1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-26 00:37:43 +03:00
Commit Graph

521 Commits

Author SHA1 Message Date
Nick Wellnhofer
7abec67147 NaN and Inf fixes for pre-C99 compilers
On some pre-C99 compilers, the NAN and INFINITY macros don't expand to
constant expressions.

Some MSVC versions complain about floating point division by zero in
constants.

Thanks to Fabrice Manfroi for the report.
2018-03-16 15:09:42 +01:00
Nick Wellnhofer
ddbb075b70 Fix xmlXPathIsNaN broken by recent commit 2017-11-27 14:33:26 +01:00
Nick Wellnhofer
b21895717d Fix -Wenum-compare warnings
Also fixes a serious bug in xmlXPtrNewRangeNodePoint.
2017-11-27 13:42:30 +01:00
Nick Wellnhofer
13acadbb1c Ignore function pointer cast warnings
Use GCC pragmas as these warnings are enabled by -Wpedantic and there's
no way to disable them selectively.
2017-11-14 16:01:48 +01:00
Nick Wellnhofer
8813f397f8 Simplify XPath NaN, inf and -0 handling
Use C99 macros NAN, INFINITY, isnan, isinf. If they're not available:

- Assume that (0.0 / 0.0) generates a NaN and !(x == x) tests for NaN.
- Use C89's HUGE_VAL for INFINITY.

Remove manual handling of NaN, infinity and negative zero in functions
xmlXPathValueFlipSign and xmlXPathDivValues.

Remove xmlXPathGetSign. All the tests for negative zero can be replaced
with a test for negative or positive zero.

Simplify xmlXPathRoundFunction.

Remove Trio dependency.

This should work on IEEE 754 compliant implementations even if the C99
macros aren't available, but will likely break some ancient platforms.
If problems arise, my plan is to port the relevant trionan.c solution
to xpath.c. Note that non-compliant implementations are impossible
to fully support, anyway, since XPath requires IEEE 754.
2017-11-14 15:58:40 +01:00
Nick Wellnhofer
e03f0a199a Fix hash callback signatures
Make sure that all parameters and return values of hash callback
functions exactly match the callback function type. This is required
to pass clang's Control Flow Integrity checks and to allow compilation
to asm.js with Emscripten.

Fixes bug 784861.
2017-11-09 16:42:47 +01:00
J. Peter Mugaas
d2c329a9a4 Fix -Wimplicit-fallthrough warnings
Add "falls through" comments to quench implicit-fallthrough warnings
which are enabled by -Wextra under GCC 7.
2017-10-21 13:49:31 +02:00
Nick Wellnhofer
d422b954be Fix pointer/int cast warnings on 64-bit Windows
On 64-bit Windows, `long` is 32 bits wide and can't hold a pointer.
Switch to ptrdiff_t instead which should be the same size as a pointer
on every somewhat sane platform without requiring C99 types like
intptr_t.

Fixes bug 788312.

Thanks to J. Peter Mugaas for the report and initial patch.
2017-10-09 13:47:49 +02:00
Nick Wellnhofer
5af594d8bc Fix comparison of nodesets to strings
Fix two bugs in xmlXPathNodeValHash which could lead to errors when
comparing nodesets to strings:

- Only use contents of text nodes to compute the hash for element nodes.
  Comments, PIs, and other node types don't affect the string-value and
  must be ignored.
- Reset `string` to NULL for node types other than text.

Reported by Aleksei on the mailing list:

    https://mail.gnome.org/archives/xml/2017-September/msg00016.html
2017-10-07 15:22:57 +02:00
Nick Wellnhofer
0f3b843b35 Fix XPath stack frame logic
Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
xmlXPathCompOpEvalPositionalPredicate to make sure that the context
object on the stack is actually protected. Otherwise, memory corruption
can occur when calling sloppily coded XPath extension functions.

Fixes bug 783160.
2017-09-21 17:55:39 +02:00
Nick Wellnhofer
3157cf4e53 Report undefined XPath variable error message
Commit c851970 removed a redundant error message if XPath evaluation
failed. This uncovered a case where an undefined XPath variable error
wasn't reported correctly.

Thanks to Petr Pisar for the report.

Fixes bug 787941.
2017-09-20 16:13:29 +02:00
Nick Wellnhofer
ca8635bfc2 Fix debug dump of streaming XPath expressions
The debug function xmlXPathDebugDumpCompExpr would crash when
called with a "streaming" expression.

Fixes bug 787368.
2017-09-07 15:46:12 +02:00
Daniel Veillard
dbb828feb9 Fix missing part of comment for function xmlXPathEvalExpression() 2017-08-28 20:38:53 +02:00
Stéphane Michaut
454e397eb7 Porting libxml2 on zOS encoding of code
First set of patches for zOS
- entities.c parser.c tree.c xmlschemas.c xmlschemastypes.c xpath.c xpointer.c:
  ask conversion of code to ISO Latin 1 to avoid having the compiler assume
  EBCDIC codepoint for characters.
- xmlmodule.c: make sure we have support for modules
- xmlIO.c: zOS path names are special avoid dsome of the expectstions from
  Unix/Windows
2017-08-28 14:30:43 +02:00
Nick Wellnhofer
7482f41f61 Check for integer overflow in xmlXPathFormatNumber
Check for overflow before casting double to int.

