kmx git

Commit	Date	Message
868e49cf	2021-03-16T10:36:04	Allow FP division by zero in xmlXPathInit
d25460da	2021-03-13T19:12:00	Fix XPath NaN/Inf for older GCC versions The DBL_MAX approach could lead to errors caused by excess precision. Switch back to the division-by-zero approach with a work-around for MSVC and use the extern globals instead of macro expressions.
e6ec58ec	2020-09-21T12:49:36	Fix null deref in XPointer expression error path Make sure that the filter functions introduced with commit c2f4da1a return node-sets without NULL pointers also in the error case. Found by OSS-Fuzz.
8b88503a	2020-09-18T19:15:27	Don't call xmlXPathInit directly Call xmlInitParser which uses a lock to avoid race conditions. Fixes #184.
6f1470a5	2020-08-25T18:50:45	Hardcode maximum XPath recursion depth Always limit nested functions calls to 5000. This avoids call stack overflows with deeply nested expressions. The expression parser produces about 10 nested function calls when parsing a subexpression in parentheses, so the effective nesting limit is about 500 which should be more than enough. Use a lower limit when fuzzing to account for increased memory usage when using sanitizers.
804c5297	2020-08-17T03:37:18	Stop using maxParserDepth in xpath.c Only use a single maxDepth value.
beb7d71a	2020-07-13T12:41:19	Remove misleading comments in xpath.c Fixes #169
9f42f6ba	2020-06-24T15:33:38	Don't follow next pointer on documents in xmlXPathRunStreamEval RVTs from libxslt are document nodes which are linked using the 'next' pointer. These pointers must never be used to navigate the document tree. Otherwise, random content from other RVTs could be returned when evaluating XPath expressions. It's interesting that this seemingly long-standing bug wasn't discovered earlier. This issue could also cause severe performance degradation. Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/37
487871b0	2020-06-10T13:23:43	Fix undefined behavior in xmlXPathTryStreamCompile &NULL[0] is undefined behavior.
20c60886	2020-03-08T17:19:42	Fix typos Resolves #133.
2c80fc91	2019-12-02T11:30:30	Fix more memory leaks in error paths of XPath parser Found by OSS-Fuzz.
d5f2f74d	2019-11-11T11:27:40	Fix memory leak in error path of XPath expr parser Also propagate memory errors. Found by OSS-Fuzz.
bfc0f674	2019-10-20T14:39:46	Audit memory error handling in xpath.c Memory allocation errors in the following functions a often ignored. Add TODO comments. - xmlXPathNodeSetCreate - xmlXPathNodeSetAdd* - xmlXPathNodeSetMerge* - xmlXPathNodeSetDupNs Note that the following functions currently lack a way to propagate memory errors: - xmlXPathCompareNodeSets - xmlXPathEqualNodeSets
429d4eca	2019-10-20T14:22:20	Propagate memory errors in valuePush Currently, many memory allocation errors in xpath.c aren't propagated to the parser/evaluation context and for the most part ignored. Most XPath objects allocated via one of the New, Wrap or Copy functions end up being pushed on the stack, so adding a check in valuePush handles many cases without much effort. Also simplify the code a little and make sure to return -1 in case of error.
390f05e7	2019-10-20T13:42:19	Propagate memory errors in xmlXPathCompExprAdd Make sure that memory errors in xmlXPathCompExprAdd are propagated to the parser context. Hitting the step limit or running out of memory without raising an error could also lead to an out-of-bounds read. Also fixes a memory leak in xmlXPathErrMemory. Found by OSS-Fuzz.
2a350ee9	2019-09-30T17:04:54	Large batch of typo fixes Closes #109.
6705f4d2	2019-09-16T15:45:27	Remove executable bit from non-executable files
5c0e48b8	2019-07-25T18:46:30	Fix typo: xpath: simpli{ -> fi}ed Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
59028ba0	2019-08-07T14:38:07	Fix possible null dereference in xmlXPathIdFunction If a certain memory allocation fails, xmlXPathIdFunction would dereference a null pointer. Closes #77.
b17e3d1c	2019-08-01T15:04:16	Work around buggy ceil() function on AIX AIX has a buggy ceil() function that does not handle negative-zero correctly. Closes #79.
e79a903f	2019-05-20T13:22:49	Remove redundant code in xmlXPathCompRelationalExpr Thanks to Anish K Kurian for the report. Closes #59.
44e7a0d5	2019-05-16T21:17:28	Annotate functions with __attribute__((no_sanitize))
14ed63b7	2019-05-08T12:00:51	Limit recursion depth in xmlXPathCompOpEvalPredicate
f75256e7	2019-04-23T17:23:39	Remove unreachable code in xmlXPathCountFunction After the initial test, the condition (type == XPATH_NODESET) \|\| (type == XPATH_XSLT_TREE) always holds true.
949eced4	2019-04-22T16:04:26	Fix null deref in previous commit
c2f4da1a	2017-05-21T22:08:50	Improve XPath predicate and filter evaluation Consolidate code paths evaluating XPath predicates and filters. Don't push context node on stack when evaluating predicates. I have no idea why this was done. It seems completely useless and trying to pop the context node from a corrupted stack has already caused security issues. Filter nodesets in-place and don't create node sets with NULL gaps which allows to simplify merging a great deal. Simply move matched nodes backward and create a compact node set. Merge xmlXPathCompOpEvalPositionalPredicate into xmlXPathCompOpEvalPredicate.
012f8e92	2019-04-20T17:01:19	Limit recursion depth in xmlXPathOptimizeExpression
93a1d223	2019-04-16T13:37:47	Fix memory leaks in xmlXPathParseNameComplex error paths Found by OSS-Fuzz.
2d97a97a	2019-03-15T16:27:58	Optional recursion limit when parsing XPath expressions Useful to avoid call stack overflows when fuzzing. Note that parsing a parenthesized expression currently consumes more than 10 stack frames, so this limit should be set rather low.
64115ed6	2019-03-18T11:34:26	Optional recursion limit when evaluating XPath expressions Useful to avoid call stack overflows when fuzzing.
