Commit message | Author | Age | Files | Lines
* RESTRICT AUTOMERGE: Update libxml2 to 2.9.8 [HEAD, replicant-6.0-0004-transition, replicant-6.0-0004-rc6, replicant-6.0-0004-rc5-transition, replicant-6.0-0004-rc5, replicant-6.0-0004-rc4, replicant-6.0-0004-rc3, replicant-6.0-0004-rc2, replicant-6.0-0004, cm-14.1, cm-13.0] | akirilov | 2018-09-06 | 380 | -4527/+51448
|   Merge to pi-dev and restore Android.mk
|   Bug: 79662501
|   Bug: 36809766
|   Bug: 36810305
|   Bug: 62151041
|   Test: manually verify functionality for regression
|   Change-Id: Ife351c91c932eb92992656f8ea5c08724a220306
|   (cherry picked from commit 4e91cfdbb1a8624e5cd5a850d6e17da11d1e34a8)
* DO NOT MERGE: Heap buffer overflow in xmlAddID | Brian C. Young | 2017-04-17 | 1 | -2/+2
|   Patch from ddkilzer@apple.com
|   See https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=598
|   and https://bugzilla.gnome.org/show_bug.cgi?id=780228
|   Bug: 37104170
|   Change-Id: I0286459ff9066b664dc26f7f1ff65a1388de3d92
|   (cherry picked from commit eb80f32c3c9e5cb1cb6f6adc0bf35b3ec46c0963)
* DO NOT MERGE: Add validation for external entities | Brian C. Young | 2017-04-17 | 1 | -0/+8
|   https://bugzilla.gnome.org/show_bug.cgi?id=780691
|   Bug: 36556310
|   Change-Id: I9450743e167c3c73af5e4071f3fc85e81d061648
|   (cherry picked from commit bef9af3d89d241bcb518c20cba6da2a2fd9ba049)
* DO NOT MERGE: Use correct limit for port values | Brian C. Young | 2017-04-17 | 1 | -1/+2
|   no upstream report yet, add it here when we have it
|   issue found & patch by nmehta@
|   Bug: 36555370
|   Change-Id: Ibf1efea554b95f514e23e939363d608021de4614
|   (cherry picked from commit b62884fb49fe92081e414966d9b5fe58250ae53c)
* DO NOT MERGE: fix for the XPath nodeTab use-after-free bug from nmehta@ | Brian C. Young | 2017-04-17 | 1 | -1/+1
|   see https://bugs.chromium.org/p/chromium/issues/detail?id=705445
|   Bug: 36809819
|   Change-Id: I4832550032669a8e921bd46068281d9daf594ae1
|   (cherry picked from commit 7f671748797331e20da23db2d95a6116bb1c6c55)
* DO NOT MERGE: Fix XPointer paths beginning with range-to | Brian C. Young | 2017-04-17 | 3 | -71/+13
|   The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code.
|   The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution.
|   Found with afl-fuzz.
|   Fixes CVE-2016-5131.
|   Bug: 36554209
|   Change-Id: I2bd369290a884c432d16796884d48db6285f8502
|   (cherry picked from commit e875e1cd1fc92fd2daa57826024125cbd0b195c7)
* DO NOT MERGE: Disallow namespace nodes in XPointer ranges | Brian C. Young | 2017-04-17 | 1 | -93/+56
|   Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges.
|   Found with afl-fuzz.
|   Fixes CVE-2016-4658.
|   Bug: 36554207
|   Change-Id: Ie570c4a53ae8ca82ed4ca19701ab7d8ba9b0468f
|   (cherry picked from commit cde4b40a9c17aec816c6b2577250fff9354a6f3c)
* DO NOT MERGE: Apply upstream Chromium patch for encoding changes | Brian C. Young | 2017-04-17 | 1 | -1/+8
|   Give up looking up interned names if the encoding changed during parsing
|   NEXTL may process encoding changes by refilling the parser's input buffer, which makes the accumulated length 'len' inaccurate.
