kc3-lang/libxml2/buf.c

Branch : - branch - master - tag - CVE-2013-2877 CVE-2014-0191 CVE-2014-3660 CVE-2015-1819 CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499-1 CVE-2015-7499-2 CVE-2015-7500 CVE-2015-7941_1 CVE-2015-7941_2 CVE-2015-7942 CVE-2015-7942-2 CVE-2015-8035 CVE-2015-8242 CVE-2015-8317 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4449 CVE-2016-4483 CVE-2021-3541 ChangeLog EAZEL-NAUTILUS-MS-AUG07 FOR_GNOME_0_99_1 GNOME_0_30 GNOME_PRINT_0_24 GNUMERIC_FIRST_PUBLIC_RELEASE LIBXML2.6.32 LIBXML2.7.0 LIBXML2.7.1 LIBXML2.7.2 LIBXML2.7.3 LIBXML2_2_4_21 LIBXML2_2_5_0 LIBXML2_2_5_10 LIBXML2_2_5_11 LIBXML2_2_5_7 LIBXML2_2_5_8 LIBXML2_2_5_9 LIBXML2_2_5_x LIBXML2_2_6_1 LIBXML2_2_6_11 LIBXML2_2_6_12 LIBXML2_2_6_13 LIBXML2_2_6_14 LIBXML2_2_6_15 LIBXML2_2_6_16 LIBXML2_2_6_18 LIBXML2_2_6_19 LIBXML2_2_6_2 LIBXML2_2_6_20 LIBXML2_2_6_21 LIBXML2_2_6_22 LIBXML2_2_6_23 LIBXML2_2_6_24 LIBXML2_2_6_26 LIBXML2_2_6_27 LIBXML2_2_6_28 LIBXML2_2_6_3 LIBXML2_2_6_4 LIBXML2_2_6_5 LIBXML2_2_6_6 LIBXML2_2_6_7 LIBXML2_2_6_8 LIBXML2_2_6_9 LIBXML2_6_0 LIBXML_0_99 LIBXML_1_5_0 LIBXML_1_8_10 LIBXML_1_8_10_REAL LIBXML_1_8_12 LIBXML_1_8_14 LIBXML_1_8_16 LIBXML_1_8_17 LIBXML_1_8_5 LIBXML_1_8_6 LIBXML_1_8_8 LIBXML_1_8_9 LIBXML_2_0_0 LIBXML_2_1_0 LIBXML_2_1_1 LIBXML_2_2_1 LIBXML_2_2_3 LIBXML_2_2_4 LIBXML_2_2_6 LIBXML_2_2_7 LIBXML_2_2_8 LIBXML_2_3_0 LIBXML_2_3_10 LIBXML_2_3_11 LIBXML_2_3_12 LIBXML_2_3_13 LIBXML_2_3_14 LIBXML_2_3_2 LIBXML_2_3_3 LIBXML_2_3_4 LIBXML_2_3_5 LIBXML_2_3_6 LIBXML_2_3_7 LIBXML_2_3_8 LIBXML_2_3_9 LIBXML_2_4_0 LIBXML_2_4_11 LIBXML_2_4_12 LIBXML_2_4_13 LIBXML_2_4_14 LIBXML_2_4_16 LIBXML_2_4_18 LIBXML_2_4_2 LIBXML_2_4_20 LIBXML_2_4_22 LIBXML_2_4_23 LIBXML_2_4_24 LIBXML_2_4_25 LIBXML_2_4_26 LIBXML_2_4_27 LIBXML_2_4_29 LIBXML_2_4_3 LIBXML_2_4_30 LIBXML_2_4_4 LIBXML_2_4_6 LIBXML_2_4_7 LIBXML_2_5_1 LIBXML_2_5_2 LIBXML_2_5_3 LIBXML_2_5_4 LIBXML_2_5_5 LIBXML_2_5_6 LIBXML_2_6_10 LIBXML_TEST_2_0_0 LIB_XML_1_1 LIB_XML_1_3 LIB_XML_1_4 LIB_XML_1_6_1 LIB_XML_1_6_2 LIB_XML_1_7_0 LIB_XML_1_7_1 LIB_XML_1_7_3 LIB_XML_1_8_3 LIB_XML_1_X PRE_MUCKUP PRE_MUCKUP2 PRE_MUCKUP3 help v2.10.0 v2.10.1 v2.10.2 v2.10.3 v2.10.4 v2.11.0 v2.11.1 v2.11.2 v2.11.3 v2.11.4 v2.11.5 v2.11.6 v2.11.7 v2.11.8 v2.11.9 v2.12.0 v2.12.1 v2.12.10 v2.12.2 v2.12.3 v2.12.4 v2.12.5 v2.12.6 v2.12.7 v2.12.8 v2.12.9 v2.13.0 v2.13.1 v2.13.2 v2.13.3 v2.13.4 v2.13.5 v2.13.6 v2.13.7 v2.13.8 v2.13.9 v2.14.0 v2.14.1 v2.14.2 v2.14.3 v2.14.4 v2.14.5 v2.14.6 v2.15.0 v2.15.1 v2.7.4 v2.7.5 v2.7.6 v2.7.7 v2.7.8 v2.8.0 v2.8.0-rc1 v2.8.0-rc2 v2.9.0 v2.9.0-rc2 v2.9.1 v2.9.10 v2.9.10-rc1 v2.9.11 v2.9.12 v2.9.13 v2.9.14 v2.9.2 v2.9.2-rc1 v2.9.2-rc2 v2.9.3 v2.9.4 v2.9.4-rc1 v2.9.4-rc2 v2.9.5 v2.9.5-rc1 v2.9.5-rc2 v2.9.6 v2.9.6-rc1 v2.9.7 v2.9.7-rc1 v2.9.8 v2.9.8-rc1 v2.9.9 v2.9.9-rc1 v2.9.9-rc2

