kmx git

Commit	Date	Message
c2f209c0	2019-09-30T14:13:21	Disallow conditional sections in internal subset Conditional sections are only allowed in external parameter entities referenced from the internal subset.
c51e38cb	2019-09-30T13:50:02	Make xmlParseConditionalSections non-recursive Avoid call stack overflow in deeply nested conditional sections. Found by OSS-Fuzz.
9d461ac7	2019-09-26T16:17:31	Adjust expected error in Python tests Closes #107.
d56184a0	2019-09-26T12:11:39	Disable xmlExp regex code This is apparently another regex engine that was never used, see commit 81a8ec6.
664f8810	2019-09-26T11:01:58	Fix use-after-free in xmlTextReaderFreeNodeList Recent commit 1fbcf40 caused a use-after-free read because it didn't account for the fact that xmlTextReaderFreeDoc frees entities before freeing entity references via xmlTextReaderFreeNodeList. Found by OSS-Fuzz.
99a864a1	2019-09-25T15:27:45	Fix Regextests - One of the bug316338 test cases is expected to succeed. - Memory leak in testRegexp.c. - Refcount handling in xmlExpHashGetEntry.
c2b0a184	2019-09-25T13:57:42	Fix empty branch in regex Fixes bug 649244: https://bugzilla.gnome.org/show_bug.cgi?id=649244 Closes #57.
1fbcf409	2019-09-23T17:13:05	Make xmlTextReaderFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents. Found by OSS-Fuzz.
0762c9b6	2019-09-23T17:07:40	Make xmlFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents.
62150ed2	2019-09-23T14:46:41	Make xmlParseContent and xmlParseElement non-recursive Split xmlParseElement into subfunctions. Use nameNsPush to store prefix, URI and nsNr on the heap, similar to the push parser. Closes #84.
a28bc751	2019-09-20T13:46:58	Fix integer overflow in entity recursion check
e91cbcf6	2019-09-20T12:44:17	Don't read external entities or XIncludes from stdin The file input callbacks try to read from stdin if "-" is passed as URL. This should never be done when loading indirect resources like external entities or XIncludes. Unfortunately, the stdin substitution happens deep inside the IO code, so we simply replace "-" with "./-" in specific locations. This issue also affects other users of the library like libxslt. Ideally, stdin should only be substituted on explicit request. But more intrusive changes could break existing code. Closes #90 and #102.
6705f4d2	2019-09-16T15:45:27	Remove executable bit from non-executable files
eee1dd5a	2019-09-16T15:36:44	Fix expected output of test/schemas/any4 libxml2 correctly rejects any4_0.xsd as invalid schema. I can't figure out what the intent behind this test case was. Simply adjust the expected output to match the current behavior. Closes #92.
e8c9cd5c	2019-09-16T15:36:02	Fix Schema determinism check of ##other namespaces Non-compound (##local) and compound string atoms are always disjoint regardless of whether the compound atom is negated (##other). Closes #40.
4e326a3a	2019-09-02T14:16:12	Fix potential null deref in xmlSchemaIDCFillNodeTables Merge request !45
5f1f455c	2019-09-13T15:51:16	Fix potential memory leak in xmlBufBackToBuffer Fixes bug #794373 https://bugzilla.gnome.org/show_bug.cgi?id=794373 Also see merge request !42
e32afd3f	2019-09-13T15:45:21	Fix error message when processing XIncludes with fallbacks Fixes bug #616491 https://bugzilla.gnome.org/show_bug.cgi?id=616491 Based on merge request !41
fa5e8ca6	2019-08-27T19:09:20	Optimize build instructions in README Fixes bug #792181 https://bugzilla.gnome.org/show_bug.cgi?id=792181 Merge request !40
0b793591	2019-08-26T15:24:12	Fix memory leak in xmlRegEpxFromParse Merge request !39
8efc5b28	2019-09-13T12:24:23	14:00 is a valid timezone for xs:dateTime Closes #100
5a02583c	2019-08-07T17:39:17	Fix memory leak in xmlParseBalancedChunkMemoryRecover When doc is NULL, namespace created in xmlTreeEnsureXMLDecl is bind to newDoc->oldNs, in this case, set newDoc->oldNs to NULL and free newDoc will cause a memory leak. Found with libFuzzer. Closes #82.
09b6f818	2019-08-25T13:58:41	Fix potential null deref in xmlRelaxNGParsePatterns Thanks to Zhongyuan Zhou for the initial patch.
01d8cf07	2019-08-15T15:15:42	Misleading error message with xs:{min\|max}Inclusive Closes #53.
a6a57867	2019-08-13T20:08:53	Fix memory leak in xmlXIncludeLoadTxt
e3f1c7f7	2019-08-25T14:12:23	Partial fix for comparison of xs:durations See https://bugzilla.gnome.org/show_bug.cgi?id=777139 Thanks to Zhongyuan Zhou for the initial merge request !34.
39f10232	2019-08-09T09:44:11	Fix typos: tree: move{ -> s}, reconcil{i -> }ed, h{o -> e}ld by... ...seems to { -> be to} add. Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
5c0e48b8	2019-07-25T18:46:30	Fix typo: xpath: simpli{ -> fi}ed Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
0571b4e6	2019-08-09T15:39:17	Fix null deref in xmlreader buffer
