xpath.c


Log

Author Commit Date CI Message
Nick Wellnhofer 30ef7755 2024-07-02T04:02:16 parser: Don't use deprecated xmlCopyChar
Nick Wellnhofer 598ee0d2 2024-06-26T01:18:55 error: Remove underscores from xmlRaiseError
Rosen Penev 217e9b7a 2024-06-08T12:27:45 clang-tidy: don't return in void functions Found with readability-redundant-control-flow Signed-off-by: Rosen Penev <rosenp@gmail.com>
Nick Wellnhofer f307237e 2024-06-15T23:53:04 schemas: Use private copy of global NaN and Inf Simplify symbol availability logic.
Nick Wellnhofer 669bd349 2024-06-12T18:20:01 xpointer: Remove support for XPointer locations The latest spec for what is essentially an XPath extension seems to be this working draft from 2002: https://www.w3.org/TR/xptr-xpointer/ The xpointer() scheme is listed as "being reviewed" in the XPointer registry since at least 2006. libxml2 seems to be the only modern software that tries to implement this spec, but the code has many bugs and quality issues. If you configure --with-legacy, old symbols are retained for ABI compatibility.
Nick Wellnhofer e75e878e 2024-05-20T13:58:22 doc: Update and fix documentation
Nick Wellnhofer 8d215ac5 2024-05-14T15:55:18 xpath: Fix quadratic runtime accounting
Nick Wellnhofer 63ce5f9a 2024-04-28T17:32:35 Make some globals const
Nick Wellnhofer 20b0bd98 2024-04-09T18:00:13 fuzz: Account for quadratic runtime in xmlXPathTranslateFunction Avoid fuzzer timeouts caused by this known issue.
Nick Wellnhofer 047ea3ec 2024-03-17T16:23:31 Revert "tree: Allocate XML namespace statically" This reverts commit 2840e33c5e4b51589a0b96e8102638eeaea6df72.
Nick Wellnhofer 05adfbf8 2024-03-11T13:42:15 buf: Don't use default buffer size for small strings Detaching strings from a buffer with a default size of 4096 can waste a lot of memory.
Nick Wellnhofer 2840e33c 2024-03-04T07:34:25 tree: Allocate XML namespace statically
Nick Wellnhofer 2963a097 2024-02-05T15:35:54 xpath: Report malloc failure in xmlXPathTranslateFunction
Nick Wellnhofer 37d474ff 2024-01-17T14:19:42 xpath: Fix return of empty node-set in xmlXPathNodeCollectAndTest Don't return NULL node-sets. Ultimately, we should make sure that obj->nodesetval is always non-NULL even for empty node-sets. See #663.
Nick Wellnhofer b8313b58 2023-12-26T21:59:08 xpath: Rewrite substring-before and substring-after Don't use buffers. Check malloc failures.
Nick Wellnhofer c8f1f4a2 2023-12-21T17:30:38 doc: Improve documentation of error handlers
Nick Wellnhofer 531d06ad 2023-12-18T22:48:24 error: Stop printing some errors by default Unfortunately, it's long-standing behavior for libxml2 to print all reported errors to stderr by default. This default behavior is now partially disabled. If no error handler is set, only parser and validation errors are passed to a generic error handler or printed to stderr. Other errors are still available via xmlGetLastError and can be captured with a structured error handler.
Nick Wellnhofer 954b8984 2023-12-18T19:39:38 xpath: Improve error handling Introduce xmlXPathSetErrorHandler allowing to set a structured error handler for an XPath context. Remove arguments from memory error handlers. Use xmlRaiseMemoryError. Remove TODO, STRANGE and CHECK_CTXT macros. Remove remaining uses of xmlGenericError.
Nick Wellnhofer 6fdc20ba 2023-12-20T18:33:29 xpath: Don't free nodes of XSLT result value trees This feature hasn't been required for a long time and libxslt works around it by manually setting 'boolval' to 0.
Nick Wellnhofer bcefef20 2023-12-20T14:40:27 malloc-fail: Report malloc failure in xmlXPathNumberFunction
Nick Wellnhofer 6ae98ebc 2023-12-15T14:53:44 malloc-fail: Report malloc failure in xmlXPathTranslateFunction
Nick Wellnhofer 8583b9f1 2023-12-12T15:00:44 malloc-fail: Fix null deref in xmlXPathTranslateFunction Short-lived regression.
