path: root/xpath.c
Commit log (each entry lists the commit message, then the author, date, number of files changed and lines removed/added, then the commit body):
* malloc-fail: Check for malloc failures when creating XPath strings
  Nick Wellnhofer, 2023-03-18, 1 file changed, -69/+42 lines
  Prevent null derefs. Found by OSS-Fuzz, see #344.

* malloc-fail: Stop using XPath stack frames
  Nick Wellnhofer, 2023-03-13, 1 file changed, -53/+4 lines
  There's too much code which assumes that if ctxt->value is non-null, a value can be successfully popped off the stack. This assumption can break with stack frames when malloc fails.

  Instead of trying to fix all call sites, remove the stack frame logic. It only offered very little protection against misbehaving extension functions. We already check the stack size after a function call which should be enough.

  Found by OSS-Fuzz.

* malloc-fail: Fix memory leak in xmlXPathRegisterNs
  Nick Wellnhofer, 2023-03-09, 1 file changed, -2/+13 lines
  Found by OSS-Fuzz.

* malloc-fail: Fix memory leak in xmlXPathNameFunction
  Nick Wellnhofer, 2023-02-28, 1 file changed, -3/+2 lines
  Found with libFuzzer, see #344.

* xpath: Fix harmless integer overflow in xmlXPathTranslateFunction
  Nick Wellnhofer, 2023-02-27, 1 file changed, -1/+1 lines

* Revert "xpath: Fix popping of values in xmlXPathPopNodeset"
  Nick Wellnhofer, 2023-02-27, 1 file changed, -6/+7 lines
  This reverts commit 47b0e0a620d1e0e657b858986e3ebde80d4645b4.

* malloc-fail: Fix memory leak in xmlXPathDistinctSorted
  Nick Wellnhofer, 2023-02-27, 1 file changed, -3/+10 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak in xmlXPathCacheNewNodeSet
  Nick Wellnhofer, 2023-02-27, 1 file changed, -6/+9 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix null deref after xmlPointerListAddSize
  Nick Wellnhofer, 2023-02-27, 1 file changed, -21/+19 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix null deref in xmlXPathCompiledEvalInternal
  Nick Wellnhofer, 2023-02-27, 1 file changed, -0/+2 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix use-after-free related to xmlXPathNodeSetFilter
  Nick Wellnhofer, 2023-02-26, 1 file changed, -2/+19 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak in xmlXPathEqualNodeSetFloat
  Nick Wellnhofer, 2023-02-26, 1 file changed, -1/+1 lines
  Found with libFuzzer, see #344.
* Revert "malloc-fail: Avoid use-after-free after unsuccessful valuePush"
  Nick Wellnhofer, 2023-02-26, 1 file changed, -9/+1 lines
  This reverts commit 6a12be77c6a94c374ab7476087edcee2ba41d9b4.

  There's too much code reading ctxt->value directly and making the wrong assumptions.

* xpath: Fix popping of values in xmlXPathPopNodeset
  Nick Wellnhofer, 2023-02-23, 1 file changed, -7/+6 lines
  After 6a12be77, valuePop can fail even if ctxt->value is non-NULL. If it turns out that too much code relies on this assumption, a better fix is needed.

* malloc-fail: Fix memory leak after calling xmlXPathNodeSetMerge
  Nick Wellnhofer, 2023-02-17, 1 file changed, -41/+37 lines
  Destroy the first argument in xmlXPathNodeSetMerge if the function fails. This is somewhat dangerous but matches the expectations of users.

  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak after calling xmlXPathWrapString
  Nick Wellnhofer, 2023-02-17, 1 file changed, -0/+3 lines
  Destroy the string in xmlXPathWrapString if the function fails. This is somewhat dangerous but matches the expectations of users.

