Log

Author Commit Date CI Message
Jan Pokorný 39f10232 2019-08-09T09:44:11 Fix typos: tree: move{ -> s}, reconcil{i -> }ed, h{o -> e}ld by... ...seems to { -> be to} add. Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
Jan Pokorný 5c0e48b8 2019-07-25T18:46:30 Fix typo: xpath: simpli{ -> fi}ed Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
zhouzhongyuan 0571b4e6 2019-08-09T15:39:17 Fix null deref in xmlreader buffer
Jan Pokorný ea695ac0 2019-08-09T15:09:22 Fix inability to RelaxNG-validate grammar with choice-based name class Previously, test/relaxng/ambig_name-class2.xml would fail to validate against test/relaxng/ambig_name-class2.rng: > test/relaxng/ambig_name-class2.rng:4: > element attribute: Relax-NG parser error : > Found anyName attribute without oneOrMore ancestor > Relax-NG schema test/relaxng/ambig_name-class2.rng failed to compile Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
Jan Pokorný 8074b881 2019-08-08T23:33:48 Fix inability to validate ambiguously constructed interleave for RelaxNG Previously, test/relaxng/ambig_name-class.xml would fail to validate for a simple reason -- interleave within "open-name-class" context is supposed to be fine with whatever else is pending the consumption, since effectively, it's unrelated from a higher parsing perspective. Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
Jan Pokorný 81958b6e 2019-07-11T19:24:11 Doc: do not mislead towards "infeasible" scenario wrt. xmlBufNodeDump At least when merely public API is to be leveraged, one cannot use xmlBufCreate function that would otherwise be a clear fit, and relying on some invariants wrt. how some other struct fields will get initialized along the construction/filling such parent struct and (ab)using that instead does not appear clever, either. Hence, instruct people what's the Right Thing for the moment, that is, make them use xmlNodeDumpOutput instead (together with likewise public xmlAllocOutputBuffer). Going forward, it's questionable what to do with xmlBuf* family of functions that are once public, since they, for any practical purpose, cannot be used by the library clients (that's how I've run into this). Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
zhouzhongyuan 59028ba0 2019-08-07T14:38:07 Fix possible null dereference in xmlXPathIdFunction If a certain memory allocation fails, xmlXPathIdFunction would dereference a null pointer. Closes #77.
Daniel Richard G b17e3d1c 2019-08-01T15:04:16 Work around buggy ceil() function on AIX AIX has a buggy ceil() function that does not handle negative-zero correctly. Closes #79.
Daniel Richard G 6c91dd94 2019-08-01T15:01:47 Don't call printf with NULL string in runtest.c Avoids undefined behavior causing problems on HP-UX and Solaris. Closes #78.
Hugh McMaster 2f2bf4b2 2019-07-31T20:21:47 xml2-config.in: Output CFLAGS and LIBS on the same line xml2-config currently outputs the results of '--cflags --libs' on two lines. Printing this information on one line is far more useful.
zhouzhongyuan 0c1b4fd2 2019-07-13T10:47:25 Fix comments in test code
zhouzhongyuan 4f67dbb0 2019-07-09T15:11:01 fix memory leak in xmlAllocOutputBuffer
Hugh McMaster 1fc410d3 2019-07-01T22:22:14 xml2-config: Add a --dynamic switch to print only shared libraries `xml2-config --libs` prints static library linking information by default. This is un-necessary for most programs, so introduce a new option, --dynamic, which, when combined with --libs, only prints shared library linking information.
Stephen Chenney 87125732 2019-07-08T12:54:21 Switched from unsigned long to ptrdiff_t in parser.c Using unsigned long instead of ptrdiff_t results in non-zero pointer deltas being stored as zero delta, giving incorrect offsets into arrays and hence out of bounds reads. This patch fixes the issue in all places in parser.c and adds a macro to reduce the chances of cut-and-paste errors. Only affects platforms where 'sizeof(long) < sizeof(size_t)' like 64-bit Windows. See https://bugs.chromium.org/p/chromium/issues/detail?id=894933 Closes #44.
Nick Wellnhofer 63484962 2019-07-08T12:28:39 Remove redundant code in xmlRelaxNGValidateState Closes #70.
