3 files changed, 271 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 3073851a53..7fd76937be 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -31,6 +31,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
           file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
           file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
           file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
+           file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \
+           file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
          "
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
new file mode 100644
index 0000000000..b4860791bf
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+This slightly modifies the output of 754946 in regression tests
+Upstream-Status: Backport
+CVE-2015-7500
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c                     | 28 ++++++++++++++++++++++------
+ result/errors/754946.xml.err |  7 +++++--
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
+++ b/parser.c
+@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+     const xmlChar **atts = ctxt->atts;
+     int maxatts = ctxt->maxatts;
+     int nratts, nbatts, nbdef;
+-    int i, j, nbNs, attval, oldline, oldcol;
+    int i, j, nbNs, attval, oldline, oldcol, inputNr;
+     const xmlChar *base;
+     unsigned long cur;
+     int nsNr = ctxt->nsNr;
+@@ -9367,6 +9367,7 @@ reparse:
+     SHRINK;
+     base = ctxt->input->base;
+     cur = ctxt->input->cur - ctxt->input->base;
+    inputNr = ctxt->inputNr;
+     oldline = ctxt->input->line;
+     oldcol = ctxt->input->col;
+     nbatts = 0;
+@@ -9392,7 +9393,8 @@ reparse:
+      */
+     SKIP_BLANKS;
+     GROW;
+-    if (ctxt->input->base != base) goto base_changed;
+    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+        goto base_changed;
+ 
+     while (((RAW != '>') &&
+           ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9403,7 +9405,7 @@ reparse:
+ 
+        attname = xmlParseAttribute2(ctxt, prefix, localname,
+                                     &aprefix, &attvalue, &len, &alloc);
+-       if (ctxt->input->base != base) {
+       if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+            if ((attvalue != NULL) && (alloc != 0))
+                xmlFree(attvalue);
+            attvalue = NULL;
+@@ -9552,7 +9554,8 @@ skip_ns:
+                    break;
+                }
+                SKIP_BLANKS;
+-               if (ctxt->input->base != base) goto base_changed;
+               if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+                   goto base_changed;
+                continue;
+            }
+ 
+@@ -9589,7 +9592,8 @@ failed:
+        GROW
+         if (ctxt->instate == XML_PARSER_EOF)
+             break;
+-       if (ctxt->input->base != base) goto base_changed;
+       if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+           goto base_changed;
+        if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+            break;
+        if (!IS_BLANK_CH(RAW)) {
+@@ -9605,7 +9609,8 @@ failed:
+            break;
+        }
+         GROW;
+-       if (ctxt->input->base != base) goto base_changed;
+       if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+           goto base_changed;
+     }
+ 
+     /*
+@@ -9772,6 +9777,17 @@ base_changed:
+            if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+                xmlFree((xmlChar *) atts[i]);
+     }
+
+    /*
+     * We can't switch from one entity to another in the middle
+     * of a start tag
+     */
+    if (inputNr != ctxt->inputNr) {
+        xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+                   "Start tag doesn't start and stop in the same entity\n");
+       return(NULL);
+    }
+
+     ctxt->input->cur = ctxt->input->base + cur;
+     ctxt->input->line = oldline;
+     ctxt->input->col = oldcol;
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+index 423dff5..a75088b 100644
+--- a/result/errors/754946.xml.err
+++ b/result/errors/754946.xml.err
+@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
+ Entity: line 1: 
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
+./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
+>%SYSTEM;<![
+         ^
+ ./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+-<!DOCTYPEA[<!ENTITY %
+-  ^
+>%SYSTEM;<![
+         ^
+-- 
+2.3.5
diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
new file mode 100644
index 0000000000..a86b9ee86e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
@@ -0,0 +1,138 @@
+From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 15 Sep 2015 16:50:32 +0800
+Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
+For https://bugzilla.gnome.org/show_bug.cgi?id=754946
+When hitting the end of the current input buffer while parsing
+a name we could end up loosing the beginning of the name, which
+led to various issues.
+Upstream-Status: backport
+Depend patch for CVE-2015-7500
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c                     | 29 ++++++++++++++++++++---------
+ result/errors/754946.xml     |  0
+ result/errors/754946.xml.err | 16 ++++++++++++++++
+ result/errors/754946.xml.str |  4 ++++
+ test/errors/754946.xml       |  1 +
+ 5 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 result/errors/754946.xml
+ create mode 100644 result/errors/754946.xml.err
+ create mode 100644 result/errors/754946.xml.str
+ create mode 100644 test/errors/754946.xml
+diff --git a/parser.c b/parser.c
+index 0edd53b..fd29a39 100644
+--- a/parser.c
+++ b/parser.c
+@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+        c = CUR_CHAR(l);
+        if (c == 0) {
+            count = 0;
+           /*
+            * when shrinking to extend the buffer we really need to preserve
+            * the part of the name we already parsed. Hence rolling back
+            * by current lenght.
