mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
122 Commits

Author SHA1 Message Date
Arne Becker
ec6e3efb06 Patch to forbid epsilon-reduction of final states
When building the internal representation of a regexp, it is possible
that a lot of empty transitions are created. Therefore there is a step
to reduce them in the function xmlFAEliminateSimpleEpsilonTransitions.

There is an error there for this case:

* State 1 has a transition with an atom (in this case "a") to state 2.
* State 2 is final and has an epsilon transition to state 1.

After reduction it looked like:
* State 1 has a transition with an atom (in this case "a") to itself
  and is final.

In other words, the empty string is accepted when it shouldn't be.

The attached patch skips the reduction step for final states.
An alternative would be to insert or increment counters when reducing a
final state, but this seemed error prone and unnecessary, since there
aren't that many final states.

Fixes #282
2021-07-06 21:59:25 +02:00
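The automaton from the commit message above (ec6e3efb06), as an added C example that is not libxml2 code: a small NFA model that folds simple epsilon states into their target the way the message describes, and shows the empty string being accepted unless final states are skipped. The names `Nfa`, `accepts`, `reduce` and `run` are hypothetical, and leaving the start state out of the reduction is a simplification made here.

```c
#include <stdio.h>
typedef struct { int from, to; char atom; } Trans;   /* atom 0 = epsilon */
typedef struct { Trans t[8]; int nt; unsigned finals; int start; } Nfa;

static unsigned closure(const Nfa *n, unsigned set) {  /* epsilon closure */
    for (unsigned prev = 0; prev != set; ) {
        prev = set;
        for (int i = 0; i < n->nt; i++)
            if (n->t[i].atom == 0 && ((set >> n->t[i].from) & 1))
                set |= 1u << n->t[i].to;
    }
    return set;
}

int accepts(const Nfa *n, const char *s) {
    unsigned cur = closure(n, 1u << n->start);
    for (; *s; s++) {
        unsigned next = 0;
        for (int i = 0; i < n->nt; i++)
            if (n->t[i].atom == *s && ((cur >> n->t[i].from) & 1))
                next |= 1u << n->t[i].to;
        cur = closure(n, next);
    }
    return (cur & n->finals) != 0;
}

/* Fold non-start states whose only exit is an epsilon; skip_final = the fix. */
void reduce(Nfa *n, int skip_final) {
    for (int s = 0; s < 32; s++) {
        int out = 0, eps = -1;
        for (int i = 0; i < n->nt; i++)
            if (n->t[i].from == s) { out++; if (n->t[i].atom == 0) eps = i; }
        if (out != 1 || eps < 0 || s == n->start) continue;
        if (skip_final && ((n->finals >> s) & 1)) continue;
        int to = n->t[eps].to;
        for (int i = 0; i < n->nt; i++)
            if (n->t[i].to == s) n->t[i].to = to;
        if ((n->finals >> s) & 1) n->finals |= 1u << to; /* finality moves too */
        n->t[eps] = n->t[--n->nt];                       /* drop the epsilon */
    }
}

/* Constructed from the commit message: 1 -a-> 2, 2 final, 2 -eps-> 1. */
int run(int skip_final, const char *input) {
    Nfa n = { { {1, 2, 'a'}, {2, 1, 0} }, 2, 1u << 2, 1 };
    reduce(&n, skip_final);
    return accepts(&n, input);
}
int main(void) { printf("%d %d\n", run(0, ""), run(1, "")); return 0; }
```

`run(0, "")` reduces the final state and accepts the empty string; `run(1, "")` skips it and rejects, while one or more "a" still match in both modes.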
Nick Wellnhofer
7d6837ba0e Fix caret in regexp character group
Apply Per Hedeland's patch from

    https://bugzilla.gnome.org/show_bug.cgi?id=779751

Fixes #188.
2020-10-25 20:21:43 +01:00
Nick Wellnhofer
68eadabd00 Fix exponential runtime in xmlFARecurseDeterminism
In order to prevent visiting a state twice, states must be marked as
visited for the whole duration of graph traversal because states might
be reached by different paths. Otherwise state graphs like the
following can lead to exponential runtime:

  ->O-->O-->O-->O-->O->
     \ / \ / \ / \ /
      O   O   O   O

Reset the "visited" flag only after the graph was traversed.

xmlFAComputesDeterminism still has massive performance problems when
handling fuzzed input. By design, it has quadratic time complexity in
the number of reachable states. Some issues might also stem from
redundant epsilon transitions. With this fix, fuzzing regexes with a
maximum length of 100 becomes feasible at least.

Found with libFuzzer.
2020-07-31 11:55:13 +02:00
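The traversal cost described in the commit message above (68eadabd00), as an added C example that is not libxml2 code: a depth-first walk over a chain of diamonds shaped like the drawing, counting state visits when the "visited" flag is cleared as each call returns versus kept until the traversal ends. All names are hypothetical, and clearing the flag on return is an assumed model of the pre-fix behaviour.

```c
#include <stdio.h>

#define MAX_STATES 128

/* Constructed graph shaped like the drawing in the commit message: a chain
 * of n diamonds. Upper state i is index 2*i, the state below it 2*i+1. */
static int edges[MAX_STATES][2], nedges[MAX_STATES], visited[MAX_STATES];
static unsigned long calls;

static void build_diamonds(int n) {
    for (int i = 0; i < 2 * n + 1; i++) { nedges[i] = 0; visited[i] = 0; }
    for (int i = 0; i < n; i++) {
        edges[2*i][0] = 2*i + 1;            /* upper -> lower      */
        edges[2*i][1] = 2*i + 2;            /* upper -> next upper */
        edges[2*i + 1][0] = 2*i + 2;        /* lower -> next upper */
        nedges[2*i] = 2;
        nedges[2*i + 1] = 1;
    }
}

/* keep_mark = 0: flag cleared when the call returns (assumed pre-fix model).
 * keep_mark = 1: flag stays set until the whole traversal is over (the fix). */
static void walk(int s, int keep_mark) {
    if (visited[s]) return;
    visited[s] = 1;
    calls++;
    for (int i = 0; i < nedges[s]; i++)
        walk(edges[s][i], keep_mark);
    if (!keep_mark) visited[s] = 0;
}

/* Number of state visits needed to traverse n diamonds (n <= 63). */
unsigned long count_visits(int n, int keep_mark) {
    build_diamonds(n);
    calls = 0;
    walk(0, keep_mark);
    return calls;
}

int main(void) {
    for (int n = 4; n <= 20; n += 8)
        printf("diamonds=%2d  reset-on-return=%lu  kept=%lu\n",
               n, count_visits(n, 0), count_visits(n, 1));
    return 0;
}
```

With the flag cleared on return the count is 3·2^n − 2 for n diamonds; with the flag kept it is 2n + 1, one visit per state.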
Nick Wellnhofer
fc842f6eba Limit regexp nesting depth
Enforce a maximum nesting depth of 50 for regular expressions. Avoids
stack overflows with deeply nested regexes.

Found by OSS-Fuzz.
2020-07-06 15:22:12 +02:00
Nick Wellnhofer
f8329fdc23 Report error for invalid regexp quantifiers 2020-07-02 11:54:28 +02:00
Nick Wellnhofer
1e7851b5ae Fix integer overflow in xmlFAParseQuantExact
Found by OSS-Fuzz.
2020-06-25 12:18:21 +02:00
Nick Wellnhofer
20c60886e4 Fix typos
Resolves #133.
2020-03-08 17:41:53 +01:00
Nick Wellnhofer
52649b63eb Check for overflow when allocating two-dimensional arrays
Found by lgtm.com
2020-01-02 15:24:23 +01:00
Nick Wellnhofer
9bd7abfba4 Remove useless comparisons
Found by lgtm.com
2020-01-02 14:14:48 +01:00
Jared Yanovich
2a350ee9b4 Large batch of typo fixes
Closes #109.
2019-09-30 18:04:38 +02:00
Nick Wellnhofer
99a864a1f7 Fix Regextests
- One of the bug316338 test cases is expected to succeed.
- Memory leak in testRegexp.c.
- Refcount handling in xmlExpHashGetEntry.
2019-09-25 15:27:45 +02:00
Nick Wellnhofer
c2b0a184a9 Fix empty branch in regex
Fixes bug 649244:
https://bugzilla.gnome.org/show_bug.cgi?id=649244

Closes #57.
2019-09-25 14:22:47 +02:00
Nick Wellnhofer
e8c9cd5c7a Fix Schema determinism check of ##other namespaces
Non-compound (##local) and compound string atoms are always disjoint
regardless of whether the compound atom is negated (##other).

Closes #40.
2019-09-16 15:36:02 +02:00
zhouzhongyuan
0b793591ac Fix memory leak in xmlRegEpxFromParse
Merge request !39
2019-09-13 15:37:56 +02:00
Nick Wellnhofer
09797c139e Fix null deref in xmlregexp error path
Thanks to Shaobo He for the report.
2019-03-05 15:14:34 +01:00
J. Peter Mugaas
d2c329a9a4 Fix -Wimplicit-fallthrough warnings
Add "falls through" comments to quench implicit-fallthrough warnings
which are enabled by -Wextra under GCC 7.
2017-10-21 13:49:31 +02:00
David Kilzer
fb56f80eef Heap-buffer-overflow read of size 1 in xmlFAParsePosCharGroup
Credit to OSS-Fuzz.

Add a check to xmlFAParseCharRange() for the end of the buffer
to prevent reading past the end of it.

This fixes Bug 784017.
2017-07-04 18:51:29 +02:00
Nick Wellnhofer
8a0c66986e Fix NULL pointer deref in xmlFAParseCharClassEsc
Found with libFuzzer.
2017-07-04 18:51:29 +02:00
Nick Wellnhofer
34e445674d Fix undefined behavior in xmlRegExecPushStringInternal
It's stupid, but the behavior of memcpy(NULL, NULL, 0) is undefined.
2017-06-01 14:31:27 +02:00
Pranjal Jumde
cbb271655c Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711>
* xmlregexp.c:
(xmlFAParseCharRange): Only advance to the next character if
there is no error.  Advancing to the next character in case of
an error while parsing regexp leads to an out of bounds access.
2016-05-23 15:01:07 +08:00
Daniel Veillard
34b350048d Fix an error with regexp on nullable counted char transition
This is the first of the two issues raised by Pete Cordell
in https://mail.gnome.org/archives/xml/2016-April/msg00030.html
2016-05-09 09:28:38 +08:00
Jan Pokorný
bb654feb9a Fix typos: dictio{ nn -> n }ar{y,ies}
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2016-04-15 22:22:48 +08:00
Gaurav
41b0d1c4e5 Avoid Double Null Check
Cleanup
For https://bugzilla.gnome.org/show_bug.cgi?id=729851
2014-05-09 16:52:32 +08:00
Gaurav
2671b013d8 Fix potential NULL pointer dereferences in regexp code
https://bugzilla.gnome.org/show_bug.cgi?id=707749

Fix 3 cases where we might dereference NULL
2013-09-11 14:59:06 +08:00
Michael Wood
fb27e2cd20 Fix spelling of "length". 2012-10-30 10:18:49 +08:00
Daniel Veillard
f8e3db0445 Big space and tab cleanup
Remove all space before tabs and space and tabs at end of lines.
2012-09-11 13:26:36 +08:00
Daniel Veillard
466fcdaa33 Avoid a potential infinite recursion
Which can happen when eliminating epsilon transitions, as reported
by Pavel Madr <pmadr@opentext.com>
2012-08-27 12:03:40 +08:00
Daniel Veillard
40851d0c59 Fix a segfault on XSD validation on pattern error
As reported by Sven <sven@e7o.de>:
The following pattern will cause a segmentation fault in my
Apache (using PHP5 to validate an XML against an XSD):

<xs:pattern value="(.*)|"/>

Fix a cascade of error handling failures which led to the
crash in that scenario.
2012-08-17 22:59:10 +08:00
Patrick R. Gansterer
204f1f144c undef ERROR if already defined 2012-05-10 20:24:00 +08:00
Daniel Veillard
9543aee99b Fix broken escape behaviour in regexp ranges 2010-03-15 11:13:39 +01:00
Daniel Veillard
9332b48f16 Fix a Relaxng bug raised by libvirt test suite
* xmlregexp.c: other fixes in 2.7.4 raised this internal error
  when comparing ranges, this affects among others detection of
  the determinism
* test/relaxng/libvirt* result/relaxng/libvirt*: add a test case
  based on libvirt schemas and tests
2009-09-23 18:28:43 +02:00
Daniel Veillard
293416828e Release of libxml2-2.7.4
* configure.in: new version
* libxml.spec.in: cleanup
* xmlregexp.c: fix a comment
* doc/apibuild.py: update
* doc/*: regenerate everything
2009-09-10 18:23:39 +02:00
Daniel Veillard
594e5dfb48 Chasing dead assignments reported by clang-scan
* SAX2.c dict.c error.c hash.c nanohttp.c parser.c python/libxml.c
  relaxng.c runtest.c tree.c valid.c xinclude.c xmlregexp.c xmlsave.c
  xmlschemas.c xpath.c xpointer.c: mostly removing unneeded affectations,
  but this led to a few real bugs and some part not yet understood
  (relaxng/interleave)
2009-09-07 14:58:47 +02:00
Daniel Veillard
13cee4e37b Fix a bunch of scan 'dead increments' and cleanup
* HTMLparser.c c14n.c debugXML.c entities.c nanohttp.c parser.c
  testC14N.c uri.c xmlcatalog.c xmllint.c xmlregexp.c xpath.c:
  fix unused variables, or unneeded increments as well as a couple
  of space issues
* runtest.c: check for NULL before calling unlink()
2009-09-05 14:52:55 +02:00
Daniel Veillard
1ba2aca3eb 492317 Fix Relax-NG validation problems
* relaxng.c xmlregexp.c: a subtle problem when checking for compileable
  content model, if using the same elements in cases of choices. Handled
  by adding a special flag to the regexp compilation to detect
  transitions with different atoms using same strings.
* test/relaxng/492317* result/relaxng/492317*: add the test to the
  regression suite
2009-08-31 16:47:39 +02:00
Daniel Veillard
d80d0728bf 559410 - Regexp bug on (...)? constructs
* xmlregexp.c: fix a regexp bug on some (...)? constructs
* test/schemas/nvdcve* result/schemas/nvdcve*: add the tests to the
  regression suite
2009-08-22 18:56:01 +02:00
Daniel Veillard
11e28e4dfb 570702 fix a bug in regexp determinism checking
* xmlregexp.c: xmlFAComputesDeterminism was bugged as it removed as
  coalesced transitions on with same source destination and atoms but
  not looking at counters
2009-08-12 12:21:42 +02:00
Daniel Veillard
bf9c1dad3a add the testchar to 'make check' Volker Grabsch pointed out a typo
* Makefile.am: add the testchar to 'make check'
* xmlschemas.c: Volker Grabsch pointed out a typo
* xmlregexp.c: production [19] from XML Schemas regexps were a
  mistake removed in version REC-xmlschema-2-20041028, Volker Grabsch
  provided a patch to remove it
* test/schemas/regexp-char-ref_0.xml test/schemas/regexp-char-ref_0.xsd
  test/schemas/regexp-char-ref_1.xsd result/schemas/regexp-char-ref_0_0
  result/schemas/regexp-char-ref_1_0: Volker Grabsch also provided
  regression tests for this
Daniel

svn path=/trunk/; revision=3776
2008-08-26 07:46:42 +00:00
Daniel Veillard
ad55998f74 avoid a regexp crash, should fix #523738 Daniel
* xmlregexp.c: avoid a regexp crash, should fix #523738
Daniel

svn path=/trunk/; revision=3744
2008-05-12 13:15:35 +00:00
Daniel Veillard
10bda629bf found a nasty bug in regexp automata build, reported by Ashwin and Bjorn
* xmlregexp.c: found a nasty bug in regexp automata build,
  reported by Ashwin and Bjorn Reese
Daniel

svn path=/trunk/; revision=3705
2008-03-13 07:27:24 +00:00
Daniel Veillard
041b687e93 apply patch from Andrew Tosh to fix behaviour when '.' is used in a
* xmlregexp.c: apply patch from Andrew Tosh to fix behaviour
  when '.' is used in a posCharGroup
* test/schemas/poschargrp0_0.* result/schemas/poschargrp0_0_0*:
  added the test to the regression suite
Daniel

svn path=/trunk/; revision=3687
2008-02-08 10:37:18 +00:00
Daniel Veillard
00fde4e490 remove a cut-and-paste copy error Daniel
* xmlregexp.c: remove a cut-and-paste copy error
Daniel

svn path=/trunk/; revision=3665
2007-11-19 17:38:33 +00:00
Daniel Veillard
c821e03c66 another nasty regexp case fixed. added to regression suite Daniel
* xmlregexp.c: another nasty regexp case fixed.
* test/regexp/ranges2 result/regexp/ranges2: added to regression
  suite
Daniel

svn path=/trunk/; revision=3658
2007-08-28 17:33:45 +00:00
William M. Brack
ec72008ba7 Enhanced to include port number (if not == 80) on the "Header:" URL (bug
* nanohttp.c: Enhanced to include port number (if not == 80) on the
  "Header:" URL (bug #469681).
* xmlregexp.c: Fixed a typo causing a warning message.

svn path=/trunk/; revision=3657
2007-08-24 02:57:38 +00:00
Daniel Veillard
76d59b6d6f try to fix for the nth time the automata generation in case of complex
* xmlregexp.c: try to fix for the nth time the automata generation
  in case of complex ranges. I suppose that time it is actually okay
Daniel

svn path=/trunk/; revision=3650
2007-08-22 16:29:21 +00:00
Daniel Veillard
cb4284e296 applied patch from Richard Jones to for the silent flag on valgrind when
* xstc/Makefile.am doc/examples/Makefile.am Makefile.am: applied
  patch from Richard Jones to for the silent flag on valgrind
  when doing "make valgrind"
* xmlregexp.c: raise a regexp error when '\' is misused to escape
  a standard character.
Daniel

svn path=/trunk/; revision=3606
2007-04-25 13:55:20 +00:00
William M. Brack
5657837103 small enhancement for quantifier range with min occurs of 0; fixes bug
* xmlregexp.c: small enhancement for quantifier range with
  min occurs of 0; fixes bug 425542.

svn path=/trunk/; revision=3597
2007-04-11 14:33:46 +00:00
William M. Brack
a9cbf28361 fixed problem with 0x2d in Char Range (bug #420596) added regression test
* xmlregexp.c: fixed problem with 0x2d in Char Range (bug #420596)
* test/regexp/bug420596, result/regexp/bug420596: added regression
  test for this

svn path=/trunk/; revision=3594
2007-03-21 13:16:33 +00:00
Daniel Veillard
fcd18ff8f7 another small change on the algorithm for the elimination of epsilon
* xmlregexp.c: another small change on the algorithm for the
  elimination of epsilon transitions, should help on #362989 too
Daniel
2006-11-02 10:28:04 +00:00
Daniel Veillard
0e05f4c2e0 applied documentation patches from Markus Keim fixed one bug and added a
* tree.c: applied documentation patches from Markus Keim
* xmlregexp.c: fixed one bug and added a couple of optimisations
  while working on bug #362989
Daniel
2006-11-01 15:33:04 +00:00