5153c7ba	2019-03-18T11:18:31	Use break statements in xmlXPathCompOpEval This prepares for the next commit.
852c93a2	2019-03-12T16:12:05	Optional XPath operation limit Optionally limit the maximum numbers of XPath operations when evaluating an expression. Useful to avoid timeouts when fuzzing. The following operations count towards the limit: - XPath operations - Location step iterations - Union operations Enabled by setting opLimit to a non-zero value. Note that it's the user's responsibility to reset opCount. This allows to enforce the operation limit across multiple reuses of an XPath context.
236dd6ab	2019-03-13T18:21:02	Check XPath stack after calling functions Check that there's exactly one return value on the stack after calling XPath functions. Otherwise, functions that corrupt the stack without signaling an error could lead to memory errors. Found with libFuzzer and UBSan.
30a6533e	2019-03-08T12:15:17	Fix float casts in xmlXPathSubstringFunction Rewrite conversion of double to int in xmlXPathSubstringFunction, adding range checks to avoid undefined behavior. Make sure to add start and length as floating-point numbers before converting to int. Fix a bug when rounding negative start indices. Remove unneeded calls to xmlXPathIs{Inf,NaN} and rely on IEEE math instead. Avoid computing the string length. xmlUTF8Strsub works as expected if the length of the requested substring exceeds the input. Found with libFuzzer and UBSan.
a4363749	2018-07-30T12:54:38	Fix nullptr deref with XPath logic ops If the XPath stack is corrupted, for example by a misbehaving extension function, the "and" and "or" XPath operators could dereference NULL pointers. Check that the XPath stack isn't empty and optimize the logic operators slightly. Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 https://bugzilla.redhat.com/show_bug.cgi?id=1595985 This is CVE-2018-14404. Thanks to Guy Inbar for the report.
b7c50b8d	2018-04-17T12:07:08	Remove stray character from comment Fixes bug #795316: https://bugzilla.gnome.org/show_bug.cgi?id=795316
fa33bf31	2017-05-25T00:45:10	Improve restoring of context size and position Restore context size and position where it is modified, not in seemingly random places.
665df41d	2018-04-16T19:37:34	Simplify and harden nodeset filtering If a nodeset to be filtered is empty, it can be returned without popping it from the stack. Make sure to restore the context node in all error paths and never set it to NULL. Save and restore the context node in RANGETO operations.
029d0e96	2017-05-25T01:28:27	Avoid unnecessary backups of the context node
938835e7	2017-05-25T01:21:57	Don't change context node in xmlXPathRoot
e22a83b1	2017-05-25T01:18:36	Stop using XPATH_OP_RESET It only sets the context node to NULL which doesn't seem useful and can even cause bugs like bug #795299: https://bugzilla.gnome.org/show_bug.cgi?id=795299
ebe12882	2018-04-16T18:18:11	Fix inconsistency in xmlXPathIsInf We don't use HUGE_VAL for INFINITY after the most recent fix.
7abec671	2018-03-15T19:33:52	NaN and Inf fixes for pre-C99 compilers On some pre-C99 compilers, the NAN and INFINITY macros don't expand to constant expressions. Some MSVC versions complain about floating point division by zero in constants. Thanks to Fabrice Manfroi for the report.
ddbb075b	2017-11-27T14:30:19	Fix xmlXPathIsNaN broken by recent commit
b2189571	2017-11-13T21:23:17	Fix -Wenum-compare warnings Also fixes a serious bug in xmlXPtrNewRangeNodePoint.
13acadbb	2017-11-12T17:28:12	Ignore function pointer cast warnings Use GCC pragmas as these warnings are enabled by -Wpedantic and there's no way to disable them selectively.
8813f397	2017-09-21T00:11:26	Simplify XPath NaN, inf and -0 handling Use C99 macros NAN, INFINITY, isnan, isinf. If they're not available: - Assume that (0.0 / 0.0) generates a NaN and !(x == x) tests for NaN. - Use C89's HUGE_VAL for INFINITY. Remove manual handling of NaN, infinity and negative zero in functions xmlXPathValueFlipSign and xmlXPathDivValues. Remove xmlXPathGetSign. All the tests for negative zero can be replaced with a test for negative or positive zero. Simplify xmlXPathRoundFunction. Remove Trio dependency. This should work on IEEE 754 compliant implementations even if the C99 macros aren't available, but will likely break some ancient platforms. If problems arise, my plan is to port the relevant trionan.c solution to xpath.c. Note that non-compliant implementations are impossible to fully support, anyway, since XPath requires IEEE 754.
e03f0a19	2017-11-09T16:42:47	Fix hash callback signatures Make sure that all parameters and return values of hash callback functions exactly match the callback function type. This is required to pass clang's Control Flow Integrity checks and to allow compilation to asm.js with Emscripten. Fixes bug 784861.
d2c329a9	2017-10-21T13:49:31	Fix -Wimplicit-fallthrough warnings Add "falls through" comments to quench implicit-fallthrough warnings which are enabled by -Wextra under GCC 7.
d422b954	2017-10-09T13:37:42	Fix pointer/int cast warnings on 64-bit Windows On 64-bit Windows, `long` is 32 bits wide and can't hold a pointer. Switch to ptrdiff_t instead which should be the same size as a pointer on every somewhat sane platform without requiring C99 types like intptr_t. Fixes bug 788312. Thanks to J. Peter Mugaas for the report and initial patch.
5af594d8	2017-10-07T14:54:45	Fix comparison of nodesets to strings Fix two bugs in xmlXPathNodeValHash which could lead to errors when comparing nodesets to strings: - Only use contents of text nodes to compute the hash for element nodes. Comments, PIs, and other node types don't affect the string-value and must be ignored. - Reset `string` to NULL for node types other than text. Reported by Aleksei on the mailing list: https://mail.gnome.org/archives/xml/2017-September/msg00016.html