+            */
+           ctxt->input->cur -= l;
+            GROW;
+           ctxt->input->cur += l;
+             if (ctxt->instate == XML_PARSER_EOF)
+                 return(NULL);
+            end = ctxt->input->cur;
+@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ 
+ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+-    const xmlChar *in;
+    const xmlChar *in, *e;
+     const xmlChar *ret;
+     int count = 0;
+ 
+@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+      * Accelerator for simple ASCII names
+      */
+     in = ctxt->input->cur;
+-    if (((*in >= 0x61) && (*in <= 0x7A)) ||
+-       ((*in >= 0x41) && (*in <= 0x5A)) ||
+-       (*in == '_')) {
+    e = ctxt->input->end;
+    if ((((*in >= 0x61) && (*in <= 0x7A)) ||
+        ((*in >= 0x41) && (*in <= 0x5A)) ||
+        (*in == '_')) && (in < e)) {
+        in++;
+-       while (((*in >= 0x61) && (*in <= 0x7A)) ||
+-              ((*in >= 0x41) && (*in <= 0x5A)) ||
+-              ((*in >= 0x30) && (*in <= 0x39)) ||
+-              (*in == '_') || (*in == '-') ||
+-              (*in == '.'))
+       while ((((*in >= 0x61) && (*in <= 0x7A)) ||
+               ((*in >= 0x41) && (*in <= 0x5A)) ||
+               ((*in >= 0x30) && (*in <= 0x39)) ||
+               (*in == '_') || (*in == '-') ||
+               (*in == '.')) && (in < e))
+            in++;
+       if (in >= e)
+           goto complex;
+        if ((*in > 0) && (*in < 0x80)) {
+            count = in - ctxt->input->cur;
+             if ((count > XML_MAX_NAME_LENGTH) &&
+@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+            return(ret);
+        }
+     }
+complex:
+     return(xmlParseNCNameComplex(ctxt));
+ }
+ 
+diff --git a/result/errors/754946.xml b/result/errors/754946.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+new file mode 100644
+index 0000000..423dff5
+--- /dev/null
+++ b/result/errors/754946.xml.err
+@@ -0,0 +1,16 @@
+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+ %SYSTEM; 
+         ^
+Entity: line 1: 
+A<lbbbbbbbbbbbbbbbbbbb_
+^
+Entity: line 1: parser error : DOCTYPE improperly terminated
+ %SYSTEM; 
+         ^
+Entity: line 1: 
+A<lbbbbbbbbbbbbbbbbbbb_
+^
+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+<!DOCTYPEA[<!ENTITY %
+  ^
+diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
+new file mode 100644
+index 0000000..3b748cc
+--- /dev/null
+++ b/result/errors/754946.xml.str
+@@ -0,0 +1,4 @@
+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+<!DOCTYPEA[<!ENTITY %
+          ^
+./test/errors/754946.xml : failed to parse
+diff --git a/test/errors/754946.xml b/test/errors/754946.xml
+new file mode 100644
+index 0000000..6b5f9b0
+--- /dev/null
+++ b/test/errors/754946.xml
+@@ -0,0 +1 @@
+<!DOCTYPEA[<!ENTITY %
+SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
+>%SYSTEM;<![
+\ No newline at end of file
+-- 
+2.3.5

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 3073851a53..7fd76937be 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc
@@ -31,6 +31,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
31	file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \	31	file://0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch \
32	file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \	32	file://CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch \
33	file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \	33	file://CVE-2015-7499-2-Detect-incoherency-on-GROW.patch \
		34	file://0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch \
		35	file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
34	"	36	"
35		37
36	BINCONFIG = "${bindir}/xml2-config"	38	BINCONFIG = "${bindir}/xml2-config"


diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch new file mode 100644 index 0000000000..b4860791bf --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
		1	From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Fri, 20 Nov 2015 16:06:59 +0800
		4	Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
		5	entities boundaries
		6
		7	For https://bugzilla.gnome.org/show_bug.cgi?id=756525
		8	handle properly the case where we popped out of the current entity
		9	while processing a start tag
		10	Reported by Kostya Serebryany @ Google
		11
