- 25 May, 2022 3 commits
-
-
David Kilzer authored
Remove the following functions:
  - xmlBufAddHead()
  - xmlBufErase()
  - xmlBufInflate()
  - xmlBufWriteCHAR()
  - xmlBufWriteChar()
-
David Kilzer authored
Introduced in commit 6c283d83.
-
When changing `doc` on an xmlNodePtr or xmlAttrPtr, certain fields must either be a free-standing string, or they must be owned by `doc->dict`. The code to make this change was simply missing, so the crash happened when an xmlAttrPtr was being torn down after `doc` changed from non-NULL to NULL, but the `name` field was not copied. This is scenario 1 below.

The xmlNodePtr->name and xmlNodePtr->content fields are also fixed at the same time. Note that xmlNodePtr->content is never added to the dictionary, so NULL is used instead of `newDict` to force a free-standing copy.

This change covers all cases of dictionary changes:
  1. Owned by old dictionary -> NULL new dictionary
     - Create free-standing copy of string.
  2. Owned by old dictionary -> Non-NULL new dictionary
     - Get string from new dictionary pool.
  3. Not owned by old dictionary -> Non-NULL new dictionary
     - No action necessary (already a free-standing string).
  4. Not owned by old dictionary -> NULL new dictionary
     - No action necessary (already a free-standing string).

* tree.c:
(_copyStringForNewDictIfNeeded): Add.
(xmlSetTreeDoc):
  - Update xmlNodePtr->name, xmlNodePtr->content and xmlAttrPtr->name when changing the document, if needed.

Found by OSS-Fuzz Issue 45132.
-
- 20 May, 2022 2 commits
-
-
Nick Wellnhofer authored
Otherwise, the initial node of the copy could be a text node with a NULL document. This results in the NULL document being propagated to copies of other nodes, losing information about the dictionary in which node data is stored, and freeing a dict-allocated string. See discussion in !175.
-
Nick Wellnhofer authored
Avoids hangs when trying to make network connections.
-
- 18 May, 2022 1 commit
-
-
David Kilzer authored
Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser

When creating an xmlTextReaderPtr using xmlReaderForMemory(), there are two optional API functions that can be used:
  - xmlTextReaderClose() may be called prior to calling xmlFreeTextReader() to free parsing resources and close the xmlTextReaderPtr without freeing it.
  - xmlTextReaderCurrentDoc() may be called to return an xmlDocPtr that's owned by the caller, and must be freed using xmlFreeDoc() after calling xmlFreeTextReader().

The use-after-free issues occur when calling xmlTextReaderClose() before xmlFreeTextReader(), with different issues occurring depending on whether xmlTextReaderCurrentDoc() is also called.

* xmlreader.c:
(xmlFreeTextReader):
  - Move code to xmlTextReaderClose(), remove duplicate code, and call xmlTextReaderClose() if it hasn't been called yet.
(xmlTextReaderClose):
  - Move call to xmlFreeNode(reader->faketext) from xmlFreeTextReader() to fix a use-after-free bug when calling xmlTextReaderClose() before xmlFreeTextReader(), but not when using xmlTextReaderCurrentDoc(). The bug was introduced in 2002 by commit beb70bd3. In 2009 commit f4653dcd fixed the use-after-free that occurred every time xmlFreeTextReader() was called, but not the case where xmlTextReaderClose() was called first.
  - Move post-parsing validation code from xmlFreeTextReader() to fix a second use-after-free when calling xmlTextReaderClose() before xmlFreeTextReader(). This regressed in v2.9.10 with commit 57a3af56.
-
- 14 May, 2022 1 commit
-
-
David Kilzer authored
Patch by J Pascoe of Apple.

