Roll libxml from bfd2f430 to a46e85f6

2021-05-22 rickert@fortiss.org Update CMake project version
2021-05-22 rickert@fortiss.org Add CMake alias targets for embedded projects
2021-05-18 dking@redhat.com Fix some validation errors in the FAQ
2021-05-19 dking@redhat.com Remove unused variable in xmlCharEncOutFunc
2021-05-16 rickert@fortiss.org Add missing file xmlwin32version.h.in to EXTRA_DIST
2021-05-16 rickert@fortiss.org Add instructions on how to use CMake to compile libxml
2021-05-18 wellnhofer@aevum.de Work around lxml API abuse
2021-05-20 mike.dalessio@gmail.com fix: avoid segfault at exit when using custom memory functions
2021-05-13 veillard@redhat.com Release of libxml2-2.9.12
2021-05-13 veillard@redhat.com Release of libxml2-2.9.11
2021-05-13 veillard@redhat.com Patch for security issue CVE-2021-3541

Fixed: 1212694
Bug: 934413
Change-Id: I696f8c50cba19b47eb5cfd58ecbda3f6b4273868
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2915101
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#886279}
NOKEYCHECK=True
GitOrigin-RevId: acd34896d98b09a96a5d61a86dc4baca08acd3ba
diff --git a/README.chromium b/README.chromium
index df76eb4..73f68be 100644
--- a/README.chromium
+++ b/README.chromium
@@ -1,7 +1,7 @@
 Name: libxml
 URL: http://xmlsoft.org
-Version: bfd2f4300fb348a0fb8265a17546a0eb8bdec719
-CPEPrefix: cpe:/a:xmlsoft:libxml2:2.9.9
+Version: a46e85f6698af712dc8bee683431c70d35e456ff
+CPEPrefix: cpe:/a:xmlsoft:libxml2:2.9.12
 License: MIT
 License File: src/Copyright
 Security Critical: yes
diff --git a/linux/config.h b/linux/config.h
index b6ae433..25172b5 100644
--- a/linux/config.h
+++ b/linux/config.h
@@ -249,7 +249,7 @@
 #define PACKAGE_NAME "libxml2"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "libxml2 2.9.10"
+#define PACKAGE_STRING "libxml2 2.9.12"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "libxml2"
@@ -258,7 +258,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.9.10"
+#define PACKAGE_VERSION "2.9.12"
 
 /* Type cast for the send() function 2nd arg */
 #define SEND_ARG2_CAST /**/
@@ -273,7 +273,7 @@
 #define VA_LIST_IS_ARRAY 1
 
 /* Version number of package */
-#define VERSION "2.9.10"
+#define VERSION "2.9.12"
 
 /* Determine what socket length (socklen_t) data type is */
 #define XML_SOCKLEN_T socklen_t
diff --git a/linux/include/libxml/xmlversion.h b/linux/include/libxml/xmlversion.h
index 37f673e..4c364e6 100644
--- a/linux/include/libxml/xmlversion.h
+++ b/linux/include/libxml/xmlversion.h
@@ -29,21 +29,21 @@
  *
  * the version string like "1.2.3"
  */
-#define LIBXML_DOTTED_VERSION "2.9.10"
+#define LIBXML_DOTTED_VERSION "2.9.12"
 
 /**
  * LIBXML_VERSION:
  *
  * the version number: 1.2.3 value is 10203
  */
-#define LIBXML_VERSION 20910
+#define LIBXML_VERSION 20912
 
 /**
  * LIBXML_VERSION_STRING:
  *
  * the version number string, 1.2.3 value is "10203"
  */
-#define LIBXML_VERSION_STRING "20910"
+#define LIBXML_VERSION_STRING "20912"
 
 /**
  * LIBXML_VERSION_EXTRA:
@@ -58,7 +58,7 @@
  * Macro to check that the libxml version in use is compatible with
  * the version the software has been compiled against
  */
-#define LIBXML_TEST_VERSION xmlCheckVersion(20910);
+#define LIBXML_TEST_VERSION xmlCheckVersion(20912);
 
 #ifndef VMS
 #if 0
diff --git a/linux/xml2-config b/linux/xml2-config
index 7a271d4..3717ff9 100755
--- a/linux/xml2-config
+++ b/linux/xml2-config
@@ -58,7 +58,7 @@
       ;;
 
     --version)
-	echo 2.9.10
+	echo 2.9.12
 	exit 0
 	;;
 
diff --git a/mac/config.h b/mac/config.h
index ac18495..27a79ec 100644
--- a/mac/config.h
+++ b/mac/config.h
@@ -249,7 +249,7 @@
 #define PACKAGE_NAME "libxml2"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "libxml2 2.9.10"
+#define PACKAGE_STRING "libxml2 2.9.12"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "libxml2"
@@ -258,7 +258,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.9.10"
+#define PACKAGE_VERSION "2.9.12"
 
 /* Type cast for the send() function 2nd arg */
 #define SEND_ARG2_CAST /**/
@@ -275,7 +275,7 @@
 #define VA_LIST_IS_ARRAY 1
 
 /* Version number of package */
-#define VERSION "2.9.10"
+#define VERSION "2.9.12"
 
 /* Determine what socket length (socklen_t) data type is */
 #define XML_SOCKLEN_T socklen_t
diff --git a/mac/include/libxml/xmlversion.h b/mac/include/libxml/xmlversion.h
index 37f673e..4c364e6 100644
--- a/mac/include/libxml/xmlversion.h
+++ b/mac/include/libxml/xmlversion.h
@@ -29,21 +29,21 @@
  *
  * the version string like "1.2.3"
  */
-#define LIBXML_DOTTED_VERSION "2.9.10"
+#define LIBXML_DOTTED_VERSION "2.9.12"
 
 /**
  * LIBXML_VERSION:
  *
  * the version number: 1.2.3 value is 10203
  */
-#define LIBXML_VERSION 20910
+#define LIBXML_VERSION 20912
 
 /**
  * LIBXML_VERSION_STRING:
  *
  * the version number string, 1.2.3 value is "10203"
  */
-#define LIBXML_VERSION_STRING "20910"
+#define LIBXML_VERSION_STRING "20912"
 
 /**
  * LIBXML_VERSION_EXTRA:
@@ -58,7 +58,7 @@
  * Macro to check that the libxml version in use is compatible with
  * the version the software has been compiled against
  */
-#define LIBXML_TEST_VERSION xmlCheckVersion(20910);
+#define LIBXML_TEST_VERSION xmlCheckVersion(20912);
 
 #ifndef VMS
 #if 0
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a437717..b4c0c79 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.15)
 
-project(libxml2 VERSION 2.9.10 LANGUAGES C)
+project(libxml2 VERSION 2.9.12 LANGUAGES C)
 
 include(CheckCSourceCompiles)
 include(CheckFunctionExists)
@@ -414,6 +414,7 @@
 endif()
 
 add_library(LibXml2 ${LIBXML2_HDRS} ${LIBXML2_SRCS})
+add_library(LibXml2::LibXml2 ALIAS LibXml2)
 
 if(NOT BUILD_SHARED_LIBS)
 	target_compile_definitions(LibXml2 INTERFACE LIBXML_STATIC)
@@ -537,6 +538,7 @@
 	)
 	foreach(PROGRAM ${PROGRAMS})
 		add_executable(${PROGRAM} ${PROGRAM}.c)
+		add_executable(LibXml2::${PROGRAM} ALIAS ${PROGRAM})
 		target_link_libraries(${PROGRAM} LibXml2)
 		if(HAVE_LIBHISTORY)
 			target_link_libraries(${PROGRAM} history)
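Review bot: The alias `LibXml2::${PROGRAM}` gives embedding projects a namespaced name, but the real targets are still created under the bare `${PROGRAM}` names. A parent project that already defines a target with one of those names would therefore still fail at configure time with a duplicate-target error. If embedding is the goal, a comment stating this limit would help, e.g. `# Alias only: the underlying target keeps its bare name and can still clash in a parent project.` The `foreach` body continues outside this hunk, and the contents of `PROGRAMS` are not visible here.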
diff --git a/src/HTMLtree.c b/src/HTMLtree.c
index 24434d4..bdd639c 100644
--- a/src/HTMLtree.c
+++ b/src/HTMLtree.c
@@ -744,7 +744,7 @@
 htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc,
 	                 xmlNodePtr cur, const char *encoding ATTRIBUTE_UNUSED,
                          int format) {
-    xmlNodePtr root;
+    xmlNodePtr root, parent;
     xmlAttrPtr attr;
     const htmlElemDesc * info;
 
@@ -755,6 +755,7 @@
     }
 
     root = cur;
+    parent = cur->parent;
     while (1) {
         switch (cur->type) {
         case XML_HTML_DOCUMENT_NODE:
@@ -762,7 +763,9 @@
             if (((xmlDocPtr) cur)->intSubset != NULL) {
                 htmlDtdDumpOutput(buf, (xmlDocPtr) cur, NULL);
             }
-            if (cur->children != NULL) {
+            /* Always validate cur->parent when descending. */
+            if ((cur->parent == parent) && (cur->children != NULL)) {
+                parent = cur;
                 cur = cur->children;
                 continue;
             }
@@ -770,6 +773,16 @@
 
         case XML_ELEMENT_NODE:
             /*
+             * Some users like lxml are known to pass nodes with a corrupted
+             * tree structure. Fall back to a recursive call to handle this
+             * case.
+             */
+            if ((cur->parent != parent) && (cur->children != NULL)) {
+                htmlNodeDumpFormatOutput(buf, doc, cur, encoding, format);
+                break;
+            }
+
+            /*
              * Get specific HTML info for that node.
              */
             if (cur->ns == NULL)
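Review bot: The fallback `htmlNodeDumpFormatOutput(buf, doc, cur, encoding, format);` re-enters the serializer once for every element with children whose `cur->parent` disagrees with the tracked `parent`, and nothing in this hunk bounds how deeply those calls can nest. The surrounding loop walks the tree iteratively, so an input with many nested inconsistent nodes brings back stack growth proportional to that nesting. At minimum the comment should say so, e.g. `/* Recursion depth equals the number of nested nodes with a mismatched parent pointer; it is not bounded here. */`, and a depth limit carried by an internal helper would be the stronger fix. The function body starts and continues outside this hunk.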
@@ -817,6 +830,7 @@
                     (cur->name != NULL) &&
                     (cur->name[0] != 'p')) /* p, pre, param */
                     xmlOutputBufferWriteString(buf, "\n");
+                parent = cur;
                 cur = cur->children;
                 continue;
             }
@@ -825,9 +839,9 @@
                 (info != NULL) && (!info->isinline)) {
                 if ((cur->next->type != HTML_TEXT_NODE) &&
                     (cur->next->type != HTML_ENTITY_REF_NODE) &&
-                    (cur->parent != NULL) &&
-                    (cur->parent->name != NULL) &&
-                    (cur->parent->name[0] != 'p')) /* p, pre, param */
+                    (parent != NULL) &&
+                    (parent->name != NULL) &&
+                    (parent->name[0] != 'p')) /* p, pre, param */
                     xmlOutputBufferWriteString(buf, "\n");
             }
 
@@ -842,9 +856,9 @@
                 break;
             if (((cur->name == (const xmlChar *)xmlStringText) ||
                  (cur->name != (const xmlChar *)xmlStringTextNoenc)) &&
-                ((cur->parent == NULL) ||
-                 ((xmlStrcasecmp(cur->parent->name, BAD_CAST "script")) &&
-                  (xmlStrcasecmp(cur->parent->name, BAD_CAST "style"))))) {
+                ((parent == NULL) ||
+                 ((xmlStrcasecmp(parent->name, BAD_CAST "script")) &&
+                  (xmlStrcasecmp(parent->name, BAD_CAST "style"))))) {
                 xmlChar *buffer;
 
                 buffer = xmlEncodeEntitiesReentrant(doc, cur->content);
@@ -902,13 +916,9 @@
                 break;
             }
 
-            /*
-             * The parent should never be NULL here but we want to handle
-             * corrupted documents gracefully.
-             */
-            if (cur->parent == NULL)
-                return;
-            cur = cur->parent;
+            cur = parent;
+            /* cur->parent was validated when descending. */
+            parent = cur->parent;
 
             if ((cur->type == XML_HTML_DOCUMENT_NODE) ||
                 (cur->type == XML_DOCUMENT_NODE)) {
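Review bot: `cur = parent;` followed by `parent = cur->parent;` dereferences the tracked pointer with no NULL test, whereas the removed lines returned early on a NULL parent to tolerate corrupted documents. The new comment says the pointer was validated when descending, but `parent` is initialised from the caller's `cur->parent`, which may be NULL, so safety here appears to rest on a root check earlier in the loop that is not visible in this hunk. Since the function is explicitly expected to receive inconsistent trees, a cheap guard is worth keeping: `if (parent == NULL) return;` placed before `cur = parent;`. The enclosing loop begins and ends outside the hunk.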
@@ -939,9 +949,9 @@
                     (cur->next != NULL)) {
                     if ((cur->next->type != HTML_TEXT_NODE) &&
                         (cur->next->type != HTML_ENTITY_REF_NODE) &&
-                        (cur->parent != NULL) &&
-                        (cur->parent->name != NULL) &&
-                        (cur->parent->name[0] != 'p')) /* p, pre, param */
+                        (parent != NULL) &&
+                        (parent->name != NULL) &&
+                        (parent->name[0] != 'p')) /* p, pre, param */
                         xmlOutputBufferWriteString(buf, "\n");
                 }
             }
diff --git a/src/configure.ac b/src/configure.ac
index a4c675b..5b161a5 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -3,7 +3,7 @@
 
 m4_define([MAJOR_VERSION], 2)
 m4_define([MINOR_VERSION], 9)
-m4_define([MICRO_VERSION], 10)
+m4_define([MICRO_VERSION], 12)
 
 AC_INIT([libxml2],[MAJOR_VERSION.MINOR_VERSION.MICRO_VERSION])
 AC_CONFIG_SRCDIR([entities.c])
diff --git a/src/encoding.c b/src/encoding.c
index cdff6ae..5e50c15 100644
--- a/src/encoding.c
+++ b/src/encoding.c
@@ -2629,7 +2629,6 @@
     int written;
     int writtentot = 0;
     int toconv;
-    int output = 0;
 
     if (handler == NULL) return(-1);
     if (out == NULL) return(-1);
@@ -2682,8 +2681,6 @@
         ret = -3;
     }
 
-    if (ret >= 0) output += ret;
-
     /*
      * Attempt to handle error cases
      */
diff --git a/src/fuzz/Makefile.am b/src/fuzz/Makefile.am
index 7d38347..6f48713 100644
--- a/src/fuzz/Makefile.am
+++ b/src/fuzz/Makefile.am
@@ -2,7 +2,7 @@
 EXTRA_PROGRAMS = genSeed html regexp schema uri xml xpath
 check_PROGRAMS = testFuzzer
 EXTRA_DIST = html.dict regexp.dict schema.dict xml.dict xpath.dict \
-	     seed/uri
+	     seed/uri seed/regexp fuzz.h
 CLEANFILES = $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/include
 DEPENDENCIES = $(top_builddir)/libxml2.la
diff --git a/src/fuzz/Makefile.in b/src/fuzz/Makefile.in
index e9de41c..47f1edb 100644
--- a/src/fuzz/Makefile.in
+++ b/src/fuzz/Makefile.in
@@ -491,7 +491,7 @@
 top_srcdir = @top_srcdir@
 AUTOMAKE_OPTIONS = -Wno-syntax
 EXTRA_DIST = html.dict regexp.dict schema.dict xml.dict xpath.dict \
-	     seed/uri
+	     seed/uri seed/regexp fuzz.h
 
 CLEANFILES = $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/include
diff --git a/src/fuzz/fuzz.h b/src/fuzz/fuzz.h
new file mode 100644
index 0000000..a51b398
--- /dev/null
+++ b/src/fuzz/fuzz.h
@@ -0,0 +1,91 @@
+/*
+ * fuzz.h: Common functions and macros for fuzzing.
+ *
+ * See Copyright for the status of this software.
+ */
+
+#ifndef __XML_FUZZERCOMMON_H__
+#define __XML_FUZZERCOMMON_H__
+
+#include <stddef.h>
+#include <stdio.h>
+#include <libxml/parser.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(LIBXML_HTML_ENABLED) && defined(LIBXML_OUTPUT_ENABLED)
+  #define HAVE_HTML_FUZZER
+#endif
+#if defined(LIBXML_REGEXP_ENABLED)
+  #define HAVE_REGEXP_FUZZER
+#endif
+#if defined(LIBXML_SCHEMAS_ENABLED)
+  #define HAVE_SCHEMA_FUZZER
+#endif
+#if 1
+  #define HAVE_URI_FUZZER
+#endif
+#if defined(LIBXML_OUTPUT_ENABLED) && \
+    defined(LIBXML_READER_ENABLED) && \
+    defined(LIBXML_XINCLUDE_ENABLED)
+  #define HAVE_XML_FUZZER
+#endif
+#if defined(LIBXML_XPATH_ENABLED)
+  #define HAVE_XPATH_FUZZER
+#endif
+
+int
+LLVMFuzzerInitialize(int *argc, char ***argv);
+
+int
+LLVMFuzzerTestOneInput(const char *data, size_t size);
+
+void
+xmlFuzzErrorFunc(void *ctx ATTRIBUTE_UNUSED, const char *msg ATTRIBUTE_UNUSED,
+                 ...);
+
+void
+xmlFuzzDataInit(const char *data, size_t size);
+
+void
+xmlFuzzDataCleanup(void);
+
+int
+xmlFuzzReadInt(void);
+
+const char *
+xmlFuzzReadRemaining(size_t *size);
+
+void
+xmlFuzzWriteString(FILE *out, const char *str);
+
+const char *
+xmlFuzzReadString(size_t *size);
+
+void
+xmlFuzzReadEntities(void);
+
+const char *
+xmlFuzzMainUrl(void);
+
+const char *
+xmlFuzzMainEntity(size_t *size);
+
+xmlParserInputPtr
+xmlFuzzEntityLoader(const char *URL, const char *ID, xmlParserCtxtPtr ctxt);
+
+size_t
+xmlFuzzExtractStrings(const char *data, size_t size, char **strings,
+                      size_t numStrings);
+
+char *
+xmlSlurpFile(const char *path, size_t *size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __XML_FUZZERCOMMON_H__ */
+
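Review bot: `LLVMFuzzerTestOneInput(const char *data, size_t size)` is declared with `const char *`, while libFuzzer's documented entry point takes `const uint8_t *`. C linkage lets it link, but harness code that reads input bytes through plain `char` sees negative values on platforms where `char` is signed. The harness sources are not part of this diff, so whether any of them index tables or compare ranges with those bytes cannot be confirmed from here. The prototypes also carry no contract comments. For the pointer-returning helpers (`xmlSlurpFile`, `xmlFuzzReadString`, `xmlFuzzReadRemaining`, `xmlFuzzMainEntity`) I would add one line each stating who owns the returned buffer, whether it is NUL-terminated, and what `*size` holds on failure.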
diff --git a/src/fuzz/seed/regexp/branch-1 b/src/fuzz/seed/regexp/branch-1
new file mode 100644
index 0000000..ded775e
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-10 b/src/fuzz/seed/regexp/branch-10
new file mode 100644
index 0000000..6700d77
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-10
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-11 b/src/fuzz/seed/regexp/branch-11
new file mode 100644
index 0000000..d83f918
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-11
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-12 b/src/fuzz/seed/regexp/branch-12
new file mode 100644
index 0000000..b44dba5
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-12
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-13 b/src/fuzz/seed/regexp/branch-13
new file mode 100644
index 0000000..64e50a0
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-13
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-2 b/src/fuzz/seed/regexp/branch-2
new file mode 100644
index 0000000..8293d81
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-3 b/src/fuzz/seed/regexp/branch-3
new file mode 100644
index 0000000..696af9b
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-4 b/src/fuzz/seed/regexp/branch-4
new file mode 100644
index 0000000..8317998
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-5 b/src/fuzz/seed/regexp/branch-5
new file mode 100644
index 0000000..6b6db8b
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-6 b/src/fuzz/seed/regexp/branch-6
new file mode 100644
index 0000000..4f47790
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-7 b/src/fuzz/seed/regexp/branch-7
new file mode 100644
index 0000000..6334f72
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-8 b/src/fuzz/seed/regexp/branch-8
new file mode 100644
index 0000000..f77a8f4
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/branch-9 b/src/fuzz/seed/regexp/branch-9
new file mode 100644
index 0000000..acd0eec
--- /dev/null
+++ b/src/fuzz/seed/regexp/branch-9
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-1 b/src/fuzz/seed/regexp/bug316338-1
new file mode 100644
index 0000000..9f0a504
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-10 b/src/fuzz/seed/regexp/bug316338-10
new file mode 100644
index 0000000..60685bb
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-10
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-11 b/src/fuzz/seed/regexp/bug316338-11
new file mode 100644
index 0000000..72a7956
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-11
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-12 b/src/fuzz/seed/regexp/bug316338-12
new file mode 100644
index 0000000..85416ee
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-12
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-13 b/src/fuzz/seed/regexp/bug316338-13
new file mode 100644
index 0000000..c91d4fe
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-13
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-14 b/src/fuzz/seed/regexp/bug316338-14
new file mode 100644
index 0000000..a164b42
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-14
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-15 b/src/fuzz/seed/regexp/bug316338-15
new file mode 100644
index 0000000..750c76d
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-15
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-16 b/src/fuzz/seed/regexp/bug316338-16
new file mode 100644
index 0000000..23c5d23
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-16
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-2 b/src/fuzz/seed/regexp/bug316338-2
new file mode 100644
index 0000000..5468d06
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-3 b/src/fuzz/seed/regexp/bug316338-3
new file mode 100644
index 0000000..76e1e0b
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-4 b/src/fuzz/seed/regexp/bug316338-4
new file mode 100644
index 0000000..e0f65a4
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-5 b/src/fuzz/seed/regexp/bug316338-5
new file mode 100644
index 0000000..fcfaa97
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-6 b/src/fuzz/seed/regexp/bug316338-6
new file mode 100644
index 0000000..ce00a15
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-7 b/src/fuzz/seed/regexp/bug316338-7
new file mode 100644
index 0000000..127fe1f
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-8 b/src/fuzz/seed/regexp/bug316338-8
new file mode 100644
index 0000000..fe8bb8b
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug316338-9 b/src/fuzz/seed/regexp/bug316338-9
new file mode 100644
index 0000000..3d56e5d
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug316338-9
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-1 b/src/fuzz/seed/regexp/bug420596-1
new file mode 100644
index 0000000..4426933
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-2 b/src/fuzz/seed/regexp/bug420596-2
new file mode 100644
index 0000000..474d2b6
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-3 b/src/fuzz/seed/regexp/bug420596-3
new file mode 100644
index 0000000..09c75cb
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-4 b/src/fuzz/seed/regexp/bug420596-4
new file mode 100644
index 0000000..65d561e
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-5 b/src/fuzz/seed/regexp/bug420596-5
new file mode 100644
index 0000000..b678580
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-6 b/src/fuzz/seed/regexp/bug420596-6
new file mode 100644
index 0000000..3a05d82
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-7 b/src/fuzz/seed/regexp/bug420596-7
new file mode 100644
index 0000000..88e1660
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/bug420596-8 b/src/fuzz/seed/regexp/bug420596-8
new file mode 100644
index 0000000..4575a92
--- /dev/null
+++ b/src/fuzz/seed/regexp/bug420596-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-1 b/src/fuzz/seed/regexp/content-1
new file mode 100644
index 0000000..5acbf86
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-10 b/src/fuzz/seed/regexp/content-10
new file mode 100644
index 0000000..f131454
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-10
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-2 b/src/fuzz/seed/regexp/content-2
new file mode 100644
index 0000000..4e6b663
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-3 b/src/fuzz/seed/regexp/content-3
new file mode 100644
index 0000000..b13fc8d
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-4 b/src/fuzz/seed/regexp/content-4
new file mode 100644
index 0000000..47c5d6d
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-5 b/src/fuzz/seed/regexp/content-5
new file mode 100644
index 0000000..f93860e
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-6 b/src/fuzz/seed/regexp/content-6
new file mode 100644
index 0000000..e5c6e14
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-7 b/src/fuzz/seed/regexp/content-7
new file mode 100644
index 0000000..4868dd2
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-8 b/src/fuzz/seed/regexp/content-8
new file mode 100644
index 0000000..a3a87d0
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/content-9 b/src/fuzz/seed/regexp/content-9
new file mode 100644
index 0000000..91f0d9e
--- /dev/null
+++ b/src/fuzz/seed/regexp/content-9
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-1 b/src/fuzz/seed/regexp/hard-1
new file mode 100644
index 0000000..ba00382
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-10 b/src/fuzz/seed/regexp/hard-10
new file mode 100644
index 0000000..7db28fa
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-10
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-2 b/src/fuzz/seed/regexp/hard-2
new file mode 100644
index 0000000..ed38b91
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-3 b/src/fuzz/seed/regexp/hard-3
new file mode 100644
index 0000000..7b16da0
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-4 b/src/fuzz/seed/regexp/hard-4
new file mode 100644
index 0000000..2ece886
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-5 b/src/fuzz/seed/regexp/hard-5
new file mode 100644
index 0000000..870a3ec
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-6 b/src/fuzz/seed/regexp/hard-6
new file mode 100644
index 0000000..06aa7d0
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-7 b/src/fuzz/seed/regexp/hard-7
new file mode 100644
index 0000000..50a9ec3
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-8 b/src/fuzz/seed/regexp/hard-8
new file mode 100644
index 0000000..0991129
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/hard-9 b/src/fuzz/seed/regexp/hard-9
new file mode 100644
index 0000000..5bd1d89
--- /dev/null
+++ b/src/fuzz/seed/regexp/hard-9
Binary files differ
diff --git a/src/fuzz/seed/regexp/ncname-1 b/src/fuzz/seed/regexp/ncname-1
new file mode 100644
index 0000000..608eb9a
--- /dev/null
+++ b/src/fuzz/seed/regexp/ncname-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/ncname-2 b/src/fuzz/seed/regexp/ncname-2
new file mode 100644
index 0000000..cfb9b96
--- /dev/null
+++ b/src/fuzz/seed/regexp/ncname-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/ncname-3 b/src/fuzz/seed/regexp/ncname-3
new file mode 100644
index 0000000..07a6a08
--- /dev/null
+++ b/src/fuzz/seed/regexp/ncname-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/ncname-4 b/src/fuzz/seed/regexp/ncname-4
new file mode 100644
index 0000000..87e937f
--- /dev/null
+++ b/src/fuzz/seed/regexp/ncname-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/ncname-5 b/src/fuzz/seed/regexp/ncname-5
new file mode 100644
index 0000000..ad29456
--- /dev/null
+++ b/src/fuzz/seed/regexp/ncname-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-1 b/src/fuzz/seed/regexp/ranges-1
new file mode 100644
index 0000000..71448f2
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-10 b/src/fuzz/seed/regexp/ranges-10
new file mode 100644
index 0000000..91aed3c
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-10
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-11 b/src/fuzz/seed/regexp/ranges-11
new file mode 100644
index 0000000..76eb5de
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-11
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-12 b/src/fuzz/seed/regexp/ranges-12
new file mode 100644
index 0000000..9c3bc66
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-12
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-2 b/src/fuzz/seed/regexp/ranges-2
new file mode 100644
index 0000000..9369f7a
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-3 b/src/fuzz/seed/regexp/ranges-3
new file mode 100644
index 0000000..58a3a08
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-4 b/src/fuzz/seed/regexp/ranges-4
new file mode 100644
index 0000000..da7e9da
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-5 b/src/fuzz/seed/regexp/ranges-5
new file mode 100644
index 0000000..83ad4a8
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-6 b/src/fuzz/seed/regexp/ranges-6
new file mode 100644
index 0000000..3bc9758
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-7 b/src/fuzz/seed/regexp/ranges-7
new file mode 100644
index 0000000..fa89038
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-8 b/src/fuzz/seed/regexp/ranges-8
new file mode 100644
index 0000000..96f0bb6
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges-9 b/src/fuzz/seed/regexp/ranges-9
new file mode 100644
index 0000000..8e3fc43
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges-9
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-1 b/src/fuzz/seed/regexp/ranges2-1
new file mode 100644
index 0000000..044a8eb
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-10 b/src/fuzz/seed/regexp/ranges2-10
new file mode 100644
index 0000000..19e2aa2
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-10
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-11 b/src/fuzz/seed/regexp/ranges2-11
new file mode 100644
index 0000000..89be181
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-11
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-12 b/src/fuzz/seed/regexp/ranges2-12
new file mode 100644
index 0000000..42ebdd3
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-12
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-2 b/src/fuzz/seed/regexp/ranges2-2
new file mode 100644
index 0000000..026f7b8
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-3 b/src/fuzz/seed/regexp/ranges2-3
new file mode 100644
index 0000000..83e78a9
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-4 b/src/fuzz/seed/regexp/ranges2-4
new file mode 100644
index 0000000..847b4e8
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-5 b/src/fuzz/seed/regexp/ranges2-5
new file mode 100644
index 0000000..349168d
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-6 b/src/fuzz/seed/regexp/ranges2-6
new file mode 100644
index 0000000..5d2a407
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-7 b/src/fuzz/seed/regexp/ranges2-7
new file mode 100644
index 0000000..74fbafb
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-8 b/src/fuzz/seed/regexp/ranges2-8
new file mode 100644
index 0000000..125bfa9
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/ranges2-9 b/src/fuzz/seed/regexp/ranges2-9
new file mode 100644
index 0000000..f2cf128
--- /dev/null
+++ b/src/fuzz/seed/regexp/ranges2-9
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-1 b/src/fuzz/seed/regexp/xpath-1
new file mode 100644
index 0000000..3bc1792
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-1
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-10 b/src/fuzz/seed/regexp/xpath-10
new file mode 100644
index 0000000..e4f4b0c
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-10
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-11 b/src/fuzz/seed/regexp/xpath-11
new file mode 100644
index 0000000..318e0cc
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-11
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-12 b/src/fuzz/seed/regexp/xpath-12
new file mode 100644
index 0000000..f204295
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-12
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-13 b/src/fuzz/seed/regexp/xpath-13
new file mode 100644
index 0000000..70fccd5
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-13
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-14 b/src/fuzz/seed/regexp/xpath-14
new file mode 100644
index 0000000..357ce2b
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-14
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-15 b/src/fuzz/seed/regexp/xpath-15
new file mode 100644
index 0000000..2a10a83
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-15
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-16 b/src/fuzz/seed/regexp/xpath-16
new file mode 100644
index 0000000..1f3089f
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-16
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-17 b/src/fuzz/seed/regexp/xpath-17
new file mode 100644
index 0000000..a9d542f
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-17
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-18 b/src/fuzz/seed/regexp/xpath-18
new file mode 100644
index 0000000..651eb9d
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-18
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-19 b/src/fuzz/seed/regexp/xpath-19
new file mode 100644
index 0000000..fefea8f
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-19
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-2 b/src/fuzz/seed/regexp/xpath-2
new file mode 100644
index 0000000..81e5fba
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-2
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-20 b/src/fuzz/seed/regexp/xpath-20
new file mode 100644
index 0000000..1f3089f
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-20
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-21 b/src/fuzz/seed/regexp/xpath-21
new file mode 100644
index 0000000..706a702
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-21
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-22 b/src/fuzz/seed/regexp/xpath-22
new file mode 100644
index 0000000..a246f84
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-22
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-23 b/src/fuzz/seed/regexp/xpath-23
new file mode 100644
index 0000000..02753be
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-23
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-24 b/src/fuzz/seed/regexp/xpath-24
new file mode 100644
index 0000000..331105c
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-24
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-25 b/src/fuzz/seed/regexp/xpath-25
new file mode 100644
index 0000000..ce3da44
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-25
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-26 b/src/fuzz/seed/regexp/xpath-26
new file mode 100644
index 0000000..b3bf8c2
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-26
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-27 b/src/fuzz/seed/regexp/xpath-27
new file mode 100644
index 0000000..74bbe46
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-27
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-28 b/src/fuzz/seed/regexp/xpath-28
new file mode 100644
index 0000000..b38a709
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-28
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-29 b/src/fuzz/seed/regexp/xpath-29
new file mode 100644
index 0000000..104d4e5
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-29
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-3 b/src/fuzz/seed/regexp/xpath-3
new file mode 100644
index 0000000..6d7be85
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-3
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-30 b/src/fuzz/seed/regexp/xpath-30
new file mode 100644
index 0000000..b681ff1
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-30
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-31 b/src/fuzz/seed/regexp/xpath-31
new file mode 100644
index 0000000..cd87b0e
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-31
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-32 b/src/fuzz/seed/regexp/xpath-32
new file mode 100644
index 0000000..c5cac32
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-32
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-33 b/src/fuzz/seed/regexp/xpath-33
new file mode 100644
index 0000000..89e3fcd
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-33
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-34 b/src/fuzz/seed/regexp/xpath-34
new file mode 100644
index 0000000..b65a3d6
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-34
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-35 b/src/fuzz/seed/regexp/xpath-35
new file mode 100644
index 0000000..252a70c
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-35
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-4 b/src/fuzz/seed/regexp/xpath-4
new file mode 100644
index 0000000..30718c5
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-4
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-5 b/src/fuzz/seed/regexp/xpath-5
new file mode 100644
index 0000000..06ad88e
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-5
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-6 b/src/fuzz/seed/regexp/xpath-6
new file mode 100644
index 0000000..6678772
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-6
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-7 b/src/fuzz/seed/regexp/xpath-7
new file mode 100644
index 0000000..e69ad85
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-7
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-8 b/src/fuzz/seed/regexp/xpath-8
new file mode 100644
index 0000000..a8120cc
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-8
Binary files differ
diff --git a/src/fuzz/seed/regexp/xpath-9 b/src/fuzz/seed/regexp/xpath-9
new file mode 100644
index 0000000..c037ce7
--- /dev/null
+++ b/src/fuzz/seed/regexp/xpath-9
Binary files differ
diff --git a/src/include/libxml/Makefile.am b/src/include/libxml/Makefile.am
index cf9297a..328c180 100644
--- a/src/include/libxml/Makefile.am
+++ b/src/include/libxml/Makefile.am
@@ -51,4 +51,4 @@
 		xmlsave.h \
 		schematron.h
 
-EXTRA_DIST = xmlversion.h.in
+EXTRA_DIST = xmlversion.h.in xmlwin32version.h.in
diff --git a/src/libxml2.spec b/src/libxml2.spec
index 1cd4855..682dff2 100644
--- a/src/libxml2.spec
+++ b/src/libxml2.spec
@@ -2,7 +2,7 @@
 
 Summary: Library providing XML and HTML support
 Name: libxml2
-Version: 2.9.10
+Version: 2.9.12
 Release: 1%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
@@ -204,6 +204,6 @@
 %endif # with_python3
 
 %changelog
-* Mon May 10 2021 Daniel Veillard <veillard@redhat.com>
-- upstream release 2.9.10 see http://xmlsoft.org/news.html
+* Mon May 24 2021 Daniel Veillard <veillard@redhat.com>
+- upstream release 2.9.12 see http://xmlsoft.org/news.html
 
diff --git a/src/parser.c b/src/parser.c
index eba5f61..d5b72e4 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -140,6 +140,7 @@
                      xmlEntityPtr ent, size_t replacement)
 {
     size_t consumed = 0;
+    int i;
 
     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
         return (0);
@@ -184,6 +185,28 @@
 	    rep = NULL;
 	}
     }
+
+    /*
+     * Prevent entity exponential check, not just replacement while
+     * parsing the DTD
+     * The check is potentially costly so do that only once in a thousand
+     */
+    if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
+        (ctxt->nbentities % 1024 == 0)) {
+	for (i = 0;i < ctxt->inputNr;i++) {
+	    consumed += ctxt->inputTab[i]->consumed +
+	               (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
+	}
+	if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
+	    xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+	    ctxt->instate = XML_PARSER_EOF;
+	    return (1);
+	}
+	consumed = 0;
+    }
+
+
+
     if (replacement != 0) {
 	if (replacement < XML_MAX_TEXT_LENGTH)
 	    return(0);
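Review bot: The sampling test `(ctxt->nbentities % 1024 == 0)` in the new block only fires when the counter lands exactly on a multiple of 1024. If `nbentities` is ever advanced by more than one at a time elsewhere in the parser (not visible in this hunk), the amplification check can be skipped for long stretches of DTD parsing. Comparing against a remembered threshold would make the sampling robust; otherwise the comment should state that unit increments are assumed. The comment itself is hard to follow ("Prevent entity exponential check") and says "once in a thousand" for a 1024 modulus; I would write `/* Also detect exponential entity expansion while parsing the DTD, not only on replacement. Summing over inputTab is costly, so sample it every 1024 entities. */`. The enclosing function starts and ends outside the hunk.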
@@ -7981,6 +8004,9 @@
             xmlChar start[4];
             xmlCharEncoding enc;
 
+	    if (xmlParserEntityCheck(ctxt, 0, entity, 0))
+	        return;
+
 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
 	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
 		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
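Review bot: The added early `return;` after `xmlParserEntityCheck(ctxt, 0, entity, 0)` has no comment saying why it is safe to leave without further cleanup or error reporting. Judging from the check added earlier in this file, a non-zero result means XML_ERR_ENTITY_LOOP has already been raised and `ctxt->instate` set to XML_PARSER_EOF. I would document that at the call site, e.g. `/* Stop expanding this PE: the amplification check already reported the error and halted the parser. */`. The surrounding function starts and ends outside the hunk, so whether `entity` is guaranteed non-NULL here cannot be confirmed from these lines.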
@@ -14664,7 +14690,8 @@
 	return;
 
 #if defined(_WIN32) && (!defined(LIBXML_STATIC) || defined(LIBXML_STATIC_FOR_DLL))
-	atexit(xmlCleanupParser);
+    if (xmlFree == free)
+        atexit(xmlCleanupParser);
 #endif
 
 #ifdef LIBXML_THREAD_ENABLED
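Review bot: The `xmlFree == free` test is evaluated once, when this initialisation runs, so a program that installs custom memory functions afterwards would still have `xmlCleanupParser` registered with atexit(). Whether that ordering can occur depends on code outside the hunk. The condition also carries no comment explaining why the allocator matters; I would add `/* Register exit-time cleanup only with the default allocator; custom memory functions may no longer be usable when atexit handlers run. */` above the `if`. The two added lines are indented with spaces at a different depth than the tab-indented line they replace.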
diff --git a/src/testapi.c b/src/testapi.c
index 8a4e23e..6f19c6f 100644
--- a/src/testapi.c
+++ b/src/testapi.c
@@ -2843,7 +2843,7 @@
     int n_buf;
     xmlDocPtr cur; /* the document */
     int n_cur;
-    char * encoding; /* the encoding string */
+    char * encoding; /* the encoding string (unused) */
     int n_encoding;
     int format; /* should formatting spaces been added */
     int n_format;
@@ -2896,7 +2896,7 @@
     int n_buf;
     xmlDocPtr cur; /* the document */
     int n_cur;
-    char * encoding; /* the encoding string */
+    char * encoding; /* the encoding string (unused) */
     int n_encoding;
 
     for (n_buf = 0;n_buf < gen_nb_xmlOutputBufferPtr;n_buf++) {
@@ -3397,7 +3397,7 @@
     int n_doc;
     xmlNodePtr cur; /* the current node */
     int n_cur;
-    char * encoding; /* the encoding string */
+    char * encoding; /* the encoding string (unused) */
     int n_encoding;
     int format; /* should formatting spaces been added */
     int n_format;
@@ -3457,7 +3457,7 @@
     int n_doc;
     xmlNodePtr cur; /* the current node */
     int n_cur;
-    char * encoding; /* the encoding string */
+    char * encoding; /* the encoding string (unused) */
     int n_encoding;
 
     for (n_buf = 0;n_buf < gen_nb_xmlOutputBufferPtr;n_buf++) {
@@ -13611,7 +13611,7 @@
 #ifdef LIBXML_SAX1_ENABLED
     int mem_base;
     int ret_val;
-    xmlDocPtr doc; /* the document the chunk pertains to */
+    xmlDocPtr doc; /* the document the chunk pertains to (must not be NULL) */
     int n_doc;
     xmlSAXHandlerPtr sax; /* the SAX handler block (possibly NULL) */
     int n_sax;
@@ -13687,7 +13687,7 @@
 #ifdef LIBXML_SAX1_ENABLED
     int mem_base;
     int ret_val;
-    xmlDocPtr doc; /* the document the chunk pertains to */
+    xmlDocPtr doc; /* the document the chunk pertains to (must not be NULL) */
     int n_doc;
     xmlSAXHandlerPtr sax; /* the SAX handler block (possibly NULL) */
     int n_sax;
@@ -29238,6 +29238,33 @@
 
 
 static int
+test_xmlPopOutputCallbacks(void) {
+    int test_ret = 0;
+
+#if defined(LIBXML_OUTPUT_ENABLED)
+    int mem_base;
+    int ret_val;
+
+        mem_base = xmlMemBlocks();
+
+        ret_val = xmlPopOutputCallbacks();
+        desret_int(ret_val);
+        call_tests++;
+        xmlResetLastError();
+        if (mem_base != xmlMemBlocks()) {
+            printf("Leak of %d blocks found in xmlPopOutputCallbacks",
+	           xmlMemBlocks() - mem_base);
+	    test_ret++;
+            printf("\n");
+        }
+    function_tests++;
+#endif
+
+    return(test_ret);
+}
+
+
+static int
 test_xmlRegisterDefaultInputCallbacks(void) {
     int test_ret = 0;
 
@@ -29313,7 +29340,7 @@
 test_xmlIO(void) {
     int test_ret = 0;
 
-    if (quiet == 0) printf("Testing xmlIO : 40 of 50 functions ...\n");
+    if (quiet == 0) printf("Testing xmlIO : 41 of 51 functions ...\n");
     test_ret += test_xmlAllocOutputBuffer();
     test_ret += test_xmlAllocParserInputBuffer();
     test_ret += test_xmlCheckFilename();
@@ -29354,6 +29381,7 @@
     test_ret += test_xmlParserInputBufferPush();
     test_ret += test_xmlParserInputBufferRead();
     test_ret += test_xmlPopInputCallbacks();
+    test_ret += test_xmlPopOutputCallbacks();
     test_ret += test_xmlRegisterDefaultInputCallbacks();
     test_ret += test_xmlRegisterDefaultOutputCallbacks();
     test_ret += test_xmlRegisterHTTPPostCallbacks();
@@ -34240,27 +34268,27 @@
     long ret_val;
     xmlSaveCtxtPtr ctxt; /* a document saving context */
     int n_ctxt;
-    xmlNodePtr node; /* the top node of the subtree to save */
-    int n_node;
+    xmlNodePtr cur; /*  */
+    int n_cur;
 
     for (n_ctxt = 0;n_ctxt < gen_nb_xmlSaveCtxtPtr;n_ctxt++) {
-    for (n_node = 0;n_node < gen_nb_xmlNodePtr;n_node++) {
+    for (n_cur = 0;n_cur < gen_nb_xmlNodePtr;n_cur++) {
         mem_base = xmlMemBlocks();
         ctxt = gen_xmlSaveCtxtPtr(n_ctxt, 0);
-        node = gen_xmlNodePtr(n_node, 1);
+        cur = gen_xmlNodePtr(n_cur, 1);
 
-        ret_val = xmlSaveTree(ctxt, node);
+        ret_val = xmlSaveTree(ctxt, cur);
         desret_long(ret_val);
         call_tests++;
         des_xmlSaveCtxtPtr(n_ctxt, ctxt, 0);
-        des_xmlNodePtr(n_node, node, 1);
+        des_xmlNodePtr(n_cur, cur, 1);
         xmlResetLastError();
         if (mem_base != xmlMemBlocks()) {
             printf("Leak of %d blocks found in xmlSaveTree",
 	           xmlMemBlocks() - mem_base);
 	    test_ret++;
             printf(" %d", n_ctxt);
-            printf(" %d", n_node);
+            printf(" %d", n_cur);
             printf("\n");
         }
     }
diff --git a/src/xmlsave.c b/src/xmlsave.c
index 61a4045..aedbd5e 100644
--- a/src/xmlsave.c
+++ b/src/xmlsave.c
@@ -847,7 +847,7 @@
 static void
 xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) {
     int format = ctxt->format;
-    xmlNodePtr tmp, root, unformattedNode = NULL;
+    xmlNodePtr tmp, root, unformattedNode = NULL, parent;
     xmlAttrPtr attr;
     xmlChar *start, *end;
     xmlOutputBufferPtr buf;
@@ -856,6 +856,7 @@
     buf = ctxt->buf;
 
     root = cur;
+    parent = cur->parent;
     while (1) {
         switch (cur->type) {
         case XML_DOCUMENT_NODE:
@@ -868,7 +869,9 @@
             break;
 
         case XML_DOCUMENT_FRAG_NODE:
-            if (cur->children != NULL) {
+            /* Always validate cur->parent when descending. */
+            if ((cur->parent == parent) && (cur->children != NULL)) {
+                parent = cur;
                 cur = cur->children;
                 continue;
             }
@@ -887,7 +890,18 @@
             break;
 
         case XML_ELEMENT_NODE:
-	    if ((cur != root) && (ctxt->format == 1) && (xmlIndentTreeOutput))
+            /*
+             * Some users like lxml are known to pass nodes with a corrupted
+             * tree structure. Fall back to a recursive call to handle this
+             * case.
+             */
+            if ((cur->parent != parent) && (cur->children != NULL)) {
+                xmlNodeDumpOutputInternal(ctxt, cur);
+                break;
+            }
+
+	    if ((ctxt->level > 0) && (ctxt->format == 1) &&
+                (xmlIndentTreeOutput))
 		xmlOutputBufferWrite(buf, ctxt->indent_size *
 				     (ctxt->level > ctxt->indent_nr ?
 				      ctxt->indent_nr : ctxt->level),
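Review bot: The fallback `xmlNodeDumpOutputInternal(ctxt, cur);` re-enters the function once for each node whose `parent` pointer disagrees with the traversal, so stack use grows with the number of such mismatches nested along one path. A tree that is inconsistent at every level would recurse as deeply as the tree is. The comment should state that bound, e.g. `/* Recursion depth is limited to the number of nested nodes whose parent pointer is inconsistent. */`, and it is worth confirming that callers serialising untrusted trees cannot build such a structure. The indentation test also changes from `cur != root` to `ctxt->level > 0` without explanation, presumably so that a recursively dumped subtree keeps its indentation; that deserves a one-line comment. The function body continues outside the hunk.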
@@ -942,6 +956,7 @@
                 xmlOutputBufferWrite(buf, 1, ">");
                 if (ctxt->format == 1) xmlOutputBufferWrite(buf, 1, "\n");
                 if (ctxt->level >= 0) ctxt->level++;
+                parent = cur;
                 cur = cur->children;
                 continue;
             }
@@ -1058,13 +1073,9 @@
                 break;
             }
 
-            /*
-             * The parent should never be NULL here but we want to handle
-             * corrupted documents gracefully.
-             */
-            if (cur->parent == NULL)
-                return;
-            cur = cur->parent;
+            cur = parent;
+            /* cur->parent was validated when descending. */
+            parent = cur->parent;
 
             if (cur->type == XML_ELEMENT_NODE) {
                 if (ctxt->level > 0) ctxt->level--;
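Review bot: `parent = cur->parent;` now dereferences the saved `parent` without the NULL guard that the removed lines provided for corrupted documents. The visible hunks set `parent = cur` on both the fragment and element descents, so the invariant appears to hold. It would break silently if a later change added a descent path that forgets to update `parent`. Keeping a cheap guard before the assignment, `if (parent == NULL) return;`, preserves the old defensive behaviour. The comment would be clearer as `/* parent is the node we descended from; its own parent pointer was checked at that time. */`. The loop this belongs to starts and ends outside the hunk.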
diff --git a/win32/include/libxml/xmlversion.h b/win32/include/libxml/xmlversion.h
index 28ecf08..31593ed 100644
--- a/win32/include/libxml/xmlversion.h
+++ b/win32/include/libxml/xmlversion.h
@@ -29,21 +29,21 @@
  *
  * the version string like "1.2.3"
  */
-#define LIBXML_DOTTED_VERSION "2.9.10"
+#define LIBXML_DOTTED_VERSION "2.9.12"
 
 /**
  * LIBXML_VERSION:
  *
  * the version number: 1.2.3 value is 10203
  */
-#define LIBXML_VERSION 20910
+#define LIBXML_VERSION 20912
 
 /**
  * LIBXML_VERSION_STRING:
  *
  * the version number string, 1.2.3 value is "10203"
  */
-#define LIBXML_VERSION_STRING "20910"
+#define LIBXML_VERSION_STRING "20912"
 
 /**
  * LIBXML_VERSION_EXTRA:
@@ -58,7 +58,7 @@
  * Macro to check that the libxml version in use is compatible with
  * the version the software has been compiled against
  */
-#define LIBXML_TEST_VERSION xmlCheckVersion(20910);
+#define LIBXML_TEST_VERSION xmlCheckVersion(20912);
 
 #ifndef VMS
 #if 0