GitLab

Remove the following functions:
- xmlBufAddHead()
- xmlBufErase()
- xmlBufInflate()
- xmlBufWriteCHAR()
- xmlBufWriteChar()

Introduced in commit 6c283d83.

David Kilzer authored Mar 19, 2022 and David Kilzer committed May 25, 2022

When changing `doc` on an xmlNodePtr or xmlAttrPtr, certain
fields must either be a free-standing string, or they must be
owned by `doc->dict`.

The code to make this change was simply missing, so the crash
happened when an xmlAttrPtr was being torn down after `doc`
changed from non-NULL to NULL, but the `name` field was not
copied.  This is scenario 1 below.

The xmlNodePtr->name and xmlNodePtr->content fields are also
fixed at the same time.  Note that xmlNodePtr->content is never
added to the dictionary, so NULL is used instead of `newDict` to
force a free-standing copy.

This change covers all cases of dictionary changes:
1. Owned by old dictionary -> NULL new dictionary
   - Create free-standing copy of string.
2. Owned by old dictionary -> Non-NULL new dictionary
   - Get string from new dictionary pool.
3. Not owned by old dictionary -> Non-NULL new dictionary
   - No action necessary (already a free-standing string).
4. Not owned by old dictionary -> NULL new dictionary
   - No action necessary (already a free-standing string).

* tree.c:
(_copyStringForNewDictIfNeeded): Add.
(xmlSetTreeDoc):
- Update xmlNodePtr->name, xmlNodePtr->content and
  xmlAttrPtr->name when changing the document, if needed.

Found by OSS-Fuzz Issue 45132.

Otherwise, the initial node of the copy could be a text node with a
NULL document. This results in the NULL document being propagated to
copies of other nodes, losing information about the dictionary in which
node data is stored, and freeing a dict-allocated string.

See discussion in !175.

Avoids hangs when trying to make network connections.

Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser

When creating an xmlTextReaderPtr using xmlReaderForMemory(),
there are two optional API functions that can be used:
- xmlTextReaderClose() may be called prior to calling
  xmlFreeTextReader() to free parsing resources and close the
  xmlTextReaderPtr without freeing it.
- xmlTextReaderCurrentDoc() may be called to return an
  xmlDocPtr that's owned by the caller, and must be free using
  xmlFreeDoc() after calling xmlFreeTextReader().

The use-after-free issues occur when calling
xmlTextReaderClose() before xmlFreeTextReader(), with different
issues occurring depending on whether xmlTextReaderCurrentDoc()
is also called.

* xmlreader.c:
(xmlFreeTextReader):
- Move code to xmlTextReaderClose(), remove duplicate code, and
  call xmlTextReaderClose() if it hasn't been called yet.
(xmlTextReaderClose):
- Move call to xmlFreeNode(reader->faketext) from
  xmlFreeTextReader() to fix a use-after-free bug when calling
  xmlTextReaderClose() before xmlFreeTextReader(), but not when
  using xmlTextReaderCurrentDoc().  The bug was introduced in
  2002 by commit beb70bd3.  In 2009 commit f4653dcd fixed the
  use-after-free that occurred every time xmlFreeTextReader()
  was called, but not the case where xmlTextReaderClose() was
  called first.
- Move post-parsing validation code from xmlFreeTextReader() to
  fix a second use-after-free when calling xmlTextReaderClose()
  before xmlFreeTextReader().  This regressed in v2.9.10 with
  commit 57a3af56.

Patch by J Pascoe of Apple.

* HTMLtree.c:
(htmlDocContentDumpFormatOutput):
- Prior to commit b79ab6e6, xmlDoc.type was set to
  XML_HTML_DOCUMENT_NODE before dumping the HTML output, then
  restored before returning.

The xptr_locs flag was added in commit 67070107 but no flag was added to
win32/configure.js, leading a compile error I had on windows where the
@WITH_XPTR_LOCS@ macro was not replaced properly on windows.

In several places, the code handling string buffers didn't check for
integer overflow or used wrong types for buffer sizes. This could
result in out-of-bounds writes or other memory errors when working on
large, multi-gigabyte buffers.

Thanks to Felix Wilhelm for the report.

xmlstring.h includes stdarg.h, so it must be included after defining
macros like _FILE_OFFSET_BITS.

Fixes #370.

Regressed in commit c61e1273.

This would result in an error, aborting the whole copy operation.
Regressed in commit 7618a3b1.

Fixes #371.

Fixes an error when running tests in a sandbox on Gentoo Linux.

Bug: https://bugs.gentoo.org/839804

There's no simple way to make the doc/examples tests handle different
configurations. But these tests aren't especially valuable, so remove
the result file checks.

See https://www.w3.org/2005/04/xpointer-schemes/

Add a new configuration flag that controls whether the outdated support
for XPointer locations (ranges and points) is enabled.

    --with-xptr-locs          # Autotools
    LIBXML2_WITH_XPTR_LOCS    # CMake

The latest spec for what it essentially an XPath extension seems to be
this working draft from 2002:

    https://www.w3.org/TR/xptr-xpointer/

The xpointer() scheme is listed as "being reviewed" in the XPointer
registry since at least 2006. libxml2 seems to be the only modern
software that tries to implement this spec, but the code has many bugs
and quality issues.

The flag defaults to "off" and support for this extensions has to be
requested explicitly. The relevant API functions are deprecated.

Sync with Autotools build.

Move configure_file(config.h) below pthreads check.

Fix regression caused by commit f5659a12.

Sync with Autotools build.

These modules are disabled by default. Enable them when testing.

Add more deprecated functions to avoid compiler warnings when building
the Python bindings.

Only check for pthread.h if threads are enabled.

Fixes #367.

* HTMLparser.c:
(htmlSkipBlankChars):
* parser.c:
(xmlSkipBlankChars):
- Cap the return value at INT_MAX.
- The commit range that OSS-Fuzz listed for the fix didn't make
  any changes to xmlSkipBlankChars(), so it seems like this
  issue may still exist.

Found by OSS-Fuzz Issue 44803.

David Kilzer authored Apr 08, 2022 and Nick Wellnhofer committed Apr 10, 2022

* buf.c:
(xmlBufCreate):
(xmlBufCreateSize):
(xmlBufDetach):
(xmlBufCreateStatic):
(xmlBufFromBuffer):

Commit 7618a3b1 didn't account for coalesced text nodes.

I think it would be better if xmlStaticCopyNode didn't try to coalesce
text nodes at all. This code path can only be triggered if some other
code doesn't coalesce text nodes properly. In this case, OSS-Fuzz found
such behavior in xinclude.c.

Sync with recent Autotools change.

Sync with commit 95766541
Don't install man pages in docs directory, these are already installed
in the correct path and while at it sort list

Similar to 8f571037, mark more static data structures with
`const` keyword.

Also fix placement of `const` in encoding.c.

Original patch by Sarah Wilkin.

David Kilzer authored Apr 06, 2022 and Nick Wellnhofer committed Apr 07, 2022

* valid.c:
(xmlCopyDocElementContent):
- Set `tmp->parent` properly to fix a leak that occurs in
  xmlFreeDocElementContent().
- Appears to be a regresion from cee2b3a5.

Found by OSS-Fuzz Issue 44509.