1. 23 Oct, 2014 1 commit
  2. 17 Oct, 2014 1 commit
  3. 16 Oct, 2014 2 commits
    • Fix for CVE-2014-3660 · be2a7eda
      Daniel Veillard authored
      Issues related to the billion laugh entity expansion which happened to
      escape the initial set of fixes
    • fix memory leak xml header encoding field with XML_PARSE_IGNORE_ENC · 500c54ef
      Bart De Schuymer authored
      When the xml parser encounters an xml encoding in an xml header while
      configured with option XML_PARSE_IGNORE_ENC, it fails to free memory
      allocated for storing the encoding.
      The patch below fixes this.
      How to reproduce:
      1. Change doc/examples/parse4.c to add xmlCtxtUseOptions(ctxt, XML_PARSE_IGNORE_ENC);
         after the call to xmlCreatePushParserCtxt.
      2. Rebuild
      3. run the following command from the top libxml2 directory:
         LD_LIBRARY_PATH=.libs/ valgrind --leak-check=full ./doc/examples/.libs/parse4 ./test.xml
         where test.xml contains the following input:
         <?xml version="1.0" encoding="UTF-81" ?><hi/>
      valgrind will report:
      ==1964== 10 bytes in 1 blocks are definitely lost in loss record 1 of 1
      ==1964==    at 0x4C272DB: malloc (in
      /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==1964==    by 0x4E88497: xmlParseEncName (parser.c:10224)
      ==1964==    by 0x4E888FE: xmlParseEncodingDecl (parser.c:10295)
      ==1964==    by 0x4E89630: xmlParseXMLDecl (parser.c:10534)
      ==1964==    by 0x4E8B737: xmlParseTryOrFinish (parser.c:11293)
      ==1964==    by 0x4E8E775: xmlParseChunk (parser.c:12283)
      
      Signed-off-by: Bart De Schuymer <bart at amplidata com>
  4. 08 Oct, 2014 1 commit
  5. 06 Oct, 2014 2 commits
    • parser bug on misformed namespace attributes · 7e9bbdf8
      Dennis Filder authored
      For https://bugzilla.gnome.org/show_bug.cgi?id=672539
      Reported by Axel Miller <axel.miller@ppi.de>
      
      Consider the following start-tag:
      <x xmlns=""version="">
      
      The start-tag does not conform to the rule
      
      [40]       STag       ::=       '<' Name (S Attribute)* S? '>'
      
      since there is no whitespace in front of the attribute "version".
      
      Thus, libxml2 should reject the start-tag.
      But it doesn't:
      
      $ echo '<x xmlns=""version=""/>' | xmllint -
      <?xml version="1.0"?>
      <x xmlns="" version=""/>
      
      The error seems to happen only if there is a namespace declaration in
      front of the attribute. A missing whitespace between other attributes is
      handled correctly:
      
      $ echo '<x someattr=""version=""/>' | xmllint -
      -:1: parser error : attributes construct error
      <x someattr=""version=""/>
                    ^
      [...]
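Production [40] can be checked outside libxml2 in a few dozen lines. The following is an added example, not libxml2 code and not part of the commit above: a scanner for a single start-tag that follows `'<' Name (S Attribute)* S? '>'` literally and reports the 1-based column of the first violation, so the missing-whitespace case from the bug report fails the same way whether the preceding attribute is `xmlns` or `someattr`. Assumptions made here: names are restricted to ASCII, attribute values are not entity-expanded, and the tag string is parsed in isolation.

```python
import re

# Constructed, ASCII-only approximations of the XML 1.0 Name productions;
# the real NameStartChar/NameChar allow a much larger repertoire.
_NAME_START = re.compile(r'[A-Za-z_:]')
_NAME_CHAR = re.compile(r'[A-Za-z0-9_:.\-]')
_S = ' \t\r\n'          # production [3] S


class STagError(ValueError):
    """Well-formedness violation with the 1-based column where it was found."""
    def __init__(self, message, column):
        super().__init__(f"{message} at column {column}")
        self.column = column


def _parse_name(s, i):
    if i >= len(s) or not _NAME_START.match(s[i]):
        raise STagError("expected Name", i + 1)
    j = i + 1
    while j < len(s) and _NAME_CHAR.match(s[j]):
        j += 1
    return s[i:j], j


def _skip_s(s, i):
    while i < len(s) and s[i] in _S:
        i += 1
    return i


def _parse_att_value(s, i):
    # [10] AttValue: a quoted literal that must not contain '<'
    # (entity references inside the value are left unexpanded here).
    if i >= len(s) or s[i] not in '"\'':
        raise STagError("expected AttValue", i + 1)
    quote = s[i]
    j = s.find(quote, i + 1)
    if j < 0:
        raise STagError("unterminated AttValue", i + 1)
    value = s[i + 1:j]
    if '<' in value:
        raise STagError("'<' not allowed in AttValue", i + 2 + value.index('<'))
    return value, j + 1


def parse_start_tag(s):
    """Parse a start-tag [40] or empty-element tag [44]:
        '<' Name (S Attribute)* S? ('>' | '/>')
    Returns (name, [(attribute, value), ...]) or raises STagError.
    The rule the bug report is about: every Attribute must be preceded by
    at least one S character, whatever the previous attribute was."""
    if not s.startswith('<'):
        raise STagError("expected '<'", 1)
    name, i = _parse_name(s, 1)
    attrs = []
    while True:
        j = _skip_s(s, i)
        if s.startswith('>', j) or s.startswith('/>', j):
            return name, attrs
        if j == i:  # nothing skipped, yet something other than '>' follows
            raise STagError("attributes construct error: missing whitespace before attribute", j + 1)
        attr, k = _parse_name(s, j)
        k = _skip_s(s, k)
        if not s.startswith('=', k):           # [25] Eq ::= S? '=' S?
            raise STagError("expected '='", k + 1)
        k = _skip_s(s, k + 1)
        value, i = _parse_att_value(s, k)
        attrs.append((attr, value))


def check_start_tag(s):
    """Convenience wrapper: (True, None) if well-formed, else (False, column)."""
    try:
        parse_start_tag(s)
        return True, None
    except STagError as e:
        return False, e.column


if __name__ == "__main__":
    for tag in ('<x xmlns="" version=""/>', '<x xmlns=""version=""/>',
                '<x someattr=""version=""/>'):
        print(tag, check_start_tag(tag))
```

Run stand-alone it prints the verdict for the three tags from the bug report; both tags without whitespace before `version` are rejected with the column of the offending `v`, the first one at column 12 and the second at column 15, which is where xmllint's caret points in the report's second transcript.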
    • wrong error column in structured error when parsing end tag · 24fb4c32
      Juergen Keil authored
      For https://bugzilla.gnome.org/show_bug.cgi?id=734283
      
      libxml2 reports wrong error column numbers (field int2 in xmlError)
      in structured error handler, after parsing an end tag.
  6. 07 Aug, 2014 2 commits
    • wrong error column in structured error when parsing attribute values · 33f658c9
      Juergen Keil authored
      For https://bugzilla.gnome.org/show_bug.cgi?id=734280
      
      libxml2 reports wrong error column numbers (field int2 in xmlError)
      in structured error handler, after parsing XML attribute values.
      
      Example XML:
      
      <?xml version="1.0" encoding="UTF-8"?>
      <root
      xmlns="urn:colbug">&</root>
      <!--
               1         2         3         4
      1234567890123456789012345678901234567890
      -->
      
      Expected location of the error would be line 3, column 21.
      
      The actual location of the error is line 3, column 9:
      
      $ ./xmlparse colbug2.xml
      colbug2.xml:3:9: xmlParseEntityRef: no name
      
      The 12 characters of the xmlns attribute value "urn:colbug" are
      not accounted for in the error column value.
    • wrong error column in structured error when skipping whitespace in xml decl · 5d4310af
      Juergen Keil authored
      For https://bugzilla.gnome.org/show_bug.cgi?id=734276
      
      libxml2 reports wrong error column numbers (field int2 in xmlError)
      in structured error handler, after an XML declaration containing
      whitespace.
      
      Example XML:
      
      <?xml  version="1.0"  encoding="UTF-8"     ?><root>&</root>
      <!--
               1         2         3         4         5         6
      123456789012345678901234567890123456789012345678901234567890
      -->
      
      Expected location of the error would be line 1, column 53.
      
      The actual location of the error is line 1, column 44:
      
      $ ./xmlparse colbug1.xml
      colbug1.xml:1:44: xmlParseEntityRef: no name
  7. 26 Jul, 2014 1 commit
  8. 14 Jul, 2014 1 commit
  9. 11 Jun, 2014 1 commit
  10. 06 May, 2014 1 commit
  11. 21 Mar, 2014 1 commit
  12. 06 Feb, 2014 1 commit
  13. 26 Jan, 2014 1 commit
  14. 09 Dec, 2013 1 commit
  15. 30 Nov, 2013 1 commit
  16. 22 May, 2013 1 commit
  17. 10 May, 2013 1 commit
  18. 06 May, 2013 1 commit
  19. 23 Apr, 2013 1 commit
  20. 16 Apr, 2013 1 commit
  21. 11 Apr, 2013 1 commit
  22. 11 Mar, 2013 2 commits
  23. 19 Feb, 2013 1 commit
    • Detect excessive entities expansion upon replacement · 23f05e0c
      Daniel Veillard authored
      If entities expansion in the XML parser is asked for,
      it is possible to craft a relatively small input document leading
      to excessive on-the-fly content generation.
      This patch accounts for those replacements and stops parsing
      after a given threshold. It can be bypassed as usual with the
      HUGE parser option.
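The two entity-expansion commits on this page (be2a7eda for CVE-2014-3660 and this one) both come down to bounding how much content replacement may generate relative to the input. The following is an added example, not libxml2 code: it computes the fully expanded size of a document body from the internal-subset declarations without materialising the expansion, rejects recursive declarations, and refuses the document when the expansion exceeds a byte budget or an amplification ratio, which is the decision a parser has to make before it starts replacing. The grammar handled (general entities with literal values only), the thresholds, and the nested sample built by make_nested_sample are assumptions constructed for this example, not libxml2's.

```python
import re

# Constructed, deliberately narrow grammar: general entities declared in the
# internal subset with a literal value. Parameter entities, external
# entities (SYSTEM/PUBLIC) and character references are out of scope.
_DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>', re.S)
_ENTITY_DECL = re.compile(
    r'''<!ENTITY\s+([A-Za-z_:][\w:.\-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
_ENTITY_REF = re.compile(r'&([A-Za-z_:][\w:.\-]*);')


class EntityExpansionError(ValueError):
    pass


def parse_entities(doc):
    """Return {name: literal_value} for the internal subset. Where a name is
    declared twice the first binding wins, as XML requires."""
    m = _DOCTYPE.search(doc)
    if not m:
        return {}
    entities = {}
    for d in _ENTITY_DECL.finditer(m.group(1)):
        value = d.group(2) if d.group(2) is not None else d.group(3)
        entities.setdefault(d.group(1), value)
    return entities


def expanded_size(text, entities, _memo=None, _stack=()):
    """Length of `text` once every entity reference is replaced, recursively,
    computed WITHOUT building the replacement text: each entity's expanded
    size is calculated once and memoised, so the cost is linear in the size
    of the declarations rather than in the size of the expansion. Undeclared
    references keep their literal length; recursive ones are an error."""
    if _memo is None:
        _memo = {}
    size, pos = 0, 0
    for ref in _ENTITY_REF.finditer(text):
        size += ref.start() - pos
        pos = ref.end()
        name = ref.group(1)
        if name not in entities:
            size += len(ref.group(0))
            continue
        if name in _stack:
            raise EntityExpansionError(f"recursive reference to &{name};")
        if name not in _memo:
            _memo[name] = expanded_size(entities[name], entities, _memo, _stack + (name,))
        size += _memo[name]
    return size + (len(text) - pos)


def check_expansion(doc, max_ratio=10, max_bytes=10_000_000):
    """Decide, before expanding anything, whether it is safe to do so.
    Returns (expanded_body_size, amplification) or raises
    EntityExpansionError. The limits are chosen for this example and are
    not libxml2's thresholds."""
    entities = parse_entities(doc)
    m = _DOCTYPE.search(doc)
    body = doc[m.end():] if m else doc
    size = expanded_size(body, entities)
    if size > max_bytes:
        raise EntityExpansionError(f"expanded size {size} exceeds {max_bytes} bytes")
    amplification = size / max(len(doc), 1)
    if amplification > max_ratio:
        raise EntityExpansionError(
            f"expansion amplifies the input {amplification:.1f}x (limit {max_ratio}x)")
    return size, amplification


def is_safe_to_expand(doc, **limits):
    try:
        check_expansion(doc, **limits)
        return True
    except EntityExpansionError:
        return False


def make_nested_sample(levels, fanout):
    """Constructed input: entity l<i> references l<i-1> `fanout` times, so
    the single &l<levels-1>; in the body stands for fanout**(levels-1)
    copies of "lol". Used here only to exercise the check."""
    decls = ['<!ENTITY l0 "lol">']
    for i in range(1, levels):
        refs = f'&l{i - 1};' * fanout
        decls.append(f'<!ENTITY l{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE x [\n' + '\n'.join(decls)
            + f'\n]>\n<x>&l{levels - 1};</x>\n')


if __name__ == "__main__":
    for levels in (3, 4):
        doc = make_nested_sample(levels, 10)
        try:
            print(levels, "levels:", check_expansion(doc))
        except EntityExpansionError as e:
            print(levels, "levels: rejected,", e)
```

With three nesting levels the 182-byte sample expands to 309 bytes (amplification about 1.7x) and is accepted; adding a fourth level costs 56 more input bytes but expands to 3009 bytes, an amplification above 10x, so it is rejected before any replacement happens. A mutually recursive pair of declarations is rejected on the same pass. The memoised size computation is the important design point: a parser that measures by actually expanding is already doing the work it was trying to avoid.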
  24. 13 Feb, 2013 1 commit
  25. 12 Feb, 2013 1 commit
  26. 04 Jan, 2013 1 commit
  27. 21 Dec, 2012 1 commit
  28. 30 Oct, 2012 1 commit
  29. 29 Oct, 2012 1 commit
  30. 26 Oct, 2012 1 commit
  31. 25 Oct, 2012 2 commits
  32. 13 Sep, 2012 1 commit
  33. 11 Sep, 2012 1 commit
  34. 04 Sep, 2012 1 commit
    • Fix potential crash on entities errors · 28f5e1a2
      Daniel Veillard authored
      Related to https://bugs.launchpad.net/lxml/+bug/502959
      
      Basically the core of the issue is that if an entity references another
      entity, then in case we are replacing entities content, we should always
      do so by copying the referenced content as long as the reference is
      done within the entity. Otherwise, if for some reason there is a later
      parsing error that entity content may be freed.
      
      Complex scenario exposed by command:
      thinkpad:~/XML/diveintopython-5.4/xml -> valgrind --db-attach=yes
      ../../xmllint --loaddtd --noout --noent diveintopython.xml
      
        Document references &a;
        a references &b;
        we reference b content directly by linking in the a content
        a has an error further down
        we free a, freeing the chunk from b
        Document references &b; after &a;
        we try to copy b content, but it was freed already => segfault
      
      * parser.c: never reference directly entity content without copying if
        we aren't in the document main entity
  35. 15 Aug, 2012 1 commit
    • Cleanup some of the parser code · 1f972e9f
      Daniel Veillard authored
      Prefetching assumptions about the amount of data read in GROW
      should be backed up with a test for 0 termination when at the
      end of the buffer.