Log

Author	Commit	Date	CI	Message
	8e13133d	2023-12-12 15:13:11		malloc-fail: Don't truncate parser input buffer We now follow a laissez-faire approach when handling malloc failures and removed many checks whether the parser was stopped by such an error. This means the parser input must not be truncated to avoid out-of-bounds reads. Short-lived regression.
	c37a9051	2023-12-10 15:18:55		buf: Stop invoking global error handler Memory errors from low-level code should be handled by higher layers.
	fef12ed8	2023-10-11 13:32:54		buf: Also reset input in error case Avoid dangling pointers if memory allocation failed. This could cause a use-after-free after recent changes. Found by OSS-Fuzz.
	699299ca	2023-09-20 18:54:39		globals: Stop including globals.h
	4e1c13eb	2023-09-18 14:45:10		debug: Remove debugging code This is barely useful these days and only clutters the code base.
	59fa0bb3	2023-08-08 15:21:14		parser: Simplify input pointer updates The base member always points to the beginning of the buffer.
	b236b7a5	2023-06-08 21:53:05		parser: Halt parser when growing buffer results in OOM Fix short-lived regression from previous commit. It might be safer to make xmlBufSetInputBaseCur use the original buffer even in case of errors. Found by OSS-Fuzz.
	1aabc9db	2023-01-22 13:20:15		malloc-fail: Fix null deref in xmlBufResize Found with libFuzzer, see #344.
	f8c5e7fb	2023-01-22 13:49:19		buf: Fix return value of xmlBufGetInputBase Don't return (size_t) -1 in error case. Found with libFuzzer and -fsanitize=implicit-conversion.
	2059df53	2022-11-14 22:27:58		buf: Deprecate static/immutable buffers
	2cac6269	2022-09-01 03:14:13		Don't use sizeof(xmlChar) or sizeof(char)
	ad338ca7	2022-09-01 01:18:30		Remove explicit integer casts Remove explicit integer casts as final operation - in assignments - when passing arguments - when returning values Remove casts - to the same type - from certain range-bound values The main motivation is that these explicit casts don't change the result of operations and only render UBSan's implicit-conversion checks useless. Removing these casts allows UBSan to detect cases where truncation or sign-changes occur unexpectedly. Document some explicit casts as truncating and add a few missing ones.
	0f568c0b	2022-08-26 01:22:33		Consolidate private header files Private functions were previously declared - in header files in the root directory - in public headers guarded with IN_LIBXML - in libxml.h - redundantly in source files that used them. Consolidate all private header files in include/private.