|   Chromium bug: http://crbug.com/620679
|   Review-Url: https://codereview.chromium.org/2603933002
|   Cr-Commit-Position: refs/heads/master@{#442517}
|   Bug: 36553781
|   Change-Id: Id3484fbee201d1e19b684b109009d6590354b1d9
|   (cherry picked from commit 008262d3e46b3d5aae2d2f981e26ca69c8bd2b51)
* Merge remote-tracking branch 'goog/upstream-master' into mymerge | Xin Li | 2016-08-18 | 208 | -2366/+5525
|\
| |   am: a136fc2e5a
| |   Change-Id: Iaaa0c434f4528d32005d021c9e246ad64f13e8fe
| * Merge remote-tracking branch 'goog/upstream-master' into mymerge | Xin Li | 2016-08-15 | 208 | -2366/+5525
|/
|   BUG: 29834751
|   Change-Id: I88fc1d4f86bcbd0ac0fe9acdbe764f3d738c5f32
|   (cherry picked from commit e3d78e1fe0669e9c7083a4de19f1e06171849b28)
* libxml2: remove HTML support [cm-14.0] | Sergio Giro | 2016-04-13 | 4 | -8404/+7
|   Disabling HTML support from libxml2 as it has vulnerabilities (see bug) and is not used in Android.
|   Bug: 27338391
|   Change-Id: Ibd41b7b6024f1749f14d0caca92cf2602adc368b
* Merge "libxml2: silence -Wunused-parameter." | Elliott Hughes | 2016-01-22 | 1 | -0/+1
|\
| |   am: 77e1b191a3
| |   * commit '77e1b191a3391823e59ad5e62b22ba9a520f3dd9':
| |     libxml2: silence -Wunused-parameter.
| * Merge "libxml2: silence -Wunused-parameter." | Elliott Hughes | 2016-01-22 | 1 | -0/+1
| |\
| | * libxml2: silence -Wunused-parameter. | Elliott Hughes | 2016-01-21 | 1 | -0/+1
| |/
| |   Change-Id: I7c7a4ebec0c6c21b350df787ea7dbd6caa69701b
* | Merge remote-tracking branch \'libxml2/master\' into mymerge | Elliott Hughes | 2015-12-02 | 22 | -152/+492
|\|
| |   am: 6be364848c
| |   * commit '6be364848cb20f3345abc12fedff35cdd464a600':
| |     Release of libxml2-2.9.3
| |     CVE-2015-8242 Buffer overread with HTML parser in push mode
| |     CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
| |     Bug on creating new stream from entity
| |     Fix some loop issues embedding NEXT
| |     Detect incoherency on GROW
| |     Do not print error context when there is none
| |     Reuse xmlHaltParser() where it makes sense
| |     Add xmlHaltParser() to stop the parser
| |     CVE-2015-5312 Another entity expansion issue
| |     CVE-2015-7497 Avoid a heap buffer overflow in xmlDictComputeFastQKey
| |     xmlStopParser reset errNo
| |     Avoid processing entities after encoding conversion failures
| |     Avoid extra processing of MarkupDecl when EOF
| |     Reenable xz support by default
| |     CVE-2015-8035 Fix XZ compression support loop
| |     Fix parsing short unclosed comment uninitialized access
| |     Fix an error in previous Conditional section patch
| |     Correct spelling of "calling"
| * Merge remote-tracking branch 'libxml2/master' into mymerge | Elliott Hughes | 2015-12-02 | 22 | -152/+492
| |\
| | * Release of libxml2-2.9.3 | Daniel Veillard | 2015-11-20 | 13 | -94/+335
| | |   * configure.ac: updated
| | |   * doc/*: regenerated
| | * CVE-2015-8242 Buffer overread with HTML parser in push mode | Hugh Davenport | 2015-11-20 | 1 | -3/+3
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=756372
| | |   Error in the code pointing to the codepoint in the stack for the current char value instead of the pointer in the input that the SAX callback expects
| | |   Reported and fixed by Hugh Davenport
| | * CVE-2015-7500 Fix memory access error due to incorrect entities boundaries | Daniel Veillard | 2015-11-20 | 2 | -8/+27
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=756525
| | |   handle properly the case where we popped out of the current entity while processing a start tag
| | |   Reported by Kostya Serebryany @ Google
| | |   This slightly modifies the output of 754946 in regression tests
| | * Bug on creating new stream from entity | Daniel Veillard | 2015-11-20 | 1 | -0/+2
| | |   sometimes the entity could have a length of 0, i.e. it wasn't parsed or used yet, and we ended up with an incoherent input state
| | * Fix some loop issues embedding NEXT | Daniel Veillard | 2015-11-20 | 1 | -2/+4
| | |   Next can switch the parser back to XML_PARSER_EOF state, we need to consider those in loops consuming input
| | * Detect incoherency on GROW | Daniel Veillard | 2015-11-20 | 1 | -1/+8
| | |   the current pointer to the input has to be between the base and end if not stop everything we have an internal state error.
