1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-26 00:37:43 +03:00
Commit Graph

225 Commits

Author SHA1 Message Date
Nick Wellnhofer
1a66b17605 [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking
Fixes a use-after-free if XML Reader if used with DTD validation and
XInclude expansion.

Fixes #604.
2024-02-04 15:23:49 +01:00
Nick Wellnhofer
12f0bb9478 parser: Synchronize more options 2024-01-05 20:39:40 +01:00
Nick Wellnhofer
a5dcf0f422 parser: Mark more parser context members as unused 2023-12-29 01:20:08 +01:00
Nick Wellnhofer
955c177f69 parser: Stop using 'directory' struct member
This was only used as a pointless fallback for URI resolution.
2023-12-25 23:38:40 +01:00
Nick Wellnhofer
c8f1f4a280 doc: Improve documentation of error handlers 2023-12-21 17:36:17 +01:00
Nick Wellnhofer
23345a1cb1 io: Report IO errors through xmlCtxtErrIO
This is also a new public API function to be used in external entity
loaders.
2023-12-21 15:02:24 +01:00
Nick Wellnhofer
ed6596a47a reader: Simplify error handling
Only use structured error handlers for parser, Schemas and RelaxNG
contexts. Also use structured error handler for XInclude context.

Remove TODO macro.
2023-12-21 02:46:27 +01:00
Nick Wellnhofer
54c70ed57f parser: Improve error handling
Introduce xmlCtxtSetErrorHandler allowing to set a structured error for
a parser context. There already was the "serror" SAX handler but this
always receives the parser context as argument.

Start to use xmlRaiseMemoryError.

Remove useless arguments from memory error functions. Rename
xmlErrMemory to xmlCtxtErrMemory.

Remove a few calls to xmlGenericError.

Remove support for runtime entity debugging.
2023-12-21 02:46:27 +01:00
Nick Wellnhofer
157df34401 xmlreader: Report malloc failures
Fix many places where malloc failures aren't reported.

Introduce a new API function xmlTextReaderGetLastError.
2023-12-11 22:13:06 +01:00
Nick Wellnhofer
5cffba8381 Rework va_copy fallback
va_copy is a macro, so it can be detected without a feature test.
Fallback to __va_copy or memcpy.
2023-11-28 15:59:40 +01:00
Nick Wellnhofer
61034116d0 error: Make more xmlError structs constant
Prepare for future changes, see 45470611.
2023-10-24 15:02:36 +02:00
Nick Wellnhofer
81741ea4c0 xmlreader: Fix EOF detection in xmlTextReaderPushData 2023-09-21 16:29:28 +02:00
Nick Wellnhofer
4e1c13ebfd debug: Remove debugging code
This is barely useful these days and only clutters the code base.
2023-09-19 17:35:09 +02:00
Nick Wellnhofer
ed3bd05284 parser: Allow to set maximum amplification factor 2023-08-20 20:49:16 +02:00
Nick Wellnhofer
e2ab48b9b5 malloc-fail: Fix unsigned integer overflow in xmlTextReaderPushData
Return immediately if xmlParserInputBufferRead fails.

Found by OSS-Fuzz, see #344.
2023-08-14 15:06:31 +02:00
Nick Wellnhofer
320f5084cd parser: Improve handling of encoding and IO errors
Make sure that xmlCharEncInput, xmlParserInputBufferPush and
xmlParserInputBufferGrow set the correct error code in the
xmlParserInputBuffer. Handle errors when calling these functions.
2023-04-30 21:31:54 +02:00
Nick Wellnhofer
c266a22023 malloc-fail: Handle memory errors in xmlTextReaderEntPush
Unfortunately, there's no way to properly report memory errors.

Found with libFuzzer, see #344.
2023-01-24 11:32:15 +01:00
Nick Wellnhofer
f67dc6189f xmlreader: Try to fix regression when reading from memory
This reverts a change from commit 2059df53, see #462.
2022-12-17 00:14:56 +01:00
Nick Wellnhofer
dd3569eaa5 Remove XMLDECL macro from .c files 2022-12-08 02:43:17 +01:00
Nick Wellnhofer
2059df5358 buf: Deprecate static/immutable buffers 2022-11-20 21:16:03 +01:00
Nick Wellnhofer
1ca0dfec35 reader: Switch to xmlParserInputBufferCreateMem
This is less efficient but can't result in input buffer overreads.

Fixes #326.
2022-11-20 21:16:03 +01:00
Nick Wellnhofer
4955e0c9e1 io: Don't shrink memory input buffers 2022-11-20 21:16:03 +01:00
Nick Wellnhofer
eef0a7395c xinclude: Implement "streaming" mode
When using xmlreader, XPointer expressions in XIncludes simply cannot
work. Expressions can reference nodes which weren't parsed yet or which
were already deleted.

