1
0
mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-13 20:58:16 +03:00

471 Commits

Author SHA1 Message Date
Nick Wellnhofer
69936b129f Revert "Print error messages for truncated UTF-8 sequences"
This reverts commit 79c8a6b which caused a serious regression in
streaming mode.

Also reverts part of commit 52ceced "Fix infinite loops with push
parser in recovery mode".

Fixes bug 786554.
2017-08-30 14:19:06 +02:00
Nick Wellnhofer
899a5d9f0e Detect infinite recursion in parameter entities
When expanding a parameter entity in a DTD, infinite recursion could
lead to an infinite loop or memory exhaustion.

Thanks to Wei Lei for the first of many reports.

Fixes bug 759579.
2017-07-25 15:21:12 +02:00
Nick Wellnhofer
872fea9485 Get rid of "blanks wrapper" for parameter entities
Now that replacement of parameter entities goes exclusively through
xmlSkipBlankChars, we can account for the surrounding space characters
there and remove the "blanks wrapper" hack.
2017-06-20 13:19:47 +02:00
Nick Wellnhofer
24246c7626 Fix xmlHaltParser
Pop all extra input streams before resetting the input. Otherwise,
a call to xmlPopInput could make input available again.

Also set input->end to input->cur.

Changes the test output for some error tests. Unfortunately, some
fuzzed test cases were added to the test suite without manual cleanup.
This makes it almost impossible to review the impact of later changes
on the test output.
2017-06-20 13:15:43 +02:00
Nick Wellnhofer
8bbe4508ef Spelling and grammar fixes
Fixes bug 743172, bug 743489, bug 769632, bug 782400 and a few other
misspellings.
2017-06-17 16:34:23 +02:00
Nick Wellnhofer
5f440d8cad Rework entity boundary checks
Make sure to finish all entities in the internal subset. Nevertheless,
readd a sanity check in xmlParseStartTag2 that was lost in my previous
commit. Also add a sanity check in xmlPopInput. Popping an input
unexpectedly was the source of many recent memory bugs. The check
doesn't mitigate such issues but helps with diagnosis.

Always base entity boundary checks on the input ID, not the input
pointer. The pointer could have been reallocated to the old address.

Always throw a well-formedness error if a boundary check fails. In a
few places, a validity error was thrown.

Fix a few error codes and improve indentation.
2017-06-17 13:25:53 +02:00
Nick Wellnhofer
dbaab1f369 Test SAX2 callbacks with entity substitution
This detects regressions like bug 760367.
2017-06-16 21:38:57 +02:00
Nick Wellnhofer
67f9f9d6c8 Misc fixes for 'make tests'
- Silence test output.
- Clean up after doc/examples tests.
- Adjust expected output for script tests.
- Add missing results for relaxng/pattern3

There are still two test failures I can't comment on:

- regexp/bug316338
- schemas/any4_0
2017-06-12 19:46:56 +02:00
Nick Wellnhofer
0b2d5c48e3 Initialize keepBlanks in HTML parser
This caused failures in the HTML push tests but the fix required to
change the expected output of the HTML SAX tests.
2017-06-12 19:11:54 +02:00
David Kilzer
85c112a082 Add test cases for bug 758518
test/HTML/758518-entity.html exposed a bug in pushParseTest() in
runtest.c which assumed that an input file was at least 4 bytes long.
That test case is only 3 bytes, so we now take the minimum of 4 bytes
or the length of the test input.  We also now use 'chunkSize' in place
of the hard-coded value '1024' later in the function.
2017-06-12 18:26:11 +02:00
Nick Wellnhofer
79c8a6b105 Print error messages for truncated UTF-8 sequences
Before, truncated UTF-8 sequences at the end of a file were treated as
EOF. Create an error message containing the offending bytes.

xmlStringCurrentChar would also print characters from the input stream,
not the string it's working on.
2017-06-10 18:11:58 +02:00
Nick Wellnhofer
932cc9896a Fix buffer size checks in xmlSnprintfElementContent
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.

Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).

Thanks to Marcel Böhme and Thuan Pham for the report.
2017-06-05 19:38:19 +02:00
Nick Wellnhofer
e26630548e Fix handling of parameter-entity references
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.

Percent sign in DTD Names
=========================

The NEXTL macro used to call xmlParserHandlePEReference. When parsing
"complex" names inside the DTD, this could result in entity expansion
which created a new input buffer. The fix is to simply remove the call
to xmlParserHandlePEReference from the NEXTL macro. This is safe because
no users of the macro require expansion of parameter entities.

