kmx git

Commit	Date	Message
e64653c0	2023-02-17T15:20:33	malloc-fail: Fix leak of xmlRegAtom Found with libFuzzer, see #344.
ed615967	2023-02-17T15:23:42	malloc-fail: Fix memory leak in xmlRegexpCompile Found with libFuzzer, see #344.
53d1cc98	2023-02-16T15:09:32	malloc-fail: Fix error code in htmlParseChunk Found with libFuzzer, see #344.
15b0ed08	2023-02-16T15:09:02	malloc-fail: Fix infinite loop in htmlParseDocTypeDecl Found with libFuzzer, see #344.
041789d9	2023-02-16T15:02:08	malloc-fail: Fix null deref in htmlnamePush Found with libFuzzer, see #344.
0ec9c910	2023-02-16T14:57:24	malloc-fail: Fix infinite loop in htmlParseStartTag Found with libFuzzer, see #344.
04c29551	2023-02-16T14:53:29	malloc-fail: Fix infinite loop in htmlParseContentInternal Found with libFuzzer, see #344.
f3e62035	2023-02-16T14:49:06	malloc-fail: Fix memory leak in htmlCreatePushParserCtxt Found with libFuzzer, see #344.
fc256953	2023-02-16T14:47:41	malloc-fail: Fix memory leak in htmlCreateMemoryParserCtxt Found with libFuzzer, see #344.
3dc64522	2023-02-15T14:30:40	malloc-fail: Fix memory leak in xmlXPathEqualValuesCommon Found with libFuzzer, see #344.
643b4e90	2023-02-16T14:45:06	malloc-fail: Fix infinite loop in htmlParseStartTag Found with libFuzzer, see #344.
ec05f04d	2023-02-16T12:40:02	malloc-fail: Fix memory leak in xmlXIncludeLoadTxt Found with libFuzzer, see #344.
c02df686	2023-02-16T12:10:36	malloc-fail: Fix memory leak in xmlXIncludeLoadDoc Found with libFuzzer, see #344.
bc7740b3	2023-02-16T11:45:58	malloc-fail: Fix memory leak in xmlCopyPropList Found with libFuzzer, see #344.
8d22e065	2023-02-15T14:41:11	malloc-fail: Fix memory leak after calling xmlXPathNodeSetMerge Destroy the first argument in xmlXPathNodeSetMerge if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
d31a0e8e	2023-02-15T14:47:29	malloc-fail: Fix memory leak after calling xmlXPathWrapString Destroy the string in xmlXPathWrapString if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
691f7eb4	2023-02-15T14:05:13	malloc-fail: Fix memory leak in xmlXPathCompareValues Found with libFuzzer, see #344.
ac746afd	2023-02-15T13:54:55	malloc-fail: Fix memory leak in xmlXPathTryStreamCompile Found with libFuzzer, see #344.
85bc313e	2023-02-15T13:49:28	malloc-fail: Fix memory leak after calling valuePush Destroy the object in valuePush if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
f5e11749	2023-02-15T13:48:18	malloc-fail: Fix memory leak after calling xmlXPathWrapNodeSet Destroy the node set in xmlXPathWrapNodeSet if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.
3b59fdf0	2023-02-15T13:28:24	malloc-fail: Fix memory leak in xmlXIncludeAddNode Found with libFuzzer, see #344.
e60c9f4c	2023-02-15T01:00:03	malloc-fail: Fix memory leak after xmlRegNewState Invoke xmlRegNewState from xmlRegStatePush to simplify error handling. Found with libFuzzer, see #344.
cb4334b7	2023-02-14T18:10:14	malloc-fail: Fix memory leak in xmlSAX2StartElementNs Found with libFuzzer, see #344.
9fa1b228	2023-02-14T16:43:35	malloc-fail: Fix memory leak in xmlGetDtdElementDesc2 Found with libFuzzer, see #344.
c82701ff	2023-02-14T15:13:06	malloc-fail: Fix memory leak in xmlDocDumpFormatMemoryEnc Found with libFuzzer, see #344.
97086fd7	2023-02-14T14:45:58	malloc-fail: Fix memory leak in xmlParserInputBufferCreateMem Found with libFuzzer, see #344.
1c5e1fc1	2023-02-14T13:56:21	malloc-fail: Check for malloc failure in xmlFindCharEncodingHandler Don't return encoding handlers with a NULL name. Found with libFuzzer, see #344.
d18f9c11	2023-02-14T13:50:46	malloc-fail: Fix leak of xmlCharEncodingHandler Also free handler if its name is NULL. Found with libFuzzer, see #344.
f8852184	2023-02-14T13:03:13	malloc-fail: Fix memory leak in xmlParseEntityDecl Found with libFuzzer, see #344.
bd33331b	2023-02-17T15:19:37	regexp: Simplify xmlRegAtomPush
3cc900f0	2023-02-16T11:50:52	encoding: Cast toupper argument to unsigned char Fixes undefined behavior. Also cast return value explicitly to fix implicit-integer-sign-change checks.
e20f4d7a	2023-02-13T14:38:05	xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt Also make text inclusions work with memory buffers, for example when using a custom entity loader, and fix a memory leak in case of invalid characters. Fixes #483.
