path: root/tree.c
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* malloc-fail: Fix memory leak in xmlCopyNamespaceList (Nick Wellnhofer, 2023-03-08, 1 file, -0/+4)
  Found with libFuzzer, see #344.
* malloc-fail: Fix memory leak in xmlGetNsList (Nick Wellnhofer, 2023-02-27, 1 file, -16/+9)
  Found with libFuzzer, see #344.
* malloc-fail: Fix memory leak in xmlCopyPropList (Nick Wellnhofer, 2023-02-17, 1 file, -1/+3)
  Found with libFuzzer, see #344.
* tree: Fix recursion check in xmlStringGetNodeList (Nick Wellnhofer, 2023-01-17, 1 file, -6/+16)
  Use the new entity flag to check for recursion.
* entities: Add XML_ENT_PARSED flag (Nick Wellnhofer, 2022-12-19, 1 file, -2/+6)
  To check whether an entity was already parsed, the code previously tested whether "checked" was non-zero or "children" was non-null. The "children" check could be unreliable because an empty entity also results in an empty (NULL) node list. Use a separate flag to make this check more reliable.
* buf: Deprecate static/immutable buffers (Nick Wellnhofer, 2022-11-20, 1 file, -44/+9)
* malloc-fail: Fix memory leak in xmlStringGetNodeList (Nick Wellnhofer, 2022-11-02, 1 file, -18/+18)
  Also make sure to return NULL on error instead of a partial node list.
  Found with libFuzzer, see #344.
* malloc-fail: Fix memory leak in xmlNewDocNodeEatName (Nick Wellnhofer, 2022-11-02, 1 file, -2/+3)
  Found with libFuzzer, see #344.
* malloc-fail: Fix memory leak in xmlNewPropInternal (Nick Wellnhofer, 2022-11-02, 1 file, -1/+2)
  Also fixes a memory leak if called with a non-element node.
  Found with libFuzzer, see #344.
* malloc-fail: Fix memory leak in xmlStaticCopyNodeList (Nick Wellnhofer, 2022-11-02, 1 file, -2/+5)
  Found with libFuzzer, see #344.
* xinclude: Make xmlXIncludeCopyNode non-recursive (Nick Wellnhofer, 2022-10-23, 1 file, -5/+2)
  Avoid call stack overflows. Also switch to xmlStaticCopyNode which avoids duplicate namespace definitions.
* Remove "runtime debugging" (Nick Wellnhofer, 2022-09-02, 1 file, -5/+0)
  This doesn't seem useful as a configuration option.
* Move xmlIsXHTML to tree.c (Nick Wellnhofer, 2022-09-02, 1 file, -0/+45)
  It's declared in tree.h and not guarded by LIBXML_OUTPUT_ENABLED like the other functions in xmlsave.c.
* Don't use sizeof(xmlChar) or sizeof(char) (Nick Wellnhofer, 2022-09-01, 1 file, -6/+6)
* Remove explicit integer casts (Nick Wellnhofer, 2022-09-01, 1 file, -1/+1)
  Remove explicit integer casts as final operation
  - in assignments
  - when passing arguments
  - when returning values
  Remove casts
  - to the same type
  - from certain range-bound values
  The main motivation is that these explicit casts don't change the result of operations and only render UBSan's implicit-conversion checks useless. Removing these casts allows UBSan to detect cases where truncation or sign-changes occur unexpectedly.
  Document some explicit casts as truncating and add a few missing ones.
* Silence -Warray-bounds warning (Nick Wellnhofer, 2022-08-26, 1 file, -1/+2)
  This is a hack, but works for now.
  Fixes #389.
* Consolidate private header files (Nick Wellnhofer, 2022-08-26, 1 file, -2/+4)
  Private functions were previously declared
  - in header files in the root directory
  - in public headers guarded with IN_LIBXML
  - in libxml.h
  - redundantly in source files that used them.
  Consolidate all private header files in include/private.
* Improve documentation of tree manipulation API (Nick Wellnhofer, 2022-08-02, 1 file, -1/+31)
  - Discourage use of node constructors without document.
