From 673fdd09814d9d40b8bcf3ef5a13e3811b68241f Mon Sep 17 00:00:00 2001 From: yang_zhuang_zhuang <1162011203@qq.com> Date: Tue, 8 Sep 2020 19:28:17 +0800 Subject: [PATCH] Fix some issues found in fuzzing tesecases --- ...blings-of-root-in-xmlXIncludeProcess.patch | 88 +++++ ...to-xi-include-children-in-xmlXInclud.patch | 208 ++++++++++++ ...dle-namespaces-when-building-HTML-do.patch | 115 +++++++ Fix-UTF-8-decoder-in-HTML-parser.patch | 58 ++++ ...ression-introduced-with-recent-commi.patch | 128 +++++++ ...emory-leak-in-xmlSchemaValAtomicType.patch | 28 ++ ...le-free-in-XML-reader-with-XIncludes.patch | 29 ++ ...runtime-and-memory-in-xi-fallback-pr.patch | 317 ++++++++++++++++++ ...ger-overflow-in-_xmlSchemaParseGYear.patch | 33 ++ ...integer-overflow-in-htmlParseCharRef.patch | 65 ++++ ...overflow-when-comparing-schema-dates.patch | 41 +++ ...overflow-when-parsing-min-max-Occurs.patch | 55 +++ Fix-memory-leak-in-runtest.c.patch | 37 ++ ...ak-in-xmlXIncludeAddNode-error-paths.patch | 52 +++ ...in-xmlXIncludeIncludeNode-error-path.patch | 33 ++ ...eak-in-xmlXIncludeLoadDoc-error-path.patch | 33 ++ ...k-when-shared-libxml-dll-is-unloaded.patch | 40 +++ ...ic-runtime-issues-in-HTML-push-parse.patch | 57 ++++ ...ntime-when-parsing-HTML-script-conte.patch | 62 ++++ ...behavior-in-xmlXPathTryStreamCompile.patch | 27 ++ Fuzz-XInclude-engine.patch | 65 ++++ ...ree-lists-in-XML-reader-when-fuzzing.patch | 60 ++++ ...-parser-input-before-reporting-error.patch | 49 +++ libxml2.spec | 28 +- 24 files changed, 1707 insertions(+), 1 deletion(-) create mode 100644 Don-t-process-siblings-of-root-in-xmlXIncludeProcess.patch create mode 100644 Don-t-recurse-into-xi-include-children-in-xmlXInclud.patch create mode 100644 Don-t-try-to-handle-namespaces-when-building-HTML-do.patch create mode 100644 Fix-UTF-8-decoder-in-HTML-parser.patch create mode 100644 Fix-XInclude-regression-introduced-with-recent-commi.patch create mode 100644 Fix-another-memory-leak-in-xmlSchemaValAtomicType.patch create mode 100644 Fix-double-free-in-XML-reader-with-XIncludes.patch create mode 100644 Fix-exponential-runtime-and-memory-in-xi-fallback-pr.patch create mode 100644 Fix-integer-overflow-in-_xmlSchemaParseGYear.patch create mode 100644 Fix-integer-overflow-in-htmlParseCharRef.patch create mode 100644 Fix-integer-overflow-when-comparing-schema-dates.patch create mode 100644 Fix-integer-overflow-when-parsing-min-max-Occurs.patch create mode 100644 Fix-memory-leak-in-runtest.c.patch create mode 100644 Fix-memory-leak-in-xmlXIncludeAddNode-error-paths.patch create mode 100644 Fix-memory-leak-in-xmlXIncludeIncludeNode-error-path.patch create mode 100644 Fix-memory-leak-in-xmlXIncludeLoadDoc-error-path.patch create mode 100644 Fix-memory-leak-when-shared-libxml-dll-is-unloaded.patch create mode 100644 Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch create mode 100644 Fix-quadratic-runtime-when-parsing-HTML-script-conte.patch create mode 100644 Fix-undefined-behavior-in-xmlXPathTryStreamCompile.patch create mode 100644 Fuzz-XInclude-engine.patch create mode 100644 Limit-size-of-free-lists-in-XML-reader-when-fuzzing.patch create mode 100644 Reset-HTML-parser-input-before-reporting-error.patch diff --git a/Don-t-process-siblings-of-root-in-xmlXIncludeProcess.patch b/Don-t-process-siblings-of-root-in-xmlXIncludeProcess.patch new file mode 100644 index 0000000..2c8fb72 --- /dev/null +++ b/Don-t-process-siblings-of-root-in-xmlXIncludeProcess.patch @@ -0,0 +1,88 @@ +From 11b5745927481d6a716acef5408da20899eab8a2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 Aug 2020 18:39:19 +0200 +Subject: [PATCH 108/139] Don't process siblings of root in xmlXIncludeProcess + +xmlXIncludeDoProcess would follow the siblings of the tree root and +also expand these nodes. When using an XML reader, this could lead to +siblings of the current node being expanded without having been parsed +completely. +--- + xinclude.c | 38 ++++++++++++++++++-------------------- + 1 file changed, 18 insertions(+), 20 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index 0f1af9c..2917d45 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -1980,6 +1980,8 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) { + (ctxt == NULL)) + return(-1); + if (fallback->children != NULL) { ++ xmlNodePtr child, next; ++ + /* + * It's possible that the fallback also has 'includes' + * (Bug 129969), so we re-process the fallback just in case +@@ -1990,11 +1992,13 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) { + newctxt->_private = ctxt->_private; + newctxt->base = xmlStrdup(ctxt->base); /* Inherit the base from the existing context */ + xmlXIncludeSetFlags(newctxt, ctxt->parseFlags); +- ret = xmlXIncludeDoProcess(newctxt, ctxt->doc, fallback->children); ++ for (child = fallback->children; child != NULL; child = next) { ++ next = child->next; ++ if (xmlXIncludeDoProcess(newctxt, ctxt->doc, child) < 0) ++ ret = -1; ++ } + if (ctxt->nbErrors > oldNbErrors) + ret = -1; +- else if (ret > 0) +- ret = 0; /* xmlXIncludeDoProcess can return +ve number */ + xmlXIncludeFreeContext(newctxt); + + ctxt->incTab[nr]->inc = xmlDocCopyNodeList(ctxt->doc, +@@ -2396,7 +2400,7 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + * First phase: lookup the elements in the document + */ + cur = tree; +- while ((cur != NULL) && (cur != tree->parent)) { ++ do { + /* TODO: need to work on entities -> stack */ + if (xmlXIncludeTestNode(ctxt, cur) == 1) { + xmlXIncludePreProcessNode(ctxt, cur); +@@ -2407,22 +2411,16 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + cur = cur->children; + continue; + } +- if (cur->next != NULL) { +- cur = cur->next; +- } else { +- if (cur == tree) +- break; +- do { +- cur = cur->parent; +- if ((cur == NULL) || (cur == tree->parent)) +- break; /* do */ +- if (cur->next != NULL) { +- cur = cur->next; +- break; /* do */ +- } +- } while (cur != NULL); +- } +- } ++ do { ++ if (cur == tree) ++ break; ++ if (cur->next != NULL) { ++ cur = cur->next; ++ break; ++ } ++ cur = cur->parent; ++ } while (cur != NULL); ++ } while ((cur != NULL) && (cur != tree)); + + /* + * Second Phase : collect the infosets fragments +-- +1.8.3.1 + diff --git a/Don-t-recurse-into-xi-include-children-in-xmlXInclud.patch b/Don-t-recurse-into-xi-include-children-in-xmlXInclud.patch new file mode 100644 index 0000000..5e69695 --- /dev/null +++ b/Don-t-recurse-into-xi-include-children-in-xmlXInclud.patch @@ -0,0 +1,208 @@ +From 0f9817c75b50a77c6aeb8f36801966fdadad229a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Jun 