ea695ac0	2019-08-09T15:09:22	Fix unability to RelaxNG-validate grammar with choice-based name class Previously, test/relaxng/ambig_name-class2.xml would fail to validate against test/relaxng/ambig_name-class2.rng: > test/relaxng/ambig_name-class2.rng:4: > element attribute: Relax-NG parser error : > Found anyName attribute without oneOrMore ancestor > Relax-NG schema test/relaxng/ambig_name-class2.rng failed to compile Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
8074b881	2019-08-08T23:33:48	Fix unability to validate ambiguously constructed interleave for RelaxNG Previously, test/relaxng/ambig_name-class.xml would fail to validate for a simple reason -- interleave within "open-name-class" context is supposed to be fine with whatever else is pending the consumption, since effectively, it's unrelated from a higher parsing perspective. Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
81958b6e	2019-07-11T19:24:11	Doc: do not mislead towards "infeasible" scenario wrt. xmlBufNodeDump At least when merely public API is to be leveraged, one cannot use xmlBufCreate function that would otherwise be a clear fit, and relying on some invariants wrt. how some other struct fields will get initialized along the construction/filling such parent struct and (ab)using that instead does not appear clever, either. Hence, instruct people what's the Right Thing for the moment, that is, make them use xmlNodeDumpOutput instead (together with likewise public xmlAllocOutputBuffer). Going forward, it's questionable what do with xmlBuf* family of functions that are once public, since they, for any practical purpose, cannot be used by the library clients (that's how I've run into this). Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
59028ba0	2019-08-07T14:38:07	Fix possible null dereference in xmlXPathIdFunction If a certain memory allocation fails, xmlXPathIdFunction would dereference a null pointer. Closes #77.
b17e3d1c	2019-08-01T15:04:16	Work around buggy ceil() function on AIX AIX has a buggy ceil() function that does not handle negative-zero correctly. Closes #79.
6c91dd94	2019-08-01T15:01:47	Don't call printf with NULL string in runtest.c Avoids undefined behavior causing problems on HP-UX and Solaris. Closes #78.
2f2bf4b2	2019-07-31T20:21:47	xml2-config.in: Output CFLAGS and LIBS on the same line xml2-config currently outputs the results of '--cflags --libs' on two lines. Printing this information on one line is far more useful.
0c1b4fd2	2019-07-13T10:47:25	Fix comments in test code
4f67dbb0	2019-07-09T15:11:01	fix memory leak in xmlAllocOutputBuffer
1fc410d3	2019-07-01T22:22:14	xml2-config: Add a --dynamic switch to print only shared libraries `xml2-config --libs` prints static library linking information by default. This is un-necessary for most programs, so introduce a new option, --dynamic, which, when combined with --libs, only prints shared library linking information.
87125732	2019-07-08T12:54:21	Switched from unsigned long to ptrdiff_t in parser.c Using unsigned long instead of ptrdiff_t results in non-zero pointer deltas being stored as zero delta, giving incorrect offsets into arrays and hence out of bounds reads. This patch fixes the issue in all places in parser.c and adds a macro to reduce the chances of cut-and-paste errors. Only affects platforms where 'sizeof(long) < sizeof(size_t)' like 64-bit Windows. See https://bugs.chromium.org/p/chromium/issues/detail?id=894933 Closes #44.
63484962	2019-07-08T12:28:39	Remove redundant code in xmlRelaxNGValidateState Closes #70.
b3a95d57	2019-05-21T11:21:29	Fix unsigned int overflow
0df3c2c9	2019-06-28T17:34:24	fix comment in testReader.c
37189c08	2019-07-08T12:18:24	dict.h: gcc 2.95 doesn't allow multiple storage classes This is a partial revert of commit c71f9305. I'm not sure what issue this commit was trying to solve but it seems to be related to a circular dependency. It might be related to tree.h being included from dict.h which is unnecessary. Resolves !22.
01ea9c5a	2019-07-08T11:29:40	Fix another code path in xmlParseQName Check for buffer errors in another code path missed in the previous commit. Found by OSS-Fuzz.
5ccac8ce	2019-06-27T10:23:36	Make sure that xmlParseQName returns NULL in error case If there's an error growing the input buffer when recovering from invalid QNames, make sure to return NULL. Otherwise, callers could be confused. In xmlParseStartTag2, for example, `tlen` could become negative. Found by OSS-Fuzz.
f209e551	2019-06-25T11:45:16	Fix build without reader but with pattern Broken by commit dbc6b55b.
f824a4bd	2019-05-20T13:26:08	Fix memory leak in xmlAllocOutputBufferInternal error path Thanks to Anish K Kurian for the report. Closes #60.
