kmx git

Commit	Date	Message
22f9d730	2025-10-15T15:39:43	io: Handle clashing error codes on AIX Regressed with 2c2578b6f. Fixes #999.
870c0363	2025-10-13T22:58:38	fuzz: Make fuzzy encoding match more lenient This should account for possible iconv suffixes.
367a283b	2025-10-07T01:05:03	tree: Undeprecate several struct members
3a3faaa2	2025-09-30T18:05:32	Document process to remove API functions in MAINTAINERS.md
2f62ebb3	2025-09-29T11:04:03	io: Undeprecate xmlOutputBuffer members The public API is too buggy, so direct access to struct members is required by projects like libxslt.
d87d9477	2025-09-29T10:46:47	Revert "globals: Don't export DllMain on Windows" This reverts commit bd2072f8d025e7a37d527b23b84698460c5798bf. Apparently, this change would require to recompile downstream code.
bd2072f8	2025-09-27T19:07:38	globals: Don't export DllMain on Windows This shouldn't be done and lld 21 warns about it: https://github.com/msys2/MINGW-packages/issues/17820 https://github.com/msys2/MINGW-packages/issues/25716 Regressed with f05af837.
a30a2764	2025-09-26T16:29:10	valid: Undeprecate xmlValidGetPotentialChildren Fixes #988.
c537ccf0	2025-09-25T11:29:05	Fixed compilation error on GCC versions prior to 4.5 The deprecated attribute started accepting an optional string argument in GCC version 4.5. Compiling libxml2 with GCC versions prior to that would cause compilation errors such as: ``` ./include/libxml/xmlmemory.h:134: error: wrong number of arguments specified for 'deprecated' attribute ``` Now the string argument is omitted for older versions of GCC. Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
da45a190	2025-09-19T13:39:41	parser: Fix attribute normalization and standalone check Regressed with e4cbc295.
dc307e31	2025-09-17T11:10:51	meson: Fix install dir of man pages Regressed when reworking documentation in 2.15. Fixes #985.
48df82f6	2025-09-15T13:57:12	Bump version to 2.16.0
0bea77c8	2025-09-15T13:34:13	Release v2.15.0
b9943bca	2025-09-10T18:04:57	Remove legacy win32 build system
347147b5	2025-09-08T16:02:59	Update NEWS
1763281c	2025-09-08T15:29:23	Remove LZMA support
063add1b	2025-09-08T15:14:33	parser: Always require XML_PARSE_UNZIP to enable decompression
8c107b69	2025-09-08T14:59:24	Revert "dict: Rework reference counting" This reverts commit 18bbdb51175f309aef40fa5254af34e322be7783 due to lack of feedback.
13962f82	2025-08-25T12:29:55	valid: Fix null deref in xmlValidateOneAttribute Short-lived regression from d53ba058.
e397651a	2025-08-24T20:08:17	cmake: Omit version number from cmake install dir Align with other build systems. Fixes #973.
d53ba058	2025-08-23T14:59:50	valid: Don't add ids when validating entity content The id table shouldn't reference ids in entities. The id will be created when expanding the entity. Probably regressed with d025cfbb. Note that we still register ids in entities if entities are not replaced. This is required to make IDREF checks work. Fixes #974.
56199b5c	2025-08-17T15:58:09	catalog: Prepare to make SGML catalog support optional
e2fdef45	2025-08-17T15:54:04	tests: Update testapi.c
591f19eb	2025-08-17T14:35:08	catalog: Deprecate low-level internal functions
5bd6b44d	2025-08-20T10:18:25	Fix initGenericErrorDefaultFunc(NULL) Calling initGenericErrorDefaultFunc(NULL) currently yields to /usr/include/libxml2/libxml/xmlerror.h:23:45: error: invalid use of void expression 23 \| xmlSetGenericErrorFunc(NULL, (h) ? (h) : NULL) Indeed, even if h is nul, the compiler will try to give a type to (h), which can't work.
ca10c7d7	2025-07-24T18:10:25	relaxng: Added xmlRelaxNGValidCtxtClearErrors to recover from errors during streaming validation This allows to perform XML element validation skipping errors without recreating a validation context. Tested it in runsuite.c in the rngTestStreaming() method. Also added xmlRegExecClearErrors(exec) as necessary.