2020 16:34:52 +0200 +Subject: [PATCH 107/139] Don't recurse into xi:include children in + xmlXIncludeDoProcess + +Otherwise, nested xi:include nodes might result in a use-after-free +if XML_PARSE_NOXINCNODE is specified. + +Found with libFuzzer and ASan. +--- + result/XInclude/fallback3.xml | 8 ++++++++ + result/XInclude/fallback3.xml.err | 0 + result/XInclude/fallback3.xml.rdr | 25 +++++++++++++++++++++++++ + result/XInclude/fallback4.xml | 10 ++++++++++ + result/XInclude/fallback4.xml.err | 0 + result/XInclude/fallback4.xml.rdr | 29 +++++++++++++++++++++++++++++ + test/XInclude/docs/fallback3.xml | 9 +++++++++ + test/XInclude/docs/fallback4.xml | 7 +++++++ + xinclude.c | 24 ++++++++++-------------- + 9 files changed, 98 insertions(+), 14 deletions(-) + create mode 100644 result/XInclude/fallback3.xml + create mode 100644 result/XInclude/fallback3.xml.err + create mode 100644 result/XInclude/fallback3.xml.rdr + create mode 100644 result/XInclude/fallback4.xml + create mode 100644 result/XInclude/fallback4.xml.err + create mode 100644 result/XInclude/fallback4.xml.rdr + create mode 100644 test/XInclude/docs/fallback3.xml + create mode 100644 test/XInclude/docs/fallback4.xml + +diff --git a/result/XInclude/fallback3.xml b/result/XInclude/fallback3.xml +new file mode 100644 +index 0000000..b423551 +--- /dev/null ++++ b/result/XInclude/fallback3.xml +@@ -0,0 +1,8 @@ ++ ++ ++ ++

something

++

really

++

simple

++ ++ +diff --git a/result/XInclude/fallback3.xml.err b/result/XInclude/fallback3.xml.err +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/XInclude/fallback3.xml.rdr b/result/XInclude/fallback3.xml.rdr +new file mode 100644 +index 0000000..aa2f137 +--- /dev/null ++++ b/result/XInclude/fallback3.xml.rdr +@@ -0,0 +1,25 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 simple ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++1 15 doc 0 0 ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/result/XInclude/fallback4.xml b/result/XInclude/fallback4.xml +new file mode 100644 +index 0000000..9883fd5 +--- /dev/null ++++ b/result/XInclude/fallback4.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++

something

++

really

++

simple

++ ++ ++ +diff --git a/result/XInclude/fallback4.xml.err b/result/XInclude/fallback4.xml.err +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/XInclude/fallback4.xml.rdr b/result/XInclude/fallback4.xml.rdr +new file mode 100644 +index 0000000..628b951 +--- /dev/null ++++ b/result/XInclude/fallback4.xml.rdr +@@ -0,0 +1,29 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 doc 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 something ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 really ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++2 1 p 0 0 ++3 3 #text 0 1 simple ++2 15 p 0 0 ++2 14 #text 0 1 ++ ++1 15 doc 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/test/XInclude/docs/fallback3.xml b/test/XInclude/docs/fallback3.xml +new file mode 100644 +index 0000000..0c8b6c9 +--- /dev/null ++++ b/test/XInclude/docs/fallback3.xml +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ There is no c.xml ... ++ ++ ++ ++ +diff --git a/test/XInclude/docs/fallback4.xml b/test/XInclude/docs/fallback4.xml +new file mode 100644 +index 0000000..b500a63 +--- /dev/null ++++ b/test/XInclude/docs/fallback4.xml +@@ -0,0 +1,7 @@ ++ ++ ++ ++ ++ ++ ++ +diff --git a/xinclude.c b/xinclude.c +index 461c1a5..0f1af9c 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2396,21 +2396,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + * First phase: lookup the elements in the document + */ + cur = tree; +- if (xmlXIncludeTestNode(ctxt, cur) == 1) +- xmlXIncludePreProcessNode(ctxt, cur); + while ((cur != NULL) && (cur != tree->parent)) { + /* TODO: need to work on entities -> stack */ +- if ((cur->children != NULL) && +- (cur->children->type != XML_ENTITY_DECL) && +- (cur->children->type != XML_XINCLUDE_START) && +- (cur->children->type != XML_XINCLUDE_END)) { +- cur = cur->children; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); +- } else if (cur->next != NULL) { ++ if (xmlXIncludeTestNode(ctxt, cur) == 1) { ++ xmlXIncludePreProcessNode(ctxt, cur); ++ } else if ((cur->children != NULL) && ++ (cur->children->type != XML_ENTITY_DECL) && ++ (cur->children->type != XML_XINCLUDE_START) && ++ (cur->children->type != XML_XINCLUDE_END)) { ++ cur = cur->children; ++ continue; ++ } ++ if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + } else { + if (cur == tree) + break; +@@ -2420,8 +2418,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + break; /* do */ + if (cur->next != NULL) { + cur = cur->next; +- if (xmlXIncludeTestNode(ctxt, cur)) +- xmlXIncludePreProcessNode(ctxt, cur); + break; /* do */ + } + } while (cur != NULL); +-- +1.8.3.1 + diff --git a/Don-t-try-to-handle-namespaces-when-building-HTML-do.patch b/Don-t-try-to-handle-namespaces-when-building-HTML-do.patch new file mode 100644 index 0000000..eba1670 --- /dev/null +++ b/Don-t-try-to-handle-namespaces-when-building-HTML-do.patch @@ -0,0 +1,115 @@ +From 21ca8829a7366d72995adfeb21296d959fbb3777 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 25 Jul 2020 17:57:29 +0200 +Subject: [PATCH 095/139] Don't try to handle namespaces when building HTML + documents + +Don't try to resolve namespace in xmlSAX2StartElement when parsing +HTML documents. This useless operation could slow down the parser +considerably. + +Found by OSS-Fuzz. +--- + SAX2.c | 76 +++++++++++++++++++++++++++++++++--------------------------------- + 1 file changed, 38 insertions(+), 38 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 9df0184..4450a3f 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -1663,23 +1663,23 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts) + } + } + +- /* +- * Insert all the defaulted attributes from the DTD especially namespaces +- */ +- if ((!ctxt->html) && +- ((ctxt->myDoc->intSubset != NULL) || +- (ctxt->myDoc->extSubset != NULL))) { +- xmlCheckDefaultedAttributes(ctxt, name, prefix, atts); +- } ++ if (!ctxt->html) { ++ /* ++ * Insert all the defaulted attributes from the DTD especially ++ * namespaces ++ */ ++ if ((ctxt->myDoc->intSubset != NULL) || ++ (ctxt->myDoc->extSubset != NULL)) { ++ xmlCheckDefaultedAttributes(ctxt, name, prefix, atts); ++ } + +- /* +- * process all the attributes whose name start with "xmlns" +- */ +- if (atts != NULL) { +- i = 0; +- att = atts[i++]; +- value = atts[i++]; +- if (!ctxt->html) { ++ /* ++ * process all the