a96312db	2023-02-03T14:55:53	xinclude: Avoid timeouts when fuzzing Fix the check for maximum number of inclusions.
be0ec005	2023-02-03T14:37:49	xinclude: Abort immediately if max depth was exceeded Avoids resource exhaustion if the maximum recursion depth was exceeded. Note that the XInclude engine offers no protection against other "billion laughs"-style amplification attacks as long as they stay below the maximum depth.
dc2dde1a	2023-02-04T15:00:54	malloc-fail: Fix null deref in xmlXIncludeLoadTxt Found with libFuzzer, see #344.
a3749551	2023-02-03T14:00:13	malloc-fail: Fix reallocation in xmlXIncludeNewRef Avoid null deref. Found with libFuzzer, see #344.
d1272c2e	2023-02-13T11:16:57	fuzz: Add xinclude to .gitignore
905386ec	2023-02-13T11:14:34	autotools: Fix make distcheck - Add private/xinclude.h to EXTRA_DIST - Add runsuite.log to CLEANFILES Fixes #485.
15c9f435	2023-01-31T12:58:32	xpath: Only report the first error Don't overwrite the original error code. Besides, subsequent error reports are somewhat unreliable and not really useful.
6a12be77	2023-01-31T12:46:30	malloc-fail: Avoid use-after-free after unsuccessful valuePush In xpath.c there's a lot of code like: valuePush(ctxt, xmlCacheNewX()); ... valuePop(ctxt); If xmlCacheNewX fails, no value will be pushed on the stack. If there's no error check in between, valuePop will pop an unrelated value which can lead to use-after-free errors. Instead of trying to fix all call sites, we simply stop popping values if an error was signaled. This requires to change the CHECK_TYPE macro which is often used to determine whether a value can be safely popped. Found with libFuzzer, see #344.
7ec314ef	2023-01-30T15:59:55	malloc-fail: Add error checks in xmlXPathEqualValuesCommon Avoid null deref. Found with libFuzzer, see #344.
08695683	2023-01-30T15:52:00	malloc-fail: Add error check in xmlXPathEqualNodeSetFloat Avoid null deref. Found with libFuzzer, see #344.
621c222e	2023-01-30T15:48:11	malloc-fail: Fix error check in xmlXPathCompareValues Avoid null deref. Found with libFuzzer, see #344.
75534401	2023-01-30T15:40:23	malloc-fail: Record malloc failure in xmlXPathCompLiteral Avoid OOB array access. Found with libFuzzer, see #344.
0e4421e7	2023-01-30T15:05:58	malloc-fail: Check return value of xmlXPathNodeSetDupNs Avoid null deref if allocation fails. Found with libFuzzer, see #344.
c7260a47	2023-01-23T10:19:59	malloc-fail: Don't call xmlErrMemory in xmlstring.c Functions like xmlStrdup are called in the error handling code (__xmlRaiseError) which can cause problems like use-after-free or infinite loops when invoked recursively. Calling xmlErrMemory without a context argument isn't helpful anyway. Found with libFuzzer, see #344.
e6d22f92	2023-01-23T01:48:37	malloc-fail: Fix reallocation in inputPush Store xmlRealloc result in temporary variable to avoid null deref in error handler. Found with libFuzzer, see #344.
6fd89041	2023-01-22T19:42:41	malloc-fail: Fix use-after-free in xmlParseStartTag2 Fix error handling in xmlCtxtGrowAttrs. Found with libFuzzer, see #344.
c266a220	2023-01-22T18:18:00	malloc-fail: Handle memory errors in xmlTextReaderEntPush Unfortunately, there's no way to properly report memory errors. Found with libFuzzer, see #344.
d1b87856	2023-01-22T17:42:09	malloc-fail: Fix infinite loop in xmlParseTextDecl Memory errors can set `instate` to `XML_PARSER_EOF` which results in `NEXT` making no progress. Found with libFuzzer, see #344.
bd9de3a3	2023-01-22T16:52:39	malloc-fail: Fix null deref in xmlAddDefAttrs Found with libFuzzer, see #344.
2355eac5	2023-01-22T14:52:06	malloc-fail: Fix null deref if growing input buffer fails Also add some error checks. Found with libFuzzer, see #344.
0c5f40b7	2023-01-22T13:27:41	malloc-fail: Fix null deref in xmlSAX2AttributeInternal Found with libFuzzer, see #344.
1aabc9db	2023-01-22T13:20:15	malloc-fail: Fix null deref in xmlBufResize Found with libFuzzer, see #344.
b3b53dcc	2023-01-22T11:28:46	malloc-fail: Fix null deref in xmlSAX2Text Found with libFuzzer, see #344.
33d4a0fe	2023-01-22T15:41:00	parser: Fix progress check in xmlParseExternalSubset Avoid infinite loop. Short-lived regression from f61b8a62. Found with libFuzzer.
