xpath.c


Log

Author Commit Date CI Message
Nick Wellnhofer 27c8ba60 2022-09-07T22:34:42 xpath: Lower XPath recursion limit on Windows
Nick Wellnhofer 0d901258 2022-09-04T16:41:43 Fix Windows compiler warnings in python/types.c
Nick Wellnhofer 6843fc72 2022-09-01T02:58:00 Remove or annotate char casts
Nick Wellnhofer 2cac6269 2022-09-01T03:14:13 Don't use sizeof(xmlChar) or sizeof(char)
Nick Wellnhofer ad338ca7 2022-09-01T01:18:30 Remove explicit integer casts Remove explicit integer casts as final operation - in assignments - when passing arguments - when returning values Remove casts - to the same type - from certain range-bound values The main motivation is that these explicit casts don't change the result of operations and only render UBSan's implicit-conversion checks useless. Removing these casts allows UBSan to detect cases where truncation or sign-changes occur unexpectedly. Document some explicit casts as truncating and add a few missing ones.
Nick Wellnhofer 8016c8ed 2022-08-26T15:12:21 Remove set-but-unused variable in xmlXPathScanName Fix clang warning.
Nick Wellnhofer 0f568c0b 2022-08-26T01:22:33 Consolidate private header files Private functions were previously declared - in header files in the root directory - in public headers guarded with IN_LIBXML - in libxml.h - redundantly in source files that used them. Consolidate all private header files in include/private.
Nick Wellnhofer 677a4264 2022-07-28T20:21:24 Make XPath depth check work with recursive invocations EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval recursively. Don't set depth to zero but keep and restore the original value to avoid stack overflows when abusing these functions.
Sergey Kosukhin c9925454 2022-07-06T17:08:26 Use NAN/INFINITY if available to init XPath NaN/Inf
Nick Wellnhofer 67070107 2022-04-20T23:17:14 Add configuration flag for XPointer locations support Add a new configuration flag that controls whether the outdated support for XPointer locations (ranges and points) is enabled. --with-xptr-locs # Autotools LIBXML2_WITH_XPTR_LOCS # CMake The latest spec for what is essentially an XPath extension seems to be this working draft from 2002: https://www.w3.org/TR/xptr-xpointer/ The xpointer() scheme is listed as "being reviewed" in the XPointer registry since at least 2006. libxml2 seems to be the only modern software that tries to implement this spec, but the code has many bugs and quality issues. The flag defaults to "off" and support for this extension has to be requested explicitly. The relevant API functions are deprecated.
David Kilzer 21561e83 2016-05-20T15:21:43 Mark more static data as `const` Similar to 8f5710379, mark more static data structures with `const` keyword. Also fix placement of `const` in encoding.c. Original patch by Sarah Wilkin.
Nick Wellnhofer 0e9776b0 2022-04-03T17:09:50 Initialize XPath floating-point globals Should fix #138.
jinsub ahn 74263eff 2022-03-30T06:02:31 fix: xmlXPathParserContext could be double-delete in OOM case.
Nick Wellnhofer 40483d0c 2022-03-06T13:55:48 Deprecate module init and cleanup functions These functions shouldn't be part of the public API. Most init functions are only thread-safe when called from xmlInitParser. Global variables should only be cleaned up by calling xmlCleanupParser.
Nick Wellnhofer 57b81c20 2022-03-05T18:20:29 Normalize XPath strings in-place Simplify the code and fix a potential memory leak. Fixes #343.
Nick Wellnhofer 4a8c71eb 2022-03-04T03:35:57 Remove DOCBparser This code has been broken and deprecated since version 2.6.0, released in 2003. Because of a bug in commit 961b535c, DOCBparser.c was never compiled since 2012. I couldn't find a Debian package using any of its symbols, so it seems safe to remove this module.
Nick Wellnhofer ebb17970 2022-03-04T02:31:59 Remove unneeded #includes
Nick Wellnhofer 776d15d3 2022-03-02T00:29:17 Don't check for standard C89 headers Don't check for - ctype.h - errno.h - float.h - limits.h - math.h - signal.h - stdarg.h - stdlib.h - string.h - time.h Stop including non-standard headers - malloc.h - strings.h
Nick Wellnhofer 346c3a93 2022-02-20T18:46:42 Remove elfgcchack.h The same optimization can be enabled with -fno-semantic-interposition since GCC 5. clang has always used this option by default.