0f3b843b	2017-06-01T23:12:19	Fix XPath stack frame logic Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in xmlXPathCompOpEvalPositionalPredicate to make sure that the context object on the stack is actually protected. Otherwise, memory corruption can occur when calling sloppily coded XPath extension functions. Fixes bug 783160.
3157cf4e	2017-09-20T16:13:29	Report undefined XPath variable error message Commit c851970 removed a redundant error message if XPath evaluation failed. This uncovered a case where an undefined XPath variable error wasn't reported correctly. Thanks to Petr Pisar for the report. Fixes bug 787941.
ca8635bf	2017-09-07T15:46:12	Fix debug dump of streaming XPath expressions The debug function xmlXPathDebugDumpCompExpr would crash when called with a "streaming" expression. Fixes bug 787368.
dbb828fe	2017-08-28T20:38:53	Fix missing part of comment for function xmlXPathEvalExpression()
454e397e	2017-08-28T14:30:43	Porting libxml2 on zOS encoding of code First set of patches for zOS - entities.c parser.c tree.c xmlschemas.c xmlschemastypes.c xpath.c xpointer.c: ask conversion of code to ISO Latin 1 to avoid having the compiler assume EBCDIC codepoint for characters. - xmlmodule.c: make sure we have support for modules - xmlIO.c: zOS path names are special avoid dsome of the expectstions from Unix/Windows
7482f41f	2017-06-01T22:00:19	Check for integer overflow in xmlXPathFormatNumber Check for overflow before casting double to int. Found with afl-fuzz and UBSan.
f4029cd4	2016-04-21T16:37:26	Check XPath exponents for overflow Avoid undefined behavior and wrong results with huge exponents. Found with afl-fuzz and UBSan.
a58331a6	2017-05-29T21:02:21	Check for overflow in xmlXPathIsPositionalPredicate Avoid undefined behavior when casting from double to int. Found with afl-fuzz and UBSan.
a851868a	2017-05-29T20:14:42	Parse small XPath numbers more accurately Don't count leading zeros towards the fraction size limit. This allows to parse numbers like 0.0000000000000000000000000000000000000000000000000000000001 which is the only standard-conformant way to represent such numbers, as scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath 2.0 and in libxml2 as an extension, though.) Overall accuracy is still bad, see bug 783238.
4bebb030	2016-04-21T13:41:09	Rework XPath rounding functions Use the C library's floor and ceil functions. The old code was overly complicated for no apparent reason and could result in undefined behavior when handling NaNs (found with afl-fuzz and UBSan). Fix wrong comment in xmlXPathRoundFunction. The implementation was already following the spec and rounding half up.
40f58521	2017-05-26T20:16:35	Fix axis traversal from attribute and namespace nodes When traversing the "preceding" axis from an attribute node, we must first go up to the attribute's containing element. Otherwise, text children of other attributes could be returned. This made it possible to hit a code path in xmlXPathNextAncestor which contained another bug: The attribute node was initialized with the context node instead of the current node. Normally, this code path is only hit via xmlXPathNextAncestorOrSelf in which case the current and context node are the same. The combination of the two bugs could result in an infinite loop, found with libFuzzer. Traversing the "following" and the "preceding" axis from namespace nodes should be handled similarly. This wasn't supported at all previously.
a07a4e96	2017-05-27T17:04:12	Fix spurious error message Commit c851970 introduced a spurious error message when evaluating XPath expressions with xmlXPathCompiledEvalToBoolean.
aed407c1	2017-05-25T16:57:14	Check for trailing characters in XPath expressions earlier Move the check for trailing characters from xmlXPathEval to xmlXPathEvalExpr. Otherwise, a valid portion of a syntactically invalid expression would be evaluated before returning an error.
c851970c	2017-05-27T15:26:11	Rework final handling of XPath results Move cleanup of XPath stack to xmlXPathFreeParserContext. This avoids memory leaks if valuePop fails in some error cases. Found with libFuzzer and ASan. Rework handling of the final XPath result object in xmlXPathCompiledEvalInternal and xmlXPathEval to avoid useless error messages.
640a368c	2017-05-27T14:59:49	Make xmlXPathEvalExpression call xmlXPathEval Both functions are supposed to do exactly the same.
cf60dbe4	2017-05-25T16:20:56	Fix memory leak in xmlXPathCompareNodeSetValue Implement TODO block to free the arguments in error case. Found with libFuzzer and ASan.
9d08b347	2017-05-21T16:46:12	Fix memory leak in xmlXPathNodeSetMergeAndClear Namespaces nodes must not be duplicated when merging. Found with libFuzzer and ASan.
95a9249a	2017-05-21T15:18:58	Fix memory leak in XPath filter optimizations Namespace nodes must be freed when selecting the first or last element of a node set. Found with libFuzzer and ASan.
d42a7063	2017-05-27T14:58:19	Fix memory leaks in XPath error paths Found with libFuzzer and ASan.
229d1f93	2016-08-22T13:21:57	Avoid function/data pointer conversion in xpath.c Fixes a `-pedantic` compiler warning.
9ab01a27	2016-06-28T14:22:23	Fix XPointer paths beginning with range-to The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131.
a0051993	2016-06-28T14:19:58	Fix comparison with root node in xmlXPathCmpNodes This change has already been made in xmlXPathCmpNodesExt but not in xmlXPathCmpNodes.
d8083bf7	2016-06-25T12:35:50	Fix NULL pointer deref in XPointer range-to - Check for errors after evaluating first operand. - Add sanity check for empty stack. Found with afl-fuzz.
