NO_LARGEFILE_SOURCE
 #ifndef _LARGEFILE_SOURCE
 #define _LARGEFILE_SOURCE
@@ -39,6 +41,7 @@
 #include "config.h"
 #include <libxml/xmlversion.h>
 #endif
+#include <libxml/xmlstring.h>
#if defined(__Lynx__)
 #include <stdio.h> /* pull definition of size_t */
diff --git a/sdk/lib/3rdparty/libxml2/parser.c b/sdk/lib/3rdparty/libxml2/parser.c
index 8ca9b2ddcf1..1bc37137f19 100644
--- a/sdk/lib/3rdparty/libxml2/parser.c
+++ b/sdk/lib/3rdparty/libxml2/parser.c
@@ -2208,7 +2208,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
    	ctxt->input->col++;
        }
        cur++;
-	    res++;
+	    if (res < INT_MAX)
+		res++;
        if (*cur == 0) {
    	ctxt->input->cur = cur;
    	xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
@@ -2244,7 +2245,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
              * by the attachment of one leading and one following space (#x20)
              * character."
              */
-	    res++;
+	    if (res < INT_MAX)
+		res++;
         }
     }
     return(res);
@@ -14749,7 +14751,6 @@ xmlCleanupParser(void) {
     xmlSchemaCleanupTypes();
     xmlRelaxNGCleanupTypes();
 #endif
-    xmlResetLastError();
     xmlCleanupGlobals();
     xmlCleanupThreads(); /* must be last if called not from the main thread */
     xmlCleanupMemory();
diff --git a/sdk/lib/3rdparty/libxml2/tree.c b/sdk/lib/3rdparty/libxml2/tree.c
index 9d94aa42ae7..86afb7d6b1a 100644
--- a/sdk/lib/3rdparty/libxml2/tree.c
+++ b/sdk/lib/3rdparty/libxml2/tree.c
@@ -7104,6 +7104,8 @@ xmlBufferPtr
 xmlBufferCreateSize(size_t size) {
     xmlBufferPtr ret;
+    if (size >= UINT_MAX)
+        return(NULL);
     ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
     if (ret == NULL) {
    xmlTreeErrMemory("creating buffer");
@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) {
     }
     ret->use = 0;
     ret->alloc = xmlBufferAllocScheme;
-    ret->size = (size ? size+2 : 0);         /* +1 for ending null */
+    ret->size = (size ? size + 1 : 0);         /* +1 for ending null */
     if (ret->size){
         ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
         if (ret->content == NULL) {
@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
if ((mem == NULL) || (size == 0))
         return(NULL);
+    if (size > UINT_MAX)
+        return(NULL);
ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
     if (ret == NULL) {
@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
  */
 int
 xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
-    int size;
+    unsigned int size;
     xmlChar *newbuf;
if (buf == NULL) return(-1);
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
-    if (len + buf->use < buf->size) return(0);
+    if (len < buf->size - buf->use)
+        return(0);
+    if (len > UINT_MAX - buf->use)
+        return(-1);
-    /*
-     * Windows has a BIG problem on realloc timing, so we try to double
-     * the buffer size (if that's enough) (bug 146697)
-     * Apparently BSD too, and it's probably best for linux too
-     * On an embedded system this may be something to change
-     */
-#if 1
-    if (buf->size > len)
-        size = buf->size * 2;
-    else
-        size = buf->use + len + 100;
-#else
-    size = buf->use + len + 100;
-#endif
+    if (buf->size > (size_t) len) {
+        size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;
+    } else {
+        size = buf->use + len;
+        size = size > UINT_MAX - 100 ? UINT_MAX : size + 100;
+    }
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
         size_t start_buf = buf->content - buf->contentIO;
@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
