kmx git

Commit	Date	Message
43a8836c	2020-05-31T18:46:21	Fix rebuilding docs, by hiding __attribute__((...)) behind a macro. When enabled via `./configure --enable-rebuild-docs`, `make -C doc libxml2-api.xml` will invoke apibuild.py to rebuild libxml2-api.xml from the sources. But the code added in 9fa3200cb366c726f7c8ef234282603bb9e8816d made it error out with ``` Parsing ../parser.c Parse Error: parsing type : expecting a name ('Got token ', ('sep', '(')) ('Last token: ', ('sep', '(')) ('Token queue: ', [('name', 'destructor'), ('sep', ')'), ('sep', ')')]) ('Line 14689 end: ', '') ```
9f42f6ba	2020-06-24T15:33:38	Don't follow next pointer on documents in xmlXPathRunStreamEval RVTs from libxslt are document nodes which are linked using the 'next' pointer. These pointers must never be used to navigate the document tree. Otherwise, random content from other RVTs could be returned when evaluating XPath expressions. It's interesting that this seemingly long-standing bug wasn't discovered earlier. This issue could also cause severe performance degradation. Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/37
18425d3a	2020-06-21T19:14:23	Fix integer overflow in _xmlSchemaParseGYear Found with libFuzzer and UBSan.
070d635e	2020-06-21T16:26:38	Fix integer overflow when parsing {min,max}Occurs Clamp value to INT_MAX. Found with libFuzzer and UBSan.
c0440868	2020-06-22T13:08:11	Copy xs:duration parser from libexslt The duration parser in libexslt checks for integer overflows.
50f18830	2020-06-21T15:21:45	Fix another memory leak in xmlSchemaValAtomicType Don't collapse language IDs twice. Found with libFuzzer and ASan.
eac1c7e2	2020-06-21T14:42:00	Fuzz target for XML Schemas This only tests the schema parser for now.
ffd31dbe	2020-06-21T12:14:19	Move entity recorder to fuzz.c
681f094e	2020-06-15T15:23:05	Fix unsigned integer overflow in htmlParseTryOrFinish Cast to signed type before subtraction to avoid unsigned integer overflow. Also use ptrdiff_t to avoid potential integer truncation. Found with libFuzzer and UBSan.
31ca4a72	2020-06-15T18:47:53	Fix integer overflow in htmlParseCharRef Fixes #115.
2f938203	2020-06-15T15:45:47	Fix undefined behavior in UTF16LEToUTF8 Don't perform arithmetic on null pointer. Found with libFuzzer and UBSan.
536f421d	2020-06-15T12:20:54	Fuzz target for HTML parser
a697ed1e	2020-06-15T14:49:22	Fix return value of xmlCharEncOutput Commit 407b393d introduced a regression caused by xmlCharEncOutput returning 0 in case of success instead of the number of bytes written. Always use its return value for nbchars in xmlOutputBufferWrite. Fixes #166.
af893a58	2020-06-11T16:08:16	Update GitLab CI container
a28f7d87	2020-06-10T13:41:13	Never expand parameter entities in text declaration When parsing the text declaration of external DTDs or entities, make sure that parameter entities are not expanded. This also fixes a memory leak in certain error cases. The change to xmlSkipBlankChars assumes that the parser state is maintained correctly when parsing external DTDs or parameter entities, and might expose bugs in the code that were hidden previously. Found by OSS-Fuzz.
487871b0	2020-06-10T13:23:43	Fix undefined behavior in xmlXPathTryStreamCompile &NULL[0] is undefined behavior.
e98150d4	2020-06-09T13:45:31	Add options file for xml fuzzer This will be picked up OSS-Fuzz, limiting the maximum input size to 80 KB and hopefully avoiding timeouts. Some of the timeouts seem to be related to our suboptimal handling of excessive entity expansion. The new fuzzers support external entities and make this problem even more prominent.
2af3c2a8	2020-06-08T12:49:51	Fix use-after-free with validating reader Just like IDs, IDREF attributes must be removed from the document's refs table when they're freed by a reader. This bug is often hidden because xmlAttr structs are reused and strings are stored in a dictionary unless XML_PARSE_NODICT is specified. Found by OSS-Fuzz.
00ed736e	2020-06-05T12:49:25	Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c.
2e8cc66d	2020-05-30T15:40:08	xmlParseBalancedChunkMemory must not be called with NULL doc There is no way to avoid memory leaks without a document to hold the namespace list.
a0a8059b	2020-05-30T15:33:03	Revert "Fix memory leak in xmlParseBalancedChunkMemoryRecover" This reverts commit 5a02583c7e683896d84878bd90641d8d9b0d0549. Fixes #161.
ff009f99	2020-05-30T15:32:25	Fix memory leak in xmlXIncludeLoadDoc error path Found by OSS-Fuzz.
a230b728	2020-04-10T19:22:07	win32: allow passing *FLAGS on command line nmake is a primitive tool, so this is a primitive implementation: append EXTRA_CFLAGS etc. variables. Command line variables should be appended to allow overriding flags set in the makefile. It doesn't work to pass in CFLAGS like in make because that always overrides the assignments in the makefile.
4f2aee18	2020-05-04T14:03:52	Make schema validation fail with multiple top-level elements Closes #126.
106757e8	2020-04-10T14:52:03	Guard new calls to xmlValidatePopElement in xml_reader.c Closes #154.
386fb276	2020-04-28T17:00:37	Add LIBXML_VALID_ENABLED to xmlreader There are already LIBXML_VALID_ENABLED in this file to guard against "--without-valid" at "./configure" step, but here they were missing.
e7ff2efc	2020-04-21T21:16:07	Configure file xmlwin32version.h.in on MSVC
