IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The latest spec for what it essentially an XPath extension seems to be
this working draft from 2002:
https://www.w3.org/TR/xptr-xpointer/
The xpointer() scheme is listed as "being reviewed" in the XPointer
registry since at least 2006. libxml2 seems to be the only modern
software that tries to implement this spec, but the code has many bugs
and quality issues.
If you configure --with-legacy, old symbols are retained for ABI
compatibility.
Unfortunately, it's long-standing behavior for libxml2 to print all
reported errors to stderr by default. This default behavior is now
partially disabled. If no error handler is set, only parser and
validation errors are passed to a generic error handler or printed to
stderr. Other errors are still available via xmlGetLastError and can be
captured with a structured error handler.
Introduce xmlXPathSetErrorHandler allowing to set a structured error
handler for an XPath context.
Remove arguments from memory error handlers.
Use xmlRaiseMemoryError.
Remove TODO, STRANGE and CHECK_CTXT macros.
Remove remaining uses of xmlGenericError.
Fix many places where malloc failures aren't reported.
Rework XPath object cache to store free objects in a linked list to
avoid allocating an additional array. Remove some unneeded object pools.
XPath queries only work reliably if entities are substituted.
Nevertheless, it's possible to query a document with entity reference
nodes. xmllint even deletes entities when the `--dropdtd` option is
passed, resulting in dangling pointers, so it's best to skip entity
reference nodes to avoid a use-after-free.
Fixes#550.
There's too much code which assumes that if ctxt->value is non-null,
a value can be successfully popped off the stack. This assumption can
break with stack frames when malloc fails.
Instead of trying to fix all call sites, remove the stack frame logic.
It only offered very little protection against misbehaving extension
functions. We already check the stack size after a function call which
should be enough.
Found by OSS-Fuzz.
After 6a12be77, valuePop can fail even if ctxt->value is non-NULL.
If it turns out that too much code relies on this assumption, a better
fix is needed.
Destroy the first argument in xmlXPathNodeSetMerge if the function
fails. This is somewhat dangerous but matches the expectations of users.
Found with libFuzzer, see #344.
Destroy the string in xmlXPathWrapString if the function fails. This is
somewhat dangerous but matches the expectations of users.
Found with libFuzzer, see #344.
Destroy the object in valuePush if the function fails. This is somewhat
dangerous but matches the expectations of users.
Found with libFuzzer, see #344.
Destroy the node set in xmlXPathWrapNodeSet if the function fails.
This is somewhat dangerous but matches the expectations of users.
Found with libFuzzer, see #344.
In xpath.c there's a lot of code like:
valuePush(ctxt, xmlCacheNewX());
...
valuePop(ctxt);
If xmlCacheNewX fails, no value will be pushed on the stack. If there's
no error check in between, valuePop will pop an unrelated value which
can lead to use-after-free errors.
Instead of trying to fix all call sites, we simply stop popping values
if an error was signaled. This requires to change the CHECK_TYPE macro
which is often used to determine whether a value can be safely popped.
Found with libFuzzer, see #344.
