|
ad9a5637
|
2024-03-22T19:37:12
|
|
tree: Fix uninitialized value in xmlSearchNsSafe
Short-lived regression.
|
|
7b316c11
|
2024-03-22T12:15:23
|
|
tree: Fix uninitialized value in xmlSearchNsByHrefSafe
Short-lived regression.
|
|
3f05508a
|
2024-03-18T14:14:00
|
|
tree: Report malloc failures in attribute setters
|
|
6a49bb77
|
2024-03-17T17:16:55
|
|
tree: Introduce xmlSearchNsSafe
After the failed experiment with a static XML namespace, introduce
versions of xmlSearchNs that report malloc failures.
Optimize the no-document case by only adding the XML namespace
declaration if it wasn't found in an ancestor.
|
|
047ea3ec
|
2024-03-17T16:23:31
|
|
Revert "tree: Allocate XML namespace statically"
This reverts commit 2840e33c5e4b51589a0b96e8102638eeaea6df72.
|
|
2469d5d0
|
2024-03-15T02:55:11
|
|
tree: Tighten source doc check in xmlDOMWrapAdoptNode
sourceDoc must match even if node->doc is NULL.
|
|
37556eb3
|
2024-03-14T16:32:58
|
|
tree: Check destParent->doc in xmlDOMWrapCloneNode
The document must match destDoc to avoid tree corruption.
|
|
7c48c01b
|
2024-03-13T12:42:43
|
|
tree: Switch to xmlNodeSetDoc in xmlDOMWrapAdoptNode
Report malloc failures.
Also fixes an issue where xmlDOMWrapAdoptAttr would descend into entity
references.
|
|
be2c26fb
|
2024-03-13T12:15:30
|
|
tree: Fix tree iteration in xmlDOMWrapRemoveNode
We didn't descend into elements having attributes.
|
|
4a90ce08
|
2024-03-12T22:30:43
|
|
tree: Don't abort early if malloc fails in DOM functions
If malloc fails halfway through updating a subtree, we must process the
rest of the tree to avoid tree corruption.
|
|
ad019ba1
|
2024-03-12T19:50:45
|
|
tree: Fix reallocation in xmlDOMWrapNSNormAddNsMapItem2
|
|
e321eba0
|
2024-03-12T17:42:28
|
|
tree: Set parent->last early in xmlDOMWrapCloneNode
Avoids a corrupted tree in error case.
|
|
84e6dc9e
|
2024-03-12T17:41:30
|
|
tree: Declare namespace on clone in xmlDOMWrapCloneNode
The new namespace must be declared on the cloned node, not the source
node.
|
|
09905670
|
2024-03-12T17:40:30
|
|
tree: Don't free linked DOM namespaces in error case
|
|
27f07f10
|
2024-03-12T16:49:10
|
|
tree: Report malloc failure in xmlDOMWrapCloneNode
Also don't store text content in dictionaries.
|
|
8d04f0ee
|
2024-03-11T20:44:47
|
|
tree: Refactor text node updates
|
|
4ccd3eb8
|
2024-03-11T19:43:56
|
|
tree: Refactor node insertion
Also fixes a text coalescing bug.
|
|
9f049afa
|
2024-03-11T15:57:14
|
|
tree: Refactor element creation and parsing of attribute values
Replace xmlStringGetNodeList and xmlStringLenGetNodeList with
xmlNodeParseContentInternal which also updates an optional parent
node.
Don't look up entities a second time via xmlNewReference.
|
|
9991fae4
|
2024-03-05T16:16:31
|
|
tree: Simplify xmlNodeGetContent, xmlBufGetNodeContent
Factor out xmlBufGetEntityRefContent and xmlBufGetChildContent.
Also allow entity declarations.
Optimize single text children.
Ignore missing or recursive entities silently.
Prefer xmlNodeGetContent over xmlNodeListGetString.
Check for entity cycles in xmlBufGetNodeContent.