e79a903f	2019-05-20T13:22:49	Remove redundant code in xmlXPathCompRelationalExpr Thanks to Anish K Kurian for the report. Closes #59.
44e7a0d5	2019-05-16T21:17:28	Annotate functions with __attribute__((no_sanitize))
f9fce963	2019-05-16T21:16:01	Fix unsigned integer overflow It's defined behavior but -fsanitize=unsigned-integer-overflow is useful to discover bugs.
dbc6b55b	2019-05-16T21:06:56	Fix warnings when compiling without reader or push parser
407b393d	2019-05-15T12:47:28	Fix return value of xmlOutputBufferWrite When using memory buffers, the total size of the buffer was added again and again, potentially leading to an integer overflow. Found by OSS-Fuzz.
3c0d62b4	2019-05-13T07:15:44	Fix parser termination from "Double hyphen within comment" error The patch fixes the parser not halting immediately when the error handler attempts to stop the parser. Rather it was running on and continuing to reference the freed buffer in the while loop termination test. This is only a problem if xmlStopParser is called from an error handler. Probably caused by commit 123234f2. Fixes #58.
96125557	2019-05-10T12:30:03	Remove unused member `doc` in xmlSaveCtxt
14ed63b7	2019-05-08T12:00:51	Limit recursion depth in xmlXPathCompOpEvalPredicate
ad93f087	2019-04-25T12:47:49	Remove -Wno-array-bounds It's unsupported on GCC versions older than 4.3 and the false positives seem to be fixed in newer versions.
9948a9a3	2019-04-05T06:34:59	timsort.h: support older GCCs cherry-pick upstream pull request: __builtin_clzll isn't available on older GCCs
346febc6	2019-04-25T11:34:08	Fix call stack overflow in xmlFreePattern Since xmlFreePattern tried to free the next pattern recursively, its behavior is identical to xmlFreePatternList. Make it call xmlFreePatternList to avoid call stack overflows. Found by OSS-Fuzz.
f75256e7	2019-04-23T17:23:39	Remove unreachable code in xmlXPathCountFunction After the initial test, the condition (type == XPATH_NODESET) \|\| (type == XPATH_XSLT_TREE) always holds true.
949eced4	2019-04-22T16:04:26	Fix null deref in previous commit
c2f4da1a	2017-05-21T22:08:50	Improve XPath predicate and filter evaluation Consolidate code paths evaluating XPath predicates and filters. Don't push context node on stack when evaluating predicates. I have no idea why this was done. It seems completely useless and trying to pop the context node from a corrupted stack has already caused security issues. Filter nodesets in-place and don't create node sets with NULL gaps which allows to simplify merging a great deal. Simply move matched nodes backward and create a compact node set. Merge xmlXPathCompOpEvalPositionalPredicate into xmlXPathCompOpEvalPredicate.
012f8e92	2019-04-20T17:01:19	Limit recursion depth in xmlXPathOptimizeExpression
93a1d223	2019-04-16T13:37:47	Fix memory leaks in xmlXPathParseNameComplex error paths Found by OSS-Fuzz.
fa3166c2	2019-04-12T12:03:04	Disable hash randomization when fuzzing Use the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION macro proposed by libFuzzer.
2d97a97a	2019-03-15T16:27:58	Optional recursion limit when parsing XPath expressions Useful to avoid call stack overflows when fuzzing. Note that parsing a parenthesized expression currently consumes more than 10 stack frames, so this limit should be set rather low.
64115ed6	2019-03-18T11:34:26	Optional recursion limit when evaluating XPath expressions Useful to avoid call stack overflows when fuzzing.
5153c7ba	2019-03-18T11:18:31	Use break statements in xmlXPathCompOpEval This prepares for the next commit.
852c93a2	2019-03-12T16:12:05	Optional XPath operation limit Optionally limit the maximum numbers of XPath operations when evaluating an expression. Useful to avoid timeouts when fuzzing. The following operations count towards the limit: - XPath operations - Location step iterations - Union operations Enabled by setting opLimit to a non-zero value. Note that it's the user's responsibility to reset opCount. This allows to enforce the operation limit across multiple reuses of an XPath context.
91d576de	2019-04-09T13:16:50	Make configure.ac work with older pkg-config Older versions of pkg.m4 require the action-if-not-found argument of the PKG_CHECK_MODULES macro to be non-empty. Use a colon (null command) instead of an empty string. Fixes #50.
0f518611	2019-04-08T14:02:11	Fix compilation with --with-minimum Presence of xmlEncodeAttributeEntities doesn't depend on output module. Fixes #52.
b9bdb9db	2019-03-19T17:44:51	Check for integer overflow in xmlXPtrEvalChildSeq Found with libFuzzer and UBSan.
236dd6ab	2019-03-13T18:21:02	Check XPath stack after calling functions Check that there's exactly one return value on the stack after calling XPath functions. Otherwise, functions that corrupt the stack without signaling an error could lead to memory errors. Found with libFuzzer and UBSan.
