1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-26 00:37:43 +03:00
Commit Graph

525 Commits

Author SHA1 Message Date
Nick Wellnhofer
8095365b77 Speed up htmlCheckAutoClose
Switch to binary search.
2021-03-04 19:22:35 +01:00
Nick Wellnhofer
b25acce858 Speed up htmlTagLookup
Switch to binary search. This is the first time bsearch is used in the
libxml2 code base. But it's a standard library function since C89 and
should be portable.
2021-03-04 17:44:45 +01:00
Nick Wellnhofer
0fb3ae5840 Revert "Improve HTML fuzzer stability"
This reverts commit de1b51eddc.
2021-02-22 17:31:05 +01:00
Nick Wellnhofer
de1b51eddc Improve HTML fuzzer stability
Call htmlInitAutoClose during fuzzer initialization to fix stability
issue. Leave a note concerning problems with this function.
2021-02-22 13:21:38 +01:00
Nick Wellnhofer
dcb80b92da Fix slow parsing of HTML with encoding errors
Under certain circumstances, the HTML parser would try to guess and
switch input encodings multiple times, leading to slow processing of
documents with encoding errors. The repeated scanning of the input
buffer when guessing encodings could even lead to quadratic behavior.

The code htmlCurrentChar probably assumed that if there's an encoding
handler, it is guaranteed to produce valid UTF-8. This holds true in
general, but if the detected encoding was "UTF-8", the UTF8ToUTF8
encoding handler simply invoked memcpy without checking for invalid
UTF-8. This still must be fixed, preferably by not using this handler
at all.

Also leave a note that switching encodings twice seems impossible to
implement correctly. Add a check when handling UTF-8 encoding errors
in htmlCurrentChar to avoid this situation, even if encoders produce
invalid UTF-8.

Found by OSS-Fuzz.
2021-02-20 21:28:56 +01:00
Nick Wellnhofer
954696e7cf Fix infinite loop in HTML parser introduced with recent commits
Check for XML_PARSER_EOF to avoid an infinite loop introduced with
recent changes to the HTML push parser.

Found by OSS-Fuzz.
2021-02-07 14:38:55 +01:00
Mike Dalessio
a67b63d183 use new htmlParseLookupCommentEnd to find comment ends
Note that the caret in error messages generated during comment parsing
may have moved by one byte.

See guidance provided on incorrectly-closed comments here:

https://html.spec.whatwg.org/multipage/parsing.html#parse-error-incorrectly-closed-comment
2020-12-16 16:12:07 +01:00
Mike Dalessio
29f5d20e84 htmlParseComment: treat --!> as if it closed the comment
See guidance provided on incorrectly-closed comments here:

https://html.spec.whatwg.org/multipage/parsing.html#parse-error-incorrectly-closed-comment
2020-12-16 16:12:07 +01:00
Nick Wellnhofer
94c2e415a9 Fix quadratic runtime in HTML push parser with null bytes
Null bytes in the input stream do not necessarily signal an EOF
condition. Check the stream pointers for EOF to avoid quadratic
rescanning of input data.

Note that the CUR_CHAR macro used in functions like htmlParseCharData
calls htmlCurrentChar which translates null bytes.

Found by OSS-Fuzz.
2020-12-06 16:44:11 +01:00
Nick Wellnhofer
438e595a8c Stop counting nbChars in parser context
The value was inaccurate and never used.
2020-08-09 15:01:45 +02:00
Nick Wellnhofer
f6a9541fb8 Remove unneeded progress checks in HTML parser
The HTML parser should now be guaranteed to make progress, so the
checks became unnecessary.
2020-08-09 14:54:37 +02:00
Nick Wellnhofer
93ce33c2b8 Fix several quadratic runtime issues in HTML push parser
Fix a few remaining cases where the HTML push parser would scan more
content during lookahead than being parsed later.

Make sure that htmlParseDocTypeDecl consumes all content up to the
final '>' in case of errors. The old comment said "We shouldn't try to
resynchronize", but ignoring invalid content is also what the HTML5
spec mandates.

Likewise, make htmlParseEndTag skip to the final '>' in invalid end
tags even if not in recovery mode. This is probably the most visible
change in practice and leads to different output for some tests but is
also more in line with HTML5.

