8248177: Improve XML support

Reviewed-by: kcr, ahgross, rhalade

Author: arun-joseph

modules/javafx.web/src/main/native/Source/ThirdParty/libxml/src/HTMLparser.c

@@ -3400,13 +3400,16 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
         ((NXT(2) == 'x') || NXT(2) == 'X')) {
     SKIP(3);
     while (CUR != ';') {
-        if ((CUR >= '0') && (CUR <= '9'))
-            val = val * 16 + (CUR - '0');
-        else if ((CUR >= 'a') && (CUR <= 'f'))
-            val = val * 16 + (CUR - 'a') + 10;
-        else if ((CUR >= 'A') && (CUR <= 'F'))
-            val = val * 16 + (CUR - 'A') + 10;
-        else {
+        if ((CUR >= '0') && (CUR <= '9')) {
+                if (val < 0x110000)
+                val = val * 16 + (CUR - '0');
+            } else if ((CUR >= 'a') && (CUR <= 'f')) {
+                if (val < 0x110000)
+                val = val * 16 + (CUR - 'a') + 10;
+            } else if ((CUR >= 'A') && (CUR <= 'F')) {
+                if (val < 0x110000)
+                val = val * 16 + (CUR - 'A') + 10;
+            } else {
             htmlParseErr(ctxt, XML_ERR_INVALID_HEX_CHARREF,
                      "htmlParseCharRef: missing semicolon\n",
                  NULL, NULL);
@@ -3419,9 +3422,10 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
     } else if  ((CUR == '&') && (NXT(1) == '#')) {
     SKIP(2);
     while (CUR != ';') {
-        if ((CUR >= '0') && (CUR <= '9'))
-            val = val * 10 + (CUR - '0');
-        else {
+        if ((CUR >= '0') && (CUR <= '9')) {
+                if (val < 0x110000)
+                val = val * 10 + (CUR - '0');
+            } else {
             htmlParseErr(ctxt, XML_ERR_INVALID_DEC_CHARREF,
                      "htmlParseCharRef: missing semicolon\n",
                  NULL, NULL);
@@ -3440,6 +3444,9 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) {
      */
     if (IS_CHAR(val)) {
         return(val);
+    } else if (val >= 0x110000) {
+    htmlParseErr(ctxt, XML_ERR_INVALID_CHAR,
+             "htmlParseCharRef: value too large\n", NULL, NULL);
     } else {
     htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR,
             "htmlParseCharRef: invalid xmlChar value %d\n",
@@ -5332,7 +5339,7 @@ static int
 htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
     int ret = 0;
     htmlParserInputPtr in;
-    int avail = 0;
+    ptrdiff_t avail = 0;
     xmlChar cur, next;
 
     htmlParserNodeInfo node_info;
@@ -5397,7 +5404,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
     if (in->buf == NULL)
         avail = in->length - (in->cur - in->base);
     else
-        avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+        avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                    (in->cur - in->base);
     if ((avail == 0) && (terminate)) {
         htmlAutoCloseOnEnd(ctxt);
         if ((ctxt->nameNr == 0) && (ctxt->instate != XML_PARSER_EOF)) {
@@ -5433,7 +5441,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
             if (in->buf == NULL)
             avail = in->length - (in->cur - in->base);
             else
-            avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+            avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                                (in->cur - in->base);
         }
         if ((ctxt->sax) && (ctxt->sax->setDocumentLocator))
             ctxt->sax->setDocumentLocator(ctxt->userData,
@@ -5475,7 +5484,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
         if (in->buf == NULL)
             avail = in->length - (in->cur - in->base);
         else
-            avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+            avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
         /*
          * no chars in buffer
          */
@@ -5548,7 +5558,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
         if (in->buf == NULL)
             avail = in->length - (in->cur - in->base);
         else
-            avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+            avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
         if (avail < 2)
             goto done;
         cur = in->cur[0];
@@ -5589,7 +5600,8 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) {
         if (in->buf == NULL)
             avail = in->length - (in->cur - in->base);
         else
-            avail = xmlBufUse(in->buf->buffer) - (in->cur - in->base);
+            avail = (ptrdiff_t)xmlBufUse(in->buf->buffer) -
+                            (in->cur - in->base);
         if (avail < 1)
             goto done;
         cur = in->cur[0];
@@ -6124,12 +6136,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
     int res;
 
     res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+    xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
     if (res < 0) {
         ctxt->errNo = XML_PARSER_EOF;
         ctxt->disableSAX = 1;
         return (XML_PARSER_EOF);
     }
-        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
 #ifdef DEBUG_PUSH
     xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size);
 #endif
@@ -6148,12 +6160,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
         size_t current = ctxt->input->cur - ctxt->input->base;
 
         nbchars = xmlCharEncInput(in, terminate);
+        xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
         if (nbchars < 0) {
             htmlParseErr(ctxt, XML_ERR_INVALID_ENCODING,
                      "encoder error\n", NULL, NULL);
             return(XML_ERR_INVALID_ENCODING);
         }
-        xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
         }
     }
     }

modules/javafx.web/src/main/native/Source/ThirdParty/libxml/src/buf.c

@@ -1233,10 +1233,12 @@ xmlBufBackToBuffer(xmlBufPtr buf) {
          * Keep the buffer but provide a truncated size value.
          */
         xmlBufOverflowError(buf, "Allocated size too big for xmlBuffer");
+        ret->use = (int) buf->use;
         ret->size = INT_MAX;
+    } else {
+        ret->use = (int) buf->use;
+        ret->size = (int) buf->size;
     }
-    ret->use = (int) buf->use;
-    ret->size = (int) buf->size;
     ret->alloc = buf->alloc;
     ret->content = buf->content;
     ret->contentIO = buf->contentIO;
@@ -1332,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) {
 int
 xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
                       size_t base, size_t cur) {
-    if ((input == NULL) || (buf == NULL) || (buf->error))
+    if (input == NULL)
         return(-1);
+    if ((buf == NULL) || (buf->error)) {
+        input->base = input->cur = input->end = BAD_CAST "";
+        return(-1);
+    }
     CHECK_COMPAT(buf)
     input->base = &buf->content[base];
     input->cur = input->base + cur;