Nick Wellnhofer e632d9f0 2023-12-10T16:56:16 xpath: Report malloc failures Fix many places where malloc failures aren't reported. Rework XPath object cache to store free objects in a linked list to avoid allocating an additional array. Remove some unneeded object pools.
Nick Wellnhofer 8c084ebd 2023-09-21T22:57:33 doc: Make apibuild.py happy
Nick Wellnhofer 9b5cce7a 2023-09-21T00:44:50 include: Remove more unnecessary includes
Nick Wellnhofer 699299ca 2023-09-20T18:54:39 globals: Stop including globals.h
Nick Wellnhofer 4e1c13eb 2023-09-18T14:45:10 debug: Remove debugging code This is barely useful these days and only clutters the code base.
Nick Wellnhofer 6273df6c 2023-05-30T12:30:27 xpath: Ignore entity ref nodes when computing node hash XPath queries only work reliably if entities are substituted. Nevertheless, it's possible to query a document with entity reference nodes. xmllint even deletes entities when the `--dropdtd` option is passed, resulting in dangling pointers, so it's best to skip entity reference nodes to avoid a use-after-free. Fixes #550.
Nick Wellnhofer 01723fc6 2023-05-08T23:12:33 xpath: Fix build without LIBXML_XPATH_ENABLED Move static function declaration into XPATH block. Also move comparison functions. Fixes #537.
Nick Wellnhofer b1319c90 2023-03-18T16:34:01 malloc-fail: Check for malloc failures when creating XPath strings Prevent null derefs. Found by OSS-Fuzz, see #344.
Nick Wellnhofer 48379394 2023-03-13T17:11:27 malloc-fail: Stop using XPath stack frames There's too much code which assumes that if ctxt->value is non-null, a value can be successfully popped off the stack. This assumption can break with stack frames when malloc fails. Instead of trying to fix all call sites, remove the stack frame logic. It only offered very little protection against misbehaving extension functions. We already check the stack size after a function call which should be enough. Found by OSS-Fuzz.
Nick Wellnhofer bd6fa2c1 2023-03-09T22:33:19 malloc-fail: Fix memory leak in xmlXPathRegisterNs Found by OSS-Fuzz.
Nick Wellnhofer 282b75f1 2023-02-28T12:14:33 malloc-fail: Fix memory leak in xmlXPathNameFunction Found with libFuzzer, see #344.
Nick Wellnhofer 524654ed 2023-02-26T17:19:47 xpath: Fix harmless integer overflow in xmlXPathTranslateFunction
Nick Wellnhofer 8608b71f 2023-02-26T15:17:15 Revert "xpath: Fix popping of values in xmlXPathPopNodeset" This reverts commit 47b0e0a620d1e0e657b858986e3ebde80d4645b4.
Nick Wellnhofer bc9f372c 2023-02-26T18:00:30 malloc-fail: Fix memory leak in xmlXPathDistinctSorted Found with libFuzzer, see #344.
Nick Wellnhofer 6f9604f0 2023-02-26T16:09:50 malloc-fail: Fix memory leak in xmlXPathCacheNewNodeSet Found with libFuzzer, see #344.
Nick Wellnhofer 44947afb 2023-02-26T14:41:35 malloc-fail: Fix null deref after xmlPointerListAddSize Found with libFuzzer, see #344.
Nick Wellnhofer 70b21c9f 2023-02-26T14:33:16 malloc-fail: Fix null deref in xmlXPathCompiledEvalInternal Found with libFuzzer, see #344.
Nick Wellnhofer 0f112d02 2023-02-24T18:00:03 malloc-fail: Fix use-after-free related to xmlXPathNodeSetFilter Found with libFuzzer, see #344.
Nick Wellnhofer a3e11b38 2023-02-25T16:05:24 malloc-fail: Fix memory leak in xmlXPathEqualNodeSetFloat Found with libFuzzer, see #344.
Nick Wellnhofer b51478dc 2023-02-24T16:21:17 Revert "malloc-fail: Avoid use-after-free after unsuccessful valuePush" This reverts commit 6a12be77c6a94c374ab7476087edcee2ba41d9b4. There's too much code reading ctxt->value directly and making the wrong assumptions.