f65133fc	2023-01-22T14:13:56	uri: Add explicit cast in xmlSaveUri Fix -fsanitize=implicit-conversion error. We should probably percent-escape the host name here.
f8c5e7fb	2023-01-22T13:49:19	buf: Fix return value of xmlBufGetInputBase Don't return (size_t) -1 in error case. Found with libFuzzer and -fsanitize=implicit-conversion.
74aa61e0	2023-01-22T13:09:03	parser: Halt parser on DTD errors If we try to continue parsing after an error in the internal or external subset, entity expansion accounting gets more complicated. Simply halt the parser. Found with libFuzzer.
d9a8dab3	2023-01-22T12:00:59	error: Don't move past current position Make sure that we never move past the current position in xmlParserPrintFileContextInternal. Found with libFuzzer and -fsanitize=implicit-conversion.
608c65bb	2023-01-18T15:15:41	xpath: number('-') should return NaN Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81
bbb2b8f1	2023-01-17T16:08:06	Remove symbols from version script The version script didn't account for symbols disabled by configuration options. This has caused problems on some OSs in the past and breaks lld 16 which enables --no-undefined-version by default. A proper fix would be rather involved, so we simply remove all symbols from the version script. This is an ELF-only feature and libxml2 never made use of symbol versioning anyway. Ultimately, this removes the need for a lot of bookkeeping without tangible benefits. We have to keep the version nodes to avoid errors when running binaries linked against older versions of libxml2. Fixes #473.
e6401b68	2023-01-17T14:01:23	tree: Fix recursion check in xmlStringGetNodeList Use the new entity flag to check for recursion.
d320a683	2023-01-17T13:50:51	parser: Fix entity check in attributes Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable. This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.
59b33661	2022-12-27T14:15:51	error: Limit number of parser errors Reporting errors is expensive and some abusive test cases can generate an error for each invalid input byte. This causes the parser to spend most of the time with error handling. Limit the number of errors and warnings to 100.
ba910d34	2022-12-26T17:58:33	fuzz: Add test/recurse to seed corpus
09dac45a	2022-12-26T17:49:27	fuzz: Add separate XInclude fuzzer XIncludes involve XPath processing which can still lead to timeouts when fuzzing. This will probably take a while to fix. The rest of the XML parsing code should hopefully run without timeouts now. OSS-Fuzz only shows a single timeout test case, so separate the XInclude from the core XML fuzzer.
66e9fd66	2022-12-25T21:26:17	parser: Fix infinite loop with push parser in recovery mode Short-lived regression from commit b1f9c193. Found by OSS-Fuzz.
49b54d7e	2022-12-25T15:06:51	parser: Fix null deref in xmlStringDecodeEntitiesInt Short-lived regression.
c885bebb	2022-12-23T23:06:32	fuzz: Remove size limit, disable XInclude Now that entity expansion issues should be fixed, we should get more interesting timeout errors from OSS-Fuzz. Disable XInclude for now, since it often timeouts in XPath computations. The XInclude tests should be moved to a separate fuzz target.
1865668b	2022-12-23T22:44:40	parser: Fix accounting of consumed input bytes Only add consumed bytes if - we're not parsing an entity - we're parsing external parameter entities for the first time. Always ignore internal parameter entities.
bc18f4a6	2022-12-23T21:55:38	parser: Lower entity nesting limit with XML_PARSE_HUGE The old limit of 1024 could lead to excessively deep call stacks. This could probably be set much lower without causing issues.
dd62e541	2022-12-23T21:53:30	parser: Don't increase depth twice when parsing internal entities Fix xmlParseBalancedChunkMemoryInternal.
a41b09c7	2022-12-23T21:29:28	parser: Improve detection of entity loops Set a flag to detect entity loops at once instead of processing until the depth limit is exceeded.
d972393f	2022-12-23T21:01:20	parser: Only report a single entity error Don't report errors multiple times for nested entity references.
28b3777e	2022-12-22T15:35:28	runsuite: Some errors are expected
