| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Fix a null pointer dereference when parsing (invalid) XML schemas.
Thanks to Robby Simpson for the report!
Fixes #491.
|
|
|
|
|
|
|
|
|
| |
In commit 21ca8829, we started to ignore namespaces in HTML element
names but we still called xmlSplitQName, effectively stripping the
namespace prefix. This would cause elements like <o:p> being parsed
as <p>. Now we leave the name untouched.
Fixes #508.
|
|
|
|
|
|
|
| |
- Lower the amount of expansion which is always allowed from
10MB to 1MB.
- Lower the maximum amplification factor from 10 to 5.
- Lower the "fixed cost" from 50 to 20.
|
|
|
|
|
|
|
|
| |
Also make text inclusions work with memory buffers, for example when
using a custom entity loader, and fix a memory leak in case of invalid
characters.
Fixes #483.
|
|
|
|
| |
Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81
|
|
|
|
|
|
|
|
|
| |
Don't set the "checked" flag when checking entities in default attribute
values. These entities could reference other entities which weren't
defined yet, so the check isn't reliable.
This fixes a short-lived regression which could lead to a call stack
overflow later in xmlStringGetNodeList.
|
| |
|
| |
|
|
|
|
| |
Add test cases for external general and parameter entities.
|
|
|
|
| |
Add test case contributed by Sebastian Pipping for CVE-2021-3541.
|
| |
|
|
|
|
|
|
|
|
| |
Allow port number without host, real fix for #71.
Also compare port numbers in xmlBuildRelativeURI.
Fix handling of port numbers in xmlUriEscape.
|
|
|
|
|
|
| |
This has caused issues with the Python bindings for a long time.
Should fix #64.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using xmlreader, XPointer expressions in XIncludes simply cannot
work. Expressions can reference nodes which weren't parsed yet or which
were already deleted.
After fixing nested XIncludes, we reference includes which were parsed
previously. When streaming, these nodes could have been deleted, leading
to use-after-free errors.
Disallow XPointer expressions and truncate the include table in
streaming mode.
|
|
|
|
|
|
|
|
|
|
|
| |
Don't create subcontext in xmlXIncludeRecurseDoc. Save and restore 'doc'
and 'incTab' instead.
Make xmlXIncludeLoadFallback call xmlXIncludeCopyNode which seems safer
than xmlXIncludeDoProcess since the latter may modify the document.
This should also be more performant since we need to copy the whole
fallback subtree anyway. Also make sure to avoid replacements in
fallback elements in xmlXIncludeDoProcess.
|
|
|
|
| |
This avoids call stack overflows.
|
| |
|
|
|
|
|
|
| |
This should make nested includes work reliably.
Fixes #424.
|
|
|
|
|
|
| |
The reader interface with XIncludes is somewhat broken and can generate
different error messages. Start to move tests which are sketchy with
reader to a separate directory.
|
|
|
|
|
|
|
| |
This reverts commit 7f04e297318b1b908cec20711f74f75625afed7f which
caused memory errors.
See #424.
|
|
|
|
|
|
| |
This reverts commits 74dcc10b and 87d20b55.
Fixes #424.
|
|
|
|
| |
Found by OSS-Fuzz.
|
|
|
|
|
|
|
|
| |
Commit 4fd69f3e fixed handling of '<' characters not followed by an
ASCII letter. But a '<!' sequence followed by invalid characters should
be treated as bogus comment and skipped.
Fixes #380.
|
|
|
|
| |
Fixes #370.
|
|
|
|
| |
See https://www.w3.org/2005/04/xpointer-schemes/
|
|
|
|
|
|
|
|
|
| |
Commit 7618a3b1 didn't account for coalesced text nodes.
I think it would be better if xmlStaticCopyNode didn't try to coalesce
text nodes at all. This code path can only be triggered if some other
code doesn't coalesce text nodes properly. In this case, OSS-Fuzz found
such behavior in xinclude.c.
|
|
|
|
|
|
| |
Simplify the code and fix a potential memory leak.
Fixes #343.
|
|
|
|
|
|
|
| |
Compare the included URL with the document's URL to detect local
inclusions.
Fixes #348.
|
|
|
|
|
| |
These establish baseline behavior so that the subsequent commit is
clear about the behavior it will modify.
|
|
|
|
|
|
|
|
|
|
| |
XSD validation fails when some atomic types contain surrounding whitespace
even though XML Schema Part 2: Datatypes Second Edition, section 4.3.6
says they should be collapsed. Fix this.
(I am not sure whether the test is correct.)
Issue: #278
|
|
|
|
|
|
|
|
|
| |
Fix regex transitions that have both min/max and a counter. In this
case, we want to save the regex state before incrementing the counter.