After fixing nested XIncludes, we reference includes which were parsed
previously. When streaming, these nodes could have been deleted, leading
to use-after-free errors.

Disallow XPointer expressions and truncate the include table in
streaming mode.
2022-10-30 14:12:55 +01:00
Nick Wellnhofer
ad338ca737 Remove explicit integer casts
Remove explicit integer casts as final operation

- in assignments
- when passing arguments
- when returning values

Remove casts

- to the same type
- from certain range-bound values

The main motivation is that these explicit casts don't change the result
of operations and only render UBSan's implicit-conversion checks
useless. Removing these casts allows UBSan to detect cases where
truncation or sign-changes occur unexpectedly.

Document some explicit casts as truncating and add a few missing ones.
2022-09-01 02:33:57 +02:00
Nick Wellnhofer
0f568c0b73 Consolidate private header files
Private functions were previously declared

- in header files in the root directory
- in public headers guarded with IN_LIBXML
- in libxml.h
- redundantly in source files that used them.

Consolidate all private header files in include/private.
2022-08-26 02:11:56 +02:00
David Kilzer
c50196c13d Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser
When creating an xmlTextReaderPtr using xmlReaderForMemory(),
there are two optional API functions that can be used:
- xmlTextReaderClose() may be called prior to calling
  xmlFreeTextReader() to free parsing resources and close the
  xmlTextReaderPtr without freeing it.
- xmlTextReaderCurrentDoc() may be called to return an
  xmlDocPtr that's owned by the caller, and must be free using
  xmlFreeDoc() after calling xmlFreeTextReader().

The use-after-free issues occur when calling
xmlTextReaderClose() before xmlFreeTextReader(), with different
issues occurring depending on whether xmlTextReaderCurrentDoc()
is also called.

* xmlreader.c:
(xmlFreeTextReader):
- Move code to xmlTextReaderClose(), remove duplicate code, and
  call xmlTextReaderClose() if it hasn't been called yet.
(xmlTextReaderClose):
- Move call to xmlFreeNode(reader->faketext) from
  xmlFreeTextReader() to fix a use-after-free bug when calling
  xmlTextReaderClose() before xmlFreeTextReader(), but not when
  using xmlTextReaderCurrentDoc().  The bug was introduced in
  2002 by commit beb70bd39.  In 2009 commit f4653dcd8 fixed the
  use-after-free that occurred every time xmlFreeTextReader()
  was called, but not the case where xmlTextReaderClose() was
  called first.
- Move post-parsing validation code from xmlFreeTextReader() to
  fix a second use-after-free when calling xmlTextReaderClose()
  before xmlFreeTextReader().  This regressed in v2.9.10 with
  commit 57a3af56f.
2022-05-18 08:32:18 -07:00
Nick Wellnhofer
d99ddd9bd5 Improve buffer allocation scheme
In most places, we really need the double-it scheme to avoid quadratic
behavior. The hybrid scheme still can cause many reallocations and the
bounded scheme doesn't seem to provide meaningful protection in
xmlreader.c.
2022-03-06 02:26:22 +01:00
Nick Wellnhofer
4a8c71eb7c Remove DOCBparser
This code has been broken and deprecated since version 2.6.0, released
in 2003. Because of a bug in commit 961b535c, DOCBparser.c was never
compiled since 2012. I couldn't find a Debian package using any of its
symbols, so it seems safe to remove this module.
2022-03-04 22:56:21 +01:00
Nick Wellnhofer
776d15d383 Don't check for standard C89 headers
Don't check for

- ctype.h
- errno.h
- float.h
- limits.h
- math.h
- signal.h
- stdarg.h
- stdlib.h
- string.h
- time.h

Stop including non-standard headers

- malloc.h
- strings.h
2022-03-02 00:43:54 +01:00
Nick Wellnhofer
346c3a930c Remove elfgcchack.h
The same optimization can be enabled with -fno-semantic-interposition
since GCC 5. clang has always used this option by default.
2022-02-20 21:49:04 +01:00
Nick Wellnhofer
274a1b5bec Remove unneeded code in xmlreader.c
Now that no references to ID and IDREF attributes are stored in
streaming validation mode, there's no need to try and remove them.

Also remove xmlTextReaderFreeIDTable which was identical to
xmlFreeIDTable.
2022-02-20 21:49:04 +01:00
Nick Wellnhofer
31c6ce3b63 Avoid call stack overflow with XML reader and recursive XIncludes
Don't process XIncludes in the result of another inclusion to avoid
infinite recursion resulting in a call stack overflow.

