$NetBSD: patch-CVE-2017-5029,v 1.1 2017/05/23 23:37:01 tez Exp $

Patch for CVE-2017-5029 from:
 https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5


--- libxslt/xsltInternals.h.orig	2017-05-23 23:14:05.625798800 +0000
+++ libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
      * Speed optimization when coalescing text nodes
      */
     const xmlChar  *lasttext;		/* last text node content */
-    unsigned int    lasttsize;		/* last text node size */
-    unsigned int    lasttuse;		/* last text node use */
+    int		    lasttsize;		/* last text node size */
+    int		    lasttuse;		/* last text node use */
     /*
      * Per Context Debugging
      */

--- libxslt/transform.c.orig	2017-05-23 23:14:23.480987400 +0000
+++ libxslt/transform.c
@@ -816,13 +816,32 @@ xsltAddTextString(xsltTransformContextPt
         return(target);
 
     if (ctxt->lasttext == target->content) {
+	int minSize;
 
-	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+	/* Check for integer overflow accounting for NUL terminator. */
+	if (len >= INT_MAX - ctxt->lasttuse) {
+	    xsltTransformError(ctxt, NULL, target,
+		"xsltCopyText: text allocation failed\n");
+	    return(NULL);
+	}
+	minSize = ctxt->lasttuse + len + 1;
+
+	if (ctxt->lasttsize < minSize) {
 	    xmlChar *newbuf;
 	    int size;
+	    int extra;
+
+	    /* Double buffer size but increase by at least 100 bytes. */
+	    extra = minSize < 100 ? 100 : minSize;
+
+	    /* Check for integer overflow. */
+	    if (extra > INT_MAX - ctxt->lasttsize) {
+		size = INT_MAX;
+	    }
+	    else {
+		size = ctxt->lasttsize + extra;
+	    }
 
-	    size = ctxt->lasttsize + len + 100;
-	    size *= 2;
 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
 	    if (newbuf == NULL) {
 		xsltTransformError(ctxt, NULL, target,