Nick Wellnhofer 67953a9f 2022-01-16T15:30:02 Fix memory leak in xmlXPathCompNodeTest Found by Coverity.
Nick Wellnhofer 3e1aad4f 2021-06-02T17:31:49 Fix XPath recursion limit Fix accounting of recursion depth when parsing XPath expressions. This silly bug introduced in commit 804c5297 could lead to spurious errors when parsing larger expressions or XSLT documents. Should fix #264.
Nick Wellnhofer 868e49cf 2021-03-16T10:36:04 Allow FP division by zero in xmlXPathInit
Nick Wellnhofer d25460da 2021-03-13T19:12:00 Fix XPath NaN/Inf for older GCC versions The DBL_MAX approach could lead to errors caused by excess precision. Switch back to the division-by-zero approach with a work-around for MSVC and use the extern globals instead of macro expressions.
Nick Wellnhofer e6ec58ec 2020-09-21T12:49:36 Fix null deref in XPointer expression error path Make sure that the filter functions introduced with commit c2f4da1a return node-sets without NULL pointers also in the error case. Found by OSS-Fuzz.
Nick Wellnhofer 8b88503a 2020-09-18T19:15:27 Don't call xmlXPathInit directly Call xmlInitParser which uses a lock to avoid race conditions. Fixes #184.
Nick Wellnhofer 6f1470a5 2020-08-25T18:50:45 Hardcode maximum XPath recursion depth Always limit nested function calls to 5000. This avoids call stack overflows with deeply nested expressions. The expression parser produces about 10 nested function calls when parsing a subexpression in parentheses, so the effective nesting limit is about 500 which should be more than enough. Use a lower limit when fuzzing to account for increased memory usage when using sanitizers.
Nick Wellnhofer 804c5297 2020-08-17T03:37:18 Stop using maxParserDepth in xpath.c Only use a single maxDepth value.
Nick Wellnhofer beb7d71a 2020-07-13T12:41:19 Remove misleading comments in xpath.c Fixes #169
Nick Wellnhofer 9f42f6ba 2020-06-24T15:33:38 Don't follow next pointer on documents in xmlXPathRunStreamEval RVTs from libxslt are document nodes which are linked using the 'next' pointer. These pointers must never be used to navigate the document tree. Otherwise, random content from other RVTs could be returned when evaluating XPath expressions. It's interesting that this seemingly long-standing bug wasn't discovered earlier. This issue could also cause severe performance degradation. Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/37
Nick Wellnhofer 487871b0 2020-06-10T13:23:43 Fix undefined behavior in xmlXPathTryStreamCompile &NULL[0] is undefined behavior.
Nick Wellnhofer 20c60886 2020-03-08T17:19:42 Fix typos Resolves #133.
Nick Wellnhofer 2c80fc91 2019-12-02T11:30:30 Fix more memory leaks in error paths of XPath parser Found by OSS-Fuzz.
Nick Wellnhofer d5f2f74d 2019-11-11T11:27:40 Fix memory leak in error path of XPath expr parser Also propagate memory errors. Found by OSS-Fuzz.
Nick Wellnhofer bfc0f674 2019-10-20T14:39:46 Audit memory error handling in xpath.c Memory allocation errors in the following functions are often ignored. Add TODO comments. - xmlXPathNodeSetCreate - xmlXPathNodeSetAdd* - xmlXPathNodeSetMerge* - xmlXPathNodeSetDupNs Note that the following functions currently lack a way to propagate memory errors: - xmlXPathCompareNodeSets - xmlXPathEqualNodeSets
Nick Wellnhofer 429d4eca 2019-10-20T14:22:20 Propagate memory errors in valuePush Currently, many memory allocation errors in xpath.c aren't propagated to the parser/evaluation context and for the most part ignored. Most XPath objects allocated via one of the New, Wrap or Copy functions end up being pushed on the stack, so adding a check in valuePush handles many cases without much effort. Also simplify the code a little and make sure to return -1 in case of error.
Nick Wellnhofer 390f05e7 2019-10-20T13:42:19 Propagate memory errors in xmlXPathCompExprAdd Make sure that memory errors in xmlXPathCompExprAdd are propagated to the parser context. Hitting the step limit or running out of memory without raising an error could also lead to an out-of-bounds read. Also fixes a memory leak in xmlXPathErrMemory. Found by OSS-Fuzz.
