Apply the security patch by Daniel Veillard (against libxml2 2.6.32).

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2309 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 3 insertions, 1 deletions

diff --git a/third_party/libxml/README.google b/third_party/libxml/README.google
index f7cd50b..8d2b1d6 100644
--- a/third_party/libxml/README.google
+++ b/third_party/libxml/README.google
@@ -15,6 +15,7 @@ includes the following modifications :
   added a check to nsParent in xmlGetNamespace() in parser.c. 
   This allows parsed entities to inherit namespaces.
   (http://bugzilla.gnome.org/show_bug.cgi?id=502960 )
+* Applied security patch located at https://bugzilla.redhat.com/show_bug.cgi?id=461015
 
 Current version: 2.6.32
 
diff --git a/third_party/libxml/parser.c b/third_party/libxml/parser.c
index d12f429..fab0ea8 100644
--- a/third_party/libxml/parser.c
+++ b/third_party/libxml/parser.c
@@ -2307,6 +2307,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
  */
 #define growBuffer(buffer) {						\
     xmlChar *tmp;							\
+    buffer##_size += XML_PARSER_BUFFER_SIZE ;				\
     buffer##_size *= 2;							\
     tmp = (xmlChar *)							\
 		xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));	\
@@ -3347,7 +3348,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
 		     * Just output the reference
 		     */
 		    buf[len++] = '&';
-		    if (len > buf_size - i - 10) {
+		    while (len > buf_size - i - 10) {
 			growBuffer(buf);
 		    }
 		    for (;i > 0;i--)