1. 20 May, 2019 2 commits
      Improve fuzzers · 845ac6bf
      Nick Wellnhofer authored
      - Add more test cases to XSLT seed corpus.
      - Improve some test cases in seed corpus.
      - Remove some simple test cases from XSLT corpus.
      - Call xmlStopParser in XML error handler.
      - Improve dictionaries.
      - Remove overlong items from dictionary for AFL.
      Fix unsigned integer overflow in date.c · 0921b596
      Nick Wellnhofer authored
  2. 13 May, 2019 1 commit
  3. 12 May, 2019 4 commits
  4. 10 May, 2019 1 commit
      Avoid quadratic behavior in xsltSaveResultTo · 8a5dcc6e
      Nick Wellnhofer authored
      xmlNodeDumpOutput tries to detect XHTML documents and calls
      xmlGetIntSubset which iterates the children of the result document
      fragment again, leading to quadratic behavior.
      
      Unfortunately, there's no way to tell xmlNodeDumpOutput which
      serialization mode to use and skip auto-detection. The xmlsave API has
      such an option, but it lacks a function to create an xmlSaveCtxt from
      an existing xmlOutputBuffer.
      
      Temporarily set result->children to NULL. This works because the
      internal subset is always available from result->intSubset.
      
      Found by OSS-Fuzz.
  5. 08 May, 2019 1 commit
      Reorganize fuzzing code · 311da8c8
      Nick Wellnhofer authored
      - Move core fuzzing code into a single file fuzz.c
      - Add tests for fuzz targets
      - Reduce XSLT operation limit
  6. 30 Apr, 2019 2 commits
  7. 27 Apr, 2019 2 commits
  8. 25 Apr, 2019 2 commits
  9. 23 Apr, 2019 1 commit
  10. 22 Apr, 2019 2 commits
  11. 20 Apr, 2019 1 commit
  12. 16 Apr, 2019 2 commits
  13. 15 Apr, 2019 2 commits
  14. 08 Apr, 2019 2 commits
  15. 29 Mar, 2019 1 commit
      Fix security framework bypass · e0355360
      Nick Wellnhofer authored
      xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
      don't check for this condition and allow access. With a specially
      crafted URL, xsltCheckRead could be tricked into returning an error
      because of a supposedly invalid URL that would still be loaded
      successfully later on.
      
      Fixes #12.
      
      Thanks to Felix Wilhelm for the report.
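The bug class behind commit e0355360, a tri-state check whose error value is
treated as "allowed", modelled as an added example. This is not libxslt code:
`check_read`, the `file://`-only policy, the allowed prefix and the sample URLs
are all constructed stand-ins for the contract the commit message describes
(1 = allowed, 0 = denied, -1 = error). The vulnerable caller denies only on an
explicit 0; the fixed caller loads only on an explicit 1.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the bug class described in the commit message:
 * a policy check that returns 1 (allow), 0 (deny) or -1 (error), and two
 * callers. Nothing here is libxslt's own code; names, the policy and the
 * sample URLs are constructed for illustration.
 */
#define CHECK_ALLOW  1
#define CHECK_DENY   0
#define CHECK_ERROR -1

/* Constructed policy: only files below this directory may be read. */
static const char *allowed_prefix = "/var/www/";

/* Strict checker: understands only plain "file://" URLs. Anything it
 * cannot parse is reported as an error (-1), not as a denial (0). A more
 * lenient loader might still open such a URL later, which is exactly the
 * gap the commit closes. */
static int check_read(const char *url)
{
    const char *scheme = "file://";
    size_t slen = strlen(scheme);
    const char *path;

    if (url == NULL || strncmp(url, scheme, slen) != 0)
        return CHECK_ERROR;            /* not a URL this checker parses */
    path = url + slen;
    if (strpbrk(path, "%?#") != NULL)
        return CHECK_ERROR;            /* escapes or query: "invalid" here */
    if (strncmp(path, allowed_prefix, strlen(allowed_prefix)) == 0)
        return CHECK_ALLOW;
    return CHECK_DENY;
}

/* Vulnerable caller: denies only on an explicit CHECK_DENY, so CHECK_ERROR
 * falls through to the load. Returns 1 if the document would be loaded. */
int vulnerable_would_load(const char *url)
{
    if (check_read(url) == CHECK_DENY) {
        fprintf(stderr, "read denied: %s\n", url);
        return 0;
    }
    return 1;                          /* -1 reaches here: policy bypass */
}

/* Fixed caller: anything other than an explicit CHECK_ALLOW is a denial,
 * so a failed or confused check can never grant access. */
int fixed_would_load(const char *url)
{
    if (check_read(url) != CHECK_ALLOW) {
        fprintf(stderr, "read denied or check failed: %s\n", url);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the third is "invalid" to the strict checker but
     * names a file outside the allowed directory. */
    const char *urls[] = {
        "file:///var/www/style.xsl",
        "file:///etc/passwd",
        "file:///etc/passwd%00",
    };
    size_t i;

    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-28s check=%2d vulnerable=%d fixed=%d\n", urls[i],
               check_read(urls[i]), vulnerable_would_load(urls[i]),
               fixed_would_load(urls[i]));
    return 0;
}
```

The general rule the fixed caller applies is fail-closed: a security check
has one success value, and every other value, including error codes, is a
denial. Comparing against the deny value instead of the allow value is the
mistake the commit describes.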
  16. 13 Mar, 2019 2 commits
  17. 20 Feb, 2019 1 commit
      Always set context node before calling XPath iterators · 08b62c25
      Nick Wellnhofer authored
      The xmlXPathNext* iterators rely on the XPath context node being set to
      the start node of the iteration. Some parts of the code base like the
      xsl:key functions also leave the context node in an unspecified state.
      Make sure that the context node is reset before invoking the XPath
      iterators. Also backup and restore the context node in
      xsltNumberFormatGetMultipleLevel for good measure.
      
      This bug could also lead to type confusion and invalid reads in
      connection with namespace nodes.
      
      Fixes #13. Also see the Chromium bug report:
      
      https://bugs.chromium.org/p/chromium/issues/detail?id=930663
      
      Thanks to Nicolas Grégoire for the report.
  18. 15 Feb, 2019 2 commits
  19. 12 Feb, 2019 9 commits