Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.
Found with afl-fuzz.
Fixes CVE-2016-4658.
The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.
The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.
Found with afl-fuzz.
Fixes CVE-2016-5131.
* SAX2.c dict.c error.c hash.c nanohttp.c parser.c python/libxml.c
relaxng.c runtest.c tree.c valid.c xinclude.c xmlregexp.c xmlsave.c
xmlschemas.c xpath.c xpointer.c: mostly removing unneded affectations,
but this led to a few real bugs and some part not yet understood
(relaxng/interleave)
* libxml2.syms: the symbols with history, going back to 2.4.30
* Makefile.am configure.in: linking flags detection and use
* parser.c tree.c valid.c xpointer.c: various cleanup of functions
which could be made static or simply discarded, not that many
* HTMLparser.c SAX2.c encoding.c globals.c parser.c relaxng.c
runsuite.c runtest.c schematron.c testHTML.c testReader.c
testRegexp.c testSAX.c testThreads.c valid.c xinclude.c xmlIO.c
xmllint.c xmlmodule.c xmlschemas.c xpath.c xpointer.c: a lot of
small cleanups based on Linus' sparse check output.
Daniel
* doc/apibuild.py doc/elfgcchack.xsl: revamped the elfgcchack.h
format to cope with gcc4 change of aliasing allowed scopes, had
to add extra informations to doc/libxml2-api.xml to separate
the header from the c module source.
* *.c: updated all c library files to add a #define bottom_xxx
and reimport elfgcchack.h thereafter, and a bit of cleanups.
* doc//* testapi.c: regenerated when rebuilding the API
Daniel
* gentest.py testapi.c: autogenerate a minimal NULL value sequence
for unknown pointer types
* HTMLparser.c SAX2.c chvalid.c encoding.c entities.c parser.c
parserInternals.c relaxng.c valid.c xmlIO.c xmlreader.c
xmlsave.c xmlschemas.c xmlschemastypes.c xmlstring.c xpath.c
xpointer.c: This uncovered an impressive amount of entry points
not checking for NULL pointers when they ought to, closing all
the open gaps.
Daniel
* xinclude.c: enhanced to assure that if xpointer is called
for a document, the XML_PARSE_NOENT flag is set before parsing
the included document so that entities will automatically get
taken care of.
* xpointer.c: corrected code so that, if an XML_ENTITY_REF node
is encountered, it will log it and not crash (bug 135713)
* python/generator.py, python/libxml2class.txt: fixed problem
pointed out by Stphane Bidoul on the list.
* xinclude.c, xpointer.c, xpath.c, include/libxml/xpointer.h:
completed modifications required to fix Bug 129967 (at last!).
Now wait to see how long before further trouble...
* parser.c, xmlmemory.c, include/libxml/xmlmemory.h: Fixed
memory leak reported by Dave Beckett
* xmlschemas.c: Removed spurious comment reported on the mailing
list
* xinclude.c, xpath.c, xpointer.c, libxml/include/xpointer.h:
Further work on Bug 129967 concerning xpointer range handling
and range-to function; much better, but still not complete
* xmlschemas.c: edited a couple of comments in accordance with
posting on the mailing list (no logic change)
* xpointer.c: working on Bug 129967, added check for NULL
nodeset to prevent crash. Further work required.
* xpath.c: working on Bug 129967, added code to handle
XPATH_LOCATIONSET in RANGETO code, also added code to
handle it in xmlXPathEvaluatePredicateResult. Further
work required.
* catalog.c,relaxng.c,testAutomata.c,xpointer.c,genChRanges.py,
chvalid.c,include/libxml/chvalid.h,doc/examples/test1.c:
minor error cleanup for gcc-3.3.[12] compilation warnings.
* HTMLparser.c c14n.c catalog.c error.c globals.c parser.c
parserInternals.c relaxng.c valid.c xinclude.c xmlIO.c xmlregexp.c
xmlschemas.c xpath.c xpointer.c include/libxml/globals.h
include/libxml/parser.h include/libxml/valid.h
include/libxml/xmlerror.h: Setting up the framework for structured
error reporting, touches a lot of modules, but little code now
the error handling trail has been cleaned up.