f92a7a50	2025-08-16T14:55:29	ci: Fix MSVC test by setting CMake generator manually Visual Studio 2017 was removed from the Windows runners, but CMake still picked it up for some reason.
18bbdb51	2025-08-16T14:36:43	dict: Rework reference counting Use C11 atomics if available. Otherwise, fall back to pthread mutex inlined in xmlDict struct or Win32 atomics. This should fix lock contention reported in #970.
24caea63	2025-08-12T13:18:46	regexp: Avoid integer overflow and OOB array access Limit size of 2D arrays to XML_MAX_ITEMS (1e9) to avoid overflow of int indexes. Fixes #950.
c4b278ec	2025-08-11T13:44:56	valid: Undeprecate xmlAdd*Decl Fixes #969.
f1e1f13b	2025-08-05T22:26:27	tree: Guard against atype corruption Always remove ids if `id` member is set. Untested, but this should fix CVE-2025-7425 reported against libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
152fbb60	2025-08-02T21:27:32	parser: Make sure to stop parser before checking max errors Short-lived regression from 7a41b18c.
149c04c0	2025-08-02T14:59:02	html: Escape < and > when serializing attributes This reverts the change in cdaf657f. Coincidentally, the HTML spec just changed to mandate the old escaping behavior: https://github.com/whatwg/html/issues/6235 Fixes #957.
3b96ec75	2025-08-02T14:12:17	doc: Document deprecated default SAX handler globals
00314882	2025-08-01T15:30:33	meson: Add -Wmissing-variable-declarations Originally clang-only, gcc supports this option since version 14. This catches errors like #961.
37bd4b28	2025-08-01T15:30:08	globals: Include HTMLparser.h, fixing Windows build Regressed with c011e760 and 85bd58ef. Fixes #961.
43f7ff0a	2025-08-01T15:27:11	tests: Make global variables static
84369160	2025-07-27T12:55:11	doc: Add another warning to XML_PARSE_DTDVALID While most parts of libxml2, including the parser, are still vulnerable to such attacks, it is unlikely that DTD validation will ever be fixed.
859899a8	2025-07-26T22:20:58	doc: Document option handling of deprecated "SAX1" functions
ab4a7f30	2025-07-23T02:22:43	doc: Document deprecated xmlBuffer members
af464de1	2025-07-23T02:20:13	io: Deprecate xmlOutputBuffer members
6c018854	2025-07-23T02:15:40	io: Deprecate xmlParserInputBuffer members
2cc77c3a	2025-07-31T15:05:55	fuzz: Stop using xmlParserInputBuffer
7deae0f8	2025-07-31T14:35:11	python: Switch to *CreateIO functions Avoid using deprecated struct members.
d1c3391e	2025-07-23T01:05:46	tests: Silence testparser Regressed with bd9d5e39.
8689523a	2025-07-22T23:57:03	parser: Implement xmlCtxtGetInputWindow See #762.
469c847f	2025-07-22T23:44:10	parser: Split out xmlParserInputGetWindow
8aaa53d7	2025-07-22T22:38:50	parser: Implement xmlCtxtGetInputPosition See #762.
144ed959	2025-07-22T22:38:05	parser: Move xmlSaturatedAdd to private header
e3daef5c	2025-07-22T22:31:02	parser: Fix xmlSaturatedAddSizeT argument type This is only used for entity size accounting. The bug only affected platforms where sizeof(long) != sizeof(size_t) and was probably harmless.
a7fc9e1a	2025-07-22T20:50:13	parser: Add more parser context accessors The only thing remaining is access to parser input, see #762.
a2562b9d	2025-07-22T12:15:37	doc: Improve documentation of error levels
7a41b18c	2025-07-22T01:08:38	parser: Remove xmlHaltParser Always halt the parser on resource limit and entity loop errors and remove the remaining calls which seem unnecessary.
cdf4c6f1	2025-07-21T22:43:57	doc: Mention XML_PARSE_NOERROR in more places
77700d3d	2025-07-21T13:00:19	doc: Mention tree API bugs in old versions
c5e7ff09	2025-07-21T12:26:36	tree: More xmlNodeParseContent cleanup - Rename to xmlNodeParseAttValue - Rework argument types - Remove wrapper function
408bd0e1	2025-07-24T11:09:29	const up allowPCData similar to htmlScriptAttributes