Found with afl-fuzz and UBSan.
2017-06-01 22:00:19 +02:00
Nick Wellnhofer
f4029cd413 Check XPath exponents for overflow
Avoid undefined behavior and wrong results with huge exponents.

Found with afl-fuzz and UBSan.
2017-05-31 16:04:37 +02:00
Nick Wellnhofer
a58331a6ee Check for overflow in xmlXPathIsPositionalPredicate
Avoid undefined behavior when casting from double to int.

Found with afl-fuzz and UBSan.
2017-05-31 16:04:26 +02:00
Nick Wellnhofer
a851868a75 Parse small XPath numbers more accurately
Don't count leading zeros towards the fraction size limit. This allows
to parse numbers like

    0.0000000000000000000000000000000000000000000000000000000001

which is the only standard-conformant way to represent such numbers, as
scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath
2.0 and in libxml2 as an extension, though.)

Overall accuracy is still bad, see bug 783238.
2017-05-31 15:46:29 +02:00
Nick Wellnhofer
4bebb030db Rework XPath rounding functions
Use the C library's floor and ceil functions. The old code was overly
complicated for no apparent reason and could result in undefined
behavior when handling NaNs (found with afl-fuzz and UBSan).

Fix wrong comment in xmlXPathRoundFunction. The implementation was
already following the spec and rounding half up.
2017-05-31 15:38:42 +02:00
Nick Wellnhofer
40f5852149 Fix axis traversal from attribute and namespace nodes
When traversing the "preceding" axis from an attribute node, we must
first go up to the attribute's containing element. Otherwise, text
children of other attributes could be returned. This made it possible
to hit a code path in xmlXPathNextAncestor which contained another bug:
The attribute node was initialized with the context node instead of the
current node. Normally, this code path is only hit via
xmlXPathNextAncestorOrSelf in which case the current and context node
are the same.

The combination of the two bugs could result in an infinite loop, found
with libFuzzer.

Traversing the "following" and the "preceding" axis from namespace nodes
should be handled similarly. This wasn't supported at all previously.
2017-05-31 14:57:46 +02:00
Nick Wellnhofer
a07a4e96d0 Fix spurious error message
Commit c851970 introduced a spurious error message when evaluating
XPath expressions with xmlXPathCompiledEvalToBoolean.
2017-05-27 17:07:53 +02:00
Nick Wellnhofer
aed407c14b Check for trailing characters in XPath expressions earlier
Move the check for trailing characters from xmlXPathEval to
xmlXPathEvalExpr. Otherwise, a valid portion of a syntactically invalid
expression would be evaluated before returning an error.
2017-05-27 16:04:07 +02:00
Nick Wellnhofer
c851970c6e Rework final handling of XPath results
Move cleanup of XPath stack to xmlXPathFreeParserContext. This avoids
memory leaks if valuePop fails in some error cases. Found with
libFuzzer and ASan.

Rework handling of the final XPath result object in
xmlXPathCompiledEvalInternal and xmlXPathEval to avoid useless error
messages.
2017-05-27 16:03:48 +02:00
Nick Wellnhofer
640a368c80 Make xmlXPathEvalExpression call xmlXPathEval
Both functions are supposed to do exactly the same.
2017-05-27 15:59:18 +02:00
Nick Wellnhofer
cf60dbe461 Fix memory leak in xmlXPathCompareNodeSetValue
Implement TODO block to free the arguments in error case.

Found with libFuzzer and ASan.
2017-05-27 15:59:18 +02:00
Nick Wellnhofer
9d08b34716 Fix memory leak in xmlXPathNodeSetMergeAndClear
Namespaces nodes must not be duplicated when merging.

Found with libFuzzer and ASan.
2017-05-27 15:59:18 +02:00
Nick Wellnhofer
95a9249a60 Fix memory leak in XPath filter optimizations
Namespace nodes must be freed when selecting the first or last element
of a node set.

Found with libFuzzer and ASan.
2017-05-27 15:59:05 +02:00
Nick Wellnhofer
d42a7063da Fix memory leaks in XPath error paths
Found with libFuzzer and ASan.
2017-05-27 14:58:19 +02:00
Nick Wellnhofer
229d1f93ce Avoid function/data pointer conversion in xpath.c
Fixes a `-pedantic` compiler warning.
2016-10-12 13:23:16 +02:00
Nick Wellnhofer
9ab01a277d Fix XPointer paths beginning with range-to
The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.
2016-10-12 13:12:18 +02:00
Nick Wellnhofer
a005199330 Fix comparison with root node in xmlXPathCmpNodes
This change has already been made in xmlXPathCmpNodesExt but not in
xmlXPathCmpNodes.
2016-10-12 13:09:21 +02:00
Nick Wellnhofer
d8083bf779 Fix NULL pointer deref in XPointer range-to
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.

