1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-10-24 13:33:01 +03:00
Commit Graph

746 Commits

Author SHA1 Message Date
Nick Wellnhofer
07b7428b69 Simplify control flow in xmlParseStartTag2
Remove some goto labels and deduplicate a bit of code after handling
namespaces.

Before:

    loop {
        parseAttribute
        if (ok) {
            if (defaultNamespace) {
                handleDefaultNamespace
                if (error)
                    goto skip_default_ns;
                handleDefaultNamespace
    skip_default_ns:
                freeAttr
                nextAttr
                continue;
            }
            if (namespace) {
                handleNamespace
                if (error)
                    goto skip_ns;
                handleNamespace
    skip_ns:
                freeAttr
                nextAttr;
                continue;
            }
            handleAttr
        } else {
            freeAttr
        }
        nextAttr
    }

After:

    loop {
        parseAttribute
        if (!ok)
            goto next_attr;
        if (defaultNamespace) {
            handleDefaultNamespace
            if (error)
                goto next_attr;
            handleDefaultNamespace
        } else if (namespace) {
            handleNamespace
            if (error)
                goto next_attr;
            handleNamespace
        } else {
            handleAttr
        }
    next_attr:
        freeAttr
        nextAttr
    }
2017-06-01 14:31:28 +02:00
Nick Wellnhofer
474967241c Avoid spurious UBSan errors in parser.c
If available, use a C99 flexible array member to avoid spurious UBSan
errors.
2017-06-01 14:31:27 +02:00
Nick Wellnhofer
8627e4ed20 Fix memory leak in parser error path
Triggered in mixed content ELEMENT declarations if there's an invalid
name after the first valid name:

    <!ELEMENT para (#PCDATA|a|<invalid>)*>

Found with libFuzzer and ASan.
2017-05-27 15:59:18 +02:00
Neel Mehta
90ccb58242 Prevent unwanted external entity reference
For https://bugzilla.gnome.org/show_bug.cgi?id=780691

* parser.c: add a specific check to avoid PE reference
2017-04-07 17:45:14 +02:00
Doran Moppert
2304078555 Add an XML_PARSE_NOXXE flag to block all entities loading even local
For https://bugzilla.gnome.org/show_bug.cgi?id=772726

* include/libxml/parser.h: Add a new parser flag XML_PARSE_NOXXE
* elfgcchack.h, xmlIO.h, xmlIO.c: associated loading routine
* include/libxml/xmlerror.h: new error raised
* xmllint.c: adds --noxxe flag to activate the option
2017-04-07 16:55:05 +02:00
Daniel Veillard
bdd66182ef Avoid building recursive entities
For https://bugzilla.gnome.org/show_bug.cgi?id=762100

When we detect a recusive entity we should really not
build the associated data, moreover if someone bypass
libxml2 fatal errors and still tries to serialize a broken
entity make sure we don't risk to get ito a recursion

* parser.c: xmlParserEntityCheck() don't build if entity loop
  were found and remove the associated text content
* tree.c: xmlStringGetNodeList() avoid a potential recursion
2016-05-23 15:01:07 +08:00
David Kilzer
0090675905 Heap-based buffer-underreads due to xmlParseName
For https://bugzilla.gnome.org/show_bug.cgi?id=759573

* parser.c:
(xmlParseElementDecl): Return early on invalid input to fix
non-minimized test case (759573-2.xml).  Otherwise the parser
gets into a bad state in SKIP(3) at the end of the function.
(xmlParseConditionalSections): Halt parsing when hitting invalid
input that would otherwise caused xmlParserHandlePEReference()
to recurse unexpectedly.  This fixes the minimized test case
(759573.xml).

* result/errors/759573-2.xml: Add.
* result/errors/759573-2.xml.err: Add.
* result/errors/759573-2.xml.str: Add.
* result/errors/759573.xml: Add.
* result/errors/759573.xml.err: Add.
* result/errors/759573.xml.str: Add.
* test/errors/759573-2.xml: Add.
* test/errors/759573.xml: Add.
2016-05-23 15:01:07 +08:00
Pranjal Jumde
38eae57111 Heap use-after-free in xmlSAX2AttributeNs
For https://bugzilla.gnome.org/show_bug.cgi?id=759020

* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change.  Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.
2016-05-23 15:01:07 +08:00
David Kilzer
4472c3a5a5 Fix some format string warnings with possible format string vulnerability
For https://bugzilla.gnome.org/show_bug.cgi?id=761029

Decorate every method in libxml2 with the appropriate
LIBXML_ATTR_FORMAT(fmt,args) macro and add some cleanups
following the reports.
2016-05-23 15:01:07 +08:00
Daniel Veillard
b1d34de46a Fix inappropriate fetch of entities content
For https://bugzilla.gnome.org/show_bug.cgi?id=761430

libfuzzer regression testing exposed another case where the parser would
fetch content of an external entity while not in validating mode.
Plug that hole
2016-05-23 15:01:07 +08:00
Pranjal Jumde
45752d2c33 Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398>
* parser.c:
(xmlParseNCNameComplex): Store start position instead of a
pointer to the name since the underlying buffer may change,
resulting in a stale pointer being used.
* result/errors/759398.xml: Added.
* result/errors/759398.xml.err: Added.
* result/errors/759398.xml.str: Added.
* test/errors/759398.xml: Added test case.
2016-05-23 15:01:07 +08:00
David Kilzer
db07dd613e Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588>
* parser.c:
(xmlParseEndTag2): Add bounds checks before dereferencing
ctxt->input->cur past the end of the buffer, or incrementing the
pointer past the end of the buffer.

* result/errors/758588.xml: Add test result.
* result/errors/758588.xml.err: Ditto.
* result/errors/758588.xml.str: Ditto.
* test/errors/758588.xml: Add regression test.
2016-05-23 15:01:07 +08:00
Peter Simons
8f30bdff69 Add missing increments of recursion depth counter to XML parser.
For https://bugzilla.gnome.org/show_bug.cgi?id=765207
CVE-2016-3705
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.
2016-05-22 09:24:05 +08:00
Jan Pokorný
bb654feb9a Fix typos: dictio{ nn -> n }ar{y,ies}
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
2016-04-15 22:22:48 +08:00
David Kilzer
4f8606c13c Bug 760183: REGRESSION (v2.9.3): XML push parser fails with bogus UTF-8 encoding error when multi-byte character in large CDATA section is split across buffer <https://bugzilla.gnome.org/show_bug.cgi?id=760183>
* parser.c:
(xmlCheckCdataPush): Add 'complete' argument to describe whether
the buffer passed in is the whole CDATA buffer, or if there is
more data to parse.  If there is more data to parse, don't
return a negative value for an invalid multi-byte UTF-8
character that is split between buffers.
(xmlParseTryOrFinish): Pass 'complete' argument to
xmlCheckCdataPush() as appropriate.

* result/cdata-2-byte-UTF-8.xml: Added.
* result/cdata-2-byte-UTF-8.xml.rde: Added.
* result/cdata-2-byte-UTF-8.xml.rdr: Added.
* result/cdata-2-byte-UTF-8.xml.sax: Added.
* result/cdata-2-byte-UTF-8.xml.sax2: Added.
* result/cdata-3-byte-UTF-8.xml: Added.
* result/cdata-3-byte-UTF-8.xml.rde: Added.
* result/cdata-3-byte-UTF-8.xml.rdr: Added.
* result/cdata-3-byte-UTF-8.xml.sax: Added.
* result/cdata-3-byte-UTF-8.xml.sax2: Added.
* result/cdata-4-byte-UTF-8.xml: Added.
* result/cdata-4-byte-UTF-8.xml.rde: Added.
* result/cdata-4-byte-UTF-8.xml.rdr: Added.
* result/cdata-4-byte-UTF-8.xml.sax: Added.
* result/cdata-4-byte-UTF-8.xml.sax2: Added.
* result/noent/cdata-2-byte-UTF-8.xml: Added.
* result/noent/cdata-3-byte-UTF-8.xml: Added.
* result/noent/cdata-4-byte-UTF-8.xml: Added.
* test/cdata-2-byte-UTF-8.xml: Added.
* test/cdata-3-byte-UTF-8.xml: Added.
* test/cdata-4-byte-UTF-8.xml: Added.
- Add tests and results.  Only 'make Readertests XMLPushtests'
  fails prior to the fix.
2016-04-08 10:18:52 +08:00
Daniel Veillard
a7a94612aa Heap-based buffer overread in xmlNextChar
For https://bugzilla.gnome.org/show_bug.cgi?id=759671

when the end of the internal subset isn't properly detected
xmlParseInternalSubset should just return instead of trying
to process input further.
2016-02-09 12:55:29 +01:00
Daniel Veillard
f1063fdbe7 CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
For https://bugzilla.gnome.org/show_bug.cgi?id=756525
handle properly the case where we popped out of the current entity
while processing a start tag
Reported by Kostya Serebryany @ Google