0a4fe2f9	2025-07-20T18:52:06	io: Fix argument type See c70d88f1 and #951.
e1174057	2025-07-20T13:05:25	tree: Don't reference recursive entities in xmlNodeParseContent Improve protection against entity cycles when using tree API.
c70d88f1	2025-07-20T13:03:59	io: Fix reading from pipes like stdin on Windows On Windows, lseek doesn't return an error on unseekable streams like pipes. Fixes #951.
8f1cc915	2025-07-18T22:43:49	CMake: Add selector to CMAKE_DL_LIBS transformation At the time of writing, on AIX, the CMAKE_DL_LIBS is set to "-lld", which presents the dependency for using dynamic loading on some old AIX versions. This ensures that resulting list of linker flags on AIX is also properly formatted (without adding additional "-l").
a3d2c177	2025-07-17T16:01:11	CMake: Fix dlopen check Systems can have dlopen symbol in various libraries. For example, on Haiku, dlopen is in 'root' library, which is linked by default. The CMAKE_DL_LIBS variable is automatically set by CMake and contains the name of the library or libraries that contain dynamic loading functionality. CMakePushCheckState checks for the symbol in isolation, so the required libraries variable can be modified.
4d69f91b	2025-07-14T17:19:01	valid: Make validation fail if warnings cause OOM error Make xmlErrValidWarning return -1 on malloc failures.
0c948334	2025-07-10T11:23:44	html: Add newline to error message
bc0bb67b	2025-07-10T11:20:22	html: Don't abort on encoding errors Always enable recovery mode when parsing HTML, so we don't raise fatal errors. Regressed with 462bf0b7. Fixes #947.
3773bb3f	2025-07-09T16:08:10	tree: Make sure that SIZE_MAX is defined
6340f392	2025-07-05T17:08:00	doc: Document HTML type aliases
bd9d5e39	2025-07-09T13:10:31	parser: Fix handling of invalid char refs in recovery mode Revert to the old behavior which handles invalid char refs more gracefully. Probably regressed with 37c6618b (version 2.13.0).
6c796b37	2025-06-22T17:46:13	doc: Misc fixes
c7a9ef1d	2025-07-04T16:20:28	doc: Document struct typedefs Unfortunately, Doxygen's TYPDEF_HIDES_STRUCT option is too broken. Document struct typedefs to make autolinks work.
71e1e8af	2025-07-04T14:28:26	schematron: Fix memory safety issues in xmlSchematronReportOutput Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) in xmlSchematronReportOutput. Fixes #931. Fixes #933.
24d7e159	2025-07-04T12:19:20	schematron: Complete fix for CVE-2025-49795 - Fix memory leaks - Fix tests
499bcb78	2025-06-21T12:11:30	Schematron: Fix null pointer dereference leading to DoS (CVE-2025-49795) Fixes #932
069bcda1	2025-06-20T23:05:00	Fix potential buffer overflows of interactive shell CVE-2025-6170 Fixes #941
c34742f3	2025-06-30T16:23:03	tests: Fix build --without-output
9553695d	2025-06-30T16:15:15	relaxng: Make xmlRelaxNGDump depend on debug option
9760a14f	2025-06-30T13:47:33	relaxng: In the simplification step also unlink notAllowed refs from choice This fixes false reports of non allowed content compared to notAllowed as tag within the choice tag.
56a767ed	2025-06-28T02:35:14	doc: Small fix
0d52684e	2025-06-28T02:34:33	parser: Don't set dict limit when setting options This is done in xmlCtxtInitializeLate.
1b737cc8	2025-06-27T19:52:54	parser: Another fix to ]]> detection in push parser The original fix for issue #850 in commit 9efe1414 was incomplete.
70dc8ca0	2025-06-27T18:54:18	xpath: Add extra info to some error messages Fixes #660.
ac5fcb0e	2025-06-25T15:24:24	relaxng: ensure thread safe global initialization Relying on a plain integer flag, with no synchronization primitives does not give thread-safe initialization. All reads & writes of the xmlSchemaTypesInitialized flag need to be protected by a mutex to ensure suitable memory barriers & thus correct ordering wrt any speculative execution. A separate internal initializer tied to xmlParserInit is used to create the mutex used for synchronization, similarly to how catalog.c works. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