Jared Yanovich 2a350ee9 2019-09-30T17:04:54 Large batch of typo fixes Closes #109.
Nick Wellnhofer 6705f4d2 2019-09-16T15:45:27 Remove executable bit from non-executable files
Jan Pokorný 5c0e48b8 2019-07-25T18:46:30 Fix typo: xpath: simpli{ -> fi}ed Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
zhouzhongyuan 59028ba0 2019-08-07T14:38:07 Fix possible null dereference in xmlXPathIdFunction If a certain memory allocation fails, xmlXPathIdFunction would dereference a null pointer. Closes #77.
Daniel Richard G b17e3d1c 2019-08-01T15:04:16 Work around buggy ceil() function on AIX AIX has a buggy ceil() function that does not handle negative-zero correctly. Closes #79.
Nick Wellnhofer e79a903f 2019-05-20T13:22:49 Remove redundant code in xmlXPathCompRelationalExpr Thanks to Anish K Kurian for the report. Closes #59.
Nick Wellnhofer 44e7a0d5 2019-05-16T21:17:28 Annotate functions with __attribute__((no_sanitize))
Nick Wellnhofer 14ed63b7 2019-05-08T12:00:51 Limit recursion depth in xmlXPathCompOpEvalPredicate
Nick Wellnhofer f75256e7 2019-04-23T17:23:39 Remove unreachable code in xmlXPathCountFunction After the initial test, the condition (type == XPATH_NODESET) || (type == XPATH_XSLT_TREE) always holds true.
Nick Wellnhofer 949eced4 2019-04-22T16:04:26 Fix null deref in previous commit
Nick Wellnhofer c2f4da1a 2017-05-21T22:08:50 Improve XPath predicate and filter evaluation Consolidate code paths evaluating XPath predicates and filters. Don't push context node on stack when evaluating predicates. I have no idea why this was done. It seems completely useless and trying to pop the context node from a corrupted stack has already caused security issues. Filter nodesets in-place and don't create node sets with NULL gaps which allows to simplify merging a great deal. Simply move matched nodes backward and create a compact node set. Merge xmlXPathCompOpEvalPositionalPredicate into xmlXPathCompOpEvalPredicate.
Nick Wellnhofer 012f8e92 2019-04-20T17:01:19 Limit recursion depth in xmlXPathOptimizeExpression
Nick Wellnhofer 93a1d223 2019-04-16T13:37:47 Fix memory leaks in xmlXPathParseNameComplex error paths Found by OSS-Fuzz.
Nick Wellnhofer 2d97a97a 2019-03-15T16:27:58 Optional recursion limit when parsing XPath expressions Useful to avoid call stack overflows when fuzzing. Note that parsing a parenthesized expression currently consumes more than 10 stack frames, so this limit should be set rather low.
Nick Wellnhofer 64115ed6 2019-03-18T11:34:26 Optional recursion limit when evaluating XPath expressions Useful to avoid call stack overflows when fuzzing.
Nick Wellnhofer 5153c7ba 2019-03-18T11:18:31 Use break statements in xmlXPathCompOpEval This prepares for the next commit.
Nick Wellnhofer 852c93a2 2019-03-12T16:12:05 Optional XPath operation limit Optionally limit the maximum numbers of XPath operations when evaluating an expression. Useful to avoid timeouts when fuzzing. The following operations count towards the limit: - XPath operations - Location step iterations - Union operations Enabled by setting opLimit to a non-zero value. Note that it's the user's responsibility to reset opCount. This allows to enforce the operation limit across multiple reuses of an XPath context.
Nick Wellnhofer 236dd6ab 2019-03-13T18:21:02 Check XPath stack after calling functions Check that there's exactly one return value on the stack after calling XPath functions. Otherwise, functions that corrupt the stack without signaling an error could lead to memory errors. Found with libFuzzer and UBSan.
Nick Wellnhofer 30a6533e 2019-03-08T12:15:17 Fix float casts in xmlXPathSubstringFunction Rewrite conversion of double to int in xmlXPathSubstringFunction, adding range checks to avoid undefined behavior. Make sure to add start and length as floating-point numbers before converting to int. Fix a bug when rounding negative start indices. Remove unneeded calls to xmlXPathIs{Inf,NaN} and rely on IEEE math instead. Avoid computing the string length. xmlUTF8Strsub works as expected if the length of the requested substring exceeds the input. Found with libFuzzer and UBSan.