e2f10494	2020-04-21T21:04:23	List headers individually
2a2c38f3	2020-04-21T00:53:12	Add CMake build files Closes #24.
9fa3200c	2020-03-31T23:18:25	Call xmlCleanupParser on ELF destruction Fixes #153.
e4fb3684	2020-02-28T12:48:14	Parenthesize Py<type>_Check() in ifs In C, if expressions should be parenthesized. PyLong_Check, PyUnicode_Check etc. happened to expand to a parenthesized expression before, but that's not API to rely on. Since Python 3.9.0a4 it needs to be parenthesized explicitly. Fixes https://gitlab.gnome.org/GNOME/libxml2/issues/149
20c60886	2020-03-08T17:19:42	Fix typos Resolves #133.
2a7b6684	2020-03-02T11:52:52	Disable LeakSanitizer The GitLab runner doesn't run in privileged mode anymore [1], at least for projects outside the GNOME group. Disable LeakSanitizer for now as it needs the ptrace capability. [1] https://gitlab.gnome.org/Infrastructure/Infrastructure/issues/251
c005c7a0	2020-02-11T16:35:20	Stop calling SAX getEntity handler from XMLReader The getEntity handler was already invoked by xmlParseReference, so it's useless to call it again. After the recent change, xmlSAX2GetEntity won't load any kind of entities anyway.
32cb5dcc	2020-02-11T13:16:10	Add test case for recursive external parsed entities
f20daa9e	2020-02-11T13:13:52	Enable error tests with entity substitution
eddfbc38	2020-01-22T22:03:45	Don't load external entity from xmlSAX2GetEntity Despite the comment, I can't see a reason why external entities must be loaded in the SAX handler. For external entities, the handler is typically first invoked via xmlParseReference which will later load the entity on its own if it wasn't loaded yet. The old code also lead to duplicated SAX events which makes it basically impossible to reuse xmlSAX2GetEntity for a custom SAX parser. See the change to the expected test output. Note that xmlSAX2GetEntity was loading the entity via xmlParseCtxtExternalEntity while xmlParseReference uses xmlParseExternalEntityPrivate. In the previous commit, the two functions were merged, trying to compensate for some slight differences between the two mostly identical implementations. But the more urgent reason for this change is that xmlParseReference has the facility to abort early when recursive entities are detected, avoiding what could practically amount to an infinite loop. If you want to backport this change, note that the previous three commits are required as well: f9ea1a24 Fix copying of entities in xmlParseReference 5c7e0a9a Copy some XMLReader option flags to parser context 1a3e584a Merge code paths loading external entities Found by OSS-Fuzz.
1a3e584a	2020-01-21T22:12:42	Merge code paths loading external entities Merge xmlParseCtxtExternalEntity into xmlParseExternalEntityPrivate.
5c7e0a9a	2020-02-11T16:29:30	Copy some XMLReader option flags to parser context The parser context stores some options both in the "options" bits and extra members like "validate" or "replaceEntities". Which of these are actually read is inconsistent, so make sure to also update the bit field.
f9ea1a24	2020-02-11T16:17:34	Fix copying of entities in xmlParseReference Before, reader mode would end up in a branch that didn't handle entities with multiple children and failed to update ent->last, so the hack copying the "extra" reader data wouldn't trigger. Consequently, some empty nodes in entities are correctly detected now in the test suite. (The detection of empty nodes in entities is still buggy, though.)
7ffcd44d	2019-08-20T16:33:06	Fix memory leak in xmlSchemaValidateStream When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun alloc a new schema for ctxt->schema and set vctxt->xsiAssemble to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize vctxt->xsiAssemble to 0 again which cause the alloced schema can not be freed anymore. Found with libFuzzer. Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
e45e06de	2020-01-31T13:16:37	Fix xmlSchemaGetCanonValue formatting for date and dateTime Per https://www.w3.org/TR/xmlschema-2/#dateTime-lexical-representation, the date portion is supposed to use '-' as the delimiter
c7c526d6	2020-01-13T18:49:01	Fix memory leak when shared libxml.dll is unloaded When a multiple modules (process/plugins) all link to libxml2.dll they will in fact share a single loaded instance of it. It is unsafe for any of them to call xmlCleanupParser, as this would deinitialize the shared state and break others that might still have ongoing use. However, on windows atexit is per-module (rather process-wide), so if used within libxml2 it is possible to register a clean up when all users are done and libxml2.dll is about to actually unload. This allows multiple plugins to link with and share libxml2 without a premature cleanup if one is unloaded, while still cleaning up if all such callers are themselves unloaded.
453bdfb9	2020-01-13T18:28:34	Fix potentially-uninitialized critical section in Win32 DLL builds If non-parser parts of libxml (e.g. xmlwriter) are used before a parser, xmlOnceInit may have run (e.g. via the many paths to xmlGetGlobalState), but not xmlInitThreads (which is called only by xmlInitParser) Once globalkey != TLS_OUT_OF_INDEXES (which can happen in many ways), DLLMAIN(DLL_THREAD_DETACH) may attempt to lock cleanup_helpers_cs before it is valid. This may happen even if the thread whose exit is triggering DllMain is from code which is not linked to libxml. globalkey and cleanup_helpers_cs should be initialized together, with cleanup_helpers_cs initialized first and deleted last.
