In order to prevent visiting a state twice, states must be marked as
visited for the whole duration of graph traversal because states might
be reached by different paths. Otherwise state graphs like the
following can lead to exponential runtime:
->O-->O-->O-->O-->O->
\ / \ / \ / \ /
O O O O
Reset the "visited" flag only after the graph was traversed.
xmlFAComputesDeterminism still has massive performance problems when
handling fuzzed input. By design, it has quadratic time complexity in
the number of reachable states. Some issues might also stem from
redundant epsilon transitions. With this fix, fuzzing regexes with a
maximum length of 100 becomes feasible at least.
Found with libFuzzer.
* xmlregexp.c:
(xmlFAParseCharRange): Only advance to the next character if
there is no error. Advancing to the next character in case of
an error while parsing regexp leads to an out of bounds access.
As reported by Sven <sven@e7o.de>:
The following pattern will cause a segmentation fault in my
Apache (using PHP5 to validate a XML against a XSD):
<xs:pattern value="(.*)|"/>
Fix a cascade of error handling failures which led to the
crash in that scenario.
* xmlregexp.c: other fixes in 2.7.4 raised this internal error
when comparing ranges, this affects among others detection of
the determinism
* test/relaxng/libvirt* result/relaxng/libvirt*: add a test case
based on libvirt schemas and tests
* SAX2.c dict.c error.c hash.c nanohttp.c parser.c python/libxml.c
relaxng.c runtest.c tree.c valid.c xinclude.c xmlregexp.c xmlsave.c
xmlschemas.c xpath.c xpointer.c: mostly removing unneded affectations,
but this led to a few real bugs and some part not yet understood
(relaxng/interleave)
* HTMLparser.c c14n.c debugXML.c entities.c nanohttp.c parser.c
testC14N.c uri.c xmlcatalog.c xmllint.c xmlregexp.c xpath.c:
fix unused variables, or unneeded increments as well as a couple
of space issues
* runtest.c: check for NULL before calling unlink()
* relaxng.c xmlregexp.c: a subtle problem when checking for compileable
content model, if using the same elements in cases of choices. Handled
by adding a special flag to the regexp compilation to detect
transitions with different atoms using same strings.
* test/relaxng/492317* result/relaxng/492317*: add the test to the
regression suite
* xmlregexp.c: xmlFAComputesDeterminism was bugged as it removed as
coalesced transitions on with sane source destination and atoms but
not looking at counters
* Makefile.am: add the testchar to 'make check'
* xmlschemas.c: Volker Grabsch pointed out a typo
* xmlregexp.c: production [19] from XML Schemas regexps were a
mistake removed in version REC-xmlschema-2-20041028, Volker Grabsch
provided a patch to remove it
* test/schemas/regexp-char-ref_0.xml test/schemas/regexp-char-ref_0.xsd
test/schemas/regexp-char-ref_1.xsd result/schemas/regexp-char-ref_0_0
result/schemas/regexp-char-ref_1_0: Volker Grabsch also provided
regession tests for this
Daniel
svn path=/trunk/; revision=3776
* xmlregexp.c: apply patch from Andrew Tosh to fix behaviour
when '.' is used in a posCharGroup
* test/schemas/poschargrp0_0.* result/schemas/poschargrp0_0_0*:
added the test to the regression suite
Daniel
svn path=/trunk/; revision=3687
* xmlregexp.c: another nasty regexp case fixed.
* test/regexp/ranges2 result/regexp/ranges2: added to regression
suite
Daniel
svn path=/trunk/; revision=3658
* nanohttp.c: Enhanced to include port number (if not == 80) on the
"Header:" URL (bug #469681).
* xmlregexp.c: Fixed a typo causing a warning message.
svn path=/trunk/; revision=3657
* xmlregexp.c: try to fix for the nth time the automata generation
in case of complex ranges. I suppose that time it is actually okay
Daniel
svn path=/trunk/; revision=3650
* xstc/Makefile.am doc/examples/Makefile.am Makefile.am: applied
patch from Richard Jones to for the silent flag on valgrind
when doing "make valgrind"
* xmlregexp.c: raise a regexp error when '\' is misused to escape
a standard character.
Daniel
svn path=/trunk/; revision=3606
* xmlregexp.c: fixed problem with 0x2d in Char Range (bug #420596)
* test/regexp/bug420596, result/regexp/bug420596: added regression
test for this
svn path=/trunk/; revision=3594
* tree.c: applied documentation patches from Markus Keim
* xmlregexp.c: fixed one bug and added a couple of optimisations
while working on bug #362989
Daniel
* xmlregexp.c: applied patch from Youri Golovanov fixing bug
#316338 and adding a couple of optimizations in the regexp
compilation engine.
* test/regexp/bug316338 result/regexp/bug316338: added regression
tests based on the examples provided in the bug report.
Daniel