	6ef16dee	2022-05-13 14:43:33		Reserve byte for NUL terminator and report errors consistently in xmlBuf and xmlBuffer This is a follow-up to commit 6c283d83. * buf.c: (xmlBufGrowInternal): - Call xmlBufMemoryError() when the buffer size would overflow. - Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH. - Do not include NUL terminator byte when returning length. (xmlBufAdd): - Call xmlBufMemoryError() when the buffer size would overflow. * tree.c: (xmlBufferGrow): - Call xmlTreeErrMemory() when the buffer size would overflow. - Do not include NUL terminator byte when returning length. (xmlBufferResize): - Update error message in xmlTreeErrMemory() to be consistent with other similar messages. (xmlBufferAdd): - Call xmlTreeErrMemory() when the buffer size would overflow. (xmlBufferAddHead): - Add overflow checks similar to those in xmlBufferAdd().
	4ce2abf6	2022-05-29 09:46:00		Fix missing NUL terminators in xmlBuf and xmlBuffer functions * buf.c: (xmlBufAddLen): - Change check for remaining space to account for the NUL terminator. When adding a length exactly equal to the number of unused bytes, a NUL terminator was not written. (xmlBufResize): - Set `buf->use` and NUL terminator when allocating a new buffer. * tree.c: (xmlBufferResize): - Set `buf->use` and NUL terminator when allocating a new buffer. (xmlBufferAddHead): - Set NUL terminator before returning early when shifting contents.
	c14cac8b	2022-05-25 18:13:07		xmlBufAvail() should return length without including a byte for NUL terminator * buf.c: (xmlBufAvail): - Return the number of bytes available in the buffer, but do not include a byte for the NUL terminator so that it is reserved. * encoding.c: (xmlCharEncFirstLineInput): (xmlCharEncInput): (xmlCharEncOutput): * xmlIO.c: (xmlOutputBufferWriteEscape): - Remove code that subtracts 1 from the return value of xmlBufAvail(). It was implemented inconsistently anyway.
	fe9f76eb	2022-05-25 15:58:30		Remove unused xmlBuf functions Remove the following functions: - xmlBufAddHead() - xmlBufErase() - xmlBufInflate() - xmlBufWriteCHAR() - xmlBufWriteChar()
	6c283d83	2022-03-08 20:10:02		[CVE-2022-29824] Fix integer overflows in xmlBuf and xmlBuffer In several places, the code handling string buffers didn't check for integer overflow or used wrong types for buffer sizes. This could result in out-of-bounds writes or other memory errors when working on large, multi-gigabyte buffers. Thanks to Felix Wilhelm for the report.
	a15f2abe	2022-04-08 12:16:51		Use UPDATE_COMPAT() consistently in buf.c * buf.c: (xmlBufCreate): (xmlBufCreateSize): (xmlBufDetach): (xmlBufCreateStatic): (xmlBufFromBuffer):
	776d15d3	2022-03-02 00:29:17		Don't check for standard C89 headers Don't check for - ctype.h - errno.h - float.h - limits.h - math.h - signal.h - stdarg.h - stdlib.h - string.h - time.h Stop including non-standard headers - malloc.h - strings.h
	346c3a93	2022-02-20 18:46:42		Remove elfgcchack.h The same optimization can be enabled with -fno-semantic-interposition since GCC 5. clang has always used this option by default.
	3f18e748	2020-07-11 14:34:57		Reset HTML parser input before reporting error Avoid use-after-free, similar to 13ba5b61. Also make sure that xmlBufSetInputBaseCur sets valid pointers in case of buffer errors. Found by OSS-Fuzz.
	20c60886	2020-03-08 17:19:42		Fix typos Resolves #133.
	bf2e9617	2019-11-07 12:54:01		Fix overflow handling in xmlBufBackToBuffer Don't overwrite 'use' and 'size' members after clamping to INT_MAX. Thanks to Ranier Vilela for pointing this out in merge request !56.
	2a350ee9	2019-09-30 17:04:54		Large batch of typo fixes Closes #109.
	6705f4d2	2019-09-16 15:45:27		Remove executable bit from non-executable files
	5f1f455c	2019-09-13 15:51:16		Fix potential memory leak in xmlBufBackToBuffer Fixes bug #794373 https://bugzilla.gnome.org/show_bug.cgi?id=794373 Also see merge request !42
	8bbe4508	2017-06-17 16:15:09		Spelling and grammar fixes Fixes bug 743172, bug 743489, bug 769632, bug 782400 and a few other misspellings.
