1. 25 May, 2022 3 commits
    • David Kilzer's avatar
      Remove unused xmlBuf functions · fe9f76eb
      David Kilzer authored
      Remove the following functions:
      - xmlBufAddHead()
      - xmlBufErase()
      - xmlBufInflate()
      - xmlBufWriteCHAR()
      - xmlBufWriteChar()
      fe9f76eb
    • David Kilzer's avatar
      Fix double colon typos in xmlBufferResize() · 461ef8ac
      David Kilzer authored
      Introduced in commit 6c283d83.
      461ef8ac
    • David Kilzer's avatar
      Fix ownership of xmlNodePtr & xmlAttrPtr fields in xmlSetTreeDoc() · 4bc3ebf3
      David Kilzer authored and David Kilzer's avatar David Kilzer committed
      When changing `doc` on an xmlNodePtr or xmlAttrPtr, certain
      fields must either be a free-standing string, or they must be
      owned by `doc->dict`.
      
      The code to make this change was simply missing, so the crash
      happened when an xmlAttrPtr was being torn down after `doc`
      changed from non-NULL to NULL, but the `name` field was not
      copied.  This is scenario 1 below.
      
      The xmlNodePtr->name and xmlNodePtr->content fields are also
      fixed at the same time.  Note that xmlNodePtr->content is never
      added to the dictionary, so NULL is used instead of `newDict` to
      force a free-standing copy.
      
      This change covers all cases of dictionary changes:
      1. Owned by old dictionary -> NULL new dictionary
         - Create free-standing copy of string.
      2. Owned by old dictionary -> Non-NULL new dictionary
         - Get string from new dictionary pool.
      3. Not owned by old dictionary -> Non-NULL new dictionary
         - No action necessary (already a free-standing string).
      4. Not owned by old dictionary -> NULL new dictionary
         - No action necessary (already a free-standing string).
      
      * tree.c:
      (_copyStringForNewDictIfNeeded): Add.
      (xmlSetTreeDoc):
      - Update xmlNodePtr->name, xmlNodePtr->content and
        xmlAttrPtr->name when changing the document, if needed.
      
      Found by OSS-Fuzz Issue 45132.
      4bc3ebf3
  2. 20 May, 2022 2 commits
    • Nick Wellnhofer's avatar
      Use xmlNewDocText in xmlXIncludeCopyRange · 0aa8652e
      Nick Wellnhofer authored
      Otherwise, the initial node of the copy could be a text node with a
      NULL document. This results in the NULL document being propagated to
      copies of other nodes, losing information about the dictionary in which
      node data is stored, and freeing a dict-allocated string.
      
      See discussion in !175.
      0aa8652e
    • Nick Wellnhofer's avatar
      Disable network in API tests · 351dbdfe
      Nick Wellnhofer authored
      Avoids hangs when trying to make network connections.
      351dbdfe
  3. 18 May, 2022 1 commit
    • David Kilzer's avatar
      Fix use-after-free bugs when calling xmlTextReaderClose() before... · c50196c1
      David Kilzer authored
      Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser
      
      When creating an xmlTextReaderPtr using xmlReaderForMemory(),
      there are two optional API functions that can be used:
      - xmlTextReaderClose() may be called prior to calling
        xmlFreeTextReader() to free parsing resources and close the
        xmlTextReaderPtr without freeing it.
      - xmlTextReaderCurrentDoc() may be called to return an
        xmlDocPtr that's owned by the caller, and must be free using
        xmlFreeDoc() after calling xmlFreeTextReader().
      
      The use-after-free issues occur when calling
      xmlTextReaderClose() before xmlFreeTextReader(), with different
      issues occurring depending on whether xmlTextReaderCurrentDoc()
      is also called.
      
      * xmlreader.c:
      (xmlFreeTextReader):
      - Move code to xmlTextReaderClose(), remove duplicate code, and
        call xmlTextReaderClose() if it hasn't been called yet.
      (xmlTextReaderClose):
      - Move call to xmlFreeNode(reader->faketext) from
        xmlFreeTextReader() to fix a use-after-free bug when calling
        xmlTextReaderClose() before xmlFreeTextReader(), but not when
        using xmlTextReaderCurrentDoc().  The bug was introduced in
        2002 by commit beb70bd3.  In 2009 commit f4653dcd fixed the
        use-after-free that occurred every time xmlFreeTextReader()
        was called, but not the case where xmlTextReaderClose() was
        called first.
      - Move post-parsing validation code from xmlFreeTextReader() to
        fix a second use-after-free when calling xmlTextReaderClose()
        before xmlFreeTextReader().  This regressed in v2.9.10 with
        commit 57a3af56.
      c50196c1
  4. 14 May, 2022 1 commit
  5. 06 May, 2022 3 commits
  6. 02 May, 2022 1 commit
    • Nick Wellnhofer's avatar
      [CVE-2022-29824] Fix integer overflows in xmlBuf and xmlBuffer · 6c283d83
      Nick Wellnhofer authored
      In several places, the code handling string buffers didn't check for
      integer overflow or used wrong types for buffer sizes. This could
      result in out-of-bounds writes or other memory errors when working on
      large, multi-gigabyte buffers.
      
      Thanks to Felix Wilhelm for the report.
      6c283d83
  7. 27 Apr, 2022 1 commit
  8. 23 Apr, 2022 5 commits
  9. 21 Apr, 2022 5 commits
  10. 20 Apr, 2022 5 commits
  11. 13 Apr, 2022 6 commits
  12. 11 Apr, 2022 1 commit
  13. 10 Apr, 2022 2 commits
  14. 08 Apr, 2022 2 commits
  15. 07 Apr, 2022 2 commits