From 7d937edcf577372b429524e83e778cf3d998bc1a Mon Sep 17 00:00:00 2001
From: David King <amigadave@amigadave.com>
Date: Thu, 6 May 2021 11:22:51 +0100
Subject: [PATCH] Fix CVE-2021-3537 (#1956524)

---
 libxml2-2.9.10-CVE-2021-3537.patch | 44 ++++++++++++++++++++++++++++++
 libxml2.spec                       |  7 ++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 libxml2-2.9.10-CVE-2021-3537.patch

diff --git a/libxml2-2.9.10-CVE-2021-3537.patch b/libxml2-2.9.10-CVE-2021-3537.patch
new file mode 100644
index 0000000..3df1539
--- /dev/null
+++ b/libxml2-2.9.10-CVE-2021-3537.patch
@@ -0,0 +1,44 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ 	SKIP_BLANKS;
+         cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                            depth + 1);
++        if (cur == NULL)
++            return(NULL);
+ 	SKIP_BLANKS;
+ 	GROW;
+     } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ 	    SKIP_BLANKS;
+ 	    last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+                                                           depth + 1);
++            if (last == NULL) {
++		if (ret != NULL)
++		    xmlFreeDocElementContent(ctxt->myDoc, ret);
++		return(NULL);
++            }
+ 	    SKIP_BLANKS;
+ 	} else {
+ 	    elem = xmlParseName(ctxt);
+-- 
+GitLab
+
diff --git a/libxml2.spec b/libxml2.spec
index e7cbd86..72923ae 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,6 +1,6 @@
 Name:           libxml2
 Version:        2.9.10
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        Library providing XML and HTML support
 
 License:        MIT
@@ -28,6 +28,8 @@ Patch9:         libxml2-2.9.10-CVE-2021-3516.patch
 Patch10:        libxml2-2.9.10-CVE-2021-3517.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1954243
 Patch11:        libxml2-2.9.10-CVE-2021-3518.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1956524
+Patch12:        libxml2-2.9.10-CVE-2021-3537.patch
 
 BuildRequires:  gcc
 BuildRequires:  make
@@ -159,6 +161,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 
 %changelog
+* Thu May 06 2021 David King <amigadave@amigadave.com> - 2.9.10-12
+- Fix CVE-2021-3537 (#1956524)
+
 * Wed May 05 2021 David King <amigadave@amigadave.com> - 2.9.10-11
 - Fix CVE-2021-3516 (#1954227)
 - Fix CVE-2021-3517 (#1954234)