077df27e	2022-12-22T15:22:01	parser: Fix integer overflow of input ID Applies a patch from Chromium. Also stop incrementing input ID of subcontexts. This isn't necessary. Fixes #465.
0bd4e4e0	2022-12-21T19:21:30	xmlParseStartTag2() contains typo when checking for default definitions for an attribute in a namespace * parser.c: (xmlParseStartTag2): - Fix index into defaults->values. It is only correct the first time through the loop when i == 0. Fixes #467.
78c4430f	2022-12-22T00:03:10	doc: Remove ancient files
4c763dd0	2022-12-21T22:20:43	gitlab-ci: Revert accidental change to setup_mingw.sh Commit 3aaaf5ca shouldn't have changed this line. We need these libraries for a full libxml2 build.
c74e5903	2022-12-21T22:24:50	Remove ancient TODOs
101a542e	2022-12-21T21:47:10	Remove RPM build, Makefile.tests, README.tests
b47ebf04	2022-12-21T00:02:47	parser: Deprecate xmlString*DecodeEntities These are internal functions.
ec6633af	2022-12-20T03:09:11	parser: Remove useless ent->etype test in xmlParseReference If ent->etype is invalid, ret can't equal XML_ERR_OK.
7ee7f036	2022-12-20T02:06:38	parser: Remove useless ent->children tests in xmlParseReference The if-block before always returns if ent->children == NULL.
cfc036bd	2022-12-21T19:27:45	testrecurse: Test parameter entity accounting
106c4cdd	2022-12-21T17:05:54	testrecurse: Support multiple huge docs
079da5b2	2022-12-21T03:26:31	testrecurse: Add external entities to huge test
01bcb23d	2022-12-21T01:01:36	testrecurse: Add test cases for external entities Add test cases for external general and parameter entities.
046f99c5	2022-12-21T05:15:51	testrecurse: Add lol_param.xml Add test case contributed by Sebastian Pipping for CVE-2021-3541.
fafa0252	2022-12-21T01:01:07	testrecurse: Rename test files
69aeff53	2022-12-20T22:33:28	testrecurse: Also test without entity substitution
4c7cb8f4	2022-12-20T22:42:24	testrecurse: Also test SAX parser
583cd2f6	2022-12-21T05:13:23	testrecurse: Start to test entity expansion stats
ce76ebfd	2022-12-19T20:56:23	entities: Stop counting entities This was only used in the old version of xmlParserEntityCheck.
a3c8b180	2022-12-19T20:51:52	entities: Add entity flag for loop check
463bbeec	2022-12-19T18:39:45	entities: Rework entity amplification checks This commit implements robust detection of entity amplification attacks, better known as the "billion laughs" attack. We now limit the size of the document after substitution of entities to 10 times the size before expansion. This guarantees linear behavior by definition. There already was a similar check before, but the accounting of "sizeentities" (size of external entities) and "sizeentcopy" (size of all copies created by entity references) wasn't accurate. We also need saturation arithmetic since we're historically limited to "unsigned long" which is 32-bit on many platforms. A maximum of 10 MB of substitutions is always allowed. This should make use cases like DITA work which have caused problems in the past. The old checks based on the number of entities were removed. This is accounted for by adding a fixed cost to each entity reference. Entity amplification checks are now enabled even if XML_PARSE_HUGE is set. This option is mainly used to allow larger text nodes. Most users were unaware that it also disabled entity expansion checks. Some of the limits might be adjusted later. If this change turns out to affect legitimate use cases, we can add a separate parser option to disable the checks. Fixes #294. Fixes #345.
7e3f469b	2022-12-19T15:59:49	entities: Use flags to store '<' check results Instead of abusing the LSB of the "checked" member, store the result of testing for occurrence of '<' character in "flags". Also use the flags in xmlParseStringEntityRef instead of rescanning every time.
481d79d4	2022-12-19T15:26:46	entities: Add XML_ENT_PARSED flag To check whether an entity was already parsed, the code previously tested whether "checked" was non-zero or "children" was non-null. The "children" check could be unreliable because an empty entity also results in an empty (NULL) node list. Use a separate flag to make this check more reliable.
f34f184f	2022-12-19T15:24:53	entities: Add "flags" member to struct xmlEntity This will hold various flags and eventually replace the "checked" member.

