1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-26 00:37:43 +03:00
Commit Graph

134 Commits

Author SHA1 Message Date
Nick Wellnhofer
e60c9f4c4b malloc-fail: Fix memory leak after xmlRegNewState
Invoke xmlRegNewState from xmlRegStatePush to simplify error handling.

Found with libFuzzer, see #344.
2023-02-17 17:16:51 +01:00
Nick Wellnhofer
bd33331bb9 regexp: Simplify xmlRegAtomPush 2023-02-17 17:16:50 +01:00
Nick Wellnhofer
0f568c0b73 Consolidate private header files
Private functions were previously declared

- in header files in the root directory
- in public headers guarded with IN_LIBXML
- in libxml.h
- redundantly in source files that used them.

Consolidate all private header files in include/private.
2022-08-26 02:11:56 +02:00
Nick Wellnhofer
145170125a Fix parsing of subtracted regex character classes
Fixes #370.
2022-04-23 19:22:42 +02:00
Nick Wellnhofer
ebb1797030 Remove unneeded #includes 2022-03-04 22:11:49 +01:00
Damjan Jovanovic
37ebf8a8b2 Document support for the non-standard escape sequences.
Support non-BMP code points in surrogate pairs of '\uXXXX\uXXXX'.
2022-03-02 15:25:21 +00:00
Damjan Jovanovic
b66c19612c Use strtoul() instead of sscanf, and correct data types that break GCC. 2022-03-02 15:25:21 +00:00
Damjan Jovanovic
ec8ff95ce3 Add support for some non-standard escapes in regular expressions.
This adds support for some non-standard escape sequences observed
in Microsoft's MSXML DLLs and used by Windows apps, and thus
needed by Wine. Some are also used in other XML implementations,
eg. Java's.

This isn't intended to be final. We probably wish to toggle these
non-standard escape sequences on and off somehow, as needed by
the caller.

Further discussion: https://gitlab.gnome.org/GNOME/libxml2/-/issues/260
2022-03-02 15:25:21 +00:00
Nick Wellnhofer
776d15d383 Don't check for standard C89 headers
Don't check for

- ctype.h
- errno.h
- float.h
- limits.h
- math.h
- signal.h
- stdarg.h
- stdlib.h
- string.h
- time.h

Stop including non-standard headers

- malloc.h
- strings.h
2022-03-02 00:43:54 +01:00
Nick Wellnhofer
ea6e8f998d Fix certain combinations of regex range quantifiers
Fix regex transitions that have both min/max and a counter. In this
case, we want to save the regex state before incrementing the counter.

Fixes #301 and the issue reported here:

https://mail.gnome.org/archives/xml/2016-April/msg00017.html
2022-02-28 16:56:02 +01:00
Nick Wellnhofer
382fb056b5 Fix range quantifier on subregex
Make sure to add counted exit transitions before other counter
transitions. Otherwise, we won't backtrack correctly.

Fixes #65.
2022-02-28 16:56:02 +01:00
Nick Wellnhofer
346c3a930c Remove elfgcchack.h
The same optimization can be enabled with -fno-semantic-interposition
since GCC 5. clang has always used this option by default.
2022-02-20 21:49:04 +01:00
Arne Becker
ec6e3efb06 Patch to forbid epsilon-reduction of final states
When building the internal representation of a regexp, it is possible
that a lot of empty transitions are created. Therefore there is a step
to reduce them in the function xmlFAEliminateSimpleEpsilonTransitions.

There is an error there for this case:

* State 1 has a transition with an atom (in this case "a") to state 2.
* State 2 is final and has an epsilon transition to state 1.

After reduction it looked like:
* State 1 has a transition with an atom (in this case "a") to itself
  and is final.

In other words, the empty string is accepted when it shouldn't be.

The attached patch skips the reduction step for final states.
An alternative would be to insert or increment counters when reducing a
final state, but this seemed error prone and unnecessary, since there
aren't that many final states.

Fixes #282
2021-07-06 21:59:25 +02:00
Nick Wellnhofer
7d6837ba0e Fix caret in regexp character group
Apply Per Hedeland's patch from

    https://bugzilla.gnome.org/show_bug.cgi?id=779751

Fixes #188.
2020-10-25 20:21:43 +01:00
Nick Wellnhofer
68eadabd00 Fix exponential runtime in xmlFARecurseDeterminism
In order to prevent visiting a state twice, states must be marked as
visited for the whole duration of graph traversal because states might
be reached by different paths. Otherwise state graphs like the
following can lead to exponential runtime:

  ->O-->O-->O-->O-->O->
     \ / \ / \ / \ /
      O   O   O   O

Reset the "visited" flag only after the graph was traversed.

xmlFAComputesDeterminism still has massive performance problems when
handling fuzzed input. By design, it has quadratic time complexity in
the number of reachable states. Some issues might also stem from
redundant epsilon transitions. With this fix, fuzzing regexes with a
maximum length of 100 becomes feasible at least.