Use children pointer of entity reference nodes if available to look up
entities.
|
|
05adfbf8
|
2024-03-11T13:42:15
|
|
buf: Don't use default buffer size for small strings
Detaching strings from a buffer with a default size of 4096 can waste
a lot of memory.
|
|
e3342f73
|
2024-03-07T17:47:06
|
|
tree: Work on documentation
|
|
8677f547
|
2024-03-05T03:24:45
|
|
malloc-fail: Fix erroneous report in xmlNodeGetBaseSafe
|
|
9b3750c6
|
2024-03-04T03:49:23
|
|
malloc-fail: Avoid use-after-free in xmlAddChild
Returning NULL doesn't signal that the node was freed.
|
|
702f2e46
|
2024-03-04T01:39:34
|
|
malloc-fail: Fix memory leak in xmlNewNodeEatName
|
|
b043d959
|
2024-03-08T12:40:12
|
|
tree: Check return value of xmlNodeAddContent
|
|
18ebdacf
|
2024-03-07T13:02:46
|
|
tree: Fix error return in xmlGetPropNodeValueInternal
|
|
e4e90961
|
2024-03-07T13:00:14
|
|
tree: Prefer xmlGetPropNodeInternal over xmlHasNsProp
xmlHasNsProp can cause unreported malloc failures when looking up
default attributes. Switch to xmlGetPropNodeInternal when moving
attributes. We don't care about default attributes in this case.
|
|
7d9ffd40
|
2024-03-06T19:44:00
|
|
tree: Report malloc failure in xmlAddNextSibling
|
|
bc7ab5a2
|
2024-03-02T18:59:51
|
|
tree: Rewrite xmlSetTreeDoc
Report malloc failures.
Fix when called directly on attribute node.
Clear 'content' and 'last' and look up new entity for entity reference
nodes.
|
|
2ba690a7
|
2024-03-05T16:34:22
|
|
tree: Remove more unused node types
|
|
fc9a2ca0
|
2024-03-06T16:02:24
|
|
tree: Report more malloc failures
|
|
536aa2cd
|
2024-03-04T16:55:32
|
|
tree: Fix adding ids in xmlNewPropInternal
Don't try to add ids to NULL document.
Report malloc failure from xmlIsID.
|
|
d0d6174e
|
2024-02-29T19:38:29
|
|
valid: Rework xmlAddID
|
|
d57c57ed
|
2024-03-05T14:53:35
|
|
tree: Improve argument check in xmlTextConcat
|
|
16c29557
|
2024-03-05T14:52:34
|
|
tree: Remove unused node types
|
|
f960c60d
|
2024-03-05T03:25:16
|
|
tree: Make namespace comparison more consistent
The API allows NULL namespace URIs, so we should match them
consistently. Simply use xmlStrEqual which already takes NULL strings
into account.
|
|
d1cc6f7d
|
2024-03-05T04:34:59
|
|
tree: Don't allow NULL name in xmlSetNsProp
|
|
2840e33c
|
2024-03-04T07:34:25
|
|
tree: Allocate XML namespace statically
|
|
696faeb4
|
2024-03-05T16:17:57
|
|
tree: Rework xmlNodeListGetString
Use string buffer to avoid quadratic complexity.
Handle entities with xmlBufGetNodeContent.
Report malloc failures.
|
|
41964548
|
2024-02-28T12:17:57
|
|
tree: Rework xmlTextMerge
Return NULL on error. Check for malloc failure. Check that nodes are
distinct.
|
|
a3713f78
|
2024-02-28T11:44:46
|
|
tree: Rework xmlNodeSetName
Disallow xmlNodeSetName on DTD nodes. DTD nodes don't store the name in
a dictionary. Calling xmlNodeSetName with a DTD node could result in an
invalid free.