		12	This slightly modifies the output of 754946 in regression tests
		13
		14	Upstream-Status: Backport
		15
		16	CVE-2015-7500
		17
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20	---
		21	parser.c \| 28 ++++++++++++++++++++++------
		22	result/errors/754946.xml.err \| 7 +++++--
		23	2 files changed, 27 insertions(+), 8 deletions(-)
		24
		25	diff --git a/parser.c b/parser.c
		26	index c7e4574..c5741e3 100644
		27	--- a/parser.c
		28	+++ b/parser.c
		29	@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
		30	const xmlChar **atts = ctxt->atts;
		31	int maxatts = ctxt->maxatts;
		32	int nratts, nbatts, nbdef;
		33	- int i, j, nbNs, attval, oldline, oldcol;
		34	+ int i, j, nbNs, attval, oldline, oldcol, inputNr;
		35	const xmlChar *base;
		36	unsigned long cur;
		37	int nsNr = ctxt->nsNr;
		38	@@ -9367,6 +9367,7 @@ reparse:
		39	SHRINK;
		40	base = ctxt->input->base;
		41	cur = ctxt->input->cur - ctxt->input->base;
		42	+ inputNr = ctxt->inputNr;
		43	oldline = ctxt->input->line;
		44	oldcol = ctxt->input->col;
		45	nbatts = 0;
		46	@@ -9392,7 +9393,8 @@ reparse:
		47	*/
		48	SKIP_BLANKS;
		49	GROW;
		50	- if (ctxt->input->base != base) goto base_changed;
		51	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
		52	+ goto base_changed;
		53
		54	while (((RAW != '>') &&
		55	((RAW != '/') \|\| (NXT(1) != '>')) &&
		56	@@ -9403,7 +9405,7 @@ reparse:
		57
		58	attname = xmlParseAttribute2(ctxt, prefix, localname,
		59	&aprefix, &attvalue, &len, &alloc);
		60	- if (ctxt->input->base != base) {
		61	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr)) {
		62	if ((attvalue != NULL) && (alloc != 0))
		63	xmlFree(attvalue);
		64	attvalue = NULL;
		65	@@ -9552,7 +9554,8 @@ skip_ns:
		66	break;
		67	}
		68	SKIP_BLANKS;
		69	- if (ctxt->input->base != base) goto base_changed;
		70	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
		71	+ goto base_changed;
		72	continue;
		73	}
		74
		75	@@ -9589,7 +9592,8 @@ failed:
		76	GROW
		77	if (ctxt->instate == XML_PARSER_EOF)
		78	break;
		79	- if (ctxt->input->base != base) goto base_changed;
		80	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
		81	+ goto base_changed;
		82	if ((RAW == '>') \|\| (((RAW == '/') && (NXT(1) == '>'))))
		83	break;
		84	if (!IS_BLANK_CH(RAW)) {
		85	@@ -9605,7 +9609,8 @@ failed:
		86	break;
		87	}
		88	GROW;
		89	- if (ctxt->input->base != base) goto base_changed;
		90	+ if ((ctxt->input->base != base) \|\| (inputNr != ctxt->inputNr))
		91	+ goto base_changed;
		92	}
		93
		94	/*
		95	@@ -9772,6 +9777,17 @@ base_changed:
		96	if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
		97	xmlFree((xmlChar *) atts[i]);
		98	}
		99	+
		100	+ /*
		101	+ * We can't switch from one entity to another in the middle
		102	+ * of a start tag
		103	+ */
		104	+ if (inputNr != ctxt->inputNr) {
		105	+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
		106	+ "Start tag doesn't start and stop in the same entity\n");
		107	+ return(NULL);
		108	+ }
		109	+
		110	ctxt->input->cur = ctxt->input->base + cur;
		111	ctxt->input->line = oldline;
		112	ctxt->input->col = oldcol;
		113	diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
		114	index 423dff5..a75088b 100644
		115	--- a/result/errors/754946.xml.err
		116	+++ b/result/errors/754946.xml.err
		117	@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
		118	Entity: line 1:
		119	A<lbbbbbbbbbbbbbbbbbbb_
		120	^
		121	+./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
		122	+>%SYSTEM;<![
		123	+ ^
		124	./test/errors/754946.xml:1: parser error : Extra content at the end of the document
		125	-<!DOCTYPEA[<!ENTITY %
		126	- ^
		127	+>%SYSTEM;<![
		128	+ ^
		129	--
		130	2.3.5
		131


diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch new file mode 100644 index 0000000000..a86b9ee86e --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
@@ -0,0 +1,138 @@
		1	From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Tue, 15 Sep 2015 16:50:32 +0800
		4	Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
		5
		6	For https://bugzilla.gnome.org/show_bug.cgi?id=754946
		7
		8	When hitting the end of the current input buffer while parsing
		9	a name we could end up loosing the beginning of the name, which
		10	led to various issues.