c2e09f44	2020-02-11T11:32:23	Add xmlPopOutputCallbacks Add function to pop a single set of output callbacks from the stack. This was only implemented for input callbacks before. Fixes #135.
b0725121	2020-01-10T15:55:07	Fix integer overflow in xmlBufferResize Found by OSS-Fuzz.
3e7e75be	2020-01-02T15:19:57	Minor fixes to configure.js - Semicolon coding style - Remove duplicated option check Found by lgtm.com
52649b63	2020-01-02T14:45:28	Check for overflow when allocating two-dimensional arrays Found by lgtm.com
9bd7abfb	2020-01-02T14:14:48	Remove useless comparisons Found by lgtm.com
c9faa292	2020-01-02T14:12:39	Fix overflow check in xmlNodeDump Store return value of xmlBufNodeDump in a size_t before checking for integer overflow. Found by lgtm.com
8f62ac92	2020-01-01T19:16:10	Updated Python test reader2.py Added all test cases that have a non-empty error in result/valid/*.xml.err Restructured to make it easier extensible with new test cases Added coding cookie because there is non-ASCII in the error messages
8c3e52eb	2019-12-31T21:49:58	Updated python/tests/tstLastError.py libxml2.registerErrorHandler(None,None): None is not acceptable as first argument failUnlessEqual replaced by assertEqual
0e1a49c8	2019-12-12T17:30:55	Fix infinite loop in xmlStringLenDecodeEntities When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef return NULL which cause a infinite loop in xmlStringLenDecodeEntities Found with libFuzzer. Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
0815302d	2019-12-06T12:27:29	Fix freeing of nested documents Apparently, some libxslt RVTs can contain nested document nodes, see issue #132. I'm not sure how this happens exactly but it can cause a segfault in xmlFreeNodeList after the changes in commit 0762c9b6. Make sure not to touch the (nonexistent) `content` member of xmlDocs.
2c80fc91	2019-12-02T11:30:30	Fix more memory leaks in error paths of XPath parser Found by OSS-Fuzz.
3c8a3e99	2019-11-07T12:59:10	Use random seed in xmlDictComputeFastKey xmlDictComputeFastKey is only used for small tables, so this shouldn't be a security problem.
42942066	2019-11-11T13:49:11	Fix memory leaks of encoding handlers in xmlsave.c Fix leak of iconv/ICU encoding handler in xmlSaveToBuffer. Fix leaks of iconv/ICU encoding handlers in xmlSaveTo* error paths. Closes #127.
2a357ab9	2019-11-11T11:29:17	Fix xml2-config error code Return an error code if called with an unknown option.
d5f2f74d	2019-11-11T11:27:40	Fix memory leak in error path of XPath expr parser Also propagate memory errors. Found by OSS-Fuzz.
bf2e9617	2019-11-07T12:54:01	Fix overflow handling in xmlBufBackToBuffer Don't overwrite 'use' and 'size' members after clamping to INT_MAX. Thanks to Ranier Vilela for pointing this out in merge request !56.
d7248615	2019-11-04T23:19:28	Null pointer handling in catalog.c Fix potential deferencing potential null pointers; Small optimizations. Closes #123.
29740ed1	2019-11-02T17:51:39	xml2-config.in: fix regressions introduced by commit 2f2bf4b2c One of regressions introduced by commit 2f2bf4b2caa1cb9a4a5039b7a44db101943382d1 aka v2.9.10-rc1~56 is that cflags and libs variables are used uninitialized, resulting to the following behaviour: $ cflags=foo libs=bar sh ./xml2-config.in --prefix @prefix@ foo bar Another regression is that the test for these variables is flawed. Fixes: 2f2bf4b2c ("xml2-config.in: Output CFLAGS and LIBS on the same line")
db0c0450	2019-11-02T15:14:10	Enable more undefined behavior sanitizers Minor fix to xmlStringLenGetNodeList to avoid a pointer overflow during API test. Enable pointer-overflow and unsigned-integer-overflow sanitizers in CI tests. Technically, unsigned integer overflows aren't undefined behavior, but they typically indicate programming errors. Some hash functions that really require unsigned integer overflows have already been annotated.
41a34e1f	2019-10-30T20:14:56	Release of libxml2-2.9.10 * configure.ac doc/xml.html: updated for the release * doc/*: regenerated docs, APIs, etc ...
a5bb6aaa	2019-10-29T14:21:54	Run XML conformance tests under CI Also add llvm to Docker image so that backtraces can be symbolized.
9737ec07	2019-10-29T16:19:37	Another fix for conditional sections at end of document The previous fix introduced an uninitialized read.
9acef289	2019-10-23T18:13:08	Fix some release issues on Fedora 30 * doc/Makefile.am: xzlib.html seems not generated anymore since it was only containing an internal define we can drop it * libxml.spec.in: don't run python tests as part of %check as this is now breaking on F30
c1035664	2019-10-23T11:40:34	Fix for conditional sections at end of document Parsing conditional sections would fail if the final ']]>' was at the end of the document. Short-lived regression caused by commit c51e38cb.
d188eb92	2019-10-21T12:44:59	Make sure that Python tests exit with error code Closes #108.
55d95dcf	2019-10-20T18:03:21	Update GitLab CI config - Update Dockerfile - Don't configure with -Werror - Don't mention Travis in CONTRIBUTING