  - Mention that xmlReconciliateNs is crucial when moving nodes from one document to another.
* Avoid calling xmlSetTreeDoc (Nick Wellnhofer, 2022-06-20, 1 file, -1/+1)
  Create text nodes with xmlNewDocText or set the document directly to avoid xmlSetTreeDoc being called when the node is inserted.
* Simplify xmlFreeNode (Nick Wellnhofer, 2022-06-20, 1 file, -17/+12)
* Don't reset nsDef when changing node content (Nick Wellnhofer, 2022-06-20, 1 file, -3/+0)
  nsDef is only used for element nodes.
* Fix unintended fall-through in xmlNodeAddContentLen (Nick Wellnhofer, 2022-06-20, 1 file, -3/+4)
* Reserve byte for NUL terminator and report errors consistently in xmlBuf and xmlBuffer (David Kilzer, 2022-06-16, 1 file, -6/+16)
  This is a follow-up to commit 6c283d83.
  * buf.c:
  (xmlBufGrowInternal):
  - Call xmlBufMemoryError() when the buffer size would overflow.
  - Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH.
  - Do not include NUL terminator byte when returning length.
  (xmlBufAdd):
  - Call xmlBufMemoryError() when the buffer size would overflow.
  * tree.c:
  (xmlBufferGrow):
  - Call xmlTreeErrMemory() when the buffer size would overflow.
  - Do not include NUL terminator byte when returning length.
  (xmlBufferResize):
  - Update error message in xmlTreeErrMemory() to be consistent with other similar messages.
  (xmlBufferAdd):
  - Call xmlTreeErrMemory() when the buffer size would overflow.
  (xmlBufferAddHead):
  - Add overflow checks similar to those in xmlBufferAdd().
* Fix missing NUL terminators in xmlBuf and xmlBuffer functions (David Kilzer, 2022-06-16, 1 file, -0/+3)
  * buf.c:
  (xmlBufAddLen):
  - Change check for remaining space to account for the NUL terminator. When adding a length exactly equal to the number of unused bytes, a NUL terminator was not written.
  (xmlBufResize):
  - Set `buf->use` and NUL terminator when allocating a new buffer.
  * tree.c:
  (xmlBufferResize):
  - Set `buf->use` and NUL terminator when allocating a new buffer.
  (xmlBufferAddHead):
  - Set NUL terminator before returning early when shifting contents.
* Fix integer overflow in xmlBufferDump() (David Kilzer, 2022-06-02, 1 file, -2/+2)
  * tree.c:
  (xmlBufferDump):
  - Cap the return value to INT_MAX.
* Fix double colon typos in xmlBufferResize() (David Kilzer, 2022-05-25, 1 file, -2/+2)
  Introduced in commit 6c283d83e.
* Fix ownership of xmlNodePtr & xmlAttrPtr fields in xmlSetTreeDoc() (David Kilzer, 2022-05-25, 1 file, -1/+26)
  When changing `doc` on an xmlNodePtr or xmlAttrPtr, certain fields must either be a free-standing string, or they must be owned by `doc->dict`. The code to make this change was simply missing, so the crash happened when an xmlAttrPtr was being torn down after `doc` changed from non-NULL to NULL, but the `name` field was not copied. This is scenario 1 below.
  The xmlNodePtr->name and xmlNodePtr->content fields are also fixed at the same time. Note that xmlNodePtr->content is never added to the dictionary, so NULL is used instead of `newDict` to force a free-standing copy.
  This change covers all cases of dictionary changes:
  1. Owned by old dictionary -> NULL new dictionary
     - Create free-standing copy of string.
  2. Owned by old dictionary -> Non-NULL new dictionary
     - Get string from new dictionary pool.
  3. Not owned by old dictionary -> Non-NULL new dictionary
     - No action necessary (already a free-standing string).
  4. Not owned by old dictionary -> NULL new dictionary
     - No action necessary (already a free-standing string).
  * tree.c:
  (_copyStringForNewDictIfNeeded): Add.
