$NetBSD: patch-bb,v 1.1.2.2 2012/08/09 18:05:03 tron Exp $

upstream commits 4f9fdc709c4861c390cd84e2ed1fd878b3442e28
and baaf03f80f817bb34c421421e6cb4d68c353ac9a
related to CVE-2012-2807

--- entities.c.orig	2010-02-15 10:58:14.000000000 +0000
+++ entities.c
@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xml
  * Macro used to grow the current buffer.
  */
 #define growBufferReentrant() {						\
-    buffer_size *= 2;							\
-    buffer = (xmlChar *)						\
-    		xmlRealloc(buffer, buffer_size * sizeof(xmlChar));	\
-    if (buffer == NULL) {						\
-        xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
-	return(NULL);							\
-    }									\
+    xmlChar *tmp;                                                       \
+    size_t new_size = buffer_size * 2;                                  \
+    if (new_size < buffer_size) goto mem_error;                         \
+    tmp = (xmlChar *) xmlRealloc(buffer, new_size);	                \
+    if (tmp == NULL) goto mem_error;                                    \
+    buffer = tmp;							\
+    buffer_size = new_size;						\
 }
 
 
@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
     const xmlChar *cur = input;
     xmlChar *buffer = NULL;
     xmlChar *out = NULL;
-    int buffer_size = 0;
+    size_t buffer_size = 0;
     int html = 0;
 
     if (input == NULL) return(NULL);
@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
     out = buffer;
 
     while (*cur != '\0') {
-        if (out - buffer > buffer_size - 100) {
-	    int indx = out - buffer;
+        size_t indx = out - buffer;
+        if (indx + 100 > buffer_size) {
 
 	    growBufferReentrant();
 	    out = &buffer[indx];
@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
     }
     *out = 0;
     return(buffer);
+
+mem_error:
+    xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
+    xmlFree(buffer);
+    return(NULL);
 }
 
 /**
@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
     const xmlChar *cur = input;
     xmlChar *buffer = NULL;
     xmlChar *out = NULL;
-    int buffer_size = 0;
+    size_t buffer_size = 0;
     if (input == NULL) return(NULL);
 
     /*
@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
     out = buffer;
 
     while (*cur != '\0') {
-        if (out - buffer > buffer_size - 10) {
-	    int indx = out - buffer;
+        size_t indx = out - buffer;
+        if (indx + 10 > buffer_size) {
 
 	    growBufferReentrant();
 	    out = &buffer[indx];
@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
     }
     *out = 0;
     return(buffer);
+
+mem_error:
+    xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
+    xmlFree(buffer);
+    return(NULL);
 }
 
 /**