This slightly modifies the output of 754946 in regression tests
2015-11-20 16:06:59 +08:00
Daniel Veillard
3bd6ae147e Fix some loop issues embedding NEXT
Next can switch the parser back to XML_PARSER_EOF state, we
need to consider those in loops consuming input
2015-11-20 15:06:02 +08:00
Daniel Veillard
35bcb1d758 Detect incoherency on GROW
the current pointer to the input has to be between the base and end
if not stop everything we have an internal state error.
2015-11-20 15:04:09 +08:00
Daniel Veillard
e3b1597421 Reuse xmlHaltParser() where it makes sense
Unify the various place where either xmlStopParser was called
(which resets the error as a side effect) and places where we
used ctxt->instate = XML_PARSER_EOF to stop further processing
2015-11-20 14:59:30 +08:00
Daniel Veillard
28cd9cb747 Add xmlHaltParser() to stop the parser
The problem is doing it in a consistent and safe fashion
It's more complex than just setting ctxt->instate = XML_PARSER_EOF
Update the public function to reuse that new internal routine
2015-11-20 14:55:30 +08:00
David Drysdale
69030714cd CVE-2015-5312 Another entity expansion issue
For https://bugzilla.gnome.org/show_bug.cgi?id=756733
It is one case where the code in place to detect entities expansions
failed to exit when the situation was detected, leading to DoS
Problem reported by Kostya Serebryany @ Google
Patch provided by David Drysdale @ Google
2015-11-20 11:18:22 +08:00
Daniel Veillard
53ac9c9649 xmlStopParser reset errNo
I had used it in contexts where that information ought to be preserved
2015-11-09 18:16:00 +08:00
Daniel Veillard
afd27c21f6 Avoid processing entities after encoding conversion failures
For https://bugzilla.gnome.org/show_bug.cgi?id=756527
and was also raised by Chromium team in the past

When we hit a convwersion failure when switching encoding
it is bestter to stop parsing there, this was treated as a
fatal error but the parser was continuing to process to extract
more errors, unfortunately that makes little sense as the data
is obviously corrupt and can potentially lead to unexpected behaviour.
2015-11-09 18:07:18 +08:00
Hugh Davenport
ab2b9a93ff Avoid extra processing of MarkupDecl when EOF
For https://bugzilla.gnome.org/show_bug.cgi?id=756263

One place where ctxt->instate == XML_PARSER_EOF whic was set up
by entity detection issues doesn't get noticed, and even overrided
2015-11-03 20:40:49 +08:00
Daniel Veillard
41ac9049a2 Fix an error in previous Conditional section patch
an off by one mistake in the change, led to error on correct
document where the end of the included entity was exactly
the end of the conditional section, leading to regtest failure
2015-10-27 10:53:44 +08:00
Daniel Veillard
bd0526e66a Another variation of overflow in Conditional sections
Which happen after the previous fix to
https://bugzilla.gnome.org/show_bug.cgi?id=756456

But stopping the parser and exiting we didn't pop the intermediary entities
and doing the SKIP there applies on an input which may be too small
2015-10-23 19:02:28 +08:00
Gaurav Gupta
cf77e60515 Add missing Null check in xmlParseExternalEntityPrivate
For https://bugzilla.gnome.org/show_bug.cgi?id=755857

a case where we check for NULL but not everywhere
2015-09-30 14:46:29 +02:00
Daniel Veillard
4a5d80aded Fix a bug in CData error handling in the push parser
For https://bugzilla.gnome.org/show_bug.cgi?id=754947

The checking function was returning incorrect args in some cases
Adds the test to teh reg suite and fix one of the existing test output
2015-09-18 15:06:46 +08:00
Daniel Veillard
51f02b0a03 Fix a bug on name parsing at the end of current input buffer
For https://bugzilla.gnome.org/show_bug.cgi?id=754946

