path: root/result
Commit message [Author, Age, Files, Lines]
* runtest: Skip element name in schema error messages [Nick Wellnhofer, 2023-04-30, files: 74, lines: -93/+93]
| This makes sure that memory and streaming tests will report the same messages.
* [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType [Nick Wellnhofer, 2023-04-11, files: 1, lines: -0/+1]
| Fix a null pointer dereference when parsing (invalid) XML schemas.
|
| Thanks to Robby Simpson for the report!
|
| Fixes #491.
* xmlValidatePopElement() can return invalid value (-1) [David Kilzer, 2023-04-10, files: 4, lines: -3/+6]
| Covered by: test/VC/ElementValid5
|
| This only affects XML Reader API with LIBXML_REGEXP_ENABLED and LIBXML_VALID_ENABLED turned on.
|
| * result/VC/ElementValid5.rdr:
| - Update result to add missing error message.
| * python/tests/reader2.py:
| * result/VC/ElementValid6.rdr:
| * result/VC/ElementValid7.rdr:
| * result/valid/781333.xml.err.rdr:
| - Update result to fix grammar issue.
| * valid.c:
| (xmlValidatePopElement):
| - Check return value of xmlRegExecPushString() to handle -1, and assign 'ret = 0;' to return 0 from xmlValidatePopElement(). This change affects xmlTextReaderValidatePop() from xmlreader.c.
| - Fix grammar of error message by changing 'child' to 'children'.
* SAX2: Ignore namespaces in HTML documents [Nick Wellnhofer, 2023-03-31, files: 3, lines: -0/+29]
| In commit 21ca8829, we started to ignore namespaces in HTML element names but we still called xmlSplitQName, effectively stripping the namespace prefix. This would cause elements like <o:p> being parsed as <p>. Now we leave the name untouched.
|
| Fixes #508.
* xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt [Nick Wellnhofer, 2023-02-14, files: 2, lines: -0/+9]
| Also make text inclusions work with memory buffers, for example when using a custom entity loader, and fix a memory leak in case of invalid characters.
|
| Fixes #483.
* xinclude: Abort immediately if max depth was exceeded [Nick Wellnhofer, 2023-02-13, files: 1, lines: -1/+0]
| Avoids resource exhaustion if the maximum recursion depth was exceeded.
|
| Note that the XInclude engine offers no protection against other "billion laughs"-style amplification attacks as long as they stay below the maximum depth.
* parser: Halt parser on DTD errors [Nick Wellnhofer, 2023-01-24, files: 18, lines: -168/+0]
| If we try to continue parsing after an error in the internal or external subset, entity expansion accounting gets more complicated. Simply halt the parser.
|
| Found with libFuzzer.
* xpath: number('-') should return NaN [Nick Wellnhofer, 2023-01-18, files: 1, lines: -0/+4]
| Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81
* parser: Fix entity check in attributes [Nick Wellnhofer, 2023-01-17, files: 3, lines: -0/+19]
| Don't set the "checked" flag when checking entities in default attribute values. These entities could reference other entities which weren't defined yet, so the check isn't reliable.
|
| This fixes a short-lived regression which could lead to a call stack overflow later in xmlStringGetNodeList.
* parser: Improve detection of entity loops [Nick Wellnhofer, 2022-12-23, files: 3, lines: -9/+9]
| Set a flag to detect entity loops at once instead of processing until the depth limit is exceeded.
* parser: Only report a single entity error [Nick Wellnhofer, 2022-12-23, files: 1, lines: -120/+0]
| Don't report errors multiple times for nested entity references.
* uri: Fix handling of port numbers [Nick Wellnhofer, 2022-12-13, files: 3, lines: -0/+6]
| Allow port number without host, real fix for #71.
|
| Also compare port numbers in xmlBuildRelativeURI.
|
| Fix handling of port numbers in xmlUriEscape.
* error: Make sure that error messages are valid UTF-8 [Nick Wellnhofer, 2022-12-04, files: 16, lines: -22/+66]
| This has caused issues with the Python bindings for a long time.
|
| Should fix #64.
* test: Add test for push parser boundaries [Nick Wellnhofer, 2022-11-20, files: 7, lines: -0/+167]
|
* parser: Rewrite push parser boundary checks [Nick Wellnhofer, 2022-11-20, files: 3, lines: -9/+75]
| Remove inaccurate xmlParseCheckTransition check.
|
| Remove non-incremental xmlParseGetLasts check.
|
| Add functions that check for several boundary constructs more accurately, keeping track of progress in ctxt->checkIndex.
|
| Fixes #439.
* html: Don't escape ASCII chars in href attributes [Nick Wellnhofer, 2022-11-20, files: 3, lines: -5/+5]
| In several cases, href attributes can contain ASCII characters which are illegal in URIs. Escaping them often does more harm than good.
|
| Fixes #321.