Jens Eggerstedt b3a95d57 2019-05-21T11:21:29 Fix unsigned int overflow
zhouzhongyuan 0df3c2c9 2019-06-28T17:34:24 fix comment in testReader.c
Nick Wellnhofer 37189c08 2019-07-08T12:18:24 dict.h: gcc 2.95 doesn't allow multiple storage classes This is a partial revert of commit c71f9305. I'm not sure what issue this commit was trying to solve but it seems to be related to a circular dependency. It might be related to tree.h being included from dict.h which is unnecessary. Resolves !22.
Nick Wellnhofer 01ea9c5a 2019-07-08T11:29:40 Fix another code path in xmlParseQName Check for buffer errors in another code path missed in the previous commit. Found by OSS-Fuzz.
Nick Wellnhofer 5ccac8ce 2019-06-27T10:23:36 Make sure that xmlParseQName returns NULL in error case If there's an error growing the input buffer when recovering from invalid QNames, make sure to return NULL. Otherwise, callers could be confused. In xmlParseStartTag2, for example, `tlen` could become negative. Found by OSS-Fuzz.
Nick Wellnhofer f209e551 2019-06-25T11:45:16 Fix build without reader but with pattern Broken by commit dbc6b55b.
Nick Wellnhofer f824a4bd 2019-05-20T13:26:08 Fix memory leak in xmlAllocOutputBufferInternal error path Thanks to Anish K Kurian for the report. Closes #60.
Nick Wellnhofer e79a903f 2019-05-20T13:22:49 Remove redundant code in xmlXPathCompRelationalExpr Thanks to Anish K Kurian for the report. Closes #59.
Nick Wellnhofer 44e7a0d5 2019-05-16T21:17:28 Annotate functions with __attribute__((no_sanitize))
Nick Wellnhofer f9fce963 2019-05-16T21:16:01 Fix unsigned integer overflow It's defined behavior but -fsanitize=unsigned-integer-overflow is useful to discover bugs.
Nick Wellnhofer dbc6b55b 2019-05-16T21:06:56 Fix warnings when compiling without reader or push parser
Nick Wellnhofer 407b393d 2019-05-15T12:47:28 Fix return value of xmlOutputBufferWrite When using memory buffers, the total size of the buffer was added again and again, potentially leading to an integer overflow. Found by OSS-Fuzz.
David Warring 3c0d62b4 2019-05-13T07:15:44 Fix parser termination from "Double hyphen within comment" error The patch fixes the parser not halting immediately when the error handler attempts to stop the parser. Rather it was running on and continuing to reference the freed buffer in the while loop termination test. This is only a problem if xmlStopParser is called from an error handler. Probably caused by commit 123234f2. Fixes #58.
Nick Wellnhofer 96125557 2019-05-10T12:30:03 Remove unused member `doc` in xmlSaveCtxt
Nick Wellnhofer 14ed63b7 2019-05-08T12:00:51 Limit recursion depth in xmlXPathCompOpEvalPredicate
Nick Wellnhofer ad93f087 2019-04-25T12:47:49 Remove -Wno-array-bounds It's unsupported on GCC versions older than 4.3 and the false positives seem to be fixed in newer versions.
Jérôme Duval 9948a9a3 2019-04-05T06:34:59 timsort.h: support older GCCs cherry-pick upstream pull request: __builtin_clzll isn't available on older GCCs
Nick Wellnhofer 346febc6 2019-04-25T11:34:08 Fix call stack overflow in xmlFreePattern Since xmlFreePattern tried to free the next pattern recursively, its behavior is identical to xmlFreePatternList. Make it call xmlFreePatternList to avoid call stack overflows. Found by OSS-Fuzz.
Nick Wellnhofer f75256e7 2019-04-23T17:23:39 Remove unreachable code in xmlXPathCountFunction After the initial test, the condition (type == XPATH_NODESET) || (type == XPATH_XSLT_TREE) always holds true.
