1. 06 Jun, 2017 1 commit
  2. 05 Jun, 2017 2 commits
    • Nick Wellnhofer's avatar
      Fix buffer size checks in xmlSnprintfElementContent · 932cc989
      Nick Wellnhofer authored
      xmlSnprintfElementContent failed to correctly check the available
      buffer space in two locations.
      
      Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
      
      Thanks to Marcel Böhme and Thuan Pham for the report.
      932cc989
    • Nick Wellnhofer's avatar
      Fix handling of parameter-entity references · e2663054
      Nick Wellnhofer authored
      There were two bugs where parameter-entity references could lead to an
      unexpected change of the input buffer in xmlParseNameComplex and
      xmlDictLookup being called with an invalid pointer.
      
      Percent sign in DTD Names
      =========================
      
      The NEXTL macro used to call xmlParserHandlePEReference. When parsing
      "complex" names inside the DTD, this could result in entity expansion
      which created a new input buffer. The fix is to simply remove the call
      to xmlParserHandlePEReference from the NEXTL macro. This is safe because
      no users of the macro require expansion of parameter entities.
      
      - xmlParseNameComplex
      - xmlParseNCNameComplex
      - xmlParseNmtoken
      
      The percent sign is not allowed in names, which are grammatical tokens.
      
      - xmlParseEntityValue
      
      Parameter-entity references in entity values are expanded but this
      happens in a separate step in this function.
      
      - xmlParseSystemLiteral
      
      Parameter-entity references are ignored in the system literal.
      
      - xmlParseAttValueCompl...
      e2663054
  3. 01 Jun, 2017 10 commits
    • Nick Wellnhofer's avatar
      Check for integer overflow in xmlXPathFormatNumber · 7482f41f
      Nick Wellnhofer authored
      Check for overflow before casting double to int.
      
      Found with afl-fuzz and UBSan.
      7482f41f
    • Nick Wellnhofer's avatar
      Make Travis print UBSan stacktraces · 863b5792
      Nick Wellnhofer authored
      863b5792
    • Nick Wellnhofer's avatar
      Add .travis.yml · a2b53178
      Nick Wellnhofer authored
      For now this is mainly useful if you work on a fork of the libxml2
      mirror on GitHub:
      
          https://github.com/GNOME/libxml2
      
      Start with two build setups:
      
      - GCC with as many GNU extensions disabled as possible, trying to
        emulate a C89 compiler on a POSIX system.
      
      - clang with ASan and UBSan.
      
      The Python tests don't set an exit code, so Travis won't detect
      failures. The same goes for "make tests", but we only run "make check"
      anyway.
      a2b53178
    • Nick Wellnhofer's avatar
      83212ff4
    • Nick Wellnhofer's avatar
      Avoid reparsing in xmlParseStartTag2 · 855c19ef
      Nick Wellnhofer authored
      The code in xmlParseStartTag2 must handle the case that the input
      buffer was grown and reallocated which can invalidate pointers to
      attribute values. Before, this was handled by detecting changes of
      the input buffer "base" pointer and, in case of a change, jumping
      back to the beginning of the function and reparsing the start tag.
      
      The major problem of this approach is that whether an input buffer is
      reallocated is nondeterministic, resulting in seemingly random test
      failures. See the mailing list thread "runtest mystery bug: name2.xml
      error case regression test" from 2012, for example.
      
      If a reallocation was detected, the code also made no attempts to
      continue parsing in case of errors which makes a difference in
      the lax "recover" mode.
      
      Now we store the current input buffer "base" pointer for each (not
      separately allocated) attribute in the namespace URI field, which isn't
      used until later. After the whole start tag was parsed, the pointers
      to the attribute values are reconstructed using the offset between the
      new and the old input buffer. This relies on arithmetic on dangling
      pointers which is technically undefined behavior. But it seems like
      the easiest and most efficient fix and a similar approach is used in
      xmlParserInputGrow.
      
      This changes the error output of several tests, typically making it
      more verbose because we try harder to continue parsing in case of
      errors.
      
      (Another possible solution is to check not only the "base" pointer
      but the size of the input buffer as well. But this would result in
      even more reparsing.)
      855c19ef
    • Nick Wellnhofer's avatar
      Simplify control flow in xmlParseStartTag2 · 07b7428b
      Nick Wellnhofer authored
      Remove some goto labels and deduplicate a bit of code after handling
      namespaces.
      