* parser: Fix DTD parser progress checks [Nick Wellnhofer, 2022-11-20, files: 6, lines: -18/+12]
| This is another attempt at fixing parser progress checks. Instead of relying on in->consumed, which could overflow, change some DTD parser functions to make guaranteed progress on certain byte sequences.
* xinclude: Always allow XPtr expressions in external documents [Nick Wellnhofer, 2022-10-31, files: 5, lines: -1/+80]
|
* xinclude: Implement "streaming" mode [Nick Wellnhofer, 2022-10-30, files: 5, lines: -80/+1]
| When using xmlreader, XPointer expressions in XIncludes simply cannot work. Expressions can reference nodes which weren't parsed yet or which were already deleted.
|
| After fixing nested XIncludes, we reference includes which were parsed previously. When streaming, these nodes could have been deleted, leading to use-after-free errors.
|
| Disallow XPointer expressions and truncate the include table in streaming mode.
* xinclude: Avoid creation of subcontexts [Nick Wellnhofer, 2022-10-25, files: 2, lines: -0/+16]
| Don't create subcontext in xmlXIncludeRecurseDoc. Save and restore 'doc' and 'incTab' instead.
|
| Make xmlXIncludeLoadFallback call xmlXIncludeCopyNode which seems safer than xmlXIncludeDoProcess since the latter may modify the document. This should also be more performant since we need to copy the whole fallback subtree anyway.
|
| Also make sure to avoid replacements in fallback elements in xmlXIncludeDoProcess.
* xinclude: Limit recursion depth [Nick Wellnhofer, 2022-10-23, files: 1, lines: -0/+2]
| This avoids call stack overflows.
* xinclude: Test for inclusion loops [Nick Wellnhofer, 2022-10-23, files: 1, lines: -0/+1]
|
* xinclude: Expand includes in xmlXIncludeCopyNode [Nick Wellnhofer, 2022-10-23, files: 2, lines: -0/+12]
| This should make nested includes work reliably.
|
| Fixes #424.
* xinclude: Don't create result doc for test with errors [Nick Wellnhofer, 2022-10-23, files: 1, lines: -5/+0]
|
* xinclude: Also test error messages [Nick Wellnhofer, 2022-10-23, files: 8, lines: -23/+24]
| The reader interface with XIncludes is somewhat broken and can generate different error messages. Start to move tests which are sketchy with reader to a separate directory.
* Revert "xinclude: Fix regression with nested includes" [Nick Wellnhofer, 2022-10-21, files: 2, lines: -23/+0]
| This reverts commit 7f04e297318b1b908cec20711f74f75625afed7f which caused memory errors. See #424.
* xinclude: Fix regression with nested includes [Nick Wellnhofer, 2022-10-18, files: 2, lines: -0/+23]
| This reverts commits 74dcc10b and 87d20b55.
|
| Fixes #424.
* schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK [Nick Wellnhofer, 2022-09-13, files: 1, lines: -0/+2]
| Found by OSS-Fuzz.
* Fix --with-valid --without-regexps build [Nick Wellnhofer, 2022-09-02, files: 2, lines: -2/+2]
| This build config resulted in segfaults in 'runtest' because a special xmlElementContentPtr showed up in a few places. I'm not sure if this is the right fix.
|
| An error message was changed to conform to the --with-regexps build.
|
| There are still a few missing validity errors, so the tests don't pass.
* Skip incorrectly opened HTML comments [Nick Wellnhofer, 2022-08-02, files: 3, lines: -0/+32]
| Commit 4fd69f3e fixed handling of '<' characters not followed by an ASCII letter. But a '<!' sequence followed by invalid characters should be treated as bogus comment and skipped.
|
| Fixes #380.
* Fix parsing of subtracted regex character classes [Nick Wellnhofer, 2022-04-23, files: 1, lines: -0/+3]
| Fixes #370.
* Implement xpath1() XPointer scheme [Nick Wellnhofer, 2022-04-21, files: 7, lines: -0/+91]
| See https://www.w3.org/2005/04/xpointer-schemes/
* Fix short-lived regression in xmlStaticCopyNode [Nick Wellnhofer, 2022-04-10, files: 2, lines: -0/+27]
| Commit 7618a3b1 didn't account for coalesced text nodes.
|
| I think it would be better if xmlStaticCopyNode didn't try to coalesce text nodes at all. This code path can only be triggered if some other code doesn't coalesce text nodes properly. In this case, OSS-Fuzz found such behavior in xinclude.c.
* Remove unused result files [Nick Wellnhofer, 2022-04-04, files: 2, lines: -25/+0]
|
* Allow missing result files in runtest [Nick Wellnhofer, 2022-04-04, files: 534, lines: -0/+0]
| Treat missing files as empty.