Nick Wellnhofer 949eced4 2019-04-22T16:04:26 Fix null deref in previous commit
Nick Wellnhofer c2f4da1a 2017-05-21T22:08:50 Improve XPath predicate and filter evaluation Consolidate code paths evaluating XPath predicates and filters. Don't push context node on stack when evaluating predicates. I have no idea why this was done. It seems completely useless and trying to pop the context node from a corrupted stack has already caused security issues. Filter nodesets in-place and don't create node sets with NULL gaps which allows to simplify merging a great deal. Simply move matched nodes backward and create a compact node set. Merge xmlXPathCompOpEvalPositionalPredicate into xmlXPathCompOpEvalPredicate.
Nick Wellnhofer 012f8e92 2019-04-20T17:01:19 Limit recursion depth in xmlXPathOptimizeExpression
Nick Wellnhofer 93a1d223 2019-04-16T13:37:47 Fix memory leaks in xmlXPathParseNameComplex error paths Found by OSS-Fuzz.
Nick Wellnhofer fa3166c2 2019-04-12T12:03:04 Disable hash randomization when fuzzing Use the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION macro proposed by libFuzzer.
Nick Wellnhofer 2d97a97a 2019-03-15T16:27:58 Optional recursion limit when parsing XPath expressions Useful to avoid call stack overflows when fuzzing. Note that parsing a parenthesized expression currently consumes more than 10 stack frames, so this limit should be set rather low.
Nick Wellnhofer 64115ed6 2019-03-18T11:34:26 Optional recursion limit when evaluating XPath expressions Useful to avoid call stack overflows when fuzzing.
Nick Wellnhofer 5153c7ba 2019-03-18T11:18:31 Use break statements in xmlXPathCompOpEval This prepares for the next commit.
Nick Wellnhofer 852c93a2 2019-03-12T16:12:05 Optional XPath operation limit Optionally limit the maximum numbers of XPath operations when evaluating an expression. Useful to avoid timeouts when fuzzing. The following operations count towards the limit: - XPath operations - Location step iterations - Union operations Enabled by setting opLimit to a non-zero value. Note that it's the user's responsibility to reset opCount. This allows to enforce the operation limit across multiple reuses of an XPath context.
Nick Wellnhofer 91d576de 2019-04-09T13:16:50 Make configure.ac work with older pkg-config Older versions of pkg.m4 require the action-if-not-found argument of the PKG_CHECK_MODULES macro to be non-empty. Use a colon (null command) instead of an empty string. Fixes #50.
Nick Wellnhofer 0f518611 2019-04-08T14:02:11 Fix compilation with --with-minimum Presence of xmlEncodeAttributeEntities doesn't depend on output module. Fixes #52.
Nick Wellnhofer b9bdb9db 2019-03-19T17:44:51 Check for integer overflow in xmlXPtrEvalChildSeq Found with libFuzzer and UBSan.
Nick Wellnhofer 236dd6ab 2019-03-13T18:21:02 Check XPath stack after calling functions Check that there's exactly one return value on the stack after calling XPath functions. Otherwise, functions that corrupt the stack without signaling an error could lead to memory errors. Found with libFuzzer and UBSan.
Nick Wellnhofer c494a0ba 2019-03-12T14:45:04 Fix xmllint dump of XPath namespace nodes Starting with commit da35eeae, xmllint uses the xmlNodeDump API to dump XPath nodes. Make sure not to access node->doc which doesn't work with namespace nodes.
Nick Wellnhofer 30a6533e 2019-03-08T12:15:17 Fix float casts in xmlXPathSubstringFunction Rewrite conversion of double to int in xmlXPathSubstringFunction, adding range checks to avoid undefined behavior. Make sure to add start and length as floating-point numbers before converting to int. Fix a bug when rounding negative start indices. Remove unneeded calls to xmlXPathIs{Inf,NaN} and rely on IEEE math instead. Avoid computing the string length. xmlUTF8Strsub works as expected if the length of the requested substring exceeds the input. Found with libFuzzer and UBSan.
Nick Wellnhofer 09797c13 2019-03-05T15:14:34 Fix null deref in xmlregexp error path Thanks to Shaobo He for the report.
Nick Wellnhofer 8161b463 2019-02-28T12:25:05 Remove debug printf in xmlreader.c Fixes #46.