4472c3a5	2016-05-13T15:13:17	Fix some format string warnings with possible format string vulnerability For https://bugzilla.gnome.org/show_bug.cgi?id=761029 Decorate every method in libxml2 with the appropriate LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups following the reports.
6eb0894a	2016-05-05T16:49:00	Fix memory leak with XPath namespace nodes Set hasNsNodes to 1 when adding namespace nodes via XP_TEST_HIT.
82b73039	2016-04-30T17:53:10	Fix namespace axis traversal When the namespace axis is traversed in "toBool" mode, the traversal can exit early, before visiting all nodes. In this case, the XPath context still contains a non-NULL tmpNsList. This means that - the check when to start a new traversal was wrong and - the tmpNsList could be leaked. Fixes bug #750037 and, by accident, bug #756075: https://bugzilla.gnome.org/show_bug.cgi?id=750037 https://bugzilla.gnome.org/show_bug.cgi?id=756075
839689a9	2016-04-27T18:00:12	Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression The ch1 slot of OP_VALUEs contains an invalid value. Ignore it. Fixes bug #760325: https://bugzilla.gnome.org/show_bug.cgi?id=760325
f39fd66e	2016-04-27T03:01:16	Fix namespace::node() XPath expression Make sure that xmlXPathNodeSetAddNs is called for namespace nodes when matched with a namespace::node() step. This correctly sets the parent of namespace nodes. Note that xmlXPathNodeSetAddNs must only be called if working on the namespace axis. Otherwise, the context node is not the parent of the namespace node and the standard XP_TEST_HIT macro must be invoked. This explains the errors in the C14N tests that the old TODO comment mentioned.
e2893903	2016-04-21T19:19:23	Fix parsing of NCNames in XPath The NCName parser would allow any NameChar as start character. For example, the following XPath expressions would compile: self::-abc self::0abc self::.abc
bb654feb	2016-04-13T16:56:07	Fix typos: dictio{ nn -> n }ar{y,ies} Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
d5bd2a9a	2016-04-03T05:14:44	Correct a typo.
3eaedba1	2015-07-11T14:27:34	Fix previous change to node sort order Commit ba58f23 broke comparison of nodes from different documents. Thanks to Olli Pottonen for the report.
ba58f23c	2015-03-08T16:44:11	Fix order of root nodes Make sure root nodes are sorted before other nodes.
f6aaabce	2015-03-08T16:05:26	Allow attributes on descendant-or-self axis If the context node is an attribute, the attribute itself is on the descendant-or-self axis. The principal node type of this axis is element, so the only node test that can return the attribute is "node()". In other words, "@attr/descendant-or-self::node()" is equivalent to "@attr". This matches the behavior of Saxon-CE.
07def30f	2014-03-21T19:38:08	Restore context size and position after XPATH_OP_ARG Fixes a bug with predicates: https://mail.gnome.org/archives/xml/2014-March/msg00014.html
75801652	2013-12-19T15:09:14	Fix typos in {tree,xpath}.c (errror) Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
03c67230	2013-12-20T00:01:53	Handling of XPath function arguments in error case The XPath engine tries to guarantee that every XPath function can pop 'nargs' non-NULL values off the stack. libxslt, for example, relies on this assumption. But the check isn't thorough enough if there are errors during the evaluation of arguments. This can lead to segfaults: https://mail.gnome.org/archives/xslt/2013-December/msg00005.html This commit makes the handling of function arguments more robust. * Bail out early when evaluation of XPath function arguments fails. * Make sure that there are 'nargs' arguments in the current call frame.
fcd45831	2013-11-28T23:01:44	Fix XPath node comparison bug For https://bugzilla.gnome.org/show_bug.cgi?id=715143
e8de99f9	2013-08-05T01:26:25	Fix XPath expressions of the form '@ns:*' Use namespace for match-all queries on the attribute axis.
b4bcba23	2013-08-05T00:15:11	Fix XPath '//' optimization with predicates My attempt to optimize XPath expressions containing '//' caused a regression reported in bug #695699. This commit disables the optimization for expressions of the form '//foo[predicate]'.
e28c8a1a	2013-08-03T14:22:54	#705267 - add additional defines checks for support "./configure --with-minimum" https://bugzilla.gnome.org/show_bug.cgi?id=705267
b9e4d5b6	2013-07-22T13:21:31	Remove occasional leading space in XPath number formatting https://bugzilla.gnome.org/show_bug.cgi?id=704528 Somehow snprintf "%.e" can generate a leading space, remove it
28876afb	2013-03-23T17:23:27	Add xmlXPathSetContextNode and xmlXPathNodeEval This patch adds xmlXPathSetContextNode and xmlXPathNodeEval, which make it easier to evaluation XPath expressions with a context node other than the document root without poking about inside the internals of the context. This patch is compile-tested only, and is my first libxml2 contribution, so please go easy. Signed-off-by: Alex Bligh <alex@alex.org.uk>
713434d2	2012-09-26T10:21:06	Silence a clang warning as reported by Hans Wennborg <hans@chromium.org>
7651606f	2012-09-11T14:02:08	Various cleanups to avoid compiler warnings
f8e3db04	2012-09-11T13:26:36	Big space and tab cleanup Remove all space before tabs and space and tabs at end of lines.
47881284	2012-09-07T14:24:50	Add a forbidden variable error number and message to XPath Related to https://bugzilla.gnome.org/show_bug.cgi?id=680938 When the XML_XPATH_NOVAR flags is being used it means that variables are forbidden, not that they are missing
1bd45d13	2012-09-05T15:35:19	Change the XPath code to percolate allocation errors looping 1000 time on an error stating that a nodeset has grown out of control is useless, make sure we percolate error up to the various loops and break when errors occurs
510e7583	2012-09-04T11:50:36	Fix a Timsort function helper comment