bfc0f674	2019-10-20T14:39:46	Audit memory error handling in xpath.c Memory allocation errors in the following functions a often ignored. Add TODO comments. - xmlXPathNodeSetCreate - xmlXPathNodeSetAdd* - xmlXPathNodeSetMerge* - xmlXPathNodeSetDupNs Note that the following functions currently lack a way to propagate memory errors: - xmlXPathCompareNodeSets - xmlXPathEqualNodeSets
429d4eca	2019-10-20T14:22:20	Propagate memory errors in valuePush Currently, many memory allocation errors in xpath.c aren't propagated to the parser/evaluation context and for the most part ignored. Most XPath objects allocated via one of the New, Wrap or Copy functions end up being pushed on the stack, so adding a check in valuePush handles many cases without much effort. Also simplify the code a little and make sure to return -1 in case of error.
390f05e7	2019-10-20T13:42:19	Propagate memory errors in xmlXPathCompExprAdd Make sure that memory errors in xmlXPathCompExprAdd are propagated to the parser context. Hitting the step limit or running out of memory without raising an error could also lead to an out-of-bounds read. Also fixes a memory leak in xmlXPathErrMemory. Found by OSS-Fuzz.
aec2bf71	2019-10-14T18:01:51	Make xmlFreeDocElementContent non-recursive Avoid call stack overflow when freeing element type declarations with deeply nested contents. Found by OSS-Fuzz.
d8999b1d	2019-10-14T17:04:04	Fix error code in xmlTextWriterStartDocument Return XML_ERR_UNSUPPORTED_ENCODING if no encoding handler could be found. Fixes bug #521808: https://bugzilla.gnome.org/show_bug.cgi?id=521808 Resolves !53.
40e00bc5	2019-10-14T16:56:59	Fix integer overflow when counting written bytes Check for integer overflow when updating the `written` member of struct xmlOutputBuffer in xmlIO.c. Closes #112. Resolves !54 and !55.
1fda3248	2019-10-14T16:48:32	Fix exponent digits when running tests under old MSVC Switch printf output format to two-digit exponent under certain MSVC versions. Closes #111.
f9f8df0a	2019-10-03T04:15:52	Fix uninitialized memory access in HTML parser The SAX2 character handler expects NULL-terminated buffer. Closes #106. Also see https://github.com/lxml/lxml/pull/288
5eeb9d5f	2019-10-14T16:35:00	Fix memory leak in xmlSchemaValAtomicType Don't collapse anyUris twice. Closes #104.
61f2abb1	2019-10-04T00:21:24	Enable continuous integration via GitLab CI Port the Travis CI setup to GitLab. We currently run three builds: - GCC with -std=c89 - clang with ASan and UBSan - clang with MSan Closes #110.
b88ae6d2	2019-10-14T15:38:28	Avoid ignored attribute warnings under GCC GCC doesn't support the unsigned-integer-overflow sanitizer.
24e3973b	2019-10-04T14:42:59	Make xmlDumpElementContent non-recursive Avoid call stack overflow when dumping deeply nested element declarations. Found by OSS-Fuzz.
64966ebe	2019-09-30T17:34:32	Rebuild docs
2e55f6dc	2019-09-30T17:30:17	Make apibuild.py ignore ATTRIBUTE_NO_SANITIZE
74a8a91f	2019-09-30T17:58:59	Fix a few more typos ("fonction")
2a350ee9	2019-09-30T17:04:54	Large batch of typo fixes Closes #109.
80b110a9	2019-09-30T14:37:57	Mark xmlExp* symbols as removed
c2f209c0	2019-09-30T14:13:21	Disallow conditional sections in internal subset Conditional sections are only allowed in external parameter entities referenced from the internal subset.
c51e38cb	2019-09-30T13:50:02	Make xmlParseConditionalSections non-recursive Avoid call stack overflow in deeply nested conditional sections. Found by OSS-Fuzz.
9d461ac7	2019-09-26T16:17:31	Adjust expected error in Python tests Closes #107.
d56184a0	2019-09-26T12:11:39	Disable xmlExp regex code This is apparently another regex engine that was never used, see commit 81a8ec6.
664f8810	2019-09-26T11:01:58	Fix use-after-free in xmlTextReaderFreeNodeList Recent commit 1fbcf40 caused a use-after-free read because it didn't account for the fact that xmlTextReaderFreeDoc frees entities before freeing entity references via xmlTextReaderFreeNodeList. Found by OSS-Fuzz.
99a864a1	2019-09-25T15:27:45	Fix Regextests - One of the bug316338 test cases is expected to succeed. - Memory leak in testRegexp.c. - Refcount handling in xmlExpHashGetEntry.
c2b0a184	2019-09-25T13:57:42	Fix empty branch in regex Fixes bug 649244: https://bugzilla.gnome.org/show_bug.cgi?id=649244 Closes #57.
1fbcf409	2019-09-23T17:13:05	Make xmlTextReaderFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents. Found by OSS-Fuzz.
0762c9b6	2019-09-23T17:07:40	Make xmlFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents.
62150ed2	2019-09-23T14:46:41	Make xmlParseContent and xmlParseElement non-recursive Split xmlParseElement into subfunctions. Use nameNsPush to store prefix, URI and nsNr on the heap, similar to the push parser. Closes #84.
a28bc751	2019-09-20T13:46:58	Fix integer overflow in entity recursion check
e91cbcf6	2019-09-20T12:44:17	Don't read external entities or XIncludes from stdin The file input callbacks try to read from stdin if "-" is passed as URL. This should never be done when loading indirect resources like external entities or XIncludes. Unfortunately, the stdin substitution happens deep inside the IO code, so we simply replace "-" with "./-" in specific locations. This issue also affects other users of the library like libxslt. Ideally, stdin should only be substituted on explicit request. But more intrusive changes could break existing code. Closes #90 and #102.
6705f4d2	2019-09-16T15:45:27	Remove executable bit from non-executable files