e64653c0

2023-02-17T15:20:33

malloc-fail: Fix leak of xmlRegAtom Found with libFuzzer, see #344.

ed615967

2023-02-17T15:23:42

malloc-fail: Fix memory leak in xmlRegexpCompile Found with libFuzzer, see #344.

53d1cc98

2023-02-16T15:09:32

malloc-fail: Fix error code in htmlParseChunk Found with libFuzzer, see #344.

15b0ed08

2023-02-16T15:09:02

malloc-fail: Fix infinite loop in htmlParseDocTypeDecl Found with libFuzzer, see #344.

041789d9

2023-02-16T15:02:08

malloc-fail: Fix null deref in htmlnamePush Found with libFuzzer, see #344.

0ec9c910

2023-02-16T14:57:24

malloc-fail: Fix infinite loop in htmlParseStartTag Found with libFuzzer, see #344.

04c29551

2023-02-16T14:53:29

malloc-fail: Fix infinite loop in htmlParseContentInternal Found with libFuzzer, see #344.

f3e62035

2023-02-16T14:49:06

malloc-fail: Fix memory leak in htmlCreatePushParserCtxt Found with libFuzzer, see #344.

fc256953

2023-02-16T14:47:41

malloc-fail: Fix memory leak in htmlCreateMemoryParserCtxt Found with libFuzzer, see #344.

3dc64522

2023-02-15T14:30:40

malloc-fail: Fix memory leak in xmlXPathEqualValuesCommon Found with libFuzzer, see #344.

643b4e90

2023-02-16T14:45:06

malloc-fail: Fix infinite loop in htmlParseStartTag Found with libFuzzer, see #344.

ec05f04d

2023-02-16T12:40:02

malloc-fail: Fix memory leak in xmlXIncludeLoadTxt Found with libFuzzer, see #344.

c02df686

2023-02-16T12:10:36

malloc-fail: Fix memory leak in xmlXIncludeLoadDoc Found with libFuzzer, see #344.

bc7740b3

2023-02-16T11:45:58

malloc-fail: Fix memory leak in xmlCopyPropList Found with libFuzzer, see #344.

8d22e065

2023-02-15T14:41:11

malloc-fail: Fix memory leak after calling xmlXPathNodeSetMerge Destroy the first argument in xmlXPathNodeSetMerge if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.

d31a0e8e

2023-02-15T14:47:29

malloc-fail: Fix memory leak after calling xmlXPathWrapString Destroy the string in xmlXPathWrapString if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.

691f7eb4

2023-02-15T14:05:13

malloc-fail: Fix memory leak in xmlXPathCompareValues Found with libFuzzer, see #344.

ac746afd

2023-02-15T13:54:55

malloc-fail: Fix memory leak in xmlXPathTryStreamCompile Found with libFuzzer, see #344.

85bc313e

2023-02-15T13:49:28

malloc-fail: Fix memory leak after calling valuePush Destroy the object in valuePush if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.

f5e11749

2023-02-15T13:48:18

malloc-fail: Fix memory leak after calling xmlXPathWrapNodeSet Destroy the node set in xmlXPathWrapNodeSet if the function fails. This is somewhat dangerous but matches the expectations of users. Found with libFuzzer, see #344.

3b59fdf0

2023-02-15T13:28:24

malloc-fail: Fix memory leak in xmlXIncludeAddNode Found with libFuzzer, see #344.

e60c9f4c

2023-02-15T01:00:03

malloc-fail: Fix memory leak after xmlRegNewState Invoke xmlRegNewState from xmlRegStatePush to simplify error handling. Found with libFuzzer, see #344.

cb4334b7

2023-02-14T18:10:14

malloc-fail: Fix memory leak in xmlSAX2StartElementNs Found with libFuzzer, see #344.

9fa1b228

2023-02-14T16:43:35

malloc-fail: Fix memory leak in xmlGetDtdElementDesc2 Found with libFuzzer, see #344.

c82701ff

2023-02-14T15:13:06

malloc-fail: Fix memory leak in xmlDocDumpFormatMemoryEnc Found with libFuzzer, see #344.

97086fd7

2023-02-14T14:45:58

malloc-fail: Fix memory leak in xmlParserInputBufferCreateMem Found with libFuzzer, see #344.

