Log

dbc893f5  2023-03-03T13:02:11  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlCopyNamespaceList
    Found with libFuzzer, see #344.

282b75f1  2023-02-28T12:14:33  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXPathNameFunction
    Found with libFuzzer, see #344.

791a1e80  2023-02-28T19:14:57  Nick Wellnhofer
    fuzz: Set filename in xmlFuzzEntityLoader

cbd9c6c5  2023-02-28T19:14:22  Nick Wellnhofer
    fuzz: Allow xmlFuzzReadString(NULL)

f560065f  2023-02-28T21:16:12  Nick Wellnhofer
    fuzz: Fix duplicate detection in fuzzEntityRecorder
    Store a non-NULL value in the hash.

aa6b7ed1  2023-02-17T14:54:13  Nick Wellnhofer
    fuzz: Fix Makefile dependencies

8608b71f  2023-02-26T15:17:15  Nick Wellnhofer
    Revert "xpath: Fix popping of values in xmlXPathPopNodeset"
    This reverts commit 47b0e0a620d1e0e657b858986e3ebde80d4645b4.

524654ed  2023-02-26T17:19:47  Nick Wellnhofer
    xpath: Fix harmless integer overflow in xmlXPathTranslateFunction

bc9f372c  2023-02-26T18:00:30  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXPathDistinctSorted
    Found with libFuzzer, see #344.

6f9604f0  2023-02-26T16:09:50  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXPathCacheNewNodeSet
    Found with libFuzzer, see #344.

4499143a  2023-02-26T15:43:50  Nick Wellnhofer
    malloc-fail: Check for malloc failure in xmlHashAddEntry
    Found with libFuzzer, see #344.

a442d16a  2023-02-26T14:48:23  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlGetNsList
    Found with libFuzzer, see #344.

44947afb  2023-02-26T14:41:35  Nick Wellnhofer
    malloc-fail: Fix null deref after xmlPointerListAddSize
    Found with libFuzzer, see #344.

70b21c9f  2023-02-26T14:33:16  Nick Wellnhofer
    malloc-fail: Fix null deref in xmlXPathCompiledEvalInternal
    Found with libFuzzer, see #344.

0f112d02  2023-02-24T18:00:03  Nick Wellnhofer
    malloc-fail: Fix use-after-free related to xmlXPathNodeSetFilter
    Found with libFuzzer, see #344.

a3e11b38  2023-02-25T16:05:24  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXPathEqualNodeSetFloat
    Found with libFuzzer, see #344.

b51478dc  2023-02-24T16:21:17  Nick Wellnhofer
    Revert "malloc-fail: Avoid use-after-free after unsuccessful valuePush"
    This reverts commit 6a12be77c6a94c374ab7476087edcee2ba41d9b4.
    There's too much code reading ctxt->value directly and making the wrong assumptions.

f931178e  2023-02-24T12:45:01  Alexander Kutelev
    cmake: Link against `dl` and `dld` only when `LIBXML2_WITH_MODULES` is enabled

47b0e0a6  2023-02-23T15:43:15  Nick Wellnhofer
    xpath: Fix popping of values in xmlXPathPopNodeset
    After 6a12be77, valuePop can fail even if ctxt->value is non-NULL. If it turns out that too much code relies on this assumption, a better fix is needed.

359313c1  2023-02-23T14:26:32  Nick Wellnhofer
    threads: Really fix crash with weak pthread symbols
    Fix more regressions from 7010d877 and 71931233.
    Fixes #488.

ae8a12f1  2023-02-22T14:25:29  Nick Wellnhofer
    schematron: Use logical and

4f0a0fb7  2023-02-22T14:24:24  Nick Wellnhofer
    xinclude: Fix include guard

1eb2ca9f  2023-02-21T15:39:44  Nick Wellnhofer
    relaxng: Remove useless if statement
    ctxt and define are non-NULL at this point.
    Fixes #482.

0ce1f842  2023-02-21T15:38:04  Nick Wellnhofer
    schemas: Remove useless if statement
    bucket->origTargetNamespace is always NULL in this branch.
    Fixes #481.

a509694c  2023-02-21T15:35:57  Nick Wellnhofer
    pattern: Merge identical branches
    Fixes #479.

85057e51  2023-02-21T15:24:19  Nick Wellnhofer
    regexp: Add sanity check in xmlRegCalloc2
    These arguments should be non-zero, but add a sanity check to avoid division by zero.
    Fixes #450.

c9e4c6d4  2023-02-21T15:22:01  Nick Wellnhofer
    catalog: Fix memory leaks
    Fixes #377.

7bd77873  2023-02-20T10:56:03  Nick Wellnhofer
    threads: Fix crash with weak pthread symbols
    Regressed in 7010d877.
    Should fix #488.

5d55315e  2023-02-18T17:29:07  Nick Wellnhofer
    parser: Fix OOB read when formatting error message
    Don't try to print characters beyond the end of the buffer.
    Found by OSS-Fuzz.

1743c4c3  2023-02-17T15:53:07  Nick Wellnhofer
    malloc-fail: Fix OOB read after xmlRegGetCounter
    Found with libFuzzer, see #344.

e64653c0  2023-02-17T15:20:33  Nick Wellnhofer
    malloc-fail: Fix leak of xmlRegAtom
    Found with libFuzzer, see #344.

ed615967  2023-02-17T15:23:42  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlRegexpCompile
    Found with libFuzzer, see #344.

40bc1c69  2023-02-17T15:40:32  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlFAParseCharProp
    Found with libFuzzer, see #344.

53d1cc98  2023-02-16T15:09:32  Nick Wellnhofer
    malloc-fail: Fix error code in htmlParseChunk
    Found with libFuzzer, see #344.

15b0ed08  2023-02-16T15:09:02  Nick Wellnhofer
    malloc-fail: Fix infinite loop in htmlParseDocTypeDecl
    Found with libFuzzer, see #344.

041789d9  2023-02-16T15:02:08  Nick Wellnhofer
    malloc-fail: Fix null deref in htmlnamePush
    Found with libFuzzer, see #344.

0ec9c910  2023-02-16T14:57:24  Nick Wellnhofer
    malloc-fail: Fix infinite loop in htmlParseStartTag
    Found with libFuzzer, see #344.

04c29551  2023-02-16T14:53:29  Nick Wellnhofer
    malloc-fail: Fix infinite loop in htmlParseContentInternal
    Found with libFuzzer, see #344.

f3e62035  2023-02-16T14:49:06  Nick Wellnhofer
    malloc-fail: Fix memory leak in htmlCreatePushParserCtxt
    Found with libFuzzer, see #344.

fc256953  2023-02-16T14:47:41  Nick Wellnhofer
    malloc-fail: Fix memory leak in htmlCreateMemoryParserCtxt
    Found with libFuzzer, see #344.

643b4e90  2023-02-16T14:45:06  Nick Wellnhofer
    malloc-fail: Fix infinite loop in htmlParseStartTag
    Found with libFuzzer, see #344.

ec05f04d  2023-02-16T12:40:02  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXIncludeLoadTxt
    Found with libFuzzer, see #344.

c02df686  2023-02-16T12:10:36  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXIncludeLoadDoc
    Found with libFuzzer, see #344.

bc7740b3  2023-02-16T11:45:58  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlCopyPropList
    Found with libFuzzer, see #344.

8d22e065  2023-02-15T14:41:11  Nick Wellnhofer
    malloc-fail: Fix memory leak after calling xmlXPathNodeSetMerge
    Destroy the first argument in xmlXPathNodeSetMerge if the function fails. This is somewhat dangerous but matches the expectations of users.
    Found with libFuzzer, see #344.

d31a0e8e  2023-02-15T14:47:29  Nick Wellnhofer
    malloc-fail: Fix memory leak after calling xmlXPathWrapString
    Destroy the string in xmlXPathWrapString if the function fails. This is somewhat dangerous but matches the expectations of users.
    Found with libFuzzer, see #344.

3dc64522  2023-02-15T14:30:40  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXPathEqualValuesCommon
    Found with libFuzzer, see #344.

691f7eb4  2023-02-15T14:05:13  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXPathCompareValues
    Found with libFuzzer, see #344.

ac746afd  2023-02-15T13:54:55  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXPathTryStreamCompile
    Found with libFuzzer, see #344.

85bc313e  2023-02-15T13:49:28  Nick Wellnhofer
    malloc-fail: Fix memory leak after calling valuePush
    Destroy the object in valuePush if the function fails. This is somewhat dangerous but matches the expectations of users.
    Found with libFuzzer, see #344.

f5e11749  2023-02-15T13:48:18  Nick Wellnhofer
    malloc-fail: Fix memory leak after calling xmlXPathWrapNodeSet
    Destroy the node set in xmlXPathWrapNodeSet if the function fails. This is somewhat dangerous but matches the expectations of users.
    Found with libFuzzer, see #344.

3b59fdf0  2023-02-15T13:28:24  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlXIncludeAddNode
    Found with libFuzzer, see #344.

e60c9f4c  2023-02-15T01:00:03  Nick Wellnhofer
    malloc-fail: Fix memory leak after xmlRegNewState
    Invoke xmlRegNewState from xmlRegStatePush to simplify error handling.
    Found with libFuzzer, see #344.

cb4334b7  2023-02-14T18:10:14  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlSAX2StartElementNs
    Found with libFuzzer, see #344.

9fa1b228  2023-02-14T16:43:35  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlGetDtdElementDesc2
    Found with libFuzzer, see #344.

c82701ff  2023-02-14T15:13:06  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlDocDumpFormatMemoryEnc
    Found with libFuzzer, see #344.

97086fd7  2023-02-14T14:45:58  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlParserInputBufferCreateMem
    Found with libFuzzer, see #344.

1c5e1fc1  2023-02-14T13:56:21  Nick Wellnhofer
    malloc-fail: Check for malloc failure in xmlFindCharEncodingHandler
    Don't return encoding handlers with a NULL name.
    Found with libFuzzer, see #344.

d18f9c11  2023-02-14T13:50:46  Nick Wellnhofer
    malloc-fail: Fix leak of xmlCharEncodingHandler
    Also free handler if its name is NULL.
    Found with libFuzzer, see #344.

f8852184  2023-02-14T13:03:13  Nick Wellnhofer
    malloc-fail: Fix memory leak in xmlParseEntityDecl
    Found with libFuzzer, see #344.

bd33331b  2023-02-17T15:19:37  Nick Wellnhofer
    regexp: Simplify xmlRegAtomPush

3cc900f0  2023-02-16T11:50:52  Nick Wellnhofer
    encoding: Cast toupper argument to unsigned char
    Fixes undefined behavior. Also cast return value explicitly to fix implicit-integer-sign-change checks.

e20f4d7a  2023-02-13T14:38:05  Nick Wellnhofer
    xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt
    Also make text inclusions work with memory buffers, for example when using a custom entity loader, and fix a memory leak in case of invalid characters.
    Fixes #483.

a96312db  2023-02-03T14:55:53  Nick Wellnhofer
    xinclude: Avoid timeouts when fuzzing
    Fix the check for maximum number of inclusions.

be0ec005  2023-02-03T14:37:49  Nick Wellnhofer
    xinclude: Abort immediately if max depth was exceeded
    Avoids resource exhaustion if the maximum recursion depth was exceeded. Note that the XInclude engine offers no protection against other "billion laughs"-style amplification attacks as long as they stay below the maximum depth.

dc2dde1a  2023-02-04T15:00:54  Nick Wellnhofer
    malloc-fail: Fix null deref in xmlXIncludeLoadTxt
    Found with libFuzzer, see #344.

a3749551  2023-02-03T14:00:13  Nick Wellnhofer
    malloc-fail: Fix reallocation in xmlXIncludeNewRef
    Avoid null deref.
    Found with libFuzzer, see #344.

d1272c2e  2023-02-13T11:16:57  Nick Wellnhofer
    fuzz: Add xinclude to .gitignore

905386ec  2023-02-13T11:14:34  Nick Wellnhofer
    autotools: Fix make distcheck
    - Add private/xinclude.h to EXTRA_DIST
    - Add runsuite.log to CLEANFILES
    Fixes #485.

15c9f435  2023-01-31T12:58:32  Nick Wellnhofer
    xpath: Only report the first error
    Don't overwrite the original error code. Besides, subsequent error reports are somewhat unreliable and not really useful.

6a12be77  2023-01-31T12:46:30  Nick Wellnhofer
    malloc-fail: Avoid use-after-free after unsuccessful valuePush
    In xpath.c there's a lot of code like:

        valuePush(ctxt, xmlCacheNewX());
        ...
        valuePop(ctxt);

    If xmlCacheNewX fails, no value will be pushed on the stack. If there's no error check in between, valuePop will pop an unrelated value which can lead to use-after-free errors.
    Instead of trying to fix all call sites, we simply stop popping values if an error was signaled. This requires changing the CHECK_TYPE macro which is often used to determine whether a value can be safely popped.
    Found with libFuzzer, see #344.

7ec314ef  2023-01-30T15:59:55  Nick Wellnhofer
    malloc-fail: Add error checks in xmlXPathEqualValuesCommon
    Avoid null deref.
    Found with libFuzzer, see #344.

08695683  2023-01-30T15:52:00  Nick Wellnhofer
    malloc-fail: Add error check in xmlXPathEqualNodeSetFloat
    Avoid null deref.
    Found with libFuzzer, see #344.

621c222e  2023-01-30T15:48:11  Nick Wellnhofer
    malloc-fail: Fix error check in xmlXPathCompareValues
    Avoid null deref.
    Found with libFuzzer, see #344.

75534401  2023-01-30T15:40:23  Nick Wellnhofer
    malloc-fail: Record malloc failure in xmlXPathCompLiteral
    Avoid OOB array access.
    Found with libFuzzer, see #344.

0e4421e7  2023-01-30T15:05:58  Nick Wellnhofer
    malloc-fail: Check return value of xmlXPathNodeSetDupNs
    Avoid null deref if allocation fails.
    Found with libFuzzer, see #344.

c7260a47  2023-01-23T10:19:59  Nick Wellnhofer
    malloc-fail: Don't call xmlErrMemory in xmlstring.c
    Functions like xmlStrdup are called in the error handling code (__xmlRaiseError) which can cause problems like use-after-free or infinite loops when invoked recursively. Calling xmlErrMemory without a context argument isn't helpful anyway.
    Found with libFuzzer, see #344.

e6d22f92  2023-01-23T01:48:37  Nick Wellnhofer
    malloc-fail: Fix reallocation in inputPush
    Store xmlRealloc result in temporary variable to avoid null deref in error handler.
    Found with libFuzzer, see #344.

6fd89041  2023-01-22T19:42:41  Nick Wellnhofer
    malloc-fail: Fix use-after-free in xmlParseStartTag2
    Fix error handling in xmlCtxtGrowAttrs.
    Found with libFuzzer, see #344.

c266a220  2023-01-22T18:18:00  Nick Wellnhofer
    malloc-fail: Handle memory errors in xmlTextReaderEntPush
    Unfortunately, there's no way to properly report memory errors.
    Found with libFuzzer, see #344.

d1b87856  2023-01-22T17:42:09  Nick Wellnhofer
    malloc-fail: Fix infinite loop in xmlParseTextDecl
    Memory errors can set `instate` to `XML_PARSER_EOF` which results in `NEXT` making no progress.
    Found with libFuzzer, see #344.

bd9de3a3  2023-01-22T16:52:39  Nick Wellnhofer
    malloc-fail: Fix null deref in xmlAddDefAttrs
    Found with libFuzzer, see #344.

2355eac5  2023-01-22T14:52:06  Nick Wellnhofer
    malloc-fail: Fix null deref if growing input buffer fails
    Also add some error checks.
    Found with libFuzzer, see #344.

0c5f40b7  2023-01-22T13:27:41  Nick Wellnhofer
    malloc-fail: Fix null deref in xmlSAX2AttributeInternal
    Found with libFuzzer, see #344.

1aabc9db  2023-01-22T13:20:15  Nick Wellnhofer
    malloc-fail: Fix null deref in xmlBufResize
    Found with libFuzzer, see #344.

b3b53dcc  2023-01-22T11:28:46  Nick Wellnhofer
    malloc-fail: Fix null deref in xmlSAX2Text
    Found with libFuzzer, see #344.

33d4a0fe  2023-01-22T15:41:00  Nick Wellnhofer
    parser: Fix progress check in xmlParseExternalSubset
    Avoid infinite loop. Short-lived regression from f61b8a62.
    Found with libFuzzer.

f65133fc  2023-01-22T14:13:56  Nick Wellnhofer
    uri: Add explicit cast in xmlSaveUri
    Fix -fsanitize=implicit-conversion error. We should probably percent-escape the host name here.

f8c5e7fb  2023-01-22T13:49:19  Nick Wellnhofer
    buf: Fix return value of xmlBufGetInputBase
    Don't return (size_t) -1 in error case.
    Found with libFuzzer and -fsanitize=implicit-conversion.

74aa61e0  2023-01-22T13:09:03  Nick Wellnhofer
    parser: Halt parser on DTD errors
    If we try to continue parsing after an error in the internal or external subset, entity expansion accounting gets more complicated. Simply halt the parser.
    Found with libFuzzer.

d9a8dab3  2023-01-22T12:00:59  Nick Wellnhofer
    error: Don't move past current position
    Make sure that we never move past the current position in xmlParserPrintFileContextInternal.
    Found with libFuzzer and -fsanitize=implicit-conversion.

608c65bb  2023-01-18T15:15:41  Nick Wellnhofer
    xpath: number('-') should return NaN
    Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81

bbb2b8f1  2023-01-17T16:08:06  Nick Wellnhofer
    Remove symbols from version script
    The version script didn't account for symbols disabled by configuration options. This has caused problems on some OSs in the past and breaks lld 16 which enables --no-undefined-version by default.
    A proper fix would be rather involved, so we simply remove all symbols from the version script. This is an ELF-only feature and libxml2 never made use of symbol versioning anyway. Ultimately, this removes the need for a lot of bookkeeping without tangible benefits.
    We have to keep the version nodes to avoid errors when running binaries linked against older versions of libxml2.
    Fixes #473.

e6401b68  2023-01-17T14:01:23  Nick Wellnhofer
    tree: Fix recursion check in xmlStringGetNodeList
    Use the new entity flag to check for recursion.

d320a683  2023-01-17T13:50:51  Nick Wellnhofer
    parser: Fix entity check in attributes
    Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable.
    This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.

59b33661  2022-12-27T14:15:51  Nick Wellnhofer
    error: Limit number of parser errors
    Reporting errors is expensive and some abusive test cases can generate an error for each invalid input byte. This causes the parser to spend most of the time with error handling. Limit the number of errors and warnings to 100.

ba910d34  2022-12-26T17:58:33  Nick Wellnhofer
    fuzz: Add test/recurse to seed corpus

09dac45a  2022-12-26T17:49:27  Nick Wellnhofer
    fuzz: Add separate XInclude fuzzer
    XIncludes involve XPath processing which can still lead to timeouts when fuzzing. This will probably take a while to fix. The rest of the XML parsing code should hopefully run without timeouts now.
    OSS-Fuzz only shows a single timeout test case, so separate the XInclude from the core XML fuzzer.

66e9fd66  2022-12-25T21:26:17  Nick Wellnhofer
    parser: Fix infinite loop with push parser in recovery mode
    Short-lived regression from commit b1f9c193. Found by OSS-Fuzz.

49b54d7e  2022-12-25T15:06:51  Nick Wellnhofer
    parser: Fix null deref in xmlStringDecodeEntitiesInt
    Short-lived regression.
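The malloc-fail commits above describe two recurring hazards and the fixes chosen for them: 6a12be77 (an unchecked valuePush/valuePop pair popping an unrelated value once an allocation fails, fixed by refusing to pop after an error), 85bc313e (valuePush destroying the object it was handed if the push fails, so unchecked callers do not leak), and e6d22f92 (storing a realloc result in a temporary so a failure does not overwrite the only pointer to the old block). The following is an added example and not libxml2 code: a toy value stack driven by a fault-injecting allocator that reproduces each hazard and its fix in miniature. Every name in it (fi_malloc, fi_realloc, vstack, vpush, vpop, pop_after_failed_push, grow_keeps_old_on_failure) is hypothetical; only the failure patterns mirror the commit messages.

```c
/* Added example (not libxml2 code). Hypothetical names throughout. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fault injection: the fi_fail_at-th allocation call returns NULL (0 = never). */
static int fi_fail_at = 0;
static int fi_calls = 0;

static void fi_reset(int fail_at) { fi_fail_at = fail_at; fi_calls = 0; }

static void *fi_malloc(size_t n) {
    if (fi_fail_at && ++fi_calls == fi_fail_at) return NULL;
    return malloc(n);
}

static void *fi_realloc(void *p, size_t n) {
    if (fi_fail_at && ++fi_calls == fi_fail_at) return NULL;
    return realloc(p, n);
}

/* A value stack in the spirit of xpath.c's valuePush/valuePop. */
typedef struct { int id; } value;

typedef struct {
    value **items;
    int nr, max;
    int error;              /* set once any allocation has failed */
} vstack;

static value *new_value(int id) {
    value *v = fi_malloc(sizeof(*v));   /* NULL when injection triggers */
    if (v) v->id = id;
    return v;
}

/* Push takes ownership of v. On failure it destroys v (the 85bc313e choice),
 * so an unchecked vpush(s, new_value(..)) call site does not leak. */
static int vpush(vstack *s, value *v) {
    if (v == NULL) { s->error = 1; return -1; }
    if (s->nr >= s->max) {
        int nmax = s->max ? s->max * 2 : 4;
        /* Realloc into a temporary (the e6d22f92 fix): on failure s->items
         * still points at the old, valid array instead of NULL. */
        value **tmp = fi_realloc(s->items, nmax * sizeof(*tmp));
        if (tmp == NULL) { free(v); s->error = 1; return -1; }
        s->items = tmp;
        s->max = nmax;
    }
    s->items[s->nr++] = v;
    return 0;
}

/* Unchecked pop: returns the top even if the matching push never happened. */
static value *vpop_unchecked(vstack *s) {
    return s->nr > 0 ? s->items[--s->nr] : NULL;
}

/* Checked pop (the 6a12be77 approach): after an error, refuse to pop at all. */
static value *vpop(vstack *s) {
    if (s->error || s->nr == 0) return NULL;
    return s->items[--s->nr];
}

static void vstack_free(vstack *s) {
    while (s->nr > 0) free(s->items[--s->nr]);
    free(s->items);
    s->items = NULL;
    s->max = 0;
}

/* Push A, push B whose allocation fails, then pop with no error check in
 * between. Returns the id the pop handed back, or -1 if it returned NULL. */
static int pop_after_failed_push(int use_checked_pop) {
    vstack s = {0};
    value *v;
    int got = -1;

    fi_reset(0);
    vpush(&s, new_value(1));            /* A: succeeds */
    fi_reset(1);
    vpush(&s, new_value(2));            /* B: new_value returns NULL, error set */
    fi_reset(0);
    v = use_checked_pop ? vpop(&s) : vpop_unchecked(&s);
    if (v) { got = v->id; free(v); }    /* unchecked: this is A, not B */
    vstack_free(&s);
    return got;
}

/* The realloc idiom alone: after a failed realloc through a temporary the old
 * buffer is still reachable and can be freed. Returns 1 when that holds. */
static int grow_keeps_old_on_failure(void) {
    char *buf, *tmp;
    int ok;

    fi_reset(0);
    buf = fi_malloc(8);
    if (buf == NULL) return 0;
    strcpy(buf, "abc");
    fi_reset(1);                        /* the next allocation fails */
    tmp = fi_realloc(buf, 1 << 20);
    fi_reset(0);
    ok = (tmp == NULL) && strcmp(buf, "abc") == 0;
    free(buf);                          /* buf was never overwritten with NULL */
    return ok;
}

int main(void) {
    printf("unchecked pop after failed push returned id %d\n", pop_after_failed_push(0));
    printf("checked pop after failed push returned id %d\n", pop_after_failed_push(1));
    printf("realloc via temporary keeps old buffer: %d\n", grow_keeps_old_on_failure());
    return 0;
}
```

Run under a leak checker (ASan's LeakSanitizer or valgrind) and compare: with vpop_unchecked the caller frees A while believing it popped B, which is exactly the mismatch that becomes a use-after-free once the real code keeps using A; with the error flag the pop simply yields nothing. The same injected-failure harness, stepped through every allocation index, is what a malloc-fail fuzzer does at scale.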