43a8836c

2020-05-31T18:46:21

Fix rebuilding docs, by hiding __attribute__((...)) behind a macro. When enabled via `./configure --enable-rebuild-docs`, `make -C doc libxml2-api.xml` will invoke apibuild.py to rebuild libxml2-api.xml from the sources. But the code added in 9fa3200cb366c726f7c8ef234282603bb9e8816d made it error out with ``` Parsing ../parser.c Parse Error: parsing type : expecting a name ('Got token ', ('sep', '(')) ('Last token: ', ('sep', '(')) ('Token queue: ', [('name', 'destructor'), ('sep', ')'), ('sep', ')')]) ('Line 14689 end: ', '') ```

9f42f6ba

2020-06-24T15:33:38

Don't follow next pointer on documents in xmlXPathRunStreamEval RVTs from libxslt are document nodes which are linked using the 'next' pointer. These pointers must never be used to navigate the document tree. Otherwise, random content from other RVTs could be returned when evaluating XPath expressions. It's interesting that this seemingly long-standing bug wasn't discovered earlier. This issue could also cause severe performance degradation. Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/37

18425d3a

2020-06-21T19:14:23

Fix integer overflow in _xmlSchemaParseGYear Found with libFuzzer and UBSan.

070d635e

2020-06-21T16:26:38

Fix integer overflow when parsing {min,max}Occurs Clamp value to INT_MAX. Found with libFuzzer and UBSan.

c0440868

2020-06-22T13:08:11

Copy xs:duration parser from libexslt The duration parser in libexslt checks for integer overflows.

50f18830

2020-06-21T15:21:45

Fix another memory leak in xmlSchemaValAtomicType Don't collapse language IDs twice. Found with libFuzzer and ASan.

eac1c7e2

2020-06-21T14:42:00

Fuzz target for XML Schemas This only tests the schema parser for now.

ffd31dbe

2020-06-21T12:14:19

Move entity recorder to fuzz.c

681f094e

2020-06-15T15:23:05

Fix unsigned integer overflow in htmlParseTryOrFinish Cast to signed type before subtraction to avoid unsigned integer overflow. Also use ptrdiff_t to avoid potential integer truncation. Found with libFuzzer and UBSan.

31ca4a72

2020-06-15T18:47:53

Fix integer overflow in htmlParseCharRef Fixes #115.

2f938203

2020-06-15T15:45:47

Fix undefined behavior in UTF16LEToUTF8 Don't perform arithmetic on null pointer. Found with libFuzzer and UBSan.

536f421d

2020-06-15T12:20:54

Fuzz target for HTML parser

a697ed1e

2020-06-15T14:49:22

Fix return value of xmlCharEncOutput Commit 407b393d introduced a regression caused by xmlCharEncOutput returning 0 in case of success instead of the number of bytes written. Always use its return value for nbchars in xmlOutputBufferWrite. Fixes #166.

af893a58

2020-06-11T16:08:16

Update GitLab CI container

a28f7d87

2020-06-10T13:41:13

Never expand parameter entities in text declaration When parsing the text declaration of external DTDs or entities, make sure that parameter entities are not expanded. This also fixes a memory leak in certain error cases. The change to xmlSkipBlankChars assumes that the parser state is maintained correctly when parsing external DTDs or parameter entities, and might expose bugs in the code that were hidden previously. Found by OSS-Fuzz.

487871b0

2020-06-10T13:23:43

Fix undefined behavior in xmlXPathTryStreamCompile &NULL[0] is undefined behavior.

e98150d4

2020-06-09T13:45:31

Add options file for xml fuzzer This will be picked up OSS-Fuzz, limiting the maximum input size to 80 KB and hopefully avoiding timeouts. Some of the timeouts seem to be related to our suboptimal handling of excessive entity expansion. The new fuzzers support external entities and make this problem even more prominent.

2af3c2a8

2020-06-08T12:49:51

Fix use-after-free with validating reader Just like IDs, IDREF attributes must be removed from the document's refs table when they're freed by a reader. This bug is often hidden because xmlAttr structs are reused and strings are stored in a dictionary unless XML_PARSE_NODICT is specified. Found by OSS-Fuzz.

00ed736e

2020-06-05T12:49:25

Add a couple of libFuzzer targets - XML fuzzer Currently tests the pull parser, push parser and reader, as well as serialization. Supports splitting fuzz data into multiple documents for things like external DTDs or entities. The seed corpus is built from parts of the test suite. - Regexp fuzzer Seed corpus was statically generated from test suite. - URI fuzzer Tests parsing and most other functions from uri.c.

2e8cc66d

2020-05-30T15:40:08

xmlParseBalancedChunkMemory must not be called with NULL doc There is no way to avoid memory leaks without a document to hold the namespace list.

a0a8059b

2020-05-30T15:33:03

Revert "Fix memory leak in xmlParseBalancedChunkMemoryRecover" This reverts commit 5a02583c7e683896d84878bd90641d8d9b0d0549. Fixes #161.

ff009f99

2020-05-30T15:32:25

Fix memory leak in xmlXIncludeLoadDoc error path Found by OSS-Fuzz.

a230b728

2020-04-10T19:22:07

win32: allow passing *FLAGS on command line nmake is a primitive tool, so this is a primitive implementation: append EXTRA_CFLAGS etc. variables. Command line variables should be appended to allow overriding flags set in the makefile. It doesn't work to pass in CFLAGS like in make because that always overrides the assignments in the makefile.

4f2aee18

2020-05-04T14:03:52

Make schema validation fail with multiple top-level elements Closes #126.

106757e8

2020-04-10T14:52:03

Guard new calls to xmlValidatePopElement in xml_reader.c Closes #154.