80798c40	2025-06-25T15:24:24	xmlschemastypes: ensure thread safe global initialization Relying on a plain integer flag, with no synchronization primitives does not give thread-safe initialization. All reads & writes of the xmlSchemaTypesInitialized flag need to be protected by a mutex to ensure suitable memory barriers & thus correct ordering wrt any speculative execution. A separate internal initializer tied to xmlParserInit is used to create the mutex used for synchronization, similarly to how catalog.c works. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
63f98ee8	2025-06-25T14:27:37	tests: Skip functions taking va_lists in testapi.c See !325.
d4355722	2025-06-25T13:45:32	xmllint: Print document even in case of XInclude errors Keep printing the document while still reporting XInclude errors to match the old behavior.
413cdfb3	2025-06-25T12:37:37	html: Fix push parsing of doctype decls Don't set state to "content" as we might still be in "misc" or "prolog".
ad0f5d27	2025-06-24T13:02:13	tree: Fix xmlGetNodePath - Fix quadratic behavior - Don't truncate names Fixes #715.
22246f21	2025-06-23T22:49:28	schemas: Fix compilation with pre-C99 MSVC Regressed with f307237e. Fixes #944.
7cfa3a26	2025-06-22T22:52:47	reader: Remove unused member xinclude_name
6c5b5552	2025-06-22T22:49:58	debug: Remove obsolete handling of special case The "nbktext" code was removed.
24628f25	2025-06-22T22:18:36	valid: Don't store attribute defaults in dictionary In general, we should only use dicts for names and not values.
600742f0	2025-06-22T20:18:40	valid: Unconst local variable in xmlValidateElement
7c913850	2025-06-22T20:12:48	parser: Remove unnecessary dict checks when freeing strings The following strings are never allocated from a dict: - xmlParserCtxt.version - xmlParserCtxt.encoding - xmlParserCtxt.extSubURI - xmlParserCtxt.extSubSystem - xmlDoc.version - xmlDoc.encoding - xmlDoc.URL - xmlDTD.ExternalID - xmlDTD.SystemID - xmlID.value Also make the struct members point to non-const chars to avoid casts when freeing.
607708b3	2025-06-22T19:18:20	valid: Don't store ID values in document's dictionary ID values are unique. There's some potential for them to be reused as references, but storing them in the dictionary can make the dictionary grow in proportion to the document. Users like lxml replace the `ids` hash table to avoid this. It seems like a good idea to stop using the dictionary for ID values.
ea91a507	2025-06-22T16:45:49	doc: Generate documentation with Doxygen 1.14 The 1.14.0 release fixes a serious bug with autolinks. Note that the downstream tests now run on Ubuntu with libxml2 and libxslt built on Arch. This seems to work but could break at a later point. Fixes #929.
3652fc28	2025-06-22T17:09:42	doc: Fix installation with newer Doxygen Newer versions don't generate PNG files anymore. Simply use . as wildcard.
404aedbd	2025-06-22T15:46:09	doc: Improve xmllint documentation
dd2b4091	2025-06-18T13:55:37	xmllint: Add --strict-namespace option Use xmlCtxtGetStatus() after parsing. If status indicates a namespace error while the --strict-namespace option is enabled, xmllint will exit with XMLLINT_ERR_RDFILE error Fixes #698
bf26cf9d	2025-06-20T21:24:44	xmllint: Replace boolean application options with single flag member Take all of the boolean application options and create a bitmask for each of them. Then use just a single unsigned member to keep track off all of them (regardless of precompile directives)
be812e1e	2025-06-20T19:34:12	xmllint: Rename options -> parseOptions Make it more obvious the options are related to XML parsing

