Commit message | Author | Age | Files | Lines

Revert another change from commit 98840d40.
Decode the whole buffer when reading from memory and switching to the
initial encoding. Add some comments about potential improvements.

Revert some changes from commit 98840d40.
WebKit/Chromium can actually switch from ISO-8859-1 to UTF-16 in the
middle of parsing. This is a bad idea, but we have to keep supporting
this use case.

This should fix a short-lived regression when push parsing with
encodings.

Avoids buffer overread in htmlParseHTMLAttribute.
Found by OSS-Fuzz.

Short-lived regression found by OSS-Fuzz.

Make more bytes available after invoking CUR_CHAR or NEXT.

To detect EBCDIC code pages, we used to switch the encoding twice and
had to be very careful not to decode data after the XML declaration
before the second switch. This relied on a hard-coded expected size of
the XML declaration and was complicated and unreliable.
Now we convert the first 200 bytes to EBCDIC-US and parse the encoding
declaration manually.

Don't try to grow the input buffer in xmlParserShrink. This makes sure
that no memory allocations are made and the function always succeeds.
Remove unnecessary invocations of SHRINK. Invoke SHRINK at the end of
DTD parsing loops.
Shrink before growing.

xmlHaltParser must be called after reporting an error. Switch to
xmlBufSetInputBaseCur.

Found by OSS-Fuzz, see #344.

Fix 3eb6bf03. We really have to halt the parser, so the input buffer
gets reset.

Introduce xmlParserShrink which takes a parser context to simplify error
handling.

Found by OSS-Fuzz.

Introduce xmlParserGrow which takes a parser context to simplify error
handling.

Also add some error checks.
Found with libFuzzer, see #344.

Applies a patch from Chromium. Also stop incrementing input ID of
subcontexts. This isn't necessary.
Fixes #465.

This was only used in the old version of xmlParserEntityCheck.

This commit implements robust detection of entity amplification attacks,
better known as the "billion laughs" attack.
We now limit the size of the document after substitution of entities to
10 times the size before expansion. This guarantees linear behavior by
definition. There already was a similar check before, but the accounting
of "sizeentities" (size of external entities) and "sizeentcopy" (size of
all copies created by entity references) wasn't accurate.
We also need saturation arithmetic since we're historically limited to
"unsigned long" which is 32-bit on many platforms.
A maximum of 10 MB of substitutions is always allowed. This should make
use cases like DITA work which have caused problems in the past.
The old checks based on the number of entities were removed. This is
accounted for by adding a fixed cost to each entity reference.
Entity amplification checks are now enabled even if XML_PARSE_HUGE is
set. This option is mainly used to allow larger text nodes. Most users
were unaware that it also disabled entity expansion checks.
Some of the limits might be adjusted later. If this change turns out to
affect legitimate use cases, we can add a separate parser option to
disable the checks.
Fixes #294.
Fixes #345.

Skip over zero bytes to guarantee progress. Short-lived regression.

There are still many places where arithmetic on "consumed" stats isn't
checked for overflow, affecting platforms with a 32-bit long type.

No functional change.

In some cases, for example when using encoders, the read callback was
set to NULL, in other cases it was set to xmlInputReadCallbackNop.
xmlGROW only tested for xmlInputReadCallbackNop, resulting in errors
when parsing large encoded content from memory.
Always use a NULL callback for memory buffers to avoid ambiguities.
Fixes #262.

Remove explicit integer casts as final operation
- in assignments
- when passing arguments
- when returning values
Remove casts
- to the same type
- from certain range-bound values
The main motivation is that these explicit casts don't change the result
of operations and only render UBSan's implicit-conversion checks
useless. Removing these casts allows UBSan to detect cases where
truncation or sign-changes occur unexpectedly.
Document some explicit casts as truncating and add a few missing ones.

Also improve documentation.

Private functions were previously declared
- in header files in the root directory
- in public headers guarded with IN_LIBXML
- in libxml.h
- redundantly in source files that used them.
Consolidate all private header files in include/private.

No compiler warnings generated yet.

Add API functions to create a parser context with a custom SAX handler
without having to mess with ctxt->sax manually.

xmlStrlen handles buffers larger than INT_MAX more gracefully.

Create an input stream with a buffer in xmlNewStringInputStream.
Otherwise, switching encodings won't work.
See #34.

- Remove xmlSwitchToEncodingInt which was basically just a wrapper
around xmlSwitchInputEncodingInt.
- Simplify xmlSwitchEncoding.
- Improve error handling in xmlSwitchInputEncodingInt.
- Deprecate xmlSwitchInputEncoding.

Only use xmlInitParser/xmlCleanupParser.

Don't check for
- ctype.h
- errno.h
- float.h
- limits.h
- math.h
- signal.h
- stdarg.h
- stdlib.h
- string.h
- time.h
Stop including non-standard headers
- malloc.h
- strings.h

From what I can tell, some really early Cygwin versions from around
1998-2000 used to erroneously define _WIN32. This was eventually fixed,
but these days, the `defined(_WIN32) && !defined(__CYGWIN__)` idiom is
unnecessary.
Now, we only check for __CYGWIN__ in xmlexports.h when deciding whether
to use __declspec.

The same optimization can be enabled with -fno-semantic-interposition
since GCC 5. clang has always used this option by default.

Use a bitmask instead of magic values to
- keep track whether the validation context is part of a parser context
- keep track whether xmlValidateDtdFinal was called
This allows adding additional flags later.
Note that this deliberately changes the name of a public struct member,
assuming that this was always private data never to be used by client
code.

Found by Coverity.
https://bugzilla.redhat.com/show_bug.cgi?id=1938806

Under certain circumstances, the HTML parser would try to guess and
switch input encodings multiple times, leading to slow processing of
documents with encoding errors. The repeated scanning of the input
buffer when guessing encodings could even lead to quadratic behavior.
The code in htmlCurrentChar probably assumed that if there's an encoding
handler, it is guaranteed to produce valid UTF-8. This holds true in
general, but if the detected encoding was "UTF-8", the UTF8ToUTF8
encoding handler simply invoked memcpy without checking for invalid
UTF-8. This still must be fixed, preferably by not using this handler
at all.
Also leave a note that switching encodings twice seems impossible to
implement correctly. Add a check when handling UTF-8 encoding errors
in htmlCurrentChar to avoid this situation, even if encoders produce
invalid UTF-8.
Found by OSS-Fuzz.

The value was inaccurate and never used.

Resolves #133.

Closes #109.

Found by OSS-Fuzz.

This reverts commit 6e6ae5daa6cd9640c9a83c1070896273e9b30d14 which
broke decoding of larger documents with ICU.
See https://bugs.chromium.org/p/chromium/issues/detail?id=820163