		11
		12	Upstream-Status: backport
		13
		14	Depend patch for CVE-2015-7500
		15
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17	---
		18	parser.c \| 29 ++++++++++++++++++++---------
		19	result/errors/754946.xml \| 0
		20	result/errors/754946.xml.err \| 16 ++++++++++++++++
		21	result/errors/754946.xml.str \| 4 ++++
		22	test/errors/754946.xml \| 1 +
		23	5 files changed, 41 insertions(+), 9 deletions(-)
		24	create mode 100644 result/errors/754946.xml
		25	create mode 100644 result/errors/754946.xml.err
		26	create mode 100644 result/errors/754946.xml.str
		27	create mode 100644 test/errors/754946.xml
		28
		29	diff --git a/parser.c b/parser.c
		30	index 0edd53b..fd29a39 100644
		31	--- a/parser.c
		32	+++ b/parser.c
		33	@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
		34	c = CUR_CHAR(l);
		35	if (c == 0) {
		36	count = 0;
		37	+ /*
		38	+ * when shrinking to extend the buffer we really need to preserve
		39	+ * the part of the name we already parsed. Hence rolling back
		40	+ * by current lenght.
		41	+ */
		42	+ ctxt->input->cur -= l;
		43	GROW;
		44	+ ctxt->input->cur += l;
		45	if (ctxt->instate == XML_PARSER_EOF)
		46	return(NULL);
		47	end = ctxt->input->cur;
		48	@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
		49
		50	static const xmlChar *
		51	xmlParseNCName(xmlParserCtxtPtr ctxt) {
		52	- const xmlChar *in;
		53	+ const xmlChar in, e;
		54	const xmlChar *ret;
		55	int count = 0;
		56
		57	@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
		58	* Accelerator for simple ASCII names
		59	*/
		60	in = ctxt->input->cur;
		61	- if (((in >= 0x61) && (in <= 0x7A)) \|\|
		62	- ((in >= 0x41) && (in <= 0x5A)) \|\|
		63	- (*in == '_')) {
		64	+ e = ctxt->input->end;
		65	+ if ((((in >= 0x61) && (in <= 0x7A)) \|\|
		66	+ ((in >= 0x41) && (in <= 0x5A)) \|\|
		67	+ (*in == '_')) && (in < e)) {
		68	in++;
		69	- while (((in >= 0x61) && (in <= 0x7A)) \|\|
		70	- ((in >= 0x41) && (in <= 0x5A)) \|\|
		71	- ((in >= 0x30) && (in <= 0x39)) \|\|
		72	- (in == '_') \|\| (in == '-') \|\|
		73	- (*in == '.'))
		74	+ while ((((in >= 0x61) && (in <= 0x7A)) \|\|
		75	+ ((in >= 0x41) && (in <= 0x5A)) \|\|
		76	+ ((in >= 0x30) && (in <= 0x39)) \|\|
		77	+ (in == '_') \|\| (in == '-') \|\|
		78	+ (*in == '.')) && (in < e))
		79	in++;
		80	+ if (in >= e)
		81	+ goto complex;
		82	if ((in > 0) && (in < 0x80)) {
		83	count = in - ctxt->input->cur;
		84	if ((count > XML_MAX_NAME_LENGTH) &&
		85	@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
		86	return(ret);
		87	}
		88	}
		89	+complex:
		90	return(xmlParseNCNameComplex(ctxt));
		91	}
		92
		93	diff --git a/result/errors/754946.xml b/result/errors/754946.xml
		94	new file mode 100644
		95	index 0000000..e69de29
		96	diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
		97	new file mode 100644
		98	index 0000000..423dff5
		99	--- /dev/null
		100	+++ b/result/errors/754946.xml.err
		101	@@ -0,0 +1,16 @@
		102	+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
		103	+
		104	+ %SYSTEM;
		105	+ ^
		106	+Entity: line 1:
		107	+A<lbbbbbbbbbbbbbbbbbbb_
		108	+^
		109	+Entity: line 1: parser error : DOCTYPE improperly terminated
		110	+ %SYSTEM;
		111	+ ^
		112	+Entity: line 1:
		113	+A<lbbbbbbbbbbbbbbbbbbb_
		114	+^
		115	+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
		116	+<!DOCTYPEA[<!ENTITY %
		117	+ ^
		118	diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
		119	new file mode 100644
		120	index 0000000..3b748cc
		121	--- /dev/null
		122	+++ b/result/errors/754946.xml.str
		123	@@ -0,0 +1,4 @@
		124	+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
		125	+<!DOCTYPEA[<!ENTITY %
		126	+ ^
		127	+./test/errors/754946.xml : failed to parse
		128	diff --git a/test/errors/754946.xml b/test/errors/754946.xml
		129	new file mode 100644
		130	index 0000000..6b5f9b0
		131	--- /dev/null
		132	+++ b/test/errors/754946.xml
		133	@@ -0,0 +1 @@
		134	+<!DOCTYPEA[<!ENTITY % SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_" >%SYSTEM;<![
		135	\ No newline at end of file
		136	--
		137	2.3.5
		138