    case XML_BUFFER_ALLOC_IO:
    case XML_BUFFER_ALLOC_DOUBLEIT:
        /*take care of empty case*/
-	    newSize = (buf->size ? buf->size : size + 10);
+            if (buf->size == 0)
+                newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
+            else
+                newSize = buf->size;
        while (size > newSize) {
            if (newSize > UINT_MAX / 2) {
                xmlTreeErrMemory("growing buffer");
@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
        }
        break;
    case XML_BUFFER_ALLOC_EXACT:
-	    newSize = size+10;
+	    newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
        break;
         case XML_BUFFER_ALLOC_HYBRID:
             if (buf->use < BASE_BUFFER_SIZE)
@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
             break;
default:
-	    newSize = size+10;
+	    newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
        break;
     }
@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
     if (len < 0) return -1;
     if (len == 0) return 0;
-    needSize = buf->use + len + 2;
-    if (needSize > buf->size){
+    if ((unsigned) len >= buf->size - buf->use) {
+        if ((unsigned) len >= UINT_MAX - buf->use)
+            return XML_ERR_NO_MEMORY;
+        needSize = buf->use + len + 1;
         if (!xmlBufferResize(buf, needSize)){
        xmlTreeErrMemory("growing buffer");
             return XML_ERR_NO_MEMORY;
@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
  */
 int
 xmlBufferCCat(xmlBufferPtr buf, const char *str) {
-    const char *cur;
-
-    if (buf == NULL)
-        return(-1);
-    if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
-    if (str == NULL) {
-#ifdef DEBUG_BUFFER
-        xmlGenericError(xmlGenericErrorContext,
-		"xmlBufferCCat: str == NULL\n");
-#endif
-	return -1;
-    }
-    for (cur = str;*cur != 0;cur++) {
-        if (buf->use  + 10 >= buf->size) {
-            if (!xmlBufferResize(buf, buf->use+10)){
-		xmlTreeErrMemory("growing buffer");
-                return XML_ERR_NO_MEMORY;
-            }
-        }
-        buf->content[buf->use++] = *cur;
-    }
-    buf->content[buf->use] = 0;
-    return 0;
+    return xmlBufferCat(buf, (const xmlChar *) str);
 }
/**
diff --git a/sdk/lib/3rdparty/libxml2/valid.c b/sdk/lib/3rdparty/libxml2/valid.c
index 8e596f1db3d..ed3c8503057 100644
--- a/sdk/lib/3rdparty/libxml2/valid.c
+++ b/sdk/lib/3rdparty/libxml2/valid.c
@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
     return (ret);
 }
-/**
- * xmlValidNormalizeString:
- * @str: a string
- *
- * Normalize a string in-place.
- */
-static void
-xmlValidNormalizeString(xmlChar *str) {
-    xmlChar *dst;
-    const xmlChar *src;
-
-    if (str == NULL)
-        return;
-    src = str;
-    dst = str;
-
-    while (*src == 0x20) src++;
-    while (*src != 0) {
-	if (*src == 0x20) {
-	    while (*src == 0x20) src++;
-	    if (*src != 0)
-		*dst++ = 0x20;
-	} else {
-	    *dst++ = *src++;
-	}
-    }
-    *dst = 0;
-}
-
 #ifdef DEBUG_VALID_ALGO
 static void
 xmlValidPrintNode(xmlNodePtr cur) {
@@ -1081,6 +1052,7 @@ xmlCopyDocElementContent(xmlDocPtr doc, xmlElementContentPtr cur) {
        tmp->type = cur->type;
        tmp->ocur = cur->ocur;
        prev->c2 = tmp;
+	    tmp->parent = prev;
        if (cur->name != NULL) {
    	if (dict)
    	    tmp->name = xmlDictLookup(dict, cur->name, -1);
@@ -2636,6 +2608,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
        (xmlDictOwns(dict, (const xmlChar *)(str)) == 0)))	\
        xmlFree((char *)(str));
+/**
+ * xmlValidNormalizeString:
+ * @str: a string
+ *
+ * Normalize a string in-place.
