[Libreoffice-commits] core.git: Branch 'feature/cib_contract891' - 22 commits - configure.ac download.lst external/expat external/icu external/libxml2 external/libxslt external/nss i18npool/CustomTarget_collator.mk i18npool/source i18nutil/source include/svx Makefile.fetch svx/source

Michael Stahl mstahl at redhat.com
Mon Apr 30 17:30:51 UTC 2018


 Makefile.fetch                                                                     |    4 
 configure.ac                                                                       |    2 
 download.lst                                                                       |   10 
 external/expat/StaticLibrary_expat.mk                                              |    1 
 external/expat/StaticLibrary_expat_x64.mk                                          |    1 
 external/expat/UnpackedTarball_expat.mk                                            |    3 
 external/expat/expat-2.1.0.patch                                                   |   13 
 external/icu/UnpackedTarball_icu.mk                                                |    3 
 external/icu/icu4c-aix.patch                                                       |    9 
 external/icu/icu4c-buffer-overflow.patch                                           |   30 -
 external/icu/icu4c-build.patch                                                     |   43 -
 external/icu/icu4c-changeset-39671.patch.1                                         |  189 ++++++
 external/icu/icu4c-changeset-40324.patch.1                                         |   11 
 external/icu/icu4c-mkdir.patch                                                     |    9 
 external/icu/icu4c-wchar_t.patch                                                   |   10 
 external/libxml2/0001-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch.1  |  116 ++++
 external/libxml2/0001-Fix-handling-of-parameter-entity-references.patch.1          |  287 ++++++++++
 external/libxml2/0001-Fix-type-confusion-in-xmlValidateOneNamespace.patch.1        |   43 +
 external/libxml2/0001-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch.1 |   31 +
 external/libxml2/0001-Prevent-unwanted-external-entity-reference.patch.1           |   35 +
 external/libxml2/ExternalPackage_xml2.mk                                           |    2 
 external/libxml2/UnpackedTarball_xml2.mk                                           |    6 
 external/libxml2/libxml2-freebsd.patch.1                                           |   15 
 external/libxml2/libxml2-vc10.patch                                                |    2 
 external/libxslt/0001-Fix-for-type-confusion-in-preprocessing-attributes.patch.1   |   29 +
 external/libxslt/UnpackedTarball_xslt.mk                                           |    1 
 external/nss/ExternalPackage_nss.mk                                                |    5 
 external/nss/ExternalProject_nss.mk                                                |    3 
 external/nss/UnpackedTarball_nss.mk                                                |    9 
 external/nss/nss-winXP-sdk.patch.1                                                 |   12 
 external/nss/nss.cygwin64.in32bit.patch                                            |   14 
 external/nss/nss.patch                                                             |   89 +--
 external/nss/nss.windowbuild.patch.0                                               |   55 +
 external/nss/nss.windows.patch                                                     |   17 
 external/nss/nss_macosx.patch                                                      |   96 ---
 i18npool/CustomTarget_collator.mk                                                  |   55 +
 i18npool/source/collator/collator_unicode.cxx                                      |    4 
 i18nutil/source/utility/unicode.cxx                                                |   20 
 include/svx/ucsubset.hrc                                                           |   32 +
 svx/source/dialog/charmap.cxx                                                      |  125 ++++
 svx/source/dialog/ucsubset.src                                                     |  128 ++++
 41 files changed, 1305 insertions(+), 264 deletions(-)

New commits:
commit 23b8e12c7e99085c411899cd94acf448545996b3
Author: Michael Stahl <mstahl at redhat.com>
Date:   Wed Aug 23 12:10:38 2017 +0200

    libxml2: bunch of CVE fixes
    
    Change-Id: Ic786fef17cbdb574c342925a4c57875123ef3151
    (cherry picked from commit 486d3b214c270fbd2651a0b0895d600e0f647750)
    Reviewed-on: https://gerrit.libreoffice.org/41460
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>

diff --git a/external/libxml2/0001-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch.1 b/external/libxml2/0001-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch.1
new file mode 100644
index 000000000000..047c88d943a7
--- /dev/null
+++ b/external/libxml2/0001-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch.1
@@ -0,0 +1,116 @@
+From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Sat, 3 Jun 2017 02:01:29 +0200
+Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+xmlSnprintfElementContent failed to correctly check the available
+buffer space in two locations.
+
+Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
+
+Thanks to Marcel Böhme and Thuan Pham for the report.
+---
+ result/valid/781333.xml         |  5 +++++
+ result/valid/781333.xml.err     |  3 +++
+ result/valid/781333.xml.err.rdr |  6 ++++++
+ test/valid/781333.xml           |  4 ++++
+ valid.c                         | 20 +++++++++++---------
+ 5 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 result/valid/781333.xml
+ create mode 100644 result/valid/781333.xml.err
+ create mode 100644 result/valid/781333.xml.err.rdr
+ create mode 100644 test/valid/781333.xml
+
+diff --git a/result/valid/781333.xml b/result/valid/781333.xml
+new file mode 100644
+index 00000000..45dc451d
+--- /dev/null
++++ b/result/valid/781333.xml
+@@ -0,0 +1,5 @@
++<?xml version="1.0"?>
++<!DOCTYPE a [
++<!ELEMENT a (ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 pppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
 lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
 lllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
+new file mode 100644
+index 00000000..b401b49a
+--- /dev/null
++++ b/result/valid/781333.xml.err
+@@ -0,0 +1,3 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
++<a/>
++    ^
+diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
+new file mode 100644
+index 00000000..5ff56992
+--- /dev/null
++++ b/result/valid/781333.xml.err.rdr
+@@ -0,0 +1,6 @@
++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
++<a/>
++    ^
++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
++
++^
+diff --git a/test/valid/781333.xml b/test/valid/781333.xml
+new file mode 100644
+index 00000000..b29e5a68
+--- /dev/null
++++ b/test/valid/781333.xml
+@@ -0,0 +1,4 @@
++<!DOCTYPE a [
++    <!ELEMENT a (ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
 pppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
 lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
 lllllllllllllllllllllllllllllllllllll)>
++]>
++<a/>
+diff --git a/valid.c b/valid.c
+index 19f84b82..9b2df56a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+         case XML_ELEMENT_CONTENT_PCDATA:
+             strcat(buf, "#PCDATA");
+ 	    break;
+-	case XML_ELEMENT_CONTENT_ELEMENT:
++	case XML_ELEMENT_CONTENT_ELEMENT: {
++            int qnameLen = xmlStrlen(content->name);
++
++	    if (content->prefix != NULL)
++                qnameLen += xmlStrlen(content->prefix) + 1;
++	    if (size - len < qnameLen + 10) {
++		strcat(buf, " ...");
++		return;
++	    }
+ 	    if (content->prefix != NULL) {
+-		if (size - len < xmlStrlen(content->prefix) + 10) {
+-		    strcat(buf, " ...");
+-		    return;
+-		}
+ 		strcat(buf, (char *) content->prefix);
+ 		strcat(buf, ":");
+ 	    }
+-	    if (size - len < xmlStrlen(content->name) + 10) {
+-		strcat(buf, " ...");
+-		return;
+-	    }
+ 	    if (content->name != NULL)
+ 		strcat(buf, (char *) content->name);
+ 	    break;
++        }
+ 	case XML_ELEMENT_CONTENT_SEQ:
+ 	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ 	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
+ 		xmlSnprintfElementContent(buf, size, content->c2, 0);
+ 	    break;
+     }
++    if (size - strlen(buf) <= 2) return;
+     if (englob)
+         strcat(buf, ")");
+     switch (content->ocur) {
+-- 
+2.13.5
+
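Review bot: In the valid.c part of this patch, the new guard `if (size - strlen(buf) <= 2) return;` subtracts a `size_t` from the `int` parameter `size`, so the arithmetic is unsigned; if `buf` were ever longer than `size` at that point, the difference would wrap to a large value and the `strcat(buf, ")")` below would still run. Doing the comparison in one signed type closes that gap, for example `if (size - (int) strlen(buf) <= 2) return;`. This early return also exits without the ` ...` marker that the truncation path in the `XML_ELEMENT_CONTENT_ELEMENT` case appends, which deserves a one-line comment. The body of xmlSnprintfElementContent starts and ends outside the hunk, so how `len` is declared and computed is not visible here.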
diff --git a/external/libxml2/0001-Fix-handling-of-parameter-entity-references.patch.1 b/external/libxml2/0001-Fix-handling-of-parameter-entity-references.patch.1
new file mode 100644
index 000000000000..8f005cf32181
--- /dev/null
+++ b/external/libxml2/0001-Fix-handling-of-parameter-entity-references.patch.1
@@ -0,0 +1,287 @@
+From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Mon, 5 Jun 2017 15:37:17 +0200
+Subject: [PATCH] Fix handling of parameter-entity references
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There were two bugs where parameter-entity references could lead to an
+unexpected change of the input buffer in xmlParseNameComplex and
+xmlDictLookup being called with an invalid pointer.
+
+Percent sign in DTD Names
+=========================
+
+The NEXTL macro used to call xmlParserHandlePEReference. When parsing
+"complex" names inside the DTD, this could result in entity expansion
+which created a new input buffer. The fix is to simply remove the call
+to xmlParserHandlePEReference from the NEXTL macro. This is safe because
+no users of the macro require expansion of parameter entities.
+
+- xmlParseNameComplex
+- xmlParseNCNameComplex
+- xmlParseNmtoken
+
+The percent sign is not allowed in names, which are grammatical tokens.
+
+- xmlParseEntityValue
+
+Parameter-entity references in entity values are expanded but this
+happens in a separate step in this function.
+
+- xmlParseSystemLiteral
+
+Parameter-entity references are ignored in the system literal.
+
+- xmlParseAttValueComplex
+- xmlParseCharDataComplex
+- xmlParseCommentComplex
+- xmlParsePI
+- xmlParseCDSect
+
+Parameter-entity references are ignored outside the DTD.
+
+- xmlLoadEntityContent
+
+This function is only called from xmlStringLenDecodeEntities and
+entities are replaced in a separate step immediately after the function
+call.
+
+This bug could also be triggered with an internal subset and double
+entity expansion.
+
+This fixes bug 766956 initially reported by Wei Lei and independently by
+Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
+involved.
+
+xmlParseNameComplex with XML_PARSE_OLD10
+========================================
+
+When parsing Names inside an expanded parameter entity with the
+XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
+GROW macro if the input buffer was exhausted. At the end of the
+parameter entity's replacement text, this function would then call
+xmlPopInput which invalidated the input buffer.
+
+There should be no need to invoke GROW in this situation because the
+buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
+at least for UTF-8, in xmlCurrentChar. This also matches the code path
+executed when XML_PARSE_OLD10 is not set.
+
+This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
+Thanks to Marcel Böhme and Thuan Pham for the report.
+
+Additional hardening
+====================
+
+A separate check was added in xmlParseNameComplex to validate the
+buffer size.
+---
+ Makefile.am                     | 18 ++++++++++++++++++
+ parser.c                        | 18 ++++++++++--------
+ result/errors10/781205.xml      |  0
+ result/errors10/781205.xml.err  | 21 +++++++++++++++++++++
+ result/errors10/781361.xml      |  0
+ result/errors10/781361.xml.err  | 13 +++++++++++++
+ result/valid/766956.xml         |  0
+ result/valid/766956.xml.err     |  9 +++++++++
+ result/valid/766956.xml.err.rdr | 10 ++++++++++
+ runtest.c                       |  3 +++
+ test/errors10/781205.xml        |  3 +++
+ test/errors10/781361.xml        |  3 +++
+ test/valid/766956.xml           |  2 ++
+ test/valid/dtds/766956.dtd      |  2 ++
+ 14 files changed, 94 insertions(+), 8 deletions(-)
+ create mode 100644 result/errors10/781205.xml
+ create mode 100644 result/errors10/781205.xml.err
+ create mode 100644 result/errors10/781361.xml
+ create mode 100644 result/errors10/781361.xml.err
+ create mode 100644 result/valid/766956.xml
+ create mode 100644 result/valid/766956.xml.err
+ create mode 100644 result/valid/766956.xml.err.rdr
+ create mode 100644 test/errors10/781205.xml
+ create mode 100644 test/errors10/781361.xml
+ create mode 100644 test/valid/766956.xml
+ create mode 100644 test/valid/dtds/766956.dtd
+
+diff --git a/parser.c b/parser.c
+index df2efa55..a175ac4e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
+ 	ctxt->input->line++; ctxt->input->col = 1;			\
+     } else ctxt->input->col++;						\
+     ctxt->input->cur += l;				\
+-    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\
+   } while (0)
+ 
+ #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
+@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ 	    len += l;
+ 	    NEXTL(l);
+ 	    c = CUR_CHAR(l);
+-	    if (c == 0) {
+-		count = 0;
+-		GROW;
+-                if (ctxt->instate == XML_PARSER_EOF)
+-                    return(NULL);
+-		c = CUR_CHAR(l);
+-	    }
+ 	}
+     }
+     if ((len > XML_MAX_NAME_LENGTH) &&
+@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+         return(NULL);
+     }
++    if (ctxt->input->cur - ctxt->input->base < len) {
++        /*
++         * There were a couple of bugs where PERefs lead to to a change
++         * of the buffer. Check the buffer size to avoid passing an invalid
++         * pointer to xmlDictLookup.
++         */
++        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
++                    "unexpected change of input buffer");
++        return (NULL);
++    }
+     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
+         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
+     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
+diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
+new file mode 100644
+index 00000000..da15c3f7
+--- /dev/null
++++ b/result/errors10/781205.xml.err
+@@ -0,0 +1,21 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %a; 
++    ^
++Entity: line 1: 
++<:0000
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %a; 
++    ^
++Entity: line 1: 
++<:0000
++^
++namespace error : Failed to parse QName ':0000'
++ %a; 
++    ^
++<:0000
++      ^
++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
++
++^
+diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
+new file mode 100644
+index 00000000..655f41a2
+--- /dev/null
++++ b/result/errors10/781361.xml.err
+@@ -0,0 +1,13 @@
++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
++
++^
++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++
++^
++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
++
++^
++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
++
++^
+diff --git a/result/valid/766956.xml b/result/valid/766956.xml
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
+new file mode 100644
+index 00000000..34b1dae6
+--- /dev/null
++++ b/result/valid/766956.xml.err
+@@ -0,0 +1,9 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++   ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent; 
++      ^
++Entity: line 1: 
++value
++^
+diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
+new file mode 100644
+index 00000000..77603462
+--- /dev/null
++++ b/result/valid/766956.xml.err.rdr
+@@ -0,0 +1,10 @@
++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
++%ä%ent;
++   ^
++Entity: line 1: parser error : Content error in the external subset
++ %ent; 
++      ^
++Entity: line 1: 
++value
++^
++./test/valid/766956.xml : failed to parse
+diff --git a/runtest.c b/runtest.c
+index b2ce693b..378b38e3 100644
+--- a/runtest.c
++++ b/runtest.c
+@@ -4214,6 +4214,9 @@ testDesc testDescriptions[] = {
+     { "Error cases regression tests",
+       errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
+       0 },
++    { "Error cases regression tests (old 1.0)",
++      errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
++      XML_PARSE_OLD10 },
+ #ifdef LIBXML_READER_ENABLED
+     { "Error cases stream regression tests",
+       streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
+diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
+new file mode 100644
+index 00000000..d9e9e839
+--- /dev/null
++++ b/test/errors10/781205.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE D [
++  <!ENTITY % a "<:0000">
++  %a;
+diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
+new file mode 100644
+index 00000000..67476bcb
+--- /dev/null
++++ b/test/errors10/781361.xml
+@@ -0,0 +1,3 @@
++<!DOCTYPE doc [
++  <!ENTITY % elem "<!ELEMENT e0000000000">
++  %elem;
+diff --git a/test/valid/766956.xml b/test/valid/766956.xml
+new file mode 100644
+index 00000000..19a95a0e
+--- /dev/null
++++ b/test/valid/766956.xml
+@@ -0,0 +1,2 @@
++<!DOCTYPE test SYSTEM "dtds/766956.dtd">
++<test/>
+diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
+new file mode 100644
+index 00000000..dddde68b
+--- /dev/null
++++ b/test/valid/dtds/766956.dtd
+@@ -0,0 +1,2 @@
++<!ENTITY % ent "value">
++%ä%ent;
+-- 
+2.13.5
+
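Review bot: The hardening check added to xmlParseNameComplex in parser.c, `if (ctxt->input->cur - ctxt->input->base < len)`, only guarantees that `cur - len` lies inside the buffer, while the CR/LF branch directly below it reads `ctxt->input->cur[-1]` and passes `ctxt->input->cur - (len + 1)` to xmlDictLookup, one byte further back. If the check is meant to protect both lookups, that branch needs its own bound, for example `(ctxt->input->cur - ctxt->input->base > len) &&` as the first condition of that `if`. Whether the branch can actually be reached with `cur - base == len` depends on code outside the hunk. The new comment also contains a doubled word (`lead to to`).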
diff --git a/external/libxml2/0001-Fix-type-confusion-in-xmlValidateOneNamespace.patch.1 b/external/libxml2/0001-Fix-type-confusion-in-xmlValidateOneNamespace.patch.1
new file mode 100644
index 000000000000..f0c4e6d5dba5
--- /dev/null
+++ b/external/libxml2/0001-Fix-type-confusion-in-xmlValidateOneNamespace.patch.1
@@ -0,0 +1,43 @@
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 8075d3a0..c51ea290 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ 	}
+     }
+ 
++    /*
++     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++     * xmlAddID and xmlAddRef for namespace declarations, but it makes
++     * no practical sense to use ID types anyway.
++     */
++#if 0
+     /* Validity Constraint: ID uniqueness */
+     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ 	    ret = 0;
+     }
++#endif
+ 
+     /* Validity Constraint: Notation Attributes */
+     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+-- 
+2.13.5
+
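Review bot: The `#if 0` … `#endif` pair added around the `xmlAddID` and `xmlAddRef` blocks in valid.c removes the bad `(xmlAttrPtr) ns` casts, but it keeps dead code in the tree and leaves those validity constraints unenforced for namespace declarations without saying so. The new comment explains why the cast is wrong; it would help to add one sentence stating the consequence, e.g. `ID and IDREF types declared on namespace declarations are not validated here.` The enclosing function starts and ends outside the hunk, so whether `attrDecl->atype` is handled elsewhere for these types cannot be confirmed from here.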
diff --git a/external/libxml2/0001-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch.1 b/external/libxml2/0001-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch.1
new file mode 100644
index 000000000000..fa90247f5e23
--- /dev/null
+++ b/external/libxml2/0001-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch.1
@@ -0,0 +1,31 @@
+From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index e109ad75..373425de 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+     if (ctxt->port != 80) {
+ 	/* reserve space for ':xxxxx', incl. potential proxy */
+ 	if (proxy)
+-	    blen += 12;
++	    blen += 17;
+ 	else
+-	    blen += 6;
++	    blen += 11;
+     }
+     bp = (char*)xmlMallocAtomic(blen);
+     if ( bp == NULL ) {
+-- 
+2.13.5
+
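Review bot: The context comment `/* reserve space for ':xxxxx', incl. potential proxy */` still describes a five-digit port after the reservation grows to 11 and 17 bytes, so the numbers no longer match their explanation. Rewording it to something like `/* reserve space for ':' plus up to 10 port digits, incl. potential proxy */` would keep the sizing auditable. Eleven bytes hold a colon and ten decimal digits but not a minus sign. Whether `ctxt->port` can be negative or otherwise out of range is decided by URL parsing outside this hunk, so it is worth confirming that such values are rejected before `blen` is computed. The code that formats into `bp` is also outside the hunk, so whether that write is bounded by `blen` cannot be checked from here.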
diff --git a/external/libxml2/0001-Prevent-unwanted-external-entity-reference.patch.1 b/external/libxml2/0001-Prevent-unwanted-external-entity-reference.patch.1
new file mode 100644
index 000000000000..7a935a6ada60
--- /dev/null
+++ b/external/libxml2/0001-Prevent-unwanted-external-entity-reference.patch.1
@@ -0,0 +1,35 @@
+From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
+From: Neel Mehta <nmehta at google.com>
+Date: Fri, 7 Apr 2017 17:43:02 +0200
+Subject: [PATCH] Prevent unwanted external entity reference
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780691
+
+* parser.c: add a specific check to avoid PE reference
+---
+ parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index 609a2703..c2c812de 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ 	    if (xmlPushInput(ctxt, input) < 0)
+ 		return;
+ 	} else {
++	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
++	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
++		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
++		((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
++		((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
++		(ctxt->replaceEntities == 0) &&
++		(ctxt->validate == 0))
++		return;
++
+ 	    /*
+ 	     * TODO !!!
+ 	     * handle the extra spaces added before and after
+-- 
+2.13.5
+
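Review bot: The new early `return` at the top of the `else` branch in `xmlParsePEReference` has no comment, although it appears to be the line that decides whether an external parameter entity is processed at all. A short comment above the condition would make the intent reviewable, for example `/* Skip external PEs unless the caller asked for entity substitution, DTD loading or validation */`. The return is also silent, so a caller that expected the entity to be expanded gets no warning that it was skipped. Whether a diagnostic is appropriate depends on the rest of the function, which is outside this hunk.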
diff --git a/external/libxml2/UnpackedTarball_xml2.mk b/external/libxml2/UnpackedTarball_xml2.mk
index 2c77ef84a11f..0d3f866a0ae8 100644
--- a/external/libxml2/UnpackedTarball_xml2.mk
+++ b/external/libxml2/UnpackedTarball_xml2.mk
@@ -16,6 +16,11 @@ $(eval $(call gb_UnpackedTarball_add_patches,xml2,\
 	external/libxml2/libxml2-global-symbols.patch \
 	external/libxml2/libxml2-vc10.patch \
 	$(if $(filter ANDROID,$(OS)),external/libxml2/libxml2-android.patch) \
+	external/libxml2/0001-Fix-type-confusion-in-xmlValidateOneNamespace.patch.1 \
+	external/libxml2/0001-Prevent-unwanted-external-entity-reference.patch.1 \
+	external/libxml2/0001-Increase-buffer-space-for-port-in-HTTP-redirect-supp.patch.1 \
+	external/libxml2/0001-Fix-buffer-size-checks-in-xmlSnprintfElementContent.patch.1 \
+	external/libxml2/0001-Fix-handling-of-parameter-entity-references.patch.1 \
 ))
 
 # vim: set noet sw=4 ts=4:
commit 55084fcb00f86705493a1b7a062d4b4b5f8b115e
Author: Michael Stahl <mstahl at redhat.com>
Date:   Tue May 24 17:27:14 2016 +0200

    libxml2: upgrade to release 2.9.4
    
    Change-Id: Ia3109b704155b9baa28f2a5f224e55af161f4fa1
    Reviewed-on: https://gerrit.libreoffice.org/25412
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>

diff --git a/download.lst b/download.lst
index e0de909e433f..a33f4f15e030 100644
--- a/download.lst
+++ b/download.lst
@@ -89,7 +89,7 @@ export LCMS2_TARBALL := 861ef15fa0bc018f9ddc932c4ad8b6dd-lcms2-2.4.tar.gz
 export LIBEXTTEXTCAT_TARBALL := ae330b9493bd4503ac390106ff6060d7-libexttextcat-3.4.3.tar.bz2
 export LIBLANGTAG_TARBALL := 36271d3fa0d9dec1632029b6d7aac925-liblangtag-0.5.1.tar.bz2
 export LIBXMLSEC_TARBALL := 1f24ab1d39f4a51faf22244c94a6203f-xmlsec1-1.2.14.tar.gz
-export LIBXML_TARBALL := daece17e045f1c107610e137ab50c179-libxml2-2.9.3.tar.gz
+export LIBXML_TARBALL := ae249165c173b1ff386ee8ad676815f5-libxml2-2.9.4.tar.gz
 export LIBXSLT_TARBALL := 9667bf6f9310b957254fdcf6596600b7-libxslt-1.1.28.tar.gz
 export LPSOLVE_TARBALL := 26b3e95ddf3d9c077c480ea45874b3b8-lp_solve_5.5.tar.gz
 export MARIADB_TARBALL := 05f84c95b610c21c5fd510d10debcabf-mariadb-native-client-1.0.0.tar.bz2
diff --git a/external/libxml2/ExternalPackage_xml2.mk b/external/libxml2/ExternalPackage_xml2.mk
index 8df732b0e5b9..b89b054a2b68 100644
--- a/external/libxml2/ExternalPackage_xml2.mk
+++ b/external/libxml2/ExternalPackage_xml2.mk
@@ -25,7 +25,7 @@ $(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.dl
 $(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_LIB_FOLDER)/libxml2.dll,win32/bin.msvc/libxml2.dll))
 endif
 else # OS!=WNT
-$(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.3))
+$(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.4))
 endif
 endif # DISABLE_DYNLOADING
 
commit 858d658b5debdd1d2624b9033d936a6424fc7f62
Author: Michael Stahl <mstahl at redhat.com>
Date:   Fri Nov 20 13:50:51 2015 +0100

    libxml2: upgrade to version 2.9.3
    
    - drop libxml2-freebsd.patch.1 (upstream libtool 2.4.6 does the same)
    - drop libxml2-vc15.patch (fixed upstream)
    
    Change-Id: Ia2f194f39efebd3d2ea924d23a5543ac53e93116
    Reviewed-on: https://gerrit.libreoffice.org/20084
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>

diff --git a/download.lst b/download.lst
index b4c043e3a092..e0de909e433f 100644
--- a/download.lst
+++ b/download.lst
@@ -89,7 +89,7 @@ export LCMS2_TARBALL := 861ef15fa0bc018f9ddc932c4ad8b6dd-lcms2-2.4.tar.gz
 export LIBEXTTEXTCAT_TARBALL := ae330b9493bd4503ac390106ff6060d7-libexttextcat-3.4.3.tar.bz2
 export LIBLANGTAG_TARBALL := 36271d3fa0d9dec1632029b6d7aac925-liblangtag-0.5.1.tar.bz2
 export LIBXMLSEC_TARBALL := 1f24ab1d39f4a51faf22244c94a6203f-xmlsec1-1.2.14.tar.gz
-export LIBXML_TARBALL := 9c0cfef285d5c4a5c80d00904ddab380-libxml2-2.9.1.tar.gz
+export LIBXML_TARBALL := daece17e045f1c107610e137ab50c179-libxml2-2.9.3.tar.gz
 export LIBXSLT_TARBALL := 9667bf6f9310b957254fdcf6596600b7-libxslt-1.1.28.tar.gz
 export LPSOLVE_TARBALL := 26b3e95ddf3d9c077c480ea45874b3b8-lp_solve_5.5.tar.gz
 export MARIADB_TARBALL := 05f84c95b610c21c5fd510d10debcabf-mariadb-native-client-1.0.0.tar.bz2
diff --git a/external/libxml2/ExternalPackage_xml2.mk b/external/libxml2/ExternalPackage_xml2.mk
index e25a7f8c38e0..8df732b0e5b9 100644
--- a/external/libxml2/ExternalPackage_xml2.mk
+++ b/external/libxml2/ExternalPackage_xml2.mk
@@ -25,7 +25,7 @@ $(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.dl
 $(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_LIB_FOLDER)/libxml2.dll,win32/bin.msvc/libxml2.dll))
 endif
 else # OS!=WNT
-$(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.1))
+$(eval $(call gb_ExternalPackage_add_file,xml2,$(LIBO_URE_LIB_FOLDER)/libxml2.so.2,.libs/libxml2.so.2.9.3))
 endif
 endif # DISABLE_DYNLOADING
 
diff --git a/external/libxml2/UnpackedTarball_xml2.mk b/external/libxml2/UnpackedTarball_xml2.mk
index ef00e8e2f97a..2c77ef84a11f 100644
--- a/external/libxml2/UnpackedTarball_xml2.mk
+++ b/external/libxml2/UnpackedTarball_xml2.mk
@@ -13,7 +13,6 @@ $(eval $(call gb_UnpackedTarball_set_tarball,xml2,$(LIBXML_TARBALL),,libxml2))
 
 $(eval $(call gb_UnpackedTarball_add_patches,xml2,\
 	external/libxml2/libxml2-config.patch.1 \
-	external/libxml2/libxml2-freebsd.patch.1 \
 	external/libxml2/libxml2-global-symbols.patch \
 	external/libxml2/libxml2-vc10.patch \
 	$(if $(filter ANDROID,$(OS)),external/libxml2/libxml2-android.patch) \
diff --git a/external/libxml2/libxml2-freebsd.patch.1 b/external/libxml2/libxml2-freebsd.patch.1
deleted file mode 100644
index a8743155a940..000000000000
--- a/external/libxml2/libxml2-freebsd.patch.1
+++ /dev/null
@@ -1,15 +0,0 @@
-Usual patch to produce Linux-like .so files on FreeBSD
-
---- a/ltmain.sh	2009-10-06 17:39:54.000000000 +0100
-+++ b/ltmain.sh	2009-12-17 11:43:56.000000000 +0000
-@@ -6271,8 +6271,8 @@
- 	  ;;
- 
- 	freebsd-elf)
--	  major=".$current"
--	  versuffix=".$current"
-+	  major=.`expr $current - $age`
-+	  versuffix=".$major.$age.$revision";
- 	  ;;
- 
- 	irix | nonstopux)
diff --git a/external/libxml2/libxml2-vc10.patch b/external/libxml2/libxml2-vc10.patch
index 90c43125b384..e88d25563667 100644
--- a/external/libxml2/libxml2-vc10.patch
+++ b/external/libxml2/libxml2-vc10.patch
@@ -1,3 +1,5 @@
+Add SOLARINC, and disable SSE2 default for MSVC2012
+
 --- build/libxml2-2.7.6/win32/Makefile.msvc.old	2010-09-20 20:22:41.500000000 +0200
 +++ build/libxml2-2.7.6/win32/Makefile.msvc	2010-09-20 20:23:00.250000000 +0200
 @@ -59,6 +59,7 @@
commit a40b3cbc9f6af50db0e2dfe079a53722a28c394b
Author: Eike Rathke <erack at redhat.com>
Date:   Wed Apr 13 22:24:25 2016 +0200

    upgrade to ICU 57
    
    This does not apply patches
    
    external/icu/khmerbreakengine.patch
    external/icu/khmerdict.dict
    
    anymore, as the khmerbreakengine.patch failed to apply with several
    hunks of which one was 16k. Asking the patch contributor to follow-up on
    this.
    
    Reviewed-on: https://gerrit.libreoffice.org/24067
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Eike Rathke <erack at redhat.com>
    Tested-by: Eike Rathke <erack at redhat.com>
    
    Conflicts:
            download.lst
            external/icu/UnpackedTarball_icu.mk
    
    Change-Id: I78d4371d04a7b03417d402a222bcd384f02a619e

diff --git a/configure.ac b/configure.ac
index 55fe972bcdce..4fe00e79aef1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8939,7 +8939,7 @@ SYSTEM_GENBRK=
 SYSTEM_GENCCODE=
 SYSTEM_GENCMN=
 
-ICU_MAJOR=56
+ICU_MAJOR=57
 ICU_MINOR=1
 ICU_RECLASSIFIED_CLOSE_PARENTHESIS="YES"
 ICU_RECLASSIFIED_PREPEND_SET_EMPTY="YES"
diff --git a/download.lst b/download.lst
index 9bb9e1ce5e7c..b4c043e3a092 100644
--- a/download.lst
+++ b/download.lst
@@ -71,7 +71,7 @@ export GRAPHITE_TARBALL := 17df8301bcc459e83f8a8f3aca6183b2-graphite-minimal-1.3
 export HSQLDB_TARBALL := 17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip
 export HUNSPELL_TARBALL := 3121aaf3e13e5d88dfff13fb4a5f1ab8-hunspell-1.3.2.tar.gz
 export HYPHEN_TARBALL := a2f6010987e1c601274ab5d63b72c944-hyphen-2.8.4.tar.gz
-export ICU_TARBALL := c4a2d71ff56aec5ebfab2a3f059be99d-icu4c-56_1-src.tgz
+export ICU_TARBALL := 976734806026a4ef8bdd17937c8898b9-icu4c-57_1-src.tgz
 export JFREEREPORT_FLOW_ENGINE_TARBALL := ba2930200c9f019c2d93a8c88c651a0f-flow-engine-0.9.4.zip
 export JFREEREPORT_FLUTE_TARBALL := d8bd5eed178db6e2b18eeed243f85aa8-flute-1.1.6.zip
 export JFREEREPORT_LIBBASE_TARBALL := eeb2c7ddf0d302fba4bfc6e97eac9624-libbase-1.1.6.zip
commit b91c2f2e6cd147c0e4c8ca088b9cccaf72a7c018
Author: Eike Rathke <erack at redhat.com>
Date:   Tue Oct 20 14:19:12 2015 +0200

    Upgrade to ICU 56.1
    
    Change-Id: Icc3d66c16fca95aa890aee6c67c84674fef878fc

diff --git a/configure.ac b/configure.ac
index c2fffdd10153..55fe972bcdce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8939,7 +8939,7 @@ SYSTEM_GENBRK=
 SYSTEM_GENCCODE=
 SYSTEM_GENCMN=
 
-ICU_MAJOR=54
+ICU_MAJOR=56
 ICU_MINOR=1
 ICU_RECLASSIFIED_CLOSE_PARENTHESIS="YES"
 ICU_RECLASSIFIED_PREPEND_SET_EMPTY="YES"
diff --git a/download.lst b/download.lst
index 0d441ee13c2a..9bb9e1ce5e7c 100644
--- a/download.lst
+++ b/download.lst
@@ -71,7 +71,7 @@ export GRAPHITE_TARBALL := 17df8301bcc459e83f8a8f3aca6183b2-graphite-minimal-1.3
 export HSQLDB_TARBALL := 17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip
 export HUNSPELL_TARBALL := 3121aaf3e13e5d88dfff13fb4a5f1ab8-hunspell-1.3.2.tar.gz
 export HYPHEN_TARBALL := a2f6010987e1c601274ab5d63b72c944-hyphen-2.8.4.tar.gz
-export ICU_TARBALL := e844caed8f2ca24c088505b0d6271bc0-icu4c-54_1-src.tgz
+export ICU_TARBALL := c4a2d71ff56aec5ebfab2a3f059be99d-icu4c-56_1-src.tgz
 export JFREEREPORT_FLOW_ENGINE_TARBALL := ba2930200c9f019c2d93a8c88c651a0f-flow-engine-0.9.4.zip
 export JFREEREPORT_FLUTE_TARBALL := d8bd5eed178db6e2b18eeed243f85aa8-flute-1.1.6.zip
 export JFREEREPORT_LIBBASE_TARBALL := eeb2c7ddf0d302fba4bfc6e97eac9624-libbase-1.1.6.zip
diff --git a/svx/source/dialog/charmap.cxx b/svx/source/dialog/charmap.cxx
index 7d5dc869ff0b..6de4feb424b2 100644
--- a/svx/source/dialog/charmap.cxx
+++ b/svx/source/dialog/charmap.cxx
@@ -1554,6 +1554,32 @@ void SubsetMap::InitList()
                     aAllSubsets.push_back( Subset( 0x118A0, 0x118FF, RID_SUBSETSTR_WARANG_CITI ) );
                     break;
 #endif
+#if U_ICU_VERSION_MAJOR_NUM >= 56
+                    /* FIXME: add RID_... to include/svx/ucsubset.hrc and
+                     * strings to svx/source/dialog/ucsubset.src and Unicode
+                     * block ranges to aAllSubsets, for now this only
+                     * compiles.. */
+                case UBLOCK_AHOM:
+                    break;
+                case UBLOCK_ANATOLIAN_HIEROGLYPHS:
+                    break;
+                case UBLOCK_CHEROKEE_SUPPLEMENT:
+                    break;
+                case UBLOCK_CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E:
+                    break;
+                case UBLOCK_EARLY_DYNASTIC_CUNEIFORM:
+                    break;
+                case UBLOCK_HATRAN:
+                    break;
+                case UBLOCK_MULTANI:
+                    break;
+                case UBLOCK_OLD_HUNGARIAN:
+                    break;
+                case UBLOCK_SUPPLEMENTAL_SYMBOLS_AND_PICTOGRAPHS:
+                    break;
+                case UBLOCK_SUTTON_SIGNWRITING:
+                    break;
+#endif
 
             }
 
commit c4e4bf5c23e21c037678d832f7888514fa92db7b
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Dec 19 11:04:49 2014 +0000

    upgrade to icu 54
    
    Change-Id: I4d32ac386ff8b69bee4319e673769917045d9450
    Reviewed-on: https://gerrit.libreoffice.org/13547
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/configure.ac b/configure.ac
index 96dbeb54e543..c2fffdd10153 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8939,7 +8939,7 @@ SYSTEM_GENBRK=
 SYSTEM_GENCCODE=
 SYSTEM_GENCMN=
 
-ICU_MAJOR=53
+ICU_MAJOR=54
 ICU_MINOR=1
 ICU_RECLASSIFIED_CLOSE_PARENTHESIS="YES"
 ICU_RECLASSIFIED_PREPEND_SET_EMPTY="YES"
diff --git a/download.lst b/download.lst
index 78b89b14b07f..0d441ee13c2a 100644
--- a/download.lst
+++ b/download.lst
@@ -71,7 +71,7 @@ export GRAPHITE_TARBALL := 17df8301bcc459e83f8a8f3aca6183b2-graphite-minimal-1.3
 export HSQLDB_TARBALL := 17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip
 export HUNSPELL_TARBALL := 3121aaf3e13e5d88dfff13fb4a5f1ab8-hunspell-1.3.2.tar.gz
 export HYPHEN_TARBALL := a2f6010987e1c601274ab5d63b72c944-hyphen-2.8.4.tar.gz
-export ICU_TARBALL := b73baa6fbdfef197608d1f69300919b9-icu4c-53_1-src.tgz
+export ICU_TARBALL := e844caed8f2ca24c088505b0d6271bc0-icu4c-54_1-src.tgz
 export JFREEREPORT_FLOW_ENGINE_TARBALL := ba2930200c9f019c2d93a8c88c651a0f-flow-engine-0.9.4.zip
 export JFREEREPORT_FLUTE_TARBALL := d8bd5eed178db6e2b18eeed243f85aa8-flute-1.1.6.zip
 export JFREEREPORT_LIBBASE_TARBALL := eeb2c7ddf0d302fba4bfc6e97eac9624-libbase-1.1.6.zip
diff --git a/external/icu/UnpackedTarball_icu.mk b/external/icu/UnpackedTarball_icu.mk
index 69807924605d..710ba70aa9ad 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -19,7 +19,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
 	external/icu/icu4c-macosx.patch \
 	external/icu/icu4c-solarisgcc.patch \
 	external/icu/icu4c-mkdir.patch \
-	external/icu/icu4c-buffer-overflow.patch \
 	external/icu/icu4c-$(if $(filter ANDROID,$(OS)),android,rpath).patch \
 	external/icu/icu4c-scriptrun.patch \
 	external/icu/icu4c-changeset-39671.patch.1 \
diff --git a/external/icu/icu4c-aix.patch b/external/icu/icu4c-aix.patch
index 580a8fc8e004..f4a449f9b423 100644
--- a/external/icu/icu4c-aix.patch
+++ b/external/icu/icu4c-aix.patch
@@ -114,16 +114,16 @@
  ## BIR  - bind with internal references [so app data and icu data doesn't collide]
 --- misc/icu/source/tools/pkgdata/pkgdata.cpp	2013-04-06 20:56:00.935656635 +0100
 +++ misc/build/icu/source/tools/pkgdata/pkgdata.cpp	2013-10-31 20:38:10.623984554 +0700
-@@ -888,7 +888,7 @@
+@@ -902,7 +902,7 @@
  
          uprv_strcat(pkgDataFlags[SO_EXT], ".");
          uprv_strcat(pkgDataFlags[SO_EXT], pkgDataFlags[A_EXT]);
 -#elif U_PLATFORM == U_PF_OS400 || defined(_AIX)
 +#elif U_PLATFORM == U_PF_OS400
-         sprintf(libFileNames[LIB_FILE_VERSION_TMP], "%s.%s",
+         sprintf(libFileNames[LIB_FILE_VERSION_TMP], "%s%s%s",
                  libFileNames[LIB_FILE],
-                 pkgDataFlags[SOBJ_EXT]);
-@@ -1302,15 +1302,6 @@
+                 FILE_EXTENSION_SEP,
+@@ -1375,15 +1375,6 @@
                  pkgDataFlags[LDICUDTFLAGS],
                  targetDir,
                  libFileNames[LIB_FILE_CYGWIN_VERSION],
@@ -139,4 +139,3 @@
  #else
          sprintf(cmd, "%s %s -o %s%s %s %s%s %s %s",
                  pkgDataFlags[GENLIB],
-
diff --git a/external/icu/icu4c-buffer-overflow.patch b/external/icu/icu4c-buffer-overflow.patch
deleted file mode 100644
index fb5f8abbaa58..000000000000
--- a/external/icu/icu4c-buffer-overflow.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-I: Statement might be overflowing a buffer in strncat. Common mistake:
-   BAD: strncat(buffer,charptr,sizeof(buffer)) is wrong, it takes the left over size as 3rd argument
-   GOOD: strncat(buffer,charptr,sizeof(buffer)-strlen(buffer)-1)
-E: icu bufferoverflowstrncat pkgdata.cpp:299:87
-
----
- source/tools/pkgdata/pkgdata.cpp |    6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-Index: icu/source/tools/pkgdata/pkgdata.cpp
-===================================================================
---- build/icu.orig/source/tools/pkgdata/pkgdata.cpp
-+++ build/icu/source/tools/pkgdata/pkgdata.cpp
-@@ -2060,12 +2060,12 @@
-     const char cmd[] = "icu-config --incpkgdatafile";
- 
-     /* #1 try the same path where pkgdata was called from. */
--    findDirname(progname, cmdBuf, 1024, &status);
-+    findDirname(progname, cmdBuf, sizeof(cmdBuf), &status);
-     if(U_SUCCESS(status)) {
-       if (cmdBuf[0] != 0) {
--          uprv_strncat(cmdBuf, U_FILE_SEP_STRING, 1024);
-+          uprv_strncat(cmdBuf, U_FILE_SEP_STRING, sizeof(cmdBuf)-1-strlen(cmdBuf));
-       }
--      uprv_strncat(cmdBuf, cmd, 1023);
-+      uprv_strncat(cmdBuf, cmd, sizeof(cmdBuf)-1-strlen(cmdBuf));
-       
-       if(verbose) {
-         fprintf(stdout, "# Calling icu-config: %s\n", cmdBuf);
-
diff --git a/external/icu/icu4c-build.patch b/external/icu/icu4c-build.patch
index 8f4a7eefcff2..1f6010b4c9d2 100644
--- a/external/icu/icu4c-build.patch
+++ b/external/icu/icu4c-build.patch
@@ -16,31 +16,30 @@
          ".long ","",HEX_0X
      },
 +    {"gcc-android-arm",
-+	"\t.arch armv5te\n"
-+	"\t.fpu softvfp\n"
-+	"\t.eabi_attribute 20, 1\n"
-+	"\t.eabi_attribute 21, 1\n"
-+	"\t.eabi_attribute 23, 3\n"
-+	"\t.eabi_attribute 24, 1\n"
-+	"\t.eabi_attribute 25, 1\n"
-+	"\t.eabi_attribute 26, 2\n"
-+	"\t.eabi_attribute 30, 6\n"
-+	"\t.eabi_attribute 18, 4\n"
-+	"\t.file \"%s.s\"\n"
-+	"\t.global %s\n"
-+	"\t.section .rodata\n"
-+	"\t.align 2\n"
-+	"\t.type %s, %%object\n"
-+	"%s:\n",
++        "\t.arch armv5te\n"
++        "\t.fpu softvfp\n"
++        "\t.eabi_attribute 20, 1\n"
++        "\t.eabi_attribute 21, 1\n"
++        "\t.eabi_attribute 23, 3\n"
++        "\t.eabi_attribute 24, 1\n"
++        "\t.eabi_attribute 25, 1\n"
++        "\t.eabi_attribute 26, 2\n"
++        "\t.eabi_attribute 30, 6\n"
++        "\t.eabi_attribute 18, 4\n"
++        "\t.file \"%s.s\"\n"
++        "\t.global %s\n"
++        "\t.section .rodata\n"
++        "\t.align 2\n"
++        "\t.type %s, %%object\n"
++        "%s:\n",
 +
-+	"\t.word ",
-+	"\t.section .note.GNU-stack,\"\",%%progbits\n",
-+	HEX_0X
++        "\t.word ",
++        "\t.section .note.GNU-stack,\"\",%%progbits\n",
++        HEX_0X
 +    },
- // 16 bytes alignment.
- // http://docs.oracle.com/cd/E19641-01/802-1947/802-1947.pdf
+ /* 16 bytes alignment. */
+ /* http://docs.oracle.com/cd/E19641-01/802-1947/802-1947.pdf */
      {"sun",
-
 --- misc/icu/source/config/mh-darwin	2010-09-29 20:37:36.000000000 +0200
 +++ misc/build/icu/source/config/mh-darwin	2011-03-15 10:56:26.653056004 +0100
 @@ -28,11 +28,7 @@
diff --git a/external/icu/icu4c-mkdir.patch b/external/icu/icu4c-mkdir.patch
index c9758a306464..094ddd5abca4 100644
--- a/external/icu/icu4c-mkdir.patch
+++ b/external/icu/icu4c-mkdir.patch
@@ -1,11 +1,10 @@
 --- misc/icu/source/dataMakefile.in.sav	2012-04-05 22:49:20.000000000 +0200
 +++ build/icu/source/data/Makefile.in	2012-12-04 14:24:40.548026700 +0100
-@@ -350,6 +350,7 @@
+@@ -363,6 +363,7 @@
  ifeq ($(PKGDATA_MODE),dll)
  SO_VERSION_DATA = $(OUTTMPDIR)/icudata.res
  $(SO_VERSION_DATA) : $(MISCSRCDIR)/icudata.rc
 +	mkdir -p $(OUTTMPDIR)
- 	rc.exe /i$(srcdir)/../common /i$(top_builddir)/common /fo$@ $(CPPFLAGS) $(SOURCE_FILE)
- endif
- endif
-
+ ifeq ($(MSYS_RC_MODE),1)
+ 	rc.exe -i$(srcdir)/../common -i$(top_builddir)/common -fo$@ $(CPPFLAGS) $<
+ else
diff --git a/i18nutil/source/utility/unicode.cxx b/i18nutil/source/utility/unicode.cxx
index 009896987b6e..b70ff9eb9236 100644
--- a/i18nutil/source/utility/unicode.cxx
+++ b/i18nutil/source/utility/unicode.cxx
@@ -930,6 +930,26 @@ OString SAL_CALL unicode::getExemplarLanguageForUScriptCode(UScriptCode eScript)
             sRet = "mwr";
             break;
 #endif
+#if (U_ICU_VERSION_MAJOR_NUM >= 54)
+        case USCRIPT_AHOM:
+            sRet = "aho";
+            break;
+        case USCRIPT_HATRAN:
+            sRet = "qly-Hatr";
+            break;
+        case USCRIPT_MODI:
+            sRet = "mr-Modi";
+            break;
+        case USCRIPT_MULTANI:
+            sRet = "skr-Mutl";
+            break;
+        case USCRIPT_PAU_CIN_HAU:
+            sRet = "ctd-Pauc";
+            break;
+        case USCRIPT_SIDDHAM:
+            sRet = "sa-Sidd";
+            break;
+#endif
     }
     return sRet;
 }
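Review bot: The tag returned for `USCRIPT_MULTANI`, `"skr-Mutl"`, looks like a transposition, because the ISO 15924 code for Multani is `Mult`. The neighbouring cases use the registered four-letter codes (`Hatr`, `Modi`, `Pauc`, `Sidd`), so this one would be the only tag a BCP 47 consumer cannot resolve to a script. The line should read `sRet = "skr-Mult";`. The start of `getExemplarLanguageForUScriptCode` is outside the hunk, so how callers use the returned tag is not visible here.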
diff --git a/include/svx/ucsubset.hrc b/include/svx/ucsubset.hrc
index f41d223fa13e..de34c4c4e7d9 100644
--- a/include/svx/ucsubset.hrc
+++ b/include/svx/ucsubset.hrc
@@ -249,6 +249,38 @@
 #define RID_SUBSETSTR_HANUNOO                   (RID_SUBSET_START + 221)
 #define RID_SUBSETSTR_KANBUN                    (RID_SUBSET_START + 222)
 #define RID_SUBSETSTR_BUHID                     (RID_SUBSET_START + 223)
+#define RID_SUBSETSTR_BASSA_VAH                 (RID_SUBSET_START + 224)
+#define RID_SUBSETSTR_CAUCASIAN_ALBANIAN        (RID_SUBSET_START + 225)
+#define RID_SUBSETSTR_COPTIC_EPACT_NUMBERS      (RID_SUBSET_START + 226)
+#define RID_SUBSETSTR_COMBINING_DIACRITICAL_MARKS_EXTENDED  (RID_SUBSET_START + 227)
+#define RID_SUBSETSTR_DUPLOYAN                  (RID_SUBSET_START + 228)
+#define RID_SUBSETSTR_ELBASAN                   (RID_SUBSET_START + 229)
+#define RID_SUBSETSTR_GEOMETRIC_SHAPES_EXTENDED (RID_SUBSET_START + 230)
+#define RID_SUBSETSTR_GRANTHA                   (RID_SUBSET_START + 231)
+#define RID_SUBSETSTR_KHOJKI                    (RID_SUBSET_START + 232)
+#define RID_SUBSETSTR_KHUDAWADI                 (RID_SUBSET_START + 233)
+#define RID_SUBSETSTR_LATIN_EXTENDED_E          (RID_SUBSET_START + 234)
+#define RID_SUBSETSTR_LINEAR_A                  (RID_SUBSET_START + 235)
+#define RID_SUBSETSTR_MAHAJANI                  (RID_SUBSET_START + 236)
+#define RID_SUBSETSTR_MANICHAEAN                (RID_SUBSET_START + 237)
+#define RID_SUBSETSTR_MENDE_KIKAKUI             (RID_SUBSET_START + 238)
+#define RID_SUBSETSTR_MODI                      (RID_SUBSET_START + 239)
+#define RID_SUBSETSTR_MRO                       (RID_SUBSET_START + 240)
+#define RID_SUBSETSTR_MYANMAR_EXTENDED_B        (RID_SUBSET_START + 241)
+#define RID_SUBSETSTR_NABATAEAN                 (RID_SUBSET_START + 242)
+#define RID_SUBSETSTR_OLD_NORTH_ARABIAN         (RID_SUBSET_START + 243)
+#define RID_SUBSETSTR_OLD_PERMIC                (RID_SUBSET_START + 244)
+#define RID_SUBSETSTR_ORNAMENTAL_DINGBATS       (RID_SUBSET_START + 245)
+#define RID_SUBSETSTR_PAHAWH_HMONG              (RID_SUBSET_START + 246)
+#define RID_SUBSETSTR_PALMYRENE                 (RID_SUBSET_START + 247)
+#define RID_SUBSETSTR_PAU_CIN_HAU               (RID_SUBSET_START + 248)
+#define RID_SUBSETSTR_PSALTER_PAHLAVI           (RID_SUBSET_START + 249)
+#define RID_SUBSETSTR_SHORTHAND_FORMAT_CONTROLS (RID_SUBSET_START + 250)
+#define RID_SUBSETSTR_SIDDHAM                   (RID_SUBSET_START + 251)
+#define RID_SUBSETSTR_SINHALA_ARCHAIC_NUMBERS   (RID_SUBSET_START + 252)
+#define RID_SUBSETSTR_SUPPLEMENTAL_ARROWS_C     (RID_SUBSET_START + 253)
+#define RID_SUBSETSTR_TIRHUTA                   (RID_SUBSET_START + 254)
+#define RID_SUBSETSTR_WARANG_CITI               (RID_SUBSET_START + 255)
 
 //      RID_SUBSET_END                          (RID_SUBSET_START + 299)
 
diff --git a/svx/source/dialog/charmap.cxx b/svx/source/dialog/charmap.cxx
index 24fc2ce54f5a..7d5dc869ff0b 100644
--- a/svx/source/dialog/charmap.cxx
+++ b/svx/source/dialog/charmap.cxx
@@ -1456,6 +1456,105 @@ void SubsetMap::InitList()
                     aAllSubsets.push_back( Subset( 0x11680, 0x116CF, RID_SUBSETSTR_TAKRI ) );
                     break;
 #endif
+#if U_ICU_VERSION_MAJOR_NUM >= 53
+                case UBLOCK_BASSA_VAH:
+                    aAllSubsets.push_back( Subset( 0x16AD0, 0x16AFF, RID_SUBSETSTR_BASSA_VAH ) );
+                    break;
+                case UBLOCK_CAUCASIAN_ALBANIAN:
+                    aAllSubsets.push_back( Subset( 0x10530, 0x1056F, RID_SUBSETSTR_CAUCASIAN_ALBANIAN) );
+                    break;
+                case UBLOCK_COPTIC_EPACT_NUMBERS:
+                    aAllSubsets.push_back( Subset( 0x102E0, 0x102FF, RID_SUBSETSTR_COPTIC_EPACT_NUMBERS ) );
+                    break;
+                case UBLOCK_COMBINING_DIACRITICAL_MARKS_EXTENDED:
+                    aAllSubsets.push_back( Subset( 0x1AB0, 0x1AFF, RID_SUBSETSTR_COMBINING_DIACRITICAL_MARKS_EXTENDED ) );
+                    break;
+                case UBLOCK_DUPLOYAN:
+                    aAllSubsets.push_back( Subset( 0x1BC00, 0x1BC9F, RID_SUBSETSTR_DUPLOYAN ) );
+                    break;
+                case UBLOCK_ELBASAN:
+                    aAllSubsets.push_back( Subset( 0x10500, 0x1052F, RID_SUBSETSTR_ELBASAN ) );
+                    break;
+                case UBLOCK_GEOMETRIC_SHAPES_EXTENDED:
+                    aAllSubsets.push_back( Subset( 0x1F780, 0x1F7FF, RID_SUBSETSTR_GEOMETRIC_SHAPES_EXTENDED ) );
+                    break;
+                case UBLOCK_GRANTHA:
+                    aAllSubsets.push_back( Subset( 0x11300, 0x1137F, RID_SUBSETSTR_GRANTHA ) );
+                    break;
+                case UBLOCK_KHOJKI:
+                    aAllSubsets.push_back( Subset( 0x11200, 0x1124F, RID_SUBSETSTR_KHOJKI ) );
+                    break;
+                case UBLOCK_KHUDAWADI:
+                    aAllSubsets.push_back( Subset( 0x112B0, 0x112FF, RID_SUBSETSTR_KHUDAWADI ) );
+                    break;
+                case UBLOCK_LATIN_EXTENDED_E:
+                    aAllSubsets.push_back( Subset( 0xAB30, 0xAB6F, RID_SUBSETSTR_LATIN_EXTENDED_E ) );
+                    break;
+                case UBLOCK_LINEAR_A:
+                    aAllSubsets.push_back( Subset( 0x10600, 0x1077F, RID_SUBSETSTR_LINEAR_A ) );
+                    break;
+                case UBLOCK_MAHAJANI:
+                    aAllSubsets.push_back( Subset( 0x11150, 0x1117F, RID_SUBSETSTR_MAHAJANI ) );
+                    break;
+                case UBLOCK_MANICHAEAN:
+                    aAllSubsets.push_back( Subset( 0x10AC0, 0x10AFF, RID_SUBSETSTR_MANICHAEAN ) );
+                    break;
+                case UBLOCK_MENDE_KIKAKUI:
+                    aAllSubsets.push_back( Subset( 0x1E800, 0x1E8DF, RID_SUBSETSTR_MENDE_KIKAKUI ) );
+                    break;
+                case UBLOCK_MODI:
+                    aAllSubsets.push_back( Subset( 0x11600, 0x1165F, RID_SUBSETSTR_MODI ) );
+                    break;
+                case UBLOCK_MRO:
+                    aAllSubsets.push_back( Subset( 0x16A40, 0x16A6F, RID_SUBSETSTR_MRO ) );
+                    break;
+                case UBLOCK_MYANMAR_EXTENDED_B:
+                    aAllSubsets.push_back( Subset( 0xA9E0, 0xA9FF, RID_SUBSETSTR_MYANMAR_EXTENDED_B ) );
+                    break;
+                case UBLOCK_NABATAEAN:
+                    aAllSubsets.push_back( Subset( 0x10880, 0x108AF, RID_SUBSETSTR_NABATAEAN ) );
+                    break;
+                case UBLOCK_OLD_NORTH_ARABIAN:
+                    aAllSubsets.push_back( Subset( 0x10A80, 0x10A9F, RID_SUBSETSTR_OLD_NORTH_ARABIAN ) );
+                    break;
+                case UBLOCK_OLD_PERMIC:
+                    aAllSubsets.push_back( Subset( 0x10350, 0x1037F, RID_SUBSETSTR_OLD_PERMIC ) );
+                    break;
+                case UBLOCK_ORNAMENTAL_DINGBATS:
+                    aAllSubsets.push_back( Subset( 0x1F650, 0x1F67F, RID_SUBSETSTR_ORNAMENTAL_DINGBATS ) );
+                    break;
+                case UBLOCK_PAHAWH_HMONG:
+                    aAllSubsets.push_back( Subset( 0x16B00, 0x16B8F, RID_SUBSETSTR_PAHAWH_HMONG ) );
+                    break;
+                case UBLOCK_PALMYRENE:
+                    aAllSubsets.push_back( Subset( 0x10860, 0x1087F, RID_SUBSETSTR_PALMYRENE ) );
+                    break;
+                case UBLOCK_PAU_CIN_HAU:
+                    aAllSubsets.push_back( Subset( 0x11AC0, 0x11AFF, RID_SUBSETSTR_PAU_CIN_HAU ) );
+                    break;
+                case UBLOCK_PSALTER_PAHLAVI:
+                    aAllSubsets.push_back( Subset( 0x10B80, 0x10BAF, RID_SUBSETSTR_PSALTER_PAHLAVI ) );
+                    break;
+                case UBLOCK_SHORTHAND_FORMAT_CONTROLS:
+                    aAllSubsets.push_back( Subset( 0x1BCA0, 0x1BCAF, RID_SUBSETSTR_SHORTHAND_FORMAT_CONTROLS ) );
+                    break;
+                case UBLOCK_SIDDHAM:
+                    aAllSubsets.push_back( Subset( 0x11580, 0x115FF, RID_SUBSETSTR_SIDDHAM ) );
+                    break;
+                case UBLOCK_SINHALA_ARCHAIC_NUMBERS:
+                    aAllSubsets.push_back( Subset( 0x111E0, 0x111FF, RID_SUBSETSTR_SINHALA_ARCHAIC_NUMBERS ) );
+                    break;
+                case UBLOCK_SUPPLEMENTAL_ARROWS_C:
+                    aAllSubsets.push_back( Subset( 0x1F800, 0x1F8FF, RID_SUBSETSTR_SUPPLEMENTAL_ARROWS_C ) );
+                    break;
+                case UBLOCK_TIRHUTA:
+                    aAllSubsets.push_back( Subset( 0x11480, 0x114DF, RID_SUBSETSTR_TIRHUTA ) );
+                    break;
+                case UBLOCK_WARANG_CITI:
+                    aAllSubsets.push_back( Subset( 0x118A0, 0x118FF, RID_SUBSETSTR_WARANG_CITI ) );
+                    break;
+#endif
+
             }
 
 #if OSL_DEBUG_LEVEL > 0
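Review bot: The guard `#if U_ICU_VERSION_MAJOR_NUM >= 53` around the new `UBLOCK_*` cases does not match the rest of this commit, which upgrades to ICU 54 and guards the new script codes in unicode.cxx with `>= 54`. As far as I know, the Unicode 7.0 block constants such as `UBLOCK_BASSA_VAH` first appear in ICU 54, so a build against a system ICU 53 would fail to compile here. Using `#if U_ICU_VERSION_MAJOR_NUM >= 54` would make the two files agree. The enclosing `switch` in `SubsetMap::InitList` starts outside the hunk.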
diff --git a/svx/source/dialog/ucsubset.src b/svx/source/dialog/ucsubset.src
index 15b283d1ba18..d9cf59f131fc 100644
--- a/svx/source/dialog/ucsubset.src
+++ b/svx/source/dialog/ucsubset.src
@@ -911,6 +911,134 @@ Resource RID_SUBSETMAP
     {
         Text [ en-US ] = "Takri";
     };
+    String RID_SUBSETSTR_BASSA_VAH
+    {
+        Text [ en-US ] = "Bassa Vah";
+    };
+    String RID_SUBSETSTR_CAUCASIAN_ALBANIAN
+    {
+        Text [ en-US ] = "Caucasian Albanian";
+    };
+    String RID_SUBSETSTR_COPTIC_EPACT_NUMBERS
+    {
+        Text [ en-US ] = "Coptic Epact Numbers";
+    };
+    String RID_SUBSETSTR_COMBINING_DIACRITICAL_MARKS_EXTENDED
+    {
+        Text [ en-US ] = "Combining Diacritical Marks Extended";
+    };
+    String RID_SUBSETSTR_DUPLOYAN
+    {
+        Text [ en-US ] = "Duployan";
+    };
+    String RID_SUBSETSTR_ELBASAN
+    {
+        Text [ en-US ] = "Elbasan";
+    };
+    String RID_SUBSETSTR_GEOMETRIC_SHAPES_EXTENDED
+    {
+        Text [ en-US ] = "Geometric Shapes Extended";
+    };
+    String RID_SUBSETSTR_GRANTHA
+    {
+        Text [ en-US ] = "Grantha";
+    };
+    String RID_SUBSETSTR_KHOJKI
+    {
+        Text [ en-US ] = "Khojki";
+    };
+    String RID_SUBSETSTR_KHUDAWADI
+    {
+        Text [ en-US ] = "Khudawadi";
+    };
+    String RID_SUBSETSTR_LATIN_EXTENDED_E
+    {
+        Text [ en-US ] = "Latin Extended-E";
+    };
+    String RID_SUBSETSTR_LINEAR_A
+    {
+        Text [ en-US ] = "Linear A";
+    };
+    String RID_SUBSETSTR_MAHAJANI
+    {
+        Text [ en-US ] = "Mahajani";
+    };
+    String RID_SUBSETSTR_MANICHAEAN
+    {
+        Text [ en-US ] = "Manichaean";
+    };
+    String RID_SUBSETSTR_MENDE_KIKAKUI
+    {
+        Text [ en-US ] = "Mende Kikakui";
+    };
+    String RID_SUBSETSTR_MODI
+    {
+        Text [ en-US ] = "Modi";
+    };
+    String RID_SUBSETSTR_MRO
+    {
+        Text [ en-US ] = "Mro";
+    };
+    String RID_SUBSETSTR_MYANMAR_EXTENDED_B
+    {
+        Text [ en-US ] = "Myanmar Extended-B";
+    };
+    String RID_SUBSETSTR_NABATAEAN
+    {
+        Text [ en-US ] = "Nabataean";
+    };
+    String RID_SUBSETSTR_OLD_NORTH_ARABIAN
+    {
+        Text [ en-US ] = "Old North Arabian";
+    };
+    String RID_SUBSETSTR_OLD_PERMIC
+    {
+        Text [ en-US ] = "Old Permic";
+    };
+    String RID_SUBSETSTR_ORNAMENTAL_DINGBATS
+    {
+        Text [ en-US ] = "Ornamental Dingbats";
+    };
+    String RID_SUBSETSTR_PAHAWH_HMONG
+    {
+        Text [ en-US ] = "Pahawh Hmong";
+    };
+    String RID_SUBSETSTR_PALMYRENE
+    {
+        Text [ en-US ] = "Palmyrene";
+    };
+    String RID_SUBSETSTR_PAU_CIN_HAU
+    {
+        Text [ en-US ] = "Pau Cin Hau";
+    };
+    String RID_SUBSETSTR_PSALTER_PAHLAVI
+    {
+        Text [ en-US ] = "Psalter Pahlavi";
+    };
+    String RID_SUBSETSTR_SHORTHAND_FORMAT_CONTROLS
+    {
+        Text [ en-US ] = "Shorthand Format Controls";
+    };
+    String RID_SUBSETSTR_SIDDHAM
+    {
+        Text [ en-US ] = "Siddham";
+    };
+    String RID_SUBSETSTR_SINHALA_ARCHAIC_NUMBERS
+    {
+        Text [ en-US ] = "Sinhala Archaic Numbers";
+    };
+    String RID_SUBSETSTR_SUPPLEMENTAL_ARROWS_C
+    {
+        Text [ en-US ] = "Supplemental Arrows-C";
+    };
+    String RID_SUBSETSTR_TIRHUTA
+    {
+        Text [ en-US ] = "Tirhuta";
+    };
+    String RID_SUBSETSTR_WARANG_CITI
+    {
+        Text [ en-US ] = "Warang Citi";
+    };
 };
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
commit 63163e0825b7c3c9d0be7590c11804fad52e96d9
Author: Eike Rathke <erack at redhat.com>
Date:   Tue Apr 29 10:10:38 2014 +0100

    upgrade to ICU 53.1, fdo#77071 related
    
    plus further work in i18npool to make that build
    
    adapt i18npool to ICU 53 upgrade, fdo#77071
    
    Korean charset collator can't be built from ko_charset.txt because of
    
    "The runtime code decomposes Hangul syllables on the fly, with recursive
    processing but without making the Jamo pieces visible for matching. It
    does not work with certain types of contextual mappings."
    "While handling a Hangul syllable, contractions starting with Jamo L or
    V would not see the following Jamo of that syllable." (this is where we
    bail out already with the first syllable of ko_charset.txt)
    Another condition to fail is described as "A contraction ending with
    Jamo L or L+V would require generating Hangul syllables in
    addTailComposites() (588 for a Jamo L), or decomposing a following
    Hangul syllable on the fly, during contraction matching."
    
    Excluded the file from the build for ICU >=53 and hope that ICU in the
    mean time handles Korean collation correctly.
    
    Additionally, ICU 53 took ages (if it would have finished at all) to
    build the collator from zh_TW_charset.txt because of the \u#### escaped
    notation. Converted the file's content to characters using
    http://www.rishida.net/tools/conversion/
    
    Change-Id: I64213214b4870e7077f72b95fee1ddc9782c2b21
    Reviewed-on: https://gerrit.libreoffice.org/9204
    Reviewed-by: Eike Rathke <erack at redhat.com>
    Tested-by: Eike Rathke <erack at redhat.com>

diff --git a/configure.ac b/configure.ac
index 89e948d3fb72..96dbeb54e543 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8939,7 +8939,7 @@ SYSTEM_GENBRK=
 SYSTEM_GENCCODE=
 SYSTEM_GENCMN=
 
-ICU_MAJOR=52
+ICU_MAJOR=53
 ICU_MINOR=1
 ICU_RECLASSIFIED_CLOSE_PARENTHESIS="YES"
 ICU_RECLASSIFIED_PREPEND_SET_EMPTY="YES"
diff --git a/download.lst b/download.lst
index 39a2e252b8c4..78b89b14b07f 100644
--- a/download.lst
+++ b/download.lst
@@ -71,7 +71,7 @@ export GRAPHITE_TARBALL := 17df8301bcc459e83f8a8f3aca6183b2-graphite-minimal-1.3
 export HSQLDB_TARBALL := 17410483b5b5f267aa18b7e00b65e6e0-hsqldb_1_8_0.zip
 export HUNSPELL_TARBALL := 3121aaf3e13e5d88dfff13fb4a5f1ab8-hunspell-1.3.2.tar.gz
 export HYPHEN_TARBALL := a2f6010987e1c601274ab5d63b72c944-hyphen-2.8.4.tar.gz
-export ICU_TARBALL := 9e96ed4c1d99c0d14ac03c140f9f346c-icu4c-52_1-src.tgz
+export ICU_TARBALL := b73baa6fbdfef197608d1f69300919b9-icu4c-53_1-src.tgz
 export JFREEREPORT_FLOW_ENGINE_TARBALL := ba2930200c9f019c2d93a8c88c651a0f-flow-engine-0.9.4.zip
 export JFREEREPORT_FLUTE_TARBALL := d8bd5eed178db6e2b18eeed243f85aa8-flute-1.1.6.zip
 export JFREEREPORT_LIBBASE_TARBALL := eeb2c7ddf0d302fba4bfc6e97eac9624-libbase-1.1.6.zip
diff --git a/external/icu/icu4c-buffer-overflow.patch b/external/icu/icu4c-buffer-overflow.patch
index 46815634addd..fb5f8abbaa58 100644
--- a/external/icu/icu4c-buffer-overflow.patch
+++ b/external/icu/icu4c-buffer-overflow.patch
@@ -11,7 +11,7 @@ Index: icu/source/tools/pkgdata/pkgdata.cpp
 ===================================================================
 --- build/icu.orig/source/tools/pkgdata/pkgdata.cpp
 +++ build/icu/source/tools/pkgdata/pkgdata.cpp
-@@ -1980,12 +1980,12 @@
+@@ -2060,12 +2060,12 @@
      const char cmd[] = "icu-config --incpkgdatafile";
  
      /* #1 try the same path where pkgdata was called from. */
@@ -22,7 +22,7 @@ Index: icu/source/tools/pkgdata/pkgdata.cpp
 -          uprv_strncat(cmdBuf, U_FILE_SEP_STRING, 1024);
 +          uprv_strncat(cmdBuf, U_FILE_SEP_STRING, sizeof(cmdBuf)-1-strlen(cmdBuf));
        }
--      uprv_strncat(cmdBuf, cmd, 1024);
+-      uprv_strncat(cmdBuf, cmd, 1023);
 +      uprv_strncat(cmdBuf, cmd, sizeof(cmdBuf)-1-strlen(cmdBuf));
        
        if(verbose) {
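Review bot: The bounded `uprv_strncat` calls on the new side stop the write past `cmdBuf`, but they truncate silently, so a long enough directory prefix leaves `cmdBuf` holding only part of `icu-config --incpkgdatafile`. Whatever consumes `cmdBuf` after the `if(verbose)` block is outside this hunk, so the effect of a truncated command cannot be confirmed from here. An explicit length test before appending, e.g. `if (uprv_strlen(cmdBuf) + sizeof(cmd) > sizeof(cmdBuf)) { /* skip attempt #1 */ }`, would make the failure visible, and the same applies to the `U_FILE_SEP_STRING` append two lines up. The patch also mixes plain `strlen` with the `uprv_` wrappers around it; `uprv_strlen` would match.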
diff --git a/external/icu/icu4c-wchar_t.patch b/external/icu/icu4c-wchar_t.patch
index b3eefe104a7f..4a8067c879ad 100644
--- a/external/icu/icu4c-wchar_t.patch
+++ b/external/icu/icu4c-wchar_t.patch
@@ -6,11 +6,11 @@
  # /EHsc enables exception handling
 -# /Zc:wchar_t makes wchar_t a native type. Required for C++ ABI compatibility.
  # -D_CRT_SECURE_NO_DEPRECATE is needed to quiet warnings about using standard C functions.
--CFLAGS+=/GF /nologo
--CXXFLAGS+=/GF /nologo /EHsc /Zc:wchar_t
-+CFLAGS+=/GF /nologo /Zc:wchar_t-
-+CXXFLAGS+=/GF /nologo /EHsc /Zc:wchar_t-
+-CFLAGS+=-GF -nologo
+-CXXFLAGS+=-GF -nologo -EHsc -Zc:wchar_t
++CFLAGS+=-GF -nologo -Zc:wchar_t-
++CXXFLAGS+=-GF -nologo -EHsc -Zc:wchar_t-
  CPPFLAGS+=-D_CRT_SECURE_NO_DEPRECATE
  DEFS+=-DWIN32 -DCYGWINMSVC
- LDFLAGS+=/nologo
+ LDFLAGS+=-nologo
 
diff --git a/i18npool/CustomTarget_collator.mk b/i18npool/CustomTarget_collator.mk
index bf57ae3445f9..f1ba808373ac 100644
--- a/i18npool/CustomTarget_collator.mk
+++ b/i18npool/CustomTarget_collator.mk
@@ -12,28 +12,39 @@ $(eval $(call gb_CustomTarget_CustomTarget,i18npool/collator))
 i18npool_ICULT53 := $(filter 1, $(shell expr $(ICU_MAJOR) \< 53))
 i18npool_CODIR := $(call gb_CustomTarget_get_workdir,i18npool/collator)
 i18npool_COTXTS := \
-    ca_charset.txt \
-    dz_charset.txt \
-    hu_charset.txt \
-    ja_charset.txt \
-    ja_phonetic_alphanumeric_first.txt \
-    ja_phonetic_alphanumeric_last.txt \
-    $(if $(i18npool_ICULT53), \
-        ko_charset.txt \
-        ) \
-    ku_alphanumeric.txt \
-    ln_charset.txt \
-    my_dictionary.txt \
-    ne_charset.txt \
-    sid_charset.txt \
-    zh_charset.txt \
-    zh_pinyin.txt \
-    zh_radical.txt \
-    zh_stroke.txt \
-    zh_TW_charset.txt \
-    zh_TW_radical.txt \
-    zh_TW_stroke.txt \
-    zh_zhuyin.txt
+    $(call gb_Helper_optional_locale,ca, \
+        ca_charset.txt) \
+    $(call gb_Helper_optional_locale,dz, \
+        dz_charset.txt) \
+    $(call gb_Helper_optional_locale,hu, \
+        hu_charset.txt) \
+    $(call gb_Helper_optional_locale,ja, \
+        ja_charset.txt \
+        ja_phonetic_alphanumeric_first.txt \
+        ja_phonetic_alphanumeric_last.txt) \
+	$(if $(i18npool_ICULT53), \
+		$(call gb_Helper_optional_locale,ko, \
+			ko_charset.txt) \
+			) \
+    $(call gb_Helper_optional_locale,ku, \
+        ku_alphanumeric.txt) \
+    $(call gb_Helper_optional_locale,ln, \
+        ln_charset.txt) \
+    $(call gb_Helper_optional_locale,my, \
+        my_dictionary.txt) \
+    $(call gb_Helper_optional_locale,ne, \
+        ne_charset.txt) \
+    $(call gb_Helper_optional_locale,sid, \
+        sid_charset.txt) \
+    $(call gb_Helper_optional_locale,zh, \
+        zh_charset.txt \
+        zh_pinyin.txt \
+        zh_radical.txt \
+        zh_stroke.txt \
+        zh_TW_charset.txt \
+        zh_TW_radical.txt \
+        zh_TW_stroke.txt \
+        zh_zhuyin.txt)
 
 $(call gb_CustomTarget_get_target,i18npool/collator) : $(SRCDIR)/i18npool/CustomTarget_collator.mk \
 	$(i18npool_CODIR)/lrl_include.hxx $(foreach txt,$(i18npool_COTXTS), \
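Review bot: The `ko` entry is the only one wrapped in `$(if $(i18npool_ICULT53), …)`, and nothing in the file says why. A one-line comment above the `i18npool_ICULT53` definition, such as `# ko_charset.txt cannot be built by ICU >= 53 (fdo#77071), so it is only listed for older ICU`, would keep the reason next to the condition. That block is also indented with tabs while every other continuation line uses four spaces, and its closing `)` sits one level deeper than the `$(if` it closes; re-indenting it to match its neighbours would make the nesting readable.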
diff --git a/i18npool/source/collator/collator_unicode.cxx b/i18npool/source/collator/collator_unicode.cxx
index 35c237d4cd82..36f827846fa8 100644
--- a/i18npool/source/collator/collator_unicode.cxx
+++ b/i18npool/source/collator/collator_unicode.cxx
@@ -223,6 +223,8 @@ Collator_Unicode::loadCollatorAlgorithm(const OUString& rAlgorithm, const lang::
                     func = get_collator_data_ja_phonetic_alphanumeric_last;
                     funclen = get_collator_data_ja_phonetic_alphanumeric_last_length;
                 }
+#endif
+#if WITH_LOCALE_ALL || WITH_LOCALE_ko
 #if (U_ICU_VERSION_MAJOR_NUM < 53)
             } else if ( rLocale.Language == "ko" ) {
                 if ( rAlgorithm == "charset" )
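Review bot: The `#endif` added at the top of this hunk, and the one added after the `ko` branch in the next hunk, do not say which condition they close, and the `ko` branch now sits inside two nested `#if`s. Trailing comments such as `#endif // U_ICU_VERSION_MAJOR_NUM < 53` and `#endif // WITH_LOCALE_ALL || WITH_LOCALE_ko` would make the pairing checkable. That matters here because every conditional section opens with `} else if`, so a mismatched `#endif` would break the brace chain only in some locale configurations. The `#if` that the first added `#endif` closes lies outside this hunk, and the rest of the `ko` branch is in the next one.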
@@ -231,6 +233,8 @@ Collator_Unicode::loadCollatorAlgorithm(const OUString& rAlgorithm, const lang::
                     funclen = get_collator_data_ko_charset_length;
                 }
 #endif
+#endif
+#if WITH_LOCALE_ALL || WITH_LOCALE_ku
             } else if ( rLocale.Language == "ku" ) {
                 if ( rAlgorithm == "alphanumeric" )
                 {
commit 75d43e3ce895ba3b856bfb1b56a6cbe74e4390af
Author: Eike Rathke <erack at redhat.com>
Date:   Wed Nov 8 17:17:44 2017 +0100

    Add ICU changeset-40324 fix for CVE-2017-14952
    
    (cherry picked from commit cebe1279665960b732c9cb05c18e481c33e778bb)
    
     Conflicts:
            external/icu/UnpackedTarball_icu.mk
    
    Change-Id: Ia457669c5ec6ef5c568f4550c44ef5df32a4be66
    Reviewed-on: https://gerrit.libreoffice.org/44494
    Tested-by: Eike Rathke <erack at redhat.com>
    Reviewed-by: Andras Timar <andras.timar at collabora.com>

diff --git a/external/icu/UnpackedTarball_icu.mk b/external/icu/UnpackedTarball_icu.mk
index 4927c87cd17a..69807924605d 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -23,6 +23,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
 	external/icu/icu4c-$(if $(filter ANDROID,$(OS)),android,rpath).patch \
 	external/icu/icu4c-scriptrun.patch \
 	external/icu/icu4c-changeset-39671.patch.1 \
+	external/icu/icu4c-changeset-40324.patch.1 \
 ))
 
 # vim: set noet sw=4 ts=4:
diff --git a/external/icu/icu4c-changeset-40324.patch.1 b/external/icu/icu4c-changeset-40324.patch.1
new file mode 100644
index 000000000000..a651eb19415d
--- /dev/null
+++ b/external/icu/icu4c-changeset-40324.patch.1
@@ -0,0 +1,11 @@
+# https://ssl.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp
+Index: trunk/icu4c/source/i18n/zonemeta.cpp
+===================================================================
+--- icu.orig/source/i18n/zonemeta.cpp
++++ icu/source/i18n/zonemeta.cpp
+@@ -691,5 +691,4 @@
+                     if (U_FAILURE(status)) {
+                         delete mzMappings;
+-                        deleteOlsonToMetaMappingEntry(entry);
+                         uprv_free(entry);
+                         break;
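Review bot: The new patch file records only the upstream changeset URL, so nothing in it says which issue it fixes or why the call is dropped. A header line such as `# CVE-2017-14952: entry was released twice on the U_FAILURE path (deleteOlsonToMetaMappingEntry, then uprv_free)` would let a later ICU upgrade decide whether the patch is still needed; that reading is inferred from the removed line and should be checked against the upstream changeset. The inner hunk carries trunk line numbers (`@@ -691,5 +691,4 @@`) and only two lines of leading context, so it is worth confirming that it lands in the intended `U_FAILURE(status)` block of the bundled ICU version rather than applying at an offset.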
commit 21b1a8805f87709a1a211906405ce6a6cb4936f3
Author: Eike Rathke <erack at redhat.com>
Date:   Thu Apr 20 22:06:23 2017 +0200

    add ICU changeset-39671 fix for CVE-2017-7867 CVE-2017-7868
    
    http://bugs.icu-project.org/trac/changeset/39671
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213
    https://bugzilla.redhat.com/show_bug.cgi?id=1444101
    
    Reviewed-on: https://gerrit.libreoffice.org/36754
    Reviewed-by: Eike Rathke <erack at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit c7de8233d15ed0c90fef6c49a54d60cf10119f58)
    
    Backported to older MSVC using the UGLY_SIZEOF_MAPTOUCHARS macro instead
    of sizeof(UTF8Buf::mapToUChars).
    
    Reviewed-on: https://gerrit.libreoffice.org/36776
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    
    Conflicts:
            external/icu/UnpackedTarball_icu.mk
    
    Change-Id: I4e776ad4fe63c77057b0c823f8672a2b6703346f

diff --git a/external/icu/UnpackedTarball_icu.mk b/external/icu/UnpackedTarball_icu.mk
index 8c73b48ce6a4..4927c87cd17a 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -22,6 +22,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
 	external/icu/icu4c-buffer-overflow.patch \
 	external/icu/icu4c-$(if $(filter ANDROID,$(OS)),android,rpath).patch \
 	external/icu/icu4c-scriptrun.patch \
+	external/icu/icu4c-changeset-39671.patch.1 \
 ))
 
 # vim: set noet sw=4 ts=4:
diff --git a/external/icu/icu4c-changeset-39671.patch.1 b/external/icu/icu4c-changeset-39671.patch.1
new file mode 100644
index 000000000000..b8ac1385364e
--- /dev/null
+++ b/external/icu/icu4c-changeset-39671.patch.1
@@ -0,0 +1,189 @@
+diff -ur icu.org/source/common/utext.cpp icu/source/common/utext.cpp
+--- icu.org/source/common/utext.cpp	2016-06-15 20:58:17.000000000 +0200
++++ icu/source/common/utext.cpp	2017-04-21 16:38:15.993398034 +0200
+@@ -847,9 +847,15 @@
+ //------------------------------------------------------------------------------
+ 
+ // Chunk size.
+-//     Must be less than 85, because of byte mapping from UChar indexes to native indexes.
+-//     Worst case is three native bytes to one UChar.  (Supplemenaries are 4 native bytes
+-//     to two UChars.)
++//     Must be less than 42  (256/6), because of byte mapping from UChar indexes to native indexes.
++//     Worst case there are six UTF-8 bytes per UChar.
++//         obsolete 6 byte form fd + 5 trails maps to fffd
++//         obsolete 5 byte form fc + 4 trails maps to fffd
++//         non-shortest 4 byte forms maps to fffd
++//         normal supplementaries map to a pair of utf-16, two utf8 bytes per utf-16 unit
++//     mapToUChars array size must allow for the worst case, 6.
++//     This could be brought down to 4, by treating fd and fc as pure illegal,
++//     rather than obsolete lead bytes. But that is not compatible with the utf-8 access macros.
+ //
+ enum { UTF8_TEXT_CHUNK_SIZE=32 };
+ 
+@@ -867,6 +873,15 @@
+ //     pair.  Doing this is simpler than checking for the edge case.
+ //
+ 
++// erAck: older MSVC used on libreoffice-5-3 and 5-2 bails out with
++// error C2070: 'unknown': illegal sizeof operand
++// for sizeof(UTF8Buf::mapToUChars)
++// so have an ugly workaround:
++// First define a macro of the original size expression, so a follow-up patch
++// on the original code would fail..
++#define UGLY_MAPTOUCHARS_SIZE (UTF8_TEXT_CHUNK_SIZE*6+6)
++#define UGLY_SIZEOF_MAPTOUCHARS (sizeof(uint8_t)*(UGLY_MAPTOUCHARS_SIZE))
++
+ struct UTF8Buf {
+     int32_t   bufNativeStart;                        // Native index of first char in UChar buf
+     int32_t   bufNativeLimit;                        // Native index following last char in buf.
+@@ -889,7 +904,7 @@
+                                                      //  Requires two extra slots,
+                                                      //    one for a supplementary starting in the last normal position,
+                                                      //    and one for an entry for the buffer limit position.
+-    uint8_t   mapToUChars[UTF8_TEXT_CHUNK_SIZE*3+6]; // Map native offset from bufNativeStart to
++    uint8_t   mapToUChars[UGLY_MAPTOUCHARS_SIZE];    // Map native offset from bufNativeStart to
+                                                      //   correspoding offset in filled part of buf.
+     int32_t   align;
+ };
+@@ -1032,6 +1047,7 @@
+             // Requested index is in this buffer.
+             u8b = (UTF8Buf *)ut->p;   // the current buffer
+             mapIndex = ix - u8b->toUCharsMapStart;
++            U_ASSERT(mapIndex < (int32_t)UGLY_SIZEOF_MAPTOUCHARS);
+             ut->chunkOffset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
+             return TRUE;
+ 
+@@ -1298,6 +1314,10 @@
+         // Can only do this if the incoming index is somewhere in the interior of the string.
+         //   If index is at the end, there is no character there to look at.
+         if (ix != ut->b) {
++            // Note: this function will only move the index back if it is on a trail byte
++            //       and there is a preceding lead byte and the sequence from the lead 
++            //       through this trail could be part of a valid UTF-8 sequence
++            //       Otherwise the index remains unchanged.
+             U8_SET_CP_START(s8, 0, ix);
+         }
+ 
+@@ -1311,7 +1331,10 @@
+         UChar   *buf = u8b->buf;
+         uint8_t *mapToNative = u8b->mapToNative;
+         uint8_t *mapToUChars = u8b->mapToUChars;
+-        int32_t  toUCharsMapStart = ix - (UTF8_TEXT_CHUNK_SIZE*3 + 1);
++        int32_t  toUCharsMapStart = ix - UGLY_SIZEOF_MAPTOUCHARS + 1;
++        // Note that toUCharsMapStart can be negative. Happens when the remaining
++        // text from current position to the beginning is less than the buffer size.
++        // + 1 because mapToUChars must have a slot at the end for the bufNativeLimit entry.
+         int32_t  destIx = UTF8_TEXT_CHUNK_SIZE+2;   // Start in the overflow region
+                                                     //   at end of buffer to leave room
+                                                     //   for a surrogate pair at the
+@@ -1338,6 +1361,7 @@
+             if (c<0x80) {
+                 // Special case ASCII range for speed.
+                 buf[destIx] = (UChar)c;
++                U_ASSERT(toUCharsMapStart <= srcIx);
+                 mapToUChars[srcIx - toUCharsMapStart] = (uint8_t)destIx;
+                 mapToNative[destIx] = (uint8_t)(srcIx - toUCharsMapStart);
+             } else {
+@@ -1367,6 +1391,7 @@
+                 do {
+                     mapToUChars[sIx-- - toUCharsMapStart] = (uint8_t)destIx;
+                 } while (sIx >= srcIx);
++                U_ASSERT(toUCharsMapStart <= (srcIx+1));
+ 
+                 // Set native indexing limit to be the current position.
+                 //   We are processing a non-ascii, non-native-indexing char now;
+@@ -1541,6 +1566,7 @@
+     U_ASSERT(index>=ut->chunkNativeStart+ut->nativeIndexingLimit);
+     U_ASSERT(index<=ut->chunkNativeLimit);
+     int32_t mapIndex = index - u8b->toUCharsMapStart;
++    U_ASSERT(mapIndex < (int32_t)UGLY_SIZEOF_MAPTOUCHARS);
+     int32_t offset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
+     U_ASSERT(offset>=0 && offset<=ut->chunkLength);
+     return offset;
+diff -ur icu.org/source/test/intltest/utxttest.cpp icu/source/test/intltest/utxttest.cpp
+--- icu.org/source/test/intltest/utxttest.cpp	2016-06-15 20:58:17.000000000 +0200
++++ icu/source/test/intltest/utxttest.cpp	2017-04-21 16:14:57.383814739 +0200
+@@ -67,6 +67,8 @@
+             if (exec) Ticket10983();  break;
+         case 7: name = "Ticket12130";
+             if (exec) Ticket12130(); break;
++        case 8: name = "Ticket12888";
++            if (exec) Ticket12888(); break;
+         default: name = "";          break;
+     }
+ }
+@@ -1583,3 +1585,63 @@
+     }
+     utext_close(&ut);
+ }
++
++// Ticket 12888: bad handling of illegal utf-8 containing many instances of the archaic, now illegal,
++//               six byte utf-8 forms. Original implementation had an assumption that
++//               there would be at most three utf-8 bytes per UTF-16 code unit.
++//               The five and six byte sequences map to a single replacement character.
++
++void UTextTest::Ticket12888() {
++    const char *badString = 
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
++            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80";
++
++    UErrorCode status = U_ZERO_ERROR;
++    LocalUTextPointer ut(utext_openUTF8(NULL, badString, -1, &status));
++    TEST_SUCCESS(status);
++    for (;;) {
++        UChar32 c = utext_next32(ut.getAlias());
++        if (c == U_SENTINEL) {
++            break;
++        }
++    }
++    int32_t endIdx = utext_getNativeIndex(ut.getAlias());
++    if (endIdx != (int32_t)strlen(badString)) {
++        errln("%s:%d expected=%d, actual=%d", __FILE__, __LINE__, strlen(badString), endIdx);
++        return;
++    }
++
++    for (int32_t prevIndex = endIdx; prevIndex>0;) {
++        UChar32 c = utext_previous32(ut.getAlias());
++        int32_t currentIndex = utext_getNativeIndex(ut.getAlias());
++        if (c != 0xfffd) {
++            errln("%s:%d (expected, actual, index) = (%d, %d, %d)\n",
++                    __FILE__, __LINE__, 0xfffd, c, currentIndex);
++            break;
++        }
++        if (currentIndex != prevIndex - 6) {
++            errln("%s:%d: wrong index. Expected, actual = %d, %d",
++                    __FILE__, __LINE__, prevIndex - 6, currentIndex);
++            break;
++        }
++        prevIndex = currentIndex;
++    }
++}
+diff -ur icu.org/source/test/intltest/utxttest.h icu/source/test/intltest/utxttest.h
+--- icu.org/source/test/intltest/utxttest.h	2016-06-15 20:58:17.000000000 +0200
++++ icu/source/test/intltest/utxttest.h	2017-04-21 16:14:57.383814739 +0200
+@@ -38,6 +38,7 @@
+     void Ticket10562();
+     void Ticket10983();
+     void Ticket12130();
++    void Ticket12888();
+ 
+ private:
+     struct m {                              // Map between native indices & code points.
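Review bot: `UGLY_SIZEOF_MAPTOUCHARS` expands to a `sizeof` product, so `ix - UGLY_SIZEOF_MAPTOUCHARS + 1` in the backward-fill code is evaluated in `size_t` and only converted back when stored in `int32_t toUCharsMapStart`, although the comment added right below says the value can be negative. The two new assertions already cast the macro, and doing the same here keeps the arithmetic signed: `int32_t  toUCharsMapStart = ix - (int32_t)UGLY_SIZEOF_MAPTOUCHARS + 1;`. Separately, the added `U_ASSERT(mapIndex < …)` lines check only the upper bound, and as far as I know `U_ASSERT` is compiled out unless ICU is built with debugging enabled, so in release builds the protection rests on the enlarged `mapToUChars` array alone. `U_ASSERT(mapIndex >= 0 && mapIndex < (int32_t)UGLY_SIZEOF_MAPTOUCHARS);` would at least cover both ends in debug runs. The functions these lines belong to start and end outside the inner hunks.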
commit e7ad9dfa9137b7d326bdbe7e1226543eb087054a
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 3 14:03:27 2017 +0100

    CVE-2017-11742: Expat 2.2.3
    
    Reviewed-on: https://gerrit.libreoffice.org/40718
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit f680e5a441cecba4d238f031fc417ef3bccfd792)
    
    Reviewed-on: https://gerrit.libreoffice.org/40749
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>
    
    Conflicts:
            download.lst
    
    Change-Id: I1a1de789eaa5a78d2dc0e41ef861d10fa97b689b

diff --git a/download.lst b/download.lst
index 928f4281052f..39a2e252b8c4 100644
--- a/download.lst
+++ b/download.lst
@@ -6,8 +6,8 @@ EBOOK_MD5SUM := 2f1ceaf2ac8752ed278e175447d9b978
 export EBOOK_TARBALL := libe-book-0.0.3.tar.bz2
 ETONYEK_MD5SUM := 3c50bc60394d1f2675fbf9bd22581363
 export ETONYEK_TARBALL := libetonyek-0.0.4.tar.bz2
-EXPAT_MD5SUM := 2f47841c829facb346eb6e3fab5212e2
-export EXPAT_TARBALL := expat-2.2.0.tar.bz2
+EXPAT_MD5SUM := f053af63ef5f39bd9b78d01fbc203334
+export EXPAT_TARBALL := expat-2.2.3.tar.bz2
 FREEHAND_MD5SUM := 496dd00028afcc19f896b01394769043
 export FREEHAND_TARBALL := libfreehand-0.0.0.tar.bz2
 MSPUB_MD5SUM := 1120705cd0f0d9bd5506360bf57b6c2e
diff --git a/external/expat/StaticLibrary_expat.mk b/external/expat/StaticLibrary_expat.mk
index 2f754526b6e9..9f0726d4a3fe 100644
--- a/external/expat/StaticLibrary_expat.mk
+++ b/external/expat/StaticLibrary_expat.mk
@@ -48,6 +48,7 @@ $(eval $(call gb_StaticLibrary_add_cflags,expat,\
 ))
 
 $(eval $(call gb_StaticLibrary_add_generated_cobjects,expat,\
+	UnpackedTarball/expat/lib/loadlibrary \
 	UnpackedTarball/expat/lib/xmlparse \
 	UnpackedTarball/expat/lib/xmlrole \
 	UnpackedTarball/expat/lib/xmltok \
diff --git a/external/expat/StaticLibrary_expat_x64.mk b/external/expat/StaticLibrary_expat_x64.mk
index a38ba28c80dd..4f92d0fb284e 100644
--- a/external/expat/StaticLibrary_expat_x64.mk
+++ b/external/expat/StaticLibrary_expat_x64.mk
@@ -25,6 +25,7 @@ $(eval $(call gb_StaticLibrary_add_defs,expat_x64,\
 ))
 
 $(eval $(call gb_StaticLibrary_add_x64_generated_cobjects,expat_x64,\
+	UnpackedTarball/expat/lib/loadlibrary_x64 \
 	UnpackedTarball/expat/lib/xmlparse_x64 \
 	UnpackedTarball/expat/lib/xmltok_x64 \
 	UnpackedTarball/expat/lib/xmlrole_x64 \
diff --git a/external/expat/UnpackedTarball_expat.mk b/external/expat/UnpackedTarball_expat.mk
index 60e933d76090..f90fc8552568 100644
--- a/external/expat/UnpackedTarball_expat.mk
+++ b/external/expat/UnpackedTarball_expat.mk
@@ -24,6 +24,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,expat,\
 
 $(eval $(call gb_UnpackedTarball_set_post_action,expat,\
 	$(if $(filter $(BUILD_X64),TRUE),         \
+	  cp lib/loadlibrary.c lib/loadlibrary_x64.c && \
 	  cp lib/xmlparse.c lib/xmlparse_x64.c && \
 	  cp lib/xmltok.c lib/xmltok_x64.c     && \
 	  cp lib/xmlrole.c lib/xmlrole_x64.c) \
commit 4b198d95db3b7ad96c542c5961a2f196ba0ae909
Author: David Tardon <dtardon at redhat.com>
Date:   Fri Jul 8 13:28:10 2016 +0200

    tdf#100807 upload expat 2.2.0
    
    Reviewed-on: https://gerrit.libreoffice.org/27037
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: David Tardon <dtardon at redhat.com>
    (cherry picked from commit 4c28c8051ac99bd2a39ad06af35d87c2ddf2677e)
    Reviewed-on: https://gerrit.libreoffice.org/27107
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    
    Conflicts:
            download.lst
    
    Change-Id: Ic059d9cc94d4a5cf016dcf63cf5a8bf9c05d8c8a

diff --git a/Makefile.fetch b/Makefile.fetch
index 0fad64fa452e..c04bb7c5a228 100644
--- a/Makefile.fetch
+++ b/Makefile.fetch
@@ -80,6 +80,7 @@ $(WORKDIR)/download: $(BUILDDIR)/config_host.mk $(SRCDIR)/download.lst $(SRCDIR)
 		$(call fetch_Optional,EBOOK,EBOOK_TARBALL) \
 		$(call fetch_Optional,FREEHAND,FREEHAND_TARBALL) \
 		$(call fetch_Optional,ETONYEK,ETONYEK_TARBALL) \
+		$(call fetch_Optional,EXPAT,EXPAT_TARBALL) \
 		$(call fetch_Optional,FIREBIRD,FIREBIRD_TARBALL) \
 		$(call fetch_Optional,HARFBUZZ,HARFBUZZ_TARBALL) \
 		$(call fetch_Optional,LIBEOT,LIBEOT_TARBALL) \
@@ -108,7 +109,6 @@ $(WORKDIR)/download: $(BUILDDIR)/config_host.mk $(SRCDIR)/download.lst $(SRCDIR)
 		$(call fetch_Optional,CT2N,$(CT2N_TARBALL)) \
 		$(call fetch_Optional,CURL,$(CURL_TARBALL)) \
 		$(call fetch_Optional,EPM,$(EPM_TARBALL)) \
-		$(call fetch_Optional,EXPAT,$(EXPAT_TARBALL)) \
 		$(call fetch_Optional,MARIADB,$(MARIADB_TARBALL)) \
 		$(call fetch_Optional,MORE_FONTS,$(FONT_CALADEA_TARBALL)) \
 		$(call fetch_Optional,MORE_FONTS,$(FONT_CARLITO_TARBALL)) \
diff --git a/download.lst b/download.lst
index dcb979dabf92..928f4281052f 100644
--- a/download.lst
+++ b/download.lst
@@ -6,6 +6,8 @@ EBOOK_MD5SUM := 2f1ceaf2ac8752ed278e175447d9b978
 export EBOOK_TARBALL := libe-book-0.0.3.tar.bz2
 ETONYEK_MD5SUM := 3c50bc60394d1f2675fbf9bd22581363
 export ETONYEK_TARBALL := libetonyek-0.0.4.tar.bz2
+EXPAT_MD5SUM := 2f47841c829facb346eb6e3fab5212e2
+export EXPAT_TARBALL := expat-2.2.0.tar.bz2
 FREEHAND_MD5SUM := 496dd00028afcc19f896b01394769043
 export FREEHAND_TARBALL := libfreehand-0.0.0.tar.bz2
 MSPUB_MD5SUM := 1120705cd0f0d9bd5506360bf57b6c2e
@@ -52,7 +54,6 @@ export CT2N_TARBALL := 451ccf439a36a568653b024534669971-ConvertTextToNumber-1.3.
 export CURL_TARBALL := 57409d6bf0bd97053b8378dbe0cadcef-curl-7.33.0.tar.bz2
 export DBGHELP_DLL := 13fbc2e8b37ddf28181dd6d8081c2b8e-dbghelp.dll
 export EPM_TARBALL := 3ade8cfe7e59ca8e65052644fed9fca4-epm-3.7.tar.gz
-export EXPAT_TARBALL := dd7dab7a5fea97d2a6a43f511449b7cd-expat-2.1.0.tar.gz
 export FONTCONFIG_TARBALL := 77e15a92006ddc2adbb06f840d591c0e-fontconfig-2.8.0.tar.gz
 export FONT_CALADEA_TARBALL := 368f114c078f94214a308a74c7e991bc-crosextrafonts-20130214.tar.gz
 export FONT_CARLITO_TARBALL := c74b7223abe75949b4af367942d96c7a-crosextrafonts-carlito-20130920.tar.gz
diff --git a/external/expat/CVE-2015-1283-refix.patch.1 b/external/expat/CVE-2015-1283-refix.patch.1
deleted file mode 100644
index f7d971dbcd60..000000000000
--- a/external/expat/CVE-2015-1283-refix.patch.1
+++ /dev/null
@@ -1,37 +0,0 @@
-From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
-From: Pascal Cuoq <cuoq at trust-in-soft.com>
-Date: Sun, 15 May 2016 09:05:46 +0200
-Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It
- does not really work: https://godbolt.org/g/Zl8gdF
-
----
- expat/lib/xmlparse.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 13e080d..cdb12ef 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1693,7 +1693,8 @@ XML_GetBuffer(XML_Parser parser, int len)
-   }
- 
-   if (len > bufferLim - bufferEnd) {
--    int neededSize = len + (int)(bufferEnd - bufferPtr);
-+    /* Do not invoke signed arithmetic overflow: */
-+    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
-     if (neededSize < 0) {
-       errorCode = XML_ERROR_NO_MEMORY;
-       return NULL;
-@@ -1725,7 +1726,8 @@ XML_GetBuffer(XML_Parser parser, int len)
-       if (bufferSize == 0)
-         bufferSize = INIT_BUFFER_SIZE;
-       do {
--        bufferSize *= 2;
-+        /* Do not invoke signed arithmetic overflow: */
-+        bufferSize = (int) (2U * (unsigned) bufferSize);
-       } while (bufferSize < neededSize && bufferSize > 0);
-       if (bufferSize <= 0) {
-         errorCode = XML_ERROR_NO_MEMORY;
--- 
-2.8.2
-
diff --git a/external/expat/CVE-2016-0718-v2-2-1.patch.1 b/external/expat/CVE-2016-0718-v2-2-1.patch.1
deleted file mode 100644
index a4a7963b9535..000000000000
--- a/external/expat/CVE-2016-0718-v2-2-1.patch.1
+++ /dev/null
@@ -1,755 +0,0 @@
-From cdfcb1b5c95e93b00ae9e9d25708b4a3bee72c15 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian at pipping.org>
-Date: Mon, 2 May 2016 00:02:44 +0200
-Subject: [PATCH] Address CVE-2016-0718 (/patch/ version 2.2.1)
-
-* Out of bounds memory access when doing text conversion on malformed input
-* Integer overflow related to memory allocation
-
-Reported by Gustavo Grieco
-
-Patch credits go to
-* Christian Heimes
-* Karl Waclawek
-* Gustavo Grieco
-* Sebastian Pipping
-* Pascal Cuoq
----
- expat/lib/xmlparse.c    |  34 +++++++++-----
- expat/lib/xmltok.c      | 115 +++++++++++++++++++++++++++++++++++-------------
- expat/lib/xmltok.h      |  10 ++++-
- expat/lib/xmltok_impl.c |  62 +++++++++++++-------------
- 4 files changed, 146 insertions(+), 75 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e308c79..13e080d 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2426,11 +2426,11 @@ doContent(XML_Parser parser,
-           for (;;) {
-             int bufSize;
-             int convLen;
--            XmlConvert(enc,
-+            const enum XML_Convert_Result convert_res = XmlConvert(enc,
-                        &fromPtr, rawNameEnd,
-                        (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
-             convLen = (int)(toPtr - (XML_Char *)tag->buf);
--            if (fromPtr == rawNameEnd) {
-+            if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
-               tag->name.strLen = convLen;
-               break;
-             }
-@@ -2651,11 +2651,11 @@ doContent(XML_Parser parser,
-           if (MUST_CONVERT(enc, s)) {
-             for (;;) {
-               ICHAR *dataPtr = (ICHAR *)dataBuf;
--              XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+              const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-               *eventEndPP = s;
-               charDataHandler(handlerArg, dataBuf,
-                               (int)(dataPtr - (ICHAR *)dataBuf));
--              if (s == next)
-+              if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-                 break;
-               *eventPP = s;
-             }
-@@ -3261,11 +3261,11 @@ doCdataSection(XML_Parser parser,
-           if (MUST_CONVERT(enc, s)) {
-             for (;;) {
-               ICHAR *dataPtr = (ICHAR *)dataBuf;
--              XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+              const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-               *eventEndPP = next;
-               charDataHandler(handlerArg, dataBuf,
-                               (int)(dataPtr - (ICHAR *)dataBuf));
--              if (s == next)
-+              if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-                 break;
-               *eventPP = s;
-             }
-@@ -5342,6 +5342,7 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
-               const char *s, const char *end)
- {
-   if (MUST_CONVERT(enc, s)) {
-+    enum XML_Convert_Result convert_res;
-     const char **eventPP;
-     const char **eventEndPP;
-     if (enc == encoding) {
-@@ -5354,11 +5355,11 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
-     }
-     do {
-       ICHAR *dataPtr = (ICHAR *)dataBuf;
--      XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-+      convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-       *eventEndPP = s;
-       defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
-       *eventPP = s;
--    } while (s != end);
-+    } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
-   }
-   else
-     defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
-@@ -6163,8 +6164,8 @@ poolAppend(STRING_POOL *pool, const ENCODING *enc,
-   if (!pool->ptr && !poolGrow(pool))
-     return NULL;
-   for (;;) {
--    XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
--    if (ptr == end)
-+    const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-+    if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-       break;
-     if (!poolGrow(pool))
-       return NULL;
-@@ -6248,8 +6249,13 @@ poolGrow(STRING_POOL *pool)
-     }
-   }
-   if (pool->blocks && pool->start == pool->blocks->s) {
--    int blockSize = (int)(pool->end - pool->start)*2;
--    BLOCK *temp = (BLOCK *)
-+    BLOCK *temp;
-+    int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
-+
-+    if (blockSize < 0)
-+      return XML_FALSE;
-+
-+    temp = (BLOCK *)
-       pool->mem->realloc_fcn(pool->blocks,
-                              (offsetof(BLOCK, s)
-                               + blockSize * sizeof(XML_Char)));
-@@ -6264,6 +6270,10 @@ poolGrow(STRING_POOL *pool)
-   else {
-     BLOCK *tem;
-     int blockSize = (int)(pool->end - pool->start);
-+
-+    if (blockSize < 0)
-+      return XML_FALSE;
-+
-     if (blockSize < INIT_BLOCK_SIZE)
-       blockSize = INIT_BLOCK_SIZE;
-     else
-diff --git a/lib/xmltok.c b/lib/xmltok.c
-index bf09dfc..cb98ce1 100644
---- a/lib/xmltok.c
-+++ b/lib/xmltok.c
-@@ -318,39 +318,55 @@ enum {  /* UTF8_cvalN is value of masked first byte of N byte sequence */
-   UTF8_cval4 = 0xf0
- };
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- utf8_toUtf8(const ENCODING *enc,
-             const char **fromP, const char *fromLim,
-             char **toP, const char *toLim)
- {
-+  enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
-   char *to;
-   const char *from;
-   if (fromLim - *fromP > toLim - *toP) {
-     /* Avoid copying partial characters. */
-+    res = XML_CONVERT_OUTPUT_EXHAUSTED;
-     for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--)
-       if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
-         break;
-   }
--  for (to = *toP, from = *fromP; from != fromLim; from++, to++)
-+  for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
-     *to = *from;
-   *fromP = from;

... etc. - the rest is truncated