- xmlParseNameComplex
- xmlParseNCNameComplex
- xmlParseNmtoken

The percent sign is not allowed in names, which are grammatical tokens.

- xmlParseEntityValue

Parameter-entity references in entity values are expanded but this
happens in a separate step in this function.

- xmlParseSystemLiteral

Parameter-entity references are ignored in the system literal.

- xmlParseAttValueComplex
- xmlParseCharDataComplex
- xmlParseCommentComplex
- xmlParsePI
- xmlParseCDSect

Parameter-entity references are ignored outside the DTD.

- xmlLoadEntityContent

This function is only called from xmlStringLenDecodeEntities and
entities are replaced in a separate step immediately after the function
call.

This bug could also be triggered with an internal subset and double
entity expansion.

This fixes bug 766956 initially reported by Wei Lei and independently by
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
involved.

xmlParseNameComplex with XML_PARSE_OLD10
========================================

When parsing Names inside an expanded parameter entity with the
XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
GROW macro if the input buffer was exhausted. At the end of the
parameter entity's replacement text, this function would then call
xmlPopInput which invalidated the input buffer.

There should be no need to invoke GROW in this situation because the
buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
at least for UTF-8, in xmlCurrentChar. This also matches the code path
executed when XML_PARSE_OLD10 is not set.

This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
Thanks to Marcel Böhme and Thuan Pham for the report.

Additional hardening
====================

A separate check was added in xmlParseNameComplex to validate the
buffer size.
2017-06-05 18:38:33 +02:00
Nick Wellnhofer
7482f41f61 Check for integer overflow in xmlXPathFormatNumber
Check for overflow before casting double to int.

Found with afl-fuzz and UBSan.
2017-06-01 22:00:19 +02:00
Nick Wellnhofer
855c19efb7 Avoid reparsing in xmlParseStartTag2
The code in xmlParseStartTag2 must handle the case that the input
buffer was grown and reallocated which can invalidate pointers to
attribute values. Before, this was handled by detecting changes of
the input buffer "base" pointer and, in case of a change, jumping
back to the beginning of the function and reparsing the start tag.

The major problem of this approach is that whether an input buffer is
reallocated is nondeterministic, resulting in seemingly random test
failures. See the mailing list thread "runtest mystery bug: name2.xml
error case regression test" from 2012, for example.

If a reallocation was detected, the code also made no attempts to
continue parsing in case of errors which makes a difference in
the lax "recover" mode.

Now we store the current input buffer "base" pointer for each (not
separately allocated) attribute in the namespace URI field, which isn't
used until later. After the whole start tag was parsed, the pointers
to the attribute values are reconstructed using the offset between the
new and the old input buffer. This relies on arithmetic on dangling
pointers which is technically undefined behavior. But it seems like
the easiest and most efficient fix and a similar approach is used in
xmlParserInputGrow.

This changes the error output of several tests, typically making it
more verbose because we try harder to continue parsing in case of
errors.

(Another possible solution is to check not only the "base" pointer
but the size of the input buffer as well. But this would result in
even more reparsing.)
2017-06-01 14:31:28 +02:00
Nick Wellnhofer
f4029cd413 Check XPath exponents for overflow
Avoid undefined behavior and wrong results with huge exponents.

Found with afl-fuzz and UBSan.
2017-05-31 16:04:37 +02:00
Nick Wellnhofer
a58331a6ee Check for overflow in xmlXPathIsPositionalPredicate
Avoid undefined behavior when casting from double to int.

Found with afl-fuzz and UBSan.
2017-05-31 16:04:26 +02:00
Nick Wellnhofer
a851868a75 Parse small XPath numbers more accurately
Don't count leading zeros towards the fraction size limit. This allows
to parse numbers like

    0.0000000000000000000000000000000000000000000000000000000001

which is the only standard-conformant way to represent such numbers, as
scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath
2.0 and in libxml2 as an extension, though.)

Overall accuracy is still bad, see bug 783238.
2017-05-31 15:46:29 +02:00
Nick Wellnhofer
4bebb030db Rework XPath rounding functions
Use the C library's floor and ceil functions. The old code was overly
complicated for no apparent reason and could result in undefined
behavior when handling NaNs (found with afl-fuzz and UBSan).

Fix wrong comment in xmlXPathRoundFunction. The implementation was
already following the spec and rounding half up.
2017-05-31 15:38:42 +02:00
Nick Wellnhofer
40f5852149 Fix axis traversal from attribute and namespace nodes
When traversing the "preceding" axis from an attribute node, we must
first go up to the attribute's containing element. Otherwise, text
children of other attributes could be returned. This made it possible
to hit a code path in xmlXPathNextAncestor which contained another bug:
The attribute node was initialized with the context node instead of the
current node. Normally, this code path is only hit via
xmlXPathNextAncestorOrSelf in which case the current and context node
are the same.