attributes whose name start with "xmlns" ++ */ ++ if (atts != NULL) { ++ i = 0; ++ att = atts[i++]; ++ value = atts[i++]; + while ((att != NULL) && (value != NULL)) { + if ((att[0] == 'x') && (att[1] == 'm') && (att[2] == 'l') && + (att[3] == 'n') && (att[4] == 's')) +@@ -1688,30 +1688,30 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts) + att = atts[i++]; + value = atts[i++]; + } +- } +- } ++ } + +- /* +- * Search the namespace, note that since the attributes have been +- * processed, the local namespaces are available. +- */ +- ns = xmlSearchNs(ctxt->myDoc, ret, prefix); +- if ((ns == NULL) && (parent != NULL)) +- ns = xmlSearchNs(ctxt->myDoc, parent, prefix); +- if ((prefix != NULL) && (ns == NULL)) { +- ns = xmlNewNs(ret, NULL, prefix); +- xmlNsWarnMsg(ctxt, XML_NS_ERR_UNDEFINED_NAMESPACE, +- "Namespace prefix %s is not defined\n", +- prefix, NULL); +- } ++ /* ++ * Search the namespace, note that since the attributes have been ++ * processed, the local namespaces are available. ++ */ ++ ns = xmlSearchNs(ctxt->myDoc, ret, prefix); ++ if ((ns == NULL) && (parent != NULL)) ++ ns = xmlSearchNs(ctxt->myDoc, parent, prefix); ++ if ((prefix != NULL) && (ns == NULL)) { ++ ns = xmlNewNs(ret, NULL, prefix); ++ xmlNsWarnMsg(ctxt, XML_NS_ERR_UNDEFINED_NAMESPACE, ++ "Namespace prefix %s is not defined\n", ++ prefix, NULL); ++ } + +- /* +- * set the namespace node, making sure that if the default namespace +- * is unbound on a parent we simply keep it NULL +- */ +- if ((ns != NULL) && (ns->href != NULL) && +- ((ns->href[0] != 0) || (ns->prefix != NULL))) +- xmlSetNs(ret, ns); ++ /* ++ * set the namespace node, making sure that if the default namespace ++ * is unbound on a parent we simply keep it NULL ++ */ ++ if ((ns != NULL) && (ns->href != NULL) && ++ ((ns->href[0] != 0) || (ns->prefix != NULL))) ++ xmlSetNs(ret, ns); ++ } + + /* + * process all the other attributes +-- +1.8.3.1 + diff --git a/Fix-UTF-8-decoder-in-HTML-parser.patch b/Fix-UTF-8-decoder-in-HTML-parser.patch new file mode 100644 index 0000000..f193916 --- /dev/null +++ b/Fix-UTF-8-decoder-in-HTML-parser.patch @@ -0,0 +1,58 @@ +From 1493130ef24f8af2e1e70fdf12827374f670f7bf Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 15 Jul 2020 12:54:25 +0200 +Subject: [PATCH 085/139] Fix UTF-8 decoder in HTML parser + +Reject sequences starting with a continuation byte as well as overlong +sequences like the XML parser. + +Also fixes an infinite loop in connection with previous commit 50078922 +since htmlCurrentChar would return 0 even if not at the end of the +buffer. + +Found by OSS-Fuzz. +--- + HTMLparser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 26ed124..d31e2ec 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -439,6 +439,8 @@ htmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) { + + c = *cur; + if (c & 0x80) { ++ if ((c & 0x40) == 0) ++ goto encoding_error; + if (cur[1] == 0) { + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + cur = ctxt->input->cur; +@@ -467,18 +469,24 @@ htmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) { + val |= (cur[1] & 0x3f) << 12; + val |= (cur[2] & 0x3f) << 6; + val |= cur[3] & 0x3f; ++ if (val < 0x10000) ++ goto encoding_error; + } else { + /* 3-byte code */ + *len = 3; + val = (cur[0] & 0xf) << 12; + val |= (cur[1] & 0x3f) << 6; + val |= cur[2] & 0x3f; ++ if (val < 0x800) ++ goto encoding_error; + } + } else { + /* 2-byte code */ + *len = 2; + val = (cur[0] & 0x1f) << 6; + val |= cur[1] & 0x3f; ++ if (val < 0x80) ++ goto encoding_error; + } + if (!IS_CHAR(val)) { + htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, +-- +1.8.3.1 + diff --git a/Fix-XInclude-regression-introduced-with-recent-commi.patch b/Fix-XInclude-regression-introduced-with-recent-commi.patch new file mode 100644 index 0000000..e69cab6 --- /dev/null +++ b/Fix-XInclude-regression-introduced-with-recent-commi.patch @@ -0,0 +1,128 @@ +From dba82a8c0453b7d4d138167a771c1c2988b889be Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 16 Aug 2020 23:02:20 +0200 +Subject: [PATCH 121/139] Fix XInclude regression introduced with recent commit + +The change to xmlXIncludeLoadFallback in commit 11b57459 could +process already freed nodes if text nodes were merged after deleting +nodes with an empty fallback. + +Found by OSS-Fuzz. +--- + xinclude.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index 41ff4e5..ff265eb 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -91,7 +91,8 @@ struct _xmlXIncludeCtxt { + }; + + static int +-xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree); ++xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree, ++ int skipRoot); + + + /************************************************************************ +@@ -732,7 +733,7 @@ xmlXIncludeRecurseDoc(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, + */ + newctxt->parseFlags = ctxt->parseFlags; + newctxt->incTotal = ctxt->incTotal; +- xmlXIncludeDoProcess(newctxt, doc, xmlDocGetRootElement(doc)); ++ xmlXIncludeDoProcess(newctxt, doc, xmlDocGetRootElement(doc), 0); + ctxt->incTotal = newctxt->incTotal; + for (i = 0;i < ctxt->incNr;i++) { + newctxt->incTab[i]->count--; +@@ -1984,8 +1985,6 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) { + (ctxt == NULL)) + return(-1); + if (fallback->children != NULL) { +- xmlNodePtr child, next; +- + /* + * It's possible that the fallback also has 'includes' + * (Bug 129969), so we re-process the fallback just in case +@@ -1997,11 +1996,8 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) { + newctxt->base = xmlStrdup(ctxt->base); /* Inherit the base from the existing context */ + xmlXIncludeSetFlags(newctxt, ctxt->parseFlags); + newctxt->incTotal = ctxt->incTotal; +- for (child = fallback->children; child != NULL; child = next) { +- next = child->next; +- if (xmlXIncludeDoProcess(newctxt, ctxt->doc, child) < 0) +- ret = -1; +- } ++ if (xmlXIncludeDoProcess(newctxt, ctxt->doc, fallback, 1) < 0) ++ ret = -1; + ctxt->incTotal = newctxt->incTotal; + if (ctxt->nbErrors > oldNbErrors) + ret = -1; +@@ -2386,6 +2382,7 @@ xmlXIncludeTestNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node) { + * @ctxt: the XInclude processing context + * @doc: an XML document + * @tree: the top of the tree to process ++ * @skipRoot: don't process the root node of the tree + * + * Implement the XInclude substitution on the XML document @doc + * +@@ -2393,13 +2390,16 @@ xmlXIncludeTestNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node) { + * or the number of substitutions done. + */ + static