| | * Do not print error context when there is none | Daniel Veillard | 2015-11-20 | 1 | -1/+3
| | |   Which now happens more frequently due to xmlHaltParser use
| | * Reuse xmlHaltParser() where it makes sense | Daniel Veillard | 2015-11-20 | 1 | -20/+17
| | |   Unify the various places where either xmlStopParser was called (which resets the error as a side effect) and places where we used ctxt->instate = XML_PARSER_EOF to stop further processing
| | * Add xmlHaltParser() to stop the parser | Daniel Veillard | 2015-11-20 | 1 | -5/+29
| | |   The problem is doing it in a consistent and safe fashion
| | |   It's more complex than just setting ctxt->instate = XML_PARSER_EOF
| | |   Update the public function to reuse that new internal routine
| | * CVE-2015-5312 Another entity expansion issue | David Drysdale | 2015-11-20 | 1 | -0/+4
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=756733
| | |   It is one case where the code in place to detect entities expansions failed to exit when the situation was detected, leading to DoS
| | |   Problem reported by Kostya Serebryany @ Google
| | |   Patch provided by David Drysdale @ Google
| | * CVE-2015-7497 Avoid a heap buffer overflow in xmlDictComputeFastQKey | David Drysdale | 2015-11-20 | 1 | -1/+4
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=756528
| | |   It was possible to hit a negative offset in the name indexing used to randomize the dictionary key generation
| | |   Reported and fix provided by David Drysdale @ Google
| | * xmlStopParser reset errNo | Daniel Veillard | 2015-11-09 | 1 | -0/+3
| | |   I had used it in contexts where that information ought to be preserved
| | * Avoid processing entities after encoding conversion failures | Daniel Veillard | 2015-11-09 | 2 | -3/+15
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=756527 and was also raised by Chromium team in the past
| | |   When we hit a conversion failure when switching encoding it is better to stop parsing there, this was treated as a fatal error but the parser was continuing to process to extract more errors, unfortunately that makes little sense as the data is obviously corrupt and can potentially lead to unexpected behaviour.
| | * Avoid extra processing of MarkupDecl when EOF | Hugh Davenport | 2015-11-03 | 1 | -0/+8
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=756263
| | |   One place where ctxt->instate == XML_PARSER_EOF which was set up by entity detection issues doesn't get noticed, and even overridden
| | * Reenable xz support by default | Daniel Veillard | 2015-11-03 | 3 | -8/+13
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=757466
| | |   problem was introduced by commit f3f86ff465c92c79f834d7b981f3c7274a8bb5c8 for https://bugzilla.gnome.org/show_bug.cgi?id=711026
| | * CVE-2015-8035 Fix XZ compression support loop | Daniel Veillard | 2015-11-03 | 1 | -0/+4
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=757466
| | |   DoS when parsing specially crafted XML document if XZ support is compiled in (which wasn't the case for 2.9.2 and master since Nov 2013, fixed in next commit !)
| | * Fix parsing short unclosed comment uninitialized access | Daniel Veillard | 2015-10-30 | 1 | -7/+14
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=746048
| | |   The HTML parser was too optimistic when processing comments and didn't check for the end of the stream on the first 2 characters
| | * Fix an error in previous Conditional section patch | Daniel Veillard | 2015-10-27 | 1 | -1/+1
| | |   an off by one mistake in the change, led to error on correct document where the end of the included entity was exactly the end of the conditional section, leading to regtest failure
| | * Correct spelling of "calling" | Alex Henrie | 2015-10-26 | 1 | -1/+1
| | |
* | | Merge "Merge remote-tracking branch \'aosp/upstream-master\' into mymerge" | Elliott Hughes | 2015-10-23 | 72 | -196/+615
|\| |
| | |   am: 8abae28b3c
| | |   * commit '8abae28b3cf3af8772ed9a345503a180ab536f08': (31 commits)
| | |     Fix a small error in xmllint --format description
| | |     Another variation of overflow in Conditional sections
| | |     Add missing Null check in xmlParseExternalEntityPrivate
| | |     Fix a bug in CData error handling in the push parser
| | |     Fix a bug on name parsing at the end of current input buffer
| | |     Fix the spurious ID already defined error
| | |     Fix previous change to node sort order
| | |     Avoid XSS on the search of xmlsoft.org
| | |     Recover unescaped less-than character in HTML recovery parsing
| | |     Fix a self assignment issue raised by clang
| | |     Fail parsing early on if encoding conversion failed
| | |     Do not process encoding values if the declaration is broken
| | |     Silence clang's -Wunknown-attribute
| | |     os400: fix various ILE/RPG types definitions. Adjust build scripts.