22f9d730

2025-10-15T15:39:43

io: Handle clashing error codes on AIX Regressed with 2c2578b6f. Fixes #999.

870c0363

2025-10-13T22:58:38

fuzz: Make fuzzy encoding match more lenient This should account for possible iconv suffixes.

367a283b

2025-10-07T01:05:03

tree: Undeprecate several struct members

3a3faaa2

2025-09-30T18:05:32

Document process to remove API functions in MAINTAINERS.md

2f62ebb3

2025-09-29T11:04:03

io: Undeprecate xmlOutputBuffer members The public API is too buggy, so direct access to struct members is required by projects like libxslt.

d87d9477

2025-09-29T10:46:47

Revert "globals: Don't export DllMain on Windows" This reverts commit bd2072f8d025e7a37d527b23b84698460c5798bf. Apparently, this change would require to recompile downstream code.

bd2072f8

2025-09-27T19:07:38

globals: Don't export DllMain on Windows This shouldn't be done and lld 21 warns about it: https://github.com/msys2/MINGW-packages/issues/17820 https://github.com/msys2/MINGW-packages/issues/25716 Regressed with f05af837.

a30a2764

2025-09-26T16:29:10

valid: Undeprecate xmlValidGetPotentialChildren Fixes #988.

c537ccf0

2025-09-25T11:29:05

Fixed compilation error on GCC versions prior to 4.5 The deprecated attribute started accepting an optional string argument in GCC version 4.5. Compiling libxml2 with GCC versions prior to that would cause compilation errors such as: ``` ./include/libxml/xmlmemory.h:134: error: wrong number of arguments specified for 'deprecated' attribute ``` Now the string argument is omitted for older versions of GCC. Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

da45a190

2025-09-19T13:39:41

parser: Fix attribute normalization and standalone check Regressed with e4cbc295.

dc307e31

2025-09-17T11:10:51

meson: Fix install dir of man pages Regressed when reworking documentation in 2.15. Fixes #985.

48df82f6

2025-09-15T13:57:12

Bump version to 2.16.0

0bea77c8

2025-09-15T13:34:13

Release v2.15.0

b9943bca

2025-09-10T18:04:57

Remove legacy win32 build system

347147b5

2025-09-08T16:02:59

Update NEWS

1763281c

2025-09-08T15:29:23

Remove LZMA support

063add1b

2025-09-08T15:14:33

parser: Always require XML_PARSE_UNZIP to enable decompression

8c107b69

2025-09-08T14:59:24

Revert "dict: Rework reference counting" This reverts commit 18bbdb51175f309aef40fa5254af34e322be7783 due to lack of feedback.

13962f82

2025-08-25T12:29:55

valid: Fix null deref in xmlValidateOneAttribute Short-lived regression from d53ba058.

e397651a

2025-08-24T20:08:17

cmake: Omit version number from cmake install dir Align with other build systems. Fixes #973.

d53ba058

2025-08-23T14:59:50

valid: Don't add ids when validating entity content The id table shouldn't reference ids in entities. The id will be created when expanding the entity. Probably regressed with d025cfbb. Note that we still register ids in entities if entities are not replaced. This is required to make IDREF checks work. Fixes #974.

56199b5c

2025-08-17T15:58:09

catalog: Prepare to make SGML catalog support optional

e2fdef45

2025-08-17T15:54:04

tests: Update testapi.c

591f19eb

2025-08-17T14:35:08

catalog: Deprecate low-level internal functions

5bd6b44d

2025-08-20T10:18:25

Fix initGenericErrorDefaultFunc(NULL) Calling initGenericErrorDefaultFunc(NULL) currently yields to /usr/include/libxml2/libxml/xmlerror.h:23:45: error: invalid use of void expression 23 | xmlSetGenericErrorFunc(NULL, (h) ? *(h) : NULL) Indeed, even if h is nul, the compiler will try to give a type to *(h), which can't work.

ca10c7d7

2025-07-24T18:10:25

relaxng: Added xmlRelaxNGValidCtxtClearErrors to recover from errors during streaming validation This allows to perform XML element validation skipping errors without recreating a validation context. Tested it in runsuite.c in the rngTestStreaming() method. Also added xmlRegExecClearErrors(exec) as necessary.

f92a7a50

2025-08-16T14:55:29

ci: Fix MSVC test by setting CMake generator manually Visual Studio 2017 was removed from the Windows runners, but CMake still picked it up for some reason.

