From 0f0605e729ae2b872dc0a14e08af125b01e87078 Mon Sep 17 00:00:00 2001
From: jasper
Date: Tue, 28 Dec 2010 10:53:02 +0000
Subject: [PATCH] Security fix for CVE-2010-4494, Libxml2 XPath Double Free Vulnerability
Patch from upstream git.
---
 textproc/libxml/Makefile | 5 +++--
 textproc/libxml/patches/patch-xpath_c | 29 +++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 textproc/libxml/patches/patch-xpath_c
diff --git a/textproc/libxml/Makefile b/textproc/libxml/Makefile
index 8ef9098378c..cc5c5386d8e 100644
--- a/textproc/libxml/Makefile
+++ b/textproc/libxml/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.133 2010/11/21 12:25:49 espie Exp $
+# $OpenBSD: Makefile,v 1.134 2010/12/28 10:53:02 jasper Exp $
 COMMENT-main= XML parsing library
 COMMENT-python= Python bindings for libxml
@@ -6,7 +6,8 @@ COMMENT-python= Python bindings for libxml
 VERSION= 2.7.8
 DISTNAME= libxml2-${VERSION}
 PKGNAME-main= libxml-${VERSION}
-REVISION = 0
+REVISION = 1
+REVISION-python = 0
 PKGNAME-python= py-libxml-${VERSION}
 SHARED_LIBS= xml2 12.0
 CATEGORIES= textproc
diff --git a/textproc/libxml/patches/patch-xpath_c b/textproc/libxml/patches/patch-xpath_c
new file mode 100644
index 00000000000..40a317514f1
--- /dev/null
+++ b/textproc/libxml/patches/patch-xpath_c
@@ -0,0 +1,29 @@
+$OpenBSD: patch-xpath_c,v 1.1 2010/12/28 10:53:02 jasper Exp $
+
+Fix for CVE-2010-4494, Libxml2 XPath Double Free Vulnerability.
+
+From upstream git:
+http://git.gnome.org/browse/libxml2/commit/?id=df83c17e5a2646bd923f75e5e507bc80d73c9722
+
+--- xpath.c.orig Wed Nov 3 20:18:27 2010
++++ xpath.c Tue Dec 28 11:35:16 2010
+@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserCo
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ xmlXPathObjectPtr tmp;
+- /* pop the result */
++ /* pop the result if any */
+ tmp = valuePop(ctxt);
+- xmlXPathReleaseObject(xpctxt, tmp);
+- /* then pop off contextObj, which will be freed later */
+- valuePop(ctxt);
++ if (tmp != contextObj)
++ /*
++ * Free up the result
++ * then pop off contextObj, which will be freed later
++ */
++ xmlXPathReleaseObject(xpctxt, tmp);
++ valuePop(ctxt);
+ goto evaluation_error;
+ }
+
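Review bot: In the new error path the unbraced `if (tmp != contextObj)` governs only `xmlXPathReleaseObject(xpctxt, tmp);`, so the following `valuePop(ctxt);` still runs when `tmp` is already `contextObj`. The comment placed inside the `if` reads as though the release and the second pop were both meant to be conditional; as written, the no-result case appears to pop one more entry than this block accounts for, which would leave the value stack short for the caller. If that reading is right, bracing the pair — `if (tmp != contextObj) {` … `valuePop(ctxt); }` — keeps the double-free fix and stops the extra pop; since the patch is taken verbatim from upstream, the change is best confirmed there. The body of xmlXPathCompOpEvalPositionalPredicate starts and ends outside this hunk, so what sits below contextObj on the stack is not visible here.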