+ */
+static void
+xmlValidNormalizeString(xmlChar *str) {
+    xmlChar *dst;
+    const xmlChar *src;
+
+    if (str == NULL)
+        return;
+    src = str;
+    dst = str;
+
+    while (*src == 0x20) src++;
+    while (*src != 0) {
+	if (*src == 0x20) {
+	    while (*src == 0x20) src++;
+	    if (*src != 0)
+		*dst++ = 0x20;
+	} else {
+	    *dst++ = *src++;
+	}
+    }
+    *dst = 0;
+}
+
 static int
 xmlIsStreaming(xmlValidCtxtPtr ctxt) {
     xmlParserCtxtPtr pctxt;
diff --git a/sdk/lib/3rdparty/libxml2/xinclude.c b/sdk/lib/3rdparty/libxml2/xinclude.c
index 2a0614d737a..e5fdf0fe8fa 100644
--- a/sdk/lib/3rdparty/libxml2/xinclude.c
+++ b/sdk/lib/3rdparty/libxml2/xinclude.c
@@ -525,8 +525,6 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
    if (href == NULL)
        return(-1);
     }
-    if ((href[0] == '#') || (href[0] == 0))
-	local = 1;
     parse = xmlXIncludeGetProp(ctxt, cur, XINCLUDE_PARSE);
     if (parse != NULL) {
    if (xmlStrEqual(parse, XINCLUDE_PARSE_XML))
@@ -623,6 +621,9 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) {
    return(-1);
     }
+    if (xmlStrEqual(URL, ctxt->doc->URL))
+	local = 1;
+
     /*
      * If local and xml then we need a fragment
      */
diff --git a/sdk/lib/3rdparty/libxml2/xmlregexp.c b/sdk/lib/3rdparty/libxml2/xmlregexp.c
index 8d01c2ba32c..657912e0698 100644
--- a/sdk/lib/3rdparty/libxml2/xmlregexp.c
+++ b/sdk/lib/3rdparty/libxml2/xmlregexp.c
@@ -1693,12 +1693,12 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from,
    	    counter = xmlRegGetCounter(ctxt);
    	    ctxt->counters[counter].min = atom->min - 1;
    	    ctxt->counters[counter].max = atom->max - 1;
-		    /* count the number of times we see it again */
-		    xmlFAGenerateCountedEpsilonTransition(ctxt, atom->stop,
-						   atom->start, counter);
    	    /* allow a way out based on the count */
    	    xmlFAGenerateCountedTransition(ctxt, atom->stop,
    		                           newstate, counter);
+		    /* count the number of times we see it again */
+		    xmlFAGenerateCountedEpsilonTransition(ctxt, atom->stop,
+						   atom->start, counter);
    	    /* and if needed allow a direct exit for 0 */
    	    if (atom->min == 0)
    		xmlFAGenerateEpsilonTransition(ctxt, atom->start0,
@@ -3364,7 +3364,6 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) {
    	    /*
    	     * this is a multiple input sequence
    	     * If there is a counter associated increment it now.
-		     * before potentially saving and rollback
    	     * do not increment if the counter is already over the
    	     * maximum limit in which case get to next transition
    	     */
@@ -3380,15 +3379,17 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) {
    		counter = &exec->comp->counters[trans->counter];
    		if (exec->counts[trans->counter] >= counter->max)
    		    continue; /* for loop on transitions */
-
+                    }
+                    /* Save before incrementing */
+		    if (exec->state->nbTrans > exec->transno + 1) {
+			xmlFARegExecSave(exec);
+		    }
+		    if (trans->counter >= 0) {
 #ifdef DEBUG_REGEXP_EXEC
    		printf("Increasing count %d\n", trans->counter);
 #endif
    		exec->counts[trans->counter]++;
    	    }
-		    if (exec->state->nbTrans > exec->transno + 1) {
-			xmlFARegExecSave(exec);
-		    }
    	    exec->transcount = 1;
    	    do {
    		/*
