1. 04 Jul, 2017 2 commits
  2. 20 Jun, 2017 6 commits
      Fix NULL deref in xmlParseExternalEntityPrivate · 3eef3f39
      Nick Wellnhofer authored
      If called from xmlParseExternalEntity, oldctxt is NULL which leads to
      a NULL deref if an error occurs. This only affects external code that
      calls xmlParseExternalEntity.
      
      Patch from David Kilzer with minor changes.
      
      Fixes bug 780159.
      Get rid of "blanks wrapper" for parameter entities · 872fea94
      Nick Wellnhofer authored
      Now that replacement of parameter entities goes exclusively through
      xmlSkipBlankChars, we can account for the surrounding space characters
      there and remove the "blanks wrapper" hack.
      Make sure not to call IS_BLANK_CH when parsing the DTD · d9e43c7d
      Nick Wellnhofer authored
      This is required to get rid of the "blanks wrapper" hack. Checking the
      return value of xmlSkipBlankChars is more efficient, too.
      Remove unnecessary calls to xmlPopInput · 453dff1e
      Nick Wellnhofer authored
      It's enough if xmlPopInput is called from xmlSkipBlankChars. Since the
      replacement text of a parameter entity is surrounded with space
      characters, that's the only place where the replacement can end in a
      well-formed document.
      
      This is also required to get rid of the "blanks wrapper" hack.
      Simplify handling of parameter entity references · aa267cd1
      Nick Wellnhofer authored
      There are only two places where parameter entity references must be
      handled. For the internal subset in xmlParseInternalSubset. For the
      external subset or content from other external PEs in xmlSkipBlankChars.
      
      Make sure that xmlSkipBlankChars skips over sequences of PEs and
      whitespace. Rely on xmlSkipBlankChars instead of calling
      xmlParsePEReference directly when in the external subset or a
      conditional section.
      
      xmlParserHandlePEReference is unused now.
      Fix xmlHaltParser · 24246c76
      Nick Wellnhofer authored
      Pop all extra input streams before resetting the input. Otherwise,
      a call to xmlPopInput could make input available again.
      
      Also set input->end to input->cur.
      
      Changes the test output for some error tests. Unfortunately, some
      fuzzed test cases were added to the test suite without manual cleanup.
      This makes it almost impossible to review the impact of later changes
      on the test output.
  3. 19 Jun, 2017 2 commits
      Fix pathological performance when outputting charrefs · e5107772
      Nick Wellnhofer authored
      If a character can't be represented in the output encoding, it is
      converted to a character reference. This used to replace the
      character in the input stream by calling xmlBufAddHead or
      xmlBufferAddHead. These functions shifted the entire input array
      around, leading to quadratic performance when converting a run of
      non-representable characters. This is most pronounced when dumping to
      memory.
      
      Output the charref directly instead.
      
      Found with libFuzzer.
      Deduplicate code in encoding.c · c9ccbd6a
      Nick Wellnhofer authored
      Introduce static functions xmlEncInputChunk and xmlEncOutputChunk
      that handle the internal/iconv/ICU branching.
  4. 18 Jun, 2017 1 commit
  5. 17 Jun, 2017 12 commits
      Spelling and grammar fixes · 8bbe4508
      Nick Wellnhofer authored
      Fixes bug 743172, bug 743489, bug 769632, bug 782400 and a few other
      misspellings.
      Make HTML parser functions take const pointers · 576912fa
      Nick Wellnhofer authored
      The 'cur' parameter of htmlParseDoc and htmlSAXParseDoc should be
      'const xmlChar *'.
      
      Fixes bug 770650.
      Build test programs only when needed · 988a5a3b
      Nick Wellnhofer authored
      Add test programs to 'check_PROGRAMS' instead of 'noinst_PROGRAMS'.
      
      Fixes bug 760457.
      Fix doc/examples/index.py · b9b4b6b5
      Nick Wellnhofer authored
      In my previous commit that silenced some test output I didn't realize
      that doc/examples/Makefile.am was autogenerated.
      
      Also make index.py output deterministic by sorting the glob results.
      Fix compiler warnings in threads.c · 1f09aea2
      Nick Wellnhofer authored
      Use '#pragma weak' to declare weak functions.
      Fix empty-body warning in nanohttp.c · 629e47e7
      Nick Wellnhofer authored
      Fix cast-align warnings · 1a595cd1
      Nick Wellnhofer authored
      - Suppress warnings in xmlmemory.c by casting to 'void *'.
      - Remove unneeded cast in xmlschemas.c that caused a macro precedence
        error.
      - Add dummy fields to short structs in xmlschemas.c. This increases the
        size of the structs, but I can't see a better solution without using
        C11's _Alignof operator.
      
      There are still a couple of cast-align warnings in encoding.c. These
      are legitimate portability issues that can't be fixed without reworking
      the conversion functions.
      Fix unused-parameter warnings · 81c01ee9
      Nick Wellnhofer authored
      Fix invalid-source-encoding warnings in testWriter.c · 1ce1f785
      Nick Wellnhofer authored
      Use hex escapes instead of binary data in source file.
      Rework entity boundary checks · 5f440d8c
      Nick Wellnhofer authored
      Make sure to finish all entities in the internal subset. Nevertheless,
      re-add a sanity check in xmlParseStartTag2 that was lost in my previous
      commit. Also add a sanity check in xmlPopInput. Popping an input
      unexpectedly was the source of many recent memory bugs. The check
      doesn't mitigate such issues but helps with diagnosis.
      
      Always base entity boundary checks on the input ID, not the input
      pointer. The pointer could have been reallocated to the old address.
      
      Always throw a well-formedness error if a boundary check fails. In a
      few places, a validity error was thrown.
      
      Fix a few error codes and improve indentation.
      Don't switch encoding for internal parameter entities · 46dc9890
      Nick Wellnhofer authored
      This is only needed for external entities. Trying to switch the encoding
      for internal entities could also cause a memory leak in recovery mode.
      Merge duplicate code paths handling PE references · 03904159
      Nick Wellnhofer authored
      xmlParsePEReference is essentially a subset of
      xmlParserHandlePEReference, so make xmlParserHandlePEReference call
      xmlParsePEReference. The code paths in these functions differed
      slightly, but the code from xmlParserHandlePEReference seems more solid
      and tested.
  6. 16 Jun, 2017 3 commits
  7. 12 Jun, 2017 4 commits
      Treat URIs with scheme as absolute in C14N · 3939178e
      Nick Wellnhofer authored
      Fixes bug 783656.
      Misc fixes for 'make tests' · 67f9f9d6
      Nick Wellnhofer authored
      - Silence test output.
      - Clean up after doc/examples tests.
      - Adjust expected output for script tests.
      - Add missing results for relaxng/pattern3.
      
      There are still two test failures I can't comment on:
      
      - regexp/bug316338
      - schemas/any4_0
      Initialize keepBlanks in HTML parser · 0b2d5c48
      Nick Wellnhofer authored
      This caused failures in the HTML push tests but the fix required to
      change the expected output of the HTML SAX tests.
      Add test cases for bug 758518 · 85c112a0
      David Kilzer authored
      test/HTML/758518-entity.html exposed a bug in pushParseTest() in
      runtest.c which assumed that an input file was at least 4 bytes long.
      That test case is only 3 bytes, so we now take the minimum of 4 bytes
      or the length of the test input.  We also now use 'chunkSize' in place
      of the hard-coded value '1024' later in the function.
  8. 11 Jun, 2017 3 commits
  9. 10 Jun, 2017 7 commits
      Print error messages for truncated UTF-8 sequences · 79c8a6b1
      Nick Wellnhofer authored
      Before, truncated UTF-8 sequences at the end of a file were treated as
      EOF. Create an error message containing the offending bytes.
      
      xmlStringCurrentChar would also print characters from the input stream,
      not the string it's working on.
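The two behaviours described in the commits above, reporting a truncated UTF-8 sequence with its offending bytes instead of treating it as EOF (79c8a6b1) and writing character references straight to the output in a single forward pass instead of rewriting the input buffer (e5107772), as an added example. This is illustration code written for this page, not libxml2's encoding.c or parserInternals.c; the function names, the ISO-8859-1 target, the `&#xHHHH;` format and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { U8_OK = 0, U8_TRUNCATED = 1, U8_INVALID = 2 };

/* Decode one UTF-8 sequence from in[0..len). Sets *cp and *consumed on
 * success. If the buffer ends inside a sequence that was valid so far, return
 * U8_TRUNCATED with *consumed = number of bytes available, so the caller can
 * report them instead of silently treating them as end of input. */
static int utf8_decode(const unsigned char *in, size_t len,
                       unsigned *cp, size_t *consumed)
{
    size_t need, avail, i;
    unsigned c = in[0];

    if (c < 0x80) { *cp = c; *consumed = 1; return U8_OK; }
    if ((c & 0xE0) == 0xC0)      { need = 2; *cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { need = 3; *cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { need = 4; *cp = c & 0x07; }
    else { *consumed = 1; return U8_INVALID; }

    avail = len < need ? len : need;
    for (i = 1; i < avail; i++) {
        if ((in[i] & 0xC0) != 0x80) { *consumed = i; return U8_INVALID; }
        *cp = (*cp << 6) | (in[i] & 0x3F);
    }
    if (len < need) { *consumed = len; return U8_TRUNCATED; }
    /* Overlong forms, surrogates and values beyond U+10FFFF are not valid. */
    if ((need == 2 && *cp < 0x80) || (need == 3 && *cp < 0x800) ||
        (need == 4 && (*cp < 0x10000 || *cp > 0x10FFFF)) ||
        (*cp >= 0xD800 && *cp <= 0xDFFF)) {
        *consumed = need;
        return U8_INVALID;
    }
    *consumed = need;
    return U8_OK;
}

/* Growable output buffer: appends are amortised O(1), never a head insert
 * that would shift everything already written. */
typedef struct { char *data; size_t len, cap; } outbuf;

static int ob_put(outbuf *ob, const char *s, size_t n)
{
    if (ob->len + n + 1 > ob->cap) {
        size_t ncap = ob->cap ? ob->cap : 64;
        char *p;
        while (ncap < ob->len + n + 1) ncap *= 2;
        p = realloc(ob->data, ncap);
        if (p == NULL) return -1;
        ob->data = p;
        ob->cap = ncap;
    }
    memcpy(ob->data + ob->len, s, n);
    ob->len += n;
    ob->data[ob->len] = '\0';
    return 0;
}

/* Convert UTF-8 to ISO-8859-1 in one forward pass. Code points above 0xFF
 * become &#xHHHH; written directly to the output, so a run of N
 * non-representable characters costs O(N), not O(N^2). Returns a malloc'd
 * string, or NULL with a message in err naming the offending bytes. */
static char *utf8_to_latin1_charrefs(const unsigned char *in, size_t len,
                                     char *err, size_t errsz)
{
    outbuf ob = { NULL, 0, 0 };
    size_t pos = 0;

    if (errsz) err[0] = '\0';
    if (ob_put(&ob, "", 0) < 0) return NULL;
    while (pos < len) {
        unsigned cp;
        size_t n, i, off;
        char ref[16];
        int rc = utf8_decode(in + pos, len - pos, &cp, &n);

        if (rc != U8_OK) {
            off = (size_t)snprintf(err, errsz, "%s UTF-8 sequence at byte %zu:",
                                   rc == U8_TRUNCATED ? "truncated" : "invalid", pos);
            for (i = 0; i < n && off < errsz; i++)
                off += (size_t)snprintf(err + off, errsz - off, " 0x%02X", in[pos + i]);
            free(ob.data);
            return NULL;
        }
        if (cp < 0x100) {
            char b = (char)cp;
            if (ob_put(&ob, &b, 1) < 0) goto oom;
        } else {
            int k = snprintf(ref, sizeof ref, "&#x%X;", cp);
            if (ob_put(&ob, ref, (size_t)k) < 0) goto oom;
        }
        pos += n;
    }
    return ob.data;
oom:
    free(ob.data);
    return NULL;
}

int main(void)
{
    /* Constructed inputs: "caf\u00e9 \u20ac" and the same text cut off inside the euro sign. */
    const unsigned char ok[] = "caf\xC3\xA9 \xE2\x82\xAC";
    const unsigned char cut[] = "caf\xC3\xA9 \xE2\x82";
    char err[128];
    char *s = utf8_to_latin1_charrefs(ok, sizeof ok - 1, err, sizeof err);
    if (s != NULL) { printf("%s\n", s); free(s); }
    if (utf8_to_latin1_charrefs(cut, sizeof cut - 1, err, sizeof err) == NULL)
        printf("%s\n", err);
    return 0;
}
```

The error path keeps the exact bytes that failed to decode, which is what makes a truncated sequence distinguishable from a clean EOF in a log or a fuzzer crash report.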
      Fix potential infinite loop in xmlStringLenDecodeEntities · fb2f518c
      Nick Wellnhofer authored
      Make sure that xmlParseStringPEReference advances the "str" pointer
      even if the parser was stopped. Otherwise xmlStringLenDecodeEntities
      can loop infinitely.
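The failure mode in the commit above, a decoding loop that spins forever because the reference handler does not advance the string pointer once the parser has been stopped, as an added example with the guard a practitioner would want. This is illustration code written for this page, not libxml2's xmlStringLenDecodeEntities or xmlParseStringPEReference; the entity table, the `pstate` flags and the `buggy` switch that reproduces the defect class are constructed for the example, and the semantics of "stopped" are simplified to "expand nothing but still consume the reference".

```c
#include <stdio.h>
#include <string.h>

/* Constructed parameter-entity table for the example. */
static const struct { const char *name; const char *value; } pe_table[] = {
    { "a", "alpha" },
    { "b", "beta" },
};

typedef struct {
    int stopped;  /* set when an error handler halts the parser */
    int stalled;  /* set when the progress guard fires */
} pstate;

static int append(char *out, size_t outsz, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n + 1 > outsz) return -1;
    memcpy(out + *len, s, n);
    *len += n;
    return 0;
}

/* Parse one "%name;" reference at str and append its replacement text.
 * Always returns a pointer past the reference, even when the parser is
 * stopped or the name is unknown. With 'buggy' set it reproduces the defect
 * class: on a stopped parser it returns str unchanged. */
static const char *parse_pe_ref(const char *str, pstate *st, char *out,
                                size_t outsz, size_t *len, int buggy)
{
    const char *end = strchr(str + 1, ';');
    size_t n, i;

    if (end == NULL) {              /* unterminated reference: fatal */
        st->stopped = 1;
        return buggy ? str : str + strlen(str);
    }
    if (st->stopped)                /* stopped: expand nothing, but consume */
        return buggy ? str : end + 1;
    n = (size_t)(end - (str + 1));
    for (i = 0; i < sizeof pe_table / sizeof pe_table[0]; i++) {
        if (strlen(pe_table[i].name) == n &&
            strncmp(pe_table[i].name, str + 1, n) == 0) {
            if (append(out, outsz, len, pe_table[i].value) < 0)
                st->stopped = 1;
            return end + 1;
        }
    }
    st->stopped = 1;                /* undeclared PE: error handler halts */
    return end + 1;
}

/* Expand references in str into out. Returns bytes written, or -1 if the
 * loop guard caught an iteration that consumed no input. */
static int expand_pe_refs(const char *str, char *out, size_t outsz,
                          pstate *st, int buggy)
{
    size_t len = 0;
    if (outsz == 0) return -1;
    while (*str != '\0') {
        const char *prev = str;
        if (*str == '%') {
            str = parse_pe_ref(str, st, out, outsz, &len, buggy);
        } else {
            if (len + 1 >= outsz) { st->stopped = 1; break; }
            out[len++] = *str++;
        }
        if (str == prev) {          /* guard: no progress is a bug, not more work */
            st->stalled = 1;
            out[len] = '\0';
            return -1;
        }
    }
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[64];
    pstate st = { 0, 0 };
    pstate stopped = { 1, 0 };
    int n = expand_pe_refs("x%a;y%b;", buf, sizeof buf, &st, 0);
    printf("%d %s\n", n, buf);
    n = expand_pe_refs("%a;", buf, sizeof buf, &stopped, 1);
    printf("%d stalled=%d\n", n, stopped.stalled);
    return 0;
}
```

The real fix is the handler always advancing; the `str == prev` guard is defence in depth so that a future regression of the same kind surfaces as an error rather than a hang, which is also what a fuzzer's timeout detector would otherwise be the first to notice.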
      Remove useless check in xmlParseAttributeListDecl · 4ba8cc85
      Nick Wellnhofer authored
      Since we already successfully parsed the attribute name and other
      items, it is guaranteed that we made progress in the input stream.
      
      Comparing the input pointer to a previous value also looks fragile to
      me. What if the input buffer was reallocated and the new "cur" pointer
      happens to be the same as the old one? There are a couple of similar
      checks which also take "consumed" into account. This seems to be safer
      but I'm not convinced that it couldn't lead to false alarms in rare
      situations.
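The concern raised in the commit above (comparing the input pointer to an earlier value is fragile because a reallocated buffer can land at the old address) and the fix chosen in 5f440d8c (base entity boundary checks on the input ID, and make an unexpected pop diagnosable) together, as an added example. This is illustration code written for this page, not libxml2's input stack; the `xinput`/`xparser` types and the fixed-slot pool are constructed so that address reuse is deterministic, standing in for a general-purpose allocator that happens to hand back a just-freed chunk.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4

/* One parser input (an entity's replacement text). The id comes from a
 * counter that is never reused, so two inputs can share an address but
 * never an id. */
typedef struct {
    int id;
    const char *name;
    int in_use;
} xinput;

/* Input stack backed by a fixed pool. Freed slots are handed out again
 * lowest-index-first, which models a malloc returning a just-freed chunk. */
typedef struct {
    xinput pool[POOL_SIZE];
    xinput *stack[POOL_SIZE];
    int depth;
    int next_id;
} xparser;

static void parser_init(xparser *p)
{
    memset(p, 0, sizeof *p);
    p->next_id = 1;
}

static xinput *push_input(xparser *p, const char *name)
{
    int i;
    if (p->depth >= POOL_SIZE)
        return NULL;
    for (i = 0; i < POOL_SIZE; i++) {
        if (!p->pool[i].in_use) {
            xinput *in = &p->pool[i];
            in->in_use = 1;
            in->name = name;
            in->id = p->next_id++;
            p->stack[p->depth++] = in;
            return in;
        }
    }
    return NULL;
}

/* Returns -1 when there is nothing to pop: an unexpected pop is an internal
 * error worth reporting rather than silently ignoring. */
static int pop_input(xparser *p)
{
    xinput *in;
    if (p->depth == 0)
        return -1;
    in = p->stack[--p->depth];
    in->in_use = 0;
    in->name = NULL;
    return 0;
}

static xinput *cur_input(const xparser *p)
{
    return p->depth > 0 ? p->stack[p->depth - 1] : NULL;
}

/* Boundary check by pointer: fragile, because the address can be reused. */
static int in_same_entity_by_ptr(const xparser *p, const xinput *saved)
{
    return cur_input(p) == saved;
}

/* Boundary check by id: robust, because ids are never reused. 0 means an
 * entity boundary was crossed, which the parser reports as a WF error. */
static int in_same_entity_by_id(const xparser *p, int saved_id)
{
    const xinput *c = cur_input(p);
    return c != NULL && c->id == saved_id;
}

/* Scenario: a construct starts inside entity A; before it ends, A is popped
 * and entity B is pushed into A's freed slot. Returns 1 when the pointer
 * check is fooled while the id check is not. */
static int pointer_check_is_fooled(void)
{
    xparser p;
    const xinput *a, *b;
    int saved_id;

    parser_init(&p);
    push_input(&p, "document");
    a = push_input(&p, "A");
    saved_id = a->id;
    pop_input(&p);
    b = push_input(&p, "B");
    return b == a && in_same_entity_by_ptr(&p, a) &&
           !in_same_entity_by_id(&p, saved_id);
}

/* Control: no boundary crossed, both checks agree. */
static int checks_agree_without_crossing(void)
{
    xparser p;
    const xinput *a;
    parser_init(&p);
    push_input(&p, "document");
    a = push_input(&p, "A");
    return in_same_entity_by_ptr(&p, a) && in_same_entity_by_id(&p, a->id);
}

int main(void)
{
    xparser p;
    parser_init(&p);
    printf("pointer check fooled: %d\n", pointer_check_is_fooled());
    printf("checks agree without crossing: %d\n", checks_agree_without_crossing());
    printf("pop on empty stack: %d\n", pop_input(&p));
    return 0;
}
```

The same reasoning applies to the "did we make progress" checks mentioned in the commit: a pointer that equals its old value proves nothing after a reallocation, whereas a monotonically increasing counter (an input id, or bytes consumed) cannot be aliased.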
      Reset parser input pointers on encoding failure · f9e7997e
      Nick Wellnhofer authored
      Call xmlBufResetInput before bailing out if switching the encoding
      fails. Otherwise, the input pointers are left in an invalid state.
      This would typically lead to an internal error in xmlGROW but could also
      cause other unforeseen problems.
      Fix memory leak in xmlParseEntityDecl error path · bedbef80
      Nick Wellnhofer authored
      When parsing the entity value, it can happen that an external entity
      with an unsupported encoding is loaded and the parser is stopped. This
      would lead to a memory leak.
      
      A custom SAX callback could also stop the parser.
      
      Found with libFuzzer and ASan.
      Allow zero sized memory input buffers · 94f6ce83
      Nick Wellnhofer authored
      Useful for a fuzz target I'm working on.
      Fix xmlBuildRelativeURI for URIs starting with './' · 91e54967
      Nick Wellnhofer authored
      If the relative URI started with './', the 'pos' index was increased
      which also affected indexing into the base path. Aside from producing
      wrong results, this could also lead to a heap overread of the base
      path buffer. The data read from beyond the buffer was only compared
      to some char values, so this is mostly harmless.
      
      Inside libxml2, xmlBuildRelativeURI is only called from xinclude.c.
      
      Found with libFuzzer and ASan.