Found with afl-fuzz.
2016-06-25 14:24:51 +02:00
David Kilzer
4472c3a5a5 Fix some format string warnings with possible format string vulnerability
For https://bugzilla.gnome.org/show_bug.cgi?id=761029

Decorate every method in libxml2 with the appropriate
LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
following the reports.
2016-05-23 15:01:07 +08:00
Nick Wellnhofer
6eb0894a96 Fix memory leak with XPath namespace nodes
Set hasNsNodes to 1 when adding namespace nodes via XP_TEST_HIT.
2016-05-05 17:38:27 +02:00
Nick Wellnhofer
82b73039dc Fix namespace axis traversal
When the namespace axis is traversed in "toBool" mode, the traversal
can exit early, before visiting all nodes. In this case, the XPath
context still contains a non-NULL tmpNsList.

This means that

- the check when to start a new traversal was wrong and
- the tmpNsList could be leaked.

Fixes bug #750037 and, by accident, bug #756075:

https://bugzilla.gnome.org/show_bug.cgi?id=750037
https://bugzilla.gnome.org/show_bug.cgi?id=756075
2016-05-05 15:30:00 +02:00
Nick Wellnhofer
839689a9a8 Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression
The ch1 slot of OP_VALUEs contains an invalid value. Ignore it.

Fixes bug #760325:

https://bugzilla.gnome.org/show_bug.cgi?id=760325
2016-04-27 18:05:06 +02:00
Nick Wellnhofer
f39fd66ea7 Fix namespace::node() XPath expression
Make sure that xmlXPathNodeSetAddNs is called for namespace nodes when
matched with a namespace::node() step. This correctly sets the parent
of namespace nodes. Note that xmlXPathNodeSetAddNs must only be called
if working on the namespace axis. Otherwise, the context node is not
the parent of the namespace node and the standard XP_TEST_HIT macro
must be invoked. This explains the errors in the C14N tests that the
old TODO comment mentioned.
2016-04-27 11:21:35 +02:00
Nick Wellnhofer
e289390362 Fix parsing of NCNames in XPath
The NCName parser would allow any NameChar as start character. For
example, the following XPath expressions would compile:

    self::-abc
    self::0abc
    self::.abc
2016-04-23 19:12:47 +02:00
Jan Pokorný
bb654feb9a Fix typos: dictio{ nn -> n }ar{y,ies}
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2016-04-15 22:22:48 +08:00
Shlomi Fish
d5bd2a9a40 Correct a typo. 2016-04-11 09:42:23 +08:00
Nick Wellnhofer
3eaedba1b6 Fix previous change to node sort order
Commit ba58f23 broke comparison of nodes from different documents.
Thanks to Olli Pottonen for the report.
2015-07-11 14:27:34 +02:00
Nick Wellnhofer
ba58f23c60 Fix order of root nodes
Make sure root nodes are sorted before other nodes.
2015-03-08 16:44:11 +01:00
Nick Wellnhofer
f6aaabce85 Allow attributes on descendant-or-self axis
If the context node is an attribute, the attribute itself is on the
descendant-or-self axis. The principal node type of this axis is element,
so the only node test that can return the attribute is "node()". In other
words, "@attr/descendant-or-self::node()" is equivalent to "@attr".

This matches the behavior of Saxon-CE.
2015-03-08 16:25:52 +01:00
Nick Wellnhofer
07def30fa7 Restore context size and position after XPATH_OP_ARG
Fixes a bug with predicates:
https://mail.gnome.org/archives/xml/2014-March/msg00014.html
2014-03-24 13:02:06 +01:00
Jan Pokorný
75801652a2 Fix typos in {tree,xpath}.c (errror)
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2014-02-06 10:47:47 +01:00
Nick Wellnhofer
03c6723043 Handling of XPath function arguments in error case
The XPath engine tries to guarantee that every XPath function can pop
'nargs' non-NULL values off the stack. libxslt, for example, relies on
this assumption. But the check isn't thorough enough if there are errors
during the evaluation of arguments. This can lead to segfaults:

https://mail.gnome.org/archives/xslt/2013-December/msg00005.html

This commit makes the handling of function arguments more robust.

* Bail out early when evaluation of XPath function arguments fails.
* Make sure that there are 'nargs' arguments in the current call frame.
2013-12-20 17:45:04 +01:00
Gaurav
fcd4583189 Fix XPath node comparison bug
For https://bugzilla.gnome.org/show_bug.cgi?id=715143
2013-11-28 23:01:44 +08:00
Nick Wellnhofer
e8de99f90c Fix XPath expressions of the form '@ns:*'
Use namespace for match-all queries on the attribute axis.
2013-08-05 01:26:25 +02:00
Nick Wellnhofer
b4bcba23f6 Fix XPath '//' optimization with predicates
My attempt to optimize XPath expressions containing '//' caused a
regression reported in bug #695699. This commit disables the
optimization for expressions of the form '//foo[predicate]'.
2013-08-05 00:15:11 +02:00
Denis Pauk
e28c8a1ace #705267 - add additional defines checks for support "./configure --with-minimum"
https://bugzilla.gnome.org/show_bug.cgi?id=705267
2013-08-03 22:00:17 +08:00