Nick Wellnhofer 9a82ae30 2019-02-28T12:18:37 Stop defining _REENTRANT on some Win32 platforms The _REENTRANT macro was defined unconditionally on some Win32 builds using the Microsoft C runtime. It shouldn't have an effect under MSVCRT and was presumably only defined because of the LIBXML_THREAD_ENABLED issue fixed with the previous commit.
Michael Haubenwallner cf68fe3d 2019-02-27T15:00:14 Always define LIBXML_THREAD_ENABLED when enabled When libxml2 is compiled with threads enabled, have the header file define LIBXML_THREAD_ENABLED even if the subsequent application by itself does not enable threads. Otherwise, the application would see the unthreaded API functions, but these are not exported (where it does make a difference, like on Win32 based platforms).
Nick Wellnhofer 2c8dc715 2019-02-25T12:00:50 Fix null pointer dereference in xmlTextReaderReadOuterXml Fix a regression caused by commit 39fbfb4f. If xmlTextReaderReadOuterXml is called on a pristine xmlReader, the current node is NULL and must not be dereferenced. Move the call to xmlTextReaderExpand to the start of the function to make sure that we have a valid node. Fixes #43.
Nick Wellnhofer a7fe7ee4 2019-02-15T17:28:38 Regenerate NEWS
Nick Wellnhofer 538d827c 2019-02-15T17:26:38 Change git repo URL
Nick Wellnhofer 04fbfa3f 2019-02-15T17:20:18 Change bug tracker URL
Nick Wellnhofer 656df97d 2019-02-15T17:05:16 Remove outdated HTML file
Nick Wellnhofer d3de7578 2019-01-15T12:33:48 Fix nanohttp.c on MinGW Commit e3890546 broke nanohttp.c on (old) MinGW. MinGW-w64 wasn't affected. Should fix #36. Thanks to Simon Sobisch for the report.
Nick Wellnhofer b48226f7 2019-01-07T17:58:32 Fix memory leaks in xmlParseStartTag2 error paths Found by OSS-Fuzz.
Nick Wellnhofer 6b49db2c 2019-01-07T17:14:21 Fix memory leak in xmlSAX2StartElement Introduced by a recent commit. Only happens if max depth is exceeded in SAX1 mode. Found by OSS-Fuzz.
Nick Wellnhofer 26828cb3 2019-01-07T16:52:42 Fix commit "Memory leak in xmlFreeID (xmlreader.c)" The recent commit "Memory leak in xmlFreeID (xmlreader.c)" introduced a double-free.
Nick Wellnhofer 57d4329b 2018-01-23T17:33:42 Merge testThreadsWin32.c into testThreads.c Apply the same cross-platform modifications as previously in runtest.c.
Nick Wellnhofer 7f40ed01 2018-01-23T16:40:36 Fix Python bindings under Windows - Correct linker flags for MinGW-w64 - Adjust PATH to find libxml2.dll when running tests
Nick Wellnhofer 619534ef 2018-01-23T17:36:23 Fix Windows compiler warning in testC14N.c
Nick Wellnhofer e8fdf5df 2019-01-01T19:20:22 Fix unused function warning in testapi.c Check whether all param and return types are known before generating functions for param types. Otherwise, unused functions end up in testapi.c.
Nick Wellnhofer 731b5064 2019-01-01T18:43:02 Add some generated test files to .gitignore
Nick Wellnhofer dcae579e 2019-01-01T16:48:40 Remove unneeded function pointer casts
Nick Wellnhofer 19f0950d 2019-01-01T16:38:42 Fix -Wcast-function-type warnings (GCC 8) Use xmlGenericError instead of fprintf as error handler. It also prints to stderr by default.
Nick Wellnhofer 8919885f 2019-01-01T16:30:38 Fix -Wformat-truncation warnings (GCC 8)
Nick Wellnhofer 157cd3ae 2018-11-24T15:46:00 Fix NULL pointer deref in xmlTextReaderValidateEntity Found by OSS-Fuzz.
Nick Wellnhofer 57a3af56 2018-11-24T12:14:55 Memory leak in xmlFreeTextReader In error cases, there might still be elements in the vstate table. Since vstateVPop in valid.c is private, we have to pop the elements with xmlValidatePopElement. This inspects nodes of the document, so the reader doc must be freed after clearing the vstate table. Found by OSS-Fuzz.