868e49cf

2021-03-16T10:36:04

Allow FP division by zero in xmlXPathInit

d25460da

2021-03-13T19:12:00

Fix XPath NaN/Inf for older GCC versions The DBL_MAX approach could lead to errors caused by excess precision. Switch back to the division-by-zero approach with a work-around for MSVC and use the extern globals instead of macro expressions.

e6ec58ec

2020-09-21T12:49:36

Fix null deref in XPointer expression error path Make sure that the filter functions introduced with commit c2f4da1a return node-sets without NULL pointers also in the error case. Found by OSS-Fuzz.

8b88503a

2020-09-18T19:15:27

Don't call xmlXPathInit directly Call xmlInitParser which uses a lock to avoid race conditions. Fixes #184.

6f1470a5

2020-08-25T18:50:45

Hardcode maximum XPath recursion depth Always limit nested functions calls to 5000. This avoids call stack overflows with deeply nested expressions. The expression parser produces about 10 nested function calls when parsing a subexpression in parentheses, so the effective nesting limit is about 500 which should be more than enough. Use a lower limit when fuzzing to account for increased memory usage when using sanitizers.

804c5297

2020-08-17T03:37:18

Stop using maxParserDepth in xpath.c Only use a single maxDepth value.

beb7d71a

2020-07-13T12:41:19

Remove misleading comments in xpath.c Fixes #169

9f42f6ba

2020-06-24T15:33:38

Don't follow next pointer on documents in xmlXPathRunStreamEval RVTs from libxslt are document nodes which are linked using the 'next' pointer. These pointers must never be used to navigate the document tree. Otherwise, random content from other RVTs could be returned when evaluating XPath expressions. It's interesting that this seemingly long-standing bug wasn't discovered earlier. This issue could also cause severe performance degradation. Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/37

487871b0

2020-06-10T13:23:43

Fix undefined behavior in xmlXPathTryStreamCompile &NULL[0] is undefined behavior.

20c60886

2020-03-08T17:19:42

Fix typos Resolves #133.

2c80fc91

2019-12-02T11:30:30

Fix more memory leaks in error paths of XPath parser Found by OSS-Fuzz.

d5f2f74d

2019-11-11T11:27:40

Fix memory leak in error path of XPath expr parser Also propagate memory errors. Found by OSS-Fuzz.

bfc0f674

2019-10-20T14:39:46

Audit memory error handling in xpath.c Memory allocation errors in the following functions a often ignored. Add TODO comments. - xmlXPathNodeSetCreate - xmlXPathNodeSetAdd* - xmlXPathNodeSetMerge* - xmlXPathNodeSetDupNs Note that the following functions currently lack a way to propagate memory errors: - xmlXPathCompareNodeSets - xmlXPathEqualNodeSets

429d4eca

2019-10-20T14:22:20

Propagate memory errors in valuePush Currently, many memory allocation errors in xpath.c aren't propagated to the parser/evaluation context and for the most part ignored. Most XPath objects allocated via one of the New, Wrap or Copy functions end up being pushed on the stack, so adding a check in valuePush handles many cases without much effort. Also simplify the code a little and make sure to return -1 in case of error.

390f05e7

2019-10-20T13:42:19

Propagate memory errors in xmlXPathCompExprAdd Make sure that memory errors in xmlXPathCompExprAdd are propagated to the parser context. Hitting the step limit or running out of memory without raising an error could also lead to an out-of-bounds read. Also fixes a memory leak in xmlXPathErrMemory. Found by OSS-Fuzz.

2a350ee9

2019-09-30T17:04:54

Large batch of typo fixes Closes #109.

6705f4d2

2019-09-16T15:45:27

Remove executable bit from non-executable files

5c0e48b8

2019-07-25T18:46:30

Fix typo: xpath: simpli{ -> fi}ed Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

59028ba0

2019-08-07T14:38:07

Fix possible null dereference in xmlXPathIdFunction If a certain memory allocation fails, xmlXPathIdFunction would dereference a null pointer. Closes #77.

b17e3d1c

2019-08-01T15:04:16

Work around buggy ceil() function on AIX AIX has a buggy ceil() function that does not handle negative-zero correctly. Closes #79.

e79a903f

2019-05-20T13:22:49

Remove redundant code in xmlXPathCompRelationalExpr Thanks to Anish K Kurian for the report. Closes #59.

44e7a0d5

2019-05-16T21:17:28

Annotate functions with __attribute__((no_sanitize))

14ed63b7

2019-05-08T12:00:51

Limit recursion depth in xmlXPathCompOpEvalPredicate

f75256e7

2019-04-23T17:23:39

Remove unreachable code in xmlXPathCountFunction After the initial test, the condition (type == XPATH_NODESET) || (type == XPATH_XSLT_TREE) always holds true.

949eced4

2019-04-22T16:04:26

Fix null deref in previous commit

c2f4da1a

2017-05-21T22:08:50

Improve XPath predicate and filter evaluation Consolidate code paths evaluating XPath predicates and filters. Don't push context node on stack when evaluating predicates. I have no idea why this was done. It seems completely useless and trying to pop the context node from a corrupted stack has already caused security issues. Filter nodesets in-place and don't create node sets with NULL gaps which allows to simplify merging a great deal. Simply move matched nodes backward and create a compact node set. Merge xmlXPathCompOpEvalPositionalPredicate into xmlXPathCompOpEvalPredicate.

012f8e92

2019-04-20T17:01:19

Limit recursion depth in xmlXPathOptimizeExpression

93a1d223

2019-04-16T13:37:47

Fix memory leaks in xmlXPathParseNameComplex error paths Found by OSS-Fuzz.

2d97a97a

2019-03-15T16:27:58

Optional recursion limit when parsing XPath expressions Useful to avoid call stack overflows when fuzzing. Note that parsing a parenthesized expression currently consumes more than 10 stack frames, so this limit should be set rather low.

