mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-03-13 20:58:16 +03:00

4591 Commits

Author SHA1 Message Date
Daniel Veillard
a7a94612aa Heap-based buffer overread in xmlNextChar
For https://bugzilla.gnome.org/show_bug.cgi?id=759671

when the end of the internal subset isn't properly detected
xmlParseInternalSubset should just return instead of trying
to process input further.
CVE-2016-1762
2016-02-09 12:55:29 +01:00
Daniel Veillard
6657afe83a Release of libxml2-2.9.3
* configure.ac: updated
* doc/*: regenerated
v2.9.3
2015-11-20 17:55:11 +08:00
Hugh Davenport
8fb4a77007 CVE-2015-8242 Buffer overread with HTML parser in push mode
For https://bugzilla.gnome.org/show_bug.cgi?id=756372
Error in the code pointing to the codepoint in the stack for the
current char value instead of the pointer in the input that the SAX
callback expects
Reported and fixed by Hugh Davenport
CVE-2015-8242
2015-11-20 17:16:06 +08:00
Daniel Veillard
f1063fdbe7 CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
For https://bugzilla.gnome.org/show_bug.cgi?id=756525
handle properly the case where we popped out of the current entity
while processing a start tag
Reported by Kostya Serebryany @ Google

This slightly modifies the output of 754946 in regression tests
CVE-2015-7500
2015-11-20 16:06:59 +08:00
Daniel Veillard
fdfeecc1b7 Bug on creating new stream from entity
sometimes the entity could have a length of 0, i.e. it wasn't
parsed or used yet, and we ended up with an incoherent input state
2015-11-20 15:07:38 +08:00
Daniel Veillard
3bd6ae147e Fix some loop issues embedding NEXT
Next can switch the parser back to XML_PARSER_EOF state, we
need to consider those in loops consuming input
2015-11-20 15:06:02 +08:00
Daniel Veillard
35bcb1d758 Detect incoherency on GROW
the current pointer to the input has to be between the base and end;
if not, stop everything: we have an internal state error.
CVE-2015-7499-2
2015-11-20 15:04:09 +08:00
Daniel Veillard
ce0b0d0d81 Do not print error context when there is none
Which now happens more frequently due to xmlHaltParser use
2015-11-20 15:01:22 +08:00
Daniel Veillard
e3b1597421 Reuse xmlHaltParser() where it makes sense
Unify the various places where either xmlStopParser was called
(which resets the error as a side effect) and places where we
used ctxt->instate = XML_PARSER_EOF to stop further processing
2015-11-20 14:59:30 +08:00
Daniel Veillard
28cd9cb747 Add xmlHaltParser() to stop the parser
The problem is doing it in a consistent and safe fashion
It's more complex than just setting ctxt->instate = XML_PARSER_EOF
Update the public function to reuse that new internal routine
CVE-2015-7499-1
2015-11-20 14:55:30 +08:00
David Drysdale
69030714cd CVE-2015-5312 Another entity expansion issue
For https://bugzilla.gnome.org/show_bug.cgi?id=756733
It is one case where the code in place to detect entities expansions
failed to exit when the situation was detected, leading to DoS
Problem reported by Kostya Serebryany @ Google
Patch provided by David Drysdale @ Google
CVE-2015-5312
2015-11-20 11:18:22 +08:00
David Drysdale
6360a31a84 CVE-2015-7497 Avoid a heap buffer overflow in xmlDictComputeFastQKey
For https://bugzilla.gnome.org/show_bug.cgi?id=756528
It was possible to hit a negative offset in the name indexing
used to randomize the dictionary key generation
Reported and fix provided by David Drysdale @ Google
CVE-2015-7497
2015-11-20 10:47:12 +08:00
Daniel Veillard
53ac9c9649 xmlStopParser reset errNo
I had used it in contexts where that information ought to be preserved
2015-11-09 18:16:00 +08:00
Daniel Veillard
afd27c21f6 Avoid processing entities after encoding conversion failures
For https://bugzilla.gnome.org/show_bug.cgi?id=756527
and was also raised by Chromium team in the past

When we hit a conversion failure when switching encoding
it is better to stop parsing there; this was treated as a
fatal error but the parser was continuing to process to extract
more errors, unfortunately that makes little sense as the data
is obviously corrupt and can potentially lead to unexpected behaviour.
CVE-2015-7498
2015-11-09 18:07:18 +08:00
Hugh Davenport
ab2b9a93ff Avoid extra processing of MarkupDecl when EOF
For https://bugzilla.gnome.org/show_bug.cgi?id=756263

One place where ctxt->instate == XML_PARSER_EOF which was set up
by entity detection issues doesn't get noticed, and is even overridden
2015-11-03 20:40:49 +08:00
Daniel Veillard
18b8988511 Reenable xz support by default
For https://bugzilla.gnome.org/show_bug.cgi?id=757466

problem was introduced by commit f3f86ff465c92c79f834d7b981f3c7274a8bb5c8
for https://bugzilla.gnome.org/show_bug.cgi?id=711026
2015-11-03 15:46:29 +08:00
Daniel Veillard
f0709e3ca8 CVE-2015-8035 Fix XZ compression support loop
For https://bugzilla.gnome.org/show_bug.cgi?id=757466
DoS when parsing specially crafted XML document if XZ support
is compiled in (which wasn't the case for 2.9.2 and master since
Nov 2013, fixed in next commit !)
CVE-2015-8035
2015-11-03 15:31:25 +08:00
Daniel Veillard
e724879d96 Fix parsing short unclosed comment uninitialized access
For https://bugzilla.gnome.org/show_bug.cgi?id=746048
The HTML parser was too optimistic when processing comments and
didn't check for the end of the stream on the first 2 characters
2015-10-30 21:14:55 +08:00
Daniel Veillard
41ac9049a2 Fix an error in previous Conditional section patch
an off-by-one mistake in the change led to errors on correct
documents where the end of the included entity was exactly
the end of the conditional section, leading to regtest failure
CVE-2015-7942-2
2015-10-27 10:53:44 +08:00
Alex Henrie
73c50805d9 Correct spelling of "calling"
2015-10-26 18:33:14 +08:00
Fabien Degomme
b40c19405e Fix a small error in xmllint --format description
Obviously it operates on the output not the input
2015-10-23 19:35:02 +08:00
Daniel Veillard
bd0526e66a Another variation of overflow in Conditional sections
Which happens after the previous fix to
https://bugzilla.gnome.org/show_bug.cgi?id=756456

But stopping the parser and exiting we didn't pop the intermediary entities
and doing the SKIP there applies on an input which may be too small
CVE-2015-7942
2015-10-23 19:02:28 +08:00
Gaurav Gupta
cf77e60515 Add missing Null check in xmlParseExternalEntityPrivate
For https://bugzilla.gnome.org/show_bug.cgi?id=755857

a case where we check for NULL but not everywhere
2015-09-30 14:46:29 +02:00
Daniel Veillard
4a5d80aded Fix a bug in CData error handling in the push parser
For https://bugzilla.gnome.org/show_bug.cgi?id=754947

The checking function was returning incorrect args in some cases
Adds the test to the reg suite and fix one of the existing test output
2015-09-18 15:06:46 +08:00
Daniel Veillard
51f02b0a03 Fix a bug on name parsing at the end of current input buffer
For https://bugzilla.gnome.org/show_bug.cgi?id=754946

When hitting the end of the current input buffer while parsing
a name we could end up losing the beginning of the name, which
led to various issues.
2015-09-15 16:50:32 +08:00
Daniel Veillard
ef709ce2f7 Fix the spurious ID already defined error
For https://bugzilla.gnome.org/show_bug.cgi?id=737840
the fix for 724903 introduced a regression on external entities carrying
IDs, revert that patch in part and add a specific test to avoid re-adding it
2015-09-10 19:46:46 +08:00
Nick Wellnhofer
3eaedba1b6 Fix previous change to node sort order
Commit ba58f23 broke comparison of nodes from different documents.
Thanks to Olli Pottonen for the report.
2015-07-11 14:27:34 +02:00
Daniel Veillard
73b2d73df8 Avoid XSS on the search of xmlsoft.org
query string need to be escaped before being displayed back
2015-07-03 20:58:33 +08:00
Daniel Veillard
140c251e8e Recover unescaped less-than character in HTML recovery parsing
As pointed by Christian Schoenebeck <schoenebeck@crudebyte.com>
on the list and based on some of his early patches, this preserves
content when unescaped opening angle brackets are not escaped in
textual content like:
  <p>  a < b </p>
  <p> a <0 </p>
  <p> a <=0 </p>

while still reporting the error.
2015-06-30 11:36:28 +08:00
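As an added illustration of the recovery rule these three cases suggest (example code written for this page, not libxml2's HTML parser): a minimal text scanner that keeps a `<` as literal text when the next byte cannot start markup, while still counting it as an error. The name-start test used here (letter, `/`, `!` or `?`) and the function names are this example's own assumptions, not rules taken from the commit.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libxml2 code. Scan a run of HTML text starting at p,
 * copying it into out (size outsz). A '<' followed by a letter, '/', '!' or '?'
 * is treated as real markup and ends the run (this example's assumption). Any
 * other '<' is an unescaped angle bracket: it is kept in the output and counted
 * in *errors, so content survives while the error is still reported.
 * Returns the number of input bytes consumed. */
static size_t scan_text(const char *p, char *out, size_t outsz, int *errors)
{
    size_t i = 0, o = 0;

    while (p[i] != '\0' && o + 1 < outsz) {
        if (p[i] == '<') {
            unsigned char next = (unsigned char)p[i + 1];
            if (isalpha(next) || next == '/' || next == '!' || next == '?')
                break;          /* genuine tag start: the text run ends here */
            (*errors)++;        /* recover: keep the '<' as character data */
        }
        out[o++] = p[i++];
    }
    out[o] = '\0';
    return i;
}

/* Constructed inputs taken from the commit message; each ends in a real tag. */
static const char *const samples[] = { "a < b </p>", "a <0 </p>", "a <=0 </p>" };

/* Runs scan_text over sample k, writing the recovered text to out and
 * returning the number of recovered '<' characters, or -1 if the scan did not
 * stop at a real tag. */
int recover_sample(int k, char *out, size_t outsz)
{
    int errors = 0;
    size_t used = scan_text(samples[k], out, outsz, &errors);
    return (samples[k][used] == '<') ? errors : -1;
}

int main(void)
{
    char buf[64];
    for (int k = 0; k < 3; k++) {
        int n = recover_sample(k, buf, sizeof buf);
        printf("text=\"%s\" recovered_lt=%d\n", buf, n);
    }
    return 0;
}
```

Each sample yields exactly one recovered `<` and the text before the real `</p>` is kept intact, which is the behaviour the commit describes: content preserved, error still reported.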
Scott Graham
58b84e1f82 Fix a self assignment issue raised by clang
For https://bugzilla.gnome.org/show_bug.cgi?id=751679

Also added a few newline cleanups
2015-06-30 10:47:16 +08:00
Daniel Veillard
709a952110 Fail parsing early on if encoding conversion failed
For https://bugzilla.gnome.org/show_bug.cgi?id=751631

If we fail converting the current input stream while
processing the encoding declaration of the XMLDecl
then it's safer to just abort there and not try to
report further errors.
CVE-2015-8317
2015-06-29 16:10:26 +08:00
Daniel Veillard
9aa37588ee Do not process encoding values if the declaration if broken
For https://bugzilla.gnome.org/show_bug.cgi?id=751603

If the string is not properly terminated do not try to convert
to the given encoding.
2015-06-29 09:08:25 +08:00
Michael Catanzaro
b02a167af3 Silence clang's -Wunknown-attribute
Clang doesn't have perfect feature compatibility with GCC,
unfortunately.

https://bugzilla.gnome.org/show_bug.cgi?id=747870
2015-04-26 16:00:05 -05:00
Patrick Monnerat
22b0415a89 os400: fix various ILE/RPG types definitions. Adjust build scripts.
- A typo caused an undefined symbol reference.
- A structure field name did not match the corresponding C name due to a typo.
- Some structured fields were not properly aligned.
- The long/ulong types were wrongly mapped to 64-bit types.
- A typo in a /include directive caused a compilation error.
- Doc files copy now converts from UTF-8 and split long lines.
- Adjust /include file name mapping translation for proper prefix handling.
2015-04-16 16:04:06 +08:00
Daniel Veillard
213f1fe0d7 CVE-2015-1819 Enforce the reader to run in constant memory
One of the operations on the reader could resolve entities
leading to the classic expansion issue. Make sure the
buffer used for xmlreader operation is bounded.
Introduce a new allocation type for the buffers for this effect.
CVE-2015-1819
2015-04-14 17:41:48 +08:00
Martin von Gagern
8985cde709 xmlMemUsed is not thread-safe
For https://bugzilla.gnome.org/show_bug.cgi?id=747437
just use the mutex to protect access to those variables
2015-04-13 16:32:14 +08:00
Shaun McCance
7607d9dd45 Allow HTML serializer to output HTML5 DOCTYPE
For https://bugzilla.gnome.org/show_bug.cgi?id=747301

Use simple HTML5 DOCTYPE for about:legacy-compat

HTML5 uses a DOCTYPE without a PUBLIC or SYSTEM identifier. It looks
like this:

<!DOCTYPE html>

I can't use XSLT to output this, because to get a DOCTYPE I have to
provide a PUBLIC or SYSTEM identifier. Luckily, the standards folks
recognized this and provided this semantically equivalent form for the
HTML DOCTYPE:

<!DOCTYPE html SYSTEM "about:legacy-compat">

But people don't like seeing the "legacy" identifier in their output.
They'd rather see the shiny new DOCTYPE. Since we know that
about:legacy-compat is defined by the W3C to be semantically equivalent
to the sans-SYSTEM DOCTYPE, we could just special-case it in the HTML
serializer in libxml2. So if you set the SYSTEM identifier to
"about:legacy-compat", you get an HTML5 short-form DOCTYPE.
2015-04-03 22:52:36 +08:00
Daniel Veillard
2fab235d10 Fix support for except in nameclasses
For https://bugzilla.gnome.org/show_bug.cgi?id=565219

The code was simply missing even if simple, added a few regression
tests.
2015-03-16 08:43:37 +08:00
Nick Wellnhofer
02b252d7a2 Regression test for bug #695699
2015-03-08 17:00:37 +01:00
Nick Wellnhofer
342658a132 Add a couple of XPath tests
2015-03-08 16:46:04 +01:00
Nick Wellnhofer
ba58f23c60 Fix order of root nodes
Make sure root nodes are sorted before other nodes.
2015-03-08 16:44:11 +01:00
Nick Wellnhofer
f6aaabce85 Allow attributes on descendant-or-self axis
If the context node is an attribute, the attribute itself is on the
descendant-or-self axis. The principal node type of this axis is element,
so the only node test that can return the attribute is "node()". In other
words, "@attr/descendant-or-self::node()" is equivalent to "@attr".

This matches the behavior of Saxon-CE.
2015-03-08 16:25:52 +01:00
Steve Nairn
620a70615e Fix the fix to Windows locking
For https://bugzilla.gnome.org/show_bug.cgi?id=737851

Unfortunately this change has introduced a problem which results in
occasional hangs on Windows when running multi-threaded on a multi-core
host.

When locking the xmlRMutex the count field is incremented inside the
critical section but when unlocking the count field is decremented
outside the critical section. The increment/decrement is not atomic so
this can result in the count field being updated incorrectly.

The solution is to change xmlRMutexUnlock to decrement the count field
before leaving the critical section rather than after.
2015-03-03 19:42:01 +08:00
Christopher Swenson
9b987f8c98 Fix timsort invariant loop re: Envisage article
See http://envisage-project.eu/proving-android-java-and-python-sorting-algorithm-is-broken-and-how-to-fix-it/

We use a "runLen" array of size 128, so it should be nearly impossible
to have our implementation overflow.

But in any case, the fix is relatively simple -- checking two extra
conditions in the invariant calculation.

I also took this opportunity to remove some redundancy in the
left/right merge logic in the invariant loop.
2015-02-27 14:55:49 +08:00
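As an added illustration of the invariant problem from the Envisage article (example code written for this page, not libxml2's timsort.h): this simulates only the run-length stack that merge_collapse maintains, with the original top-three check beside the corrected one, and replays the article's counterexample run lengths 120, 80, 25, 20, 30. The merge_collapse shape follows the Java/CPython variant the article analyses; the stack size, the function names and the invariant_holds check are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not libxml2 code. Only run lengths are tracked; nothing is
 * actually sorted. MAX_RUNS mirrors the fixed-size stack idea from the commit. */
#define MAX_RUNS 128

typedef struct {
    size_t len[MAX_RUNS];
    int n;
} run_stack;

/* Merge runs i and i+1: lengths add, runs above shift down. */
static void merge_at(run_stack *s, int i)
{
    s->len[i] += s->len[i + 1];
    for (int j = i + 1; j < s->n - 1; j++)
        s->len[j] = s->len[j + 1];
    s->n--;
}

/* Original merge_collapse: inspects only the top three runs. */
static void collapse_broken(run_stack *s)
{
    while (s->n > 1) {
        int n = s->n - 2;
        if (n > 0 && s->len[n - 1] <= s->len[n] + s->len[n + 1]) {
            if (s->len[n - 1] < s->len[n + 1]) n--;
            merge_at(s, n);
        } else if (s->len[n] <= s->len[n + 1]) {
            merge_at(s, n);
        } else {
            break;
        }
    }
}

/* Fixed merge_collapse: the extra condition also checks the run below, so the
 * invariant is re-established for the whole stack, not just its top. */
static void collapse_fixed(run_stack *s)
{
    while (s->n > 1) {
        int n = s->n - 2;
        if ((n > 0 && s->len[n - 1] <= s->len[n] + s->len[n + 1]) ||
            (n > 1 && s->len[n - 2] <= s->len[n - 1] + s->len[n])) {
            if (s->len[n - 1] < s->len[n + 1]) n--;
            merge_at(s, n);
        } else if (s->len[n] <= s->len[n + 1]) {
            merge_at(s, n);
        } else {
            break;
        }
    }
}

/* The timsort invariant: len[i] > len[i+1] + len[i+2] and len[i] > len[i+1]
 * for every position, which is what bounds the stack depth. */
static int invariant_holds(const run_stack *s)
{
    for (int i = 0; i + 1 < s->n; i++) {
        if (s->len[i] <= s->len[i + 1]) return 0;
        if (i + 2 < s->n && s->len[i] <= s->len[i + 1] + s->len[i + 2]) return 0;
    }
    return 1;
}

/* Push run lengths one at a time, collapsing after each push as timsort does.
 * Returns 1 if the invariant holds at the end, 0 if it was lost, -1 on overflow. */
static int push_all(run_stack *s, const size_t *runs, int count,
                    void (*collapse)(run_stack *))
{
    s->n = 0;
    for (int i = 0; i < count; i++) {
        if (s->n == MAX_RUNS) return -1;
        s->len[s->n++] = runs[i];
        collapse(s);
    }
    return invariant_holds(s);
}

/* Constructed counterexample from the Envisage write-up. */
static const size_t counterexample[] = { 120, 80, 25, 20, 30 };

int demo_broken(void) { run_stack s; return push_all(&s, counterexample, 5, collapse_broken); }
int demo_fixed(void)  { run_stack s; return push_all(&s, counterexample, 5, collapse_fixed); }

int main(void)
{
    printf("original check keeps invariant: %d\n", demo_broken());
    printf("fixed check keeps invariant:    %d\n", demo_fixed());
    return 0;
}
```

With the original check the stack ends as 120, 80, 45, 30, where 120 is not greater than 80 + 45, so the depth bound the run stack relies on no longer holds; with the extra condition the same input collapses all the way to a single run. A fixed-size stack of 128 entries makes an actual overflow impractical, as the commit notes, but the invariant is what justifies that size in the first place.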
Daniel Veillard
9b8512337d Cleanup conditional section error handling
For https://bugzilla.gnome.org/show_bug.cgi?id=744980

The error handling of Conditional Section also needs to be
straightened as the structure of the document can't be
guessed on a failure there and it's better to stop parsing
as further errors are likely to be irrelevant.
CVE-2015-7941_2
2015-02-23 11:29:20 +08:00
Daniel Veillard
a7dfab7411 Stop parsing on entities boundaries errors
For https://bugzilla.gnome.org/show_bug.cgi?id=744980

There are times, like on unterminated entities, that it's preferable to
stop parsing, even if that means less error reporting. Entities are
feeding the parser on further processing, and if they are ill defined
then it's possible to get the parser to bug. Also do the same on
Conditional Sections if the input is broken, as the structure of
the document can't be guessed.
CVE-2015-7941_1
2015-02-23 11:17:35 +08:00
Tomas Radej
fb8e9e212f Add Python 3 rpm subpackage
Allow compilation and packaging of both python2 and python3
when present
2015-02-18 22:47:13 +08:00
Samuel Martin
3211973961 libxml2-config.cmake.in: update include directories
Align the include directories on those from the pkg-config module.

Signed-off-by: Samuel Martin <s.martin49@gmail.com>
2015-02-13 01:53:07 +01:00
Nick Wellnhofer
220a7baeee Don't add IDs in xmlSetTreeDoc
This partially reverts my previous commit fixing bug #741919.
2014-12-23 21:28:37 +01:00
Michael Heimpold
fff8a6b87e threads: use forward declarations only for glibc
Fixes bug #704908

The declarations of pthread functions, used to generate weak references
to them, fail to suppress macros. Thus, if any pthread function has
been provided as a macro, compiling threads.c will fail.
This breaks on musl libc, which defines pthread_equal as a macro (in
addition to providing the function, as required).

Prevent the declarations for e.g. musl libc by refining the condition.

The idea for this solution was borrowed from the alpine linux guys, see
http://git.alpinelinux.org/cgit/aports/tree/main/libxml2/libxml2-pthread.patch

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2014-12-22 11:12:12 +08:00