Nick Wellnhofer efe8c093 2018-11-24T11:39:32 Memory leak in xmlFreeID (xmlreader.c) Fix a memory leak in xmlReader's private copy of xmlFreeID. Only affects validation with NODICT. Found by OSS-Fuzz.
Daniel Veillard f8a8c1f5 2019-01-03T19:14:17 Release of libxml2-2.9.9 * configure.ac doc/news.html doc/xml.html doc/libxml2.xsa: making changes for the release Signed-off-by: Daniel Veillard <veillard@redhat.com>
Nikolai Weibull 7c4949af 2019-01-01T19:58:07 Fix "Problem with data in interleave in RelaxNG validation" Fixes commit c8e5f958. https://mail.gnome.org/archives/xml/2018-November/msg00029.html
Nick Wellnhofer 6fc04d71 2018-11-23T22:56:03 Revert "Support xmlTextReaderNextSibling w/o preparsed doc" This reverts commit bfec41b3de1cbd35e547b57c80ae3a5101f8891c which caused problems with the XML::LibXML Perl bindings. https://mail.gnome.org/archives/xml/2018-November/msg00010.html
Thomas Holder a71b98ec 2018-11-05T14:26:26 cleanup: remove some unreachable code
Thomas Holder b1f87c0e 2018-11-05T14:20:16 Fix building relative URIs Examples: testURI --relative --base file:///a file:///b New correct result: b Old incorrect result: ../b testURI --relative --base file:///a file:/// New correct result: ./ Old incorrect result: ../ testURI --relative --base file:///a/b file:///a/ New correct result: ./ Old incorrect result: ../../a/
Thomas Holder 25f13e77 2018-11-05T13:53:00 add --relative to testURI Example: testURI --relative --base file:///a/b/c file:///a/x/y Result: ../x/y
Mohammed Sadiq c7461f65 2018-11-03T21:19:13 reader: Fix documentation comment
Nikolai Weibull c64d4efb 2018-10-13T00:12:12 Remove redefined starts and defines inside include elements When including a grammar from another grammar, we need to make sure that any redefines of starts and includes that that grammar does inside any of its include elements are also removed.
Nikolai Weibull 46da8fc5 2018-10-12T23:46:24 Allow choice within choice in nameClass in RELAX NG The pattern nameClass allows for nested choice elements, for example <name> <choice> <choice> <name>a</name> <name>b</name> </choice> <name>c</name> </choice> </name> which is semantically equivalent to <name> <choice> <name>a</name> <name>b</name> <name>c</name> </choice> </name> The old code didn’t handle this correctly, as it never expected a choice inside another choice. This patch fixes this by flattening any nested choices. This pattern of nested choice elements comes up in RELAX NG simplification, where all choice elements are rewritten in this nested manner, see section 4.12 of the RELAX NG specification.
Nikolai Weibull 4338c310 2018-10-12T22:30:26 Look inside divs for starts and defines inside include RELAX NG allows for div elements inside of include elements. We need to look inside those div elements for start and define elements that may be redefining start and define elements in the included grammar.
Nikolai Weibull 3c614191 2018-10-12T22:30:10 Add compile and libxml2-config.cmake to .gitignore
Nikolai Weibull c8e5f958 2018-11-22T18:09:51 Problem with data in interleave in RelaxNG validation Reported in https://mail.gnome.org/archives/xml/2018-October/msg00003.html The issue seems to be that we build groups of what can be matched by the interleave, but that these groups don’t include data, list, and value elements, only element and text elements. This patch extends xmlRelaxNGGetElements so that it can return these elements for us in xmlRelaxNGComputeInterleaves. Then we make sure to update xmlRelaxNGNodeMatchesList as well so that it accepts the correct types.
Nick Wellnhofer 3776cb47 2018-11-22T15:27:28 Fix memory leak in xmlSwitchInputEncodingInt error path Found by OSS-Fuzz.