int +-xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { ++xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree, ++ int skipRoot) { + xmlNodePtr cur; + int ret = 0; + int i, start; + + if ((doc == NULL) || (tree == NULL) || (tree->type == XML_NAMESPACE_DECL)) + return(-1); ++ if ((skipRoot) && (tree->children == NULL)) ++ return(-1); + if (ctxt == NULL) + return(-1); + +@@ -2413,7 +2413,10 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + /* + * First phase: lookup the elements in the document + */ +- cur = tree; ++ if (skipRoot) ++ cur = tree->children; ++ else ++ cur = tree; + do { + /* TODO: need to work on entities -> stack */ + if (xmlXIncludeTestNode(ctxt, cur) == 1) { +@@ -2521,7 +2524,7 @@ xmlXIncludeProcessTreeFlagsData(xmlNodePtr tree, int flags, void *data) { + ctxt->_private = data; + ctxt->base = xmlStrdup((xmlChar *)tree->doc->URL); + xmlXIncludeSetFlags(ctxt, flags); +- ret = xmlXIncludeDoProcess(ctxt, tree->doc, tree); ++ ret = xmlXIncludeDoProcess(ctxt, tree->doc, tree, 0); + if ((ret >= 0) && (ctxt->nbErrors > 0)) + ret = -1; + +@@ -2605,7 +2608,7 @@ xmlXIncludeProcessTreeFlags(xmlNodePtr tree, int flags) { + return(-1); + ctxt->base = xmlNodeGetBase(tree->doc, tree); + xmlXIncludeSetFlags(ctxt, flags); +- ret = xmlXIncludeDoProcess(ctxt, tree->doc, tree); ++ ret = xmlXIncludeDoProcess(ctxt, tree->doc, tree, 0); + if ((ret >= 0) && (ctxt->nbErrors > 0)) + ret = -1; + +@@ -2645,7 +2648,7 @@ xmlXIncludeProcessNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr node) { + if ((node == NULL) || (node->type == XML_NAMESPACE_DECL) || + (node->doc == NULL) || (ctxt == NULL)) + return(-1); +- ret = xmlXIncludeDoProcess(ctxt, node->doc, node); ++ ret = xmlXIncludeDoProcess(ctxt, node->doc, node, 0); + if ((ret >= 0) && (ctxt->nbErrors > 0)) + ret = -1; + return(ret); +-- +1.8.3.1 + diff --git a/Fix-another-memory-leak-in-xmlSchemaValAtomicType.patch b/Fix-another-memory-leak-in-xmlSchemaValAtomicType.patch new file mode 100644 index 0000000..2e4ba48 --- /dev/null +++ b/Fix-another-memory-leak-in-xmlSchemaValAtomicType.patch @@ -0,0 +1,28 @@ +From 50f18830e179f273c244d4969485c4154c81cc01 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 21 Jun 2020 15:21:45 +0200 +Subject: [PATCH 058/139] Fix another memory leak in xmlSchemaValAtomicType + +Don't collapse language IDs twice. + +Found with libFuzzer and ASan. +--- + xmlschemastypes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 1a44052..35edfd6 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -2636,7 +2636,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value, + goto return0; + } + case XML_SCHEMAS_LANGUAGE: +- if (normOnTheFly) { ++ if ((norm == NULL) && (normOnTheFly)) { + norm = xmlSchemaCollapseString(value); + if (norm != NULL) + value = norm; +-- +1.8.3.1 + diff --git a/Fix-double-free-in-XML-reader-with-XIncludes.patch b/Fix-double-free-in-XML-reader-with-XIncludes.patch new file mode 100644 index 0000000..6d1a2e4 --- /dev/null +++ b/Fix-double-free-in-XML-reader-with-XIncludes.patch @@ -0,0 +1,29 @@ +From ba589adc2f86c6be9ad7e0d771d4c9b09d059b89 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 25 Aug 2020 23:50:39 +0200 +Subject: [PATCH 138/139] Fix double free in XML reader with XIncludes + +An XInclude with empty fallback could lead to a double free in +xmlTextReaderRead. + +Found by OSS-Fuzz. +--- + xmlreader.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xmlreader.c b/xmlreader.c +index 6ae6e92..1ab15ba 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -1491,6 +1491,8 @@ get_next_node: + (reader->node->prev->type != XML_DTD_NODE)) { + xmlNodePtr tmp = reader->node->prev; + if ((tmp->extra & NODE_IS_PRESERVED) == 0) { ++ if (oldnode == tmp) ++ oldnode = NULL; + xmlUnlinkNode(tmp); + xmlTextReaderFreeNode(reader, tmp); + } +-- +1.8.3.1 + diff --git a/Fix-exponential-runtime-and-memory-in-xi-fallback-pr.patch b/Fix-exponential-runtime-and-memory-in-xi-fallback-pr.patch new file mode 100644 index 0000000..f6303b7 --- /dev/null +++ b/Fix-exponential-runtime-and-memory-in-xi-fallback-pr.patch @@ -0,0 +1,317 @@ +From 1abf2967f955858764a6de5d7b7fe247cb637853 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 6 Aug 2020 17:51:57 +0200 +Subject: [PATCH 109/139] Fix exponential runtime and memory in xi:fallback + processing + +When creating XML_XINCLUDE_START nodes, the children of the original +xi:include node must be freed, otherwise fallback content is copied +twice, doubling runtime and memory consumption for each nested +xi:fallback/xi:include pair. + +Found with libFuzzer. +--- + result/XInclude/fallback5.xml | 51 +++++++++++++++++ + result/XInclude/fallback5.xml.rdr | 116 ++++++++++++++++++++++++++++++++++++++ + test/XInclude/docs/fallback5.xml | 83 +++++++++++++++++++++++++++ + xinclude.c | 8 +++ + 4 files changed, 258 insertions(+) + create mode 100644 result/XInclude/fallback5.xml + create mode 100644 result/XInclude/fallback5.xml.rdr + create mode 100644 test/XInclude/docs/fallback5.xml + +diff --git a/result/XInclude/fallback5.xml b/result/XInclude/fallback5.xml +new file mode 100644 +index 0000000..0ba503d +--- /dev/null ++++ b/result/XInclude/fallback5.xml +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/result/XInclude/fallback5.xml.rdr b/result/XInclude/fallback5.xml.rdr +new file mode 100644 +index 0000000..0e1dab7 +--- /dev/null ++++ b/result/XInclude/fallback5.xml.rdr +@@ -0,0 +1,116 @@ ++0 1 a 0 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 1 elem 1 0 ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++1 14 #text 0 1 ++ ++0 15 a 0 0 +diff --git a/test/XInclude/docs/fallback5.xml b/test/XInclude/docs/fallback5.xml +new file mode 100644 +index 0000000..d3ad424 +--- /dev/null ++++ b/test/XInclude/docs/fallback5.xml +@@ -0,0 +1,83 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/xinclude.c b/xinclude.c +index 2917d45..5ea87ad 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2260,11 +2260,19 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) { + xmlUnlinkNode(cur); + xmlFreeNode(cur); + } else { ++ xmlNodePtr child, next; ++ + /* + * Change the current node as an XInclude start one, and add an + * XInclude end one + */ + cur->type = XML_XINCLUDE_START; ++ /* Remove fallback children */ ++ for (child = cur->children; child != NULL; child = next) { ++ next = child->next; ++ xmlUnlinkNode(child); ++ xmlFreeNode(child); ++ } + end = xmlNewDocNode(cur->doc, cur->ns, cur->name, NULL); + if (end == NULL) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, +-- +1.8.3.1 + diff --git a/Fix-integer-overflow-in-_xmlSchemaParseGYear.patch b/Fix-integer-overflow-in-_xmlSchemaParseGYear.patch new file mode 100644 index 0000000..1b6bedd --- /dev/null +++ b/Fix-integer-overflow-in-_xmlSchemaParseGYear.patch @@ -0,0 +1,33 @@ +From 18425d3ad5a9bbe5c6e7fd4a9a45691e6c8862d1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 21 Jun 2020 19:14:23 +0200 +Subject: [PATCH 060/139] Fix integer overflow in _xmlSchemaParseGYear + +Found with libFuzzer and UBSan. +--- + xmlschemastypes.