386fb276

2020-04-28T17:00:37

Add LIBXML_VALID_ENABLED to xmlreader There are already LIBXML_VALID_ENABLED in this file to guard against "--without-valid" at "./configure" step, but here they were missing.

e7ff2efc

2020-04-21T21:16:07

Configure file xmlwin32version.h.in on MSVC

e2f10494

2020-04-21T21:04:23

List headers individually

2a2c38f3

2020-04-21T00:53:12

Add CMake build files Closes #24.

9fa3200c

2020-03-31T23:18:25

Call xmlCleanupParser on ELF destruction Fixes #153.

e4fb3684

2020-02-28T12:48:14

Parenthesize Py<type>_Check() in ifs In C, if expressions should be parenthesized. PyLong_Check, PyUnicode_Check etc. happened to expand to a parenthesized expression before, but that's not API to rely on. Since Python 3.9.0a4 it needs to be parenthesized explicitly. Fixes https://gitlab.gnome.org/GNOME/libxml2/issues/149

20c60886

2020-03-08T17:19:42

Fix typos Resolves #133.

2a7b6684

2020-03-02T11:52:52

Disable LeakSanitizer The GitLab runner doesn't run in privileged mode anymore [1], at least for projects outside the GNOME group. Disable LeakSanitizer for now as it needs the ptrace capability. [1] https://gitlab.gnome.org/Infrastructure/Infrastructure/issues/251

c005c7a0

2020-02-11T16:35:20

Stop calling SAX getEntity handler from XMLReader The getEntity handler was already invoked by xmlParseReference, so it's useless to call it again. After the recent change, xmlSAX2GetEntity won't load any kind of entities anyway.

32cb5dcc

2020-02-11T13:16:10

Add test case for recursive external parsed entities

f20daa9e

2020-02-11T13:13:52

Enable error tests with entity substitution

eddfbc38

2020-01-22T22:03:45

Don't load external entity from xmlSAX2GetEntity Despite the comment, I can't see a reason why external entities must be loaded in the SAX handler. For external entities, the handler is typically first invoked via xmlParseReference which will later load the entity on its own if it wasn't loaded yet. The old code also lead to duplicated SAX events which makes it basically impossible to reuse xmlSAX2GetEntity for a custom SAX parser. See the change to the expected test output. Note that xmlSAX2GetEntity was loading the entity via xmlParseCtxtExternalEntity while xmlParseReference uses xmlParseExternalEntityPrivate. In the previous commit, the two functions were merged, trying to compensate for some slight differences between the two mostly identical implementations. But the more urgent reason for this change is that xmlParseReference has the facility to abort early when recursive entities are detected, avoiding what could practically amount to an infinite loop. If you want to backport this change, note that the previous three commits are required as well: f9ea1a24 Fix copying of entities in xmlParseReference 5c7e0a9a Copy some XMLReader option flags to parser context 1a3e584a Merge code paths loading external entities Found by OSS-Fuzz.

1a3e584a

2020-01-21T22:12:42

Merge code paths loading external entities Merge xmlParseCtxtExternalEntity into xmlParseExternalEntityPrivate.

5c7e0a9a

2020-02-11T16:29:30

Copy some XMLReader option flags to parser context The parser context stores some options both in the "options" bits and extra members like "validate" or "replaceEntities". Which of these are actually read is inconsistent, so make sure to also update the bit field.

f9ea1a24

2020-02-11T16:17:34

Fix copying of entities in xmlParseReference Before, reader mode would end up in a branch that didn't handle entities with multiple children and failed to update ent->last, so the hack copying the "extra" reader data wouldn't trigger. Consequently, some empty nodes in entities are correctly detected now in the test suite. (The detection of empty nodes in entities is still buggy, though.)

7ffcd44d

2019-08-20T16:33:06

Fix memory leak in xmlSchemaValidateStream When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun alloc a new schema for ctxt->schema and set vctxt->xsiAssemble to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize vctxt->xsiAssemble to 0 again which cause the alloced schema can not be freed anymore. Found with libFuzzer. Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>

e45e06de

2020-01-31T13:16:37

Fix xmlSchemaGetCanonValue formatting for date and dateTime Per https://www.w3.org/TR/xmlschema-2/#dateTime-lexical-representation, the date portion is supposed to use '-' as the delimiter

c7c526d6

2020-01-13T18:49:01

Fix memory leak when shared libxml.dll is unloaded When a multiple modules (process/plugins) all link to libxml2.dll they will in fact share a single loaded instance of it. It is unsafe for any of them to call xmlCleanupParser, as this would deinitialize the shared state and break others that might still have ongoing use. However, on windows atexit is per-module (rather process-wide), so if used *within* libxml2 it is possible to register a clean up when all users are done and libxml2.dll is about to actually unload. This allows multiple plugins to link with and share libxml2 without a premature cleanup if one is unloaded, while still cleaning up if *all* such callers are themselves unloaded.

453bdfb9

2020-01-13T18:28:34

Fix potentially-uninitialized critical section in Win32 DLL builds If non-parser parts of libxml (e.g. xmlwriter) are used before a parser, xmlOnceInit may have run (e.g. via the many paths to xmlGetGlobalState), but not xmlInitThreads (which is called only by xmlInitParser) Once globalkey != TLS_OUT_OF_INDEXES (which can happen in many ways), DLLMAIN(DLL_THREAD_DETACH) may attempt to lock cleanup_helpers_cs before it is valid. This may happen even if the thread whose exit is triggering DllMain is from code which is not linked to libxml. globalkey and cleanup_helpers_cs should be initialized together, with cleanup_helpers_cs initialized first and deleted last.

c2e09f44

2020-02-11T11:32:23

Add xmlPopOutputCallbacks Add function to pop a single set of output callbacks from the stack. This was only implemented for input callbacks before. Fixes #135.

b0725121

2020-01-10T15:55:07

Fix integer overflow in xmlBufferResize Found by OSS-Fuzz.

