faea2fa9  2020-11-21T01:21:56
Avoid quadratic checking of identity-constraints
key/unique/keyref schema attributes currently use quadratic loops
to check their various constraints (that keys are unique and that
keyrefs refer to existing keys). That becomes extremely slow if
there are many elements with keys. This happens in the wild with
e.g. the OVAL XML descriptions of security patches. You need the
openscap schemata, and then an example xml file:
% zypper in openscap-utils
% wget ftp://ftp.suse.com/pub/projects/security/oval/opensuse.leap.15.1.xml
% time xmllint --schema /usr/share/openscap/schemas/oval/5.5/oval-definitions-schema.xsd opensuse.leap.15.1.xml > /dev/null
opensuse.leap.15.1.xml validates
real 16m59,857s
user 16m55,787s
sys 0m1,060s
This patch makes libxml use a hash table to avoid the quadratic
behaviour. The existing hash table only accepts strings as keys, so
we're mostly reusing the canonical representation of key values to derive
such strings (with the caveat given in a comment). The alternative
would be to rework the hash table code to accept either numbers or free
functions as hash workers, but the code is fast enough as is.
With the patch we have this then:
% time LD_LIBRARY_PATH=./libxml2/.libs/ ./libxml2/.libs/xmllint --schema /usr/share/openscap/schemas/oval/5.5/oval-definitions-schema.xsd opensuse.leap.15.1.xml > /dev/null
opensuse.leap.15.1.xml validates
real 0m3,531s
user 0m3,427s
sys 0m0,103s
So, a ~300x speedup. This patch survives 'make check' and 'make tests'.

8272db53  2020-11-28T22:54:40
Use NAMELINK_COMPONENT in CMake install

5c7bdbc9  2020-11-25T18:41:14
Add CMake files to EXTRA_DIST

7a62870a  2020-11-19T22:06:23
Add missing compile definition for static builds to CMake

e028d293  2020-11-19T17:58:46
Add CI for CMake on Linux and MinGW

b516ed18  2020-11-12T12:53:43
Fix building with ICU 68.
ICU 68 no longer defines the TRUE macro.
Closes #204.

f42a0524  2020-11-09T18:19:31
Build the Python extension with PY_SSIZE_T_CLEAN
The Python extension module now uses Py_ssize_t rather than int for
string lengths. This change makes the extension compatible with
Python 3.10.
Fixes #203.

0ace6c4d  2020-11-19T17:35:11
Add CI test for Python 3

ac5e9991  2020-11-10T15:42:36
Convert python/libxml.c to PY_SSIZE_T_CLEAN
Define PY_SSIZE_T_CLEAN macro in python/libxml.c and cast the string
length (int len) explicitly to Py_ssize_t when passing a string to a
function call using PyObject_CallMethod() with the "s#" format.

7c06d99e  2020-10-27T11:29:20
Fix xmlURIEscape memory leaks.
Found by running the fuzz/uri.c fuzzer under asan (internal Android bug
171610679).
Always free `ret` when exiting on failure. I've moved the definition of
NULLCHK down past where ret is always initialized to make it clear that
this is safe.
This patch also fixes the indentation of two of the NULLCHK call sites
to make it more obvious that NULLCHK isn't `if`-like.

31c6ce3b  2020-11-09T17:55:44
Avoid call stack overflow with XML reader and recursive XIncludes
Don't process XIncludes in the result of another inclusion to avoid
infinite recursion resulting in a call stack overflow.
This is something the XInclude engine shouldn't allow but correct
handling of intra-document includes would require major changes.
Found by OSS-Fuzz.

7d6837ba  2020-10-25T20:21:43
Fix caret in regexp character group
Apply Per Hedeland's patch from
https://bugzilla.gnome.org/show_bug.cgi?id=779751
Fixes #188.

8a85263f  2020-10-25T20:08:16
Add fuzzing dictionaries to EXTRA_DIST
Also add static seed corpus for the URI fuzzer.

1bde1040  2020-10-25T20:02:23
Add 'fuzz' subdirectory to DIST_SUBDIRS
Fixes #191.

c0c26ff2  2020-10-11T16:33:07
parser.c: xmlParseCharData peek behavior fixed wrt newlines
Previously, xmlParseCharData and xmlParseComment would consider 0xA to
be unhandleable when seen as the first byte of an input chunk, and
fall back to xmlParseCharDataComplex and xmlParseCommentComplex, which
have different memory and performance characteristics.
Fixes GNOME/libxml2#192

b46016b8  2020-10-17T18:03:09
Allow port numbers up to INT_MAX
Also return an error on overflow.

46837d47  2020-10-03T01:13:35
Fix memory leaks in XPointer string-range function
Found by OSS-Fuzz.

0b3c64d9  2020-09-29T18:08:37
Handle dumps of corrupted documents more gracefully
Check parent pointers for NULL after the non-recursive rewrite of the
serialization code. This avoids segfaults with corrupted documents
which can apparently be seen with lxml, see issue #187.

847a3a11  2020-09-28T12:28:29
Fix use-after-free when XIncluding text from Reader
The XML Reader can free text nodes coming from the XInclude engine
before parsing has finished. Cache a copy of the text string, not the
included node to avoid use after free.
Found by OSS-Fuzz.

7929f057  2020-08-30T10:34:01
Fix SEGV in xmlSAXParseFileWithData
Fixes #181.

e6ec58ec  2020-09-21T12:49:36
Fix null deref in XPointer expression error path
Make sure that the filter functions introduced with commit c2f4da1a
return node-sets without NULL pointers also in the error case.
Found by OSS-Fuzz.

4e9cc18b  2020-09-21T11:00:23
Fix variable name in win32/configure.js
Fix copy/paste error from previous commit.

5614c078  2020-09-21T10:55:45
Fix version parsing in win32/configure.js
Adjust to configure.ac changes.
Should fix #185.

8b88503a  2020-09-18T19:15:27
Don't call xmlXPathInit directly
Call xmlInitParser which uses a lock to avoid race conditions.
Fixes #184.

b215c270  2020-09-13T12:19:48
Fix cleanup of attributes in XML reader
xml:id creates ID attributes even in documents without a DTD, so the
check in xmlTextReaderFreeProp must be changed to avoid use after free.
Found by OSS-Fuzz.

f0fd1b67  2020-08-26T00:16:38
Limit size of free lists in XML reader when fuzzing
Keeping objects on a free list can hide memory errors. Only allow a
single node on free lists used by the XML reader when fuzzing. This
should hide fewer errors while still exercising the free list logic.

ba589adc  2020-08-25T23:50:39
Fix double free in XML reader with XIncludes
An XInclude with empty fallback could lead to a double free in
xmlTextReaderRead.
Found by OSS-Fuzz.

6f1470a5  2020-08-25T18:50:45
Hardcode maximum XPath recursion depth
Always limit nested function calls to 5000. This avoids call stack
overflows with deeply nested expressions.
The expression parser produces about 10 nested function calls when
parsing a subexpression in parentheses, so the effective nesting limit
is about 500 which should be more than enough.
Use a lower limit when fuzzing to account for increased memory usage
when using sanitizers.

8c3ef083  2020-08-24T23:17:34
Pass URL of main entity in XML fuzzer

0d5f3710  2020-08-24T16:28:54
Consolidate seed corpus generation
Implement file handling in C to speed up corpus generation.

0d9da029  2020-08-24T03:16:25
Test fuzz targets with dummy driver
Run fuzz targets with files in seed corpus during test.

3fcf3193  2020-08-22T00:43:18
Fix regression introduced with commit d88df4b
Revert the commit and use a different approach.
Found by OSS-Fuzz.

87d20b55  2020-08-19T13:52:08
Fix regression introduced with commit 74dcc10b
The code wasn't dead after all, but I can see no reason for delaying
the XPointer evaluation. This could lead to nodes included earlier
appearing in XPointer results.

fbb7fa9a  2020-08-19T13:13:20
Fix memory leak in xmlXIncludeAddNode error paths
Found by OSS-Fuzz.

19cae17f  2020-08-19T13:07:28
Revert "Fix quadratic runtime in xi:fallback processing"
This reverts commit 27119ec33c9f6b9830efa1e0da0acfa353dfa55a.
Not copying fallback children didn't fix up namespaces and could lead
to use-after-free errors.
Found by OSS-Fuzz.

d63cfeca  2020-08-17T15:40:06
Add TODO comment in xinclude.c
Add some thoughts on the major remaining problems with the XInclude
implementation.

804c5297  2020-08-17T03:37:18
Stop using maxParserDepth in xpath.c
Only use a single maxDepth value.

74dcc10b  2020-08-17T03:24:56
Remove dead code in xinclude.c
'doc' is checked for NULL in xmlXIncludeLoadDoc, so several code
paths can be eliminated.

0ff52748  2020-08-17T02:54:28
Fix autotools warnings

2c747129  2020-08-17T00:54:12
Fix error reporting with xi:fallback
When reporting errors, don't use href of xi:include if xi:fallback
was used. I think this can only be reproduced with
"xmllint --postvalid", see the original bug report:
https://bugzilla.gnome.org/show_bug.cgi?id=152623

27119ec3  2020-08-17T00:05:19
Fix quadratic runtime in xi:fallback processing
Copying the tree would lead to runtime quadratic in nested fallback
depth, similar to naive string concatenation.

d88df4bd  2020-08-16T23:38:48
Fix corner case with empty xi:fallback
xi:fallback could become empty after recursive expansion. Use a flag
to track whether nodes should be skipped.

00a86d41  2020-08-16T23:38:00
Don't add formatting newlines to XInclude nodes

dba82a8c  2020-08-16T23:02:20
Fix XInclude regression introduced with recent commit
The change to xmlXIncludeLoadFallback in commit 11b57459 could
process already freed nodes if text nodes were merged after deleting
nodes with an empty fallback.
Found by OSS-Fuzz.

e1c2d0ad  2020-08-16T22:22:57
Fix memory leak in runtest.c

2b4769a6  2020-08-16T22:02:04
Make "xmllint --push --recovery" work

99fc048d  2020-08-14T14:18:50
Don't use SAX1 if all element handlers are NULL
Running xmllint with "--sax --noout" installs a SAX2 handler with all
callbacks set to NULL. In this case or similar situations, we don't want
to switch to SAX1 parsing.

c1ba6f54  2020-08-15T18:32:29
Revert "Do not URI escape in server side includes"
This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
This commit introduced
- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
- an algorithm with quadratic runtime
- a security issue, see
https://bugzilla.gnome.org/show_bug.cgi?id=769760
A better approach is to add an option not to escape URLs at all
which libxml2 should have possibly done in the first place.

b82fa3dd  2020-08-09T14:50:46
Fix column number accounting in xmlParse*NameAndCompare
Thanks to Frederic Vancraeyveldt for the report.

438e595a  2020-08-09T14:43:53
Stop counting nbChars in parser context
The value was inaccurate and never used.

f6a9541f  2020-08-09T14:29:35
Remove unneeded progress checks in HTML parser
The HTML parser should now be guaranteed to make progress, so the
checks became unnecessary.

9de7b94d  2020-08-08T20:37:30
Use strcmp when fuzzing
This should improve data-flow-guided fuzzing.

10a07948  2020-08-08T17:46:11
Fix XPath fuzzer

6c128fd5  2020-06-05T13:43:45
Fuzz XInclude engine

50f06b3e  2020-08-07T21:54:27
Fix out-of-bounds read with 'xmllint --htmlout'
Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
array access.
Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
the report.
Fixes #178.

1abf2967  2020-08-06T17:51:57
Fix exponential runtime and memory in xi:fallback processing
When creating XML_XINCLUDE_START nodes, the children of the original
xi:include node must be freed, otherwise fallback content is copied
twice, doubling runtime and memory consumption for each nested
xi:fallback/xi:include pair.
Found with libFuzzer.

11b57459  2020-08-07T18:39:19
Don't process siblings of root in xmlXIncludeProcess
xmlXIncludeDoProcess would follow the siblings of the tree root and
also expand these nodes. When using an XML reader, this could lead to
siblings of the current node being expanded without having been parsed
completely.

0f9817c7  2020-06-10T16:34:52
Don't recurse into xi:include children in xmlXIncludeDoProcess
Otherwise, nested xi:include nodes might result in a use-after-free
if XML_PARSE_NOXINCNODE is specified.
Found with libFuzzer and ASan.

5725c115  2020-06-10T15:11:40
Fix memory leak in xmlXIncludeIncludeNode error paths
Found with libFuzzer and ASan.

ad26a60f  2020-08-06T13:20:01
Add XPath and XPointer fuzzer

956534e0  2020-08-04T19:27:13
Check for custom free function in global destructor
Calling a custom deallocation function in the global destructor could
cause all kinds of unexpected problems. See for example
https://github.com/sparklemotion/nokogiri/issues/2059
Only clean up if memory is managed with malloc/free.

8e7c20a1  2020-08-03T17:30:41
Fix integer overflow when comparing schema dates
Found by OSS-Fuzz.

68eadabd  2020-07-11T21:32:10
Fix exponential runtime in xmlFARecurseDeterminism
In order to prevent visiting a state twice, states must be marked as
visited for the whole duration of graph traversal because states might
be reached by different paths. Otherwise state graphs like the
following can lead to exponential runtime:
->O-->O-->O-->O-->O->
   \ / \ / \ / \ /
    O   O   O   O
Reset the "visited" flag only after the graph was traversed.
xmlFAComputesDeterminism still has massive performance problems when
handling fuzzed input. By design, it has quadratic time complexity in
the number of reachable states. Some issues might also stem from
redundant epsilon transitions. With this fix, fuzzing regexes with a
maximum length of 100 becomes feasible at least.
Found with libFuzzer.
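The effect described above, as an added example rather than libxml2's xmlFARecurseDeterminism: the diamond chain from the message is built with n diamonds and walked once with the visited flag cleared on return and once with it kept for the whole traversal, counting node visits. The graph layout and function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NODES 64
#define MAX_EDGES 2

typedef struct {
    int nnodes;
    int nedges[MAX_NODES];
    int edge[MAX_NODES][MAX_EDGES];
    int visited[MAX_NODES];
} graph_t;

static void add_edge(graph_t *g, int from, int to)
{
    g->edge[from][g->nedges[from]++] = to;
}

/* Build the state graph from the commit message with n diamonds:
 * a top chain T0 -> T1 -> ... -> Tn where each step Ti -> Ti+1 can
 * also be taken through a lower node Li. Top nodes are numbered
 * 0..n, lower nodes n+1..2n. Returns the node count. */
int build_diamond_chain(graph_t *g, int n)
{
    memset(g, 0, sizeof *g);
    g->nnodes = 2 * n + 1;
    for (int i = 0; i < n; i++) {
        int lower = n + 1 + i;
        add_edge(g, i, i + 1);
        add_edge(g, i, lower);
        add_edge(g, lower, i + 1);
    }
    return g->nnodes;
}

/* Depth-first walk counting node visits. With reset_on_return the
 * visited flag is cleared when the recursion unwinds, so it only
 * guards against cycles on the current path and every distinct path
 * to a node is walked again (the pre-fix behaviour). Otherwise the
 * flag stays set for the whole traversal. */
static long visit(graph_t *g, int node, int reset_on_return)
{
    long count = 1;
    if (g->visited[node]) return 0;
    g->visited[node] = 1;
    for (int i = 0; i < g->nedges[node]; i++)
        count += visit(g, g->edge[node][i], reset_on_return);
    if (reset_on_return) g->visited[node] = 0;
    return count;
}

/* Total node visits for a chain of n diamonds: 3 * 2^n - 2 with the
 * per-path reset, 2n + 1 when the flags are kept until the end. */
long count_visits(int n, int reset_on_return)
{
    graph_t g;
    build_diamond_chain(&g, n);
    long visits = visit(&g, 0, reset_on_return);
    memset(g.visited, 0, sizeof g.visited);  /* the fix: reset only after the whole traversal */
    return visits;
}

int main(void)
{
    for (int n = 4; n <= 20; n += 8)
        printf("n=%2d  reset-on-return: %8ld visits   kept: %3ld visits\n",
               n, count_visits(n, 1), count_visits(n, 0));
    return 0;
}
```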

905820a4  2020-07-12T22:59:39
Update fuzzing code
- Shorten timeouts
- Align options from Makefile and options files
- Add section headers to Makefile
- Skip invalid UTF-8 in regexp fuzzer
- Update regexp.dict
- Generate HTML seed corpus in correct format

1a360c1c  2020-07-29T00:39:15
More *NodeDumpOutput fixes
When leaving nodes, restrict more operations to XML_ELEMENT_NODEs.

7b2e5172  2020-07-28T21:52:55
Fix *NodeDumpOutput functions
Only output end tag for elements. Should fix serialization of document
fragments.

dc6f0092  2020-07-28T19:07:19
Make xmlNodeDumpOutputInternal non-recursive
Fixes stack overflow with deeply nested documents.

5330153d  2020-07-28T18:33:50
Make xhtmlNodeDumpOutput non-recursive
Fixes stack overflow with deeply nested documents.

b79ab6e6  2020-07-28T02:42:37
Make htmlNodeDumpFormatOutput non-recursive
Fixes stack overflow with deeply nested HTML documents.
Found by OSS-Fuzz.

21ca8829  2020-07-25T17:57:29
Don't try to handle namespaces when building HTML documents
Don't try to resolve namespace in xmlSAX2StartElement when parsing
HTML documents. This useless operation could slow down the parser
considerably.
Found by OSS-Fuzz.

93ce33c2  2020-07-23T17:34:08
Fix several quadratic runtime issues in HTML push parser
Fix a few remaining cases where the HTML push parser would scan more
content during lookahead than was parsed later.
Make sure that htmlParseDocTypeDecl consumes all content up to the
final '>' in case of errors. The old comment said "We shouldn't try to
resynchronize", but ignoring invalid content is also what the HTML5
spec mandates.
Likewise, make htmlParseEndTag skip to the final '>' in invalid end
tags even if not in recovery mode. This is probably the most visible
change in practice and leads to different output for some tests but is
also more in line with HTML5.
Make sure that htmlParsePI and htmlParseComment don't abort if invalid
characters are encountered but log an error and ignore the character.
Change some other end-of-buffer checks to test for a zero byte instead
of relying on IS_CHAR.
Fix usage of IS_CHAR macro in htmlParseScript.

10d09472  2020-07-23T19:16:21
Fix .gitattributes
The files in 'test' and 'result' have mixed line endings, so disable
end-of-line conversion.

173a0830  2020-07-22T23:15:35
Fix quadratic runtime when push parsing HTML start tags
Make sure that htmlParseStartTag doesn't terminate on characters for
which IS_CHAR_CH is false like control chars.
In htmlParseTryOrFinish, only switch to START_TAG if the next character
starts a valid name. Otherwise, htmlParseStartTag might return without
consuming all characters up to the final '>'.
Found by OSS-Fuzz.

0e5c4fec  2020-07-13T15:20:45
Reset XML parser input before reporting errors
Apply changes to htmlParseChunk() in 13ba5b61 and 3f18e748 to
xmlParseChunk().

6995eed0  2020-07-19T13:54:52
Fix quadratic runtime when push parsing HTML entity refs
The HTML push parser would look ahead for characters in "; >/" to
terminate an entity reference but actual parsing could stop earlier,
potentially resulting in quadratic runtime.
Parse char data and references alternately in htmlParseTryOrFinish
and only look ahead once for a terminating '<' character.
Found by OSS-Fuzz.

8e219b15  2020-07-12T21:43:44
Fix HTML push parser lookahead
The parsing rules when looking for terminating chars or sequences in
the push parser differed from the actual parsing code. This could
result in the lookahead overshooting and data being rescanned,
potentially leading to quadratic runtime.
Comments must never be handled during lookahead. Attribute values must
only be skipped for start tags and doctype declarations, not for end
tags, comments, PIs and script content.

e050062c  2020-07-15T14:38:55
Make htmlCurrentChar always translate U+0000
The general assumption is that htmlCurrentChar only returns 0 if the
end of the input buffer is reached. The UTF-8 path already logged an
error if a zero byte U+0000 was found and returned a space character
instead. Make the ASCII code path do the same.
htmlParseTryOrFinish skips zero bytes at the beginning of a buffer, so
even if 0 was returned from htmlCurrentChar, the push parser would make
progress. But rescanning the input could cause performance problems.
The pull parser would abort parsing and now handles zero bytes in ASCII
mode the same way as the push parser or as in UTF-8 mode.
It would be better to return the replacement character U+FFFD instead,
but some of the client code assumes that the UTF-8 length of input and
output matches.

dfd4e330  2020-07-15T14:22:08
Rework control flow in htmlCurrentChar
Don't call xmlCurrentChar after switching encodings. Rearrange code
blocks and fall through to normal UTF-8 handling.

922bebcc  2020-07-15T14:20:42
Make 'xmllint --html --push -' read from stdin

1493130e  2020-07-15T12:54:25
Fix UTF-8 decoder in HTML parser
Reject sequences starting with a continuation byte as well as overlong
sequences like the XML parser.
Also fixes an infinite loop in connection with previous commit 50078922
since htmlCurrentChar would return 0 even if not at the end of the
buffer.
Found by OSS-Fuzz.
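The checks this commit and the related ones above describe (50f06b3e: no read past a truncated sequence; e050062c: a NUL inside the buffer must not look like end of input) in one bounds-checked decoder, added here as an example and not libxml2's htmlCurrentChar: it rejects stray continuation bytes, overlong and out-of-range encodings and sequences cut off by the end of the buffer, and reports end of input only when no bytes remain. Function names and the constructed inputs are this example's own.

```c
#include <stddef.h>

enum { UTF8_END = 0, UTF8_BAD = -1 };

/* Decode one code point from buf[0..len). Returns the number of bytes
 * consumed (> 0) and stores the code point in *cp if cp is not NULL.
 * Returns UTF8_END only when len == 0, and UTF8_BAD for a stray
 * continuation byte, an overlong or out-of-range encoding, or a
 * sequence truncated by the end of the buffer. Never reads buf[len]. */
int utf8_decode(const unsigned char *buf, size_t len, unsigned int *cp)
{
    unsigned int c, need, min;
    size_t i;

    if (len == 0)
        return UTF8_END;
    c = buf[0];
    if (c < 0x80) {                  /* ASCII, including a U+0000 inside the buffer */
        if (cp) *cp = c;
        return 1;
    }
    if (c < 0xC0) return UTF8_BAD;   /* 10xxxxxx: continuation byte without a lead byte */
    if (c < 0xE0)      { need = 1; c &= 0x1F; min = 0x80;    }
    else if (c < 0xF0) { need = 2; c &= 0x0F; min = 0x800;   }
    else if (c < 0xF8) { need = 3; c &= 0x07; min = 0x10000; }
    else return UTF8_BAD;            /* 0xF8..0xFF are never valid lead bytes */
    if (len < need + 1) return UTF8_BAD;  /* truncated: reading on would run past the buffer */
    for (i = 1; i <= need; i++) {
        if ((buf[i] & 0xC0) != 0x80) return UTF8_BAD;
        c = (c << 6) | (buf[i] & 0x3F);
    }
    if (c < min) return UTF8_BAD;    /* overlong: a shorter encoding exists */
    if (c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)) return UTF8_BAD;
    if (cp) *cp = c;
    return (int)(need + 1);
}

/* Scan a whole buffer the way a parser that must keep making progress
 * does: each malformed byte is counted and skipped, and the end of the
 * buffer is only ever reached through len, never through a 0 byte.
 * Returns the number of malformed bytes; *ncp receives the number of
 * code points decoded. */
size_t utf8_scan(const unsigned char *buf, size_t len, size_t *ncp)
{
    size_t pos = 0, bad = 0, n = 0;
    while (pos < len) {
        int r = utf8_decode(buf + pos, len - pos, NULL);
        if (r == UTF8_BAD) { bad++; pos++; continue; }
        n++;
        pos += (size_t)r;
    }
    if (ncp) *ncp = n;
    return bad;
}

/* Convenience wrapper for checks: the code point, -1 for UTF8_BAD,
 * -2 for UTF8_END. */
long decode_cp(const char *s, size_t len)
{
    unsigned int cp = 0;
    int r = utf8_decode((const unsigned char *)s, len, &cp);
    return r == UTF8_BAD ? -1 : r == UTF8_END ? -2 : (long)cp;
}
```

The constructed input "A\xC0\xAF\xE2\x82" (an 'A', an overlong '/', a stray continuation byte and a 3-byte sequence cut off after two bytes) scans to one code point and four malformed bytes without touching memory beyond the five bytes passed in.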

beb7d71a  2020-07-13T12:41:19
Remove misleading comments in xpath.c
Fixes #169

50078922  2020-07-12T20:28:47
Fix quadratic runtime when parsing HTML script content
If htmlParseScript returns upon hitting an invalid character,
htmlParseLookupSequence will be called again with checkIndex reset to
zero, potentially resulting in quadratic runtime. Make sure that
htmlParseScript consumes all input in one go and simply skips over
invalid characters similar to htmlParseCharDataInternal.
Found by OSS-Fuzz.

d6761e70  2020-07-13T11:59:45
Update to Devhelp index file format version 2
Fixes #89

d514e2bd  2020-07-12T18:42:49
Set project language to C

5ddf02f2  2020-06-07T16:06:17
Update config.h.cmake.in

8bec210d  2020-06-04T17:37:21
Add variable for working directory of XML Conformance Test Suite

270e1655  2020-06-04T14:45:48
Add additional tests and XML Conformance Test Suite

e6ba4bd7  2020-06-04T11:58:04
Add command line option for temp directory in runtest

40e7ceaa  2020-06-04T11:57:28
Ensure LF line endings for test files

9ecf5ad6  2020-06-04T00:16:15
Enable runtests and testThreads

3f18e748  2020-07-11T14:34:57
Reset HTML parser input before reporting error
Avoid use-after-free, similar to 13ba5b61. Also make sure that
xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.
Found by OSS-Fuzz.

3da8d947  2020-07-09T16:08:38
Fix more quadratic runtime issues in HTML push parser
Make sure that checkIndex is set when returning without match from
inside a comment. Also track parser state in htmlParseLookupChars.
Found by OSS-Fuzz.

741b0d0a  2020-07-07T12:54:34
Fix regression introduced with 477c7f6a
The 'inSubset' member is actually used by the SAX2 handlers. Store
extra parser state in 'hasPErefs'.

fc842f6e  2020-07-06T15:22:12
Limit regexp nesting depth
Enforce a maximum nesting depth of 50 for regular expressions. Avoids
stack overflows with deeply nested regexes.
Found by OSS-Fuzz.

1e41e4fa  2020-06-30T02:43:57
Fix return values and documentation in encoding.c
Make xmlEncInputChunk and xmlEncOutputChunk return 0 on success and
never a positive value.
Make xmlCharEncFirstLineInt, xmlCharEncFirstLineInt and
xmlCharEncOutFunc return the number of bytes written.

6b4717d6  2020-07-06T12:36:27
Add regexp regression tests
- Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
<https://bugzilla.gnome.org/show_bug.cgi?id=757711>
- Bug 783015 - Integer-overflow in xmlFAParseQuantExact
<https://bugzilla.gnome.org/show_bug.cgi?id=783015>
(Regexptests): Add support for checking stderr output when
running regexp tests. This makes it possible to check in test
cases that fail and not see false-positive error output when
running the tests. Unlike other libxml2 test suites, if there
is no stderr output, no *.err file needs to be created.

477c7f6a  2020-06-28T15:54:23
Fix quadratic runtime in HTML parser
Commit eeb99329 removed an important optimization avoiding quadratic
runtime when repeatedly scanning the input buffer for terminating
characters in the HTML push parser. The related bug is
https://bugzilla.gnome.org/show_bug.cgi?id=444994
Make sure that ctxt->checkIndex is always written and store additional
parser state in ctxt->inSubset which is unused in the HTML parser.
Found by OSS-Fuzz.
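A minimal model of the lookahead cost behind this and the other push-parser commits above (50078922, 3da8d947, 8e219b15), added as an example and not taken from libxml2: input arrives in chunks, the parser scans ahead for the '>' that ends the next unit, and restarting that scan from offset 0 on every chunk examines a quadratic number of bytes, while resuming from a remembered checkIndex keeps it linear. All names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Push-parser state: buffered input, how far the lookahead already
 * scanned without finding a terminator, and a counter of the bytes
 * examined, which is the cost being compared. */
typedef struct {
    char buf[4096];
    size_t len;
    size_t check_index;
    long comparisons;
} push_ctx;

/* Find ch in buf[start..len). Returns its index or -1. */
static long lookup_char(push_ctx *c, size_t start, char ch)
{
    for (size_t i = start; i < c->len; i++) {
        c->comparisons++;
        if (c->buf[i] == ch) return (long)i;
    }
    return -1;
}

/* Append a chunk and consume every complete unit (up to and including
 * the next '>'). With remember_progress == 0 the lookahead restarts at
 * offset 0 after every chunk (the regression); otherwise it resumes at
 * check_index, the offset the last failed scan reached. Returns units consumed. */
int push_chunk(push_ctx *c, const char *chunk, size_t n, int remember_progress)
{
    int units = 0;
    if (c->len + n > sizeof c->buf) return -1;
    memcpy(c->buf + c->len, chunk, n);
    c->len += n;
    for (;;) {
        size_t start = remember_progress ? c->check_index : 0;
        long end = lookup_char(c, start, '>');
        if (end < 0) {
            c->check_index = c->len;   /* everything buffered so far is known to hold no '>' */
            return units;
        }
        size_t consumed = (size_t)end + 1;
        memmove(c->buf, c->buf + consumed, c->len - consumed);
        c->len -= consumed;
        c->check_index = 0;
        units++;
    }
}

/* Deliver one unit of nbytes 'a' characters one byte per chunk, then
 * the closing '>'. Returns the bytes examined: nbytes*(nbytes+1)/2 +
 * nbytes + 1 when rescanning, nbytes + 1 when remembering progress. */
long feed_one_byte_at_a_time(int nbytes, int remember_progress)
{
    push_ctx c; memset(&c, 0, sizeof c);
    for (int i = 0; i < nbytes; i++)
        push_chunk(&c, "a", 1, remember_progress);
    push_chunk(&c, ">", 1, remember_progress);
    return c.comparisons;
}

/* Units spanning chunk boundaries are still found: "<a" + "b>" + "<c><d>"
 * yields 0, 1 and 2 units, so the total is 3 in both modes. */
int split_unit_demo(int remember_progress)
{
    push_ctx c; memset(&c, 0, sizeof c);
    return push_chunk(&c, "<a", 2, remember_progress)
         + push_chunk(&c, "b>", 2, remember_progress)
         + push_chunk(&c, "<c><d>", 6, remember_progress);
}
```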

f8329fdc  2020-07-02T11:51:31
Report error for invalid regexp quantifiers

13ba5b61  2020-06-28T13:16:46
Reset HTML parser input before reporting encoding error
If charset conversion fails, reset the input pointers before reporting
the error and bailing out. Otherwise, the input pointers are left in an
invalid state which could lead to use-after-free and other memory
errors.
Similar to f9e7997e. Found by OSS-Fuzz.

1e7851b5  2020-06-25T12:17:50
Fix integer overflow in xmlFAParseQuantExact
Found by OSS-Fuzz.