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 35edfd6..164db94 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -1222,7 +1222,14 @@ _xmlSchemaParseGYear (xmlSchemaValDatePtr dt, const xmlChar **str) { + firstChar = cur; + + while ((*cur >= '0') && (*cur <= '9')) { +- dt->year = dt->year * 10 + (*cur - '0'); ++ int digit = *cur - '0'; ++ ++ if (dt->year > LONG_MAX / 10) ++ return 2; ++ dt->year *= 10; ++ if (dt->year > LONG_MAX - digit) ++ return 2; ++ dt->year += digit; + cur++; + digcnt++; + } +-- +1.8.3.1 + diff --git a/Fix-integer-overflow-in-htmlParseCharRef.patch b/Fix-integer-overflow-in-htmlParseCharRef.patch new file mode 100644 index 0000000..615cf1c --- /dev/null +++ b/Fix-integer-overflow-in-htmlParseCharRef.patch @@ -0,0 +1,65 @@ +From 31ca4a728cf96c9a341d0bfe489d2c0ba71dc6ff Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 15 Jun 2020 18:47:53 +0200 +Subject: [PATCH 054/139] Fix integer overflow in htmlParseCharRef + +Fixes #115. +--- + HTMLparser.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 5dd62df..be7e14f 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3400,13 +3400,16 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) { + ((NXT(2) == 'x') || NXT(2) == 'X')) { + SKIP(3); + while (CUR != ';') { +- if ((CUR >= '0') && (CUR <= '9')) +- val = val * 16 + (CUR - '0'); +- else if ((CUR >= 'a') && (CUR <= 'f')) +- val = val * 16 + (CUR - 'a') + 10; +- else if ((CUR >= 'A') && (CUR <= 'F')) +- val = val * 16 + (CUR - 'A') + 10; +- else { ++ if ((CUR >= '0') && (CUR <= '9')) { ++ if (val < 0x110000) ++ val = val * 16 + (CUR - '0'); ++ } else if ((CUR >= 'a') && (CUR <= 'f')) { ++ if (val < 0x110000) ++ val = val * 16 + (CUR - 'a') + 10; ++ } else if ((CUR >= 'A') && (CUR <= 'F')) { ++ if (val < 0x110000) ++ val = val * 16 + (CUR - 'A') + 10; ++ } else { + htmlParseErr(ctxt, XML_ERR_INVALID_HEX_CHARREF, + "htmlParseCharRef: missing semicolon\n", + NULL, NULL); +@@ -3419,9 +3422,10 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) { + } else if ((CUR == '&') && (NXT(1) == '#')) { + SKIP(2); + while (CUR != ';') { +- if ((CUR >= '0') && (CUR <= '9')) +- val = val * 10 + (CUR - '0'); +- else { ++ if ((CUR >= '0') && (CUR <= '9')) { ++ if (val < 0x110000) ++ val = val * 10 + (CUR - '0'); ++ } else { + htmlParseErr(ctxt, XML_ERR_INVALID_DEC_CHARREF, + "htmlParseCharRef: missing semicolon\n", + NULL, NULL); +@@ -3440,6 +3444,9 @@ htmlParseCharRef(htmlParserCtxtPtr ctxt) { + */ + if (IS_CHAR(val)) { + return(val); ++ } else if (val >= 0x110000) { ++ htmlParseErr(ctxt, XML_ERR_INVALID_CHAR, ++ "htmlParseCharRef: value too large\n", NULL, NULL); + } else { + htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, + "htmlParseCharRef: invalid xmlChar value %d\n", +-- +1.8.3.1 + diff --git a/Fix-integer-overflow-when-comparing-schema-dates.patch b/Fix-integer-overflow-when-comparing-schema-dates.patch new file mode 100644 index 0000000..51c0e17 --- /dev/null +++ b/Fix-integer-overflow-when-comparing-schema-dates.patch @@ -0,0 +1,41 @@ +From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 3 Aug 2020 17:30:41 +0200 +Subject: [PATCH 103/139] Fix integer overflow when comparing schema dates + +Found by OSS-Fuzz. +--- + xmlschemastypes.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 4249d70..d6b9f92 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y) + minday = 0; + maxday = 0; + } else { ++ if (myear > LONG_MAX / 366) ++ return -2; + /* FIXME: This doesn't take leap year exceptions every 100/400 years + into account. */ + maxday = 365 * myear + (myear + 3) / 4; +@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + if ((x == NULL) || (y == NULL)) + return -2; + ++ if ((x->value.date.year > LONG_MAX / 366) || ++ (x->value.date.year < LONG_MIN / 366) || ++ (y->value.date.year > LONG_MAX / 366) || ++ (y->value.date.year < LONG_MIN / 366)) { ++ /* Possible overflow when converting to days. */ ++ return -2; ++ } ++ + if (x->value.date.tz_flag) { + + if (!y->value.date.tz_flag) { +-- +1.8.3.1 + diff --git a/Fix-integer-overflow-when-parsing-min-max-Occurs.patch b/Fix-integer-overflow-when-parsing-min-max-Occurs.patch new file mode 100644 index 0000000..262997b --- /dev/null +++ b/Fix-integer-overflow-when-parsing-min-max-Occurs.patch @@ -0,0 +1,55 @@ +From 070d635e771a24f33e8480fa60689a881c9fa636 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 21 Jun 2020 16:26:38 +0200 +Subject: [PATCH 059/139] Fix integer overflow when parsing {min,max}Occurs + +Clamp value to INT_MAX. + +Found with libFuzzer and UBSan. +--- + xmlschemas.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 81c47bc..cc20063 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -6074,7 +6074,16 @@ xmlGetMaxOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + return (def); + } + while ((*cur >= '0') && (*cur <= '9')) { +- ret = ret * 10 + (*cur - '0'); ++ if (ret > INT_MAX / 10) { ++ ret = INT_MAX; ++ } else { ++ int digit = *cur - '0'; ++ ret *= 10; ++ if (ret > INT_MAX - digit) ++ ret = INT_MAX; ++ else ++ ret += digit; ++ } + cur++; + } + while (IS_BLANK_CH(*cur)) +@@ -6126,7 +6135,16 @@ xmlGetMinOccurs(xmlSchemaParserCtxtPtr ctxt, xmlNodePtr node, + return (def); + } + while ((*cur >= '0') && (*cur <= '9')) { +- ret = ret * 10 + (*cur - '0'); ++ if (ret > INT_MAX / 10) { ++ ret = INT_MAX; ++ } else { ++ int digit = *cur - '0'; ++ ret *= 10; ++ if (ret > INT_MAX - digit) ++ ret = INT_MAX; ++ else ++ ret += digit; ++ } + cur++; + } + while (IS_BLANK_CH(*cur)) +-- +1.8.3.1 + diff --git a/Fix-memory-leak-in-runtest.c.patch b/Fix-memory-leak-in-runtest.c.patch new file mode 100644 index 0000000..8706704 --- /dev/null +++ b/Fix-memory-leak-in-runtest.c.patch @@ -0,0 +1,37 @@ +From e1c2d0adf02692fd668cfbb7025db437f1f5490b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 16 Aug 2020 22:22:57 +0200 +Subject: [PATCH 120/139] Fix memory leak in runtest.c + +--- + runtest.