This function doesn't report errors but we can make sure that name
isn't set to NULL.
|
|
77c71350
|
2024-02-27T20:21:48
|
|
tree: Simplify xmlAddChild with text parent
|
|
7e462425
|
2024-02-27T20:18:42
|
|
tree: Don't allow misuse of xmlAddChild
xmlAddChild assumes that the child is unlinked. If the child is already
linked, return an error instead of corrupting the tree.
|
|
2c214a50
|
2024-02-27T16:29:52
|
|
tree: Fix xmlAddPropSibling with duplicate attributes
Look up existing attribute before unlinking new attribute. This makes
it easier for the fuzzer to detect which attribute will be deleted if
there are multiple attributes with the same name.
|
|
2e765083
|
2024-02-27T16:23:44
|
|
tree: Fix indentation in xmlAddPropSibling
|
|
16c0374a
|
2024-02-27T15:31:33
|
|
tree: Fix xmlAddSibling with last sibling
If the node to be added was already at the correct position, the tree
could be corrupted.
|
|
74ca2f59
|
2024-02-27T13:44:54
|
|
tree: Move type check in xmlAddChild
Avoid aborting halfway after changing parent pointer if node types
don't match when adding attributes.
|
|
29db9881
|
2024-02-23T16:59:40
|
|
tree: Fix xmlDocSetRootElement with multiple top-level elements
Fix xmlDocSetRootElement when setting the original root if multiple
top-level elements are present.
|
|
4b698dba
|
2024-02-22T18:13:53
|
|
tree: Only allow elements in xmlDocSetRootElement
|
|
d5f50602
|
2024-02-22T16:12:07
|
|
tree: Disallow setting content of entity reference nodes
The content of entity reference nodes points to the entity declaration
and isn't freed. Changing the content would result in a memory leak.
|
|
77f2012c
|
2024-02-22T15:25:05
|
|
tree: Rework xmlReconciliateNs
|
|
af66a6b5
|
2024-02-22T13:03:59
|
|
tree: Unlink DTD in xmlStaticCopyNodeList
Avoid tree corruption when copying within a document.
|
|
bb22cfb9
|
2024-02-22T12:39:42
|
|
tree: Unlink DTD in xmlFreeNodeList
Avoid dangling next/prev pointers.
|
|
a581f651
|
2024-02-21T12:09:10
|
|
tree: Check for integer overflow in xmlStringGetNodeList
This function is called with unvalidated strings from functions like
xmlNewDocProp, xmlNewDocNode or xmlNodeSetContent, so we have to check
for integer overflow after all.
|
|
6aae1767
|
2024-02-01T15:18:26
|
|
tree: Fix error condition in xmlNodeListGetString
Don't return NULL in case of undeclared entities.
|
|
d025cfbb
|
2023-12-27T03:53:24
|
|
parser: Always copy content from entity to target.
Make sure that references from IDs are updated.
Note that if there are IDs with the same value in a document, the last
one will now be returned. IDs should be unique, but maybe this should be
addressed.
|
|
c49572e5
|
2023-12-23T15:03:22
|
|
malloc-fail: Fix erroneous report in xmlStringGetNodeList
The parser can produce invalid attribute content in recovery mode.
Unless this is fixed, xmlStringGetNodeList should ignore such errors
silently.
|
|
0ea47327
|
2023-12-13T14:44:29
|
|
malloc-fail: Fix memory leak in xmlNodeGetBaseSafe
Short-lived regression.
|
|
5c06f4e3
|
2023-12-12T14:37:17
|
|
malloc-fail: Fix erroneous reports in xmlNodeListGetString
Short-lived regression.
|
|
aca16fb3
|
2023-12-10T16:37:43
|
|
tree: Report malloc failures
Fix many places where malloc failures aren't reported.
Make some API functions return an error code. Changing the return type
from void to int is technically an ABI break but should be safe on most
platforms.
- xmlNodeSetContent
- xmlNodeSetContentLen
- xmlNodeAddContent
- xmlNodeAddContentLen
- xmlNodeSetBase
Introduce new API functions that return a separate error code if a
memory allocation fails.