64115ed6

2019-03-18T11:34:26

Optional recursion limit when evaluating XPath expressions Useful to avoid call stack overflows when fuzzing.

5153c7ba

2019-03-18T11:18:31

Use break statements in xmlXPathCompOpEval This prepares for the next commit.

852c93a2

2019-03-12T16:12:05

Optional XPath operation limit Optionally limit the maximum numbers of XPath operations when evaluating an expression. Useful to avoid timeouts when fuzzing. The following operations count towards the limit: - XPath operations - Location step iterations - Union operations Enabled by setting opLimit to a non-zero value. Note that it's the user's responsibility to reset opCount. This allows to enforce the operation limit across multiple reuses of an XPath context.

236dd6ab

2019-03-13T18:21:02

Check XPath stack after calling functions Check that there's exactly one return value on the stack after calling XPath functions. Otherwise, functions that corrupt the stack without signaling an error could lead to memory errors. Found with libFuzzer and UBSan.

30a6533e

2019-03-08T12:15:17

Fix float casts in xmlXPathSubstringFunction Rewrite conversion of double to int in xmlXPathSubstringFunction, adding range checks to avoid undefined behavior. Make sure to add start and length as floating-point numbers before converting to int. Fix a bug when rounding negative start indices. Remove unneeded calls to xmlXPathIs{Inf,NaN} and rely on IEEE math instead. Avoid computing the string length. xmlUTF8Strsub works as expected if the length of the requested substring exceeds the input. Found with libFuzzer and UBSan.

a4363749

2018-07-30T12:54:38

Fix nullptr deref with XPath logic ops If the XPath stack is corrupted, for example by a misbehaving extension function, the "and" and "or" XPath operators could dereference NULL pointers. Check that the XPath stack isn't empty and optimize the logic operators slightly. Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 https://bugzilla.redhat.com/show_bug.cgi?id=1595985 This is CVE-2018-14404. Thanks to Guy Inbar for the report.

b7c50b8d

2018-04-17T12:07:08

Remove stray character from comment Fixes bug #795316: https://bugzilla.gnome.org/show_bug.cgi?id=795316

fa33bf31

2017-05-25T00:45:10

Improve restoring of context size and position Restore context size and position where it is modified, not in seemingly random places.

665df41d

2018-04-16T19:37:34

Simplify and harden nodeset filtering If a nodeset to be filtered is empty, it can be returned without popping it from the stack. Make sure to restore the context node in all error paths and never set it to NULL. Save and restore the context node in RANGETO operations.

029d0e96

2017-05-25T01:28:27

Avoid unnecessary backups of the context node

938835e7

2017-05-25T01:21:57

Don't change context node in xmlXPathRoot

e22a83b1

2017-05-25T01:18:36

Stop using XPATH_OP_RESET It only sets the context node to NULL which doesn't seem useful and can even cause bugs like bug #795299: https://bugzilla.gnome.org/show_bug.cgi?id=795299

ebe12882

2018-04-16T18:18:11

Fix inconsistency in xmlXPathIsInf We don't use HUGE_VAL for INFINITY after the most recent fix.

7abec671

2018-03-15T19:33:52

NaN and Inf fixes for pre-C99 compilers On some pre-C99 compilers, the NAN and INFINITY macros don't expand to constant expressions. Some MSVC versions complain about floating point division by zero in constants. Thanks to Fabrice Manfroi for the report.

ddbb075b

2017-11-27T14:30:19

Fix xmlXPathIsNaN broken by recent commit

b2189571

2017-11-13T21:23:17

Fix -Wenum-compare warnings Also fixes a serious bug in xmlXPtrNewRangeNodePoint.

13acadbb

2017-11-12T17:28:12

Ignore function pointer cast warnings Use GCC pragmas as these warnings are enabled by -Wpedantic and there's no way to disable them selectively.

8813f397

2017-09-21T00:11:26

Simplify XPath NaN, inf and -0 handling Use C99 macros NAN, INFINITY, isnan, isinf. If they're not available: - Assume that (0.0 / 0.0) generates a NaN and !(x == x) tests for NaN. - Use C89's HUGE_VAL for INFINITY. Remove manual handling of NaN, infinity and negative zero in functions xmlXPathValueFlipSign and xmlXPathDivValues. Remove xmlXPathGetSign. All the tests for negative zero can be replaced with a test for negative or positive zero. Simplify xmlXPathRoundFunction. Remove Trio dependency. This should work on IEEE 754 compliant implementations even if the C99 macros aren't available, but will likely break some ancient platforms. If problems arise, my plan is to port the relevant trionan.c solution to xpath.c. Note that non-compliant implementations are impossible to fully support, anyway, since XPath requires IEEE 754.

e03f0a19

2017-11-09T16:42:47

Fix hash callback signatures Make sure that all parameters and return values of hash callback functions exactly match the callback function type. This is required to pass clang's Control Flow Integrity checks and to allow compilation to asm.js with Emscripten. Fixes bug 784861.

d2c329a9

2017-10-21T13:49:31

Fix -Wimplicit-fallthrough warnings Add "falls through" comments to quench implicit-fallthrough warnings which are enabled by -Wextra under GCC 7.

d422b954

2017-10-09T13:37:42

Fix pointer/int cast warnings on 64-bit Windows On 64-bit Windows, `long` is 32 bits wide and can't hold a pointer. Switch to ptrdiff_t instead which should be the same size as a pointer on every somewhat sane platform without requiring C99 types like intptr_t. Fixes bug 788312. Thanks to J. Peter Mugaas for the report and initial patch.

