path: root/test
Commit message (author, date; files changed, -lines removed/+lines added)

* [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (Nick Wellnhofer, 2023-04-11; 2 files, -0/+19)
  Fix a null pointer dereference when parsing (invalid) XML schemas. Thanks to Robby Simpson for the report! Fixes #491.

* SAX2: Ignore namespaces in HTML documents (Nick Wellnhofer, 2023-03-31; 1 file, -0/+5)
  In commit 21ca8829, we started to ignore namespaces in HTML element names but we still called xmlSplitQName, effectively stripping the namespace prefix. This would cause elements like <o:p> to be parsed as <p>. Now we leave the name untouched. Fixes #508.

* parser: Tighten expansion limits (Nick Wellnhofer, 2023-03-08; 2 files, -486/+0)
  - Lower the amount of expansion which is always allowed from 10MB to 1MB.
  - Lower the maximum amplification factor from 10 to 5.
  - Lower the "fixed cost" from 50 to 20.
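The three numbers above are easier to reason about when the rule they feed is visible. The C program below is an added example, not libxml2's parser.c: it walks a constructed entity table, charges the 20-byte fixed cost on every reference on top of the replacement text, and rejects the document when the copied size exceeds the 1 MB allowance and is also more than 5 times the input consumed. That two-part condition is my reading of how the parser combines the limits, not a quotation of its code; the entity table, the document bodies and the input-size estimate are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The limits from the commit message, at their new values. */
#define ALLOWED_EXPANSION 1000000ULL  /* expansion always allowed (1 MB) */
#define NON_LINEAR        5ULL        /* maximum amplification factor    */
#define ENT_FIXED_COST    20ULL       /* charged per entity reference    */

struct entity { const char *name; const char *text; };

static const struct entity *find_entity(const struct entity *tab, size_t n,
                                        const char *name, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(tab[i].name) == len && memcmp(tab[i].name, name, len) == 0)
            return &tab[i];
    return NULL;
}

/* Bytes produced by fully expanding `text`, charging ENT_FIXED_COST on top
 * of the replacement for every entity reference.  Unknown references count
 * as literal text.  A cyclic table hits the depth guard and yields
 * ULLONG_MAX, which the caller rejects. */
unsigned long long expansion_cost(const struct entity *tab, size_t n,
                                  const char *text, int depth)
{
    unsigned long long total = 0;
    const char *p = text;

    if (depth > 64)
        return ULLONG_MAX;
    while (*p != '\0') {
        if (*p == '&') {
            const char *end = strchr(p, ';');
            const struct entity *e = (end != NULL)
                ? find_entity(tab, n, p + 1, (size_t)(end - p - 1)) : NULL;
            if (e != NULL) {
                unsigned long long sub = expansion_cost(tab, n, e->text, depth + 1);
                if (sub == ULLONG_MAX)
                    return ULLONG_MAX;
                total += ENT_FIXED_COST + sub;
                p = end + 1;
                continue;
            }
        }
        total++;
        p++;
    }
    return total;
}

/* Input bytes the parser would have read: one "<!ENTITY name \"text\">\n"
 * declaration per table entry (14 bytes of syntax each) plus the body. */
unsigned long long input_size(const struct entity *tab, size_t n, const char *body)
{
    unsigned long long size = strlen(body);
    for (size_t i = 0; i < n; i++)
        size += 14 + strlen(tab[i].name) + strlen(tab[i].text);
    return size;
}

/* The two-part rule: a small absolute expansion is always fine; beyond
 * that, output may not exceed NON_LINEAR times the input consumed. */
int expansion_rejected(unsigned long long copied, unsigned long long consumed)
{
    return copied > ALLOWED_EXPANSION && copied / NON_LINEAR > consumed;
}

int document_rejected(const struct entity *tab, size_t n, const char *body)
{
    return expansion_rejected(expansion_cost(tab, n, body, 0),
                              input_size(tab, n, body));
}

/* Constructed sample: a five-level "billion laughs" table. */
static const struct entity lol_ents[] = {
    { "lol",  "lol" },
    { "lol1", "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;" },
    { "lol2", "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;" },
    { "lol3", "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;" },
    { "lol4", "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;" },
    { "lol5", "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;" },
};
#define LOL_N (sizeof lol_ents / sizeof lol_ents[0])

/* Constructed sample: ordinary boilerplate reused a few times. */
static const struct entity boiler_ents[] = {
    { "legal", "This document is provided as is, without warranty of any kind." },
};

int lol_rejected(void) { return document_rejected(lol_ents, LOL_N, "<a>&lol5;</a>"); }

int boilerplate_rejected(void)
{
    return document_rejected(boiler_ents, 1, "<a>&legal;&legal;&legal;&legal;&legal;</a>");
}

int main(void)
{
    printf("lol5: %llu bytes out of %llu bytes in -> %s\n",
           expansion_cost(lol_ents, LOL_N, "<a>&lol5;</a>", 0),
           input_size(lol_ents, LOL_N, "<a>&lol5;</a>"),
           lol_rejected() ? "rejected" : "allowed");
    printf("boilerplate: %s\n", boilerplate_rejected() ? "rejected" : "allowed");
    return 0;
}
```

The boilerplate document copies well under 1 MB and passes on the absolute allowance alone; the five-level table copies about 2.5 MB from roughly 400 bytes of declarations and fails the amplification test.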
* xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt (Nick Wellnhofer, 2023-02-14; 2 files, -0/+4)
  Also make text inclusions work with memory buffers, for example when using a custom entity loader, and fix a memory leak in case of invalid characters. Fixes #483.

* xpath: number('-') should return NaN (Nick Wellnhofer, 2023-01-18; 1 file, -0/+1)
  Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81

* parser: Fix entity check in attributes (Nick Wellnhofer, 2023-01-17; 1 file, -0/+6)
  Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable. This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.

* testrecurse: Test parameter entity accounting (Nick Wellnhofer, 2022-12-21; 4 files, -0/+8)

* testrecurse: Add external entities to huge test (Nick Wellnhofer, 2022-12-21; 3 files, -0/+3)

* testrecurse: Add test cases for external entities (Nick Wellnhofer, 2022-12-21; 12 files, -0/+63)
  Add test cases for external general and parameter entities.

* testrecurse: Add lol_param.xml (Nick Wellnhofer, 2022-12-21; 1 file, -0/+63)
  Add test case contributed by Sebastian Pipping for CVE-2021-3541.

* testrecurse: Rename test files (Nick Wellnhofer, 2022-12-21; 10 files, -21/+5)

* uri: Fix handling of port numbers (Nick Wellnhofer, 2022-12-13; 3 files, -0/+6)
  Allow port number without host, real fix for #71. Also compare port numbers in xmlBuildRelativeURI. Fix handling of port numbers in xmlUriEscape.

* error: Make sure that error messages are valid UTF-8 (Nick Wellnhofer, 2022-12-04; 2 files, -0/+2)
  This has caused issues with the Python bindings for a long time. Should fix #64.

* test: Add test for push parser boundaries (Nick Wellnhofer, 2022-11-20; 1 file, -0/+16)

* xinclude: Always allow XPtr expressions in external documents (Nick Wellnhofer, 2022-10-31; 5 files, -0/+0)

* xinclude: Implement "streaming" mode (Nick Wellnhofer, 2022-10-30; 5 files, -0/+0)
  When using xmlreader, XPointer expressions in XIncludes simply cannot work. Expressions can reference nodes which weren't parsed yet or which were already deleted. After fixing nested XIncludes, we reference includes which were parsed previously. When streaming, these nodes could have been deleted, leading to use-after-free errors. Disallow XPointer expressions and truncate the include table in streaming mode.

* xinclude: Avoid creation of subcontexts (Nick Wellnhofer, 2022-10-25; 1 file, -0/+12)
  Don't create subcontext in xmlXIncludeRecurseDoc. Save and restore 'doc' and 'incTab' instead. Make xmlXIncludeLoadFallback call xmlXIncludeCopyNode which seems safer than xmlXIncludeDoProcess since the latter may modify the document. This should also be more performant since we need to copy the whole fallback subtree anyway. Also make sure to avoid replacements in fallback elements in xmlXIncludeDoProcess.

* xinclude: Limit recursion depth (Nick Wellnhofer, 2022-10-23; 1 file, -0/+104)
  This avoids call stack overflows.

* xinclude: Test for inclusion loops (Nick Wellnhofer, 2022-10-23; 1 file, -0/+4)

* xinclude: Expand includes in xmlXIncludeCopyNode (Nick Wellnhofer, 2022-10-23; 2 files, -0/+10)
  This should make nested includes work reliably. Fixes #424.

* xinclude: Also test error messages (Nick Wellnhofer, 2022-10-23; 1 file, -0/+0)
  The reader interface with XIncludes is somewhat broken and can generate different error messages. Start to move tests which are sketchy with reader to a separate directory.

* Revert "xinclude: Fix regression with nested includes" (Nick Wellnhofer, 2022-10-21; 1 file, -5/+0)
  This reverts commit 7f04e297318b1b908cec20711f74f75625afed7f which caused memory errors. See #424.

* xinclude: Fix regression with nested includes (Nick Wellnhofer, 2022-10-18; 1 file, -0/+5)
  This reverts commits 74dcc10b and 87d20b55. Fixes #424.

* schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (Nick Wellnhofer, 2022-09-13; 2 files, -0/+5)
  Found by OSS-Fuzz.

* Skip incorrectly opened HTML comments (Nick Wellnhofer, 2022-08-02; 1 file, -0/+5)
  Commit 4fd69f3e fixed handling of '<' characters not followed by an ASCII letter. But a '<!' sequence followed by invalid characters should be treated as bogus comment and skipped. Fixes #380.

* Fix parsing of subtracted regex character classes (Nick Wellnhofer, 2022-04-23; 1 file, -0/+3)
  Fixes #370.

* Implement xpath1() XPointer scheme (Nick Wellnhofer, 2022-04-21; 7 files, -0/+12)
  See https://www.w3.org/2005/04/xpointer-schemes/

* Fix short-lived regression in xmlStaticCopyNode (Nick Wellnhofer, 2022-04-10; 2 files, -0/+9)
  Commit 7618a3b1 didn't account for coalesced text nodes. I think it would be better if xmlStaticCopyNode didn't try to coalesce text nodes at all. This code path can only be triggered if some other code doesn't coalesce text nodes properly. In this case, OSS-Fuzz found such behavior in xinclude.c.

* Normalize XPath strings in-place (Nick Wellnhofer, 2022-03-05; 1 file, -0/+8)
  Simplify the code and fix a potential memory leak. Fixes #343.

* Fix recursion check in xinclude.c (Nick Wellnhofer, 2022-03-02; 1 file, -0/+10)
  Compare the included URL with the document's URL to detect local inclusions. Fixes #348.

* test coverage for abruptly-closed comments (Mike Dalessio, 2022-03-02; 1 file, -0/+17)
  These establish baseline behavior so that the subsequent commit is clear about the behavior it will modify.

* Add whitespace folding for some atomic data types that it's missing on. (Damjan Jovanovic, 2022-03-02; 1 file, -0/+5)
  XSD validation fails when some atomic types contain surrounding whitespace even though XML Schema Part 2: Datatypes Second Edition, section 4.3.6 says they should be collapsed. Fix this. (I am not sure whether the test is correct.) Issue: #278

* Fix certain combinations of regex range quantifiers (Nick Wellnhofer, 2022-02-28; 1 file, -0/+4)
  Fix regex transitions that have both min/max and a counter. In this case, we want to save the regex state before incrementing the counter. Fixes #301 and the issue reported here: https://mail.gnome.org/archives/xml/2016-April/msg00017.html

* Fix range quantifier on subregex (Nick Wellnhofer, 2022-02-28; 1 file, -0/+2)
  Make sure to add counted exit transitions before other counter transitions. Otherwise, we won't backtrack correctly. Fixes #65.

* Only warn on invalid redeclarations of predefined entities (Nick Wellnhofer, 2022-02-20; 1 file, -0/+4)
  Downgrade the error message to a warning since the error was ignored, anyway. Also print the name of the redeclared entity.

  For a proper fix that also shows filename and line number of the invalid redeclaration, we'd have to
  - pass the parser context to the entity functions somehow, or
  - make these functions return distinct error codes.

  Partial fix for #308.

* Fix double counting of CRLF in comments (Nick Wellnhofer, 2022-02-07; 1 file, -0/+9)
  Fixes #151.

* Don't normalize namespace URIs in XPointer xmlns() scheme (Nick Wellnhofer, 2022-02-04; 2 files, -0/+4)
  Namespace URIs should be compared without escaping or unescaping: https://www.w3.org/TR/REC-xml-names/#NSNameComparison
  Fixes #289.

* Fix handling of XSD with empty namespace (Nick Wellnhofer, 2022-02-03; 2 files, -0/+20)
  An empty namespace means no default namespace. Fixes #303.

* Update NewsML DTD in test suite (Nick Wellnhofer, 2022-02-03; 2 files, -471/+842)
  Switch to version 1.2 which has a clearer license. Fixes #291.

* Fix regression with PEs in external DTD (Nick Wellnhofer, 2022-01-16; 2 files, -0/+5)
  Fix a regression introduced with commit a28f7d87. In some cases, parameter entity references in external DTDs wouldn't be expanded. Fixes #306.

* Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk (David Kilzer, 2022-01-16; 4 files, -0/+0)
  This makes the logic in UTF16BEToUTF8() match UTF16LEToUTF8().

  * encoding.c:
    (UTF16LEToUTF8):
    - Fix comment to describe what the code does.
    (UTF16BEToUTF8):
    - Fix undefined behavior which was applied to UTF16LEToUTF8() in 2f9382033e.
    - Add bounds check to while() loop which was applied to UTF16LEToUTF8() in be803967db.
    - Do not return -2 when (in >= inend) to fix the bug. This was applied to UTF16LEToUTF8() in 496a1cf592.
    - Inline (<< 8) statements to match UTF16LEToUTF8().

  Add the following tests and results:
    test/text-4-byte-UTF-16-BE-offset.xml
    test/text-4-byte-UTF-16-BE.xml
    test/text-4-byte-UTF-16-LE-offset.xml
    test/text-4-byte-UTF-16-LE.xml
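The failure fixed above is a chunk-boundary case: the high surrogate of a 4-byte character ends one push and its low surrogate arrives in the next. The converter below is an added example, not libxml2's UTF16BEToUTF8(): it converts only complete characters, reports how many input bytes it used, and leaves a trailing odd byte or lone high surrogate unconsumed so the caller carries it into the next chunk instead of treating it as an error. The two-chunk driver and the sample bytes ("A", U+1F600, "B") are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encode one code point as UTF-8 into tmp; returns the byte count (1..4). */
static size_t encode_utf8(uint32_t c, unsigned char *tmp)
{
    static const unsigned char lead[] = { 0x00, 0xC0, 0xE0, 0xF0 };
    size_t len = c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;

    for (size_t k = len - 1; k > 0; k--) {        /* continuation bytes */
        tmp[k] = (unsigned char)(0x80 | (c & 0x3F));
        c >>= 6;
    }
    tmp[0] = (unsigned char)(lead[len - 1] | c);
    return len;
}

/* Convert the complete UTF-16BE characters in in[0..inlen) to UTF-8.
 * Returns the UTF-8 byte count, or -1 for an unpaired surrogate.
 * *consumed receives the input bytes used: a trailing odd byte, or a high
 * surrogate whose low half has not arrived yet, is left unconsumed. */
int utf16be_to_utf8(unsigned char *out, size_t outlen,
                    const unsigned char *in, size_t inlen, size_t *consumed)
{
    size_t i = 0, o = 0;

    while (i + 1 < inlen) {
        uint32_t c = ((uint32_t)in[i] << 8) | in[i + 1];
        unsigned char tmp[4];
        size_t used = 2, len;

        if (c >= 0xD800 && c <= 0xDBFF) {           /* high surrogate */
            if (i + 3 >= inlen)
                break;                               /* low half not here yet */
            uint32_t d = ((uint32_t)in[i + 2] << 8) | in[i + 3];
            if (d < 0xDC00 || d > 0xDFFF)
                return -1;
            c = 0x10000 + ((c - 0xD800) << 10) + (d - 0xDC00);
            used = 4;
        } else if (c >= 0xDC00 && c <= 0xDFFF) {    /* stray low surrogate */
            return -1;
        }
        len = encode_utf8(c, tmp);
        if (o + len > outlen)
            break;                                   /* output buffer full */
        memcpy(out + o, tmp, len);
        i += used;
        o += len;
    }
    *consumed = i;
    return (int)o;
}

/* Feed `in` in two pushes split at `split`, carrying the unconsumed tail of
 * the first push in front of the second, as a push parser's buffer would.
 * Returns the total UTF-8 byte count, or -1 on error. */
int convert_in_two_chunks(unsigned char *out, size_t outlen,
                          const unsigned char *in, size_t inlen, size_t split)
{
    unsigned char carry[32];
    size_t used, tail, rest = inlen - split;
    int n1, n2;

    n1 = utf16be_to_utf8(out, outlen, in, split, &used);
    if (n1 < 0)
        return -1;
    tail = split - used;                 /* bytes of a character cut in half */
    if (tail + rest > sizeof carry)
        return -1;
    memcpy(carry, in + used, tail);
    memcpy(carry + tail, in + split, rest);
    n2 = utf16be_to_utf8(out + n1, outlen - (size_t)n1, carry, tail + rest, &used);
    if (n2 < 0 || used != tail + rest)
        return -1;                       /* input ended mid-character */
    return n1 + n2;
}

/* Constructed sample: "A", U+1F600 (surrogate pair D83D DE00), "B". */
static const unsigned char sample_utf16be[] =
    { 0x00, 0x41, 0xD8, 0x3D, 0xDE, 0x00, 0x00, 0x42 };
static const unsigned char sample_utf8[] = { 0x41, 0xF0, 0x9F, 0x98, 0x80, 0x42 };

/* 1 if the sample, split at `split`, still converts to the expected UTF-8. */
int sample_roundtrip(size_t split)
{
    unsigned char out[16];
    int n = convert_in_two_chunks(out, sizeof out, sample_utf16be,
                                  sizeof sample_utf16be, split);
    return n == (int)sizeof sample_utf8 && memcmp(out, sample_utf8, sizeof sample_utf8) == 0;
}

/* 1 if a push ending right after the high surrogate converts only "A" and
 * leaves the two surrogate bytes unconsumed for the next push. */
int partial_push_keeps_tail(void)
{
    unsigned char out[16];
    size_t used;
    return utf16be_to_utf8(out, sizeof out, sample_utf16be, 4, &used) == 1
        && used == 2 && out[0] == 0x41;
}
```

Splitting the sample at every offset from 0 to 8 produces the same six UTF-8 bytes; the interesting splits are 3 (odd byte), 4 (between the two surrogates) and 5 (inside the low surrogate), which a converter that errors on a short tail gets wrong.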
* Fix regression parsing public IDs literals in HTML (Nick Wellnhofer, 2022-01-10; 1 file, -0/+6)
  Fix regression introduced when reworking htmlParsePubidLiteral in commit 93ce33c2. Fixes #318.

* Check for invalid redeclarations of predefined entities (Nick Wellnhofer, 2021-02-08; 4 files, -3/+11)
  Implement section "4.6 Predefined Entities" of the XML 1.0 spec and check whether redeclarations of predefined entities match the original definitions.

  Note that some test cases declared

      <!ENTITY lt "<">

  But the XML spec clearly states that this is illegal:

  > If the entities lt or amp are declared, they MUST be declared as
  > internal entities whose replacement text is a character reference to
  > the respective character (less-than sign or ampersand) being escaped;
  > the double escaping is REQUIRED for these entities so that references
  > to them produce a well-formed result.

  Also fixes #217 but the connection is only tangential. The integer overflow discovered by fuzzing was more related to the fact that various parts of the parser disagreed on whether to prefer predefined entities over their redeclarations. The whole situation is a mess and even depends on legacy parser options. But now that redeclarations are validated, it shouldn't make a difference.

  As noted in the added comment, this is also one of the cases where overly defensive checks can hide interesting logic bugs from fuzzers.
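As an added example of the rule quoted above (my reading of XML 1.0 section 4.6, not the check in libxml2's entities.c), the C function below classifies a redeclaration of one of the five predefined entities. It takes the replacement text after the entity value literal has been processed, so the spec's double-escaped `&#38;#60;` reaches it as `&#60;`; lt and amp are accepted only as a character reference to the right character, while gt, apos and quot may also be declared as the literal character.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct predef { const char *name; unsigned long cp; int literal_ok; };

/* The five predefined entities.  lt and amp must be declared through a
 * character reference; gt, apos and quot may also use the literal character. */
static const struct predef predefs[] = {
    { "lt",   0x3C, 0 },   /* < */
    { "gt",   0x3E, 1 },   /* > */
    { "amp",  0x26, 0 },   /* & */
    { "apos", 0x27, 1 },   /* ' */
    { "quot", 0x22, 1 },   /* " */
};

/* Parse exactly one character reference ("&#60;" or "&#x3C;") into *cp.
 * Returns 0 if `s` is anything else (no digits, trailing text, bad digit). */
static int parse_charref(const char *s, unsigned long *cp)
{
    int hex = 0;
    size_t digits = 0;
    unsigned long v = 0;

    if (s[0] != '&' || s[1] != '#')
        return 0;
    s += 2;
    if (*s == 'x') { hex = 1; s++; }
    for (; *s != ';'; s++, digits++) {
        int d;
        if (*s >= '0' && *s <= '9')              d = *s - '0';
        else if (hex && *s >= 'a' && *s <= 'f') d = *s - 'a' + 10;
        else if (hex && *s >= 'A' && *s <= 'F') d = *s - 'A' + 10;
        else return 0;                          /* also catches '\0': no ';' */
        if (v > 0x10FFFF)
            return 0;                           /* absurdly long number */
        v = v * (hex ? 16UL : 10UL) + (unsigned long)d;
    }
    if (digits == 0 || s[1] != '\0')
        return 0;                               /* "&#;" or trailing junk */
    *cp = v;
    return 1;
}

/* Classify a redeclaration of a predefined entity.  `replacement` is the
 * replacement text after the entity value literal has been processed, so
 * the spec's double-escaped "&#38;#60;" arrives here as "&#60;".
 * Returns 1 if it matches the original definition, 0 if it is an invalid
 * redeclaration, -1 if `name` is not one of the predefined entities. */
int check_predefined_redecl(const char *name, const char *replacement)
{
    const struct predef *p = NULL;
    unsigned long cp;

    for (size_t i = 0; i < sizeof predefs / sizeof predefs[0]; i++)
        if (strcmp(predefs[i].name, name) == 0) { p = &predefs[i]; break; }
    if (p == NULL)
        return -1;
    if (parse_charref(replacement, &cp))
        return cp == p->cp;
    /* Not a character reference: only the literal single character is left,
     * and only for the three entities that allow it. */
    return p->literal_ok && replacement[0] == (char)p->cp && replacement[1] == '\0';
}

int main(void)
{
    /* Constructed declarations, including the "<!ENTITY lt \"<\">" case
     * from the commit message. */
    static const char *const decls[][2] = {
        { "lt", "&#60;" }, { "lt", "<" }, { "amp", "&#x26;" }, { "amp", "&" },
        { "gt", ">" }, { "quot", "&#34;" }, { "lt", "&#62;" }, { "foo", "bar" },
    };
    for (size_t i = 0; i < sizeof decls / sizeof decls[0]; i++)
        printf("<!ENTITY %s \"%s\"> -> %d\n", decls[i][0], decls[i][1],
               check_predefined_redecl(decls[i][0], decls[i][1]));
    return 0;
}
```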
* add test coverage for incorrectly-closed comments (Mike Dalessio, 2020-12-16; 2 files, -0/+28)
  this establishes the baseline behavior so that subsequent commits which modify this behavior are clear about what's being changed.

* Fix regression introduced with commit 74dcc10b (Nick Wellnhofer, 2020-08-19; 1 file, -0/+12)
  The code wasn't dead after all, but I can see no reason in delaying the XPointer evaluation. This could lead to nodes included earlier appearing in XPointer results.

* Fix corner case with empty xi:fallback (Nick Wellnhofer, 2020-08-17; 1 file, -0/+6)
  xi:fallback could become empty after recursive expansion. Use a flag to track whether nodes should be skipped.

* Fix exponential runtime and memory in xi:fallback processing (Nick Wellnhofer, 2020-08-07; 1 file, -0/+83)
  When creating XML_XINCLUDE_START nodes, the children of the original xi:include node must be freed, otherwise fallback content is copied twice, doubling runtime and memory consumption for each nested xi:fallback/xi:include pair.

  Found with libFuzzer.

* Don't recurse into xi:include children in xmlXIncludeDoProcess (Nick Wellnhofer, 2020-08-06; 2 files, -0/+16)
  Otherwise, nested xi:include nodes might result in a use-after-free if XML_PARSE_NOXINCNODE is specified.

  Found with libFuzzer and ASan.

* Add regexp regression tests (David Kilzer, 2020-07-06; 2 files, -0/+5)
  - Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
    <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
  - Bug 783015 - Integer-overflow in xmlFAParseQuantExact
    <https://bugzilla.gnome.org/show_bug.cgi?id=783015>

  (Regexptests): Add support for checking stderr output when running regexp tests. This makes it possible to check in test cases that fail and not see false-positive error output when running the tests. Unlike other libxml2 test suites, if there is no stderr output, no *.err file needs to be created.

* Fix quadratic runtime in HTML parser (Nick Wellnhofer, 2020-07-06; 1 file, -0/+53)
  Commit eeb99329 removed an important optimization avoiding quadratic runtime when repeatedly scanning the input buffer for terminating characters in the HTML push parser. The related bug is

      https://bugzilla.gnome.org/show_bug.cgi?id=444994

  Make sure that ctxt->checkIndex is always written and store additional parser state in ctxt->inSubset which is unused in the HTML parser.

  Found by OSS-Fuzz.
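The optimization the commit restores is simple to demonstrate. The C program below is an added example, not libxml2's HTML push parser: a scanner that looks for the end of a tag on every push and records how far it has already looked in a check_index field (the name is chosen here to mirror the ctxt->checkIndex of the commit; the struct and function names are this example's own). Feeding a constructed <a b="xxx..."> one byte at a time shows the comparison count growing with the square of the input when the index is not kept and linearly when it is.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PUSH_MAX 4096

/* Minimal push-parser state.  check_index records how much of buf has
 * already been scanned for a terminator without success; it plays the role
 * of ctxt->checkIndex in the commit above (names chosen for this example). */
struct push_ctx {
    char buf[PUSH_MAX];
    size_t len;
    size_t check_index;
    unsigned long long comparisons;   /* instrumentation only */
};

/* Append a chunk and look for the end of the current tag ('>').  Returns 1
 * once a complete tag is buffered, 0 if more input is needed, -1 on
 * overflow.  With use_check_index == 0 every push rescans from the start
 * of the buffer, which is the quadratic behaviour the commit removes. */
int push_chunk(struct push_ctx *ctxt, const char *chunk, size_t n,
               int use_check_index)
{
    size_t i;

    if (ctxt->len + n > PUSH_MAX)
        return -1;
    memcpy(ctxt->buf + ctxt->len, chunk, n);
    ctxt->len += n;

    for (i = use_check_index ? ctxt->check_index : 0; i < ctxt->len; i++) {
        ctxt->comparisons++;
        if (ctxt->buf[i] == '>') {
            ctxt->check_index = 0;          /* next scan starts after this tag */
            return 1;
        }
    }
    /* Not found: all of buf[0..len) has been examined, so the next push only
     * needs to look at the new bytes.  Skipping this write is exactly what
     * brings the O(n^2) rescanning back. */
    ctxt->check_index = ctxt->len;
    return 0;
}

/* Push a constructed <a b="xxx..."> one byte at a time and return how many
 * character comparisons the scanner made before it found the '>'. */
unsigned long long comparisons_for(size_t value_len, int use_check_index)
{
    struct push_ctx ctxt;
    char doc[PUSH_MAX];
    size_t total = 0;

    if (value_len + 8 > PUSH_MAX)
        return 0;
    memset(&ctxt, 0, sizeof ctxt);
    memcpy(doc, "<a b=\"", 6);
    total = 6;
    memset(doc + total, 'x', value_len);
    total += value_len;
    doc[total++] = '"';
    doc[total++] = '>';
    for (size_t i = 0; i < total; i++)
        if (push_chunk(&ctxt, doc + i, 1, use_check_index) != 0)
            break;
    return ctxt.comparisons;
}

/* 1 if a single push holding a whole tag is recognised at once. */
int whole_tag_in_one_push(void)
{
    struct push_ctx ctxt;
    memset(&ctxt, 0, sizeof ctxt);
    return push_chunk(&ctxt, "<a>", 3, 1) == 1 && ctxt.comparisons == 3;
}

int main(void)
{
    printf("1000-byte attribute, rescanning from 0:       %llu comparisons\n",
           comparisons_for(1000, 0));
    printf("1000-byte attribute, resuming at check_index: %llu comparisons\n",
           comparisons_for(1000, 1));
    return 0;
}
```

For a 1000-byte attribute value the document is 1008 bytes long: the scanner that keeps check_index compares each byte once (1008 comparisons), while the one that rescans from zero performs 1 + 2 + ... + 1008, which is 508536, and the gap keeps widening with the input.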