      Before:
      
          loop {
              parseAttribute
              if (ok) {
                  if (defaultNamespace) {
                      handleDefaultNamespace
                      if (error)
                          goto skip_default_ns;
                      handleDefaultNamespace
          skip_default_ns:
                      freeAttr
                      nextAttr
                      continue;
                  }
                  if (namespace) {
                      handleNamespace
                      if (error)
                          goto skip_ns;
                      handleNamespace
          skip_ns:
                      freeAttr
                      nextAttr;
                      continue;
                  }
                  handleAttr
              } else {
                  freeAttr
              }
              nextAttr
          }
      
      After:
      
          loop {
              parseAttribute
              if (!ok)
                  goto next_attr;
              if (defaultNamespace) {
                  handleDefaultNamespace
                  if (error)
                      goto next_attr;
                  handleDefaultNamespace
              } else if (namespace) {
                  handleNamespace
                  if (error)
                      goto next_attr;
                  handleNamespace
              } else {
                  handleAttr
              }
          next_attr:
              freeAttr
              nextAttr
          }
      07b7428b
    • Nick Wellnhofer's avatar
      Disable LeakSanitizer when running API tests · ac9a4560
      Nick Wellnhofer authored
      The autogenerated API tests leak memory.
      ac9a4560
    • Nick Wellnhofer's avatar
      Avoid out-of-bound array access in API tests · ff34ba3e
      Nick Wellnhofer authored
      The API tests combine string buffers with arbitrary length values which
      makes ASan detect out-of-bound array accesses. Even without ASan, this
      could lead to unwanted test failures.
      
      Add a check for "len", "size", and "start" arguments, assuming they
      apply to the nearest char pointer. Skip the test if they exceed the
      buffer size. This is a somewhat naive heuristic but it seems to work
      well.
      ff34ba3e
    • Nick Wellnhofer's avatar
      Fix undefined behavior in xmlRegExecPushStringInternal · 34e44567
      Nick Wellnhofer authored
      It's stupid, but the behavior of memcpy(NULL, NULL, 0) is undefined.
      34e44567
    • Nick Wellnhofer's avatar
      Avoid spurious UBSan errors in parser.c · 47496724
      Nick Wellnhofer authored
      If available, use a C99 flexible array member to avoid spurious UBSan
      errors.
      47496724
  4. 31 May, 2017 6 commits
    • Nick Wellnhofer's avatar
      Check XPath exponents for overflow · f4029cd4
      Nick Wellnhofer authored
      Avoid undefined behavior and wrong results with huge exponents.
      
      Found with afl-fuzz and UBSan.
      f4029cd4
    • Nick Wellnhofer's avatar
      Check for overflow in xmlXPathIsPositionalPredicate · a58331a6
      Nick Wellnhofer authored
      Avoid undefined behavior when casting from double to int.
      
      Found with afl-fuzz and UBSan.
      a58331a6
    • Nick Wellnhofer's avatar
      Parse small XPath numbers more accurately · a851868a
      Nick Wellnhofer authored
      Don't count leading zeros towards the fraction size limit. This allows
      to parse numbers like
      
          0.0000000000000000000000000000000000000000000000000000000001
      
      which is the only standard-conformant way to represent such numbers, as
      scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath
      2.0 and in libxml2 as an extension, though.)
      
      Overall accuracy is still bad, see bug 783238.
      a851868a
    • Nick Wellnhofer's avatar
      Rework XPath rounding functions · 4bebb030
      Nick Wellnhofer authored
      Use the C library's floor and ceil functions. The old code was overly
      complicated for no apparent reason and could result in undefined
      behavior when handling NaNs (found with afl-fuzz and UBSan).
      
      Fix wrong comment in xmlXPathRoundFunction. The implementation was
      already following the spec and rounding half up.
      4bebb030
    • Nick Wellnhofer's avatar
      Fix white space in test output · 43f50f4d
      Nick Wellnhofer authored
      Quote echoed variable to avoid newlines being converted to space.
      43f50f4d
    • Nick Wellnhofer's avatar
      Fix axis traversal from attribute and namespace nodes · 40f58521
      Nick Wellnhofer authored
      When traversing the "preceding" axis from an attribute node, we must
      first go up to the attribute's containing element. Otherwise, text
      children of other attributes could be returned. This made it possible
      to hit a code path in xmlXPathNextAncestor which contained another bug:
      The attribute node was initialized with the context node instead of the
      current node. Normally, this code path is only hit via
      xmlXPathNextAncestorOrSelf in which case the current and context node
      are the same.
      
      The combination of the two bugs could result in an infinite loop, found
      with libFuzzer.
      
      Traversing the "following" and the "preceding" axis from namespace nodes
      should be handled similarly. This wasn't supported at all previously.
      40f58521
  5. 27 May, 2017 12 commits
  6. 07 Apr, 2017 4 commits
  7. 12 Oct, 2016 5 commits