| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
This makes sure that memory and streaming tests will report the same
messages.
|
|
|
|
|
|
|
|
| |
Fix a null pointer dereference when parsing (invalid) XML schemas.
Thanks to Robby Simpson for the report!
Fixes #491.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Covered by: test/VC/ElementValid5
This only affects XML Reader API with LIBXML_REGEXP_ENABLED and
LIBXML_VALID_ENABLED turned on.
* result/VC/ElementValid5.rdr:
- Update result to add missing error message.
* python/tests/reader2.py:
* result/VC/ElementValid6.rdr:
* result/VC/ElementValid7.rdr:
* result/valid/781333.xml.err.rdr:
- Update result to fix grammar issue.
* valid.c:
(xmlValidatePopElement):
- Check return value of xmlRegExecPushString() to handle -1, and
assign 'ret = 0;' to return 0 from xmlValidatePopElement().
This change affects xmlTextReaderValidatePop() from
xmlreader.c.
- Fix grammar of error message by changing 'child' to
'children'.
|
|
|
|
|
|
|
|
|
| |
In commit 21ca8829, we started to ignore namespaces in HTML element
names but we still called xmlSplitQName, effectively stripping the
namespace prefix. This would cause elements like <o:p> being parsed
as <p>. Now we leave the name untouched.
Fixes #508.
|
|
|
|
|
|
|
|
| |
Also make text inclusions work with memory buffers, for example when
using a custom entity loader, and fix a memory leak in case of invalid
characters.
Fixes #483.
|
|
|
|
|
|
|
|
| |
Avoids resource exhaustion if the maximum recursion depth was exceeded.
Note that the XInclude engine offers no protection against other
"billion laughs"-style amplification attacks as long as they stay below
the maximum depth.
|
|
|
|
|
|
|
|
| |
If we try to continue parsing after an error in the internal or external
subset, entity expansion accounting gets more complicated. Simply halt
the parser.
Found with libFuzzer.
|
|
|
|
| |
Fixes https://gitlab.gnome.org/GNOME/libxslt/-/issues/81
|
|
|
|
|
|
|
|
|
| |
Don't set the "checked" flag when checking entities in default attribute
values. These entities could reference other entities which weren't
defined yet, so the check isn't reliable.
This fixes a short-lived regression which could lead to a call stack
overflow later in xmlStringGetNodeList.
|
|
|
|
|
| |
Set a flag to detect entity loops at once instead of processing until
the depth limit is exceeded.
|
|
|
|
| |
Don't report errors multiple times for nested entity references.
|
|
|
|
|
|
|
|
| |
Allow port number without host, real fix for #71.
Also compare port numbers in xmlBuildRelativeURI.
Fix handling of port numbers in xmlUriEscape.
|
|
|
|
|
|
| |
This has caused issues with the Python bindings for a long time.
Should fix #64.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Remove inaccurate xmlParseCheckTransition check.
Remove non-incremental xmlParseGetLasts check.
Add functions that check for several boundary constructs more
accurately, keeping track of progress in ctxt->checkIndex.
Fixes #439.
|
|
|
|
|
|
|
| |
In several cases, href attributes can contain ASCII characters which are
illegal in URIs. Escaping them often does more harm than good.
Fixes #321.
|
|
|
|
|
|
| |
This is another attempt at fixing parser progress checks. Instead of
relying on in->consumed, which could overflow, change some DTD parser
functions to make guaranteed progress on certain byte sequences.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using xmlreader, XPointer expressions in XIncludes simply cannot
work. Expressions can reference nodes which weren't parsed yet or which
were already deleted.
After fixing nested XIncludes, we reference includes which were parsed
previously. When streaming, these nodes could have been deleted, leading
to use-after-free errors.
Disallow XPointer expressions and truncate the include table in
streaming mode.
|
|
|
|
|
|
|
|
|
|
|
| |
Don't create subcontext in xmlXIncludeRecurseDoc. Save and restore 'doc'
and 'incTab' instead.
Make xmlXIncludeLoadFallback call xmlXIncludeCopyNode which seems safer
than xmlXIncludeDoProcess since the latter may modify the document.
This should also be more performant since we need to copy the whole
fallback subtree anyway. Also make sure to avoid replacements in
fallback elements in xmlXIncludeDoProcess.
|
|
|
|
| |
This avoids call stack overflows.
|
| |
|
|
|
|
|
|
| |
This should make nested includes work reliably.
Fixes #424.
|
| |
|
|
|
|
|
|
| |
The reader interface with XIncludes is somewhat broken and can generate
different error messages. Start to move tests which are sketchy with
reader to a separate directory.
|
|
|
|
|
|
|
| |
This reverts commit 7f04e297318b1b908cec20711f74f75625afed7f which
caused memory errors.
