mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Commit Graph

1005 Commits

Author SHA1 Message Date
Nick Wellnhofer
a0a8059b2c Revert "Fix memory leak in xmlParseBalancedChunkMemoryRecover"
This reverts commit 5a02583c7e.

Fixes #161.
2020-05-30 15:43:34 +02:00
Samuel Thibault
9fa3200cb3 Call xmlCleanupParser on ELF destruction
Fixes #153.
2020-05-04 13:53:11 +02:00
Nick Wellnhofer
20c60886e4 Fix typos
Resolves #133.
2020-03-08 17:41:53 +01:00
Nick Wellnhofer
1a3e584a5a Merge code paths loading external entities
Merge xmlParseCtxtExternalEntity into xmlParseExternalEntityPrivate.
2020-02-11 16:55:00 +01:00
Nick Wellnhofer
f9ea1a24ed Fix copying of entities in xmlParseReference
Before, reader mode would end up in a branch that didn't handle
entities with multiple children and failed to update ent->last, so the
hack copying the "extra" reader data wouldn't trigger. Consequently,
some empty nodes in entities are correctly detected now in the test
suite. (The detection of empty nodes in entities is still buggy,
though.)
2020-02-11 16:37:52 +01:00
Kevin Puetz
c7c526d6d0 Fix memory leak when shared libxml.dll is unloaded
When multiple modules (process/plugins) all link to libxml2.dll,
they will in fact share a single loaded instance of it.
It is unsafe for any of them to call xmlCleanupParser,
as this would deinitialize the shared state and break others that might
still have ongoing use.

However, on Windows atexit is per-module (rather than process-wide), so if used
*within* libxml2 it is possible to register a clean up when all users
are done and libxml2.dll is about to actually unload.

This allows multiple plugins to link with and share libxml2 without
a premature cleanup if one is unloaded, while still cleaning up if *all*
such callers are themselves unloaded.
2020-02-11 11:34:59 +01:00
Nick Wellnhofer
9bd7abfba4 Remove useless comparisons
Found by lgtm.com
2020-01-02 14:14:48 +01:00
Zhipeng Xie
0e1a49c890 Fix infinite loop in xmlStringLenDecodeEntities
When ctxt->instate == XML_PARSER_EOF, xmlParseStringEntityRef
returns NULL, which causes an infinite loop in xmlStringLenDecodeEntities.

Found with libFuzzer.

Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
2020-01-02 13:48:29 +01:00
Nick Wellnhofer
9737ec0717 Another fix for conditional sections at end of document
The previous fix introduced an uninitialized read.
2019-10-29 16:20:32 +01:00
Nick Wellnhofer
c1035664f9 Fix for conditional sections at end of document
Parsing conditional sections would fail if the final ']]>' was at the
end of the document. Short-lived regression caused by commit c51e38cb.
2019-10-23 11:40:34 +02:00
Jared Yanovich
2a350ee9b4 Large batch of typo fixes
Closes #109.
2019-09-30 18:04:38 +02:00
Nick Wellnhofer
c2f209c09f Disallow conditional sections in internal subset
Conditional sections are only allowed in *external* parameter entities
referenced from the internal subset.
2019-09-30 15:47:30 +02:00
Nick Wellnhofer
c51e38cb3a Make xmlParseConditionalSections non-recursive
Avoid call stack overflow in deeply nested conditional sections.

Found by OSS-Fuzz.
2019-09-30 15:47:30 +02:00
Nick Wellnhofer
62150ed2ab Make xmlParseContent and xmlParseElement non-recursive
Split xmlParseElement into subfunctions. Use nameNsPush to store prefix,
URI and nsNr on the heap, similar to the push parser.

Closes #84.
2019-09-23 17:45:50 +02:00
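The two commits above (conditional sections, then xmlParseContent/xmlParseElement) replace C recursion with bookkeeping on the heap so that nesting depth is bounded by memory rather than by the call stack. The following is an added example, not libxml2 code: a toy element-only parser that keeps the open elements on a growable heap stack (an analogue of the nameNsPush bookkeeping mentioned above) and therefore handles a million nested elements without recursion. The grammar, the helper names (`max_nesting_depth`, `make_nested_doc`, `depth_of_generated`) and the generated input are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable stack of open element names. Names point into the input
   buffer, so nothing is copied; only the stack itself lives on the heap. */
typedef struct { const char *name; size_t len; } open_elem;
typedef struct { open_elem *items; size_t n, cap; } elem_stack;

static int stack_push(elem_stack *st, const char *name, size_t len)
{
    if (st->n == st->cap) {
        size_t ncap = st->cap ? st->cap * 2 : 64;
        open_elem *p = realloc(st->items, ncap * sizeof *p);
        if (p == NULL) return -1;
        st->items = p;
        st->cap = ncap;
    }
    st->items[st->n].name = name;
    st->items[st->n].len = len;
    st->n++;
    return 0;
}

/* Parse a toy element-only document (no attributes, text or comments).
   Returns the maximum nesting depth, or -1 on a well-formedness error.
   Uses constant C-stack space however deep the document nests. */
static long max_nesting_depth(const char *doc)
{
    elem_stack st = { NULL, 0, 0 };
    long maxdepth = 0, result = -1;
    const char *p = doc;

    for (;;) {
        while (*p == ' ' || *p == '\n' || *p == '\t' || *p == '\r') p++;
        if (*p == '\0') {                 /* success only if nothing is left open */
            if (st.n == 0) result = maxdepth;
            break;
        }
        if (*p != '<') break;
        p++;
        if (*p == '/') {                  /* end tag: must match the top of the stack */
            const char *name = ++p;
            while (*p && *p != '>') p++;
            if (*p != '>' || st.n == 0) break;
            size_t len = (size_t)(p - name);
            open_elem *top = &st.items[st.n - 1];
            if (top->len != len || memcmp(top->name, name, len) != 0) break;
            st.n--;
            p++;
        } else {                          /* start tag: push instead of recursing */
            const char *name = p;
            while (*p && *p != '>' && *p != '/') p++;
            if (p == name || *p == '\0') break;
            size_t len = (size_t)(p - name);
            int empty = (*p == '/');
            if (empty) p++;
            if (*p != '>') break;
            p++;
            if (empty) continue;          /* <a/> opens nothing */
            if (stack_push(&st, name, len) != 0) break;
            if ((long)st.n > maxdepth) maxdepth = (long)st.n;
        }
    }
    free(st.items);
    return result;
}

/* Constructed input: "<a>" repeated `depth` times, then the matching end tags. */
static char *make_nested_doc(size_t depth)
{
    char *doc = malloc(depth * 7 + 1), *q = doc;
    if (doc == NULL) return NULL;
    for (size_t i = 0; i < depth; i++) { memcpy(q, "<a>", 3); q += 3; }
    for (size_t i = 0; i < depth; i++) { memcpy(q, "</a>", 4); q += 4; }
    *q = '\0';
    return doc;
}

/* Depth measured on a generated document of `depth` levels (-1 on failure). */
static long depth_of_generated(size_t depth)
{
    char *doc = make_nested_doc(depth);
    long d = doc ? max_nesting_depth(doc) : -1;
    free(doc);
    return d;
}

int main(void)
{
    printf("well-formed: %ld\n", max_nesting_depth("<r><a/><b><c></c></b></r>"));
    printf("mismatched : %ld\n", max_nesting_depth("<r><a></b></r>"));
    printf("1M deep    : %ld\n", depth_of_generated(1000000));
    return 0;
}
```

A recursive version of the same parser would overflow the default thread stack long before a million levels; this one only grows the `elem_stack` array. A production parser would still cap the depth to bound memory use, which this toy deliberately omits to show the structural change alone.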
Nick Wellnhofer
a28bc75158 Fix integer overflow in entity recursion check 2019-09-20 13:46:58 +02:00
Nick Wellnhofer
e91cbcf639 Don't read external entities or XIncludes from stdin
The file input callbacks try to read from stdin if "-" is passed as URL.
This should never be done when loading indirect resources like external
entities or XIncludes. Unfortunately, the stdin substitution happens
deep inside the IO code, so we simply replace "-" with "./-" in specific
locations.

This issue also affects other users of the library like libxslt.
Ideally, stdin should only be substituted on explicit request. But more
intrusive changes could break existing code.

Closes #90 and #102.
2019-09-20 13:26:51 +02:00
Zhipeng Xie
5a02583c7e Fix memory leak in xmlParseBalancedChunkMemoryRecover
When doc is NULL, the namespace created in xmlTreeEnsureXMLDecl
is bound to newDoc->oldNs; in this case, setting newDoc->oldNs to
NULL and freeing newDoc causes a memory leak.

Found with libFuzzer.

Closes #82.
2019-08-26 11:20:49 +02:00
Stephen Chenney
87125732cc Switched from unsigned long to ptrdiff_t in parser.c
Using unsigned long instead of ptrdiff_t results in non-zero
pointer deltas being stored as zero delta, giving incorrect offsets
into arrays and hence out of bounds reads.

This patch fixes the issue in all places in parser.c and adds a macro
to reduce the chances of cut-and-paste errors.

Only affects platforms where 'sizeof(long) < sizeof(size_t)' like
64-bit Windows.

See https://bugs.chromium.org/p/chromium/issues/detail?id=894933

Closes #44.
2019-07-08 13:00:12 +02:00
Nick Wellnhofer
01ea9c5af7 Fix another code path in xmlParseQName
Check for buffer errors in another code path missed in the previous
commit.

Found by OSS-Fuzz.
2019-07-08 11:29:40 +02:00
Nick Wellnhofer
5ccac8cecf Make sure that xmlParseQName returns NULL in error case
If there's an error growing the input buffer when recovering from
invalid QNames, make sure to return NULL. Otherwise, callers could be
confused. In xmlParseStartTag2, for example, `tlen` could become
negative.

Found by OSS-Fuzz.
2019-06-27 10:23:36 +02:00
Nick Wellnhofer
f9fce96313 Fix unsigned integer overflow
It's defined behavior but -fsanitize=unsigned-integer-overflow is
useful to discover bugs.
2019-05-20 13:38:22 +02:00
David Warring
3c0d62b419 Fix parser termination from "Double hyphen within comment" error
The patch fixes the parser not halting immediately when the error
handler attempts to stop the parser.

Rather it was running on and continuing to reference the freed buffer
in the while loop termination test.

This is only a problem if xmlStopParser is called from an error
handler. Probably caused by commit 123234f2. Fixes #58.
2019-05-14 15:55:12 +02:00
Nick Wellnhofer
b48226f78c Fix memory leaks in xmlParseStartTag2 error paths
Found by OSS-Fuzz.
2019-01-07 18:07:00 +01:00
Nick Wellnhofer
8919885ff9 Fix -Wformat-truncation warnings (GCC 8) 2019-01-06 14:24:59 +01:00
Nick Wellnhofer
123234f2cf Free input buffer in xmlHaltParser
This avoids miscalculation of available bytes.

Thanks to Yunho Kim for the report.

Closes: #26
2018-09-11 15:06:17 +02:00
Nick Wellnhofer
707ad080e6 Fix xmlParserEntityCheck
A previous commit removed the check for XML_ERR_ENTITY_LOOP which is
required to abort early in case of excessive entity recursion.
2018-01-23 16:37:54 +01:00
Nick Wellnhofer
ab362ab0ad Halt parser in case of encoding error
Should fix crbug.com/793715, although I wasn't able to reproduce the
issue.
2018-01-22 15:42:26 +01:00
Nick Wellnhofer
60dded12cb Clear entity content in case of errors
This only affects recovery mode and avoids integer overflow in
xmlStringGetNodeList and possibly other nasty surprises.

See bug 783052 and

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3874
https://bugs.chromium.org/p/chromium/issues/detail?id=796804
2018-01-22 15:23:22 +01:00
Nick Wellnhofer
132af1a0d1 Fix buffer over-read in xmlParseNCNameComplex
Calling GROW can halt the parser if the buffer grows too large. This
will set the buffer to an empty string. Return immediately in this case,
otherwise the "current" pointer is advanced leading to a buffer over-read.

Found with OSS-Fuzz. See

https://oss-fuzz.com/testcase?key=6683819592646656
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5031
2018-01-08 18:48:01 +01:00
Daniel Veillard
ad88b54f1a Improve handling of context input_id
For https://bugzilla.gnome.org/show_bug.cgi?id=772726
This was used in xmlsec to detect issues with accessing external entities
and prevent them, but was unreliable, based on a patch from Aleksey Sanin

* parser.c: make sure input_id is incremented when creating sub-entities
            for parsing or when parsing out of context
2017-12-08 09:42:31 +01:00
Nick Wellnhofer
cb5541c9f3 Fix libz and liblzma detection
If libz or liblzma are detected with pkg-config, AC_CHECK_HEADERS must
not be run because the correct CPPFLAGS aren't set. It is actually not
required to have separate checks for LIBXML_ZLIB_ENABLED and HAVE_ZLIB_H.
Only check for LIBXML_ZLIB_ENABLED and remove HAVE_ZLIB_H macro.

Fixes bug 764657, bug 787041.
2017-11-27 14:33:37 +01:00
Nick Wellnhofer
e03f0a199a Fix hash callback signatures
Make sure that all parameters and return values of hash callback
functions exactly match the callback function type. This is required
to pass clang's Control Flow Integrity checks and to allow compilation
to asm.js with Emscripten.

Fixes bug 784861.
2017-11-09 16:42:47 +01:00
Vlad Tsyrklevich
28f52fe89d Refactor name and type signature for xmlNop
Update xmlNop's name to xmlInputReadCallbackNop and its type signature
to match xmlInputReadCallback.

Fixes bug 786134.
2017-11-09 13:43:08 +01:00
Nick Wellnhofer
e3890546d7 Fix the Windows header mess
Don't include windows.h and wsockcompat.h from config.h but only when
needed.

Don't define _WINSOCKAPI_ manually. This was apparently done to stop
windows.h from including winsock.h which is a problem if winsock2.h
wasn't included first. But on MinGW, this causes compiler warnings.
Define WIN32_LEAN_AND_MEAN instead which has the same effect.

Always use the compiler-defined _WIN32 macro instead of WIN32.
2017-10-09 14:35:40 +02:00
Nick Wellnhofer
d422b954be Fix pointer/int cast warnings on 64-bit Windows
On 64-bit Windows, `long` is 32 bits wide and can't hold a pointer.
Switch to ptrdiff_t instead which should be the same size as a pointer
on every somewhat sane platform without requiring C99 types like
intptr_t.

Fixes bug 788312.

Thanks to J. Peter Mugaas for the report and initial patch.
2017-10-09 13:47:49 +02:00
Nick Wellnhofer
b90d8989d3 Fix regression with librsvg
Instead of using xmlCreateIOParserCtxt, librsvg pushes its own
xmlParserInput on top of a memory push parser. This incorrect use of
the API confuses several parser checks and, since 2.9.5, completely
breaks documents with internal subsets. Work around the problem with
internal subsets.

Thanks to Petr Sumbera for the report:

    https://mail.gnome.org/archives/xml/2017-September/msg00011.html

Also see

    https://bugzilla.gnome.org/show_bug.cgi?id=787895
2017-09-19 16:45:49 +02:00
Nick Wellnhofer
abbda93c72 Handle more invalid entity values in recovery mode
In attribute content, don't emit entity references if there are
problems with the entity value. Otherwise some illegal entity values
like

    <!ENTITY a '&#38;#x123456789;'>

would later cause problems like integer overflow.

Make xmlStringLenDecodeEntities return NULL on more error conditions
including invalid char refs and errors from recursive calls. Remove
some fragile error checks based on lastError that shouldn't be
needed now. Clear the entity content in xmlParseAttValueComplex if
an error was found.

Found by OSS-Fuzz. Should fix bug 783052.

Also see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3343
2017-09-13 17:21:04 +02:00
Nick Wellnhofer
0fcab658a2 Handle illegal entity values in recovery mode
Make xmlParseEntityValue always return NULL on error. Otherwise some
illegal entity values like

    <!ENTITY e '&%#4294967298;'>

would later cause problems like integer overflow.

Found by OSS-Fuzz. Should fix bug 783052.

Also see

    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=592
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2732
2017-09-07 19:08:43 +02:00
Nick Wellnhofer
69936b129f Revert "Print error messages for truncated UTF-8 sequences"
This reverts commit 79c8a6b which caused a serious regression in
streaming mode.

Also reverts part of commit 52ceced "Fix infinite loops with push
parser in recovery mode".

Fixes bug 786554.
2017-08-30 14:19:06 +02:00
Stéphane Michaut
454e397eb7 Porting libxml2 on zOS encoding of code
First set of patches for zOS
- entities.c parser.c tree.c xmlschemas.c xmlschemastypes.c xpath.c xpointer.c:
  ask for conversion of code to ISO Latin 1 to avoid having the compiler assume
  EBCDIC codepoint for characters.
- xmlmodule.c: make sure we have support for modules
- xmlIO.c: zOS path names are special, avoid some of the expectations from
  Unix/Windows
2017-08-28 14:30:43 +02:00
Nick Wellnhofer
899a5d9f0e Detect infinite recursion in parameter entities
When expanding a parameter entity in a DTD, infinite recursion could
lead to an infinite loop or memory exhaustion.

Thanks to Wei Lei for the first of many reports.

Fixes bug 759579.
2017-07-25 15:21:12 +02:00
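Several fixes on this page guard the same thing: the integer overflow in the entity recursion check, the restored XML_ERR_ENTITY_LOOP check in xmlParserEntityCheck, the parameter-entity recursion detection above, and the requirement that a halted parser really stops (the xmlStopParser and xmlHaltParser commits). The following is an added example, not libxml2 code: a toy entity expander that marks each entity while it is on the expansion stack to catch direct and indirect loops, bounds nesting depth, charges every produced character against a saturating budget so the counter can never wrap, and checks a `halted` flag on every loop iteration so the first error stops all further work. The entity table (including a "billion laughs" chain), the limits, and the names `expand_entities`, `expansion_error` and `expands_to` are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits are assumptions for this demo, not libxml2's values. */
#define MAX_DEPTH      40          /* nesting depth of entity references */
#define MAX_EXPANSION  1000000UL   /* characters one expansion may produce */

typedef struct {
    const char *name;
    const char *value;
    int expanding;   /* 1 while this entity is on the expansion stack */
} entity_t;

typedef struct {
    entity_t *ents;
    size_t nents;
    size_t expanded;  /* characters produced so far, saturating */
    int halted;
    const char *error;
} ctx_t;

static entity_t *lookup(ctx_t *c, const char *name, size_t len)
{
    for (size_t i = 0; i < c->nents; i++)
        if (strlen(c->ents[i].name) == len &&
            memcmp(c->ents[i].name, name, len) == 0)
            return &c->ents[i];
    return NULL;
}

/* First error wins; every loop below tests `halted` and stops promptly. */
static void halt(ctx_t *c, const char *msg)
{
    if (!c->halted) { c->halted = 1; c->error = msg; }
}

/* Saturating add: a runaway counter can never wrap back below the limit. */
static size_t sat_add(size_t a, size_t b)
{
    return (a > SIZE_MAX - b) ? SIZE_MAX : a + b;
}

static void expand(ctx_t *c, const char *s, int depth,
                   char *buf, size_t cap, size_t *len)
{
    if (depth > MAX_DEPTH) { halt(c, "entity nesting too deep"); return; }
    for (const char *p = s; *p != '\0' && !c->halted; ) {
        if (*p != '&') {                       /* literal character */
            c->expanded = sat_add(c->expanded, 1);
            if (c->expanded > MAX_EXPANSION) { halt(c, "entity expansion budget exceeded"); return; }
            if (*len + 1 >= cap) { halt(c, "output buffer full"); return; }
            buf[(*len)++] = *p++;
            continue;
        }
        const char *semi = strchr(p + 1, ';');
        if (semi == NULL) { halt(c, "unterminated entity reference"); return; }
        entity_t *e = lookup(c, p + 1, (size_t)(semi - p - 1));
        if (e == NULL) { halt(c, "undefined entity"); return; }
        if (e->expanding) { halt(c, "entity loop detected"); return; }  /* direct or indirect */
        e->expanding = 1;
        expand(c, e->value, depth + 1, buf, cap, len);
        e->expanding = 0;                      /* always cleared, even after a halt */
        p = semi + 1;
    }
}

/* Expand `text`; returns a malloc'd string, or NULL with c->error set. */
static char *expand_entities(ctx_t *c, const char *text)
{
    size_t cap = MAX_EXPANSION + 1, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL) return NULL;
    c->expanded = 0; c->halted = 0; c->error = NULL;
    expand(c, text, 0, buf, cap, &len);
    if (c->halted) { free(buf); return NULL; }
    buf[len] = '\0';
    return buf;
}

#define R5(n)  "&lol" #n ";&lol" #n ";&lol" #n ";&lol" #n ";&lol" #n ";"
#define R10(n) R5(n) R5(n)

/* Constructed entity table: benign, looping and "billion laughs" definitions. */
static entity_t demo_ents[] = {
    { "who",   "world",         0 },
    { "greet", "Hello, &who;!", 0 },
    { "self",  "&self;",        0 },   /* direct loop */
    { "ping",  "&pong;",        0 },   /* indirect loop */
    { "pong",  "&ping;",        0 },
    { "lol0",  "lol",           0 },
    { "lol1", R10(0), 0 }, { "lol2", R10(1), 0 }, { "lol3", R10(2), 0 },
    { "lol4", R10(3), 0 }, { "lol5", R10(4), 0 }, { "lol6", R10(5), 0 },
    { "lol7", R10(6), 0 }, { "lol8", R10(7), 0 }, { "lol9", R10(8), 0 },
};

static ctx_t demo_ctx(void)
{
    ctx_t c = { demo_ents, sizeof demo_ents / sizeof demo_ents[0], 0, 0, NULL };
    return c;
}

/* Error message for `text`, or NULL if it expanded cleanly. */
static const char *expansion_error(const char *text)
{
    ctx_t c = demo_ctx();
    free(expand_entities(&c, text));
    return c.error;
}

/* 1 if `text` expands exactly to `expected`, else 0. */
static int expands_to(const char *text, const char *expected)
{
    ctx_t c = demo_ctx();
    char *r = expand_entities(&c, text);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    const char *inputs[] = { "&greet;", "&self;", "&ping;", "&lol9;", "&nope;" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *err = expansion_error(inputs[i]);
        printf("%-8s -> %s\n", inputs[i], err ? err : "ok");
    }
    return 0;
}
```

The `expanding` flag catches loops at the first re-entry rather than waiting for the depth limit, and the budget stops the "billion laughs" chain after one million characters instead of the ten billion it would otherwise produce. Because the `halted` flag is tested on every iteration and every entity's flag is cleared on the way back up, a halt deep inside the recursion unwinds cleanly and leaves the table reusable.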
Nick Wellnhofer
52ceced6e7 Fix infinite loops with push parser in recovery mode
Make sure that the input pointer advances in case of errors. Otherwise,
the push parser can loop infinitely.

Found with libFuzzer.
2017-07-04 18:51:29 +02:00
Nick Wellnhofer
3eef3f39a6 Fix NULL deref in xmlParseExternalEntityPrivate
If called from xmlParseExternalEntity, oldctxt is NULL which leads to
a NULL deref if an error occurs. This only affects external code that
calls xmlParseExternalEntity.

Patch from David Kilzer with minor changes.

Fixes bug 780159.
2017-06-20 16:13:57 +02:00
Nick Wellnhofer
872fea9485 Get rid of "blanks wrapper" for parameter entities
Now that replacement of parameter entities goes exclusively through
xmlSkipBlankChars, we can account for the surrounding space characters
there and remove the "blanks wrapper" hack.
2017-06-20 13:19:47 +02:00
Nick Wellnhofer
d9e43c7db5 Make sure not to call IS_BLANK_CH when parsing the DTD
This is required to get rid of the "blanks wrapper" hack. Checking the
return value of xmlSkipBlankChars is more efficient, too.
2017-06-20 13:19:47 +02:00
Nick Wellnhofer
453dff1e3b Remove unnecessary calls to xmlPopInput
It's enough if xmlPopInput is called from xmlSkipBlankChars. Since the
replacement text of a parameter entity is surrounded with space
characters, that's the only place where the replacement can end in a
well-formed document.

This is also required to get rid of the "blanks wrapper" hack.
2017-06-20 13:19:47 +02:00
Nick Wellnhofer
aa267cd127 Simplify handling of parameter entity references
There are only two places where parameter entity references must be
handled. For the internal subset in xmlParseInternalSubset. For the
external subset or content from other external PEs in xmlSkipBlankChars.

Make sure that xmlSkipBlankChars skips over sequences of PEs and
whitespace. Rely on xmlSkipBlankChars instead of calling
xmlParsePEReference directly when in the external subset or a
conditional section.

xmlParserHandlePEReference is unused now.
2017-06-20 13:19:47 +02:00
Nick Wellnhofer
24246c7626 Fix xmlHaltParser
Pop all extra input streams before resetting the input. Otherwise,
a call to xmlPopInput could make input available again.

Also set input->end to input->cur.

Changes the test output for some error tests. Unfortunately, some
fuzzed test cases were added to the test suite without manual cleanup.
This makes it almost impossible to review the impact of later changes
on the test output.
2017-06-20 13:15:43 +02:00
Nick Wellnhofer
8bbe4508ef Spelling and grammar fixes
Fixes bug 743172, bug 743489, bug 769632, bug 782400 and a few other
misspellings.
2017-06-17 16:34:23 +02:00
Nick Wellnhofer
5f440d8cad Rework entity boundary checks
Make sure to finish all entities in the internal subset. Nevertheless,
readd a sanity check in xmlParseStartTag2 that was lost in my previous
commit. Also add a sanity check in xmlPopInput. Popping an input
unexpectedly was the source of many recent memory bugs. The check
doesn't mitigate such issues but helps with diagnosis.

Always base entity boundary checks on the input ID, not the input
pointer. The pointer could have been reallocated to the old address.

Always throw a well-formedness error if a boundary check fails. In a
few places, a validity error was thrown.

Fix a few error codes and improve indentation.
2017-06-17 13:25:53 +02:00