5af594d8

2017-10-07T14:54:45

Fix comparison of nodesets to strings Fix two bugs in xmlXPathNodeValHash which could lead to errors when comparing nodesets to strings: - Only use contents of text nodes to compute the hash for element nodes. Comments, PIs, and other node types don't affect the string-value and must be ignored. - Reset `string` to NULL for node types other than text. Reported by Aleksei on the mailing list: https://mail.gnome.org/archives/xml/2017-September/msg00016.html

0f3b843b

2017-06-01T23:12:19

Fix XPath stack frame logic Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in xmlXPathCompOpEvalPositionalPredicate to make sure that the context object on the stack is actually protected. Otherwise, memory corruption can occur when calling sloppily coded XPath extension functions. Fixes bug 783160.

3157cf4e

2017-09-20T16:13:29

Report undefined XPath variable error message Commit c851970 removed a redundant error message if XPath evaluation failed. This uncovered a case where an undefined XPath variable error wasn't reported correctly. Thanks to Petr Pisar for the report. Fixes bug 787941.

ca8635bf

2017-09-07T15:46:12

Fix debug dump of streaming XPath expressions The debug function xmlXPathDebugDumpCompExpr would crash when called with a "streaming" expression. Fixes bug 787368.

dbb828fe

2017-08-28T20:38:53

Fix missing part of comment for function xmlXPathEvalExpression()

454e397e

2017-08-28T14:30:43

Porting libxml2 on zOS encoding of code First set of patches for zOS - entities.c parser.c tree.c xmlschemas.c xmlschemastypes.c xpath.c xpointer.c: ask conversion of code to ISO Latin 1 to avoid having the compiler assume EBCDIC codepoint for characters. - xmlmodule.c: make sure we have support for modules - xmlIO.c: zOS path names are special avoid dsome of the expectstions from Unix/Windows

7482f41f

2017-06-01T22:00:19

Check for integer overflow in xmlXPathFormatNumber Check for overflow before casting double to int. Found with afl-fuzz and UBSan.

f4029cd4

2016-04-21T16:37:26

Check XPath exponents for overflow Avoid undefined behavior and wrong results with huge exponents. Found with afl-fuzz and UBSan.

a58331a6

2017-05-29T21:02:21

Check for overflow in xmlXPathIsPositionalPredicate Avoid undefined behavior when casting from double to int. Found with afl-fuzz and UBSan.

a851868a

2017-05-29T20:14:42

Parse small XPath numbers more accurately Don't count leading zeros towards the fraction size limit. This allows to parse numbers like 0.0000000000000000000000000000000000000000000000000000000001 which is the only standard-conformant way to represent such numbers, as scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath 2.0 and in libxml2 as an extension, though.) Overall accuracy is still bad, see bug 783238.

4bebb030

2016-04-21T13:41:09

Rework XPath rounding functions Use the C library's floor and ceil functions. The old code was overly complicated for no apparent reason and could result in undefined behavior when handling NaNs (found with afl-fuzz and UBSan). Fix wrong comment in xmlXPathRoundFunction. The implementation was already following the spec and rounding half up.

40f58521

2017-05-26T20:16:35

Fix axis traversal from attribute and namespace nodes When traversing the "preceding" axis from an attribute node, we must first go up to the attribute's containing element. Otherwise, text children of other attributes could be returned. This made it possible to hit a code path in xmlXPathNextAncestor which contained another bug: The attribute node was initialized with the context node instead of the current node. Normally, this code path is only hit via xmlXPathNextAncestorOrSelf in which case the current and context node are the same. The combination of the two bugs could result in an infinite loop, found with libFuzzer. Traversing the "following" and the "preceding" axis from namespace nodes should be handled similarly. This wasn't supported at all previously.

a07a4e96

2017-05-27T17:04:12

Fix spurious error message Commit c851970 introduced a spurious error message when evaluating XPath expressions with xmlXPathCompiledEvalToBoolean.

aed407c1

2017-05-25T16:57:14

Check for trailing characters in XPath expressions earlier Move the check for trailing characters from xmlXPathEval to xmlXPathEvalExpr. Otherwise, a valid portion of a syntactically invalid expression would be evaluated before returning an error.

c851970c

2017-05-27T15:26:11

Rework final handling of XPath results Move cleanup of XPath stack to xmlXPathFreeParserContext. This avoids memory leaks if valuePop fails in some error cases. Found with libFuzzer and ASan. Rework handling of the final XPath result object in xmlXPathCompiledEvalInternal and xmlXPathEval to avoid useless error messages.

640a368c

2017-05-27T14:59:49

Make xmlXPathEvalExpression call xmlXPathEval Both functions are supposed to do exactly the same.

cf60dbe4

2017-05-25T16:20:56

Fix memory leak in xmlXPathCompareNodeSetValue Implement TODO block to free the arguments in error case. Found with libFuzzer and ASan.

9d08b347

2017-05-21T16:46:12

Fix memory leak in xmlXPathNodeSetMergeAndClear Namespaces nodes must not be duplicated when merging. Found with libFuzzer and ASan.

95a9249a

2017-05-21T15:18:58

Fix memory leak in XPath filter optimizations Namespace nodes must be freed when selecting the first or last element of a node set. Found with libFuzzer and ASan.

d42a7063

2017-05-27T14:58:19

Fix memory leaks in XPath error paths Found with libFuzzer and ASan.

229d1f93

2016-08-22T13:21:57

Avoid function/data pointer conversion in xpath.c Fixes a `-pedantic` compiler warning.

9ab01a27

2016-06-28T14:22:23

Fix XPointer paths beginning with range-to The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131.

a0051993

2016-06-28T14:19:58

Fix comparison with root node in xmlXPathCmpNodes This change has already been made in xmlXPathCmpNodesExt but not in xmlXPathCmpNodes.

d8083bf7

2016-06-25T12:35:50

Fix NULL pointer deref in XPointer range-to - Check for errors after evaluating first operand. - Add sanity check for empty stack. Found with afl-fuzz.