18bbdb51

2025-08-16T14:36:43

dict: Rework reference counting Use C11 atomics if available. Otherwise, fall back to pthread mutex inlined in xmlDict struct or Win32 atomics. This should fix lock contention reported in #970.

24caea63

2025-08-12T13:18:46

regexp: Avoid integer overflow and OOB array access Limit size of 2D arrays to XML_MAX_ITEMS (1e9) to avoid overflow of int indexes. Fixes #950.

c4b278ec

2025-08-11T13:44:56

valid: Undeprecate xmlAdd*Decl Fixes #969.

f1e1f13b

2025-08-05T22:26:27

tree: Guard against atype corruption Always remove ids if `id` member is set. Untested, but this should fix CVE-2025-7425 reported against libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

152fbb60

2025-08-02T21:27:32

parser: Make sure to stop parser before checking max errors Short-lived regression from 7a41b18c.

149c04c0

2025-08-02T14:59:02

html: Escape < and > when serializing attributes This reverts the change in cdaf657f. Coincidentally, the HTML spec just changed to mandate the old escaping behavior: https://github.com/whatwg/html/issues/6235 Fixes #957.

3b96ec75

2025-08-02T14:12:17

doc: Document deprecated default SAX handler globals

00314882

2025-08-01T15:30:33

meson: Add -Wmissing-variable-declarations Originally clang-only, gcc supports this option since version 14. This catches errors like #961.

37bd4b28

2025-08-01T15:30:08

globals: Include HTMLparser.h, fixing Windows build Regressed with c011e760 and 85bd58ef. Fixes #961.

43f7ff0a

2025-08-01T15:27:11

tests: Make global variables static

84369160

2025-07-27T12:55:11

doc: Add another warning to XML_PARSE_DTDVALID While most parts of libxml2, including the parser, are still vulnerable to such attacks, it is unlikely that DTD validation will ever be fixed.

859899a8

2025-07-26T22:20:58

doc: Document option handling of deprecated "SAX1" functions

ab4a7f30

2025-07-23T02:22:43

doc: Document deprecated xmlBuffer members

af464de1

2025-07-23T02:20:13

io: Deprecate xmlOutputBuffer members

6c018854

2025-07-23T02:15:40

io: Deprecate xmlParserInputBuffer members

2cc77c3a

2025-07-31T15:05:55

fuzz: Stop using xmlParserInputBuffer

7deae0f8

2025-07-31T14:35:11

python: Switch to *CreateIO functions Avoid using deprecated struct members.

d1c3391e

2025-07-23T01:05:46

tests: Silence testparser Regressed with bd9d5e39.

8689523a

2025-07-22T23:57:03

parser: Implement xmlCtxtGetInputWindow See #762.

469c847f

2025-07-22T23:44:10

parser: Split out xmlParserInputGetWindow

8aaa53d7

2025-07-22T22:38:50

parser: Implement xmlCtxtGetInputPosition See #762.

144ed959

2025-07-22T22:38:05

parser: Move xmlSaturatedAdd to private header

e3daef5c

2025-07-22T22:31:02

parser: Fix xmlSaturatedAddSizeT argument type This is only used for entity size accounting. The bug only affected platforms where sizeof(long) != sizeof(size_t) and was probably harmless.

a7fc9e1a

2025-07-22T20:50:13

parser: Add more parser context accessors The only thing remaining is access to parser input, see #762.

a2562b9d

2025-07-22T12:15:37

doc: Improve documentation of error levels

7a41b18c

2025-07-22T01:08:38

parser: Remove xmlHaltParser Always halt the parser on resource limit and entity loop errors and remove the remaining calls which seem unnecessary.

