| Commit message | Author | Age | Files | Lines |
| |
These arguments should be non-zero, but add a sanity check to avoid
division by zero.
Fixes #450.
| |
Found with libFuzzer, see #344.
| |
Found with libFuzzer, see #344.
| |
Found with libFuzzer, see #344.
| |
Found with libFuzzer, see #344.
| |
Invoke xmlRegNewState from xmlRegStatePush to simplify error handling.
Found with libFuzzer, see #344.
| |
Private functions were previously declared
- in header files in the root directory
- in public headers guarded with IN_LIBXML
- in libxml.h
- redundantly in source files that used them.
Consolidate all private header files in include/private.
| |
Fixes #370.
| |
Support non-BMP code points in surrogate pairs of '\uXXXX\uXXXX'.
| |
This adds support for some non-standard escape sequences observed
in Microsoft's MSXML DLLs and used by Windows apps, and thus
needed by Wine. Some are also used in other XML implementations,
e.g. Java's.
This isn't intended to be final. We probably wish to toggle these
non-standard escape sequences on and off somehow, as needed by
the caller.
Further discussion: https://gitlab.gnome.org/GNOME/libxml2/-/issues/260
| |
Don't check for
- ctype.h
- errno.h
- float.h
- limits.h
- math.h
- signal.h
- stdarg.h
- stdlib.h
- string.h
- time.h
Stop including non-standard headers
- malloc.h
- strings.h
| |
Fix regex transitions that have both min/max and a counter. In this
case, we want to save the regex state before incrementing the counter.
Fixes #301 and the issue reported here:
https://mail.gnome.org/archives/xml/2016-April/msg00017.html
| |
Make sure to add counted exit transitions before other counter
transitions. Otherwise, we won't backtrack correctly.
Fixes #65.
| |
The same optimization can be enabled with -fno-semantic-interposition
since GCC 5. clang has always used this option by default.
| |
When building the internal representation of a regexp, it is possible
that a lot of empty transitions are created. Therefore there is a step
to reduce them in the function xmlFAEliminateSimpleEpsilonTransitions.
There is an error there for this case:
* State 1 has a transition with an atom (in this case "a") to state 2.
* State 2 is final and has an epsilon transition to state 1.
After reduction it looked like:
* State 1 has a transition with an atom (in this case "a") to itself
and is final.
In other words, the empty string is accepted when it shouldn't be.
The attached patch skips the reduction step for final states.
An alternative would be to insert or increment counters when reducing a
final state, but this seemed error prone and unnecessary, since there
aren't that many final states.
Fixes #282
| |
Apply Per Hedeland's patch from
https://bugzilla.gnome.org/show_bug.cgi?id=779751
Fixes #188.
| |
In order to prevent visiting a state twice, states must be marked as
visited for the whole duration of graph traversal because states might
be reached by different paths. Otherwise state graphs like the
following can lead to exponential runtime:
->O-->O-->O-->O-->O->
   \ / \ / \ / \ /
    O   O   O   O
Reset the "visited" flag only after the graph was traversed.
xmlFAComputesDeterminism still has massive performance problems when
handling fuzzed input. By design, it has quadratic time complexity in
the number of reachable states. Some issues might also stem from
redundant epsilon transitions. With this fix, fuzzing regexes with a
maximum length of 100 becomes feasible at least.
Found with libFuzzer.
| |
Enforce a maximum nesting depth of 50 for regular expressions. Avoids
stack overflows with deeply nested regexes.
Found by OSS-Fuzz.
| |
Found by OSS-Fuzz.
| |
Resolves #133.
| |
Found by lgtm.com
| |
Found by lgtm.com
| |
Closes #109.
| |
- One of the bug316338 test cases is expected to succeed.
- Memory leak in testRegexp.c.
- Refcount handling in xmlExpHashGetEntry.
| |
Fixes bug 649244:
https://bugzilla.gnome.org/show_bug.cgi?id=649244
Closes #57.
| |
Non-compound (##local) and compound string atoms are always disjoint
regardless of whether the compound atom is negated (##other).
Closes #40.
| |
Merge request !39
| |
Thanks to Shaobo He for the report.
| |
Add "falls through" comments to quench implicit-fallthrough warnings
which are enabled by -Wextra under GCC 7.
| |
Credit to OSS-Fuzz.
Add a check to xmlFAParseCharRange() for the end of the buffer
to prevent reading past the end of it.
This fixes Bug 784017.
| |
Found with libFuzzer.
| |
It's stupid, but the behavior of memcpy(NULL, NULL, 0) is undefined.
| |
<https://bugzilla.gnome.org/show_bug.cgi?id=757711>
* xmlregexp.c:
(xmlFAParseCharRange): Only advance to the next character if
there is no error. Advancing to the next character in case of
an error while parsing regexp leads to an out of bounds access.
| |
This is the first of the two issues raised by Pete Cordell
in https://mail.gnome.org/archives/xml/2016-April/msg00030.html
| |
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
| |
Cleanup
For https://bugzilla.gnome.org/show_bug.cgi?id=729851
| |
https://bugzilla.gnome.org/show_bug.cgi?id=707749
Fix 3 cases where we might dereference NULL
| |
Remove all space before tabs and space and tabs at end of lines.
| |
Which can happen when eliminating epsilon transitions, as reported
by Pavel Madr <pmadr@opentext.com>
| |
As reported by Sven <sven@e7o.de>:
The following pattern will cause a segmentation fault in my
Apache (using PHP5 to validate an XML against an XSD):
<xs:pattern value="(.*)|"/>
Fix a cascade of error handling failures which led to the
crash in that scenario.
| |
* xmlregexp.c: other fixes in 2.7.4 raised this internal error
when comparing ranges, this affects among others detection of
the determinism
* test/relaxng/libvirt* result/relaxng/libvirt*: add a test case
based on libvirt schemas and tests
| |
* configure.in: new version
* libxml.spec.in: cleanup
* xmlregexp.c: fix a comment
* doc/apibuild.py: update
* doc/*: regenerate everything
| |
* SAX2.c dict.c error.c hash.c nanohttp.c parser.c python/libxml.c
relaxng.c runtest.c tree.c valid.c xinclude.c xmlregexp.c xmlsave.c
xmlschemas.c xpath.c xpointer.c: mostly removing unneeded affectations,
but this led to a few real bugs and some part not yet understood
(relaxng/interleave)