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/runtest.c b/runtest.c +index 19ed629..0f178cb 100644 +--- a/runtest.c ++++ b/runtest.c +@@ -2108,16 +2108,16 @@ errParseTest(const char *filename, const char *result, const char *err, + xmlDocDumpMemory(doc, (xmlChar **) &base, &size); + } + res = compareFileMem(result, base, size); +- if (res != 0) { +- fprintf(stderr, "Result for %s failed in %s\n", filename, result); +- return(-1); +- } + } + if (doc != NULL) { + if (base != NULL) + xmlFree((char *)base); + xmlFreeDoc(doc); + } ++ if (res != 0) { ++ fprintf(stderr, "Result for %s failed in %s\n", filename, result); ++ return(-1); ++ } + if (err != NULL) { + res = compareFileMem(err, testErrors, testErrorsSize); + if (res != 0) { +-- +1.8.3.1 + diff --git a/Fix-memory-leak-in-xmlXIncludeAddNode-error-paths.patch b/Fix-memory-leak-in-xmlXIncludeAddNode-error-paths.patch new file mode 100644 index 0000000..e198701 --- /dev/null +++ b/Fix-memory-leak-in-xmlXIncludeAddNode-error-paths.patch @@ -0,0 +1,52 @@ +From fbb7fa9a9ad8269834d32ff872b1477ff7b9c705 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 19 Aug 2020 13:13:20 +0200 +Subject: [PATCH 131/139] Fix memory leak in xmlXIncludeAddNode error paths + +Found by OSS-Fuzz. +--- + xinclude.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index 9024535..aac30d5 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -627,8 +627,8 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { + xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_RECURSION, + "detected a local recursion with no xpointer in %s\n", + URL); +- if (fragment != NULL) +- xmlFree(fragment); ++ xmlFree(URL); ++ xmlFree(fragment); + return(-1); + } + +@@ -640,12 +640,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { + if (xmlStrEqual(URL, ctxt->urlTab[i])) { + xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_RECURSION, + "detected a recursion in %s\n", URL); ++ xmlFree(URL); ++ xmlFree(fragment); + return(-1); + } + } + } + + ref = xmlXIncludeNewRef(ctxt, URL, cur); ++ xmlFree(URL); + if (ref == NULL) { + return(-1); + } +@@ -653,7 +656,6 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { + ref->doc = NULL; + ref->xml = xml; + ref->count = 1; +- xmlFree(URL); + return(0); + } + +-- +1.8.3.1 + diff --git a/Fix-memory-leak-in-xmlXIncludeIncludeNode-error-path.patch b/Fix-memory-leak-in-xmlXIncludeIncludeNode-error-path.patch new file mode 100644 index 0000000..d872d22 --- /dev/null +++ b/Fix-memory-leak-in-xmlXIncludeIncludeNode-error-path.patch @@ -0,0 +1,33 @@ +From 5725c1153a74d997aa8ea8547574c049b040d5cb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Jun 2020 15:11:40 +0200 +Subject: [PATCH 106/139] Fix memory leak in xmlXIncludeIncludeNode error paths + +Found with libFuzzer and ASan. +--- + xinclude.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xinclude.c b/xinclude.c +index baeb8db..461c1a5 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -2238,6 +2238,7 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) { + XML_XINCLUDE_MULTIPLE_ROOT, + "XInclude error: would result in multiple root nodes\n", + NULL); ++ xmlFreeNodeList(list); + return(-1); + } + } +@@ -2265,6 +2266,7 @@ xmlXIncludeIncludeNode(xmlXIncludeCtxtPtr ctxt, int nr) { + xmlXIncludeErr(ctxt, ctxt->incTab[nr]->ref, + XML_XINCLUDE_BUILD_FAILED, + "failed to build node\n", NULL); ++ xmlFreeNodeList(list); + return(-1); + } + end->type = XML_XINCLUDE_END; +-- +1.8.3.1 + diff --git a/Fix-memory-leak-in-xmlXIncludeLoadDoc-error-path.patch b/Fix-memory-leak-in-xmlXIncludeLoadDoc-error-path.patch new file mode 100644 index 0000000..320c1f8 --- /dev/null +++ b/Fix-memory-leak-in-xmlXIncludeLoadDoc-error-path.patch @@ -0,0 +1,33 @@ +From ff009f991314ce8711f8a6a7f99107c10fb0a807 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 30 May 2020 15:32:25 +0200 +Subject: [PATCH 042/139] Fix memory leak in xmlXIncludeLoadDoc error path + +Found by OSS-Fuzz. +--- + xinclude.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/xinclude.c b/xinclude.c +index 5d44df4..baeb8db 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -1608,6 +1608,7 @@ loaded: + XML_XINCLUDE_XPTR_RESULT, + "XPointer is not a range: #%s\n", + fragment); ++ xmlXPathFreeObject(xptr); + xmlXPathFreeContext(xptrctxt); + xmlFree(URL); + xmlFree(fragment); +@@ -1615,6 +1616,7 @@ loaded: + case XPATH_NODESET: + if ((xptr->nodesetval == NULL) || + (xptr->nodesetval->nodeNr <= 0)) { ++ xmlXPathFreeObject(xptr); + xmlXPathFreeContext(xptrctxt); + xmlFree(URL); + xmlFree(fragment); +-- +1.8.3.1 + diff --git a/Fix-memory-leak-when-shared-libxml-dll-is-unloaded.patch b/Fix-memory-leak-when-shared-libxml-dll-is-unloaded.patch new file mode 100644 index 0000000..0d1274a --- /dev/null +++ b/Fix-memory-leak-when-shared-libxml-dll-is-unloaded.patch @@ -0,0 +1,40 @@ +From c7c526d6d0f605ed090f8fc1bbede9e439d3185c Mon Sep 17 00:00:00 2001 +From: Kevin Puetz +Date: Mon, 13 Jan 2020 18:49:01 -0600 +Subject: [PATCH 021/139] Fix memory leak when shared libxml.dll is unloaded + +When a multiple modules (process/plugins) all link to libxml2.dll +they will in fact share a single loaded instance of it. +It is unsafe for any of them to call xmlCleanupParser, +as this would deinitialize the shared state and break others that might +still have ongoing use. + +However, on windows atexit is per-module (rather process-wide), so if used +*within* libxml2 it is possible to register a clean up when all users +are done and libxml2.dll is about to actually unload. + +This allows multiple plugins to link with and share libxml2 without +a premature cleanup if one is unloaded, while still cleaning up if *all* +such callers are themselves unloaded. +--- + parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/parser.c b/parser.c +index 43a1a0a..1ba988c 100644 +--- a/parser.c ++++ b/parser.c +@@ -14741,6 +14741,10 @@ xmlInitParser(void) { + if (xmlParserInitialized != 0) + return; + ++#if defined(WIN32) && (!defined(LIBXML_STATIC) || defined(LIBXML_STATIC_FOR_DLL)) ++ atexit(xmlCleanupParser); ++#endif ++ + #ifdef LIBXML_THREAD_ENABLED + __xmlGlobalInitMutexLock(); + if (xmlParserInitialized == 0) { +-- +1.8.3.1 + diff --git a/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch b/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch new file mode 100644 index 0000000..dff0094 --- /dev/null +++ b/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch @@ -0,0 +1,57 @@ +From 3da8d947df1f84e54b12145ca2cfa1ff6456f532 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 9 Jul 2020 16:08:38 +0200 +Subject: [PATCH] Fix more quadratic runtime issues in HTML push parser + +Make sure that checkIndex is set when returning without match from +inside a comment. Also track parser state in htmlParseLookupChars. + +Found by OSS-Fuzz. + +diff --git a/HTMLparser.c b/HTMLparser.c +index 366c19b..9b12dd1 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -5205,7 +5205,7 @@ htmlParseLookupSequence(htmlParserCtxtPtr ctxt, xmlChar first, + } + if (incomment) { + if (base + 3 > len) +- return (-1); ++ break; + if ((buf[base] == '-') && (buf[base + 1] == '-') && + (buf[base + 2] == '>')) { + incomment = 0; +@@ -5294,8 +5294,11 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop, + if (base < 0) + return (-1); + +- if (ctxt->checkIndex > base) ++ if (ctxt->checkIndex > base) { + base = ctxt->checkIndex; ++ /* Abuse hasPErefs member to restore current state. */ ++ incomment = ctxt->hasPErefs & 1 ? 