  (xmlSetTreeDoc):
  - Update xmlNodePtr->name, xmlNodePtr->content and xmlAttrPtr->name when changing the document, if needed.
  Found by OSS-Fuzz Issue 45132.
* [CVE-2022-29824] Fix integer overflows in xmlBuf and xmlBuffer (Nick Wellnhofer, 2022-05-02, 1 file, -45/+27)
  In several places, the code handling string buffers didn't check for integer overflow or used wrong types for buffer sizes. This could result in out-of-bounds writes or other memory errors when working on large, multi-gigabyte buffers.
  Thanks to Felix Wilhelm for the report.
* Don't try to copy children of entity references (Nick Wellnhofer, 2022-04-23, 1 file, -1/+2)
  This would result in an error, aborting the whole copy operation.
  Regressed in commit 7618a3b1. Fixes #371.
* Fix short-lived regression in xmlStaticCopyNode (Nick Wellnhofer, 2022-04-10, 1 file, -6/+17)
  Commit 7618a3b1 didn't account for coalesced text nodes.
  I think it would be better if xmlStaticCopyNode didn't try to coalesce text nodes at all. This code path can only be triggered if some other code doesn't coalesce text nodes properly. In this case, OSS-Fuzz found such behavior in xinclude.c.
* Make xmlStaticCopyNode non-recursive (Nick Wellnhofer, 2022-04-02, 1 file, -2/+39)
* Improve buffer allocation scheme (Nick Wellnhofer, 2022-03-06, 1 file, -2/+5)
  In most places, we really need the double-it scheme to avoid quadratic behavior. The hybrid scheme still can cause many reallocations and the bounded scheme doesn't seem to provide meaningful protection in xmlreader.c.
* Remove DOCBparser (Nick Wellnhofer, 2022-03-04, 1 file, -37/+1)
  This code has been broken and deprecated since version 2.6.0, released in 2003. Because of a bug in commit 961b535c, DOCBparser.c was never compiled since 2012.
  I couldn't find a Debian package using any of its symbols, so it seems safe to remove this module.
* Don't check for standard C89 headers (Nick Wellnhofer, 2022-03-02, 1 file, -4/+1)
  Don't check for
  - ctype.h
  - errno.h
  - float.h
  - limits.h
  - math.h
  - signal.h
  - stdarg.h
  - stdlib.h
  - string.h
  - time.h
  Stop including non-standard headers
  - malloc.h
  - strings.h
* Fix unused variable warnings with disabled features (Nick Wellnhofer, 2022-02-22, 1 file, -0/+3)
* Remove elfgcchack.h (Nick Wellnhofer, 2022-02-20, 1 file, -2/+0)
  The same optimization can be enabled with -fno-semantic-interposition since GCC 5. clang has always used this option by default.
* Fix xmlSetTreeDoc with entity references (Nick Wellnhofer, 2022-02-07, 1 file, -1/+8)
  The children member of entity reference nodes points to the entity declaration and must never be followed when traversing a tree. In the worst case, this could lead to an infinite loop.
  It's somewhat unclear how moving entity references to other documents should work exactly. For now we simply set the children pointer to NULL to avoid a reference to the original document.
  Fixes #42.
* Properly handle nested documents in xmlFreeNode (Nick Wellnhofer, 2022-02-07, 1 file, -14/+12)
  Client code should never add document nodes as children of other nodes, but even our own XPointer code has a bug that can produce such trees. Make sure to really free nested documents.
  Also see commits 0815302d and 0762c9b6.
  Should fix #269.
* Fix null pointer deref in xmlStringGetNodeList (Nick Wellnhofer, 2022-01-16, 1 file, -0/+4)
  Check for malloc failure to avoid null deref.
* Fix xmlGetNodePath with invalid node types (Nick Wellnhofer, 2021-03-13, 1 file, -1/+3)
  Make xmlGetNodePath return NULL instead of invalid XPath when hitting unsupported node types like DTD content.
