untrusted comment: verify with openbsd-70-base.pub RWR3KL+gSr4QZ1UhA/ZyWHm3c/PMyp1AqwADwj0u+czkqRZXQyOUjdySk4wr4AbohaQIOQfCCR/0Qrq4r6JJnSObRd56RYi8FAM= OpenBSD 7.0 errata 009, January 19, 2022: Fix 8 security issues in libexpat, all related to fixed-size integer math (integer overflow and invalid shifts) near memory allocation. Apply by doing: signify -Vep /etc/signify/openbsd-70-base.pub -x 009_expat.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install libexpat: cd /usr/src/lib/libexpat make obj make make install Index: lib/libexpat/Changes =================================================================== RCS file: /cvs/src/lib/libexpat/Changes,v diff -u -p -u -p -r1.17 Changes --- lib/libexpat/Changes 26 May 2021 19:14:32 -0000 1.17 +++ lib/libexpat/Changes 17 Jan 2022 12:56:20 -0000 @@ -2,6 +2,81 @@ NOTE: We are looking for help with a few https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! +Release 2.4.3 Sun January 16 2022 + Security fixes: + #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places + resulting in + a) realloc acting as free + b) realloc allocating too few bytes + c) undefined behavior + depending on architecture and precise value + for XML documents with >=2^27+1 prefixed attributes + on a single XML tag a la + "" + where XML_ParserCreateNS is used to create the parser + (which needs argument "-n" when running xmlwf). + Impact is denial of service, or more. + #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow + on variable m_groupSize in function doProlog leading + to realloc acting as free. + Impact is denial of service or more. + #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows + near memory allocation at multiple places. Mitre assigned + a dedicated CVE for each involved internal C function: + - CVE-2022-22822 for function addBinding + - CVE-2022-22823 for function build_model + - CVE-2022-22824 for function defineAttribute + - CVE-2022-22825 for function lookup + - CVE-2022-22826 for function nextScaffoldPart + - CVE-2022-22827 for function storeAtts + Impact is denial of service or more. + + Other changes: + #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 + #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin + and MSYS2 by not going through Wine on these platforms + #527 #528 Address compiler warnings + #533 #543 Version info bumped from 9:2:8 to 9:3:8; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #536 CI: Check for realistic minimum CMake version + #529 #539 CI: Cover compilation with -m32 + #529 CI: Store coverage reports as artifacts for download + #528 CI: Upgrade Clang from 11 to 13 + + Special thanks to: + An anonymous whitehat + Christopher Degawa + J. Peter Mugaas + Tyson Smith + and + GCC Farm Project + Trend Micro Zero Day Initiative + +Release 2.4.2 Sun December 19 2021 + Other changes: + #509 #510 Link againgst libm for function "isnan" + #513 #514 Include expat_config.h as early as possible + #498 Autotools: Include files with release archives: + - buildconf.sh + - fuzz/*.c + #507 #519 Autotools: Sync CMake templates + #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for + - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) + - multi-config CMake generators (e.g. Ninja Multi-Config) + #502 #503 docs: Document that function XML_GetBuffer may return NULL + when asking for a buffer of 0 (zero) bytes size + #522 #523 docs: Fix return value docs for both + XML_SetBillionLaughsAttackProtection* functions + #525 #526 Version info bumped from 9:1:8 to 9:2:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Dong-hee Na + Joergen Ibsen + Kai Pastor + Release 2.4.1 Sun May 23 2021 Bug fixes: #488 #490 Autotools: Fix installed header expat_config.h for multilib Index: lib/libexpat/README.md =================================================================== RCS