1 : 0; ++ } + + if (in->buf == NULL) { + buf = in->base; +@@ -5316,7 +5319,7 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop, + } + if (incomment) { + if (base + 3 > len) +- return (-1); ++ break; + if ((buf[base] == '-') && (buf[base + 1] == '-') && + (buf[base + 2] == '>')) { + incomment = 0; +@@ -5332,6 +5335,8 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop, + } + } + ctxt->checkIndex = base; ++ /* Abuse hasPErefs member to track current state. */ ++ ctxt->hasPErefs = incomment; + return (-1); + } + +-- +1.8.3.1 + diff --git a/Fix-quadratic-runtime-when-parsing-HTML-script-conte.patch b/Fix-quadratic-runtime-when-parsing-HTML-script-conte.patch new file mode 100644 index 0000000..7c1fbd4 --- /dev/null +++ b/Fix-quadratic-runtime-when-parsing-HTML-script-conte.patch @@ -0,0 +1,62 @@ +From 500789224b59fa70d6837be5cd1edb8e2f1eccb6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 12 Jul 2020 20:28:47 +0200 +Subject: [PATCH 083/139] Fix quadratic runtime when parsing HTML script + content + +If htmlParseScript returns upon hitting an invalid character, +htmlParseLookupSequence will be called again with checkIndex reset to +zero, potentially resulting in quadratic runtime. Make sure that +htmlParseScript consumes all input in one go and simply skips over +invalid characters similar to htmlParseCharDataInternal. + +Found by OSS-Fuzz. +--- + HTMLparser.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 1dea794..26ed124 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -2928,7 +2928,7 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { + + SHRINK; + cur = CUR_CHAR(l); +- while (IS_CHAR_CH(cur)) { ++ while (cur != 0) { + if ((cur == '<') && (NXT(1) == '/')) { + /* + * One should break here, the specification is clear: +@@ -2959,7 +2959,12 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { + } + } + } +- COPY_BUF(l,buf,nbchar,cur); ++ if (IS_CHAR_CH(cur)) { ++ COPY_BUF(l,buf,nbchar,cur); ++ } else { ++ htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, ++ "Invalid char in CDATA 0x%X\n", cur); ++ } + if (nbchar >= HTML_PARSER_BIG_BUFFER_SIZE) { + buf[nbchar] = 0; + if (ctxt->sax->cdataBlock!= NULL) { +@@ -2977,14 +2982,6 @@ htmlParseScript(htmlParserCtxtPtr ctxt) { + cur = CUR_CHAR(l); + } + +- if ((!(IS_CHAR_CH(cur))) && (!((cur == 0) && (ctxt->progressive)))) { +- htmlParseErrInt(ctxt, XML_ERR_INVALID_CHAR, +- "Invalid char in CDATA 0x%X\n", cur); +- if (ctxt->input->cur < ctxt->input->end) { +- NEXT; +- } +- } +- + if ((nbchar != 0) && (ctxt->sax != NULL) && (!ctxt->disableSAX)) { + buf[nbchar] = 0; + if (ctxt->sax->cdataBlock!= NULL) { +-- +1.8.3.1 + diff --git a/Fix-undefined-behavior-in-xmlXPathTryStreamCompile.patch b/Fix-undefined-behavior-in-xmlXPathTryStreamCompile.patch new file mode 100644 index 0000000..cfb67d3 --- /dev/null +++ b/Fix-undefined-behavior-in-xmlXPathTryStreamCompile.patch @@ -0,0 +1,27 @@ +From 487871b0e39bcc69ec0c1f69c30e2697712c6829 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Jun 2020 13:23:43 +0200 +Subject: [PATCH 048/139] Fix undefined behavior in xmlXPathTryStreamCompile + +&NULL[0] is undefined behavior. +--- + xpath.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 1510d69..74848cd 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -14104,8 +14104,7 @@ xmlXPathTryStreamCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + } + } + +- stream = xmlPatterncompile(str, dict, XML_PATTERN_XPATH, +- &namespaces[0]); ++ stream = xmlPatterncompile(str, dict, XML_PATTERN_XPATH, namespaces); + if (namespaces != NULL) { + xmlFree((xmlChar **)namespaces); + } +-- +1.8.3.1 + diff --git a/Fuzz-XInclude-engine.patch b/Fuzz-XInclude-engine.patch new file mode 100644 index 0000000..8126a02 --- /dev/null +++ b/Fuzz-XInclude-engine.patch @@ -0,0 +1,65 @@ +From 6c128fd58a0e4641c23a345d413672494622db1b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 5 Jun 2020 13:43:45 +0200 +Subject: [PATCH 111/139] Fuzz XInclude engine + +--- + xinclude.c | 15 +++++++++++++++ + 1 files changed, 15 insertions(+) + +diff --git a/xinclude.c b/xinclude.c +index 5ea87ad..41ff4e5 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -86,6 +86,8 @@ struct _xmlXIncludeCtxt { + xmlChar * base; /* the current xml:base */ + + void *_private; /* application data */ ++ ++ unsigned long incTotal; /* total number of processed inclusions */ + }; + + static int +@@ -729,7 +731,9 @@ xmlXIncludeRecurseDoc(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, + * (bug 132597) + */ + newctxt->parseFlags = ctxt->parseFlags; ++ newctxt->incTotal = ctxt->incTotal; + xmlXIncludeDoProcess(newctxt, doc, xmlDocGetRootElement(doc)); ++ ctxt->incTotal = newctxt->incTotal; + for (i = 0;i < ctxt->incNr;i++) { + newctxt->incTab[i]->count--; + newctxt->incTab[i] = NULL; +@@ -1992,11 +1996,13 @@ xmlXIncludeLoadFallback(xmlXIncludeCtxtPtr ctxt, xmlNodePtr fallback, int nr) { + newctxt->_private = ctxt->_private; + newctxt->base = xmlStrdup(ctxt->base); /* Inherit the base from the existing context */ + xmlXIncludeSetFlags(newctxt, ctxt->parseFlags); ++ newctxt->incTotal = ctxt->incTotal; + for (child = fallback->children; child != NULL; child = next) { + next = child->next; + if (xmlXIncludeDoProcess(newctxt, ctxt->doc, child) < 0) + ret = -1; + } ++ ctxt->incTotal = newctxt->incTotal; + if (ctxt->nbErrors > oldNbErrors) + ret = -1; + xmlXIncludeFreeContext(newctxt); +@@ -2411,6 +2417,15 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) { + do { + /* TODO: need to work on entities -> stack */ + if (xmlXIncludeTestNode(ctxt, cur) == 1) { ++#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ++ /* ++ * Avoid superlinear expansion by limiting the total number ++ * of replacements. ++ */ ++ if (ctxt->incTotal >= 20) ++ return(-1); ++#endif ++ ctxt->incTotal++; + xmlXIncludePreProcessNode(ctxt, cur); + } else if ((cur->children != NULL) && + (cur->children->type != XML_ENTITY_DECL) && +-- +1.8.3.1 + diff --git a/Limit-size-of-free-lists-in-XML-reader-when-fuzzing.patch b/Limit-size-of-free-lists-in-XML-reader-when-fuzzing.patch new file mode 100644 index 0000000..a33649a --- /dev/null +++ b/Limit-size-of-free-lists-in-XML-reader-when-fuzzing.patch @@ -0,0 +1,60 @@ +From f0fd1b67fc883a24cdd039abb3d4fe4696104d72 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 26 Aug 2020 00:16:38 +0200 +Subject: [PATCH 139/139] Limit size of free lists in XML reader when fuzzing + +Keeping objects on a free list can hide memory errors. Only allow a +single node on free lists used by the XML reader when fuzzing. This +should hide fewer errors while still exercising the free list logic. +--- + xmlreader.