Nick Wellnhofer a4363749 2018-07-30T12:54:38 Fix nullptr deref with XPath logic ops If the XPath stack is corrupted, for example by a misbehaving extension function, the "and" and "or" XPath operators could dereference NULL pointers. Check that the XPath stack isn't empty and optimize the logic operators slightly. Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 https://bugzilla.redhat.com/show_bug.cgi?id=1595985 This is CVE-2018-14404. Thanks to Guy Inbar for the report.
Nick Wellnhofer b7c50b8d 2018-04-17T12:07:08 Remove stray character from comment Fixes bug #795316: https://bugzilla.gnome.org/show_bug.cgi?id=795316
Nick Wellnhofer fa33bf31 2017-05-25T00:45:10 Improve restoring of context size and position Restore context size and position where it is modified, not in seemingly random places.
Nick Wellnhofer 665df41d 2018-04-16T19:37:34 Simplify and harden nodeset filtering If a nodeset to be filtered is empty, it can be returned without popping it from the stack. Make sure to restore the context node in all error paths and never set it to NULL. Save and restore the context node in RANGETO operations.
Nick Wellnhofer 029d0e96 2017-05-25T01:28:27 Avoid unnecessary backups of the context node
Nick Wellnhofer 938835e7 2017-05-25T01:21:57 Don't change context node in xmlXPathRoot
Nick Wellnhofer e22a83b1 2017-05-25T01:18:36 Stop using XPATH_OP_RESET It only sets the context node to NULL which doesn't seem useful and can even cause bugs like bug #795299: https://bugzilla.gnome.org/show_bug.cgi?id=795299
Nick Wellnhofer ebe12882 2018-04-16T18:18:11 Fix inconsistency in xmlXPathIsInf We don't use HUGE_VAL for INFINITY after the most recent fix.
Nick Wellnhofer 7abec671 2018-03-15T19:33:52 NaN and Inf fixes for pre-C99 compilers On some pre-C99 compilers, the NAN and INFINITY macros don't expand to constant expressions. Some MSVC versions complain about floating point division by zero in constants. Thanks to Fabrice Manfroi for the report.
Nick Wellnhofer ddbb075b 2017-11-27T14:30:19 Fix xmlXPathIsNaN broken by recent commit
Nick Wellnhofer b2189571 2017-11-13T21:23:17 Fix -Wenum-compare warnings Also fixes a serious bug in xmlXPtrNewRangeNodePoint.
Nick Wellnhofer 13acadbb 2017-11-12T17:28:12 Ignore function pointer cast warnings Use GCC pragmas as these warnings are enabled by -Wpedantic and there's no way to disable them selectively.
Nick Wellnhofer 8813f397 2017-09-21T00:11:26 Simplify XPath NaN, inf and -0 handling Use C99 macros NAN, INFINITY, isnan, isinf. If they're not available: - Assume that (0.0 / 0.0) generates a NaN and !(x == x) tests for NaN. - Use C89's HUGE_VAL for INFINITY. Remove manual handling of NaN, infinity and negative zero in functions xmlXPathValueFlipSign and xmlXPathDivValues. Remove xmlXPathGetSign. All the tests for negative zero can be replaced with a test for negative or positive zero. Simplify xmlXPathRoundFunction. Remove Trio dependency. This should work on IEEE 754 compliant implementations even if the C99 macros aren't available, but will likely break some ancient platforms. If problems arise, my plan is to port the relevant trionan.c solution to xpath.c. Note that non-compliant implementations are impossible to fully support, anyway, since XPath requires IEEE 754.
Nick Wellnhofer e03f0a19 2017-11-09T16:42:47 Fix hash callback signatures Make sure that all parameters and return values of hash callback functions exactly match the callback function type. This is required to pass clang's Control Flow Integrity checks and to allow compilation to asm.js with Emscripten. Fixes bug 784861.
J. Peter Mugaas d2c329a9 2017-10-21T13:49:31 Fix -Wimplicit-fallthrough warnings Add "falls through" comments to quench implicit-fallthrough warnings which are enabled by -Wextra under GCC 7.