c494a0ba	2019-03-12T14:45:04	Fix xmllint dump of XPath namespace nodes Starting with commit da35eeae, xmllint uses the xmlNodeDump API to dump XPath nodes. Make sure not to access node->doc which doesn't work with namespace nodes.
30a6533e	2019-03-08T12:15:17	Fix float casts in xmlXPathSubstringFunction Rewrite conversion of double to int in xmlXPathSubstringFunction, adding range checks to avoid undefined behavior. Make sure to add start and length as floating-point numbers before converting to int. Fix a bug when rounding negative start indices. Remove unneeded calls to xmlXPathIs{Inf,NaN} and rely on IEEE math instead. Avoid computing the string length. xmlUTF8Strsub works as expected if the length of the requested substring exceeds the input. Found with libFuzzer and UBSan.
09797c13	2019-03-05T15:14:34	Fix null deref in xmlregexp error path Thanks to Shaobo He for the report.
8161b463	2019-02-28T12:25:05	Remove debug printf in xmlreader.c Fixes #46.
9a82ae30	2019-02-28T12:18:37	Stop defining _REENTRANT on some Win32 platforms The _REENTRANT macro was defined unconditionally on some Win32 builds using the Microsoft C runtime. It shouldn't have an effect under MSVCRT and was presumably only defined because of the LIBXML_THREAD_ENABLED issue fixed with the previous commit.
cf68fe3d	2019-02-27T15:00:14	Always define LIBXML_THREAD_ENABLED when enabled When libxml2 is compiled with threads enabled, have the header file define LIBXML_THREAD_ENABLED even if the subsequent application by itself does not enable threads. Otherwise, the application would see the unthreaded API functions, but these are not exported (where it does make a difference, like on Win32 based platforms).
2c8dc715	2019-02-25T12:00:50	Fix null pointer dereference in xmlTextReaderReadOuterXml Fix a regression caused by commit 39fbfb4f. If xmlTextReaderReadOuterXml is called on a pristine xmlReader, the current node is NULL and must not be dereferenced. Move the call to xmlTextReaderExpand to the start of the function to make sure that we have a valid node. Fixes #43.
a7fe7ee4	2019-02-15T17:28:38	Regenerate NEWS
538d827c	2019-02-15T17:26:38	Change git repo URL
04fbfa3f	2019-02-15T17:20:18	Change bug tracker URL
656df97d	2019-02-15T17:05:16	Remove outdated HTML file
d3de7578	2019-01-15T12:33:48	Fix nanohttp.c on MinGW Commit e3890546 broke nanohttp.c on (old) MinGW. MinGW-w64 wasn't affected. Should fix #36. Thanks to Simon Sobisch for the report.
b48226f7	2019-01-07T17:58:32	Fix memory leaks in xmlParseStartTag2 error paths Found by OSS-Fuzz.
6b49db2c	2019-01-07T17:14:21	Fix memory leak in xmlSAX2StartElement Introduced by a recent commit. Only happens if max depth is exceeded in SAX1 mode. Found by OSS-Fuzz.
26828cb3	2019-01-07T16:52:42	Fix commit "Memory leak in xmlFreeID (xmlreader.c)" The recent commit "Memory leak in xmlFreeID (xmlreader.c)" introduced a double-free.
619534ef	2018-01-23T17:36:23	Fix Windows compiler warning in testC14N.c
57d4329b	2018-01-23T17:33:42	Merge testThreadsWin32.c into testThreads.c Apply the same cross-platform modifications as previously in runtest.c.
7f40ed01	2018-01-23T16:40:36	Fix Python bindings under Windows - Correct linker flags for MinGW-w64 - Adjust PATH to find libxml2.dll when running tests
e8fdf5df	2019-01-01T19:20:22	Fix unused function warning in testapi.c Check whether all param and return types are known before generating functions for param types. Otherwise, unused functions end up in testapi.c.
731b5064	2019-01-01T18:43:02	Add some generated test files to .gitignore
dcae579e	2019-01-01T16:48:40	Remove unneeded function pointer casts
19f0950d	2019-01-01T16:38:42	Fix -Wcast-function-type warnings (GCC 8) Use xmlGenericError instead of fprintf as error handler. It also prints to stderr by default.
8919885f	2019-01-01T16:30:38	Fix -Wformat-truncation warnings (GCC 8)
157cd3ae	2018-11-24T15:46:00	Fix NULL pointer deref in xmlTextReaderValidateEntity Found by OSS-Fuzz.
57a3af56	2018-11-24T12:14:55	Memory leak in xmlFreeTextReader In error cases, there might still be elements in the vstate table. Since vstateVPop in valid.c is private, we have to pop the elements with xmlValidatePopElement. This inspects nodes of the document, so the reader doc must be freed after the clearing the vstate table. Found by OSS-Fuzz.
efe8c093	2018-11-24T11:39:32	Memory leak in xmlFreeID (xmlreader.c) Fix a memory leak in xmlReader's private copy of xmlFreeID. Only affects validation with NODICT. Found by OSS-Fuzz.
f8a8c1f5	2019-01-03T19:14:17	Release of libxml2-2.9.9 * configure.ac doc/news.html doc/xml.html doc/libxml2.xsa: making changes for the release Signed-off-by: Daniel Veillard <veillard@redhat.com>