- xmlNodeGetAttrValue
- xmlNodeGetBaseSafe
- xmlGetNsListSafe
Introduce private functions xmlTreeEnsureXMLDecl and xmlSplitQName4.
Don't report low-level errors to the global error handler.
Fix tree
Introduce xmlGetNsListSafe
Fix tree
|
|
502971cc
|
2023-12-01T17:49:48
|
|
tree: Another fix related to #538
Should fix #639.
|
|
8707838e
|
2023-11-28T13:27:25
|
|
tree: Fix #583 again
Only set doc->intSubset after successful copy to avoid dangling pointers
in error case.
|
|
de3f7014
|
2023-11-28T13:01:38
|
|
tree: Fix regression when copying DTDs
This reverts commit d39f78069dff496ec865c73aa44d7110e429bce9.
Fixes #634.
|
|
97e99f41
|
2023-10-05T17:11:24
|
|
parser: Acknowledge that entities with namespaces are broken
Entities which reference out-of-scope namespaces have always been broken.
xmlParseBalancedChunkMemoryInternal tried to reuse the namespaces
currently in scope but these namespaces were ignored by the SAX handler.
Besides, there could be different namespaces in scope when expanding the
entity again. For example:
    <!DOCTYPE doc [
      <!ENTITY ent "<ns:elem/>">
    ]>
    <doc>
      <decl1 xmlns:ns="urn:ns1">
        &ent;
      </decl1>
      <decl2 xmlns:ns="urn:ns2">
        &ent;
      </decl2>
    </doc>
Add some comments outlining possible solutions to this problem.
For now, we stop copying namespaces to the temporary parser context
in xmlParseBalancedChunkMemoryInternal. This has never really worked
and the recent changes contained a partial fix which uncovered other
problems like a use-after-free with the XML Reader interface, found
by OSS-Fuzz.
|
|
8c084ebd
|
2023-09-21T22:57:33
|
|
doc: Make apibuild.py happy
|
|
9b5cce7a
|
2023-09-21T00:44:50
|
|
include: Remove more unnecessary includes
|
|
11a1839d
|
2023-09-20T17:54:48
|
|
globals: Move remaining globals back to correct header files
This undoes a lot of damage.
|
|
dc3382ef
|
2023-09-20T12:58:03
|
|
globals: Move xmlRegisterNodeDefault to tree.c
Code in globals.c must not try to access globals itself since the
accessor macros aren't defined and we would only see the main
variable.
|
|
4e1c13eb
|
2023-09-18T14:45:10
|
|
debug: Remove debugging code
This is barely useful these days and only clutters the code base.
|
|
d39f7806
|
2023-08-23T20:24:24
|
|
tree: Fix copying of DTDs
- Don't create multiple DTD nodes.
- Fix UAF if malloc fails.
- Skip DTD nodes if tree module is disabled.
Fixes #583.
|
|
b8961df6
|
2023-05-09T03:25:24
|
|
SAX: Always validate xml:ids
The behavior shouldn't depend on mostly random configuration options.
|
|
dbc893f5
|
2023-03-03T13:02:11
|
|
malloc-fail: Fix memory leak in xmlCopyNamespaceList
Found with libFuzzer, see #344.
|
|
a442d16a
|
2023-02-26T14:48:23
|
|
malloc-fail: Fix memory leak in xmlGetNsList
Found with libFuzzer, see #344.
|
|
bc7740b3
|
2023-02-16T11:45:58
|
|
malloc-fail: Fix memory leak in xmlCopyPropList
Found with libFuzzer, see #344.
|
|
e6401b68
|
2023-01-17T14:01:23
|
|
tree: Fix recursion check in xmlStringGetNodeList
Use the new entity flag to check for recursion.
|
|
481d79d4
|
2022-12-19T15:26:46
|
|
entities: Add XML_ENT_PARSED flag
To check whether an entity was already parsed, the code previously
tested whether "checked" was non-zero or "children" was non-null. The
"children" check could be unreliable because an empty entity also
results in an empty (NULL) node list. Use a separate flag to make this
check more reliable.
|
|
2059df53
|
2022-11-14T22:27:58
|
|
buf: Deprecate static/immutable buffers
|
|
b4592709
|
2022-11-02T16:22:54
|
|
malloc-fail: Fix memory leak in xmlStringGetNodeList
Also make sure to return NULL on error instead of a partial node list.