Make sure that htmlParsePI and htmlParseComment don't abort if invalid
characters are encountered but log an error and ignore the character.

Change some other end-of-buffer checks to test for a zero byte instead
of relying on IS_CHAR.

Fix usage of IS_CHAR macro in htmlParseScript.
2020-07-23 20:47:35 +02:00
Nick Wellnhofer
173a0830dc Fix quadratic runtime when push parsing HTML start tags
Make sure that htmlParseStartTag doesn't terminate on characters for
which IS_CHAR_CH is false like control chars.

In htmlParseTryOrFinish, only switch to START_TAG if the next character
starts a valid name. Otherwise, htmlParseStartTag might return without
consuming all characters up to the final '>'.

Found by OSS-Fuzz.
2020-07-22 23:33:04 +02:00
Nick Wellnhofer
6995eed077 Fix quadratic runtime when push parsing HTML entity refs
The HTML push parser would look ahead for characters in "; >/" to
terminate an entity reference but actual parsing could stop earlier,
potentially resulting in quadratic runtime.

Parse char data and references alternately in htmlParseTryOrFinish
and only look ahead once for a terminating '<' character.

Found by OSS-Fuzz.
2020-07-19 14:05:57 +02:00
Nick Wellnhofer
8e219b154e Fix HTML push parser lookahead
The parsing rules when looking for terminating chars or sequences in
the push parser differed from the actual parsing code. This could
result in the lookahead to overshoot and data being rescanned,
potentially leading to quadratic runtime.

Comments must never be handled during lookahead. Attribute values must
only be skipped for start tags and doctype declarations, not for end
tags, comments, PIs and script content.
2020-07-15 16:44:36 +02:00
Nick Wellnhofer
e050062ca9 Make htmlCurrentChar always translate U+0000
The general assumption is that htmlCurrentChar only returns 0 if the
end of the input buffer is reached. The UTF-8 path already logged an
error if a zero byte U+0000 was found and returned a space character
instead. Make the ASCII code path do the same.

htmlParseTryOrFinish skips zero bytes at the beginning of a buffer, so
even if 0 was returned from htmlCurrentChar, the push parser would make
progress. But rescanning the input could cause performance problems.

The pull parser would abort parsing and now handles zero bytes in ASCII
mode the same way as the push parser or as in UTF-8 mode.

It would be better to return the replacement character U+FFFD instead,
but some of the client code assumes that the UTF-8 length of input and
output matches.
2020-07-15 16:10:13 +02:00
Nick Wellnhofer
dfd4e33048 Rework control flow in htmlCurrentChar
Don't call xmlCurrentChar after switching encodings. Rearrange code
blocks and fall through to normal UTF-8 handling.
2020-07-15 16:10:13 +02:00
Nick Wellnhofer
1493130ef2 Fix UTF-8 decoder in HTML parser
Reject sequences starting with a continuation byte as well as overlong
sequences like the XML parser.

Also fixes an infinite loop in connection with previous commit 50078922
since htmlCurrentChar would return 0 even if not at the end of the
buffer.

Found by OSS-Fuzz.
2020-07-15 12:54:25 +02:00
Nick Wellnhofer
500789224b Fix quadratic runtime when parsing HTML script content
If htmlParseScript returns upon hitting an invalid character,
htmlParseLookupSequence will be called again with checkIndex reset to
zero, potentially resulting in quadratic runtime. Make sure that
htmlParseScript consumes all input in one go and simply skips over
invalid characters similar to htmlParseCharDataInternal.

Found by OSS-Fuzz.
2020-07-13 12:19:24 +02:00
Nick Wellnhofer
3f18e7486d Reset HTML parser input before reporting error
Avoid use-after-free, similar to 13ba5b61. Also make sure that
xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.

Found by OSS-Fuzz.
2020-07-11 14:39:52 +02:00
Nick Wellnhofer
3da8d947df Fix more quadratic runtime issues in HTML push parser
Make sure that checkIndex is set when returning without match from
inside a comment. Also track parser state in htmlParseLookupChars.