* HTMLtree.c:
(htmlDocContentDumpFormatOutput):
  - Prior to commit b79ab6e6, xmlDoc.type was set to XML_HTML_DOCUMENT_NODE before dumping the HTML output, then restored before returning.
-
- 06 May, 2022 3 commits
-
-
Joey Arhar authored
The xptr_locs flag was added in commit 67070107 but no flag was added to win32/configure.js, leading to a compile error I had on Windows where the @WITH_XPTR_LOCS@ macro was not replaced properly on Windows.
-
Mehltretter Karl authored
-
Mehltretter Karl authored
-
- 02 May, 2022 1 commit
-
-
Nick Wellnhofer authored
In several places, the code handling string buffers didn't check for integer overflow or used wrong types for buffer sizes. This could result in out-of-bounds writes or other memory errors when working on large, multi-gigabyte buffers. Thanks to Felix Wilhelm for the report.
-
- 27 Apr, 2022 1 commit
-
-
Nick Wellnhofer authored
xmlstring.h includes stdarg.h, so it must be included after defining macros like _FILE_OFFSET_BITS.
-
- 23 Apr, 2022 5 commits
-
-
Nick Wellnhofer authored
Fixes #370.
-
Nick Wellnhofer authored
Regressed in commit c61e1273.
-
Nick Wellnhofer authored
This would result in an error, aborting the whole copy operation. Regressed in commit 7618a3b1. Fixes #371.
-
Nick Wellnhofer authored
-
Mike Gilbert authored
Fixes an error when running tests in a sandbox on Gentoo Linux. Bug: https://bugs.gentoo.org/839804
-
- 21 Apr, 2022 5 commits
-
-
Nick Wellnhofer authored
-
Nick Wellnhofer authored
-
Nick Wellnhofer authored
There's no simple way to make the doc/examples tests handle different configurations. But these tests aren't especially valuable, so remove the result file checks.
-
-
Nick Wellnhofer authored
Add a new configuration flag that controls whether the outdated support for XPointer locations (ranges and points) is enabled.

    --with-xptr-locs          # Autotools
    LIBXML2_WITH_XPTR_LOCS    # CMake

The latest spec for what is essentially an XPath extension seems to be this working draft from 2002: https://www.w3.org/TR/xptr-xpointer/

The xpointer() scheme is listed as "being reviewed" in the XPointer registry since at least 2006. libxml2 seems to be the only modern software that tries to implement this spec, but the code has many bugs and quality issues.

The flag defaults to "off" and support for this extension has to be requested explicitly. The relevant API functions are deprecated.
-
- 20 Apr, 2022 5 commits
-
-
Nick Wellnhofer authored
-
Nick Wellnhofer authored
-
Nick Wellnhofer authored
Sync with Autotools build.
-
Nick Wellnhofer authored
-
Nick Wellnhofer authored
Move configure_file(config.h) below pthreads check. Fix regression caused by commit f5659a12.
-
- 13 Apr, 2022 6 commits
-
-
Nick Wellnhofer authored
-
Nick Wellnhofer authored
-
Nick Wellnhofer authored
Sync with Autotools build.
-
Nick Wellnhofer authored
These modules are disabled by default. Enable them when testing.
-
Nick Wellnhofer authored
Add more deprecated functions to avoid compiler warnings when building the Python bindings.
-
Nick Wellnhofer authored
Only check for pthread.h if threads are enabled. Fixes #367.
-
- 11 Apr, 2022 1 commit
-
-
David Kilzer authored
* HTMLparser.c:
(htmlSkipBlankChars):
* parser.c:
(xmlSkipBlankChars):
  - Cap the return value at INT_MAX.
  - The commit range that OSS-Fuzz listed for the fix didn't make any changes to xmlSkipBlankChars(), so it seems like this issue may still exist.

Found by OSS-Fuzz Issue 44803.
-
- 10 Apr, 2022 2 commits
-
-
* buf.c:
(xmlBufCreate):
(xmlBufCreateSize):
(xmlBufDetach):
(xmlBufCreateStatic):
(xmlBufFromBuffer):
-
Nick Wellnhofer authored
Commit 7618a3b1 didn't account for coalesced text nodes. I think it would be better if xmlStaticCopyNode didn't try to coalesce text nodes at all. This code path can only be triggered if some other code doesn't coalesce text nodes properly. In this case, OSS-Fuzz found such behavior in xinclude.c.
-
- 08 Apr, 2022 2 commits
-
-
Nick Wellnhofer authored
Sync with recent Autotools change.
-
- 07 Apr, 2022 2 commits
-
-
David Kilzer authored
Similar to 8f571037, mark more static data structures with `const` keyword. Also fix placement of `const` in encoding.c. Original patch by Sarah Wilkin.
-
* valid.c:
(xmlCopyDocElementContent):
  - Set `tmp->parent` properly to fix a leak that occurs in xmlFreeDocElementContent().
  - Appears to be a regression from cee2b3a5.

Found by OSS-Fuzz Issue 44509.
-