3e7e75be

2020-01-02T15:19:57

Minor fixes to configure.js - Semicolon coding style - Remove duplicated option check Found by lgtm.com

52649b63

2020-01-02T14:45:28

Check for overflow when allocating two-dimensional arrays Found by lgtm.com

9bd7abfb

2020-01-02T14:14:48

Remove useless comparisons Found by lgtm.com

c9faa292

2020-01-02T14:12:39

Fix overflow check in xmlNodeDump Store return value of xmlBufNodeDump in a size_t before checking for integer overflow. Found by lgtm.com

8f62ac92

2020-01-01T19:16:10

Updated Python test reader2.py Added all test cases that have a non-empty error in result/valid/*.xml.err Restructured to make it easier extensible with new test cases Added coding cookie because there is non-ASCII in the error messages

8c3e52eb

2019-12-31T21:49:58

Updated python/tests/tstLastError.py libxml2.registerErrorHandler(None,None): None is not acceptable as first argument failUnlessEqual replaced by assertEqual

0e1a49c8

2019-12-12T17:30:55

Fix infinite loop in xmlStringLenDecodeEntities When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef return NULL which cause a infinite loop in xmlStringLenDecodeEntities Found with libFuzzer. Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>

0815302d

2019-12-06T12:27:29

Fix freeing of nested documents Apparently, some libxslt RVTs can contain nested document nodes, see issue #132. I'm not sure how this happens exactly but it can cause a segfault in xmlFreeNodeList after the changes in commit 0762c9b6. Make sure not to touch the (nonexistent) `content` member of xmlDocs.

2c80fc91

2019-12-02T11:30:30

Fix more memory leaks in error paths of XPath parser Found by OSS-Fuzz.

3c8a3e99

2019-11-07T12:59:10

Use random seed in xmlDictComputeFastKey xmlDictComputeFastKey is only used for small tables, so this shouldn't be a security problem.

42942066

2019-11-11T13:49:11

Fix memory leaks of encoding handlers in xmlsave.c Fix leak of iconv/ICU encoding handler in xmlSaveToBuffer. Fix leaks of iconv/ICU encoding handlers in xmlSaveTo* error paths. Closes #127.

2a357ab9

2019-11-11T11:29:17

Fix xml2-config error code Return an error code if called with an unknown option.

d5f2f74d

2019-11-11T11:27:40

Fix memory leak in error path of XPath expr parser Also propagate memory errors. Found by OSS-Fuzz.

bf2e9617

2019-11-07T12:54:01

Fix overflow handling in xmlBufBackToBuffer Don't overwrite 'use' and 'size' members after clamping to INT_MAX. Thanks to Ranier Vilela for pointing this out in merge request !56.

d7248615

2019-11-04T23:19:28

Null pointer handling in catalog.c Fix potential deferencing potential null pointers; Small optimizations. Closes #123.

29740ed1

2019-11-02T17:51:39

xml2-config.in: fix regressions introduced by commit 2f2bf4b2c One of regressions introduced by commit 2f2bf4b2caa1cb9a4a5039b7a44db101943382d1 aka v2.9.10-rc1~56 is that cflags and libs variables are used uninitialized, resulting to the following behaviour: $ cflags=foo libs=bar sh ./xml2-config.in --prefix @prefix@ foo bar Another regression is that the test for these variables is flawed. Fixes: 2f2bf4b2c ("xml2-config.in: Output CFLAGS and LIBS on the same line")

db0c0450

2019-11-02T15:14:10

Enable more undefined behavior sanitizers Minor fix to xmlStringLenGetNodeList to avoid a pointer overflow during API test. Enable pointer-overflow and unsigned-integer-overflow sanitizers in CI tests. Technically, unsigned integer overflows aren't undefined behavior, but they typically indicate programming errors. Some hash functions that really require unsigned integer overflows have already been annotated.

41a34e1f

2019-10-30T20:14:56

Release of libxml2-2.9.10 * configure.ac doc/xml.html: updated for the release * doc/*: regenerated docs, APIs, etc ...

a5bb6aaa

2019-10-29T14:21:54

Run XML conformance tests under CI Also add llvm to Docker image so that backtraces can be symbolized.

9737ec07

2019-10-29T16:19:37

Another fix for conditional sections at end of document The previous fix introduced an uninitialized read.

9acef289

2019-10-23T18:13:08

Fix some release issues on Fedora 30 * doc/Makefile.am: xzlib.html seems not generated anymore since it was only containing an internal define we can drop it * libxml.spec.in: don't run python tests as part of %check as this is now breaking on F30

c1035664

2019-10-23T11:40:34

Fix for conditional sections at end of document Parsing conditional sections would fail if the final ']]>' was at the end of the document. Short-lived regression caused by commit c51e38cb.

d188eb92

2019-10-21T12:44:59

Make sure that Python tests exit with error code Closes #108.

55d95dcf

2019-10-20T18:03:21

Update GitLab CI config - Update Dockerfile - Don't configure with -Werror - Don't mention Travis in CONTRIBUTING

bfc0f674

2019-10-20T14:39:46

Audit memory error handling in xpath.c Memory allocation errors in the following functions a often ignored. Add TODO comments. - xmlXPathNodeSetCreate - xmlXPathNodeSetAdd* - xmlXPathNodeSetMerge* - xmlXPathNodeSetDupNs Note that the following functions currently lack a way to propagate memory errors: - xmlXPathCompareNodeSets - xmlXPathEqualNodeSets

429d4eca

2019-10-20T14:22:20

Propagate memory errors in valuePush Currently, many memory allocation errors in xpath.c aren't propagated to the parser/evaluation context and for the most part ignored. Most XPath objects allocated via one of the New, Wrap or Copy functions end up being pushed on the stack, so adding a check in valuePush handles many cases without much effort. Also simplify the code a little and make sure to return -1 in case of error.

