Avoids resource exhaustion if the maximum recursion depth was exceeded.
Note that the XInclude engine offers no protection against other
"billion laughs"-style amplification attacks as long as they stay below
the maximum depth.
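The point about "billion laughs"-style amplification below the depth limit is easy to see in a toy model. The following is an added example, not libxml2 code: it expands a constructed include chain under a recursion depth limit and shows that a modest fan-out below that limit still produces over a million expansions, so a total-expansion budget (a hypothetical extra check here, not something the commit adds) is what actually bounds the work. All names (Doc, ExpandCtx, expand_count) are hypothetical.

```c
/* Added example, not libxml2 code. A minimal model of recursive include
 * expansion with a depth limit, plus a total-expansion budget as the extra
 * check the depth limit alone does not provide. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_DOCS     16
#define MAX_CHILDREN 16

/* A "document" is just the list of documents it includes. */
typedef struct {
    int nchildren;
    int children[MAX_CHILDREN];
} Doc;

typedef struct {
    const Doc *docs;
    int  max_depth;   /* recursion depth limit, the only check the commit adds */
    long max_nodes;   /* total expansion budget (hypothetical); 0 disables it */
    long nodes;       /* nodes expanded so far */
    int  error;       /* 1 = depth exceeded, 2 = node budget exceeded */
} ExpandCtx;

static void expand(ExpandCtx *ctx, int id, int depth)
{
    if (ctx->error)
        return;
    if (depth > ctx->max_depth) {
        ctx->error = 1;
        return;
    }
    ctx->nodes++;
    if (ctx->max_nodes > 0 && ctx->nodes > ctx->max_nodes) {
        ctx->error = 2;
        return;
    }
    const Doc *d = &ctx->docs[id];
    for (int i = 0; i < d->nchildren; i++)
        expand(ctx, d->children[i], depth + 1);
}

/* Constructed input: a "billion laughs" chain where document i includes
 * document i+1 `fanout` times and document `levels` is a leaf. */
static void build_chain(Doc *docs, int levels, int fanout)
{
    memset(docs, 0, sizeof(Doc) * MAX_DOCS);
    for (int i = 0; i < levels; i++) {
        docs[i].nchildren = fanout;
        for (int j = 0; j < fanout; j++)
            docs[i].children[j] = i + 1;
    }
}

/* Expands the chain from document 0. Returns the number of nodes expanded,
 * or -1 if the depth limit was hit, -2 if the node budget was hit,
 * -3 if the requested chain does not fit the toy model. */
long expand_count(int levels, int fanout, int max_depth, long max_nodes)
{
    Doc docs[MAX_DOCS];
    if (levels < 0 || levels >= MAX_DOCS || fanout < 0 || fanout > MAX_CHILDREN)
        return -3;
    build_chain(docs, levels, fanout);
    ExpandCtx ctx = { docs, max_depth, max_nodes, 0, 0 };
    expand(&ctx, 0, 0);
    return ctx.error ? -(long)ctx.error : ctx.nodes;
}

int main(void)
{
    /* Six levels of fan-out 10 stay well under a depth limit of 10 but
     * expand to 1,111,111 nodes; only the node budget stops that. */
    printf("depth limit only:  %ld\n", expand_count(6, 10, 10, 0));
    printf("with node budget:  %ld\n", expand_count(6, 10, 10, 100000));
    printf("too deep:          %ld\n", expand_count(12, 1, 10, 0));
    return 0;
}
```

The depth check catches the linear chain (12 levels against a limit of 10) but passes the wide one, which is exactly the class of input the commit message says remains unprotected; a budget on total expanded nodes or bytes is the usual complement to a depth limit.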
In xpath.c there's a lot of code like:
valuePush(ctxt, xmlCacheNewX());
...
valuePop(ctxt);
If xmlCacheNewX fails, no value will be pushed on the stack. If there's
no error check in between, valuePop will pop an unrelated value which
can lead to use-after-free errors.
Instead of trying to fix all call sites, we simply stop popping values
if an error was signaled. This requires changing the CHECK_TYPE macro
which is often used to determine whether a value can be safely popped.
Found with libFuzzer, see #344.
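The push/pop hazard described above, reproduced on a toy value stack as an added example (not libxml2 code; Ctx, Value, alloc_value, value_push, value_pop and value_pop_unsafe are hypothetical names, and the real fix's change to the CHECK_TYPE macro is not modelled). When the allocation feeding the push fails, nothing is pushed, and an unconditional pop hands the call site the caller's own value; the fixed pop refuses to pop once the context has an error signaled.

```c
/* Added example, not libxml2 code. Models the push/pop hazard on a toy
 * XPath-style value stack. All names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char tag[8];
} Value;

typedef struct {
    Value *stack[16];
    int top;
    int error;    /* nonzero once an error has been signaled on this context */
} Ctx;

static int fail_next_alloc;   /* test hook: force the next allocation to fail */

/* Allocates a value; on failure signals the error on the context and
 * returns NULL, like an allocator that reports through xmlErrMemory. */
static Value *alloc_value(Ctx *ctxt, const char *tag)
{
    Value *v = NULL;
    if (!fail_next_alloc)
        v = calloc(1, sizeof *v);
    fail_next_alloc = 0;
    if (v == NULL) {
        ctxt->error = 1;
        return NULL;
    }
    strncpy(v->tag, tag, sizeof v->tag - 1);
    return v;
}

/* Pushing NULL pushes nothing: the stack is left unchanged. */
static int value_push(Ctx *ctxt, Value *v)
{
    if (v == NULL || ctxt->top >= 16)
        return -1;
    ctxt->stack[ctxt->top++] = v;
    return 0;
}

/* The original behaviour: pops whatever is on top, error or not. */
static Value *value_pop_unsafe(Ctx *ctxt)
{
    if (ctxt->top <= 0)
        return NULL;
    return ctxt->stack[--ctxt->top];
}

/* The fix: once an error has been signaled, refuse to pop, so a push that
 * silently pushed nothing can no longer be paired with a pop of an
 * unrelated value. */
static Value *value_pop(Ctx *ctxt)
{
    if (ctxt->error || ctxt->top <= 0)
        return NULL;
    return ctxt->stack[--ctxt->top];
}

/* Simulates one call site: the caller owns "outer", which is already on the
 * stack; a temporary is pushed and then popped (and would then be freed).
 * Returns 0 if the pop returned the temporary as intended,
 *         1 if it returned the caller's own "outer" (the use-after-free setup),
 *         2 if it returned NULL because an error had been signaled. */
int call_site(int use_fixed_pop, int alloc_fails)
{
    Ctx ctxt;
    memset(&ctxt, 0, sizeof ctxt);
    Value *outer = alloc_value(&ctxt, "outer");
    value_push(&ctxt, outer);

    fail_next_alloc = alloc_fails;
    value_push(&ctxt, alloc_value(&ctxt, "tmp"));   /* pushes nothing on failure */

    Value *popped = use_fixed_pop ? value_pop(&ctxt) : value_pop_unsafe(&ctxt);
    int result;
    if (popped == NULL) {
        result = 2;
    } else if (popped == outer) {
        result = 1;   /* freeing `popped` here would free `outer` under the caller */
    } else {
        result = 0;
        free(popped);
    }
    free(outer);
    return result;
}
```

With the unsafe pop and a failed allocation, call_site returns 1: the "temporary" the call site is about to free is the caller's live value. With the fixed pop the same failure yields NULL instead, which the call site can treat as an error rather than as a value it owns.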
Functions like xmlStrdup are called in the error handling code
(__xmlRaiseError) which can cause problems like use-after-free or
infinite loops when invoked recursively.
Calling xmlErrMemory without a context argument isn't helpful anyway.
Found with libFuzzer, see #344.
If we try to continue parsing after an error in the internal or external
subset, entity expansion accounting gets more complicated. Simply halt
the parser.
Found with libFuzzer.
The version script didn't account for symbols disabled by configuration
options. This has caused problems on some OSs in the past and breaks
lld 16 which enables --no-undefined-version by default.
A proper fix would be rather involved, so we simply remove all symbols
from the version script. This is an ELF-only feature and libxml2 never
made use of symbol versioning anyway. Ultimately, this removes the need
for a lot of bookkeeping without tangible benefits.
We have to keep the version nodes to avoid errors when running binaries
linked against older versions of libxml2.
Fixes #473.
Don't set the "checked" flag when checking entities in default attribute
values. These entities could reference other entities which weren't
defined yet, so the check isn't reliable.
This fixes a short-lived regression which could lead to a call stack
overflow later in xmlStringGetNodeList.
Reporting errors is expensive and some abusive test cases can generate
an error for each invalid input byte. This causes the parser to spend
most of the time with error handling. Limit the number of errors and
warnings to 100.
XIncludes involve XPath processing which can still lead to timeouts when
fuzzing. This will probably take a while to fix. The rest of the XML
parsing code should hopefully run without timeouts now. OSS-Fuzz only
shows a single timeout test case, so separate the XInclude from the core
XML fuzzer.
Now that entity expansion issues should be fixed, we should get more
interesting timeout errors from OSS-Fuzz. Disable XInclude for now,
since it often times out in XPath computations. The XInclude tests should
be moved to a separate fuzz target.
Only add consumed bytes if
- we're not parsing an entity
- we're parsing external parameter entities for the first time.
Always ignore internal parameter entities.