Found by OSS-Fuzz.
2020-07-09 16:08:38 +02:00
Nick Wellnhofer
741b0d0a8b Fix regression introduced with 477c7f6a
The 'inSubset' member is actually used by the SAX2 handlers. Store
extra parser state in 'hasPErefs'.
2020-07-07 12:57:01 +02:00
Nick Wellnhofer
477c7f6aff Fix quadratic runtime in HTML parser
Commit eeb99329 removed an important optimization avoiding quadratic
runtime when repeatedly scanning the input buffer for terminating
characters in the HTML push parser. The related bug is

    https://bugzilla.gnome.org/show_bug.cgi?id=444994

Make sure that ctxt->checkIndex is always written and store additional
parser state in ctxt->inSubset which is unused in the HTML parser.

Found by OSS-Fuzz.
2020-07-06 12:17:20 +02:00
Nick Wellnhofer
13ba5b619a Reset HTML parser input before reporting encoding error
If charset conversion fails, reset the input pointers before reporting
the error and bailing out. Otherwise, the input pointers are left in an
invalid state which could lead to use-after-free and other memory
errors.

Similar to f9e7997e. Found by OSS-Fuzz.
2020-06-28 13:21:50 +02:00
Nick Wellnhofer
681f094e5b Fix unsigned integer overflow in htmlParseTryOrFinish
Cast to signed type before subtraction to avoid unsigned integer
overflow. Also use ptrdiff_t to avoid potential integer truncation.

Found with libFuzzer and UBSan.
2020-06-15 21:25:22 +02:00
Nick Wellnhofer
31ca4a728c Fix integer overflow in htmlParseCharRef
Fixes #115.
2020-06-15 21:23:54 +02:00
Nick Wellnhofer
20c60886e4 Fix typos
Resolves #133.
2020-03-08 17:41:53 +01:00
Nick Wellnhofer
f9f8df0a31 Fix uninitialized memory access in HTML parser
The SAX2 character handler expects NULL-terminated buffer.

Closes #106.

Also see https://github.com/lxml/lxml/pull/288
2019-10-14 16:39:21 +02:00
Jared Yanovich
2a350ee9b4 Large batch of typo fixes
Closes #109.
2019-09-30 18:04:38 +02:00
Nick Wellnhofer
dbc6b55b59 Fix warnings when compiling without reader or push parser 2019-05-16 21:06:56 +02:00
Nick Wellnhofer
60173c821e Reset HTML parser input pointers on encoding failure
Call xmlBufResetInput before bailing out if switching the encoding
fails. Otherwise, the input pointers could be left in an invalid state.

Similar to commit f9e7997e80 for the
XML parser.

Thanks to Yunho Kim for the report.

Closes: #27
2018-09-11 14:08:39 +02:00
Daniel Veillard
35e8348850 HTML noscript should not close p
For https://bugzilla.gnome.org/show_bug.cgi?id=795343

- HTMLparser.c: noscript should not close <p> but it should close <script>
2018-04-18 16:04:27 +02:00
Nick Wellnhofer
7a1bd7f649 Revert "Change calls to xmlCharEncInput to set flush false"
This reverts commit 6e6ae5daa6 which
broke decoding of larger documents with ICU.

See https://bugs.chromium.org/p/chromium/issues/detail?id=820163
2018-03-17 00:03:24 +01:00
Joel Hockey
6e6ae5daa6 Change calls to xmlCharEncInput to set flush false when not final call. Having flush incorrectly set to true causes errors for ICU. 2018-01-08 19:57:53 +01:00
Nick Wellnhofer
cb5541c9f3 Fix libz and liblzma detection
If libz or liblzma are detected with pkg-config, AC_CHECK_HEADERS must
not be run because the correct CPPFLAGS aren't set. It is actually not
required have separate checks for LIBXML_ZLIB_ENABLED and HAVE_ZLIB_H.
Only check for LIBXML_ZLIB_ENABLED and remove HAVE_ZLIB_H macro.

Fixes bug 764657, bug 787041.
2017-11-27 14:33:37 +01:00
Nick Wellnhofer
e03f0a199a Fix hash callback signatures
Make sure that all parameters and return values of hash callback
functions exactly match the callback function type. This is required
to pass clang's Control Flow Integrity checks and to allow compilation
to asm.js with Emscripten.