cdf4c6f1

2025-07-21T22:43:57

doc: Mention XML_PARSE_NOERROR in more places

77700d3d

2025-07-21T13:00:19

doc: Mention tree API bugs in old versions

c5e7ff09

2025-07-21T12:26:36

tree: More xmlNodeParseContent cleanup - Rename to xmlNodeParseAttValue - Rework argument types - Remove wrapper function

408bd0e1

2025-07-24T11:09:29

const up allowPCData similar to htmlScriptAttributes

0a4fe2f9

2025-07-20T18:52:06

io: Fix argument type See c70d88f1 and #951.

e1174057

2025-07-20T13:05:25

tree: Don't reference recursive entities in xmlNodeParseContent Improve protection against entity cycles when using tree API.

c70d88f1

2025-07-20T13:03:59

io: Fix reading from pipes like stdin on Windows On Windows, lseek doesn't return an error on unseekable streams like pipes. Fixes #951.

8f1cc915

2025-07-18T22:43:49

CMake: Add selector to CMAKE_DL_LIBS transformation At the time of writing, on AIX, the CMAKE_DL_LIBS is set to "-lld", which presents the dependency for using dynamic loading on some old AIX versions. This ensures that resulting list of linker flags on AIX is also properly formatted (without adding additional "-l").

a3d2c177

2025-07-17T16:01:11

CMake: Fix dlopen check Systems can have dlopen symbol in various libraries. For example, on Haiku, dlopen is in 'root' library, which is linked by default. The CMAKE_DL_LIBS variable is automatically set by CMake and contains the name of the library or libraries that contain dynamic loading functionality. CMakePushCheckState checks for the symbol in isolation, so the required libraries variable can be modified.

4d69f91b

2025-07-14T17:19:01

valid: Make validation fail if warnings cause OOM error Make xmlErrValidWarning return -1 on malloc failures.

0c948334

2025-07-10T11:23:44

html: Add newline to error message

bc0bb67b

2025-07-10T11:20:22

html: Don't abort on encoding errors Always enable recovery mode when parsing HTML, so we don't raise fatal errors. Regressed with 462bf0b7. Fixes #947.

3773bb3f

2025-07-09T16:08:10

tree: Make sure that SIZE_MAX is defined

6340f392

2025-07-05T17:08:00

doc: Document HTML type aliases

bd9d5e39

2025-07-09T13:10:31

parser: Fix handling of invalid char refs in recovery mode Revert to the old behavior which handles invalid char refs more gracefully. Probably regressed with 37c6618b (version 2.13.0).

6c796b37

2025-06-22T17:46:13

doc: Misc fixes

c7a9ef1d

2025-07-04T16:20:28

doc: Document struct typedefs Unfortunately, Doxygen's TYPDEF_HIDES_STRUCT option is too broken. Document struct typedefs to make autolinks work.

71e1e8af

2025-07-04T14:28:26

schematron: Fix memory safety issues in xmlSchematronReportOutput Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) in xmlSchematronReportOutput. Fixes #931. Fixes #933.

24d7e159

2025-07-04T12:19:20

schematron: Complete fix for CVE-2025-49795 - Fix memory leaks - Fix tests

499bcb78

2025-06-21T12:11:30

Schematron: Fix null pointer dereference leading to DoS (CVE-2025-49795) Fixes #932

069bcda1

2025-06-20T23:05:00

Fix potential buffer overflows of interactive shell CVE-2025-6170 Fixes #941

c34742f3

2025-06-30T16:23:03

tests: Fix build --without-output

9553695d

2025-06-30T16:15:15

relaxng: Make xmlRelaxNGDump depend on debug option

9760a14f

2025-06-30T13:47:33

relaxng: In the simplification step also unlink notAllowed refs from choice This fixes false reports of non allowed content compared to notAllowed as tag within the choice tag.

56a767ed

2025-06-28T02:35:14

doc: Small fix

0d52684e

2025-06-28T02:34:33

parser: Don't set dict limit when setting options This is done in xmlCtxtInitializeLate.

1b737cc8

2025-06-27T19:52:54

parser: Another fix to ]]> detection in push parser The original fix for issue #850 in commit 9efe1414 was incomplete.