When hitting the end of the current input buffer while parsing
a name we could end up loosing the beginning of the name, which
led to various issues.
2015-09-15 16:50:32 +08:00
Daniel Veillard
709a952110 Fail parsing early on if encoding conversion failed
For https://bugzilla.gnome.org/show_bug.cgi?id=751631

If we fail conversing the current input stream while
processing the encoding declaration of the XMLDecl
then it's safer to just abort there and not try to
report further errors.
2015-06-29 16:10:26 +08:00
Daniel Veillard
9aa37588ee Do not process encoding values if the declaration if broken
For https://bugzilla.gnome.org/show_bug.cgi?id=751603

If the string is not properly terminated do not try to convert
to the given encoding.
2015-06-29 09:08:25 +08:00
Daniel Veillard
9b8512337d Cleanup conditional section error handling
For https://bugzilla.gnome.org/show_bug.cgi?id=744980

The error handling of Conditional Section also need to be
straightened as the structure of the document can't be
guessed on a failure there and it's better to stop parsing
as further errors are likely to be irrelevant.
2015-02-23 11:29:20 +08:00
Daniel Veillard
a7dfab7411 Stop parsing on entities boundaries errors
For https://bugzilla.gnome.org/show_bug.cgi?id=744980

There are times, like on unterminated entities that it's preferable to
stop parsing, even if that means less error reporting. Entities are
feeding the parser on further processing, and if they are ill defined
then it's possible to get the parser to bug. Also do the same on
Conditional Sections if the input is broken, as the structure of
the document can't be guessed.
2015-02-23 11:17:35 +08:00
Daniel Veillard
72a46a519c Fix missing entities after CVE-2014-3660 fix
For https://bugzilla.gnome.org/show_bug.cgi?id=738805

The fix for CVE-2014-3660 introduced a regression in some case
where entity substitution is required and the entity is used
first in anotther entity referenced from an attribute value
2014-10-23 11:35:36 +08:00
Daniel Veillard
f65128f382 Revert "Missing initialization for the catalog module"
This reverts commit 054c716ea1.
As this break xmlcatalog command
https://bugzilla.redhat.com/show_bug.cgi?id=1153753
2014-10-17 17:13:41 +08:00
Daniel Veillard
be2a7edaf2 Fix for CVE-2014-3660
Issues related to the billion laugh entity expansion which happened to
escape the initial set of fixes
2014-10-16 13:59:47 +08:00
Bart De Schuymer
500c54ef32 fix memory leak xml header encoding field with XML_PARSE_IGNORE_ENC
When the xml parser encounters an xml encoding in an xml header while
configured with option XML_PARSE_IGNORE_ENC, it fails to free memory
allocated for storing the encoding.
The patch below fixes this.
How to reproduce:
1. Change doc/examples/parse4.c to add xmlCtxtUseOptions(ctxt,
XML_PARSE_IGNORE_ENC); after the call to xmlCreatePushParserCtxt.
2. Rebuild
3. run the following command from the top libxml2 directory:
LD_LIBRARY_PATH=.libs/ valgrind --leak-check=full
./doc/examples/.libs/parse4 ./test.xml , where test.xml contains
following
input:
<?xml version="1.0" encoding="UTF-81" ?><hi/>
valgrind will report:
==1964== 10 bytes in 1 blocks are definitely lost in loss record 1 of 1
==1964==    at 0x4C272DB: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1964==    by 0x4E88497: xmlParseEncName (parser.c:10224)
==1964==    by 0x4E888FE: xmlParseEncodingDecl (parser.c:10295)
==1964==    by 0x4E89630: xmlParseXMLDecl (parser.c:10534)
==1964==    by 0x4E8B737: xmlParseTryOrFinish (parser.c:11293)
==1964==    by 0x4E8E775: xmlParseChunk (parser.c:12283)

Signed-off-by: Bart De Schuymer <bart at amplidata com>
2014-10-16 12:17:20 +08:00
Daniel Veillard
7cf57380b1 Parser error on repeated recursive entity expansion containing &lt;
For https://bugzilla.gnome.org/show_bug.cgi?id=736417

basically a weird side effect and a failure
to properly parenthesize a boolean expression led to this bug
2014-10-08 16:09:56 +08:00
Dennis Filder
7e9bbdf82f parser bug on misformed namespace attributes
For https://bugzilla.gnome.org/show_bug.cgi?id=672539
Reported by Axel Miller <axel.miller@ppi.de>

Consider the following start-tag:
<x xmlns=""version="">

The start-tag does not conform to the rule

[40]       STag       ::=       '<' Name (S Attribute)* S? '>'

since there is no whitespace in front of the attribute "version".