The combination of the two bugs could result in an infinite loop, found
with libFuzzer.

Traversing the "following" and the "preceding" axis from namespace nodes
should be handled similarly. This wasn't supported at all previously.
2017-05-31 14:57:46 +02:00
Nick Wellnhofer
9ab01a277d Fix XPointer paths beginning with range-to
The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.
2016-10-12 13:12:18 +02:00
Nick Wellnhofer
d8083bf779 Fix NULL pointer deref in XPointer range-to
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.

Found with afl-fuzz.
2016-06-25 14:24:51 +02:00
Pranjal Jumde
0bcd05c5cd Heap-based buffer overread in htmlCurrentChar
For https://bugzilla.gnome.org/show_bug.cgi?id=758606

* parserInternals.c:
(xmlNextChar): Add an test to catch other issues on ctxt->input
corruption proactively.
For non-UTF-8 charsets, xmlNextChar() failed to check for the end
of the input buffer and would continuing reading.  Fix this by
pulling out the check for the end of the input buffer into common
code, and return if we reach the end of the input buffer
prematurely.
* result/HTML/758606.html: Added.
* result/HTML/758606.html.err: Added.
* result/HTML/758606.html.sax: Added.
* result/HTML/758606_2.html: Added.
* result/HTML/758606_2.html.err: Added.
* result/HTML/758606_2.html.sax: Added.
* test/HTML/758606.html: Added test case.
* test/HTML/758606_2.html: Added test case.
2016-05-23 15:01:07 +08:00
David Kilzer
0090675905 Heap-based buffer-underreads due to xmlParseName
For https://bugzilla.gnome.org/show_bug.cgi?id=759573

* parser.c:
(xmlParseElementDecl): Return early on invalid input to fix
non-minimized test case (759573-2.xml).  Otherwise the parser
gets into a bad state in SKIP(3) at the end of the function.
(xmlParseConditionalSections): Halt parsing when hitting invalid
input that would otherwise caused xmlParserHandlePEReference()
to recurse unexpectedly.  This fixes the minimized test case
(759573.xml).

* result/errors/759573-2.xml: Add.
* result/errors/759573-2.xml.err: Add.
* result/errors/759573-2.xml.str: Add.
* result/errors/759573.xml: Add.
* result/errors/759573.xml.err: Add.
* result/errors/759573.xml.str: Add.
* test/errors/759573-2.xml: Add.
* test/errors/759573.xml: Add.
2016-05-23 15:01:07 +08:00
Pranjal Jumde
38eae57111 Heap use-after-free in xmlSAX2AttributeNs
For https://bugzilla.gnome.org/show_bug.cgi?id=759020

* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change.  Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.
2016-05-23 15:01:07 +08:00
Hugh Davenport
beca86e8c8 Detect change of encoding when parsing HTML names
From https://bugzilla.gnome.org/show_bug.cgi?id=758518

Happens when a file has a name getting parsed, but no valid encoding
set, so libxml has to guess what the encoding is. This patch detects
when the buffer location changes, and if it does, restarts the parsing
of the name.

This slightly change a couple of regression tests output
2016-05-23 15:01:07 +08:00
Pranjal Jumde
45752d2c33 Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398>
* parser.c:
(xmlParseNCNameComplex): Store start position instead of a
pointer to the name since the underlying buffer may change,
resulting in a stale pointer being used.
* result/errors/759398.xml: Added.
* result/errors/759398.xml.err: Added.
* result/errors/759398.xml.str: Added.
* test/errors/759398.xml: Added test case.
2016-05-23 15:01:07 +08:00
Pranjal Jumde
a820dbeac2 Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605>
Reviewed by David Kilzer.

* HTMLparser.c:
(htmlParseName): Add bounds check.
(htmlParseNameComplex): Ditto.
* result/HTML/758605.html: Added.
* result/HTML/758605.html.err: Added.
* result/HTML/758605.html.sax: Added.
* runtest.c:
(pushParseTest): The input for the new test case was so small
(4 bytes) that htmlParseChunk() was never called after
htmlCreatePushParserCtxt(), thereby creating a false positive
test failure.  Fixed by using a do-while loop so we always call
htmlParseChunk() at least once.
* test/HTML/758605.html: Added.
2016-05-23 15:01:07 +08:00
David Kilzer
db07dd613e Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588>
* parser.c:
(xmlParseEndTag2): Add bounds checks before dereferencing
ctxt->input->cur past the end of the buffer, or incrementing the
pointer past the end of the buffer.