Found with libFuzzer.
2020-07-31 11:55:13 +02:00
Nick Wellnhofer
fc842f6eba Limit regexp nesting depth
Enforce a maximum nesting depth of 50 for regular expressions. Avoids
stack overflows with deeply nested regexes.

Found by OSS-Fuzz.
2020-07-06 15:22:12 +02:00
Nick Wellnhofer
f8329fdc23 Report error for invalid regexp quantifiers 2020-07-02 11:54:28 +02:00
Nick Wellnhofer
1e7851b5ae Fix integer overflow in xmlFAParseQuantExact
Found by OSS-Fuzz.
2020-06-25 12:18:21 +02:00
Nick Wellnhofer
20c60886e4 Fix typos
Resolves #133.
2020-03-08 17:41:53 +01:00
Nick Wellnhofer
52649b63eb Check for overflow when allocating two-dimensional arrays
Found by lgtm.com
2020-01-02 15:24:23 +01:00
Nick Wellnhofer
9bd7abfba4 Remove useless comparisons
Found by lgtm.com
2020-01-02 14:14:48 +01:00
Jared Yanovich
2a350ee9b4 Large batch of typo fixes
Closes #109.
2019-09-30 18:04:38 +02:00
Nick Wellnhofer
99a864a1f7 Fix Regextests
- One of the bug316338 test cases is expected to succeed.
- Memory leak in testRegexp.c.
- Refcount handling in xmlExpHashGetEntry.
2019-09-25 15:27:45 +02:00
Nick Wellnhofer
c2b0a184a9 Fix empty branch in regex
Fixes bug 649244:
https://bugzilla.gnome.org/show_bug.cgi?id=649244

Closes #57.
2019-09-25 14:22:47 +02:00
Nick Wellnhofer
e8c9cd5c7a Fix Schema determinism check of ##other namespaces
Non-compound (##local) and compound string atoms are always disjoint
regardless of whether the compound atom is negated (##other).

Closes #40.
2019-09-16 15:36:02 +02:00
zhouzhongyuan
0b793591ac Fix memory leak in xmlRegEpxFromParse
Merge request !39
2019-09-13 15:37:56 +02:00
Nick Wellnhofer
09797c139e Fix null deref in xmlregexp error path
Thanks to Shaobo He for the report.
2019-03-05 15:14:34 +01:00
J. Peter Mugaas
d2c329a9a4 Fix -Wimplicit-fallthrough warnings
Add "falls through" comments to quench implicit-fallthrough warnings
which are enabled by -Wextra under GCC 7.
2017-10-21 13:49:31 +02:00
David Kilzer
fb56f80eef Heap-buffer-overflow read of size 1 in xmlFAParsePosCharGroup
Credit to OSS-Fuzz.

Add a check to xmlFAParseCharRange() for the end of the buffer
to prevent reading past the end of it.

This fixes Bug 784017.
2017-07-04 18:51:29 +02:00
Nick Wellnhofer
8a0c66986e Fix NULL pointer deref in xmlFAParseCharClassEsc
Found with libFuzzer.
2017-07-04 18:51:29 +02:00
Nick Wellnhofer
34e445674d Fix undefined behavior in xmlRegExecPushStringInternal
It's stupid, but the behavior of memcpy(NULL, NULL, 0) is undefined.
2017-06-01 14:31:27 +02:00
Pranjal Jumde
cbb271655c Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
* xmlregexp.c:
(xmlFAParseCharRange): Only advance to the next character if
there is no error.  Advancing to the next character in case of
an error while parsing regexp leads to an out of bounds access.
2016-05-23 15:01:07 +08:00
Daniel Veillard
34b350048d Fix an error with regexp on nullable counted char transition
This is the first of the two issues raised by Pete Cordell
in https://mail.gnome.org/archives/xml/2016-April/msg00030.html
2016-05-09 09:28:38 +08:00
Jan Pokorný
bb654feb9a Fix typos: dictio{ nn -> n }ar{y,ies}
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2016-04-15 22:22:48 +08:00
Gaurav
41b0d1c4e5 Avoid Double Null Check
Cleanup
For https://bugzilla.gnome.org/show_bug.cgi?id=729851
2014-05-09 16:52:32 +08:00
Gaurav
2671b013d8 Fix potential NULL pointer dereferences in regexp code
https://bugzilla.gnome.org/show_bug.cgi?id=707749