c2f209c0

2019-09-30T14:13:21

Disallow conditional sections in internal subset Conditional sections are only allowed in *external* parameter entities referenced from the internal subset.

c51e38cb

2019-09-30T13:50:02

Make xmlParseConditionalSections non-recursive Avoid call stack overflow in deeply nested conditional sections. Found by OSS-Fuzz.

9d461ac7

2019-09-26T16:17:31

Adjust expected error in Python tests Closes #107.

d56184a0

2019-09-26T12:11:39

Disable xmlExp regex code This is apparently another regex engine that was never used, see commit 81a8ec6.

664f8810

2019-09-26T11:01:58

Fix use-after-free in xmlTextReaderFreeNodeList Recent commit 1fbcf40 caused a use-after-free read because it didn't account for the fact that xmlTextReaderFreeDoc frees entities before freeing entity references via xmlTextReaderFreeNodeList. Found by OSS-Fuzz.

99a864a1

2019-09-25T15:27:45

Fix Regextests - One of the bug316338 test cases is expected to succeed. - Memory leak in testRegexp.c. - Refcount handling in xmlExpHashGetEntry.

c2b0a184

2019-09-25T13:57:42

Fix empty branch in regex Fixes bug 649244: https://bugzilla.gnome.org/show_bug.cgi?id=649244 Closes #57.

1fbcf409

2019-09-23T17:13:05

Make xmlTextReaderFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents. Found by OSS-Fuzz.

0762c9b6

2019-09-23T17:07:40

Make xmlFreeNodeList non-recursive Avoid call stack overflow when freeing deeply nested documents.

62150ed2

2019-09-23T14:46:41

Make xmlParseContent and xmlParseElement non-recursive Split xmlParseElement into subfunctions. Use nameNsPush to store prefix, URI and nsNr on the heap, similar to the push parser. Closes #84.

a28bc751

2019-09-20T13:46:58

Fix integer overflow in entity recursion check

e91cbcf6

2019-09-20T12:44:17

Don't read external entities or XIncludes from stdin The file input callbacks try to read from stdin if "-" is passed as URL. This should never be done when loading indirect resources like external entities or XIncludes. Unfortunately, the stdin substitution happens deep inside the IO code, so we simply replace "-" with "./-" in specific locations. This issue also affects other users of the library like libxslt. Ideally, stdin should only be substituted on explicit request. But more intrusive changes could break existing code. Closes #90 and #102.

6705f4d2

2019-09-16T15:45:27

Remove executable bit from non-executable files

eee1dd5a

2019-09-16T15:36:44

Fix expected output of test/schemas/any4 libxml2 correctly rejects any4_0.xsd as invalid schema. I can't figure out what the intent behind this test case was. Simply adjust the expected output to match the current behavior. Closes #92.

e8c9cd5c

2019-09-16T15:36:02

Fix Schema determinism check of ##other namespaces Non-compound (##local) and compound string atoms are always disjoint regardless of whether the compound atom is negated (##other). Closes #40.

4e326a3a

2019-09-02T14:16:12

Fix potential null deref in xmlSchemaIDCFillNodeTables Merge request !45

5f1f455c

2019-09-13T15:51:16

Fix potential memory leak in xmlBufBackToBuffer Fixes bug #794373 https://bugzilla.gnome.org/show_bug.cgi?id=794373 Also see merge request !42

e32afd3f

2019-09-13T15:45:21

Fix error message when processing XIncludes with fallbacks Fixes bug #616491 https://bugzilla.gnome.org/show_bug.cgi?id=616491 Based on merge request !41

fa5e8ca6

2019-08-27T19:09:20

Optimize build instructions in README Fixes bug #792181 https://bugzilla.gnome.org/show_bug.cgi?id=792181 Merge request !40

0b793591

2019-08-26T15:24:12

Fix memory leak in xmlRegEpxFromParse Merge request !39

8efc5b28

2019-09-13T12:24:23

14:00 is a valid timezone for xs:dateTime Closes #100

5a02583c

2019-08-07T17:39:17

Fix memory leak in xmlParseBalancedChunkMemoryRecover When doc is NULL, namespace created in xmlTreeEnsureXMLDecl is bind to newDoc->oldNs, in this case, set newDoc->oldNs to NULL and free newDoc will cause a memory leak. Found with libFuzzer. Closes #82.

09b6f818

2019-08-25T13:58:41

Fix potential null deref in xmlRelaxNGParsePatterns Thanks to Zhongyuan Zhou for the initial patch.

01d8cf07

2019-08-15T15:15:42

Misleading error message with xs:{min|max}Inclusive Closes #53.

a6a57867

2019-08-13T20:08:53

Fix memory leak in xmlXIncludeLoadTxt

e3f1c7f7

2019-08-25T14:12:23

Partial fix for comparison of xs:durations See https://bugzilla.gnome.org/show_bug.cgi?id=777139 Thanks to Zhongyuan Zhou for the initial merge request !34.