* Move SVG tests to runtest.c [Nick Wellnhofer, 2022-04-04, files: 45, lines: -200/+220]
| Also update the test results for the first time since 2000.
* Remove major parts of old test suite [Nick Wellnhofer, 2022-04-04, files: 104, lines: -122/+0]
| Remove all the parts of the old test suite which are covered by runtest.c for quite some time.
|
| The following test programs are removed:
|
| - testC14N
| - testHTML
| - testReader
| - testRelax
| - testSAX
| - testSchemas
| - testURI
| - testXPath
|
| This also removes a few results of unimportant tests only run by the old test suite.
* Normalize XPath strings in-place [Nick Wellnhofer, 2022-03-05, files: 1, lines: -0/+24]
| Simplify the code and fix a potential memory leak.
|
| Fixes #343.
* Fix recursion check in xinclude.c [Nick Wellnhofer, 2022-03-02, files: 2, lines: -0/+35]
| Compare the included URL with the document's URL to detect local inclusions.
|
| Fixes #348.
* htmlParseComment: handle abruptly-closed comments [Mike Dalessio, 2022-03-02, files: 3, lines: -8/+12]
| See guidance provided on abruptly-closed comments here:
|
| https://html.spec.whatwg.org/multipage/parsing.html#parse-error-abrupt-closing-of-empty-comment
* test coverage for abruptly-closed comments [Mike Dalessio, 2022-03-02, files: 3, lines: -0/+69]
| These establish baseline behavior so that the subsequent commit is clear about the behavior it will modify.
* Fix certain combinations of regex range quantifiers [Nick Wellnhofer, 2022-02-28, files: 1, lines: -0/+4]
| Fix regex transitions that have both min/max and a counter. In this case, we want to save the regex state before incrementing the counter.
|
| Fixes #301 and the issue reported here:
|
| https://mail.gnome.org/archives/xml/2016-April/msg00017.html
* Fix range quantifier on subregex [Nick Wellnhofer, 2022-02-28, files: 1, lines: -0/+2]
| Make sure to add counted exit transitions before other counter transitions. Otherwise, we won't backtrack correctly.
|
| Fixes #65.
* Only warn on invalid redeclarations of predefined entities [Nick Wellnhofer, 2022-02-20, files: 4, lines: -0/+6]
| Downgrade the error message to a warning since the error was ignored, anyway. Also print the name of redeclared entity.
|
| For a proper fix that also shows filename and line number of the invalid redeclaration, we'd have to
|
| - pass the parser context to the entity functions somehow, or
| - make these functions return distinct error codes.
|
| Partial fix for #308.
* [CVE-2022-23308] Use-after-free of ID and IDREF attributes [Nick Wellnhofer, 2022-02-19, files: 1, lines: -1/+1]
| If a document is parsed with XML_PARSE_DTDVALID and without XML_PARSE_NOENT, the value of ID attributes has to be normalized after potentially expanding entities in xmlRemoveID. Otherwise, later calls to xmlGetID can return a pointer to previously freed memory.
|
| ID attributes which are empty or contain only whitespace after entity expansion are affected in a similar way. This is fixed by not storing such attributes in the ID table.
|
| The test to detect streaming mode when validating against a DTD was broken. In connection with the defects above, this could result in a use-after-free when using the xmlReader interface with validation. Fix detection of streaming mode to avoid similar issues. (This changes the expected result of a test case. But as far as I can tell, using the XML reader with XIncludes referencing the root document never worked properly, anyway.)
|
| All of these issues can result in denial of service. Using xmlReader with validation could result in disclosure of memory via the error channel, typically stderr. The security impact of xmlGetID returning a pointer to freed memory depends on the application. The typical use case of calling xmlGetID on an unmodified document is not affected.
* Fix double counting of CRLF in comments [Nick Wellnhofer, 2022-02-07, files: 4, lines: -0/+16]
| Fixes #151.
* Don't normalize namespace URIs in XPointer xmlns() scheme [Nick Wellnhofer, 2022-02-04, files: 1, lines: -0/+7]
| Namespace URIs should be compared without escaping or unescaping:
|
| https://www.w3.org/TR/REC-xml-names/#NSNameComparison
|
| Fixes #289.
* Fix handling of XSD with empty namespace [Nick Wellnhofer, 2022-02-03, files: 1, lines: -0/+1]
| An empty namespace means no default namespace.
|
| Fixes #303.
* Update NewsML DTD in test suite [Nick Wellnhofer, 2022-02-03, files: 1, lines: -1/+1]
| Switch to version 1.2 which has a clearer license.
|
| Fixes #291.
* Fix regression with PEs in external DTD [Nick Wellnhofer, 2022-01-16, files: 3, lines: -0/+3]
| Fix a regression introduced with commit a28f7d87. In some cases, parameter entity references in external DTDs wouldn't be expanded.
|
| Fixes #306.