Nick Wellnhofer d422b954 2017-10-09T13:37:42 Fix pointer/int cast warnings on 64-bit Windows On 64-bit Windows, `long` is 32 bits wide and can't hold a pointer. Switch to ptrdiff_t instead which should be the same size as a pointer on every somewhat sane platform without requiring C99 types like intptr_t. Fixes bug 788312. Thanks to J. Peter Mugaas for the report and initial patch.
Nick Wellnhofer 5af594d8 2017-10-07T14:54:45 Fix comparison of nodesets to strings Fix two bugs in xmlXPathNodeValHash which could lead to errors when comparing nodesets to strings: - Only use contents of text nodes to compute the hash for element nodes. Comments, PIs, and other node types don't affect the string-value and must be ignored. - Reset `string` to NULL for node types other than text. Reported by Aleksei on the mailing list: https://mail.gnome.org/archives/xml/2017-September/msg00016.html
Nick Wellnhofer 0f3b843b 2017-06-01T23:12:19 Fix XPath stack frame logic Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in xmlXPathCompOpEvalPositionalPredicate to make sure that the context object on the stack is actually protected. Otherwise, memory corruption can occur when calling sloppily coded XPath extension functions. Fixes bug 783160.
Nick Wellnhofer 3157cf4e 2017-09-20T16:13:29 Report undefined XPath variable error message Commit c851970 removed a redundant error message if XPath evaluation failed. This uncovered a case where an undefined XPath variable error wasn't reported correctly. Thanks to Petr Pisar for the report. Fixes bug 787941.
Nick Wellnhofer ca8635bf 2017-09-07T15:46:12 Fix debug dump of streaming XPath expressions The debug function xmlXPathDebugDumpCompExpr would crash when called with a "streaming" expression. Fixes bug 787368.
Daniel Veillard dbb828fe 2017-08-28T20:38:53 Fix missing part of comment for function xmlXPathEvalExpression()
Stéphane Michaut 454e397e 2017-08-28T14:30:43 Porting libxml2 on zOS encoding of code First set of patches for zOS - entities.c parser.c tree.c xmlschemas.c xmlschemastypes.c xpath.c xpointer.c: ask conversion of code to ISO Latin 1 to avoid having the compiler assume EBCDIC codepoint for characters. - xmlmodule.c: make sure we have support for modules - xmlIO.c: zOS path names are special avoid some of the expectations from Unix/Windows
Nick Wellnhofer 7482f41f 2017-06-01T22:00:19 Check for integer overflow in xmlXPathFormatNumber Check for overflow before casting double to int. Found with afl-fuzz and UBSan.
Nick Wellnhofer f4029cd4 2016-04-21T16:37:26 Check XPath exponents for overflow Avoid undefined behavior and wrong results with huge exponents. Found with afl-fuzz and UBSan.
Nick Wellnhofer a58331a6 2017-05-29T21:02:21 Check for overflow in xmlXPathIsPositionalPredicate Avoid undefined behavior when casting from double to int. Found with afl-fuzz and UBSan.
Nick Wellnhofer a851868a 2017-05-29T20:14:42 Parse small XPath numbers more accurately Don't count leading zeros towards the fraction size limit. This allows to parse numbers like 0.0000000000000000000000000000000000000000000000000000000001 which is the only standard-conformant way to represent such numbers, as scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath 2.0 and in libxml2 as an extension, though.) Overall accuracy is still bad, see bug 783238.
Nick Wellnhofer 4bebb030 2016-04-21T13:41:09 Rework XPath rounding functions Use the C library's floor and ceil functions. The old code was overly complicated for no apparent reason and could result in undefined behavior when handling NaNs (found with afl-fuzz and UBSan). Fix wrong comment in xmlXPathRoundFunction. The implementation was already following the spec and rounding half up.
Nick Wellnhofer 40f58521 2017-05-26T20:16:35 Fix axis traversal from attribute and namespace nodes When traversing the "preceding" axis from an attribute node, we must first go up to the attribute's containing element. Otherwise, text children of other attributes could be returned. This made it possible to hit a code path in xmlXPathNextAncestor which contained another bug: The attribute node was initialized with the context node instead of the current node. Normally, this code path is only hit via xmlXPathNextAncestorOrSelf in which case the current and context node are the same. The combination of the two bugs could result in an infinite loop, found with libFuzzer. Traversing the "following" and the "preceding" axis from namespace nodes should be handled similarly. This wasn't supported at all previously.