39f10232

2019-08-09T09:44:11

Fix typos: tree: move{ -> s}, reconcil{i -> }ed, h{o -> e}ld by... ...seems to { -> be to} add. Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

5c0e48b8

2019-07-25T18:46:30

Fix typo: xpath: simpli{ -> fi}ed Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

0571b4e6

2019-08-09T15:39:17

Fix null deref in xmlreader buffer

ea695ac0

2019-08-09T15:09:22

Fix unability to RelaxNG-validate grammar with choice-based name class Previously, test/relaxng/ambig_name-class2.xml would fail to validate against test/relaxng/ambig_name-class2.rng: > test/relaxng/ambig_name-class2.rng:4: > element attribute: Relax-NG parser error : > Found anyName attribute without oneOrMore ancestor > Relax-NG schema test/relaxng/ambig_name-class2.rng failed to compile Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

8074b881

2019-08-08T23:33:48

Fix unability to validate ambiguously constructed interleave for RelaxNG Previously, test/relaxng/ambig_name-class.xml would fail to validate for a simple reason -- interleave within "open-name-class" context is supposed to be fine with whatever else is pending the consumption, since effectively, it's unrelated from a higher parsing perspective. Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

81958b6e

2019-07-11T19:24:11

Doc: do not mislead towards "infeasible" scenario wrt. xmlBufNodeDump At least when merely public API is to be leveraged, one cannot use xmlBufCreate function that would otherwise be a clear fit, and relying on some invariants wrt. how some other struct fields will get initialized along the construction/filling such parent struct and (ab)using that instead does not appear clever, either. Hence, instruct people what's the Right Thing for the moment, that is, make them use xmlNodeDumpOutput instead (together with likewise public xmlAllocOutputBuffer). Going forward, it's questionable what do with xmlBuf* family of functions that are once public, since they, for any practical purpose, cannot be used by the library clients (that's how I've run into this). Signed-off-by: Jan Pokorný <jpokorny@redhat.com>

59028ba0

2019-08-07T14:38:07

Fix possible null dereference in xmlXPathIdFunction If a certain memory allocation fails, xmlXPathIdFunction would dereference a null pointer. Closes #77.

b17e3d1c

2019-08-01T15:04:16

Work around buggy ceil() function on AIX AIX has a buggy ceil() function that does not handle negative-zero correctly. Closes #79.

6c91dd94

2019-08-01T15:01:47

Don't call printf with NULL string in runtest.c Avoids undefined behavior causing problems on HP-UX and Solaris. Closes #78.

2f2bf4b2

2019-07-31T20:21:47

xml2-config.in: Output CFLAGS and LIBS on the same line xml2-config currently outputs the results of '--cflags --libs' on two lines. Printing this information on one line is far more useful.

0c1b4fd2

2019-07-13T10:47:25

Fix comments in test code

4f67dbb0

2019-07-09T15:11:01

fix memory leak in xmlAllocOutputBuffer

1fc410d3

2019-07-01T22:22:14

xml2-config: Add a --dynamic switch to print only shared libraries `xml2-config --libs` prints static library linking information by default. This is un-necessary for most programs, so introduce a new option, --dynamic, which, when combined with --libs, only prints shared library linking information.

87125732

2019-07-08T12:54:21

Switched from unsigned long to ptrdiff_t in parser.c Using unsigned long instead of ptrdiff_t results in non-zero pointer deltas being stored as zero delta, giving incorrect offsets into arrays and hence out of bounds reads. This patch fixes the issue in all places in parser.c and adds a macro to reduce the chances of cut-and-paste errors. Only affects platforms where 'sizeof(long) < sizeof(size_t)' like 64-bit Windows. See https://bugs.chromium.org/p/chromium/issues/detail?id=894933 Closes #44.

63484962

2019-07-08T12:28:39

Remove redundant code in xmlRelaxNGValidateState Closes #70.

b3a95d57

2019-05-21T11:21:29

Fix unsigned int overflow

0df3c2c9

2019-06-28T17:34:24

fix comment in testReader.c

37189c08

2019-07-08T12:18:24

dict.h: gcc 2.95 doesn't allow multiple storage classes This is a partial revert of commit c71f9305. I'm not sure what issue this commit was trying to solve but it seems to be related to a circular dependency. It might be related to tree.h being included from dict.h which is unnecessary. Resolves !22.

01ea9c5a

2019-07-08T11:29:40

Fix another code path in xmlParseQName Check for buffer errors in another code path missed in the previous commit. Found by OSS-Fuzz.

5ccac8ce

2019-06-27T10:23:36

Make sure that xmlParseQName returns NULL in error case If there's an error growing the input buffer when recovering from invalid QNames, make sure to return NULL. Otherwise, callers could be confused. In xmlParseStartTag2, for example, `tlen` could become negative. Found by OSS-Fuzz.

f209e551

2019-06-25T11:45:16

Fix build without reader but with pattern Broken by commit dbc6b55b.

f824a4bd

2019-05-20T13:26:08

Fix memory leak in xmlAllocOutputBufferInternal error path Thanks to Anish K Kurian for the report. Closes #60.

e79a903f

2019-05-20T13:22:49

Remove redundant code in xmlXPathCompRelationalExpr Thanks to Anish K Kurian for the report. Closes #59.