@@ -5107,7 +5108,7 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) {
     }
     NEXTL(len);
     cur = CUR;
-    if ((cur != '-') || (NXT(1) == ']')) {
+    if ((cur != '-') || (NXT(1) == '[') || (NXT(1) == ']')) {
         xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg,
    	              XML_REGEXP_CHARVAL, start, end, NULL);
    return;
diff --git a/sdk/lib/3rdparty/libxml2/xpath.c b/sdk/lib/3rdparty/libxml2/xpath.c
index 2da591cee94..c2d84588877 100644
--- a/sdk/lib/3rdparty/libxml2/xpath.c
+++ b/sdk/lib/3rdparty/libxml2/xpath.c
@@ -488,9 +488,9 @@ int wrap_cmp( xmlNodePtr x, xmlNodePtr y );
  *									*
  ************************************************************************/
-double xmlXPathNAN;
-double xmlXPathPINF;
-double xmlXPathNINF;
+double xmlXPathNAN = 0.0;
+double xmlXPathPINF = 0.0;
+double xmlXPathNINF = 0.0;
/**
  * xmlXPathInit:
@@ -9260,52 +9260,45 @@ xmlXPathSubstringAfterFunction(xmlXPathParserContextPtr ctxt, int nargs) {
  */
 void
 xmlXPathNormalizeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-  xmlXPathObjectPtr obj = NULL;
-  xmlChar *source = NULL;
-  xmlBufPtr target;
-  xmlChar blank;
-
-  if (ctxt == NULL) return;
-  if (nargs == 0) {
-    /* Use current context node */
-      valuePush(ctxt,
-	  xmlXPathCacheWrapString(ctxt->context,
-	    xmlXPathCastNodeToString(ctxt->context->node)));
-    nargs = 1;
-  }
+    xmlChar *source, *target;
+    int blank;
-  CHECK_ARITY(1);
-  CAST_TO_STRING;
-  CHECK_TYPE(XPATH_STRING);
-  obj = valuePop(ctxt);
-  source = obj->stringval;
+    if (ctxt == NULL) return;
+    if (nargs == 0) {
+        /* Use current context node */
+        valuePush(ctxt,
+            xmlXPathCacheWrapString(ctxt->context,
+                xmlXPathCastNodeToString(ctxt->context->node)));
+        nargs = 1;
+    }
-  target = xmlBufCreate();
-  if (target && source) {
+    CHECK_ARITY(1);
+    CAST_TO_STRING;
+    CHECK_TYPE(XPATH_STRING);
+    source = ctxt->value->stringval;
+    if (source == NULL)
+        return;
+    target = source;
/* Skip leading whitespaces */
     while (IS_BLANK_CH(*source))
-      source++;
+        source++;
/* Collapse intermediate whitespaces, and skip trailing whitespaces */
     blank = 0;
     while (*source) {
-      if (IS_BLANK_CH(*source)) {
-	blank = 0x20;
-      } else {
-	if (blank) {
-	  xmlBufAdd(target, &blank, 1);
-	  blank = 0;
-	}
-	xmlBufAdd(target, source, 1);
-      }
-      source++;
+        if (IS_BLANK_CH(*source)) {
+	    blank = 1;
+        } else {
+            if (blank) {
+                *target++ = 0x20;
+                blank = 0;
+            }
+            *target++ = *source;
+        }
+        source++;
     }
-    valuePush(ctxt, xmlXPathCacheNewString(ctxt->context,
-	xmlBufContent(target)));
-    xmlBufFree(target);
-  }
-  xmlXPathReleaseObject(ctxt->context, obj);
+    *target = 0;
 }
/**
diff --git a/sdk/lib/3rdparty/libxml2/xpointer.c b/sdk/lib/3rdparty/libxml2/xpointer.c
index afeaa2ecf99..e9c783cd66d 100644
--- a/sdk/lib/3rdparty/libxml2/xpointer.c
+++ b/sdk/lib/3rdparty/libxml2/xpointer.c
@@ -2756,6 +2756,7 @@ xmlXPtrStringRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
     */
    tmp = xmlXPtrNewLocationSetNodeSet(set->nodesetval);
    xmlXPathFreeObject(set);
+        set = NULL;
    if (tmp == NULL) {
             xmlXPathErr(ctxt, XPATH_MEMORY_ERROR);
             goto error;

    