  2. 15 Aug, 2022 1 commit
    • Fix memory leak with invalid XSD · a09c8954
      Nick Wellnhofer authored
      xmlSchemaClearElemInfo can add new items to the "matcher" cache, so the
      cache must be cleared after calling this function, not before. This
      only seems to affect invalid XSDs.
      
      Fixes #390.
  11. 16 Jun, 2022 2 commits
    • Reserve byte for NUL terminator and report errors consistently in xmlBuf and xmlBuffer · 6ef16dee
      David Kilzer authored and Nick Wellnhofer committed
      This is a follow-up to commit 6c283d83.
      
      * buf.c:
      (xmlBufGrowInternal):
      - Call xmlBufMemoryError() when the buffer size would overflow.
      - Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH.
      - Do not include NUL terminator byte when returning length.
      (xmlBufAdd):
      - Call xmlBufMemoryError() when the buffer size would overflow.
      
      * tree.c:
      (xmlBufferGrow):
      - Call xmlTreeErrMemory() when the buffer size would overflow.
      - Do not include NUL terminator byte when returning length.
      (xmlBufferResize):
      - Update error message in xmlTreeErrMemory() to be consistent
        with other similar messages.
      (xmlBufferAdd):
      - Call xmlTreeErrMemory() when the buffer size would overflow.
      (xmlBufferAddHead):
      - Add overflow checks similar to those in xmlBufferAdd().
    • Fix missing NUL terminators in xmlBuf and xmlBuffer functions · 4ce2abf6
      David Kilzer authored and Nick Wellnhofer committed
      * buf.c:
      (xmlBufAddLen):
      - Change check for remaining space to account for the NUL
        terminator.  When adding a length exactly equal to the number
        of unused bytes, a NUL terminator was not written.
      (xmlBufResize):
      - Set `buf->use` and NUL terminator when allocating a new
        buffer.
      * tree.c:
      (xmlBufferResize):
      - Set `buf->use` and NUL terminator when allocating a new
        buffer.
      (xmlBufferAddHead):
      - Set NUL terminator before returning early when shifting
        contents.
  12. 15 Jun, 2022 2 commits
    • Fix xmlCleanupThreads on Windows · d70e548f
      Nick Wellnhofer authored
      Fix #ifdef logic:
      
      - Also free TLS key in static build.
      - Always reset 'run_once' state.
    • Fix reinitialization of library on Windows · 65f8a620
      Nick Wellnhofer authored
      Reset the 'run_once' state in xmlCleanupThreads, so the global
      variables can be reinitialized later.
      
      While it's generally unsafe to call xmlCleanupParser and continue to
      use the library afterwards, this fix should avoid an outright crash if
      you do so on Windows. This should help with applications erroneously
      calling xmlCleanupParser.
      
      See #376.
  14. 26 May, 2022 1 commit
    • xmlBufAvail() should return length without including a byte for NUL terminator · c14cac8b
      David Kilzer authored
      * buf.c:
      (xmlBufAvail):
      - Return the number of bytes available in the buffer, but do not
        include a byte for the NUL terminator so that it is reserved.
      
      * encoding.c:
      (xmlCharEncFirstLineInput):
      (xmlCharEncInput):
      (xmlCharEncOutput):
      * xmlIO.c:
      (xmlOutputBufferWriteEscape):
      - Remove code that subtracts 1 from the return value of
        xmlBufAvail().  It was implemented inconsistently anyway.
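The three xmlBuf/xmlBuffer commits above (6ef16dee, 4ce2abf6 and c14cac8b) restore the same invariants: one byte is always reserved for the NUL terminator, size arithmetic is checked before it can overflow, and the reported available and used lengths never count the terminator. The following is an added example written for this page, not libxml2's buf.c; buf_t, buf_init, buf_avail, buf_grow, buf_add, buf_demo and the BUF_MAX_LEN cap (standing in for XML_MAX_TEXT_LENGTH) are assumed names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical cap standing in for XML_MAX_TEXT_LENGTH (added example). */
#define BUF_MAX_LEN ((size_t)10000000)

typedef struct {
    unsigned char *content; /* always NUL-terminated at content[use] */
    size_t use;             /* bytes in use, never counting the NUL */
    size_t size;            /* allocated bytes, including the NUL slot */
} buf_t;

int buf_init(buf_t *b, size_t size) {          /* size includes the NUL slot */
    if ((b->content = malloc(size)) == NULL) return -1;
    b->content[0] = 0; b->use = 0; b->size = size;
    return 0;
}
/* Bytes the caller may append without growing; the NUL slot is reserved. */
size_t buf_avail(const buf_t *b) { return b->size - b->use - 1; }
/* Make room for len more bytes plus the terminator; -1 on cap overflow or OOM. */
int buf_grow(buf_t *b, size_t len) {
    if (len <= buf_avail(b)) return 0;
    if (len > BUF_MAX_LEN - b->use) return -1;  /* checked before any arithmetic */
    size_t need = b->use + len + 1;             /* cannot wrap: use + len <= cap */
    size_t nsize = (b->size <= SIZE_MAX / 2 && b->size * 2 > need) ? b->size * 2 : need;
    unsigned char *p = realloc(b->content, nsize);
    if (p == NULL) return -1;
    b->content = p; b->size = nsize;
    return 0;
}
/* Append bytes; the terminator is written even when len == buf_avail(). */
int buf_add(buf_t *b, const unsigned char *str, size_t len) {
    if (buf_grow(b, len) != 0) return -1;
    memcpy(b->content + b->use, str, len);
    b->use += len;
    b->content[b->use] = 0;
    return 0;
}
/* Walks the edge cases; returns 0 on success, else the failing step number. */
int buf_demo(void) {
    buf_t b;
    if (buf_init(&b, 4) != 0) return 1;
    if (buf_add(&b, (const unsigned char *)"abc", 3) != 0) return 2;      /* exactly fills */
    if (buf_avail(&b) != 0 || b.content[3] != 0) return 3;
    if (buf_add(&b, (const unsigned char *)"de", 2) != 0) return 4;       /* forces a grow */
    if (buf_add(&b, (const unsigned char *)"x", SIZE_MAX) != -1) return 5; /* rejected */
    int ok = strcmp((const char *)b.content, "abcde") == 0 && b.use == 5 && b.size == 8;
    free(b.content);
    return ok ? 0 : 6;
}
```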
  15. 25 May, 2022 3 commits
    • Remove unused xmlBuf functions · fe9f76eb
      David Kilzer authored
      Remove the following functions:
      - xmlBufAddHead()
      - xmlBufErase()
      - xmlBufInflate()
      - xmlBufWriteCHAR()
      - xmlBufWriteChar()
    • Fix double colon typos in xmlBufferResize() · 461ef8ac
      David Kilzer authored
      Introduced in commit 6c283d83.
    • Fix ownership of xmlNodePtr & xmlAttrPtr fields in xmlSetTreeDoc() · 4bc3ebf3
      David Kilzer authored and committed
      When changing `doc` on an xmlNodePtr or xmlAttrPtr, certain
      fields must either be a free-standing string, or they must be
      owned by `doc->dict`.
      
      The code to make this change was simply missing, so the crash
      happened when an xmlAttrPtr was being torn down after `doc`
      changed from non-NULL to NULL, but the `name` field was not
      copied.  This is scenario 1 below.
      
      The xmlNodePtr->name and xmlNodePtr->content fields are also
      fixed at the same time.  Note that xmlNodePtr->content is never
      added to the dictionary, so NULL is used instead of `newDict` to
      force a free-standing copy.
      
      This change covers all cases of dictionary changes:
      1. Owned by old dictionary -> NULL new dictionary
         - Create free-standing copy of string.
      2. Owned by old dictionary -> Non-NULL new dictionary
         - Get string from new dictionary pool.
      3. Not owned by old dictionary -> Non-NULL new dictionary
         - No action necessary (already a free-standing string).
      4. Not owned by old dictionary -> NULL new dictionary
         - No action necessary (already a free-standing string).
      
      * tree.c:
      (_copyStringForNewDictIfNeeded): Add.
      (xmlSetTreeDoc):
      - Update xmlNodePtr->name, xmlNodePtr->content and
        xmlAttrPtr->name when changing the document, if needed.
      
      Found by OSS-Fuzz Issue 45132.
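The four dictionary-ownership cases above, as an added example that is not libxml2's tree.c: dict_t, dict_lookup, dict_owns, dict_free, free_field, rehome_string and rehome_demo are assumed names for a toy interning pool standing in for xmlDict. free_field shows the teardown rule (dictionary-owned strings are never freed individually) that made the missing copy crash.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Toy interning dictionary (added example, not libxml2's xmlDict): a string is
 * "owned" by a dictionary when the pointer itself lives in its pool. */
#define DICT_CAP 16
typedef struct { char *pool[DICT_CAP]; int n; } dict_t;

/* Return the pool's copy of s, interning it on first sight; NULL if full/OOM. */
const char *dict_lookup(dict_t *d, const char *s) {
    for (int i = 0; i < d->n; i++)
        if (strcmp(d->pool[i], s) == 0) return d->pool[i];
    if (d->n == DICT_CAP || (d->pool[d->n] = strdup(s)) == NULL) return NULL;
    return d->pool[d->n++];
}
int dict_owns(const dict_t *d, const char *s) {   /* pointer identity, not content */
    for (int i = 0; i < d->n; i++) if (d->pool[i] == s) return 1;
    return 0;
}
void dict_free(dict_t *d) { while (d->n > 0) free(d->pool[--d->n]); }
/* Node teardown rule: dictionary-owned strings are never freed individually. */
void free_field(const char *s, const dict_t *dict) {
    if (s != NULL && !(dict != NULL && dict_owns(dict, s))) free((char *)s);
}

/* Re-home a string field when its node moves from oldDict to newDict.
 * 1. owned by old, new NULL     -> free-standing copy (must be freed later)
 * 2. owned by old, new non-NULL -> interned in new
 * 3./4. not owned by old        -> already free-standing, returned unchanged
 * Returns NULL on allocation failure; the caller then keeps the old value. */
const char *rehome_string(const char *s, dict_t *oldDict, dict_t *newDict) {
    if (s == NULL || oldDict == NULL || !dict_owns(oldDict, s)) return s;
    return newDict ? dict_lookup(newDict, s) : strdup(s);
}

/* Walks the four cases; returns 0 on success, else the failing case number. */
int rehome_demo(void) {
    dict_t a = {{0}, 0}, b = {{0}, 0};
    const char *name = dict_lookup(&a, "name");            /* owned by a */
    const char *c1 = rehome_string(name, &a, NULL);        /* case 1 */
    if (c1 == NULL || c1 == name || strcmp(c1, "name") != 0) return 1;
    free_field(c1, NULL);                                  /* safe: it is a copy */
    const char *c2 = rehome_string(name, &a, &b);          /* case 2 */
    if (c2 == NULL || !dict_owns(&b, c2) || dict_owns(&a, c2)) return 2;
    char *loose = strdup("content");
    if (rehome_string(loose, &a, &b) != loose) return 3;   /* case 3 */
    if (rehome_string(loose, &a, NULL) != loose) return 4; /* case 4 */
    free_field(loose, NULL); dict_free(&a); dict_free(&b);
    return 0;
}
```

A content field, which the commit says is never interned, takes the case 1 path even when a new dictionary exists (pass NULL as newDict).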
  16. 20 May, 2022 2 commits
    • Use xmlNewDocText in xmlXIncludeCopyRange · 0aa8652e
      Nick Wellnhofer authored
      Otherwise, the initial node of the copy could be a text node with a
      NULL document. This results in the NULL document being propagated to
      copies of other nodes, losing information about the dictionary in which
      node data is stored, and freeing a dict-allocated string.
      
      See discussion in !175.
    • Disable network in API tests · 351dbdfe
      Nick Wellnhofer authored
      Avoids hangs when trying to make network connections.
  17. 18 May, 2022 1 commit
    • Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser · c50196c1
      David Kilzer authored
      When creating an xmlTextReaderPtr using xmlReaderForMemory(),
      there are two optional API functions that can be used:
      - xmlTextReaderClose() may be called prior to calling
        xmlFreeTextReader() to free parsing resources and close the
        xmlTextReaderPtr without freeing it.
      - xmlTextReaderCurrentDoc() may be called to return an
        xmlDocPtr that's owned by the caller, and must be freed using
        xmlFreeDoc() after calling xmlFreeTextReader().
      
      The use-after-free issues occur when calling
      xmlTextReaderClose() before xmlFreeTextReader(), with different
      issues occurring depending on whether xmlTextReaderCurrentDoc()
      is also called.
      
      * xmlreader.c:
      (xmlFreeTextReader):
      - Move code to xmlTextReaderClose(), remove duplicate code, and
        call xmlTextReaderClose() if it hasn't been called yet.
      (xmlTextReaderClose):
      - Move call to xmlFreeNode(reader->faketext) from
        xmlFreeTextReader() to fix a use-after-free bug when calling
        xmlTextReaderClose() before xmlFreeTextReader(), but not when
        using xmlTextReaderCurrentDoc().  The bug was introduced in
        2002 by commit beb70bd3.  In 2009 commit f4653dcd fixed the
        use-after-free that occurred every time xmlFreeTextReader()
        was called, but not the case where xmlTextReaderClose() was
        called first.
      - Move post-parsing validation code from xmlFreeTextReader() to
        fix a second use-after-free when calling xmlTextReaderClose()
        before xmlFreeTextReader().  This regressed in v2.9.10 with
        commit 57a3af56.