1c5e1fc1

2023-02-14T13:56:21

malloc-fail: Check for malloc failure in xmlFindCharEncodingHandler Don't return encoding handlers with a NULL name. Found with libFuzzer, see #344.

d18f9c11

2023-02-14T13:50:46

malloc-fail: Fix leak of xmlCharEncodingHandler Also free handler if its name is NULL. Found with libFuzzer, see #344.

f8852184

2023-02-14T13:03:13

malloc-fail: Fix memory leak in xmlParseEntityDecl Found with libFuzzer, see #344.

bd33331b

2023-02-17T15:19:37

regexp: Simplify xmlRegAtomPush

3cc900f0

2023-02-16T11:50:52

encoding: Cast toupper argument to unsigned char Fixes undefined behavior. Also cast return value explicitly to fix implicit-integer-sign-change checks.

e20f4d7a

2023-02-13T14:38:05

xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt Also make text inclusions work with memory buffers, for example when using a custom entity loader, and fix a memory leak in case of invalid characters. Fixes #483.

a96312db

2023-02-03T14:55:53

xinclude: Avoid timeouts when fuzzing Fix the check for maximum number of inclusions.

be0ec005

2023-02-03T14:37:49

xinclude: Abort immediately if max depth was exceeded Avoids resource exhaustion if the maximum recursion depth was exceeded. Note that the XInclude engine offers no protection against other "billion laughs"-style amplification attacks as long as they stay below the maximum depth.

dc2dde1a

2023-02-04T15:00:54

malloc-fail: Fix null deref in xmlXIncludeLoadTxt Found with libFuzzer, see #344.

a3749551

2023-02-03T14:00:13

malloc-fail: Fix reallocation in xmlXIncludeNewRef Avoid null deref. Found with libFuzzer, see #344.

d1272c2e

2023-02-13T11:16:57

fuzz: Add xinclude to .gitignore

905386ec

2023-02-13T11:14:34

autotools: Fix make distcheck - Add private/xinclude.h to EXTRA_DIST - Add runsuite.log to CLEANFILES Fixes #485.

15c9f435

2023-01-31T12:58:32

xpath: Only report the first error Don't overwrite the original error code. Besides, subsequent error reports are somewhat unreliable and not really useful.

6a12be77

2023-01-31T12:46:30

malloc-fail: Avoid use-after-free after unsuccessful valuePush In xpath.c there's a lot of code like: valuePush(ctxt, xmlCacheNewX()); ... valuePop(ctxt); If xmlCacheNewX fails, no value will be pushed on the stack. If there's no error check in between, valuePop will pop an unrelated value which can lead to use-after-free errors. Instead of trying to fix all call sites, we simply stop popping values if an error was signaled. This requires to change the CHECK_TYPE macro which is often used to determine whether a value can be safely popped. Found with libFuzzer, see #344.

7ec314ef

2023-01-30T15:59:55

malloc-fail: Add error checks in xmlXPathEqualValuesCommon Avoid null deref. Found with libFuzzer, see #344.

08695683

2023-01-30T15:52:00

malloc-fail: Add error check in xmlXPathEqualNodeSetFloat Avoid null deref. Found with libFuzzer, see #344.

621c222e

2023-01-30T15:48:11

malloc-fail: Fix error check in xmlXPathCompareValues Avoid null deref. Found with libFuzzer, see #344.

75534401

2023-01-30T15:40:23

malloc-fail: Record malloc failure in xmlXPathCompLiteral Avoid OOB array access. Found with libFuzzer, see #344.

0e4421e7

2023-01-30T15:05:58

malloc-fail: Check return value of xmlXPathNodeSetDupNs Avoid null deref if allocation fails. Found with libFuzzer, see #344.

c7260a47

2023-01-23T10:19:59

malloc-fail: Don't call xmlErrMemory in xmlstring.c Functions like xmlStrdup are called in the error handling code (__xmlRaiseError) which can cause problems like use-after-free or infinite loops when invoked recursively. Calling xmlErrMemory without a context argument isn't helpful anyway. Found with libFuzzer, see #344.

e6d22f92

2023-01-23T01:48:37

malloc-fail: Fix reallocation in inputPush Store xmlRealloc result in temporary variable to avoid null deref in error handler. Found with libFuzzer, see #344.

6fd89041

2023-01-22T19:42:41

malloc-fail: Fix use-after-free in xmlParseStartTag2 Fix error handling in xmlCtxtGrowAttrs. Found with libFuzzer, see #344.

c266a220

2023-01-22T18:18:00

malloc-fail: Handle memory errors in xmlTextReaderEntPush Unfortunately, there's no way to properly report memory errors. Found with libFuzzer, see #344.

d1b87856

2023-01-22T17:42:09

malloc-fail: Fix infinite loop in xmlParseTextDecl Memory errors can set `instate` to `XML_PARSER_EOF` which results in `NEXT` making no progress. Found with libFuzzer, see #344.

bd9de3a3

2023-01-22T16:52:39

malloc-fail: Fix null deref in xmlAddDefAttrs Found with libFuzzer, see #344.