file: /cvs/src/lib/libexpat/README.md,v diff -u -p -u -p -r1.9 README.md --- lib/libexpat/README.md 26 May 2021 19:14:32 -0000 1.9 +++ lib/libexpat/README.md 17 Jan 2022 12:56:20 -0000 @@ -5,7 +5,7 @@ [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases) -# Expat, Release 2.4.1 +# Expat, Release 2.4.3 This is Expat, a C library for parsing XML, started by [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997. Index: lib/libexpat/doc/reference.html =================================================================== RCS file: /cvs/src/lib/libexpat/doc/reference.html,v diff -u -p -u -p -r1.13 reference.html --- lib/libexpat/doc/reference.html 26 May 2021 19:14:32 -0000 1.13 +++ lib/libexpat/doc/reference.html 17 Jan 2022 12:56:21 -0000 @@ -14,9 +14,10 @@ Copyright (c) 2000 Clark Cooper Copyright (c) 2000-2004 Fred L. Drake, Jr. Copyright (c) 2002-2012 Karl Waclawek - Copyright (c) 2017-2021 Sebastian Pipping + Copyright (c) 2017-2022 Sebastian Pipping Copyright (c) 2017 Jakub Wilk Copyright (c) 2021 Tomas Korbar + Copyright (c) 2021 Nicolas Cavallari Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -48,7 +49,7 @@

The Expat XML Parser - Release 2.4.1 + Release 2.4.3

@@ -1115,7 +1116,8 @@ XML_GetBuffer(XML_Parser p,
Obtain a buffer of size len to read a piece of the document into. A NULL value is returned if Expat can't allocate enough memory for -this buffer. This has to be called prior to every call to +this buffer. A NULL value may also be returned if len is zero. +This has to be called prior to every call to XML_ParseBuffer. A typical use would look like this: @@ -2100,7 +2102,7 @@ XML_SetBillionLaughsAttackProtectionMaxi billion laughs attacks (default: 100.0) of parser p to maximumAmplificationFactor, and - returns XML_TRUE upon success and XML_TRUE upon error. + returns XML_TRUE upon success and XML_FALSE upon error.

The amplification factor is calculated as .. @@ -2150,7 +2152,7 @@ XML_SetBillionLaughsAttackProtectionActi billion laughs attacks (default: 8 MiB) of parser p to activationThresholdBytes, and - returns XML_TRUE upon success and XML_TRUE upon error. + returns XML_TRUE upon success and XML_FALSE upon error.

For a call to XML_SetBillionLaughsAttackProtectionActivationThreshold to succeed:

Index: lib/libexpat/lib/expat.h =================================================================== RCS file: /cvs/src/lib/libexpat/lib/expat.h,v diff -u -p -u -p -r1.17 expat.h --- lib/libexpat/lib/expat.h 26 May 2021 19:14:32 -0000 1.17 +++ lib/libexpat/lib/expat.h 17 Jan 2022 12:56:21 -0000 @@ -11,7 +11,7 @@ Copyright (c) 2000-2005 Fred L. Drake, Jr. Copyright (c) 2001-2002 Greg Stein Copyright (c) 2002-2016 Karl Waclawek - Copyright (c) 2016-2021 Sebastian Pipping + Copyright (c) 2016-2022 Sebastian Pipping Copyright (c) 2016 Cristian Rodríguez Copyright (c) 2016 Thomas Beutlich Copyright (c) 2017 Rhodri James @@ -1041,7 +1041,7 @@ XML_SetBillionLaughsAttackProtectionActi */ #define XML_MAJOR_VERSION 2 #define XML_MINOR_VERSION 4 -#define XML_MICRO_VERSION 1 +#define XML_MICRO_VERSION 3 #ifdef __cplusplus } Index: lib/libexpat/lib/xmlparse.c =================================================================== RCS file: /cvs/src/lib/libexpat/lib/xmlparse.c,v diff -u -p -u -p -r1.29 xmlparse.c --- lib/libexpat/lib/xmlparse.c 27 May 2021 12:57:22 -0000 1.29 +++ lib/libexpat/lib/xmlparse.c 17 Jan 2022 12:56:22 -0000 @@ -1,4 +1,4 @@ -/* 8539b9040d9d901366a62560a064af7cb99811335784b363abc039c5b0ebc416 (2.4.1+) +/* 9ca2a2fedc35bcb13ba9a134ba5e173020bc2ff5f5a311abf742cec7da1ff26a (2.4.3+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| @@ -13,7 +13,7 @@ Copyright (c) 2002-2016 Karl Waclawek Copyright (c) 2005-2009 Steven Solie Copyright (c) 2016 Eric Rahm - Copyright (c) 2016-2021 