* result/errors/758588.xml: Add test result.
* result/errors/758588.xml.err: Ditto.
* result/errors/758588.xml.str: Ditto.
* test/errors/758588.xml: Add regression test.
2016-05-23 15:01:07 +08:00
Nick Wellnhofer
6eb0894a96 Fix memory leak with XPath namespace nodes
Set hasNsNodes to 1 when adding namespace nodes via XP_TEST_HIT.
2016-05-05 17:38:27 +02:00
Nick Wellnhofer
82b73039dc Fix namespace axis traversal
When the namespace axis is traversed in "toBool" mode, the traversal
can exit early, before visiting all nodes. In this case, the XPath
context still contains a non-NULL tmpNsList.

This means that

- the check when to start a new traversal was wrong and
- the tmpNsList could be leaked.

Fixes bug #750037 and, by accident, bug #756075:

https://bugzilla.gnome.org/show_bug.cgi?id=750037
https://bugzilla.gnome.org/show_bug.cgi?id=756075
2016-05-05 15:30:00 +02:00
Nick Wellnhofer
839689a9a8 Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression
The ch1 slot of OP_VALUEs contains an invalid value. Ignore it.

Fixes bug #760325:

https://bugzilla.gnome.org/show_bug.cgi?id=760325
2016-04-27 18:05:06 +02:00
Nick Wellnhofer
f39fd66ea7 Fix namespace::node() XPath expression
Make sure that xmlXPathNodeSetAddNs is called for namespace nodes when
matched with a namespace::node() step. This correctly sets the parent
of namespace nodes. Note that xmlXPathNodeSetAddNs must only be called
if working on the namespace axis. Otherwise, the context node is not
the parent of the namespace node and the standard XP_TEST_HIT macro
must be invoked. This explains the errors in the C14N tests that the
old TODO comment mentioned.
2016-04-27 11:21:35 +02:00
Nick Wellnhofer
e289390362 Fix parsing of NCNames in XPath
The NCName parser would allow any NameChar as start character. For
example, the following XPath expressions would compile:

    self::-abc
    self::0abc
    self::.abc
2016-04-23 19:12:47 +02:00
Audric Schiltknecht
cad102b861 Do normalize string-based datatype value in RelaxNG facet checking
Original patch is from Jan Pokorný <jpokorny redhat com>
https://mail.gnome.org/archives/xml/2013-November/msg00028.html

Improve it according to reviews and add test files.
2016-04-15 22:41:24 +08:00
David Kilzer
5be1a6e8e0 Bug 760861: REGRESSION (bf9c1dad): Missing results for test/schemas/regexp-char-ref_[01].xsd <https://bugzilla.gnome.org/show_bug.cgi?id=760861>
Add missing test results to fix the following errors when
running "make Schemastests":

    ## Schemas regression tests
    diff: ./result/schemas/regexp-char-ref_0_0.err: No such file or directory
    diff: ./result/schemas/regexp-char-ref_1_0.err: No such file or directory

* result/schemas/regexp-char-ref_0_0.err: Added.
* result/schemas/regexp-char-ref_1_0.err: Added.
2016-04-08 10:33:09 +08:00
David Kilzer
49bbfdb6c9 Add missing RNG test files
For https://bugzilla.gnome.org/show_bug.cgi?id=760249

Add missing test results from Bug 710744 for commit
6473a41a49601da8355c4b407b99474ada170213.
2016-04-08 10:20:22 +08:00
David Kilzer
4f8606c13c Bug 760183: REGRESSION (v2.9.3): XML push parser fails with bogus UTF-8 encoding error when multi-byte character in large CDATA section is split across buffer <https://bugzilla.gnome.org/show_bug.cgi?id=760183>
* parser.c:
(xmlCheckCdataPush): Add 'complete' argument to describe whether
the buffer passed in is the whole CDATA buffer, or if there is
more data to parse.  If there is more data to parse, don't
return a negative value for an invalid multi-byte UTF-8
character that is split between buffers.
(xmlParseTryOrFinish): Pass 'complete' argument to
xmlCheckCdataPush() as appropriate.