Fix 3 cases where we might dereference NULL
2013-09-11 14:59:06 +08:00
Michael Wood
fb27e2cd20 Fix spelling of "length". 2012-10-30 10:18:49 +08:00
Daniel Veillard
f8e3db0445 Big space and tab cleanup
Remove all space before tabs and space and tabs at end of lines.
2012-09-11 13:26:36 +08:00
Daniel Veillard
466fcdaa33 Avoid a potential infinite recursion
Which can happen when eliminating epsilon transitions, as reported
by Pavel Madr <pmadr@opentext.com>
2012-08-27 12:03:40 +08:00
Daniel Veillard
40851d0c59 Fix a segfault on XSD validation on pattern error
As reported by Sven <sven@e7o.de>:
The following pattern will cause a segmentation fault in my
Apache (using PHP5 to validate a XML against a XSD):

<xs:pattern value="(.*)|"/>

Fix a cascade of error handling failures which led to the
crash in that scenario.
2012-08-17 22:59:10 +08:00
Patrick R. Gansterer
204f1f144c undef ERROR if already defined 2012-05-10 20:24:00 +08:00
Daniel Veillard
9543aee99b Fix broken escape behaviour in regexp ranges 2010-03-15 11:13:39 +01:00
Daniel Veillard
9332b48f16 Fix a Relaxng bug raised by libvirt test suite
* xmlregexp.c: other fixes in 2.7.4 raised this internal error
  when comparing ranges, this affects among others detection of
  the determinism
* test/relaxng/libvirt* result/relaxng/libvirt*: add a test case
  based on libvirt schemas and tests
2009-09-23 18:28:43 +02:00
Daniel Veillard
293416828e Release of libxml2-2.7.4
* configure.in: new version
* libxml.spec.in: cleanup
* xmlregexp.c: fix a comment
* doc/apibuild.py: update
* doc/*: regenerate everything
2009-09-10 18:23:39 +02:00
Daniel Veillard
594e5dfb48 Chasing dead assignments reported by clang-scan
* SAX2.c dict.c error.c hash.c nanohttp.c parser.c python/libxml.c
  relaxng.c runtest.c tree.c valid.c xinclude.c xmlregexp.c xmlsave.c
  xmlschemas.c xpath.c xpointer.c: mostly removing unneded affectations,
  but this led to a few real bugs and some part not yet understood
  (relaxng/interleave)
2009-09-07 14:58:47 +02:00
Daniel Veillard
13cee4e37b Fix a bunch of scan 'dead increments' and cleanup
* HTMLparser.c c14n.c debugXML.c entities.c nanohttp.c parser.c
  testC14N.c uri.c xmlcatalog.c xmllint.c xmlregexp.c xpath.c:
  fix unused variables, or unneeded increments as well as a couple
  of space issues
* runtest.c: check for NULL before calling unlink()
2009-09-05 14:52:55 +02:00
Daniel Veillard
1ba2aca3eb 492317 Fix Relax-NG validation problems
* relaxng.c xmlregexp.c: a subtle problem when checking for compileable
  content model, if using the same elements in cases of choices. Handled
  by adding a special flag to the regexp compilation to detect
  transitions with different atoms using same strings.
* test/relaxng/492317* result/relaxng/492317*: add the test to the
  regression suite
2009-08-31 16:47:39 +02:00
Daniel Veillard
d80d0728bf 559410 - Regexp bug on (...)? constructs
* xmlregexp.c: fix a regexp bug on some (...)? constructs
* test/schemas/nvdcve* result/schemas/nvdcve*: add the tests to the
  regression suite
2009-08-22 18:56:01 +02:00
Daniel Veillard
11e28e4dfb 570702 fix a bug in regexp determinism checking
* xmlregexp.c: xmlFAComputesDeterminism was bugged as it removed as
  coalesced transitions on with sane source destination and atoms but
  not looking at counters
2009-08-12 12:21:42 +02:00
Daniel Veillard
bf9c1dad3a add the testchar to 'make check' Volker Grabsch pointed out a typo
* Makefile.am: add the testchar to 'make check'
* xmlschemas.c: Volker Grabsch pointed out a typo
* xmlregexp.c: production [19] from XML Schemas regexps were a
  mistake removed in version REC-xmlschema-2-20041028, Volker Grabsch
  provided a patch to remove it
* test/schemas/regexp-char-ref_0.xml test/schemas/regexp-char-ref_0.xsd
  test/schemas/regexp-char-ref_1.xsd result/schemas/regexp-char-ref_0_0
  result/schemas/regexp-char-ref_1_0: Volker Grabsch also provided
  regession tests for this
Daniel

svn path=/trunk/; revision=3776
2008-08-26 07:46:42 +00:00