Nick Wellnhofer 1567b55b 2018-11-22T14:28:58 Set doc on element obtained from freeElems In commit 8c9daf79, a call to xmlFreeNode was added in xmlSAX2StartElementNs. If a node was obtained from the freeElems list, make sure to set the doc, otherwise xmlFreeNode wouldn't realize that the node name might be in the dictionary, causing an invalid free. Note that the issue fixed in commit 8c9daf79 requires commit 0ed6addb and this one to work properly. Found by OSS-Fuzz.
Nick Wellnhofer fc27759d 2018-11-06T10:17:35 Fix MSVC build with lzma
Nick Wellnhofer d459831c 2018-10-13T16:12:14 Fix HTML serialization with UTF-8 encoding If the encoding is specified as UTF-8, make sure to use a NULL encoding handler.
Nick Wellnhofer ee501f54 2018-10-13T15:23:35 Stop using doc->charset outside parser code doc->charset does not specify the in-memory encoding which is always UTF-8.
Nick Wellnhofer 39fbfb4f 2018-09-25T12:57:04 Use actual doc in xmlTextReaderRead*Xml Otherwise the encoding of the document is ignored and non-ASCII characters are serialized as numeric references even if the encoding is specified as UTF-8.
Nick Wellnhofer da35eeae 2018-09-23T01:09:56 Add newlines to 'xmllint --xpath' output Separate nodes in a node-set with newlines and always add a terminating newline. This is a breaking change but the old behavior of dumping text nodes without separator was mostly useless. Also use buffered I/O when dumping node-sets.
Michael Haubenwallner 73b2417c 2018-09-22T15:45:02 Variables need 'extern' in static lib on Cygwin While the dllimport/dllexport macros now work for Cygwin, using the static library still requires variables to be declared as 'extern'. This is a regression of c65c9e8ee07e2dab0647392c2bd1795a5bc99829, found+fixed by Bruno Haible using static libxml embedded in gettext.
Nick Wellnhofer 0ed6addb 2018-09-22T15:41:01 Unlink node before freeing it in xmlSAX2StartElement The node may have been added to the document already, so it must be unlinked first. Thanks to David Kilzer for spotting this.
Nick Wellnhofer 8c9daf79 2018-09-12T13:42:27 Check return value of nodePush in xmlSAX2StartElement If the maximum depth is exceeded, nodePush halts the parser which results in freeing the input buffer since the previous commit. This invalidates the attribute pointers, so the error condition must be checked. Found by OSS-Fuzz.
Nick Wellnhofer 123234f2 2018-09-11T14:52:07 Free input buffer in xmlHaltParser This avoids miscalculation of available bytes. Thanks to Yunho Kim for the report. Closes: #26
Nick Wellnhofer 60173c82 2018-09-11T14:08:39 Reset HTML parser input pointers on encoding failure Call xmlBufResetInput before bailing out if switching the encoding fails. Otherwise, the input pointers could be left in an invalid state. Similar to commit f9e7997e803457b714352c4d51a96104ae298d94 for the XML parser. Thanks to Yunho Kim for the report. Closes: #27
Nick Wellnhofer dc6d2a49 2018-09-04T17:13:29 Don't run icu_parse_test if EUC-JP is unsupported Closes: #25
Greg Hildstrom b697d7bb 2018-09-04T16:48:15 Fix xmlSchemaValidCtxtPtr reuse memory leak When reusing an xmlSchemaValidCtxtPtr to validate multiple xml documents against the same schema, there is a memory leak in xmlschemas.c in xmlSchemaClearValidCtxt(). The vctxt->idcKeys and associated counters are not cleaned up in xmlSchemaClearValidCtxt() as they are in xmlSchemaFreeValidCtxt(). As a result, vctxt->idcKeys grows with each xmlValidateDoc() call that uses the same context and that memory is never freed. Similarly, vctxt->nbIdcKeys and vctxt->sizeIdcKeys increment and are never reset. Closes: #23
Nick Wellnhofer 1dafb427 2018-09-03T15:29:50 Don't include SAX.h from globals.h SAX.h contains a legacy interface with several unprefixed symbols like `reference`, causing severe namespace pollution. The globals.h header doesn't need any of these symbols, so remove the #include.