This is something the XInclude engine shouldn't allow but correct
handling of intra-document includes would require major changes.

Found by OSS-Fuzz.
2020-11-09 17:55:44 +01:00
Nick Wellnhofer
b215c270fa Fix cleanup of attributes in XML reader
xml:id creates ID attributes even in documents without a DTD, so the
check in xmlTextReaderFreeProp must be changed to avoid use after free.

Found by OSS-Fuzz.
2020-09-13 12:19:48 +02:00
Nick Wellnhofer
f0fd1b67fc Limit size of free lists in XML reader when fuzzing
Keeping objects on a free list can hide memory errors. Only allow a
single node on free lists used by the XML reader when fuzzing. This
should hide fewer errors while still exercising the free list logic.
2020-08-26 00:27:53 +02:00
Nick Wellnhofer
ba589adc2f Fix double free in XML reader with XIncludes
An XInclude with empty fallback could lead to a double free in
xmlTextReaderRead.

Found by OSS-Fuzz.
2020-08-26 00:22:47 +02:00
Nick Wellnhofer
2af3c2a8b9 Fix use-after-free with validating reader
Just like IDs, IDREF attributes must be removed from the document's
refs table when they're freed by a reader. This bug is often hidden
because xmlAttr structs are reused and strings are stored in a
dictionary unless XML_PARSE_NODICT is specified.

Found by OSS-Fuzz.
2020-06-08 14:05:42 +02:00
Daniel Cheng
106757e8c1 Guard new calls to xmlValidatePopElement in xml_reader.c
Closes #154.
2020-05-04 13:53:11 +02:00
Łukasz Wojniłowicz
386fb27654 Add LIBXML_VALID_ENABLED to xmlreader
There are already LIBXML_VALID_ENABLED in this file to guard against
"--without-valid" at "./configure" step, but here they were missing.
2020-05-04 13:53:11 +02:00
Nick Wellnhofer
20c60886e4 Fix typos
Resolves #133.
2020-03-08 17:41:53 +01:00
Nick Wellnhofer
c005c7a0f7 Stop calling SAX getEntity handler from XMLReader
The getEntity handler was already invoked by xmlParseReference, so it's
useless to call it again. After the recent change, xmlSAX2GetEntity
won't load any kind of entities anyway.
2020-02-11 17:36:43 +01:00
Nick Wellnhofer
5c7e0a9a46 Copy some XMLReader option flags to parser context
The parser context stores some options both in the "options" bits and
extra members like "validate" or "replaceEntities". Which of these
are actually read is inconsistent, so make sure to also update the
bit field.
2020-02-11 16:37:52 +01:00
Jared Yanovich
2a350ee9b4 Large batch of typo fixes
Closes #109.
2019-09-30 18:04:38 +02:00
Nick Wellnhofer
664f881008 Fix use-after-free in xmlTextReaderFreeNodeList
Recent commit 1fbcf40 caused a use-after-free read because it didn't
account for the fact that xmlTextReaderFreeDoc frees entities before
freeing entity references via xmlTextReaderFreeNodeList.

Found by OSS-Fuzz.
2019-09-26 11:09:17 +02:00
Nick Wellnhofer
1fbcf4098b Make xmlTextReaderFreeNodeList non-recursive
Avoid call stack overflow when freeing deeply nested documents.

Found by OSS-Fuzz.
2019-09-23 17:46:32 +02:00
Nick Wellnhofer
6705f4d28e Remove executable bit from non-executable files 2019-09-16 15:48:59 +02:00
zhouzhongyuan
0571b4e607 Fix null deref in xmlreader buffer 2019-08-25 13:30:10 +02:00
Nick Wellnhofer
8161b463f5 Remove debug printf in xmlreader.c
Fixes #46.
2019-02-28 12:25:05 +01:00
Nick Wellnhofer
2c8dc7158a Fix null pointer dereference in xmlTextReaderReadOuterXml
Fix a regression caused by commit 39fbfb4f. If xmlTextReaderReadOuterXml
is called on a pristine xmlReader, the current node is NULL and must not
be dereferenced. Move the call to xmlTextReaderExpand to the start of
the function to make sure that we have a valid node.

Fixes #43.
2019-02-25 12:08:48 +01:00
Nick Wellnhofer
26828cb3a1 Fix commit "Memory leak in xmlFreeID (xmlreader.c)"
The recent commit "Memory leak in xmlFreeID (xmlreader.c)" introduced
a double-free.
2019-01-07 18:07:00 +01:00
Nick Wellnhofer
157cd3aed7 Fix NULL pointer deref in xmlTextReaderValidateEntity
Found by OSS-Fuzz.
2019-01-06 14:05:36 +01:00