Thus, libxml2 should reject the start-tag.
But it doesn't:

$ echo '<x xmlns=""version=""/>' | xmllint -
<?xml version="1.0"?>
<x xmlns="" version=""/>

The error seems to happen only if there is a namespace declaration in
front of
the attribute. A missing whitespace between other attributes is handled
correctly:

$ echo '<x someattr=""version=""/>' | xmllint -
-:1: parser error : attributes construct error
<x someattr=""version=""/>
              ^
[...]
2014-10-06 20:34:14 +08:00
Juergen Keil
24fb4c329a wrong error column in structured error when parsing end tag
For https://bugzilla.gnome.org/show_bug.cgi?id=734283

libxml2 reports wrong error column numbers (field int2 in xmlError)
in structured error handler, after parsing an end tag.
2014-10-06 18:19:12 +08:00
Juergen Keil
33f658c969 wrong error column in structured error when parsing attribute values
For https://bugzilla.gnome.org/show_bug.cgi?id=734280

libxml2 reports wrong error column numbers (field int2 in xmlError)
in structured error handler, after parsing XML attribute values.

Example XML:

<?xml version="1.0" encoding="UTF-8"?>
<root
xmlns="urn:colbug">&</root>
<!--
         1         2         3         4
1234567890123456789012345678901234567890
-->

Expected location of the error would be line 3, column 21.

The actual location of the error is line 3, column 9:

$ ./xmlparse colbug2.xml
colbug2.xml:3:9: xmlParseEntityRef: no name

The 12 characters of the xmlns attribute value "urn:colbug" are
not accounted for in the error column value.
2014-08-07 17:30:36 +08:00
Juergen Keil
5d4310af45 wrong error column in structured error when skipping whitespace in xml decl
For https://bugzilla.gnome.org/show_bug.cgi?id=734276

libxml2 reports wrong error column numbers (field int2 in xmlError)
in structured error handler, after an XML declaration containing
whitespace.

Example XML:

<?xml  version="1.0"  encoding="UTF-8"     ?><root>&</root>
<!--
         1         2         3         4         5         6
123456789012345678901234567890123456789012345678901234567890
-->

Expected location of the error would be line 1, column 53.

The actual location of the error is line 1, column 44:

$ ./xmlparse colbug1.xml
colbug1.xml:1:44: xmlParseEntityRef: no name
2014-08-07 16:28:09 +08:00
Daniel Veillard
2f9b126a5c typo in error messages "colon are forbidden from..."
For https://bugzilla.gnome.org/show_bug.cgi?id=731511
Pointed byt vincent Lefevre
2014-07-26 20:29:36 +08:00
Daniel Veillard
c836ba66e5 Fix a potential NULL dereference
For https://bugzilla.gnome.org/show_bug.cgi?id=733040

xmlDictLookup() may return NULL in case of allocation error,
though very unlikely it need to be checked.
2014-07-14 16:39:50 +08:00
Daniel Veillard
dd8367da17 Fix regressions introduced by CVE-2014-0191 patch
A number of issues have been raised after the fix, and this patch
tries to correct all of them, though most were related to
postvalidation.
https://bugzilla.gnome.org/show_bug.cgi?id=730290
and other reports on list, off-list and on Red Hat bugzilla
2014-06-11 17:00:39 +08:00
Daniel Veillard
9cd1c3cfbd Do not fetch external parameter entities
Unless explicitely asked for when validating or replacing entities
with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com>
2014-05-06 22:31:51 +08:00
Daniel Veillard
6faa126fc3 Fix xmlParseInNodeContext() if node is not element
We really need to have ctxt->instate == XML_PARSER_CONTENT when
jumping in content parsing
Bug reported by Frank Gross
2014-03-21 17:05:51 +08:00
Longstreth Jon
190a0b8939 Fix a portability issue on Windows
Apparently an verflow when comparing macro and unsigned long
2014-02-06 10:58:17 +01:00
Daniel Veillard
054c716ea1 Missing initialization for the catalog module 2014-01-26 15:02:25 +01:00