Fixes bug 784861.
2017-11-09 16:42:47 +01:00
Nick Wellnhofer
576912fa04 Make HTML parser functions take const pointers
The 'cur' parameter of htmlParseDoc and htmlSAXParseDoc should be
'const xmlChar *'.

Fixes bug 770650.
2017-06-17 15:59:13 +02:00
Nick Wellnhofer
0b2d5c48e3 Initialize keepBlanks in HTML parser
This caused failures in the HTML push tests but the fix required to
change the expected output of the HTML SAX tests.
2017-06-12 19:11:54 +02:00
Nick Wellnhofer
9a366a3748 Fix compiler warning in htmlParseElementInternal 2017-06-11 12:43:59 +02:00
Nick Wellnhofer
f39e3be0dd Fix sanity check in htmlParseNameComplex
- (cur - len) can overflow.
- Throw an internal error.

Fixes bug 780077.
2017-06-11 12:43:37 +02:00
Pranjal Jumde
11ed4a7a90 Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral
For https://bugzilla.gnome.org/show_bug.cgi?id=760263

* HTMLparser.c: Add BASE_PTR convenience macro.
(htmlParseSystemLiteral): Store length and start position instead
of a pointer while iterating through the public identifier since
the underlying buffer may change, resulting in a stale pointer
being used.
(htmlParsePubidLiteral): Ditto.
2016-05-23 15:01:07 +08:00
David Kilzer
4472c3a5a5 Fix some format string warnings with possible format string vulnerability
For https://bugzilla.gnome.org/show_bug.cgi?id=761029

Decorate every method in libxml2 with the appropriate
LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
following the reports.
2016-05-23 15:01:07 +08:00
Hugh Davenport
beca86e8c8 Detect change of encoding when parsing HTML names
From https://bugzilla.gnome.org/show_bug.cgi?id=758518

Happens when a file has a name getting parsed, but no valid encoding
set, so libxml has to guess what the encoding is. This patch detects
when the buffer location changes, and if it does, restarts the parsing
of the name.

This slightly change a couple of regression tests output
2016-05-23 15:01:07 +08:00
Pranjal Jumde
a820dbeac2 Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
Reviewed by David Kilzer.

* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure.  Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.
2016-05-23 15:01:07 +08:00
Jan Pokorný
bb654feb9a Fix typos: dictio{ nn -> n }ar{y,ies}
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2016-04-15 22:22:48 +08:00
Hugh Davenport
8fb4a77007 CVE-2015-8242 Buffer overead with HTML parser in push mode
For https://bugzilla.gnome.org/show_bug.cgi?id=756372
Error in the code pointing to the codepoint in the stack for the
current char value instead of the pointer in the input that the SAX
callback expects
Reported and fixed by Hugh Davenport
2015-11-20 17:16:06 +08:00
Daniel Veillard
e724879d96 Fix parsing short unclosed comment uninitialized access
For https://bugzilla.gnome.org/show_bug.cgi?id=746048
The HTML parser was too optimistic when processing comments and
didn't check for the end of the stream on the first 2 characters
2015-10-30 21:14:55 +08:00
Daniel Veillard
140c251e8e Recover unescaped less-than character in HTML recovery parsing
As pointed by Christian Schoenebeck <schoenebeck@crudebyte.com>
on the list and based on some of his early patches, this preserve
content when unescaped opening angle brackets are not escaped in
textual content like:
  <p>  a < b </p>
  <p> a <0 </p>
  <p> a <=0 </p>

while still reporting the error.
2015-06-30 11:36:28 +08:00
Daniel Veillard
292a9f293d Possible overflow in HTMLParser.c
For https://bugzilla.gnome.org/show_bug.cgi?id=720615

make sure that the encoding string passed is of reasonable size
2014-10-06 18:51:04 +08:00
Philip Withnall
579ebbcb3c HTMLparser: Correctly initialise a stack allocated structure
If not initialised, the ‘node’ member remains undefined.

Coverity issue: #60466

https://bugzilla.gnome.org/show_bug.cgi?id=731990
2014-07-26 20:09:42 +08:00