Nick Wellnhofer a07a4e96 2017-05-27T17:04:12 Fix spurious error message Commit c851970 introduced a spurious error message when evaluating XPath expressions with xmlXPathCompiledEvalToBoolean.
Nick Wellnhofer aed407c1 2017-05-25T16:57:14 Check for trailing characters in XPath expressions earlier Move the check for trailing characters from xmlXPathEval to xmlXPathEvalExpr. Otherwise, a valid portion of a syntactically invalid expression would be evaluated before returning an error.
Nick Wellnhofer c851970c 2017-05-27T15:26:11 Rework final handling of XPath results Move cleanup of XPath stack to xmlXPathFreeParserContext. This avoids memory leaks if valuePop fails in some error cases. Found with libFuzzer and ASan. Rework handling of the final XPath result object in xmlXPathCompiledEvalInternal and xmlXPathEval to avoid useless error messages.
Nick Wellnhofer 640a368c 2017-05-27T14:59:49 Make xmlXPathEvalExpression call xmlXPathEval Both functions are supposed to do exactly the same.
Nick Wellnhofer cf60dbe4 2017-05-25T16:20:56 Fix memory leak in xmlXPathCompareNodeSetValue Implement TODO block to free the arguments in error case. Found with libFuzzer and ASan.
Nick Wellnhofer 9d08b347 2017-05-21T16:46:12 Fix memory leak in xmlXPathNodeSetMergeAndClear Namespaces nodes must not be duplicated when merging. Found with libFuzzer and ASan.
Nick Wellnhofer 95a9249a 2017-05-21T15:18:58 Fix memory leak in XPath filter optimizations Namespace nodes must be freed when selecting the first or last element of a node set. Found with libFuzzer and ASan.
Nick Wellnhofer d42a7063 2017-05-27T14:58:19 Fix memory leaks in XPath error paths Found with libFuzzer and ASan.
Nick Wellnhofer 229d1f93 2016-08-22T13:21:57 Avoid function/data pointer conversion in xpath.c Fixes a `-pedantic` compiler warning.
Nick Wellnhofer 9ab01a27 2016-06-28T14:22:23 Fix XPointer paths beginning with range-to The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131.
Nick Wellnhofer a0051993 2016-06-28T14:19:58 Fix comparison with root node in xmlXPathCmpNodes This change has already been made in xmlXPathCmpNodesExt but not in xmlXPathCmpNodes.
Nick Wellnhofer d8083bf7 2016-06-25T12:35:50 Fix NULL pointer deref in XPointer range-to - Check for errors after evaluating first operand. - Add sanity check for empty stack. Found with afl-fuzz.
David Kilzer 4472c3a5 2016-05-13T15:13:17 Fix some format string warnings with possible format string vulnerability For https://bugzilla.gnome.org/show_bug.cgi?id=761029 Decorate every method in libxml2 with the appropriate LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups following the reports.
Nick Wellnhofer 6eb0894a 2016-05-05T16:49:00 Fix memory leak with XPath namespace nodes Set hasNsNodes to 1 when adding namespace nodes via XP_TEST_HIT.
Nick Wellnhofer 82b73039 2016-04-30T17:53:10 Fix namespace axis traversal When the namespace axis is traversed in "toBool" mode, the traversal can exit early, before visiting all nodes. In this case, the XPath context still contains a non-NULL tmpNsList. This means that - the check when to start a new traversal was wrong and - the tmpNsList could be leaked. Fixes bug #750037 and, by accident, bug #756075: https://bugzilla.gnome.org/show_bug.cgi?id=750037 https://bugzilla.gnome.org/show_bug.cgi?id=756075
Nick Wellnhofer 839689a9 2016-04-27T18:00:12 Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression The ch1 slot of OP_VALUEs contains an invalid value. Ignore it. Fixes bug #760325: https://bugzilla.gnome.org/show_bug.cgi?id=760325
Nick Wellnhofer f39fd66e 2016-04-27T03:01:16 Fix namespace::node() XPath expression Make sure that xmlXPathNodeSetAddNs is called for namespace nodes when matched with a namespace::node() step. This correctly sets the parent of namespace nodes. Note that xmlXPathNodeSetAddNs must only be called if working on the namespace axis. Otherwise, the context node is not the parent of the namespace node and the standard XP_TEST_HIT macro must be invoked. This explains the errors in the C14N tests that the old TODO comment mentioned.