This patch addresses two heap overflow bugs in raptor2:

http://seclists.org/oss-sec/2017/q2/424

Patch copied from libreoffice:

https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1

From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
From: Dave Beckett <dave@dajobe.org>
Date: Sun, 16 Apr 2017 23:15:12 +0100
Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer

(raptor_xml_writer_start_element_common): Calculate max including for
each attribute a potential name and value.

Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
---
 src/raptor_xml_writer.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
index 693b946..0d3a36a 100644
--- a/src/raptor_xml_writer.c
+++ b/src/raptor_xml_writer.c
@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
   size_t nspace_declarations_count = 0;  
   unsigned int i;
 
-  /* max is 1 per element and 1 for each attribute + size of declared */
   if(nstack) {
-    int nspace_max_count = element->attribute_count+1;
+    int nspace_max_count = element->attribute_count * 2; /* attr and value */
+    if(element->name->nspace)
+      nspace_max_count++;
     if(element->declared_nspaces)
       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
     if(element->xml_language)
@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
         }
       }
 
-      /* Add the attribute + value */
+      /* Add the attribute's value */
       nspace_declarations[nspace_declarations_count].declaration=
         raptor_qname_format_as_xml(element->attributes[i],
                                    &nspace_declarations[nspace_declarations_count].length);
-- 
2.9.3

ass='path'>path: <a href='/guix/log/?id=eed2fcc719e0d32ee914794adae7166067d2f9a8'>root</a>/<a href='/guix/log/tests?id=eed2fcc719e0d32ee914794adae7166067d2f9a8'>tests</a>/<a href='/guix/log/tests/grafts.scm?id=eed2fcc719e0d32ee914794adae7166067d2f9a8'>grafts.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/tests/grafts.scm?id=eed2fcc719e0d32ee914794adae7166067d2f9a8&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2023-10-28 00:17:23 +0200'>2023-10-28</span></td><td><a href='/guix/commit/tests/grafts.scm?id=67effc1560fc175dfbcb58ef5b965b08b3942d6c'>grafts: Fix corner case involving multiple-output derivations.</a><span class='msg-avail'>...<span class='msg-tooltip'>Fixes a bug that would occur with references to two outputs of the same
derivation, with one of them referring to the other one.

For example, the references of libreoffice include both mariadb:dev and
mariadb:lib; additionally, mariadb:dev refers to mariadb:lib.  In this
case, the glibc graft would not be applied on one of the mariadb paths,
and both the grafted and ungrafted glibc would end up in the closure of
libreoffice.

Fixes &lt;https://issues.guix.gnu.org/66662&gt;.

* guix/grafts.scm (non-self-references): Simplify and include references
to outputs of DRV other than OUTPUTS.
(reference-origins): Simplify and possibly return outputs of DRV itself.
(cumulative-grafts)[graft-origin?]: Add OUTPUT parameter and honor it.
[dependency-grafts]: Adjust accordingly.
* tests/grafts.scm ("graft-derivation, multiple outputs need to be replaced"):
New test.

Change-Id: Iac2005024ab7049037537b3af55298696ec90e3c
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2022-11-11 23:17:42 +0100'>2022-11-11</span></td><td><a href='/guix/commit/tests/grafts.scm?id=19206eee69e8c22d63104af1b7f1f815969bff7f'>grafts: Run with a UTF-8 locale.</a><span class='msg-avail'>...<span class='msg-tooltip'>Fixes &lt;https://issues.guix.gnu.org/55968&gt;.
Reported by Maxime Devos &lt;maximedevos@telenet.be&gt;.

* guix/grafts.scm (%graft-with-utf8-locale?): New parameter.
(graft-derivation/shallow)[glibc-locales, set-utf8-locale]: New
variables.
[build]: Use 'set-utf8-locale'.
* tests/gexp.scm, tests/grafts.scm, tests/packages.scm: Set
'%graft-with-utf8-locale?' to #f.
</span></span></td><td>Ludovic Courtès</td></tr>

Age	Commit message (Expand)	Author
2023-10-28	grafts: Fix corner case involving multiple-output derivations....Fixes a bug that would occur with references to two outputs of the same derivation, with one of them referring to the other one. For example, the references of libreoffice include both mariadb:dev and mariadb:lib; additionally, mariadb:dev refers to mariadb:lib. In this case, the glibc graft would not be applied on one of the mariadb paths, and both the grafted and ungrafted glibc would end up in the closure of libreoffice. Fixes <https://issues.guix.gnu.org/66662>. * guix/grafts.scm (non-self-references): Simplify and include references to outputs of DRV other than OUTPUTS. (reference-origins): Simplify and possibly return outputs of DRV itself. (cumulative-grafts)[graft-origin?]: Add OUTPUT parameter and honor it. [dependency-grafts]: Adjust accordingly. * tests/grafts.scm ("graft-derivation, multiple outputs need to be replaced"): New test. Change-Id: Iac2005024ab7049037537b3af55298696ec90e3c	Ludovic Courtès
2022-11-11	grafts: Run with a UTF-8 locale....Fixes <https://issues.guix.gnu.org/55968>. Reported by Maxime Devos <maximedevos@telenet.be>. * guix/grafts.scm (%graft-with-utf8-locale?): New parameter. (graft-derivation/shallow)[glibc-locales, set-utf8-locale]: New variables. [build]: Use 'set-utf8-locale'. * tests/gexp.scm, tests/grafts.scm, tests/packages.scm: Set '%graft-with-utf8-locale?' to #f.	Ludovic Courtès