44e7a0d5

2019-05-16T21:17:28

Annotate functions with __attribute__((no_sanitize))

f9fce963

2019-05-16T21:16:01

Fix unsigned integer overflow It's defined behavior but -fsanitize=unsigned-integer-overflow is useful to discover bugs.

dbc6b55b

2019-05-16T21:06:56

Fix warnings when compiling without reader or push parser

407b393d

2019-05-15T12:47:28

Fix return value of xmlOutputBufferWrite When using memory buffers, the total size of the buffer was added again and again, potentially leading to an integer overflow. Found by OSS-Fuzz.

3c0d62b4

2019-05-13T07:15:44

Fix parser termination from "Double hyphen within comment" error The patch fixes the parser not halting immediately when the error handler attempts to stop the parser. Rather it was running on and continuing to reference the freed buffer in the while loop termination test. This is only a problem if xmlStopParser is called from an error handler. Probably caused by commit 123234f2. Fixes #58.

96125557

2019-05-10T12:30:03

Remove unused member `doc` in xmlSaveCtxt

14ed63b7

2019-05-08T12:00:51

Limit recursion depth in xmlXPathCompOpEvalPredicate

ad93f087

2019-04-25T12:47:49

Remove -Wno-array-bounds It's unsupported on GCC versions older than 4.3 and the false positives seem to be fixed in newer versions.

9948a9a3

2019-04-05T06:34:59

timsort.h: support older GCCs cherry-pick upstream pull request: __builtin_clzll isn't available on older GCCs

346febc6

2019-04-25T11:34:08

Fix call stack overflow in xmlFreePattern Since xmlFreePattern tried to free the next pattern recursively, its behavior is identical to xmlFreePatternList. Make it call xmlFreePatternList to avoid call stack overflows. Found by OSS-Fuzz.

f75256e7

2019-04-23T17:23:39

Remove unreachable code in xmlXPathCountFunction After the initial test, the condition (type == XPATH_NODESET) || (type == XPATH_XSLT_TREE) always holds true.

949eced4

2019-04-22T16:04:26

Fix null deref in previous commit

c2f4da1a

2017-05-21T22:08:50

Improve XPath predicate and filter evaluation Consolidate code paths evaluating XPath predicates and filters. Don't push context node on stack when evaluating predicates. I have no idea why this was done. It seems completely useless and trying to pop the context node from a corrupted stack has already caused security issues. Filter nodesets in-place and don't create node sets with NULL gaps which allows to simplify merging a great deal. Simply move matched nodes backward and create a compact node set. Merge xmlXPathCompOpEvalPositionalPredicate into xmlXPathCompOpEvalPredicate.

012f8e92

2019-04-20T17:01:19

Limit recursion depth in xmlXPathOptimizeExpression

93a1d223

2019-04-16T13:37:47

Fix memory leaks in xmlXPathParseNameComplex error paths Found by OSS-Fuzz.

fa3166c2

2019-04-12T12:03:04

Disable hash randomization when fuzzing Use the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION macro proposed by libFuzzer.

2d97a97a

2019-03-15T16:27:58

Optional recursion limit when parsing XPath expressions Useful to avoid call stack overflows when fuzzing. Note that parsing a parenthesized expression currently consumes more than 10 stack frames, so this limit should be set rather low.

64115ed6

2019-03-18T11:34:26

Optional recursion limit when evaluating XPath expressions Useful to avoid call stack overflows when fuzzing.

5153c7ba

2019-03-18T11:18:31

Use break statements in xmlXPathCompOpEval This prepares for the next commit.

852c93a2

2019-03-12T16:12:05

Optional XPath operation limit Optionally limit the maximum numbers of XPath operations when evaluating an expression. Useful to avoid timeouts when fuzzing. The following operations count towards the limit: - XPath operations - Location step iterations - Union operations Enabled by setting opLimit to a non-zero value. Note that it's the user's responsibility to reset opCount. This allows to enforce the operation limit across multiple reuses of an XPath context.

91d576de

2019-04-09T13:16:50

Make configure.ac work with older pkg-config Older versions of pkg.m4 require the action-if-not-found argument of the PKG_CHECK_MODULES macro to be non-empty. Use a colon (null command) instead of an empty string. Fixes #50.

0f518611

2019-04-08T14:02:11

Fix compilation with --with-minimum Presence of xmlEncodeAttributeEntities doesn't depend on output module. Fixes #52.

b9bdb9db

2019-03-19T17:44:51

Check for integer overflow in xmlXPtrEvalChildSeq Found with libFuzzer and UBSan.

236dd6ab

2019-03-13T18:21:02

Check XPath stack after calling functions Check that there's exactly one return value on the stack after calling XPath functions. Otherwise, functions that corrupt the stack without signaling an error could lead to memory errors. Found with libFuzzer and UBSan.

c494a0ba

2019-03-12T14:45:04

Fix xmllint dump of XPath namespace nodes Starting with commit da35eeae, xmllint uses the xmlNodeDump API to dump XPath nodes. Make sure not to access node->doc which doesn't work with namespace nodes.