* result/cdata-2-byte-UTF-8.xml: Added.
* result/cdata-2-byte-UTF-8.xml.rde: Added.
* result/cdata-2-byte-UTF-8.xml.rdr: Added.
* result/cdata-2-byte-UTF-8.xml.sax: Added.
* result/cdata-2-byte-UTF-8.xml.sax2: Added.
* result/cdata-3-byte-UTF-8.xml: Added.
* result/cdata-3-byte-UTF-8.xml.rde: Added.
* result/cdata-3-byte-UTF-8.xml.rdr: Added.
* result/cdata-3-byte-UTF-8.xml.sax: Added.
* result/cdata-3-byte-UTF-8.xml.sax2: Added.
* result/cdata-4-byte-UTF-8.xml: Added.
* result/cdata-4-byte-UTF-8.xml.rde: Added.
* result/cdata-4-byte-UTF-8.xml.rdr: Added.
* result/cdata-4-byte-UTF-8.xml.sax: Added.
* result/cdata-4-byte-UTF-8.xml.sax2: Added.
* result/noent/cdata-2-byte-UTF-8.xml: Added.
* result/noent/cdata-3-byte-UTF-8.xml: Added.
* result/noent/cdata-4-byte-UTF-8.xml: Added.
* test/cdata-2-byte-UTF-8.xml: Added.
* test/cdata-3-byte-UTF-8.xml: Added.
* test/cdata-4-byte-UTF-8.xml: Added.
- Add tests and results.  Only 'make Readertests XMLPushtests'
  fails prior to the fix.
2016-04-08 10:18:52 +08:00
Daniel Veillard
a7a94612aa Heap-based buffer overread in xmlNextChar
For https://bugzilla.gnome.org/show_bug.cgi?id=759671

when the end of the internal subset isn't properly detected
xmlParseInternalSubset should just return instead of trying
to process input further.
2016-02-09 12:55:29 +01:00
Daniel Veillard
f1063fdbe7 CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
For https://bugzilla.gnome.org/show_bug.cgi?id=756525
handle properly the case where we popped out of the current entity
while processing a start tag
Reported by Kostya Serebryany @ Google

This slightly modifies the output of 754946 in regression tests
2015-11-20 16:06:59 +08:00
Daniel Veillard
4a5d80aded Fix a bug in CData error handling in the push parser
For https://bugzilla.gnome.org/show_bug.cgi?id=754947

The checking function was returning incorrect args in some cases
Adds the test to teh reg suite and fix one of the existing test output
2015-09-18 15:06:46 +08:00
Daniel Veillard
51f02b0a03 Fix a bug on name parsing at the end of current input buffer
For https://bugzilla.gnome.org/show_bug.cgi?id=754946

When hitting the end of the current input buffer while parsing
a name we could end up loosing the beginning of the name, which
led to various issues.
2015-09-15 16:50:32 +08:00
Daniel Veillard
ef709ce2f7 Fix the spurious ID already defined error
For https://bugzilla.gnome.org/show_bug.cgi?id=737840
the fix for 724903 introduced a regression on external entities carrying
IDs, revert that patch in part and add a specific test to avoid readding it
2015-09-10 19:46:46 +08:00
Daniel Veillard
2fab235d10 Fix support for except in nameclasses
For https://bugzilla.gnome.org/show_bug.cgi?id=565219

The code was imply missing even if simple, added a few regression
tests.
2015-03-16 08:43:37 +08:00
Nick Wellnhofer
02b252d7a2 Regression test for bug #695699 2015-03-08 17:00:37 +01:00
Nick Wellnhofer
342658a132 Add a couple of XPath tests 2015-03-08 16:46:04 +01:00
Nick Wellnhofer
f6aaabce85 Allow attributes on descendant-or-self axis
If the context node is an attribute, the attribute itself is on the
descendant-or-self axis. The principal node type of this axis is element,
so the only node test that can return the attribute is "node()". In other
words, "@attr/descendant-or-self::node()" is equivalent to "@attr".

This matches the behavior of Saxon-CE.
2015-03-08 16:25:52 +01:00
Daniel Veillard
df23f584fd Adding example from bugs 738805 to regression tests
For https://bugzilla.gnome.org/show_bug.cgi?id=738805

Tortuous test case provided by pierre.labastie@neuf.fr
2014-10-23 13:52:47 +08:00
Shaun McCance
6473a41a49 Implement choice for name classes on attributes
https://bugzilla.gnome.org/show_bug.cgi?id=710744
2013-11-28 16:09:00 +08:00
Daniel Veillard
dcc1950319 Fix a parsing bug on non-ascii element and CR/LF usage
https://bugzilla.gnome.org/show_bug.cgi?id=698550

Somehow the behaviour of the internal parser routine changed
slightly when encountering CR/LF, which led to a bug when
parsing document with non-ascii Names
2013-05-22 22:56:45 +02:00