4472c3a5

2016-05-13T15:13:17

Fix some format string warnings with possible format string vulnerability For https://bugzilla.gnome.org/show_bug.cgi?id=761029 Decorate every method in libxml2 with the appropriate LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups following the reports.

6eb0894a

2016-05-05T16:49:00

Fix memory leak with XPath namespace nodes Set hasNsNodes to 1 when adding namespace nodes via XP_TEST_HIT.

82b73039

2016-04-30T17:53:10

Fix namespace axis traversal When the namespace axis is traversed in "toBool" mode, the traversal can exit early, before visiting all nodes. In this case, the XPath context still contains a non-NULL tmpNsList. This means that - the check when to start a new traversal was wrong and - the tmpNsList could be leaked. Fixes bug #750037 and, by accident, bug #756075: https://bugzilla.gnome.org/show_bug.cgi?id=750037 https://bugzilla.gnome.org/show_bug.cgi?id=756075

839689a9

2016-04-27T18:00:12

Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression The ch1 slot of OP_VALUEs contains an invalid value. Ignore it. Fixes bug #760325: https://bugzilla.gnome.org/show_bug.cgi?id=760325

f39fd66e

2016-04-27T03:01:16

Fix namespace::node() XPath expression Make sure that xmlXPathNodeSetAddNs is called for namespace nodes when matched with a namespace::node() step. This correctly sets the parent of namespace nodes. Note that xmlXPathNodeSetAddNs must only be called if working on the namespace axis. Otherwise, the context node is not the parent of the namespace node and the standard XP_TEST_HIT macro must be invoked. This explains the errors in the C14N tests that the old TODO comment mentioned.

e2893903

2016-04-21T19:19:23

Fix parsing of NCNames in XPath The NCName parser would allow any NameChar as start character. For example, the following XPath expressions would compile: self::-abc self::0abc self::.abc

bb654feb

2016-04-13T16:56:07

Fix typos: dictio{ nn -> n }ar{y,ies} Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

d5bd2a9a

2016-04-03T05:14:44

Correct a typo.

3eaedba1

2015-07-11T14:27:34

Fix previous change to node sort order Commit ba58f23 broke comparison of nodes from different documents. Thanks to Olli Pottonen for the report.

ba58f23c

2015-03-08T16:44:11

Fix order of root nodes Make sure root nodes are sorted before other nodes.

f6aaabce

2015-03-08T16:05:26

Allow attributes on descendant-or-self axis If the context node is an attribute, the attribute itself is on the descendant-or-self axis. The principal node type of this axis is element, so the only node test that can return the attribute is "node()". In other words, "@attr/descendant-or-self::node()" is equivalent to "@attr". This matches the behavior of Saxon-CE.

07def30f

2014-03-21T19:38:08

Restore context size and position after XPATH_OP_ARG Fixes a bug with predicates: https://mail.gnome.org/archives/xml/2014-March/msg00014.html

75801652

2013-12-19T15:09:14

Fix typos in {tree,xpath}.c (errror) Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

03c67230

2013-12-20T00:01:53

Handling of XPath function arguments in error case The XPath engine tries to guarantee that every XPath function can pop 'nargs' non-NULL values off the stack. libxslt, for example, relies on this assumption. But the check isn't thorough enough if there are errors during the evaluation of arguments. This can lead to segfaults: https://mail.gnome.org/archives/xslt/2013-December/msg00005.html This commit makes the handling of function arguments more robust. * Bail out early when evaluation of XPath function arguments fails. * Make sure that there are 'nargs' arguments in the current call frame.

fcd45831

2013-11-28T23:01:44

Fix XPath node comparison bug For https://bugzilla.gnome.org/show_bug.cgi?id=715143

e8de99f9

2013-08-05T01:26:25

Fix XPath expressions of the form '@ns:*' Use namespace for match-all queries on the attribute axis.

b4bcba23

2013-08-05T00:15:11

Fix XPath '//' optimization with predicates My attempt to optimize XPath expressions containing '//' caused a regression reported in bug #695699. This commit disables the optimization for expressions of the form '//foo[predicate]'.

e28c8a1a

2013-08-03T14:22:54

#705267 - add additional defines checks for support "./configure --with-minimum" https://bugzilla.gnome.org/show_bug.cgi?id=705267

b9e4d5b6

2013-07-22T13:21:31

Remove occasional leading space in XPath number formatting https://bugzilla.gnome.org/show_bug.cgi?id=704528 Somehow snprintf "%*.*e" can generate a leading space, remove it

28876afb

2013-03-23T17:23:27

Add xmlXPathSetContextNode and xmlXPathNodeEval This patch adds xmlXPathSetContextNode and xmlXPathNodeEval, which make it easier to evaluation XPath expressions with a context node other than the document root without poking about inside the internals of the context. This patch is compile-tested only, and is my first libxml2 contribution, so please go easy. Signed-off-by: Alex Bligh <alex@alex.org.uk>

713434d2

2012-09-26T10:21:06

Silence a clang warning as reported by Hans Wennborg <hans@chromium.org>

7651606f

2012-09-11T14:02:08

Various cleanups to avoid compiler warnings

f8e3db04

2012-09-11T13:26:36

Big space and tab cleanup Remove all space before tabs and space and tabs at end of lines.

47881284

2012-09-07T14:24:50

Add a forbidden variable error number and message to XPath Related to https://bugzilla.gnome.org/show_bug.cgi?id=680938 When the XML_XPATH_NOVAR flags is being used it means that variables are forbidden, not that they are missing

1bd45d13

2012-09-05T15:35:19

Change the XPath code to percolate allocation errors looping 1000 time on an error stating that a nodeset has grown out of control is useless, make sure we percolate error up to the various loops and break when errors occurs

510e7583

2012-09-04T11:50:36

Fix a Timsort function helper comment

kc3-lang/libxml2/xpath.c

xpath.c

Log