2355eac5

2023-01-22T14:52:06

malloc-fail: Fix null deref if growing input buffer fails Also add some error checks. Found with libFuzzer, see #344.

0c5f40b7

2023-01-22T13:27:41

malloc-fail: Fix null deref in xmlSAX2AttributeInternal Found with libFuzzer, see #344.

1aabc9db

2023-01-22T13:20:15

malloc-fail: Fix null deref in xmlBufResize Found with libFuzzer, see #344.

b3b53dcc

2023-01-22T11:28:46

malloc-fail: Fix null deref in xmlSAX2Text Found with libFuzzer, see #344.

33d4a0fe

2023-01-22T15:41:00

parser: Fix progress check in xmlParseExternalSubset Avoid infinite loop. Short-lived regression from f61b8a62. Found with libFuzzer.

f65133fc

2023-01-22T14:13:56

uri: Add explicit cast in xmlSaveUri Fix -fsanitize=implicit-conversion error. We should probably percent-escape the host name here.

f8c5e7fb

2023-01-22T13:49:19

buf: Fix return value of xmlBufGetInputBase Don't return (size_t) -1 in error case. Found with libFuzzer and -fsanitize=implicit-conversion.

74aa61e0

2023-01-22T13:09:03

parser: Halt parser on DTD errors If we try to continue parsing after an error in the internal or external subset, entity expansion accounting gets more complicated. Simply halt the parser. Found with libFuzzer.

d9a8dab3

2023-01-22T12:00:59

error: Don't move past current position Make sure that we never move past the current position in xmlParserPrintFileContextInternal. Found with libFuzzer and -fsanitize=implicit-conversion.

608c65bb

2023-01-18T15:15:41

xpath: number('-') should return NaN Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81

bbb2b8f1

2023-01-17T16:08:06

Remove symbols from version script The version script didn't account for symbols disabled by configuration options. This has caused problems on some OSs in the past and breaks lld 16 which enables --no-undefined-version by default. A proper fix would be rather involved, so we simply remove all symbols from the version script. This is an ELF-only feature and libxml2 never made use of symbol versioning anyway. Ultimately, this removes the need for a lot of bookkeeping without tangible benefits. We have to keep the version nodes to avoid errors when running binaries linked against older versions of libxml2. Fixes #473.

e6401b68

2023-01-17T14:01:23

tree: Fix recursion check in xmlStringGetNodeList Use the new entity flag to check for recursion.

d320a683

2023-01-17T13:50:51

parser: Fix entity check in attributes Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable. This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.

59b33661

2022-12-27T14:15:51

error: Limit number of parser errors Reporting errors is expensive and some abusive test cases can generate an error for each invalid input byte. This causes the parser to spend most of the time with error handling. Limit the number of errors and warnings to 100.

ba910d34

2022-12-26T17:58:33

fuzz: Add test/recurse to seed corpus

09dac45a

2022-12-26T17:49:27

fuzz: Add separate XInclude fuzzer XIncludes involve XPath processing which can still lead to timeouts when fuzzing. This will probably take a while to fix. The rest of the XML parsing code should hopefully run without timeouts now. OSS-Fuzz only shows a single timeout test case, so separate the XInclude from the core XML fuzzer.

66e9fd66

2022-12-25T21:26:17

parser: Fix infinite loop with push parser in recovery mode Short-lived regression from commit b1f9c193. Found by OSS-Fuzz.

49b54d7e

2022-12-25T15:06:51

parser: Fix null deref in xmlStringDecodeEntitiesInt Short-lived regression.

c885bebb

2022-12-23T23:06:32

fuzz: Remove size limit, disable XInclude Now that entity expansion issues should be fixed, we should get more interesting timeout errors from OSS-Fuzz. Disable XInclude for now, since it often timeouts in XPath computations. The XInclude tests should be moved to a separate fuzz target.

1865668b

2022-12-23T22:44:40

parser: Fix accounting of consumed input bytes Only add consumed bytes if - we're not parsing an entity - we're parsing external parameter entities for the first time. Always ignore internal parameter entities.

bc18f4a6

2022-12-23T21:55:38

parser: Lower entity nesting limit with XML_PARSE_HUGE The old limit of 1024 could lead to excessively deep call stacks. This could probably be set much lower without causing issues.

dd62e541

2022-12-23T21:53:30

parser: Don't increase depth twice when parsing internal entities Fix xmlParseBalancedChunkMemoryInternal.

a41b09c7

2022-12-23T21:29:28

parser: Improve detection of entity loops Set a flag to detect entity loops at once instead of processing until the depth limit is exceeded.

d972393f

2022-12-23T21:01:20

parser: Only report a single entity error Don't report errors multiple times for nested entity references.