30a6533e

2019-03-08T12:15:17

Fix float casts in xmlXPathSubstringFunction Rewrite conversion of double to int in xmlXPathSubstringFunction, adding range checks to avoid undefined behavior. Make sure to add start and length as floating-point numbers before converting to int. Fix a bug when rounding negative start indices. Remove unneeded calls to xmlXPathIs{Inf,NaN} and rely on IEEE math instead. Avoid computing the string length. xmlUTF8Strsub works as expected if the length of the requested substring exceeds the input. Found with libFuzzer and UBSan.

09797c13

2019-03-05T15:14:34

Fix null deref in xmlregexp error path Thanks to Shaobo He for the report.

8161b463

2019-02-28T12:25:05

Remove debug printf in xmlreader.c Fixes #46.

9a82ae30

2019-02-28T12:18:37

Stop defining _REENTRANT on some Win32 platforms The _REENTRANT macro was defined unconditionally on some Win32 builds using the Microsoft C runtime. It shouldn't have an effect under MSVCRT and was presumably only defined because of the LIBXML_THREAD_ENABLED issue fixed with the previous commit.

cf68fe3d

2019-02-27T15:00:14

Always define LIBXML_THREAD_ENABLED when enabled When libxml2 is compiled with threads enabled, have the header file define LIBXML_THREAD_ENABLED even if the subsequent application by itself does not enable threads. Otherwise, the application would see the unthreaded API functions, but these are not exported (where it does make a difference, like on Win32 based platforms).

2c8dc715

2019-02-25T12:00:50

Fix null pointer dereference in xmlTextReaderReadOuterXml Fix a regression caused by commit 39fbfb4f. If xmlTextReaderReadOuterXml is called on a pristine xmlReader, the current node is NULL and must not be dereferenced. Move the call to xmlTextReaderExpand to the start of the function to make sure that we have a valid node. Fixes #43.

a7fe7ee4

2019-02-15T17:28:38

Regenerate NEWS

538d827c

2019-02-15T17:26:38

Change git repo URL

04fbfa3f

2019-02-15T17:20:18

Change bug tracker URL

656df97d

2019-02-15T17:05:16

Remove outdated HTML file

d3de7578

2019-01-15T12:33:48

Fix nanohttp.c on MinGW Commit e3890546 broke nanohttp.c on (old) MinGW. MinGW-w64 wasn't affected. Should fix #36. Thanks to Simon Sobisch for the report.

b48226f7

2019-01-07T17:58:32

Fix memory leaks in xmlParseStartTag2 error paths Found by OSS-Fuzz.

6b49db2c

2019-01-07T17:14:21

Fix memory leak in xmlSAX2StartElement Introduced by a recent commit. Only happens if max depth is exceeded in SAX1 mode. Found by OSS-Fuzz.

26828cb3

2019-01-07T16:52:42

Fix commit "Memory leak in xmlFreeID (xmlreader.c)" The recent commit "Memory leak in xmlFreeID (xmlreader.c)" introduced a double-free.

619534ef

2018-01-23T17:36:23

Fix Windows compiler warning in testC14N.c

57d4329b

2018-01-23T17:33:42

Merge testThreadsWin32.c into testThreads.c Apply the same cross-platform modifications as previously in runtest.c.

7f40ed01

2018-01-23T16:40:36

Fix Python bindings under Windows - Correct linker flags for MinGW-w64 - Adjust PATH to find libxml2.dll when running tests

e8fdf5df

2019-01-01T19:20:22

Fix unused function warning in testapi.c Check whether all param and return types are known before generating functions for param types. Otherwise, unused functions end up in testapi.c.

731b5064

2019-01-01T18:43:02

Add some generated test files to .gitignore

dcae579e

2019-01-01T16:48:40

Remove unneeded function pointer casts

19f0950d

2019-01-01T16:38:42

Fix -Wcast-function-type warnings (GCC 8) Use xmlGenericError instead of fprintf as error handler. It also prints to stderr by default.

8919885f

2019-01-01T16:30:38

Fix -Wformat-truncation warnings (GCC 8)

157cd3ae

2018-11-24T15:46:00

Fix NULL pointer deref in xmlTextReaderValidateEntity Found by OSS-Fuzz.

57a3af56

2018-11-24T12:14:55

Memory leak in xmlFreeTextReader In error cases, there might still be elements in the vstate table. Since vstateVPop in valid.c is private, we have to pop the elements with xmlValidatePopElement. This inspects nodes of the document, so the reader doc must be freed after the clearing the vstate table. Found by OSS-Fuzz.

efe8c093

2018-11-24T11:39:32

Memory leak in xmlFreeID (xmlreader.c) Fix a memory leak in xmlReader's private copy of xmlFreeID. Only affects validation with NODICT. Found by OSS-Fuzz.

f8a8c1f5

2019-01-03T19:14:17

Release of libxml2-2.9.9 * configure.ac doc/news.html doc/xml.html doc/libxml2.xsa: making changes for the release Signed-off-by: Daniel Veillard <veillard@redhat.com>

kc3-lang/libxml2

Log