Daniel
* DOCBparser.c HTMLparser.c c14n.c catalog.c encoding.c globals.c
nanohttp.c parser.c parserInternals.c relaxng.c tree.c uri.c
xmlmemory.c xmlreader.c xmlregexp.c xpath.c xpointer.c
include/libxml/globals.h include/libxml/xmlmemory.h: added
xmlMallocAtomic() to be used when allocating blocks which
do not contains pointers, add xmlGcMemSetup() and xmlGcMemGet()
to allow registering the full set of functions needed by
a garbage collecting allocator like libgc, ref #109944
Daniel
* check-xinclude-test-suite.py: improved the script accordingly
to the XInclude regression tests updates
* xpointer.c: Implemented XPointer element() Scheme W3C PR of 13
November 2002
* result/XPath/xptr/chapterschildseq result/XPath/xptr/vidchildseq
test/XPath/xptr/chapterschildseq test/XPath/xptr/vidchildseq:
augmented the Xpointer testsuite for the element() scheme
Daniel
* configure.in: preparing 2.4.18
* doc/*: updated and rebuilt the web site
* *.c libxml.h: implement the new IN_LIBXML scheme discussed with
the Windows and Cygwin maintainers.
* parser.c: humm, changed the way the SAX parser work when
xmlSubstituteEntitiesDefault(1) is set, it will then
do the entity registration and loading by itself in case the
user provided SAX getEntity() returns NULL.
* testSAX.c: added --noent to test the behaviour.
Daniel
* c14n.c: Fixing #74186, made sure all boolean expressions
get fully parenthesized, ran indent on the output
* configure.in HTMLtree.c SAX.c c14n.c debugXML.c tree.c xpointer.c
include/libxml/tree.h: also #74186 related, removed the
--with-buffers option, and all the preprocessor conditional
sections that were resulting from it.
Daniel
* HTMLtree.c catalog.c debugXML.c entities.c nanoftp.c
parser.c valid.c xmlmemory.c xpath.c xpointer.c: started
integrating the non-controversial parts of Gary Pennington
multithread patches
* catalog.c: corrected a small bug introduced
Daniel
* configure.in: preparing 2.4.6 release
* doc/xml.html doc/html/*: updated and rebuilt the docs
* include/libxml/*.h *.c: fixed a number of teh/the widht/width typos
Daniel
* DOCBparser.c HTMLparser.c HTMLtree.c SAX.c debugXML.c parser.c
tree.c xpointer.c: store the line numbder in element->content,
may break some software, need a configuration mechanism
Daniel
* AUTHORS: added William and Bjorn
* include/libxml/*.h *.c README doc/*.html etc.: changed old email to
daniel@veillard.com hopefully I won't have to do this again
* doc/Makefile.am doc/html/*.html: cleanup makefile, checked that
docs can be rebuilt cleanly now
* include/libxml/xml*version.h*: removed include/libxml/xmlversion.h
from CVs it's generated, added include/libxml/xmlwin32version.h
also generated but which should change far less frequently.
* catalog.c nanoftp.c: made sure to include libxml.h not
libxml/xmlversion.h directly
* include/libxml/*.h: include xmlwin32version.h instead of xmlversion.h
when compiling on WIN32 and MSC
Daniel
- xinclude.c xpath.c xpathInternals.h xpointer.c: cleanup
w.r.t. --without-debug and other include points
- catalog.h testCatalog.c: a bit of cleanup and prepare for XML
Catalogs
- configure.in entities.h tree.h HTMLparser.c: removed
--without-corba, made the _private field mandatory
Daniel
- result/HTML/cf_128.html* test/HTML/cf_128.html: added the test
to the suite
forgot to commit this one yesterday
- encoding.h hash.c nanoftp.h parser.h tree.h uri.h xlink.h xpointer.c:
applied a documentation patch from LotR and filled in a few missing
descriptions
Daniel
Spring cleanup ...:
- configure.in Makefile.am config.h.in xmlversion.h.in: detect if
we need string functions
- trio.[ch] strio.[ch]: embedded the Trio-0.23 string functions
to be able to use them where needed. Applied some changes
to reduce name linking pollution and compile in only what's
needed.
- HTMLtree.c debugXML.c entities.c error.c nanoftp.c valid.c
xlink.c xmlversion.h.in xpath.c: got rid of the #ifdef
for the string manipulation functions
- xmlmemory.[ch]: removed DEBUG_MEMORY_FREED and added it automatically
to the free() function of xmlmemory.c
- entities.c HTMLtree.c parserInternals.c tree.c uri.c valid.c
xinclude.c xmlIO.c xpath.c xpointer.c: removed the MEM_CLEANUP
usage.
Daniel
testHTML.c testSAX.c tree.c valid.c xmlIO.c xmlmemory.c
xmlversion.h.in xpointer.c: of course the way I defined
UNUSED breaks on old gcc version. Try to be smart and
also define it directly in xmlversion.h
- configure.in: removed -ansi flag from the pedantic set
Daniel