390f05e7

2019-10-20T13:42:19

Propagate memory errors in xmlXPathCompExprAdd Make sure that memory errors in xmlXPathCompExprAdd are propagated to the parser context. Hitting the step limit or running out of memory without raising an error could also lead to an out-of-bounds read. Also fixes a memory leak in xmlXPathErrMemory. Found by OSS-Fuzz.

aec2bf71

2019-10-14T18:01:51

Make xmlFreeDocElementContent non-recursive Avoid call stack overflow when freeing element type declarations with deeply nested contents. Found by OSS-Fuzz.

d8999b1d

2019-10-14T17:04:04

Fix error code in xmlTextWriterStartDocument Return XML_ERR_UNSUPPORTED_ENCODING if no encoding handler could be found. Fixes bug #521808: https://bugzilla.gnome.org/show_bug.cgi?id=521808 Resolves !53.

40e00bc5

2019-10-14T16:56:59

Fix integer overflow when counting written bytes Check for integer overflow when updating the `written` member of struct xmlOutputBuffer in xmlIO.c. Closes #112. Resolves !54 and !55.

1fda3248

2019-10-14T16:48:32

Fix exponent digits when running tests under old MSVC Switch printf output format to two-digit exponent under certain MSVC versions. Closes #111.

f9f8df0a

2019-10-03T04:15:52

Fix uninitialized memory access in HTML parser The SAX2 character handler expects NULL-terminated buffer. Closes #106. Also see https://github.com/lxml/lxml/pull/288

5eeb9d5f

2019-10-14T16:35:00

Fix memory leak in xmlSchemaValAtomicType Don't collapse anyUris twice. Closes #104.

61f2abb1

2019-10-04T00:21:24

Enable continuous integration via GitLab CI Port the Travis CI setup to GitLab. We currently run three builds: - GCC with -std=c89 - clang with ASan and UBSan - clang with MSan Closes #110.

b88ae6d2

2019-10-14T15:38:28

Avoid ignored attribute warnings under GCC GCC doesn't support the unsigned-integer-overflow sanitizer.

24e3973b

2019-10-04T14:42:59

Make xmlDumpElementContent non-recursive Avoid call stack overflow when dumping deeply nested element declarations. Found by OSS-Fuzz.

64966ebe

2019-09-30T17:34:32

Rebuild docs

2e55f6dc

2019-09-30T17:30:17

Make apibuild.py ignore ATTRIBUTE_NO_SANITIZE

74a8a91f

2019-09-30T17:58:59

Fix a few more typos ("fonction")

2a350ee9

2019-09-30T17:04:54

Large batch of typo fixes Closes #109.

80b110a9

2019-09-30T14:37:57

Mark xmlExp* symbols as removed

c2f209c0

2019-09-30T14:13:21

Disallow conditional sections in internal subset Conditional sections are only allowed in *external* parameter entities referenced from the internal subset.

c51e38cb

2019-09-30T13:50:02

Make xmlParseConditionalSections non-recursive Avoid call stack overflow in deeply nested conditional sections. Found by OSS-Fuzz.

9d461ac7

2019-09-26T16:17:31

Adjust expected error in Python tests Closes #107.

d56184a0

2019-09-26T12:11:39

Disable xmlExp regex code This is apparently another regex engine that was never used, see commit 81a8ec6.

664f8810

2019-09-26T11:01:58

Fix use-after-free in xmlTextReaderFreeNodeList Recent commit 1fbcf40 caused a use-after-free read because it didn't account for the fact that xmlTextReaderFreeDoc frees entities before freeing entity references via xmlTextReaderFreeNodeList. Found by OSS-Fuzz.

99a864a1

2019-09-25T15:27:45

Fix Regextests - One of the bug316338 test cases is expected to succeed. - Memory leak in testRegexp.c. - Refcount handling in xmlExpHashGetEntry.

c2b0a184

2019-09-25T13:57:42

Fix empty branch in regex Fixes bug 649244: https://bugzilla.gnome.org/show_bug.cgi?id=649244 Closes #57.

1fbcf409

2019-09-23T17:13:05

Make xmlTextReaderFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents. Found by OSS-Fuzz.

0762c9b6

2019-09-23T17:07:40

Make xmlFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents.

62150ed2

2019-09-23T14:46:41

Make xmlParseContent and xmlParseElement non-recursive Split xmlParseElement into subfunctions. Use nameNsPush to store prefix, URI and nsNr on the heap, similar to the push parser. Closes #84.

a28bc751

2019-09-20T13:46:58

Fix integer overflow in entity recursion check

e91cbcf6

2019-09-20T12:44:17

Don't read external entities or XIncludes from stdin The file input callbacks try to read from stdin if "-" is passed as URL. This should never be done when loading indirect resources like external entities or XIncludes. Unfortunately, the stdin substitution happens deep inside the IO code, so we simply replace "-" with "./-" in specific locations. This issue also affects other users of the library like libxslt. Ideally, stdin should only be substituted on explicit request. But more intrusive changes could break existing code. Closes #90 and #102.

6705f4d2

2019-09-16T15:45:27

Remove executable bit from non-executable files

kc3-lang/libxml2

Log