From b5284f318d9bdb20bcd8c562d6e4b1efebbfed21 Mon Sep 17 00:00:00 2001
From: David King
Date: Mon, 10 Feb 2020 16:08:44 +0000
Subject: [PATCH] Fix CVE-2019-20388 (#1799736)

---
 libxml2-2.9.10-CVE-2019-20388.patch | 33 +++++++++++++++++++++++++++++
 libxml2.spec | 7 +++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 libxml2-2.9.10-CVE-2019-20388.patch

diff --git a/libxml2-2.9.10-CVE-2019-20388.patch b/libxml2-2.9.10-CVE-2019-20388.patch
new file mode 100644
index 0000000..3763354
--- /dev/null
+++ b/libxml2-2.9.10-CVE-2019-20388.patch
@@ -0,0 +1,33 @@
+From 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c8449..39d92182 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+ vctxt->nberrors = 0;
+ vctxt->depth = -1;
+ vctxt->skipDepth = -1;
+- vctxt->xsiAssemble = 0;
+ vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+ vctxt->createIDCNodeTables = 1;
+--
+2.24.1
+
diff --git a/libxml2.spec b/libxml2.spec
index 094c2db..3b950a4 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,6 +1,6 @@
 Name: libxml2
 Version: 2.9.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Library providing XML and HTML support
 
 License: MIT
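Review bot: With `vctxt->xsiAssemble = 0;` removed from xmlSchemaPreRun, the flag is no longer cleared at the start of a run, so a fresh context must get its zero value from the constructor and a reused context must have it cleared by whatever frees the assembled schema after the previous run; neither place is inside this hunk, and xmlSchemaPreRun itself starts and ends outside it. If the post-run cleanup frees the schema but leaves xsiAssemble at 1, a validation context reused for a second validation would carry a stale ownership flag, so the backport is worth checking against the post-run code in xmlschemas.c rather than taken on the upstream commit message alone. The upstream commit id 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca is only recorded inside the patch file; repeating it in the spec comment next to Patch3 would make the provenance visible without opening the patch.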
@@ -11,6 +11,8 @@ Patch0: libxml2-multilib.patch
 # See: https://bugzilla.gnome.org/show_bug.cgi?id=789714
 Patch1: libxml2-2.9.8-python3-unicode-errors.patch
 Patch2: https://gitlab.gnome.org/GNOME/libxml2/commit/0815302dee2b78139832c2080348086a0564836b.patch#/fix-relaxed-approach-to-nested-documents.patch
+# https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68
+Patch3: libxml2-2.9.10-CVE-2019-20388.patch
 
 BuildRequires: gcc
 BuildRequires: make
@@ -139,6 +141,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 
 %changelog
+* Mon Feb 10 2020 David King - 2.9.10-4
+- Fix CVE-2019-20388 (#1799736)
+
 * Wed Jan 29 2020 Fedora Release Engineering - 2.9.10-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
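Review bot: Patch3 is declared in the header but no %prep hunk accompanies it, so the patch is applied only if %prep already uses `%autosetup` or `%autopatch` rather than explicit `%patchN` lines; %prep is outside this diff, so that should be confirmed, because an unapplied PatchN does not by itself break the build and the CVE fix would then be listed in the changelog but absent from the binaries. The comment above the new line gives only the merge-request URL; naming the CVE and the upstream commit there makes the backport self-describing at the next rebase, e.g. `# CVE-2019-20388, upstream commit 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca` placed above the existing merge-request link.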