mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Commit Graph

254 Commits

Author SHA1 Message Date
Nick Wellnhofer
4955e0c9e1 io: Don't shrink memory input buffers 2022-11-20 21:16:03 +01:00
Nick Wellnhofer
eef0a7395c xinclude: Implement "streaming" mode
When using xmlreader, XPointer expressions in XIncludes simply cannot
work. Expressions can reference nodes which weren't parsed yet or which
were already deleted.

After fixing nested XIncludes, we reference includes which were parsed
previously. When streaming, these nodes could have been deleted, leading
to use-after-free errors.

Disallow XPointer expressions and truncate the include table in
streaming mode.
2022-10-30 14:12:55 +01:00
Nick Wellnhofer
ad338ca737 Remove explicit integer casts
Remove explicit integer casts as final operation

- in assignments
- when passing arguments
- when returning values

Remove casts

- to the same type
- from certain range-bound values

The main motivation is that these explicit casts don't change the result
of operations and only render UBSan's implicit-conversion checks
useless. Removing these casts allows UBSan to detect cases where
truncation or sign-changes occur unexpectedly.

Document some explicit casts as truncating and add a few missing ones.
2022-09-01 02:33:57 +02:00
Nick Wellnhofer
0f568c0b73 Consolidate private header files
Private functions were previously declared

- in header files in the root directory
- in public headers guarded with IN_LIBXML
- in libxml.h
- redundantly in source files that used them.

Consolidate all private header files in include/private.
2022-08-26 02:11:56 +02:00
David Kilzer
c50196c13d Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser
When creating an xmlTextReaderPtr using xmlReaderForMemory(),
there are two optional API functions that can be used:
- xmlTextReaderClose() may be called prior to calling
  xmlFreeTextReader() to free parsing resources and close the
  xmlTextReaderPtr without freeing it.
- xmlTextReaderCurrentDoc() may be called to return an
  xmlDocPtr that's owned by the caller, and must be freed using
  xmlFreeDoc() after calling xmlFreeTextReader().

The use-after-free issues occur when calling
xmlTextReaderClose() before xmlFreeTextReader(), with different
issues occurring depending on whether xmlTextReaderCurrentDoc()
is also called.

* xmlreader.c:
(xmlFreeTextReader):
- Move code to xmlTextReaderClose(), remove duplicate code, and
  call xmlTextReaderClose() if it hasn't been called yet.
(xmlTextReaderClose):
- Move call to xmlFreeNode(reader->faketext) from
  xmlFreeTextReader() to fix a use-after-free bug when calling
  xmlTextReaderClose() before xmlFreeTextReader(), but not when
  using xmlTextReaderCurrentDoc().  The bug was introduced in
  2002 by commit beb70bd39.  In 2009 commit f4653dcd8 fixed the
  use-after-free that occurred every time xmlFreeTextReader()
  was called, but not the case where xmlTextReaderClose() was
  called first.
- Move post-parsing validation code from xmlFreeTextReader() to
  fix a second use-after-free when calling xmlTextReaderClose()
  before xmlFreeTextReader().  This regressed in v2.9.10 with
  commit 57a3af56f.
2022-05-18 08:32:18 -07:00
Nick Wellnhofer
d99ddd9bd5 Improve buffer allocation scheme
In most places, we really need the double-it scheme to avoid quadratic
behavior. The hybrid scheme still can cause many reallocations and the
bounded scheme doesn't seem to provide meaningful protection in
xmlreader.c.
2022-03-06 02:26:22 +01:00
Nick Wellnhofer
4a8c71eb7c Remove DOCBparser
This code has been broken and deprecated since version 2.6.0, released
in 2003. Because of a bug in commit 961b535c, DOCBparser.c was never
compiled since 2012. I couldn't find a Debian package using any of its
symbols, so it seems safe to remove this module.
2022-03-04 22:56:21 +01:00
Nick Wellnhofer
776d15d383 Don't check for standard C89 headers
Don't check for

- ctype.h
- errno.h
- float.h
- limits.h
- math.h
- signal.h
- stdarg.h
- stdlib.h
- string.h
- time.h

Stop including non-standard headers

- malloc.h
- strings.h
2022-03-02 00:43:54 +01:00
Nick Wellnhofer
346c3a930c Remove elfgcchack.h
The same optimization can be enabled with -fno-semantic-interposition
since GCC 5. clang has always used this option by default.
2022-02-20 21:49:04 +01:00
Nick Wellnhofer
274a1b5bec Remove unneeded code in xmlreader.c
Now that no references to ID and IDREF attributes are stored in
streaming validation mode, there's no need to try and remove them.

Also remove xmlTextReaderFreeIDTable which was identical to
xmlFreeIDTable.
2022-02-20 21:49:04 +01:00
Nick Wellnhofer
31c6ce3b63 Avoid call stack overflow with XML reader and recursive XIncludes
Don't process XIncludes in the result of another inclusion to avoid
infinite recursion resulting in a call stack overflow.

This is something the XInclude engine shouldn't allow but correct
handling of intra-document includes would require major changes.

Found by OSS-Fuzz.
2020-11-09 17:55:44 +01:00
Nick Wellnhofer
b215c270fa Fix cleanup of attributes in XML reader
xml:id creates ID attributes even in documents without a DTD, so the
check in xmlTextReaderFreeProp must be changed to avoid use after free.

Found by OSS-Fuzz.
2020-09-13 12:19:48 +02:00
Nick Wellnhofer
f0fd1b67fc Limit size of free lists in XML reader when fuzzing
Keeping objects on a free list can hide memory errors. Only allow a
single node on free lists used by the XML reader when fuzzing. This
should hide fewer errors while still exercising the free list logic.
2020-08-26 00:27:53 +02:00
Nick Wellnhofer
ba589adc2f Fix double free in XML reader with XIncludes
An XInclude with empty fallback could lead to a double free in
xmlTextReaderRead.

Found by OSS-Fuzz.
2020-08-26 00:22:47 +02:00
Nick Wellnhofer
2af3c2a8b9 Fix use-after-free with validating reader
Just like IDs, IDREF attributes must be removed from the document's
refs table when they're freed by a reader. This bug is often hidden
because xmlAttr structs are reused and strings are stored in a
dictionary unless XML_PARSE_NODICT is specified.

Found by OSS-Fuzz.
2020-06-08 14:05:42 +02:00
Daniel Cheng
106757e8c1 Guard new calls to xmlValidatePopElement in xml_reader.c
Closes #154.
2020-05-04 13:53:11 +02:00
Łukasz Wojniłowicz
386fb27654 Add LIBXML_VALID_ENABLED to xmlreader
There are already LIBXML_VALID_ENABLED checks in this file to guard against
"--without-valid" at the "./configure" step, but here they were missing.
2020-05-04 13:53:11 +02:00
Nick Wellnhofer
20c60886e4 Fix typos
Resolves #133.
2020-03-08 17:41:53 +01:00
Nick Wellnhofer
c005c7a0f7 Stop calling SAX getEntity handler from XMLReader
The getEntity handler was already invoked by xmlParseReference, so it's
useless to call it again. After the recent change, xmlSAX2GetEntity
won't load any kind of entities anyway.
2020-02-11 17:36:43 +01:00
Nick Wellnhofer
5c7e0a9a46 Copy some XMLReader option flags to parser context
The parser context stores some options both in the "options" bits and
extra members like "validate" or "replaceEntities". Which of these
are actually read is inconsistent, so make sure to also update the
bit field.
2020-02-11 16:37:52 +01:00
Jared Yanovich
2a350ee9b4 Large batch of typo fixes
Closes #109.
2019-09-30 18:04:38 +02:00
Nick Wellnhofer
664f881008 Fix use-after-free in xmlTextReaderFreeNodeList
Recent commit 1fbcf40 caused a use-after-free read because it didn't
account for the fact that xmlTextReaderFreeDoc frees entities before
freeing entity references via xmlTextReaderFreeNodeList.

Found by OSS-Fuzz.
2019-09-26 11:09:17 +02:00
Nick Wellnhofer
1fbcf4098b Make xmlTextReaderFreeNodeList non-recursive
Avoid call stack overflow when freeing deeply nested documents.

Found by OSS-Fuzz.
2019-09-23 17:46:32 +02:00
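The stack-overflow problem behind commit 1fbcf4098b above, and the iterative traversal that removes it, as an added example that is neither libxml2's code nor the commit's diff. The node_t struct only copies the parent/children/next link shape of xmlNode; build_nested(), free_node_list_iter() and the counters are constructed for this example. It also keeps the naive recursive version so the two can be compared on the same tree.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tree links shaped like libxml2's xmlNode (parent/children/next); the node
 * payload is irrelevant here. Constructed stand-in, not libxml2's struct. */
typedef struct node {
    struct node *parent;
    struct node *children;
    struct node *next;
} node_t;

static long created_count = 0;
static long freed_count = 0;

/* Append a new last child to parent; parent == NULL creates a root. */
static node_t *node_add_child(node_t *parent)
{
    node_t *n = calloc(1, sizeof *n);
    if (n == NULL)
        abort();
    n->parent = parent;
    if (parent != NULL) {
        if (parent->children == NULL) {
            parent->children = n;
        } else {
            node_t *last = parent->children;
            while (last->next != NULL)
                last = last->next;
            last->next = n;
        }
    }
    created_count++;
    return n;
}

/* Build a document `depth` levels deep: every level has `fanout` children
 * and the first of them carries the chain one level further down. */
node_t *build_nested(long depth, int fanout)
{
    node_t *root = node_add_child(NULL);
    node_t *cur = root;
    for (long i = 1; i < depth; i++) {
        node_t *first = NULL;
        for (int j = 0; j < fanout; j++) {
            node_t *c = node_add_child(cur);
            if (first == NULL)
                first = c;
        }
        cur = first;
    }
    return root;
}

/* The obvious recursive free: one stack frame per nesting level, which is
 * exactly what a hostile or fuzzer-generated document pushes past the stack
 * limit. Kept only for the comparison. */
void free_node_list_recursive(node_t *list)
{
    while (list != NULL) {
        node_t *next = list->next;
        free_node_list_recursive(list->children);
        free(list);
        freed_count++;
        list = next;
    }
}

/* Non-recursive free of a sibling list and everything below it, in constant
 * stack. Walk down to the deepest first child, free it, step to its next
 * sibling, or climb to the parent once the siblings are exhausted. The node
 * being freed is always its parent's first child (earlier siblings were
 * already unlinked), so unlinking it is one pointer store. As with
 * xmlFreeNodeList, the link from the enclosing parent stays the caller's. */
void free_node_list_iter(node_t *list)
{
    node_t *stop = (list != NULL) ? list->parent : NULL;
    node_t *cur = list;

    while (cur != NULL && cur != stop) {
        while (cur->children != NULL)
            cur = cur->children;
        node_t *next = cur->next;
        node_t *parent = cur->parent;
        if (parent != stop)
            parent->children = next;
        free(cur);
        freed_count++;
        cur = (next != NULL) ? next : parent;
    }
}

/* Build and free a tree with the chosen strategy; returns the number of
 * nodes freed, or -1 if it does not match the number created. */
long run_free_demo(long depth, int fanout, int recursive)
{
    created_count = 0;
    freed_count = 0;
    node_t *root = build_nested(depth, fanout);
    if (recursive)
        free_node_list_recursive(root);
    else
        free_node_list_iter(root);
    return (freed_count == created_count) ? freed_count : -1;
}

int main(void)
{
    /* Depth 300000 blows the default 8 MiB stack in the recursive version;
     * the iterative one frees the same tree with constant stack use. */
    printf("iterative: freed %ld nodes\n", run_free_demo(300000, 2, 0));
    printf("recursive (shallow only): freed %ld nodes\n", run_free_demo(1000, 3, 1));
    return 0;
}
```

The follow-up fix in 664f881008 is about the other half of the same problem: a non-recursive free changes nothing about ordering, so anything the nodes still point at (entities, dictionary strings) must outlive the node list, not the other way round.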
Nick Wellnhofer
6705f4d28e Remove executable bit from non-executable files 2019-09-16 15:48:59 +02:00
zhouzhongyuan
0571b4e607 Fix null deref in xmlreader buffer 2019-08-25 13:30:10 +02:00
Nick Wellnhofer
8161b463f5 Remove debug printf in xmlreader.c
Fixes #46.
2019-02-28 12:25:05 +01:00
Nick Wellnhofer
2c8dc7158a Fix null pointer dereference in xmlTextReaderReadOuterXml
Fix a regression caused by commit 39fbfb4f. If xmlTextReaderReadOuterXml
is called on a pristine xmlReader, the current node is NULL and must not
be dereferenced. Move the call to xmlTextReaderExpand to the start of
the function to make sure that we have a valid node.

Fixes #43.
2019-02-25 12:08:48 +01:00
Nick Wellnhofer
26828cb3a1 Fix commit "Memory leak in xmlFreeID (xmlreader.c)"
The recent commit "Memory leak in xmlFreeID (xmlreader.c)" introduced
a double-free.
2019-01-07 18:07:00 +01:00
Nick Wellnhofer
157cd3aed7 Fix NULL pointer deref in xmlTextReaderValidateEntity
Found by OSS-Fuzz.
2019-01-06 14:05:36 +01:00
Nick Wellnhofer
57a3af56f4 Memory leak in xmlFreeTextReader
In error cases, there might still be elements in the vstate table.
Since vstateVPop in valid.c is private, we have to pop the elements
with xmlValidatePopElement. This inspects nodes of the document, so
the reader doc must be freed after clearing the vstate table.

Found by OSS-Fuzz.
2019-01-06 14:05:36 +01:00
Nick Wellnhofer
efe8c093c4 Memory leak in xmlFreeID (xmlreader.c)
Fix a memory leak in xmlReader's private copy of xmlFreeID. Only
affects validation with NODICT.

Found by OSS-Fuzz.
2019-01-06 14:05:36 +01:00
Nick Wellnhofer
6fc04d714a Revert "Support xmlTextReaderNextSibling w/o preparsed doc"
This reverts commit bfec41b3de which
caused problems with the XML::LibXML Perl bindings.

https://mail.gnome.org/archives/xml/2018-November/msg00010.html
2018-12-01 14:32:58 +01:00
Mohammed Sadiq
c7461f6547 reader: Fix documentation comment 2018-11-29 21:57:45 +01:00
Nick Wellnhofer
39fbfb4fd0 Use actual doc in xmlTextReaderRead*Xml
Otherwise the encoding of the document is ignored and non-ASCII
characters are serialized as numeric references even if the encoding
is specified as UTF-8.
2018-09-25 13:55:46 +02:00
Felix Bünemann
bfec41b3de Support xmlTextReaderNextSibling w/o preparsed doc
This implements missing support for readers that are not based on a
preparsed document in xmlTextReaderNextSibling.
2018-09-01 14:32:25 +02:00
Felix Bünemann
d2ef114c6b Fix xmlTextReaderNext with preparsed document
This fixes the traversal of parent nodes using xmlTextReaderNext()
when the reader is based on a preparsed document (created using
xmlReaderWalker(doc)).

Without this fix the parser will abort even though there are parent
nodes it should traverse to, if it is not currently on an element or
attribute node. This is incorrect, since it can be for example on a
text node when it needs to enter backtracking.
2018-09-01 14:31:34 +02:00
Nick Wellnhofer
e03f0a199a Fix hash callback signatures
Make sure that all parameters and return values of hash callback
functions exactly match the callback function type. This is required
to pass clang's Control Flow Integrity checks and to allow compilation
to asm.js with Emscripten.

Fixes bug 784861.
2017-11-09 16:42:47 +01:00
Nick Wellnhofer
5a0ae66d72 Documentation fixes
Fixes bug 347465, bug 599433, bug 624550, bug 698253.
2017-06-18 17:58:38 +02:00
David Kilzer
4472c3a5a5 Fix some format string warnings with possible format string vulnerability
For https://bugzilla.gnome.org/show_bug.cgi?id=761029

Decorate every method in libxml2 with the appropriate
LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
following the reports.
2016-05-23 15:01:07 +08:00
Jan Pokorný
bb654feb9a Fix typos: dictio{ nn -> n }ar{y,ies}
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2016-04-15 22:22:48 +08:00
Daniel Veillard
213f1fe0d7 CVE-2015-1819 Enforce the reader to run in constant memory
One of the operations on the reader could resolve entities
leading to the classic expansion issue. Make sure the
buffer used for xmlreader operation is bounded.
Introduce a new allocation type for the buffers for this effect.
2015-04-14 17:41:48 +08:00
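The two allocation questions raised on this page, quadratic reallocation cost (commit d99ddd9bd5, "Improve buffer allocation scheme") and a hard memory bound for the reader (CVE-2015-1819 above), demonstrated together in an added example that is not libxml2's xmlBuf code. The three policies, the 64-byte initial capacity and the 4 KiB linear step are this example's own choices, loosely inspired by libxml2's allocation scheme names but not reproducing its exact rules; expand_repeatedly() stands in for an entity-expansion loop that keeps appending the same replacement text.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growth policies (not libxml2's xmlBufferAllocationScheme). */
typedef enum { GROW_DOUBLE, GROW_LINEAR, GROW_BOUNDED } grow_scheme;

typedef struct {
    char *data;
    size_t len;
    size_t cap;
    grow_scheme scheme;
    size_t limit;      /* GROW_BOUNDED only: capacity may never exceed this */
    unsigned reallocs; /* instrumentation: how often realloc() was called */
} buf_t;

#define GROW_STEP 4096
#define GROW_INITIAL 64

void buf_init(buf_t *b, grow_scheme scheme, size_t limit)
{
    memset(b, 0, sizeof *b);
    b->scheme = scheme;
    b->limit = limit;
}

void buf_free(buf_t *b)
{
    free(b->data);
    memset(b, 0, sizeof *b);
}

/* Make room for `needed` bytes. Returns 0, or -1 if the bound (or memory)
 * is exhausted; the buffer is left unchanged in that case. */
static int buf_reserve(buf_t *b, size_t needed)
{
    if (needed <= b->cap)
        return 0;
    size_t cap = (b->cap != 0) ? b->cap : GROW_INITIAL;
    switch (b->scheme) {
    case GROW_DOUBLE:
        /* Amortised O(1) per byte: log2(n) reallocations for n bytes. */
        while (cap < needed) {
            if (cap > SIZE_MAX / 2) { cap = needed; break; }
            cap *= 2;
        }
        break;
    case GROW_LINEAR:
        /* Grow to the next 4 KiB boundary: every step copies the whole
         * buffer, so n bytes cost O(n^2 / 4096) bytes copied. */
        if (needed > SIZE_MAX - GROW_STEP)
            return -1;
        cap = (needed + GROW_STEP - 1) / GROW_STEP * GROW_STEP;
        break;
    case GROW_BOUNDED:
        /* Doubling, but the hard limit wins: a document that keeps
         * expanding entities cannot drive this buffer past `limit`. */
        if (needed > b->limit)
            return -1;
        while (cap < needed)
            cap *= 2;
        if (cap > b->limit)
            cap = b->limit;
        break;
    }
    char *p = realloc(b->data, cap);
    if (p == NULL)
        return -1;
    b->data = p;
    b->cap = cap;
    b->reallocs++;
    return 0;
}

/* Append n bytes plus a terminating NUL; -1 if refused. */
int buf_append(buf_t *b, const char *s, size_t n)
{
    if (n > SIZE_MAX - b->len - 1)
        return -1;
    if (buf_reserve(b, b->len + n + 1) != 0)
        return -1;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Stand-in for an entity-expansion loop: append the same `chunk`-byte
 * replacement text `count` times. Returns how many appends succeeded and,
 * if `reallocs` is non-NULL, reports the realloc count through it. */
long expand_repeatedly(grow_scheme scheme, size_t limit, size_t chunk,
                       long count, unsigned *reallocs)
{
    char *text = malloc(chunk);
    if (text == NULL)
        abort();
    memset(text, 'A', chunk);
    buf_t b;
    buf_init(&b, scheme, limit);
    long ok = 0;
    while (ok < count && buf_append(&b, text, chunk) == 0)
        ok++;
    if (reallocs != NULL)
        *reallocs = b.reallocs;
    buf_free(&b);
    free(text);
    return ok;
}

unsigned reallocs_for(grow_scheme scheme, size_t limit, size_t chunk, long count)
{
    unsigned r = 0;
    expand_repeatedly(scheme, limit, chunk, count, &r);
    return r;
}

int main(void)
{
    printf("double:  %u reallocs for 10000 x 100 bytes\n",
           reallocs_for(GROW_DOUBLE, 0, 100, 10000));
    printf("linear:  %u reallocs for 10000 x 100 bytes\n",
           reallocs_for(GROW_LINEAR, 0, 100, 10000));
    printf("bounded: %ld appends before the 1 MiB limit stopped expansion\n",
           expand_repeatedly(GROW_BOUNDED, (size_t)1 << 20, 100, 20000, NULL));
    return 0;
}
```

The bounded policy is the security-relevant one: it turns an expansion that would otherwise be limited only by available memory into a deterministic refusal at a caller-chosen size, which is the "constant memory" property the CVE fix asks of the reader, while keeping doubling below the limit so the quadratic copying of the linear policy is not reintroduced.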
Daniel Veillard
91309d3a1d Pointer dereferenced before null check
For https://bugzilla.gnome.org/show_bug.cgi?id=707027

A few pointer dereference before NULL check fixed.
Removed a useless test
2014-10-06 20:07:19 +08:00
Gaurav Gupta
d319eb9223 Fix Enum check and missing break
for https://bugzilla.gnome.org/show_bug.cgi?id=737403

In file xmlreader.c
1. An enum is checked against its proper value instead of being checked like a boolean.
2. Missing break statement added.
2014-10-06 12:24:17 +08:00
Patrick Monnerat
0f7a26d844 Improve va_list portability
Support for va_list declared as an array (cannot be referenced
explicitly)
2013-12-12 15:04:43 +08:00
Daniel Veillard
eea38159be Cleanup on duplicate test expressions
As pointed out by Thomas Jarosch <thomas.jarosch@intra2net.com>

Daniel
2013-01-28 16:55:30 +01:00
Michael Wood
fb27e2cd20 Fix spelling of "length". 2012-10-30 10:18:49 +08:00
Daniel Veillard
f8e3db0445 Big space and tab cleanup
Remove all space before tabs and space and tabs at end of lines.
2012-09-11 13:26:36 +08:00
Daniel Veillard
97fa5b3c8f Fix file and line report for XSD SAX and reader streaming validation
Things now work correctly at the xmllint level:
thinkpad:~/XML -> xmllint --sax --noout --schema test_schema.xsd
test_xml.xml
test_xml.xml:72721: Schemas validity error : Element 'level1': Missing
child element(s). Expected is ( level2 ).
test_xml.xml fails to validate
thinkpad:~/XML -> xmllint --stream --schema test_schema.xsd test_xml.xml
test_xml.xml:72721: Schemas validity error : Element 'level1': Missing
child element(s). Expected is ( level2 ).
test_xml.xml fails to validate
thinkpad:~/XML ->

* error.c: fix a corner case of not reporting lines when we should
* include/libxml/xmlschemas.h doc/symbols.xml: had to add new entry
  points to set the filename on a validation context and a locator
  callback used to fetch the line and file from the context
* xmlschemas.c: add the new entry points xmlSchemaValidateSetFilename()
  and xmlSchemaValidateSetLocator(), plus make sure the error reporting
  routine gets the information if available. Add a locator for SAX.
* xmlreader.c: add and plug a locator for readers.
2012-08-14 11:01:07 +08:00
Daniel Veillard
3e62adbe39 Adding various checks on node type though the API
Specifically checking against namespace nodes before accessing node
pointers
2012-08-09 14:24:02 +08:00
Daniel Veillard
61551a1eb7 Cleanup function xmlBufResetInput() to set input from Buffer
This was scattered in a number of modules; xmlParserInputPtr
usually have their base, cur and end pointers set from an
xmlBuf used as input.
* buf.c buf.h: add a new function implementing this setup
* parser.c HTMLparser.c catalog.c parserInternals.c xmlreader.c
  use the new function instead of digging into the buffer in
  all those modules
2012-07-23 14:24:27 +08:00