1. 20 May, 2022 2 commits
    • Use xmlNewDocText in xmlXIncludeCopyRange · 0aa8652e
      Nick Wellnhofer authored
      Otherwise, the initial node of the copy could be a text node with a
      NULL document. This results in the NULL document being propagated to
      copies of other nodes, losing information about the dictionary in which
      node data is stored, and freeing a dict-allocated string.
      
      See discussion in !175.
    • Disable network in API tests · 351dbdfe
      Nick Wellnhofer authored
      Avoids hangs when trying to make network connections.
  2. 18 May, 2022 1 commit
    • Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser · c50196c1
      David Kilzer authored
      
      When creating an xmlTextReaderPtr using xmlReaderForMemory(),
      there are two optional API functions that can be used:
      - xmlTextReaderClose() may be called prior to calling
        xmlFreeTextReader() to free parsing resources and close the
        xmlTextReaderPtr without freeing it.
      - xmlTextReaderCurrentDoc() may be called to return an
        xmlDocPtr that's owned by the caller, and must be freed using
        xmlFreeDoc() after calling xmlFreeTextReader().
      
      The use-after-free issues occur when calling
      xmlTextReaderClose() before xmlFreeTextReader(), with different
      issues occurring depending on whether xmlTextReaderCurrentDoc()
      is also called.
      
      * xmlreader.c:
      (xmlFreeTextReader):
      - Move code to xmlTextReaderClose(), remove duplicate code, and
        call xmlTextReaderClose() if it hasn't been called yet.
      (xmlTextReaderClose):
      - Move call to xmlFreeNode(reader->faketext) from
        xmlFreeTextReader() to fix a use-after-free bug when calling
        xmlTextReaderClose() before xmlFreeTextReader(), but not when
        using xmlTextReaderCurrentDoc().  The bug was introduced in
        2002 by commit beb70bd3.  In 2009 commit f4653dcd fixed the
        use-after-free that occurred every time xmlFreeTextReader()
        was called, but not the case where xmlTextReaderClose() was
        called first.
      - Move post-parsing validation code from xmlFreeTextReader() to
        fix a second use-after-free when calling xmlTextReaderClose()
        before xmlFreeTextReader().  This regressed in v2.9.10 with
        commit 57a3af56.
  3. 14 May, 2022 1 commit
  4. 06 May, 2022 3 commits
  5. 02 May, 2022 1 commit
    • [CVE-2022-29824] Fix integer overflows in xmlBuf and xmlBuffer · 6c283d83
      Nick Wellnhofer authored
      In several places, the code handling string buffers didn't check for
      integer overflow or used wrong types for buffer sizes. This could
      result in out-of-bounds writes or other memory errors when working on
      large, multi-gigabyte buffers.
      
      Thanks to Felix Wilhelm for the report.
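The overflow class described in the commit message above, as an added example that is not libxml2's code and not part of the commit: a hypothetical `strbuf` type whose size computation rejects requests that would wrap `size_t`, next to an unchecked 32-bit variant for contrast. All type and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string buffer (illustration only, not libxml2's xmlBuf). */
typedef struct {
    char  *data;
    size_t use;   /* bytes in use, excluding the terminating NUL */
    size_t size;  /* bytes allocated */
} strbuf;

/* Capacity needed to append len bytes plus a NUL.
 * Returns 0 on success, -1 if use + len + 1 would wrap around size_t. */
int strbuf_needed(size_t use, size_t len, size_t *out) {
    if (len >= SIZE_MAX - use)   /* same as use + len + 1 > SIZE_MAX, without wrapping */
        return -1;
    *out = use + len + 1;
    return 0;
}

/* For contrast: no check and a 32-bit size type. The sum wraps modulo 2^32,
 * so a multi-gigabyte request comes back as a small capacity. */
uint32_t strbuf_needed_unchecked(uint32_t use, uint32_t len) {
    return use + len + 1;
}

/* Append len bytes; returns 0 on success, -1 on overflow or allocation failure. */
int strbuf_append(strbuf *b, const char *src, size_t len) {
    size_t need, cap;
    if (strbuf_needed(b->use, len, &need) != 0)
        return -1;
    if (need > b->size) {
        cap = b->size ? b->size : 16;
        while (cap < need)   /* double, but never let the doubling itself wrap */
            cap = (cap > SIZE_MAX / 2) ? need : cap * 2;
        char *p = realloc(b->data, cap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->size = cap;
    }
    memcpy(b->data + b->use, src, len);
    b->use += len;
    b->data[b->use] = '\0';
    return 0;
}
```

The check runs before any allocation or copy, so an oversized request fails cleanly and leaves the buffer unchanged.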
  6. 27 Apr, 2022 1 commit
  7. 23 Apr, 2022 5 commits
  8. 21 Apr, 2022 5 commits
  9. 20 Apr, 2022 5 commits
  10. 13 Apr, 2022 6 commits
  11. 11 Apr, 2022 1 commit
  12. 10 Apr, 2022 2 commits
  13. 08 Apr, 2022 2 commits
  14. 07 Apr, 2022 3 commits
  15. 06 Apr, 2022 1 commit
  16. 04 Apr, 2022 1 commit