See #424.
|
|
|
|
|
|
| |
This reverts commits 74dcc10b and 87d20b55.
Fixes #424.
|
|
|
|
| |
Found by OSS-Fuzz.
|
|
|
|
|
|
|
|
|
|
| |
This build config resulted in segfaults in 'runtest' because a special
xmlElementContentPtr showed up in a few places. I'm not sure if this is
the right fix.
An error message was changed to conform to the --with-regexps build.
There are still a few missing validity errors, so the tests don't pass.
|
|
|
|
|
|
|
|
| |
Commit 4fd69f3e fixed handling of '<' characters not followed by an
ASCII letter. But a '<!' sequence followed by invalid characters should
be treated as bogus comment and skipped.
Fixes #380.
|
|
|
|
| |
Fixes #370.
|
|
|
|
| |
See https://www.w3.org/2005/04/xpointer-schemes/
|
|
|
|
|
|
|
|
|
| |
Commit 7618a3b1 didn't account for coalesced text nodes.
I think it would be better if xmlStaticCopyNode didn't try to coalesce
text nodes at all. This code path can only be triggered if some other
code doesn't coalesce text nodes properly. In this case, OSS-Fuzz found
such behavior in xinclude.c.
|
| |
|
|
|
|
| |
Treat missing files as empty.
|
|
|
|
| |
Also update the test results for the first time since 2000.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove all the parts of the old test suite which are covered by
runtest.c for quite some time.
The following test programs are removed:
- testC14N
- testHTML
- testReader
- testRelax
- testSAX
- testSchemas
- testURI
- testXPath
This also removes a few results of unimportant tests only run by the old
test suite.
|
|
|
|
|
|
| |
Simplify the code and fix a potential memory leak.
Fixes #343.
|
|
|
|
|
|
|
| |
Compare the included URL with the document's URL to detect local
inclusions.
Fixes #348.
|
|
|
|
|
|
| |
See guidance provided on abrutply-closed comments here:
https://html.spec.whatwg.org/multipage/parsing.html#parse-error-abrupt-closing-of-empty-comment
|
|
|
|
|
| |
These establish baseline behavior so that the subsequent commit is
clear about the behavior it will modify.
|
|
|
|
|
|
|
|
|
| |
Fix regex transitions that have both min/max and a counter. In this
case, we want to save the regex state before incrementing the counter.
Fixes #301 and the issue reported here:
https://mail.gnome.org/archives/xml/2016-April/msg00017.html
|
|
|
|
|
|
|
| |
Make sure to add counted exit transitions before other counter
transitions. Otherwise, we won't backtrack correctly.
Fixes #65.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Downgrade the error message to a warning since the error was ignored,
anyway. Also print the name of redeclared entity. For a proper fix that
also shows filename and line number of the invalid redeclaration, we'd
have to
- pass the parser context to the entity functions somehow, or
- make these functions return distinct error codes.
Partial fix for #308.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a document is parsed with XML_PARSE_DTDVALID and without
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
potentially expanding entities in xmlRemoveID. Otherwise, later calls
to xmlGetID can return a pointer to previously freed memory.
ID attributes which are empty or contain only whitespace after
entity expansion are affected in a similar way. This is fixed by
not storing such attributes in the ID table.
The test to detect streaming mode when validating against a DTD was
broken. In connection with the defects above, this could result in a
use-after-free when using the xmlReader interface with validation.
Fix detection of streaming mode to avoid similar issues. (This changes
the expected result of a test case. But as far as I can tell, using the
XML reader with XIncludes referencing the root document never worked
properly, anyway.)
All of these issues can result in denial of service. Using xmlReader
with validation could result in disclosure of memory via the error
channel, typically stderr. The security impact of xmlGetID returning
a pointer to freed memory depends on the application. The typical use
case of calling xmlGetID on an unmodified document is not affected.
|
|
|
|
| |
Fixes #151.
|
|
|
|
|
|
|
|
| |
Namespace URIs should be compared without escaping or unescaping:
https://www.w3.org/TR/REC-xml-names/#NSNameComparison
Fixes #289.
|
|
|
|
|
|
| |
An empty namespace means no default namespace.
Fixes #303.
|
|
|
|
|
|
| |
Switch to version 1.2 which has a clearer license.
Fixes #291.
|
|
|
|
|
|
|
| |
Fix a regression introduced with commit a28f7d87. In some cases,
parameter entity references in external DTDs wouldn't be expanded.
Fixes #306.
|