  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak in xmlXPathEqualValuesCommon
  Nick Wellnhofer, 2023-02-17, 1 file changed, -2/+4 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak in xmlXPathCompareValues
  Nick Wellnhofer, 2023-02-17, 1 file changed, -2/+3 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak in xmlXPathTryStreamCompile
  Nick Wellnhofer, 2023-02-17, 1 file changed, -0/+1 lines
  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak after calling valuePush
  Nick Wellnhofer, 2023-02-17, 1 file changed, -0/+4 lines
  Destroy the object in valuePush if the function fails. This is somewhat dangerous but matches the expectations of users.

  Found with libFuzzer, see #344.

* malloc-fail: Fix memory leak after calling xmlXPathWrapNodeSet
  Nick Wellnhofer, 2023-02-17, 1 file changed, -0/+5 lines
  Destroy the node set in xmlXPathWrapNodeSet if the function fails. This is somewhat dangerous but matches the expectations of users.

  Found with libFuzzer, see #344.

* xpath: Only report the first error
  Nick Wellnhofer, 2023-02-03, 1 file changed, -0/+3 lines
  Don't overwrite the original error code. Besides, subsequent error reports are somewhat unreliable and not really useful.
* malloc-fail: Avoid use-after-free after unsuccessful valuePush
  Nick Wellnhofer, 2023-02-03, 1 file changed, -1/+9 lines
  In xpath.c there's a lot of code like:

      valuePush(ctxt, xmlCacheNewX());
      ...
      valuePop(ctxt);

  If xmlCacheNewX fails, no value will be pushed on the stack. If there's no error check in between, valuePop will pop an unrelated value which can lead to use-after-free errors.

  Instead of trying to fix all call sites, we simply stop popping values if an error was signaled. This requires changing the CHECK_TYPE macro which is often used to determine whether a value can be safely popped.

  Found with libFuzzer, see #344.
* malloc-fail: Add error checks in xmlXPathEqualValuesCommon
  Nick Wellnhofer, 2023-02-03, 1 file changed, -0/+2 lines
  Avoid null deref. Found with libFuzzer, see #344.

* malloc-fail: Add error check in xmlXPathEqualNodeSetFloat
  Nick Wellnhofer, 2023-02-03, 1 file changed, -0/+1 lines
  Avoid null deref. Found with libFuzzer, see #344.

* malloc-fail: Fix error check in xmlXPathCompareValues
  Nick Wellnhofer, 2023-02-03, 1 file changed, -10/+2 lines
  Avoid null deref. Found with libFuzzer, see #344.

* malloc-fail: Record malloc failure in xmlXPathCompLiteral
  Nick Wellnhofer, 2023-02-03, 1 file changed, -1/+4 lines
  Avoid OOB array access. Found with libFuzzer, see #344.

* malloc-fail: Check return value of xmlXPathNodeSetDupNs
  Nick Wellnhofer, 2023-02-03, 1 file changed, -15/+23 lines
  Avoid null deref if allocation fails. Found with libFuzzer, see #344.

* xpath: number('-') should return NaN
  Nick Wellnhofer, 2023-01-18, 1 file changed, -3/+3 lines
  Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81

* xpath: Make init function private
  Nick Wellnhofer, 2022-11-27, 1 file changed, -3/+11 lines

* warnings: Remove set-but-unused variables
  Nick Wellnhofer, 2022-10-25, 1 file changed, -9/+0 lines
  Fixes compiler warnings with clang 15.

* xpath: Lower XPath recursion limit on Windows
  Nick Wellnhofer, 2022-09-07, 1 file changed, -0/+3 lines

* Fix Windows compiler warnings in python/types.c
  Nick Wellnhofer, 2022-09-04, 1 file changed, -2/+2 lines

* Remove or annotate char casts
  Nick Wellnhofer, 2022-09-01, 1 file changed, -1/+1 lines

* Don't use sizeof(xmlChar) or sizeof(char)
  Nick Wellnhofer, 2022-09-01, 1 file changed, -3/+2 lines
* Remove explicit integer casts
  Nick Wellnhofer, 2022-09-01, 1 file changed, -37/+33 lines
  Remove explicit integer casts as final operation
  - in assignments
  - when passing arguments
  - when returning values

  Remove casts
  - to the same type
  - from certain range-bound values

  The main motivation is that these explicit casts don't change the result of operations and only render UBSan's implicit-conversion checks useless. Removing these casts allows UBSan to detect cases where truncation or sign-changes occur unexpectedly.