  Reported here: https://mail.gnome.org/archives/xml/2021-January/msg00012.html
  Original report: https://bugs.php.net/bug.php?id=80680
* Clarify xmlNewDocProp documentation (Nick Wellnhofer, 2021-03-02, 1 file, -0/+5)
* Stop checking attributes for UTF-8 validity (Nick Wellnhofer, 2021-03-02, 1 file, -12/+0)
  I can't see a reason to check attribute content for UTF-8 validity. Other parts of the API like xmlNewText have always assumed valid UTF-8 as extra checks only slow down processing.
  Besides, setting doc->encoding to "ISO-8859-1" seems pointless, and not freeing the old encoding would cause a memory leak.
  Note that this was last changed in 2008 with commit 6f8611fd which removed unnecessary encoding/decoding steps. Setting attributes should be even faster now.
  Found by OSS-Fuzz.
* Fix quadratic behavior when looking up xml:* attributes (Nick Wellnhofer, 2021-03-01, 1 file, -0/+10)
  Add a special case for the predefined XML namespace when looking up DTD attribute defaults in xmlGetPropNodeInternal to avoid calling xmlGetNsList.
  This fixes quadratic behavior in
  - xmlNodeGetBase
  - xmlNodeGetLang
  - xmlNodeGetSpacePreserve
  Found by OSS-Fuzz.
* Check for invalid redeclarations of predefined entities (Nick Wellnhofer, 2021-02-08, 1 file, -0/+13)
  Implement section "4.6 Predefined Entities" of the XML 1.0 spec and check whether redeclarations of predefined entities match the original definitions.
  Note that some test cases declared
      <!ENTITY lt "<">
  But the XML spec clearly states that this is illegal:
  > If the entities lt or amp are declared, they MUST be declared as
  > internal entities whose replacement text is a character reference to
  > the respective character (less-than sign or ampersand) being escaped;
  > the double escaping is REQUIRED for these entities so that references
  > to them produce a well-formed result.
  Also fixes #217 but the connection is only tangential. The integer overflow discovered by fuzzing was more related to the fact that various parts of the parser disagreed on whether to prefer predefined entities over their redeclarations. The whole situation is a mess and even depends on legacy parser options. But now that redeclarations are validated, it shouldn't make a difference.
  As noted in the added comment, this is also one of the cases where overly defensive checks can hide interesting logic bugs from fuzzers.
* Add the copy of type from original xmlDoc in xmlCopyDoc() (SVGAnimate, 2021-02-08, 1 file, -0/+1)
  A bug related to php DOMDocument: https://bugs.php.net/bug.php?id=80665
  When copying/cloning an html document, the xmlDoc->type goes from XML_HTML_DOCUMENT_NODE to XML_DOCUMENT_NODE.
* Fix null deref in xmlStringGetNodeList (Nick Wellnhofer, 2020-12-18, 1 file, -0/+4)
  Check for malloc failure to avoid null deref.
  Found with libFuzzer.
* Fix typos (Nick Wellnhofer, 2020-03-08, 1 file, -7/+7)
  Resolves #133.
* Fix integer overflow in xmlBufferResize (Nick Wellnhofer, 2020-01-10, 1 file, -2/+7)
  Found by OSS-Fuzz.
* Fix freeing of nested documents (Nick Wellnhofer, 2019-12-06, 1 file, -0/+5)
  Apparently, some libxslt RVTs can contain nested document nodes, see issue #132. I'm not sure how this happens exactly but it can cause a segfault in xmlFreeNodeList after the changes in commit 0762c9b6.
  Make sure not to touch the (nonexistent) `content` member of xmlDocs.
* Enable more undefined behavior sanitizers (Nick Wellnhofer, 2019-11-02, 1 file, -1/+3)
  Minor fix to xmlStringLenGetNodeList to avoid a pointer overflow during API test.
  Enable pointer-overflow and unsigned-integer-overflow sanitizers in CI tests. Technically, unsigned integer overflows aren't undefined behavior, but they typically indicate programming errors. Some hash functions that really require unsigned integer overflows have already been annotated.