Found with libFuzzer, see #344.
|
|
dd50cfeb
|
2022-11-02T15:58:31
|
|
malloc-fail: Fix memory leak in xmlNewDocNodeEatName
Found with libFuzzer, see #344.
|
|
fa361de0
|
2022-11-02T15:53:52
|
|
malloc-fail: Fix memory leak in xmlNewPropInternal
Also fixes a memory leak if called with a non-element node.
Found with libFuzzer, see #344.
|
|
a22bd982
|
2022-11-02T15:44:42
|
|
malloc-fail: Fix memory leak in xmlStaticCopyNodeList
Found with libFuzzer, see #344.
|
|
2fc8d123
|
2022-10-22T19:08:43
|
|
xinclude: Make xmlXIncludeCopyNode non-recursive
Avoid call stack overflows.
Also switch to xmlStaticCopyNode which avoids duplicate namespace
definitions.
|
|
59f2f60e
|
2022-09-02T00:27:57
|
|
Remove "runtime debugging"
This doesn't seem useful as a configuration option.
|
|
bdcf842c
|
2022-09-01T20:45:35
|
|
Move xmlIsXHTML to tree.c
It's declared in tree.h and not guarded by LIBXML_OUTPUT_ENABLED like
the other functions in xmlsave.c.
|
|
2cac6269
|
2022-09-01T03:14:13
|
|
Don't use sizeof(xmlChar) or sizeof(char)
|
|
ad338ca7
|
2022-09-01T01:18:30
|
|
Remove explicit integer casts
Remove explicit integer casts as final operation
- in assignments
- when passing arguments
- when returning values
Remove casts
- to the same type
- from certain range-bound values
The main motivation is that these explicit casts don't change the result
of operations and only render UBSan's implicit-conversion checks
useless. Removing these casts allows UBSan to detect cases where
truncation or sign-changes occur unexpectedly.
Document some explicit casts as truncating and add a few missing ones.
|
|
d7a334f2
|
2022-08-26T14:43:28
|
|
Silence -Warray-bounds warning
This is a hack, but works for now.
Fixes #389.
|
|
0f568c0b
|
2022-08-26T01:22:33
|
|
Consolidate private header files
Private functions were previously declared
- in header files in the root directory
- in public headers guarded with IN_LIBXML
- in libxml.h
- redundantly in source files that used them.
Consolidate all private header files in include/private.
|
|
39745c92
|
2022-07-19T21:23:44
|
|
Improve documentation of tree manipulation API
- Discourage use of node constructors without document.
- Mention that xmlReconciliateNs is crucial when moving nodes from one
document to another.
|
|
3e7b4f37
|
2022-05-20T23:28:25
|
|
Avoid calling xmlSetTreeDoc
Create text nodes with xmlNewDocText or set the document directly to
avoid xmlSetTreeDoc being called when the node is inserted.
|
|
823bf161
|
2022-05-20T22:38:38
|
|
Simplify xmlFreeNode
|
|
a17a1f56
|
2022-05-18T02:17:31
|
|
Don't reset nsDef when changing node content
nsDef is only used for element nodes.
|
|
24646525
|
2022-05-18T02:16:34
|
|
Fix unintended fall-through in xmlNodeAddContentLen
|
|
6ef16dee
|
2022-05-13T14:43:33
|
|
Reserve byte for NUL terminator and report errors consistently in xmlBuf and xmlBuffer
This is a follow-up to commit 6c283d83.