  Document some explicit casts as truncating and add a few missing ones.

* Remove set-but-unused variable in xmlXPathScanName
  Nick Wellnhofer, 2022-08-26, 1 file changed, -2/+1 lines
  Fix clang warning.

* Consolidate private header files
  Nick Wellnhofer, 2022-08-26, 1 file changed, -1/+2 lines
  Private functions were previously declared
  - in header files in the root directory
  - in public headers guarded with IN_LIBXML
  - in libxml.h
  - redundantly in source files that used them.

  Consolidate all private header files in include/private.

* Make XPath depth check work with recursive invocations
  Nick Wellnhofer, 2022-07-28, 1 file changed, -6/+17 lines
  EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval recursively. Don't set depth to zero but keep and restore the original value to avoid stack overflows when abusing these functions.

* Use NAN/INFINITY if available to init XPath NaN/Inf
  Sergey Kosukhin, 2022-07-06, 1 file changed, -0/+6 lines
* Add configuration flag for XPointer locations support
  Nick Wellnhofer, 2022-04-21, 1 file changed, -24/+56 lines
  Add a new configuration flag that controls whether the outdated support for XPointer locations (ranges and points) is enabled.

      --with-xptr-locs        # Autotools
      LIBXML2_WITH_XPTR_LOCS  # CMake

  The latest spec for what is essentially an XPath extension seems to be this working draft from 2002: https://www.w3.org/TR/xptr-xpointer/

  The xpointer() scheme is listed as "being reviewed" in the XPointer registry since at least 2006. libxml2 seems to be the only modern software that tries to implement this spec, but the code has many bugs and quality issues.

  The flag defaults to "off" and support for this extension has to be requested explicitly. The relevant API functions are deprecated.
* Mark more static data as `const`
  David Kilzer, 2022-04-07, 1 file changed, -1/+1 lines
  Similar to 8f5710379, mark more static data structures with `const` keyword. Also fix placement of `const` in encoding.c.

  Original patch by Sarah Wilkin.

* Initialize XPath floating-point globals
  Nick Wellnhofer, 2022-04-03, 1 file changed, -3/+3 lines
  Should fix #138.
* fix: xmlXPathParserContext could be double-deleted in OOM case.
  jinsub ahn, 2022-03-30, 1 file changed, -1/+1 lines
* Deprecate module init and cleanup functions
  Nick Wellnhofer, 2022-03-06, 1 file changed, -0/+3 lines
  These functions shouldn't be part of the public API. Most init functions are only thread-safe when called from xmlInitParser. Global variables should only be cleaned up by calling xmlCleanupParser.

* Normalize XPath strings in-place
  Nick Wellnhofer, 2022-03-05, 1 file changed, -36/+29 lines
  Simplify the code and fix a potential memory leak.

  Fixes #343.

* Remove DOCBparser
  Nick Wellnhofer, 2022-03-04, 1 file changed, -27/+0 lines
  This code has been broken and deprecated since version 2.6.0, released in 2003. Because of a bug in commit 961b535c, DOCBparser.c was never compiled since 2012. I couldn't find a Debian package using any of its symbols, so it seems safe to remove this module.

* Remove unneeded #includes
  Nick Wellnhofer, 2022-03-04, 1 file changed, -4/+0 lines

* Don't check for standard C89 headers
  Nick Wellnhofer, 2022-03-02, 1 file changed, -12/+3 lines
  Don't check for
  - ctype.h
  - errno.h
  - float.h
  - limits.h
  - math.h
  - signal.h
  - stdarg.h
  - stdlib.h
  - string.h
  - time.h

  Stop including non-standard headers
  - malloc.h
  - strings.h

* Remove elfgcchack.h
  Nick Wellnhofer, 2022-02-20, 1 file changed, -2/+0 lines
  The same optimization can be enabled with -fno-semantic-interposition since GCC 5. clang has always used this option by default.