Fixes #301 and the issue reported here:
https://mail.gnome.org/archives/xml/2016-April/msg00017.html
|
|
|
|
|
|
|
| |
Make sure to add counted exit transitions before other counter
transitions. Otherwise, we won't backtrack correctly.
Fixes #65.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Downgrade the error message to a warning since the error was ignored,
anyway. Also print the name of redeclared entity. For a proper fix that
also shows filename and line number of the invalid redeclaration, we'd
have to
- pass the parser context to the entity functions somehow, or
- make these functions return distinct error codes.
Partial fix for #308.
|
|
|
|
| |
Fixes #151.
|
|
|
|
|
|
|
|
| |
Namespace URIs should be compared without escaping or unescaping:
https://www.w3.org/TR/REC-xml-names/#NSNameComparison
Fixes #289.
|
|
|
|
|
|
| |
An empty namespace means no default namespace.
Fixes #303.
|
|
|
|
|
|
| |
Switch to version 1.2 which has a clearer license.
Fixes #291.
|
|
|
|
|
|
|
| |
Fix a regression introduced with commit a28f7d87. In some cases,
parameter entity references in external DTDs wouldn't be expanded.
Fixes #306.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes the logic in UTF16BEToUTF8() match UTF16LEToUTF8().
* encoding.c:
(UTF16LEToUTF8):
- Fix comment to describe what the code does.
(UTF16BEToUTF8):
- Fix undefined behavior which was applied to UTF16LEToUTF8() in
2f9382033e.
- Add bounds check to while() loop which was applied to
UTF16LEToUTF8() in be803967db.
- Do not return -2 when (in >= inend) to fix the bug. This was
applied to UTF16LEToUTF8() in 496a1cf592.
- Inline (<< 8) statements to match UTF16LEToUTF8().
Add the following tests and results:
test/text-4-byte-UTF-16-BE-offset.xml
test/text-4-byte-UTF-16-BE.xml
test/text-4-byte-UTF-16-LE-offset.xml
test/text-4-byte-UTF-16-LE.xml
|
|
|
|
|
|
|
| |
Fix regression introduced when reworking htmlParsePubidLiteral in
commit 93ce33c2.
Fixes #318.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement section "4.6 Predefined Entities" of the XML 1.0 spec and
check whether redeclarations of predefined entities match the original
definitions.
Note that some test cases declared
<!ENTITY lt "<">
But the XML spec clearly states that this is illegal:
> If the entities lt or amp are declared, they MUST be declared as
> internal entities whose replacement text is a character reference to
> the respective character (less-than sign or ampersand) being escaped;
> the double escaping is REQUIRED for these entities so that references
> to them produce a well-formed result.
Also fixes #217 but the connection is only tangential. The integer
overflow discovered by fuzzing was more related to the fact that various
parts of the parser disagreed on whether to prefer predefined entities
over their redeclarations. The whole situation is a mess and even
depends on legacy parser options. But now that redeclarations are
validated, it shouldn't make a difference.
As noted in the added comment, this is also one of the cases where
overly defensive checks can hide interesting logic bugs from fuzzers.
|
|
|
|
|
| |
this establishes the baseline behavior so that subsequent commits
which modify this behavior are clear about what's being changed.
|
|
|
|
|
|
| |
The code wasn't dead after all, but I can see no reason in delaying
the XPointer evaluation. This could lead to nodes included earlier
appearing in XPointer results.
|
|
|
|
|
| |
xi:fallback could become empty after recursive expansion. Use a flag
to track whether nodes should be skipped.
|
|
|
|
|
|
|
|
|
| |
When creating XML_XINCLUDE_START nodes, the children of the original
xi:include node must be freed, otherwise fallback content is copied
twice, doubling runtime and memory consumption for each nested
xi:fallback/xi:include pair.
Found with libFuzzer.
|
|
|
|
|
|
|
| |
Otherwise, nested xi:include nodes might result in a use-after-free
if XML_PARSE_NOXINCNODE is specified.
Found with libFuzzer and ASan.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
<https://bugzilla.gnome.org/show_bug.cgi?id=757711>
- Bug 783015 - Integer-overflow in xmlFAParseQuantExact
<https://bugzilla.gnome.org/show_bug.cgi?id=783015>
(Regexptests): Add support for checking stderr output when
running regexp tests. This makes it possible to check in test
cases that fail and not see false-positive error output when
running the tests. Unlike other libxml2 test suites, if there
is no stderr output, no *.err file needs to be created.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit eeb99329 removed an important optimization avoiding quadratic
runtime when repeatedly scanning the input buffer for terminating
characters in the HTML push parser. The related bug is
https://bugzilla.gnome.org/show_bug.cgi?id=444994
Make sure that ctxt->checkIndex is always written and store additional
parser state in ctxt->inSubset which is unused in the HTML parser.
Found by OSS-Fuzz.
|