dep: update libxml2 to v2.10.3

from v2.10.2 See https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3 Note the new behavior around CDATA nodes longer than 10MB. backport of 3ebb3b5
sparklemotion · Oct 14, 2022 · e8cfe13 · e8cfe13
1 parent d3fa539
commit e8cfe13
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/dependencies.yml b/dependencies.yml
@@ -1,7 +1,7 @@
 libxml2:
-  version: "2.10.2"
-  sha256: "d240abe6da9c65cb1900dd9bf3a3501ccf88b3c2a1cb98317d03f272dda5b265"
-  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.2.sha256sum
+  version: "2.10.3"
+  sha256: "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c"
+  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.3.sha256sum
 
 libxslt:
   version: "1.1.37"

diff --git a/test/xml/sax/test_parser.rb b/test/xml/sax/test_parser.rb
@@ -429,7 +429,12 @@ def call_parse_io_with_encoding(encoding)
       parser = Nokogiri::XML::SAX::Parser.new(handler)
       parser.parse(xml)
 
-      assert_predicate(handler.errors, :empty?)
+      if Nokogiri.uses_libxml?(">=2.10.3")
+        # CVE-2022-40303 https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986
+        assert_match(/CData section too big/, handler.errors.first)
+      else
+        assert_predicate(handler.errors, :empty?)
+      end
     end
 
     it "does not resolve entities by default" do