	94f6ce83	2017-06-08 22:36:09		Allow zero sized memory input buffers Useful for a fuzz target I'm working on.
	213f1fe0	2015-04-14 17:41:48		CVE-2015-1819 Enforce the reader to run in constant memory One of the operation on the reader could resolve entities leading to the classic expansion issue. Make sure the buffer used for xmlreader operation is bounded. Introduce a new allocation type for the buffers for this effect.
	95ebe53b	2014-10-13 16:06:21		Fix and add const qualifiers For https://bugzilla.gnome.org/show_bug.cgi?id=689483 It seems there are functions that do use the const qualifier for some of the arguments, but it seems that there are a lot of functions that don't use it and probably should. So I created a patch against 2.9.0 that makes as much as possible const in tree.h, and changed other files as needed. There were a lot of cases like "const xmlNodePtr node". This doesn't actually do anything, there the *pointer* is constant not the object it points to. So I changed those to "const xmlNode *node". I also removed some consts, mostly in the Copy functions, because those functions can actually modify the doc or node they copy from
	2ff92843	2012-09-12 01:32:11		elfgcchack for buf module
	28cc42d0	2012-08-10 10:00:18		Regenerating docs and API files Various cleanups * configure.in: force regeneration of APIs in my environment * buf.c buf.h enc.h encoding.c include/libxml/tree.h include/libxml/xmlerror.h save.h tree.c: various comment cleanups pointed by apibuild * doc/apibuild.py: added the 3 new internal headers in the excludes * doc/libxml2-api.xml doc/libxml2-refs.xml: regenerated the API * doc/symbols.xml: listing new entry points for 2.9.0 * doc/devhelp/*: regenerated
	7f713494	2012-08-07 14:34:53		Improve compatibility between xmlBuf and xmlBuffer An old xsltproc binary now works correctly with the new libxml2
	18e1f1f1	2012-08-06 10:16:41		Improvements for old buffer compatibility Now tree.h exports LIBXML2_NEW_BUFFER macro indicating that the API uses the new buffers, important to keep code working with both versions. * tree.h buf.h: also export xmlBufContent(), xmlBufEnd(), and xmlBufUse() to help port the old code * buf.c: make sure the compatibility counters are updated on buffer usage, to keep proper working of application compiled against the old structures, but take care of int overflow
	6f6feba8	2012-07-25 16:30:56		Fixup for buf.c
	9ee02f80	2012-07-16 19:57:42		Harden the buffer code and make it more compatible Mimic the old xmlBuffer strcture in xmlBuf to avaoid catastrophic failures in case of old code directly reading ctxt->input->buf->buffer Check on all buffer entry points if an error previously occured on the buffer, and fail the operation if this is the case, the buffer becomes immutable and unreadable.
	00ac0d3b	2012-07-16 18:03:01		More cleanups for input/buffers code When calling xmlParserInputBufferPush, the buffer may be reallocated and at the input level the pointers for base, cur and end need to be reevaluated. * buf.c buf.h: add two new functions, one to get the base from the input of the buffer, and another one to reset the pointers based on the cur and base inded * HTMLparser.c parser.c: cleanup to use the new helper functions as well as making sure size_t is used for the indexes computations
	61551a1e	2012-07-16 16:28:47		Cleanup function xmlBufResetInput() to set input from Buffer This was scattered in a number of modules, xmlParserInputPtr have usually their base, cur and end pointer set from an xmlBuf used as input. * buf.c buf.h: add a new function implementing this setup * parser.c HTMLparser.c catalog.c parserInternals.c xmlreader.c use the new function instead of digging into the buffer in all those modules
	bca22f40	2012-07-11 16:48:47		Adding a new buf module for buffers This also add converter functions between xmlBuf and xmlBuffer * buf.c buf.h: the old xmlBuffer routines but modified for size_t and using xmlBuf instead of xmlBuffer * Makefile.am: add the 2 new files * include/libxml/xmlerror.h: add an entry for the new module * include/libxml/tree.h: expose the xmlBufPtr type but not the structure which stay private