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/xmlreader.c b/xmlreader.c +index 1ab15ba..a9b9ef9 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -48,6 +48,13 @@ + + #define MAX_ERR_MSG_SIZE 64000 + ++#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ++/* Keeping free objects can hide memory errors. */ ++#define MAX_FREE_NODES 1 ++#else ++#define MAX_FREE_NODES 100 ++#endif ++ + /* + * The following VA_COPY was coded following an example in + * the Samba project. It may not be sufficient for some +@@ -365,7 +372,7 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) { + + DICT_FREE(cur->name); + if ((reader != NULL) && (reader->ctxt != NULL) && +- (reader->ctxt->freeAttrsNr < 100)) { ++ (reader->ctxt->freeAttrsNr < MAX_FREE_NODES)) { + cur->next = reader->ctxt->freeAttrs; + reader->ctxt->freeAttrs = cur; + reader->ctxt->freeAttrsNr++; +@@ -466,7 +473,7 @@ xmlTextReaderFreeNodeList(xmlTextReaderPtr reader, xmlNodePtr cur) { + if (((cur->type == XML_ELEMENT_NODE) || + (cur->type == XML_TEXT_NODE)) && + (reader != NULL) && (reader->ctxt != NULL) && +- (reader->ctxt->freeElemsNr < 100)) { ++ (reader->ctxt->freeElemsNr < MAX_FREE_NODES)) { + cur->next = reader->ctxt->freeElems; + reader->ctxt->freeElems = cur; + reader->ctxt->freeElemsNr++; +@@ -554,7 +561,7 @@ xmlTextReaderFreeNode(xmlTextReaderPtr reader, xmlNodePtr cur) { + if (((cur->type == XML_ELEMENT_NODE) || + (cur->type == XML_TEXT_NODE)) && + (reader != NULL) && (reader->ctxt != NULL) && +- (reader->ctxt->freeElemsNr < 100)) { ++ (reader->ctxt->freeElemsNr < MAX_FREE_NODES)) { + cur->next = reader->ctxt->freeElems; + reader->ctxt->freeElems = cur; + reader->ctxt->freeElemsNr++; +-- +1.8.3.1 + diff --git a/Reset-HTML-parser-input-before-reporting-error.patch b/Reset-HTML-parser-input-before-reporting-error.patch new file mode 100644 index 0000000..39f7ab3 --- /dev/null +++ b/Reset-HTML-parser-input-before-reporting-error.patch @@ -0,0 +1,49 @@ +From 3f18e7486d5feb8ae41911ce3c122e05641a4c3d Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 11 Jul 2020 14:34:57 +0200 +Subject: [PATCH] Reset HTML parser input before reporting error + +Avoid use-after-free, similar to 13ba5b61. Also make sure that +xmlBufSetInputBaseCur sets valid pointers in case of buffer errors. + +Found by OSS-Fuzz. + +diff --git a/HTMLparser.c b/HTMLparser.c +index 9b12dd1..1dea794 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size, + int res; + + res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk); ++ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); + if (res < 0) { + ctxt->errNo = XML_PARSER_EOF; + ctxt->disableSAX = 1; + return (XML_PARSER_EOF); + } +- xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); + #ifdef DEBUG_PUSH + xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size); + #endif +diff --git a/buf.c b/buf.c +index 8ad18a1..24368d3 100644 +--- a/buf.c ++++ b/buf.c +@@ -1334,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) { + int + xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input, + size_t base, size_t cur) { +- if ((input == NULL) || (buf == NULL) || (buf->error)) ++ if (input == NULL) ++ return(-1); ++ if ((buf == NULL) || (buf->error)) { ++ input->base = input->cur = input->end = BAD_CAST ""; + return(-1); ++ } + CHECK_COMPAT(buf) + input->base = &buf->content[base]; + input->cur = input->base + cur; +-- +1.8.3.1 + diff --git a/libxml2.spec b/libxml2.spec index 1b142cd..0251676 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.10 -Release: 5 +Release: 6 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -31,6 +31,29 @@ Patch21: Report-error-for-invalid-regexp-quantifiers.patch Patch22: Add-regexp-regression-tests.patch Patch23: Limit-regexp-nesting-depth.patch Patch24: Fix-exponential-runtime-in-xmlFARecurseDeterminism.patch +Patch25: Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch +Patch26: Reset-HTML-parser-input-before-reporting-error.patch +Patch27: Fix-memory-leak-when-shared-libxml-dll-is-unloaded.patch +Patch28: Fix-memory-leak-in-xmlXIncludeLoadDoc-error-path.patch +Patch29: Fix-undefined-behavior-in-xmlXPathTryStreamCompile.patch +Patch30: Fix-integer-overflow-in-htmlParseCharRef.patch +Patch31: Fix-another-memory-leak-in-xmlSchemaValAtomicType.patch +Patch32: Fix-integer-overflow-when-parsing-min-max-Occurs.patch +Patch33: Fix-integer-overflow-in-_xmlSchemaParseGYear.patch +Patch34: Fix-quadratic-runtime-when-parsing-HTML-script-conte.patch +Patch35: Fix-UTF-8-decoder-in-HTML-parser.patch +Patch36: Don-t-try-to-handle-namespaces-when-building-HTML-do.patch +Patch37: Fix-integer-overflow-when-comparing-schema-dates.patch +Patch38: Fix-memory-leak-in-xmlXIncludeIncludeNode-error-path.patch +Patch39: Don-t-recurse-into-xi-include-children-in-xmlXInclud.patch +Patch40: Don-t-process-siblings-of-root-in-xmlXIncludeProcess.patch +Patch41: Fix-exponential-runtime-and-memory-in-xi-fallback-pr.patch +Patch42: Fuzz-XInclude-engine.patch +Patch43: Fix-memory-leak-in-runtest.c.patch +Patch44: Fix-XInclude-regression-introduced-with-recent-commi.patch +Patch45: Fix-memory-leak-in-xmlXIncludeAddNode-error-paths.patch +Patch46: Fix-double-free-in-XML-reader-with-XIncludes.patch +Patch47: Limit-size-of-free-lists-in-XML-reader-when-fuzzing.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python2-devel @@ -222,6 +245,9 @@ rm -fr %{buildroot} %changelog +* Tue Sep 8 2020 yangzhuangzhuang - 2.9.10-6 +- Fix some issues found in fuzzing tesecases + * Wed Aug 12 2020 Liquor - 2.9.10-5 - Limit regexp nesting depth - Fix exponential runtime in xmlFARecurseDeterminism -- Gitee