70dc8ca0

2025-06-27T18:54:18

xpath: Add extra info to some error messages Fixes #660.

ac5fcb0e

2025-06-25T15:24:24

relaxng: ensure thread safe global initialization Relying on a plain integer flag, with no synchronization primitives does not give thread-safe initialization. All reads & writes of the xmlSchemaTypesInitialized flag need to be protected by a mutex to ensure suitable memory barriers & thus correct ordering wrt any speculative execution. A separate internal initializer tied to xmlParserInit is used to create the mutex used for synchronization, similarly to how catalog.c works. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

80798c40

2025-06-25T15:24:24

xmlschemastypes: ensure thread safe global initialization Relying on a plain integer flag, with no synchronization primitives does not give thread-safe initialization. All reads & writes of the xmlSchemaTypesInitialized flag need to be protected by a mutex to ensure suitable memory barriers & thus correct ordering wrt any speculative execution. A separate internal initializer tied to xmlParserInit is used to create the mutex used for synchronization, similarly to how catalog.c works. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

63f98ee8

2025-06-25T14:27:37

tests: Skip functions taking va_lists in testapi.c See !325.

d4355722

2025-06-25T13:45:32

xmllint: Print document even in case of XInclude errors Keep printing the document while still reporting XInclude errors to match the old behavior.

413cdfb3

2025-06-25T12:37:37

html: Fix push parsing of doctype decls Don't set state to "content" as we might still be in "misc" or "prolog".

ad0f5d27

2025-06-24T13:02:13

tree: Fix xmlGetNodePath - Fix quadratic behavior - Don't truncate names Fixes #715.

22246f21

2025-06-23T22:49:28

schemas: Fix compilation with pre-C99 MSVC Regressed with f307237e. Fixes #944.

7cfa3a26

2025-06-22T22:52:47

reader: Remove unused member xinclude_name

6c5b5552

2025-06-22T22:49:58

debug: Remove obsolete handling of special case The "nbktext" code was removed.

24628f25

2025-06-22T22:18:36

valid: Don't store attribute defaults in dictionary In general, we should only use dicts for names and not values.

600742f0

2025-06-22T20:18:40

valid: Unconst local variable in xmlValidateElement

7c913850

2025-06-22T20:12:48

parser: Remove unnecessary dict checks when freeing strings The following strings are never allocated from a dict: - xmlParserCtxt.version - xmlParserCtxt.encoding - xmlParserCtxt.extSubURI - xmlParserCtxt.extSubSystem - xmlDoc.version - xmlDoc.encoding - xmlDoc.URL - xmlDTD.ExternalID - xmlDTD.SystemID - xmlID.value Also make the struct members point to non-const chars to avoid casts when freeing.

607708b3

2025-06-22T19:18:20

valid: Don't store ID values in document's dictionary ID values are unique. There's some potential for them to be reused as references, but storing them in the dictionary can make the dictionary grow in proportion to the document. Users like lxml replace the `ids` hash table to avoid this. It seems like a good idea to stop using the dictionary for ID values.

ea91a507

2025-06-22T16:45:49

doc: Generate documentation with Doxygen 1.14 The 1.14.0 release fixes a serious bug with autolinks. Note that the downstream tests now run on Ubuntu with libxml2 and libxslt built on Arch. This seems to work but could break at a later point. Fixes #929.

3652fc28

2025-06-22T17:09:42

doc: Fix installation with newer Doxygen Newer versions don't generate PNG files anymore. Simply use *.* as wildcard.

404aedbd

2025-06-22T15:46:09

doc: Improve xmllint documentation

dd2b4091

2025-06-18T13:55:37

xmllint: Add --strict-namespace option Use xmlCtxtGetStatus() after parsing. If status indicates a namespace error while the --strict-namespace option is enabled, xmllint will exit with XMLLINT_ERR_RDFILE error Fixes #698

bf26cf9d

2025-06-20T21:24:44

xmllint: Replace boolean application options with single flag member Take all of the boolean application options and create a bitmask for each of them. Then use just a single unsigned member to keep track off all of them (regardless of precompile directives)

be812e1e

2025-06-20T19:34:12

xmllint: Rename options -> parseOptions Make it more obvious the options are related to XML parsing

kc3-lang/libxml2

Log