- 24 Jan, 2023 (15 commits)
  - Nick Wellnhofer authored: Functions like xmlStrdup are called in the error handling code (__xmlRaiseError), which can cause problems like use-after-free or infinite loops when invoked recursively. Calling xmlErrMemory without a context argument isn't helpful anyway. Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Store xmlRealloc result in temporary variable to avoid null deref in error handler. Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Fix error handling in xmlCtxtGrowAttrs. Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Unfortunately, there's no way to properly report memory errors. Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Memory errors can set `instate` to `XML_PARSER_EOF`, which results in `NEXT` making no progress. Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Also add some error checks. Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Found with libFuzzer, see #344.
  - Nick Wellnhofer authored: Avoid infinite loop. Short-lived regression from f61b8a62. Found with libFuzzer.
  - Nick Wellnhofer authored: Fix -fsanitize=implicit-conversion error. We should probably percent-escape the host name here.
  - Nick Wellnhofer authored: Don't return (size_t) -1 in error case. Found with libFuzzer and -fsanitize=implicit-conversion.
  - Nick Wellnhofer authored: If we try to continue parsing after an error in the internal or external subset, entity expansion accounting gets more complicated. Simply halt the parser. Found with libFuzzer.
  - Nick Wellnhofer authored: Make sure that we never move past the current position in xmlParserPrintFileContextInternal. Found with libFuzzer and -fsanitize=implicit-conversion.
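The "store xmlRealloc result in temporary variable" commit in the 24 Jan group fixes a classic C pitfall: assigning `p = realloc(p, n)` directly loses the old block when the call fails, and any error path that then reads `p` dereferences NULL. The following is an added example and not libxml2 code: a toy growable buffer showing the pattern the commit removes next to the fixed one. The allocator hook, the `buf_t` type and every function name (`hook_realloc`, `grow_unsafe`, `grow_safe`, `report_error`, `simulate_failure`) are assumptions made for this demonstration; the forced allocation failure stands in for what a fuzzer with failure injection would trigger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libxml2 code. The hook below is a constructed stand-in
 * for xmlRealloc that can be told to fail exactly once. dropped_block only
 * exists so this demo can release the memory the unsafe pattern loses;
 * real code has no way to get that pointer back. */
static int fail_next_realloc = 0;
static void *dropped_block = NULL;

static void *hook_realloc(void *p, size_t n) {
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        dropped_block = p;
        return NULL;
    }
    return realloc(p, n);
}

typedef struct {
    char *data;
    size_t len;
    size_t cap;
} buf_t;

/* The pattern the commit removes: the realloc result goes straight into
 * b->data. On failure the old block is unreachable (leaked) and b->data is
 * NULL, so an error handler that inspects the buffer dereferences NULL. */
static int grow_unsafe(buf_t *b, size_t need) {
    if (b->cap >= need)
        return 0;
    b->data = hook_realloc(b->data, need);
    if (b->data == NULL) {
        b->cap = 0;
        return -1;
    }
    b->cap = need;
    return 0;
}

/* The fixed pattern: keep the result in a temporary. On failure b->data
 * still points at the old, valid block, so the error handler can read it
 * and the caller can still free it. */
static int grow_safe(buf_t *b, size_t need) {
    char *tmp;
    if (b->cap >= need)
        return 0;
    tmp = hook_realloc(b->data, need);
    if (tmp == NULL)
        return -1;
    b->data = tmp;
    b->cap = need;
    return 0;
}

/* Stand-in for an error handler that prints context from the buffer.
 * Returns how many bytes it could still read. The NULL check is what keeps
 * the unsafe variant from crashing inside this demonstration. */
static size_t report_error(const buf_t *b) {
    if (b->data == NULL)
        return 0;               /* without this check: NULL dereference */
    return b->len;
}

/* Fill a buffer with constructed content, force the next realloc to fail,
 * grow with the given function and return what the handler could read. */
static size_t simulate_failure(int (*grow)(buf_t *, size_t)) {
    buf_t b = { NULL, 0, 0 };
    size_t readable;

    b.data = malloc(8);
    if (b.data == NULL)
        return 0;
    memcpy(b.data, "abcdefg", 8);
    b.len = 7;
    b.cap = 8;

    fail_next_realloc = 1;
    if (grow(&b, 1024) != 0)
        readable = report_error(&b);
    else
        readable = b.len;

    free(b.data);               /* still valid on the safe path; NULL on the unsafe one */
    if (b.data == NULL)
        free(dropped_block);    /* demo-only cleanup of the block the unsafe pattern lost */
    return readable;
}

int main(void) {
    printf("unsafe pattern: handler can read %zu bytes after failure\n",
           simulate_failure(grow_unsafe));
    printf("safe pattern:   handler can read %zu bytes after failure\n",
           simulate_failure(grow_safe));
    return 0;
}
```

With the unsafe pattern the handler sees a NULL buffer and reads nothing; with the temporary it still reads the seven bytes that were there before the failed growth, which is exactly what a diagnostic printer needs while reporting the memory error.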
- 18 Jan, 2023 (1 commit)
  - Nick Wellnhofer authored: Fixes libxslt#81
- 17 Jan, 2023 (3 commits)
  - Nick Wellnhofer authored: The version script didn't account for symbols disabled by configuration options. This has caused problems on some OSs in the past and breaks lld 16 which enables --no-undefined-version by default. A proper fix would be rather involved, so we simply remove all symbols from the version script. This is an ELF-only feature and libxml2 never made use of symbol versioning anyway. Ultimately, this removes the need for a lot of bookkeeping without tangible benefits. We have to keep the version nodes to avoid errors when running binaries linked against older versions of libxml2. Fixes #473.
  - Nick Wellnhofer authored: Use the new entity flag to check for recursion.
  - Nick Wellnhofer authored: Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable. This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.
- 27 Dec, 2022 (1 commit)
  - Nick Wellnhofer authored: Reporting errors is expensive and some abusive test cases can generate an error for each invalid input byte. This causes the parser to spend most of the time with error handling. Limit the number of errors and warnings to 100.
- 26 Dec, 2022 (2 commits)
  - Nick Wellnhofer authored
  - Nick Wellnhofer authored: XIncludes involve XPath processing which can still lead to timeouts when fuzzing. This will probably take a while to fix. The rest of the XML parsing code should hopefully run without timeouts now. OSS-Fuzz only shows a single timeout test case, so separate the XInclude from the core XML fuzzer.
- 25 Dec, 2022 (2 commits)
  - Nick Wellnhofer authored: Short-lived regression from commit b1f9c193. Found by OSS-Fuzz.
  - Nick Wellnhofer authored: Short-lived regression.
- 23 Dec, 2022 (6 commits)
  - Nick Wellnhofer authored: Now that entity expansion issues should be fixed, we should get more interesting timeout errors from OSS-Fuzz. Disable XInclude for now, since it often times out in XPath computations. The XInclude tests should be moved to a separate fuzz target.
  - Nick Wellnhofer authored: Only add consumed bytes if
    - we're not parsing an entity
    - we're parsing external parameter entities for the first time.
    Always ignore internal parameter entities.
  - Nick Wellnhofer authored: The old limit of 1024 could lead to excessively deep call stacks. This could probably be set much lower without causing issues.
  - Nick Wellnhofer authored: Fix xmlParseBalancedChunkMemoryInternal.
  - Nick Wellnhofer authored: Set a flag to detect entity loops at once instead of processing until the depth limit is exceeded.
  - Nick Wellnhofer authored: Don't report errors multiple times for nested entity references.
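Two commits in the 23 Dec group describe complementary defences against recursive entity references: lowering the depth limit (because 1024 nested expansions means 1024 nested calls) and setting a flag so a loop is caught the first time an entity references itself, rather than after recursing all the way to the limit. The following is an added example and not libxml2 code: a toy internal-entity table and expander that runs a constructed two-entity cycle (a references b, b references a) under both policies and records how deep each one recursed before failing. The `entity_t`/`ctx_t` types, the error codes and the function names (`lookup`, `expand`, `run_cycle`, `cycle_error`, `cycle_depth`, `acyclic_ok`) are assumptions for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libxml2 code: a toy internal-entity expander that
 * contrasts a bare depth limit with a per-entity "expanding" flag. */
#define MAX_ENTITIES 8
#define MAX_OUT 256

typedef struct {
    const char *name;
    const char *value;     /* replacement text, may contain &name; references */
    int expanding;         /* set while this entity is on the expansion stack */
} entity_t;

typedef struct {
    entity_t ents[MAX_ENTITIES];
    int count;
    int depth_limit;
    int max_depth_seen;    /* deepest recursion reached, for comparison */
} ctx_t;

enum { ERR_OK = 0, ERR_LOOP = 1, ERR_DEPTH = 2, ERR_UNDEFINED = 3, ERR_OVERFLOW = 4 };

static entity_t *lookup(ctx_t *c, const char *name, size_t n) {
    for (int i = 0; i < c->count; i++)
        if (strlen(c->ents[i].name) == n && memcmp(c->ents[i].name, name, n) == 0)
            return &c->ents[i];
    return NULL;
}

/* Expand text into out[], recursing into referenced entities. use_flag
 * selects whether the loop flag is honoured; the depth limit always is. */
static int expand(ctx_t *c, const char *text, char *out, size_t *outlen,
                  int depth, int use_flag) {
    if (depth > c->max_depth_seen)
        c->max_depth_seen = depth;
    if (depth > c->depth_limit)
        return ERR_DEPTH;           /* only reached after recursing to the limit */
    for (const char *p = text; *p; p++) {
        if (*p != '&') {
            if (*outlen + 1 >= MAX_OUT)
                return ERR_OVERFLOW;
            out[(*outlen)++] = *p;
            continue;
        }
        const char *end = strchr(p + 1, ';');
        if (end == NULL)
            return ERR_UNDEFINED;
        entity_t *e = lookup(c, p + 1, (size_t)(end - p - 1));
        if (e == NULL)
            return ERR_UNDEFINED;
        if (use_flag && e->expanding)
            return ERR_LOOP;        /* cycle detected on first re-entry */
        e->expanding = 1;
        int rc = expand(c, e->value, out, outlen, depth + 1, use_flag);
        e->expanding = 0;           /* reset on unwind, error or not */
        if (rc != ERR_OK)
            return rc;
        p = end;                    /* the loop's p++ steps past the ';' */
    }
    return ERR_OK;
}

/* Constructed cyclic table: a -> "x&b;", b -> "y&a;". Expands "&a;" and
 * reports the error code and the recursion depth reached. */
static int run_cycle(int use_flag, int depth_limit, int *depth_reached) {
    ctx_t c = { { { "a", "x&b;", 0 }, { "b", "y&a;", 0 } }, 2, depth_limit, 0 };
    char out[MAX_OUT];
    size_t n = 0;
    int rc = expand(&c, "&a;", out, &n, 0, use_flag);
    *depth_reached = c.max_depth_seen;
    return rc;
}

static int cycle_error(int use_flag, int depth_limit) {
    int d;
    return run_cycle(use_flag, depth_limit, &d);
}

static int cycle_depth(int use_flag, int depth_limit) {
    int d;
    run_cycle(use_flag, depth_limit, &d);
    return d;
}

/* Constructed acyclic table: a -> "x&b;", b -> "y". Returns 1 if "[&a;]"
 * expands to "[xy]" with the flag enabled, i.e. no false positive. */
static int acyclic_ok(void) {
    ctx_t c = { { { "a", "x&b;", 0 }, { "b", "y", 0 } }, 2, 40, 0 };
    char out[MAX_OUT];
    size_t n = 0;
    int rc = expand(&c, "[&a;]", out, &n, 0, 1);
    out[n] = '\0';
    return rc == ERR_OK && strcmp(out, "[xy]") == 0;
}

int main(void) {
    int d1, d2;
    int r1 = run_cycle(1, 40, &d1);
    int r2 = run_cycle(0, 40, &d2);
    printf("flag:        error %d at depth %d\n", r1, d1);
    printf("depth only:  error %d at depth %d\n", r2, d2);
    printf("acyclic ok:  %d\n", acyclic_ok());
    return 0;
}
```

With the flag the cycle is rejected at depth 2, the first time `a` is re-entered; with only the depth limit of 40 the expander recurses to depth 41 before giving up, and a limit of 1024 would mean 1024 nested frames for the same two-line input. The acyclic case shows the flag does not misfire on an entity that is merely referenced twice in sequence, since it is cleared on unwind.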
- 22 Dec, 2022 (3 commits)
  - Nick Wellnhofer authored
  - Nick Wellnhofer authored: Applies a patch from Chromium. Also stop incrementing input ID of subcontexts. This isn't necessary. Fixes #465.
  - David Kilzer authored: xmlParseStartTag2() contains a typo when checking for default definitions for an attribute in a namespace.
    - parser.c (xmlParseStartTag2): Fix index into defaults->values. It is only correct the first time through the loop when i == 0.
    Fixes #467.
- 21 Dec, 2022 (7 commits)
  - Nick Wellnhofer authored
  - Nick Wellnhofer authored: Commit 3aaaf5ca shouldn't have changed this line. We need these libraries for a full libxml2 build.
  - Nick Wellnhofer authored
  - Nick Wellnhofer authored
  - Nick Wellnhofer authored: These are internal functions.
  - Nick Wellnhofer authored: If ent->etype is invalid, ret can't equal XML_ERR_OK.
  - Nick Wellnhofer authored: The if-block before always returns if ent->children == NULL.