* buf.c:
(xmlBufGrowInternal):
- Call xmlBufMemoryError() when the buffer size would overflow.
- Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH.
- Do not include NUL terminator byte when returning length.
(xmlBufAdd):
- Call xmlBufMemoryError() when the buffer size would overflow.
* tree.c:
(xmlBufferGrow):
- Call xmlTreeErrMemory() when the buffer size would overflow.
- Do not include NUL terminator byte when returning length.
(xmlBufferResize):
- Update error message in xmlTreeErrMemory() to be consistent
with other similar messages.
(xmlBufferAdd):
- Call xmlTreeErrMemory() when the buffer size would overflow.
(xmlBufferAddHead):
- Add overflow checks similar to those in xmlBufferAdd().
|
|
4ce2abf6
|
2022-05-29T09:46:00
|
|
Fix missing NUL terminators in xmlBuf and xmlBuffer functions
* buf.c:
(xmlBufAddLen):
- Change check for remaining space to account for the NUL
terminator. When adding a length exactly equal to the number
of unused bytes, a NUL terminator was not written.
(xmlBufResize):
- Set `buf->use` and NUL terminator when allocating a new
buffer.
* tree.c:
(xmlBufferResize):
- Set `buf->use` and NUL terminator when allocating a new
buffer.
(xmlBufferAddHead):
- Set NUL terminator before returning early when shifting
contents.
|
|
a6df42e6
|
2022-05-28T08:08:29
|
|
Fix integer overflow in xmlBufferDump()
* tree.c:
(xmlBufferDump):
- Cap the return value to INT_MAX.
|
|
461ef8ac
|
2022-05-25T14:19:10
|
|
Fix double colon typos in xmlBufferResize()
Introduced in commit 6c283d83e.
|
|
4bc3ebf3
|
2022-03-19T17:17:40
|
|
Fix ownership of xmlNodePtr & xmlAttrPtr fields in xmlSetTreeDoc()
When changing `doc` on an xmlNodePtr or xmlAttrPtr, certain
fields must either be a free-standing string, or they must be
owned by `doc->dict`.
The code to make this change was simply missing, so the crash
happened when an xmlAttrPtr was being torn down after `doc`
changed from non-NULL to NULL, but the `name` field was not
copied. This is scenario 1 below.
The xmlNodePtr->name and xmlNodePtr->content fields are also
fixed at the same time. Note that xmlNodePtr->content is never
added to the dictionary, so NULL is used instead of `newDict` to
force a free-standing copy.
This change covers all cases of dictionary changes:
1. Owned by old dictionary -> NULL new dictionary
- Create free-standing copy of string.
2. Owned by old dictionary -> Non-NULL new dictionary
- Get string from new dictionary pool.
3. Not owned by old dictionary -> Non-NULL new dictionary
- No action necessary (already a free-standing string).
4. Not owned by old dictionary -> NULL new dictionary
- No action necessary (already a free-standing string).
* tree.c:
(_copyStringForNewDictIfNeeded): Add.
(xmlSetTreeDoc):
- Update xmlNodePtr->name, xmlNodePtr->content and
xmlAttrPtr->name when changing the document, if needed.
Found by OSS-Fuzz Issue 45132.
|
|
6c283d83
|
2022-03-08T20:10:02
|
|
[CVE-2022-29824] Fix integer overflows in xmlBuf and xmlBuffer
In several places, the code handling string buffers didn't check for
integer overflow or used wrong types for buffer sizes. This could
result in out-of-bounds writes or other memory errors when working on
large, multi-gigabyte buffers.
Thanks to Felix Wilhelm for the report.
|
|
d314046f
|
2022-04-23T17:41:44
|
|
Don't try to copy children of entity references
This would result in an error, aborting the whole copy operation.
Regressed in commit 7618a3b1.
Fixes #371.
|