28b3777e

2022-12-22T15:35:28

runsuite: Some errors are expected

077df27e

2022-12-22T15:22:01

parser: Fix integer overflow of input ID Applies a patch from Chromium. Also stop incrementing input ID of subcontexts. This isn't necessary. Fixes #465.

0bd4e4e0

2022-12-21T19:21:30

xmlParseStartTag2() contains typo when checking for default definitions for an attribute in a namespace * parser.c: (xmlParseStartTag2): - Fix index into defaults->values. It is only correct the first time through the loop when i == 0. Fixes #467.

78c4430f

2022-12-22T00:03:10

doc: Remove ancient files

4c763dd0

2022-12-21T22:20:43

gitlab-ci: Revert accidental change to setup_mingw.sh Commit 3aaaf5ca shouldn't have changed this line. We need these libraries for a full libxml2 build.

c74e5903

2022-12-21T22:24:50

Remove ancient TODOs

101a542e

2022-12-21T21:47:10

Remove RPM build, Makefile.tests, README.tests

b47ebf04

2022-12-21T00:02:47

parser: Deprecate xmlString*DecodeEntities These are internal functions.

ec6633af

2022-12-20T03:09:11

parser: Remove useless ent->etype test in xmlParseReference If ent->etype is invalid, ret can't equal XML_ERR_OK.

7ee7f036

2022-12-20T02:06:38

parser: Remove useless ent->children tests in xmlParseReference The if-block before always returns if ent->children == NULL.

cfc036bd

2022-12-21T19:27:45

testrecurse: Test parameter entity accounting

106c4cdd

2022-12-21T17:05:54

testrecurse: Support multiple huge docs

079da5b2

2022-12-21T03:26:31

testrecurse: Add external entities to huge test

01bcb23d

2022-12-21T01:01:36

testrecurse: Add test cases for external entities Add test cases for external general and parameter entities.

046f99c5

2022-12-21T05:15:51

testrecurse: Add lol_param.xml Add test case contributed by Sebastian Pipping for CVE-2021-3541.

fafa0252

2022-12-21T01:01:07

testrecurse: Rename test files

69aeff53

2022-12-20T22:33:28

testrecurse: Also test without entity substitution

4c7cb8f4

2022-12-20T22:42:24

testrecurse: Also test SAX parser

583cd2f6

2022-12-21T05:13:23

testrecurse: Start to test entity expansion stats

ce76ebfd

2022-12-19T20:56:23

entities: Stop counting entities This was only used in the old version of xmlParserEntityCheck.

a3c8b180

2022-12-19T20:51:52

entities: Add entity flag for loop check

463bbeec

2022-12-19T18:39:45

entities: Rework entity amplification checks This commit implements robust detection of entity amplification attacks, better known as the "billion laughs" attack. We now limit the size of the document after substitution of entities to 10 times the size before expansion. This guarantees linear behavior by definition. There already was a similar check before, but the accounting of "sizeentities" (size of external entities) and "sizeentcopy" (size of all copies created by entity references) wasn't accurate. We also need saturation arithmetic since we're historically limited to "unsigned long" which is 32-bit on many platforms. A maximum of 10 MB of substitutions is always allowed. This should make use cases like DITA work which have caused problems in the past. The old checks based on the number of entities were removed. This is accounted for by adding a fixed cost to each entity reference. Entity amplification checks are now enabled even if XML_PARSE_HUGE is set. This option is mainly used to allow larger text nodes. Most users were unaware that it also disabled entity expansion checks. Some of the limits might be adjusted later. If this change turns out to affect legitimate use cases, we can add a separate parser option to disable the checks. Fixes #294. Fixes #345.

7e3f469b

2022-12-19T15:59:49

entities: Use flags to store '<' check results Instead of abusing the LSB of the "checked" member, store the result of testing for occurrence of '<' character in "flags". Also use the flags in xmlParseStringEntityRef instead of rescanning every time.

481d79d4

2022-12-19T15:26:46

entities: Add XML_ENT_PARSED flag To check whether an entity was already parsed, the code previously tested whether "checked" was non-zero or "children" was non-null. The "children" check could be unreliable because an empty entity also results in an empty (NULL) node list. Use a separate flag to make this check more reliable.

f34f184f

2022-12-19T15:24:53

entities: Add "flags" member to struct xmlEntity This will hold various flags and eventually replace the "checked" member.

kc3-lang/libxml2

Log