Nick Wellnhofer 47b0e0a6 2023-02-23T15:43:15 xpath: Fix popping of values in xmlXPathPopNodeset After 6a12be77, valuePop can fail even if ctxt->value is non-NULL. If it turns out that too much code relies on this assumption, a better fix is needed.
Nick Wellnhofer 8d22e065 2023-02-15T14:41:11 malloc-fail: Fix memory leak after calling xmlXPathNodeSetMerge Destroy the first argument in xmlXPathNodeSetMerge if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
Nick Wellnhofer d31a0e8e 2023-02-15T14:47:29 malloc-fail: Fix memory leak after calling xmlXPathWrapString Destroy the string in xmlXPathWrapString if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
Nick Wellnhofer 3dc64522 2023-02-15T14:30:40 malloc-fail: Fix memory leak in xmlXPathEqualValuesCommon Found with libFuzzer, see #344.
Nick Wellnhofer 691f7eb4 2023-02-15T14:05:13 malloc-fail: Fix memory leak in xmlXPathCompareValues Found with libFuzzer, see #344.
Nick Wellnhofer ac746afd 2023-02-15T13:54:55 malloc-fail: Fix memory leak in xmlXPathTryStreamCompile Found with libFuzzer, see #344.
Nick Wellnhofer 85bc313e 2023-02-15T13:49:28 malloc-fail: Fix memory leak after calling valuePush Destroy the object in valuePush if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
Nick Wellnhofer f5e11749 2023-02-15T13:48:18 malloc-fail: Fix memory leak after calling xmlXPathWrapNodeSet Destroy the node set in xmlXPathWrapNodeSet if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
Nick Wellnhofer 15c9f435 2023-01-31T12:58:32 xpath: Only report the first error Don't overwrite the original error code. Besides, subsequent error reports are somewhat unreliable and not really useful.
Nick Wellnhofer 6a12be77 2023-01-31T12:46:30 malloc-fail: Avoid use-after-free after unsuccessful valuePush In xpath.c there's a lot of code like: valuePush(ctxt, xmlCacheNewX()); ... valuePop(ctxt); If xmlCacheNewX fails, no value will be pushed on the stack. If there's no error check in between, valuePop will pop an unrelated value which can lead to use-after-free errors. Instead of trying to fix all call sites, we simply stop popping values if an error was signaled. This requires changing the CHECK_TYPE macro which is often used to determine whether a value can be safely popped. Found with libFuzzer, see #344.
Nick Wellnhofer 7ec314ef 2023-01-30T15:59:55 malloc-fail: Add error checks in xmlXPathEqualValuesCommon Avoid null deref. Found with libFuzzer, see #344.
Nick Wellnhofer 08695683 2023-01-30T15:52:00 malloc-fail: Add error check in xmlXPathEqualNodeSetFloat Avoid null deref. Found with libFuzzer, see #344.
Nick Wellnhofer 621c222e 2023-01-30T15:48:11 malloc-fail: Fix error check in xmlXPathCompareValues Avoid null deref. Found with libFuzzer, see #344.
Nick Wellnhofer 75534401 2023-01-30T15:40:23 malloc-fail: Record malloc failure in xmlXPathCompLiteral Avoid OOB array access. Found with libFuzzer, see #344.
Nick Wellnhofer 0e4421e7 2023-01-30T15:05:58 malloc-fail: Check return value of xmlXPathNodeSetDupNs Avoid null deref if allocation fails. Found with libFuzzer, see #344.
Nick Wellnhofer 608c65bb 2023-01-18T15:15:41 xpath: number('-') should return NaN Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81
Nick Wellnhofer c16fd705 2022-11-25T14:52:37 xpath: Make init function private
Nick Wellnhofer b6f1298a 2022-10-24T20:47:10 warnings: Remove set-but-unused variables Fixes compiler warnings with clang 15.
Nick Wellnhofer 27c8ba60 2022-09-07T22:34:42 xpath: Lower XPath recursion limit on Windows
Nick Wellnhofer 0d901258 2022-09-04T16:41:43 Fix Windows compiler warnings in python/types.c
Nick Wellnhofer 6843fc72 2022-09-01T02:58:00 Remove or annotate char casts
Nick Wellnhofer 2cac6269 2022-09-01T03:14:13 Don't use sizeof(xmlChar) or sizeof(char)
Nick Wellnhofer ad338ca7 2022-09-01T01:18:30 Remove explicit integer casts Remove explicit integer casts as final operation - in assignments - when passing arguments - when returning values Remove casts - to the same type - from certain range-bound values The main motivation is that these explicit casts don't change the result of operations and only render UBSan's implicit-conversion checks useless. Removing these casts allows UBSan to detect cases where truncation or sign-changes occur unexpectedly. Document some explicit casts as truncating and add a few missing ones.