Sebastian Pipping + Copyright (c) 2016-2022 Sebastian Pipping Copyright (c) 2016 Gaurav Copyright (c) 2016 Thomas Beutlich Copyright (c) 2016 Gustavo Grieco @@ -32,6 +32,7 @@ Copyright (c) 2019 David Loffredo Copyright (c) 2019-2020 Ben Wagner Copyright (c) 2019 Vadim Zeitlin + Copyright (c) 2021 Dong-hee Na Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -54,6 +55,10 @@ USE OR OTHER DEALINGS IN THE SOFTWARE. */ +#define XML_BUILDING_EXPAT 1 + +#include + #if ! defined(_GNU_SOURCE) # define _GNU_SOURCE 1 /* syscall prototype */ #endif @@ -84,14 +89,10 @@ # include #endif -#define XML_BUILDING_EXPAT 1 - #ifdef _WIN32 # include "winconfig.h" #endif -#include - #include "ascii.h" #include "expat.h" #include "siphash.h" @@ -3260,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCOD /* get the attributes from the tokenizer */ n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts); + + /* Detect and prevent integer overflow */ + if (n > INT_MAX - nDefaultAtts) { + return XML_ERROR_NO_MEMORY; + } + if (n + nDefaultAtts > parser->m_attsSize) { int oldAttsSize = parser->m_attsSize; ATTRIBUTE *temp; #ifdef XML_ATTR_INFO XML_AttrInfo *temp2; #endif + + /* Detect and prevent integer overflow */ + if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE) + || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) { + return XML_ERROR_NO_MEMORY; + } + parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) { + parser->m_attsSize = oldAttsSize; + return XML_ERROR_NO_MEMORY; + } +#endif + temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, parser->m_attsSize * sizeof(ATTRIBUTE)); if (temp == NULL) { @@ -3275,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCOD } parser->m_atts = temp; #ifdef XML_ATTR_INFO + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +# if UINT_MAX >= SIZE_MAX + if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) { + parser->m_attsSize = oldAttsSize; + return XML_ERROR_NO_MEMORY; + } +# endif + temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, parser->m_attsSize * sizeof(XML_AttrInfo)); if (temp2 == NULL) { @@ -3413,7 +3450,13 @@ storeAtts(XML_Parser parser, const ENCOD if (nPrefixes) { int j; /* hash table index */ unsigned long version = parser->m_nsAttsVersion; - int nsAttsSize = (int)1 << parser->m_nsAttsPower; + + /* Detect and prevent invalid shift */ + if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) { + return XML_ERROR_NO_MEMORY; + } + + unsigned int nsAttsSize = 1u << parser->m_nsAttsPower; unsigned char oldNsAttsPower = parser->m_nsAttsPower; /* size of hash table must be at least 2 * (# of prefixed attributes) */ if ((nPrefixes << 1) @@ -3424,7 +3467,28 @@ storeAtts(XML_Parser parser, const ENCOD ; if (parser->m_nsAttsPower < 3) parser->m_nsAttsPower = 3; - nsAttsSize = (int)1 << parser->m_nsAttsPower; + + /* Detect and prevent invalid shift */ + if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) { + /* Restore actual size of memory in m_nsAtts */ + parser->m_nsAttsPower = oldNsAttsPower; + return XML_ERROR_NO_MEMORY; + } + + nsAttsSize = 1u << parser->m_nsAttsPower; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) { + /* Restore actual size of memory in m_nsAtts */ + parser->m_nsAttsPower = oldNsAttsPower; + return XML_ERROR_NO_MEMORY; + } +#endif + temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts, nsAttsSize * sizeof(NS_ATT)); if (! temp) { @@ -3582,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCOD tagNamePtr->prefixLen = prefixLen; for (i = 0; localPart[i++];) ; /* i includes null terminator */ + + /* Detect and prevent integer overflow */ + if (binding->uriLen > INT_MAX - prefixLen + || i > INT_MAX - (binding->uriLen + prefixLen)) { + return XML_ERROR_NO_MEMORY; + } + n = i + binding->uriLen + prefixLen; if (n > binding->uriAlloc) { TAG *p; + + /* Detect and prevent integer overflow */ + if (n > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char)); if (! uri) return XML_ERROR_NO_MEMORY; @@ -3680,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *pr if (parser->m_freeBindingList) { b = parser->m_freeBindingList; if (len > b->uriAlloc) { + /* Detect and prevent integer overflow */ + if (len > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + XML_Char *temp = (XML_Char *)REALLOC( parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); if (temp == NULL) @@ -3692,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *pr b = (BINDING *)MALLOC(parser, sizeof(BINDING)); if (! b) return XML_ERROR_NO_MEMORY; + + /* Detect and prevent integer overflow */ + if (len > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + b->uri = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE)); if (! b->uri) { @@ -5018,6 +5134,11 @@ doProlog(XML_Parser parser, const ENCODI if (parser->m_prologState.level >= parser->m_groupSize) { if (parser->m_groupSize) { { + /* Detect and prevent integer overflow */ + if (parser->m_groupSize > (unsigned int)(-1) / 2u) { + return XML_ERROR_NO_MEMORY; + } + char *const new_connector = (char *)REALLOC( parser, parser->m_groupConnector, parser->m_groupSize *= 2); if (new_connector == NULL) { @@ -5028,6 +5149,16 @@ doProlog(XML_Parser parser, const ENCODI } if (dtd->scaffIndex) { + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) { + return XML_ERROR_NO_MEMORY; + } +#endif + int *const new_scaff_index = (int *)REALLOC( parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); if (new_scaff_index == NULL) @@ -6098,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTR } } else { DEFAULT_ATTRIBUTE *temp; + + /* Detect and prevent integer overflow */ + if (type->allocDefaultAtts > INT_MAX / 2) { + return 0; + } + int count = type->allocDefaultAtts * 2; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) { + return 0; + } +#endif + temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE))); if (temp == NULL) @@ -6749,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *ta /* check for overflow (table is half full) */ if (table->used >> (table->power - 1)) { unsigned char newPower = table->power + 1; + + /* Detect and prevent invalid shift */ + if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) { + return NULL; + } + size_t newSize = (size_t)1 << newPower; unsigned long newMask = (unsigned long)newSize - 1; + + /* Detect and prevent integer overflow */ + if (newSize > (size_t)(-1) / sizeof(NAMED *)) { + return NULL; + } + size_t tsize = newSize * sizeof(NAMED *); NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); if (! newV) @@ -7100,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) { if (dtd->scaffCount >= dtd->scaffSize) { CONTENT_SCAFFOLD *temp; if (dtd->scaffold) { + /* Detect and prevent integer overflow */ + if (dtd->scaffSize > UINT_MAX / 2u) { + return -1; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) { + return -1; + } +#endif + temp = (CONTENT_SCAFFOLD *)REALLOC( parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); if (temp == NULL) @@ -7169,8 +7343,26 @@ build_model(XML_Parser parser) { XML_Content *ret; XML_Content *cpos; XML_Char *str; - int allocsize = (dtd->scaffCount * sizeof(XML_Content) - + (dtd->contentStringLen * sizeof(XML_Char))); + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) { + return NULL; + } + if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) { + return NULL; + } +#endif + if (dtd->scaffCount * sizeof(XML_Content) + > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) { + return NULL; + } + + const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content) + + (dtd->contentStringLen * sizeof(XML_Char))); ret = (XML_Content *)MALLOC(parser, allocsize); if (! ret) Index: lib/libexpat/lib/xmlrole.c =================================================================== RCS file: /cvs/src/lib/libexpat/lib/xmlrole.c,v diff -u -p -u -p -r1.10 xmlrole.c --- lib/libexpat/lib/xmlrole.c 26 May 2021 19:14:32 -0000 1.10 +++ lib/libexpat/lib/xmlrole.c 17 Jan 2022 12:56:22 -0000 @@ -15,6 +15,7 @@ Copyright (c) 2016-2021 Sebastian Pipping Copyright (c) 2017 Rhodri James Copyright (c) 2019 David Loffredo + Copyright (c) 2021 Dong-hee Na Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -37,13 +38,13 @@ USE OR OTHER DEALINGS IN THE SOFTWARE. */ +#include + #include #ifdef _WIN32 # include "winconfig.h" #endif - -#include #include "expat_external.h" #include "internal.h" Index: lib/libexpat/lib/xmltok.c =================================================================== RCS file: /cvs/src/lib/libexpat/lib/xmltok.c,v diff -u -p -u -p -r1.13 xmltok.c --- lib/libexpat/lib/xmltok.c 26 May 2021 19:14:32 -0000 1.13 +++ lib/libexpat/lib/xmltok.c 17 Jan 2022 12:56:22 -0000 @@ -20,6 +20,7 @@ Copyright (c) 2017 Benbuck Nason Copyright (c) 2017 José Gutiérrez de la Concha Copyright (c) 2019 David Loffredo + Copyright (c) 2021 Dong-hee Na Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -42,6 +43,8 @@ USE OR OTHER DEALINGS IN THE SOFTWARE. */ +#include + #include #include /* memcpy */ #include @@ -49,8 +52,6 @@ #ifdef _WIN32 # include "winconfig.h" #endif - -#include #include "expat_external.h" #include "internal.h" Index: lib/libexpat/lib/xmltok_ns.c =================================================================== RCS file: /cvs/src/lib/libexpat/lib/xmltok_ns.c,v diff -u -p -u -p -r1.6 xmltok_ns.c --- lib/libexpat/lib/xmltok_ns.c 26 May 2021 19:14:32 -0000 1.6 +++ lib/libexpat/lib/xmltok_ns.c 17 Jan 2022 12:56:23 -0000 @@ -11,7 +11,7 @@ Copyright (c) 2002 Greg Stein Copyright (c) 2002 Fred L. Drake, Jr. Copyright (c) 2002-2006 Karl Waclawek - Copyright (c) 2017 Sebastian Pipping + Copyright (c) 2017-2021 Sebastian Pipping Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -93,7 +93,7 @@ NS(XmlInitEncoding)(INIT_ENCODING *p, co static const ENCODING * NS(findEncoding)(const ENCODING *enc, const char *ptr, const char *end) { # define ENCODING_MAX 128 - char buf[ENCODING_MAX]; + char buf[ENCODING_MAX] = ""; char *p = buf; int i; XmlUtf8Convert(enc, &ptr, end, &p, p + ENCODING_MAX - 1); Index: lib/libexpat/tests/runtests.c =================================================================== RCS file: /cvs/src/lib/libexpat/tests/runtests.c,v diff -u -p -u -p -r1.12 runtests.c --- lib/libexpat/tests/runtests.c 26 May 2021 19:14:32 -0000 1.12 +++ lib/libexpat/tests/runtests.c 17 Jan 2022 12:56:24 -0000 @@ -10,13 +10,14 @@ Copyright (c) 2003 Greg Stein Copyright (c) 2005-2007 Steven Solie Copyright (c) 2005-2012 Karl Waclawek - Copyright (c) 2016-2021 Sebastian Pipping + Copyright (c) 2016-2022 Sebastian Pipping Copyright (c) 2017-2018 Rhodri James Copyright (c) 2017 Joe Orton Copyright (c) 2017 José Gutiérrez de la Concha Copyright (c) 2018 Marco Maggi Copyright (c) 2019 David Loffredo Copyright (c) 2020 Tim Gates + Copyright (c) 2021 Dong-hee Na Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -39,12 +40,12 @@ USE OR OTHER DEALINGS IN THE SOFTWARE. */ +#include + #if defined(NDEBUG) # undef NDEBUG /* because test suite relies on assert(...) at the moment */ #endif -#include - #include #include #include @@ -7351,7 +7352,7 @@ START_TEST(test_misc_version) { fail("Version mismatch"); #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T) - if (xcstrcmp(version_text, XCS("expat_2.4.1"))) /* needs bump on releases */ + if (xcstrcmp(version_text, XCS("expat_2.4.3"))) /* needs bump on releases */ fail("XML_*_VERSION in expat.h out of sync?\n"); #else /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T