modules/javafx.web/src/main/native/Source/ThirdParty/libxml/src/parser.c

@@ -12231,12 +12231,12 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
             }
         }
     res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
     if (res < 0) {
         ctxt->errNo = XML_PARSER_EOF;
         xmlHaltParser(ctxt);
         return (XML_PARSER_EOF);
     }
-        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
 #ifdef DEBUG_PUSH
     xmlGenericError(xmlGenericErrorContext, "PP: pushed %d\n", size);
 #endif
@@ -12251,14 +12251,14 @@ xmlParseChunk(xmlParserCtxtPtr ctxt, const char *chunk, int size,
         size_t current = ctxt->input->cur - ctxt->input->base;
 
         nbchars = xmlCharEncInput(in, terminate);
+        xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
         if (nbchars < 0) {
             /* TODO 2.6.0 */
             xmlGenericError(xmlGenericErrorContext,
                     "xmlParseChunk: encoder error\n");
                     xmlHaltParser(ctxt);
             return(XML_ERR_INVALID_ENCODING);
         }
-        xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
         }
     }
     }

modules/javafx.web/src/main/native/Source/ThirdParty/libxml/src/tree.c

@@ -7417,12 +7417,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
     if (size < buf->size)
         return 1;
 
+    if (size > UINT_MAX - 10) {
+        xmlTreeErrMemory("growing buffer");
+        return 0;
+    }
+
     /* figure out new size */
     switch (buf->alloc){
     case XML_BUFFER_ALLOC_IO:
     case XML_BUFFER_ALLOC_DOUBLEIT:
         /*take care of empty case*/
-        newSize = (buf->size ? buf->size*2 : size + 10);
+        newSize = (buf->size ? buf->size : size + 10);
         while (size > newSize) {
             if (newSize > UINT_MAX / 2) {
                 xmlTreeErrMemory("growing buffer");
@@ -7438,7 +7443,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
             if (buf->use < BASE_BUFFER_SIZE)
                 newSize = size;
             else {
-                newSize = buf->size * 2;
+                newSize = buf->size;
                 while (size > newSize) {
                     if (newSize > UINT_MAX / 2) {
                         xmlTreeErrMemory("growing buffer");

modules/javafx.web/src/main/native/Source/ThirdParty/libxml/src/xmlreader.c

@@ -278,6 +278,59 @@ xmlTextReaderRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
     return(0);
 }
 
+/**
+ * xmlTextReaderWalkRemoveRef:
+ * @data:  Contents of current link
+ * @user:  Value supplied by the user
+ *
+ * Returns 0 to abort the walk or 1 to continue
+ */
+static int
+xmlTextReaderWalkRemoveRef(const void *data, void *user)
+{
+    xmlRefPtr ref = (xmlRefPtr)data;
+    xmlAttrPtr attr = (xmlAttrPtr)user;
+
+    if (ref->attr == attr) { /* Matched: remove and terminate walk */
+        ref->name = xmlStrdup(attr->name);
+        ref->attr = NULL;
+        return 0;
+    }
+    return 1;
+}
+
+/**
+ * xmlTextReaderRemoveRef:
+ * @doc:  the document
+ * @attr:  the attribute
+ *
+ * Remove the given attribute from the Ref table maintained internally.
+ *
+ * Returns -1 if the lookup failed and 0 otherwise
+ */
+static int
+xmlTextReaderRemoveRef(xmlDocPtr doc, xmlAttrPtr attr) {
+    xmlListPtr ref_list;
+    xmlRefTablePtr table;
+    xmlChar *ID;
+
+    if (doc == NULL) return(-1);
+    if (attr == NULL) return(-1);
+    table = (xmlRefTablePtr) doc->refs;
+    if (table == NULL)
+        return(-1);
+
+    ID = xmlNodeListGetString(doc, attr->children, 1);
+    if (ID == NULL)
+        return(-1);
+    ref_list = xmlHashLookup(table, ID);
+    xmlFree(ID);
+    if(ref_list == NULL)
+        return (-1);
+    xmlListWalk(ref_list, xmlTextReaderWalkRemoveRef, attr);
+    return(0);
+}
+
 /**
  * xmlTextReaderFreeProp:
  * @reader:  the xmlTextReaderPtr used
@@ -304,6 +357,8 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
      (cur->parent->doc->extSubset != NULL))) {
         if (xmlIsID(cur->parent->doc, cur->parent, cur))
         xmlTextReaderRemoveID(cur->parent->doc, cur);
+        if (xmlIsRef(cur->parent->doc, cur->parent, cur))
+            xmlTextReaderRemoveRef(cur->parent->doc, cur);
     }
     if (cur->children != NULL)
         xmlTextReaderFreeNodeList(reader, cur->children);

modules/javafx.web/src/main/native/Source/ThirdParty/libxml/src/xmlsave.c

@@ -2197,7 +2197,7 @@ xmlNodeDump(xmlBufferPtr buf, xmlDocPtr doc, xmlNodePtr cur, int level,
             int format)
 {
     xmlBufPtr buffer;
-    int ret;
+    size_t ret;
 
     if ((buf == NULL) || (cur == NULL))
         return(-1);