Nick Wellnhofer 8016c8ed 2022-08-26T15:12:21 Remove set-but-unused variable in xmlXPathScanName Fix clang warning.
Nick Wellnhofer 0f568c0b 2022-08-26T01:22:33 Consolidate private header files Private functions were previously declared - in header files in the root directory - in public headers guarded with IN_LIBXML - in libxml.h - redundantly in source files that used them. Consolidate all private header files in include/private.
Nick Wellnhofer 677a4264 2022-07-28T20:21:24 Make XPath depth check work with recursive invocations EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval recursively. Don't set depth to zero but keep and restore the original value to avoid stack overflows when abusing these functions.
Sergey Kosukhin c9925454 2022-07-06T17:08:26 Use NAN/INFINITY if available to init XPath NaN/Inf
Nick Wellnhofer 67070107 2022-04-20T23:17:14 Add configuration flag for XPointer locations support Add a new configuration flag that controls whether the outdated support for XPointer locations (ranges and points) is enabled. --with-xptr-locs # Autotools LIBXML2_WITH_XPTR_LOCS # CMake The latest spec for what is essentially an XPath extension seems to be this working draft from 2002: https://www.w3.org/TR/xptr-xpointer/ The xpointer() scheme is listed as "being reviewed" in the XPointer registry since at least 2006. libxml2 seems to be the only modern software that tries to implement this spec, but the code has many bugs and quality issues. The flag defaults to "off" and support for this extension has to be requested explicitly. The relevant API functions are deprecated.
David Kilzer 21561e83 2016-05-20T15:21:43 Mark more static data as `const` Similar to 8f5710379, mark more static data structures with `const` keyword. Also fix placement of `const` in encoding.c. Original patch by Sarah Wilkin.
Nick Wellnhofer 0e9776b0 2022-04-03T17:09:50 Initialize XPath floating-point globals Should fix #138.
jinsub ahn 74263eff 2022-03-30T06:02:31 fix: xmlXPathParserContext could be double-deleted in OOM case.
Nick Wellnhofer 40483d0c 2022-03-06T13:55:48 Deprecate module init and cleanup functions These functions shouldn't be part of the public API. Most init functions are only thread-safe when called from xmlInitParser. Global variables should only be cleaned up by calling xmlCleanupParser.
Nick Wellnhofer 57b81c20 2022-03-05T18:20:29 Normalize XPath strings in-place Simplify the code and fix a potential memory leak. Fixes #343.
Nick Wellnhofer 4a8c71eb 2022-03-04T03:35:57 Remove DOCBparser This code has been broken and deprecated since version 2.6.0, released in 2003. Because of a bug in commit 961b535c, DOCBparser.c was never compiled since 2012. I couldn't find a Debian package using any of its symbols, so it seems safe to remove this module.
Nick Wellnhofer ebb17970 2022-03-04T02:31:59 Remove unneeded #includes
Nick Wellnhofer 776d15d3 2022-03-02T00:29:17 Don't check for standard C89 headers Don't check for - ctype.h - errno.h - float.h - limits.h - math.h - signal.h - stdarg.h - stdlib.h - string.h - time.h Stop including non-standard headers - malloc.h - strings.h
Nick Wellnhofer 346c3a93 2022-02-20T18:46:42 Remove elfgcchack.h The same optimization can be enabled with -fno-semantic-interposition since GCC 5. clang has always used this option by default.
Nick Wellnhofer 67953a9f 2022-01-16T15:30:02 Fix memory leak in xmlXPathCompNodeTest Found by Coverity.
Nick Wellnhofer 3e1aad4f 2021-06-02T17:31:49 Fix XPath recursion limit Fix accounting of recursion depth when parsing XPath expressions. This silly bug introduced in commit 804c5297 could lead to spurious errors when parsing larger expressions or XSLT documents. Should fix #264.
