For https://bugzilla.gnome.org/show_bug.cgi?id=759020

* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change.  Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.

For https://bugzilla.gnome.org/show_bug.cgi?id=760263

* HTMLparser.c: Add BASE_PTR convenience macro.
(htmlParseSystemLiteral): Store length and start position instead
of a pointer while iterating through the public identifier since
the underlying buffer may change, resulting in a stale pointer
being used.
(htmlParsePubidLiteral): Ditto.

For https://bugzilla.gnome.org/show_bug.cgi?id=761029

Decorate every method in libxml2 with the appropriate
LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
following the reports.

From https://bugzilla.gnome.org/show_bug.cgi?id=758518

Happens when a file has a name getting parsed, but no valid encoding
set, so libxml has to guess what the encoding is. This patch detects
when the buffer location changes, and if it does, restarts the parsing
of the name.

This slightly change a couple of regression tests output

For https://bugzilla.gnome.org/show_bug.cgi?id=761430

libfuzzer regression testing exposed another case where the parser would
fetch content of an external entity while not in validating mode.
Plug that hole

Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398>

* parser.c:
(xmlParseNCNameComplex): Store start position instead of a
pointer to the name since the underlying buffer may change,
resulting in a stale pointer being used.
* result/errors/759398.xml: Added.
* result/errors/759398.xml.err: Added.
* result/errors/759398.xml.str: Added.
* test/errors/759398.xml: Added test case.

Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>

Reviewed by David Kilzer.

* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure.  Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.

Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588>

* parser.c:
(xmlParseEndTag2): Add bounds checks before dereferencing
ctxt->input->cur past the end of the buffer, or incrementing the
pointer past the end of the buffer.

* result/errors/758588.xml: Add test result.
* result/errors/758588.xml.err: Ditto.
* result/errors/758588.xml.str: Ditto.
* test/errors/758588.xml: Add regression test.

Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711>

* xmlregexp.c:
(xmlFAParseCharRange): Only advance to the next character if
there is no error.  Advancing to the next character in case of
an error while parsing regexp leads to an out of bounds access.

For https://bugzilla.gnome.org/show_bug.cgi?id=761252

It is no longer necessary to save system LDFLAGS when checking
lib specific LDFLAGS.

For https://bugzilla.gnome.org/show_bug.cgi?id=761252

This reverts commit 7dc24965.

For https://bugzilla.gnome.org/show_bug.cgi?id=766414

* xmlsave.c: xmlBufAttrSerializeTxtContent() if an attribute value
  is not UTF-8 be more careful when serializing it as we may do an
  out of bound access as a result.

For https://bugzilla.gnome.org/show_bug.cgi?id=764616

This code is used only if turning memory allocation debug
in configure with --with-mem-debug, which should never happen
in real life, so not a serious issue.

* xmlmemory.c:
(MAX_SIZE_T): Macro to define maximum value of size_t.
(xmlMallocAtomicLoc): Add bounds check.  Fix description and use
the correct function name in another error message.

For https://bugzilla.gnome.org/show_bug.cgi?id=749416

do not use -L$Z_DIR/lib when Z_DIR isn't actually set

When there is a failure, indicates what failed instead of just
dumping the tested file name.

For https://bugzilla.gnome.org/show_bug.cgi?id=611807

Using "make tests" to add new tests is error prone.
This patch implements a "runtest -u" mode that makes it much
easier to create baselines for new tests.

For https://bugzilla.gnome.org/show_bug.cgi?id=766635

* parserInternals.c:
(xmlParserInputGrow): Change 'ret' type to 'int' to match the
return type of xmlParserInputBufferGrow().

* xmlstring.c:
(xmlStrncat): Return NULL if xmlStrlen returns a negative length.
(xmlStrncatNew): Ditto.

For https://bugzilla.gnome.org/show_bug.cgi?id=765207
CVE-2016-3705
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.

For https://bugzilla.gnome.org/show_bug.cgi?id=765566

in xmlParse3986Port(), uri->port can overflow when parsing a the port number.
The type of uri->port is int, so the consequent behavior is undefined and
may differ between compilers and architectures

commit c71f9305 added __XML_EXTERNC
cpp construct which not understood by apibuild, leading to make dist
failures, ask to ignore that construct.

For https://bugzilla.gnome.org/show_bug.cgi?id=765979

This fallback to direct detection if not available, but current situation
this is broken for cross compilation

For https://bugzilla.gnome.org/show_bug.cgi?id=765979

This fallback to icu-config if not available, but current situation
this is broken for cross compilation

This is the first of the two issues raised by Pete Cordell
in https://mail.gnome.org/archives/xml/2016-April/msg00030.html

Set hasNsNodes to 1 when adding namespace nodes via XP_TEST_HIT.

When the namespace axis is traversed in "toBool" mode, the traversal
can exit early, before visiting all nodes. In this case, the XPath
context still contains a non-NULL tmpNsList.

This means that

- the check when to start a new traversal was wrong and
- the tmpNsList could be leaked.

Fixes bug #750037 and, by accident, bug #756075:

https://bugzilla.gnome.org/show_bug.cgi?id=750037
https://bugzilla.gnome.org/show_bug.cgi?id=756075

    From https://bugzilla.gnome.org/show_bug.cgi?id=758514

OS400 C compiler is not C99 compliant.
It only supports local variable declarations at the beginning of a block.
We loose the const as a result but portability is more important.

For https://bugzilla.gnome.org/show_bug.cgi?id=709171

This makes xmlSchemaSAXHandleStartElementNs pass attributes through
xmlStringDecodeEntities, similar to how xmlSchemaVDocWalk passes them
through xmlNodeListGetString.

xmlschemastypes.c: accept endOfDayFrag Times set to "24:00:00" mean "end of day" and should not cause an error.