Nick Wellnhofer 868e49cf 2021-03-16T10:36:04 Allow FP division by zero in xmlXPathInit
Nick Wellnhofer d25460da 2021-03-13T19:12:00 Fix XPath NaN/Inf for older GCC versions The DBL_MAX approach could lead to errors caused by excess precision. Switch back to the division-by-zero approach with a work-around for MSVC and use the extern globals instead of macro expressions.
Nick Wellnhofer e6ec58ec 2020-09-21T12:49:36 Fix null deref in XPointer expression error path Make sure that the filter functions introduced with commit c2f4da1a return node-sets without NULL pointers also in the error case. Found by OSS-Fuzz.
Nick Wellnhofer 8b88503a 2020-09-18T19:15:27 Don't call xmlXPathInit directly Call xmlInitParser which uses a lock to avoid race conditions. Fixes #184.
Nick Wellnhofer 6f1470a5 2020-08-25T18:50:45 Hardcode maximum XPath recursion depth Always limit nested functions calls to 5000. This avoids call stack overflows with deeply nested expressions. The expression parser produces about 10 nested function calls when parsing a subexpression in parentheses, so the effective nesting limit is about 500 which should be more than enough. Use a lower limit when fuzzing to account for increased memory usage when using sanitizers.
Nick Wellnhofer 804c5297 2020-08-17T03:37:18 Stop using maxParserDepth in xpath.c Only use a single maxDepth value.
Nick Wellnhofer beb7d71a 2020-07-13T12:41:19 Remove misleading comments in xpath.c Fixes #169
Nick Wellnhofer 9f42f6ba 2020-06-24T15:33:38 Don't follow next pointer on documents in xmlXPathRunStreamEval RVTs from libxslt are document nodes which are linked using the 'next' pointer. These pointers must never be used to navigate the document tree. Otherwise, random content from other RVTs could be returned when evaluating XPath expressions. It's interesting that this seemingly long-standing bug wasn't discovered earlier. This issue could also cause severe performance degradation. Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/37
Nick Wellnhofer 487871b0 2020-06-10T13:23:43 Fix undefined behavior in xmlXPathTryStreamCompile &NULL[0] is undefined behavior.
Nick Wellnhofer 20c60886 2020-03-08T17:19:42 Fix typos Resolves #133.
Nick Wellnhofer 2c80fc91 2019-12-02T11:30:30 Fix more memory leaks in error paths of XPath parser Found by OSS-Fuzz.
Nick Wellnhofer d5f2f74d 2019-11-11T11:27:40 Fix memory leak in error path of XPath expr parser Also propagate memory errors. Found by OSS-Fuzz.
Nick Wellnhofer bfc0f674 2019-10-20T14:39:46 Audit memory error handling in xpath.c Memory allocation errors in the following functions are often ignored. Add TODO comments. - xmlXPathNodeSetCreate - xmlXPathNodeSetAdd* - xmlXPathNodeSetMerge* - xmlXPathNodeSetDupNs Note that the following functions currently lack a way to propagate memory errors: - xmlXPathCompareNodeSets - xmlXPathEqualNodeSets
Nick Wellnhofer 429d4eca 2019-10-20T14:22:20 Propagate memory errors in valuePush Currently, many memory allocation errors in xpath.c aren't propagated to the parser/evaluation context and for the most part ignored. Most XPath objects allocated via one of the New, Wrap or Copy functions end up being pushed on the stack, so adding a check in valuePush handles many cases without much effort. Also simplify the code a little and make sure to return -1 in case of error.
Nick Wellnhofer 390f05e7 2019-10-20T13:42:19 Propagate memory errors in xmlXPathCompExprAdd Make sure that memory errors in xmlXPathCompExprAdd are propagated to the parser context. Hitting the step limit or running out of memory without raising an error could also lead to an out-of-bounds read. Also fixes a memory leak in xmlXPathErrMemory. Found by OSS-Fuzz.
Jared Yanovich 2a350ee9 2019-09-30T17:04:54 Large batch of typo fixes Closes #109.
Nick Wellnhofer 6705f4d2 2019-09-16T15:45:27 Remove executable bit from non-executable files
Jan Pokorný 5c0e48b8 2019-07-25T18:46:30 Fix typo: xpath: simpli{ -> fi}ed Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
zhouzhongyuan 59028ba0 2019-08-07T14:38:07 Fix possible null dereference in xmlXPathIdFunction If a certain memory allocation fails, xmlXPathIdFunction would dereference a null pointer. Closes #77.