| | |       - A typo caused an undefined symbol reference.
| | |       - A structure field name did not match the corresponding C name due to a typo.
| | |       - Some structured fields were not properly aligned.
| | |       - The long/ulong types were wrongly mapped to 64-bit types.
| | |       - A typo in a /include directive caused a compilation error.
| | |       - Doc files copy now converts from UTF-8 and split long lines.
| | |       - Adjust /include file name mapping translation for proper prefix handling.
| | |     CVE-2015-1819 Enforce the reader to run in constant memory
| | |     xmlMemUsed is not thread-safe
| | |     Allow HTML serializer to output HTML5 DOCTYPE
| | |     Fix support for except in nameclasses
| | |     Regression test for bug #695699
| | |     Add a couple of XPath tests
| | |     ...
| * | Merge "Merge remote-tracking branch 'aosp/upstream-master' into mymerge" | Elliott Hughes | 2015-10-23 | 72 | -196/+615
| |\ \
| | * | Merge remote-tracking branch 'aosp/upstream-master' into mymerge | Elliott Hughes | 2015-10-23 | 72 | -196/+615
| |/| | | | |/
| | * Fix a small error in xmllint --format description | Fabien Degomme | 2015-10-23 | 1 | -1/+1
| | |   Obviously it operates on the output not the input
| | * Another variation of overflow in Conditional sections | Daniel Veillard | 2015-10-23 | 1 | -1/+3
| | |   Which happens after the previous fix to https://bugzilla.gnome.org/show_bug.cgi?id=756456
| | |   But stopping the parser and exiting we didn't pop the intermediary entities and doing the SKIP there applies on an input which may be too small
| | * Add missing Null check in xmlParseExternalEntityPrivate | Gaurav Gupta | 2015-09-30 | 1 | -4/+6
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=755857
| | |   a case where we check for NULL but not everywhere
| | * Fix a bug in CData error handling in the push parser | Daniel Veillard | 2015-09-18 | 6 | -5/+18
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=754947
| | |   The checking function was returning incorrect args in some cases
| | |   Adds the test to the reg suite and fix one of the existing test output
| | * Fix a bug on name parsing at the end of current input buffer | Daniel Veillard | 2015-09-15 | 5 | -9/+41
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=754946
| | |   When hitting the end of the current input buffer while parsing a name we could end up losing the beginning of the name, which led to various issues.
| | * Fix the spurious ID already defined error | Daniel Veillard | 2015-09-10 | 6 | -2/+25
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=737840
| | |   the fix for 724903 introduced a regression on external entities carrying IDs, revert that patch in part and add a specific test to avoid readding it
| | * Fix previous change to node sort order | Nick Wellnhofer | 2015-07-11 | 1 | -4/+4
| | |   Commit ba58f23 broke comparison of nodes from different documents.
| | |   Thanks to Olli Pottonen for the report.
| | * Avoid XSS on the search of xmlsoft.org | Daniel Veillard | 2015-07-03 | 1 | -2/+3
| | |   query string needs to be escaped before being displayed back
| | * Recover unescaped less-than character in HTML recovery parsing | Daniel Veillard | 2015-06-30 | 1 | -3/+30
| | |   As pointed by Christian Schoenebeck <schoenebeck@crudebyte.com> on the list and based on some of his early patches, this preserves content when unescaped opening angle brackets are not escaped in textual content like:
| | |     <p> a < b </p>
| | |     <p> a <0 </p>
| | |     <p> a <=0 </p>
| | |   while still reporting the error.
| | * Fix a self assignment issue raised by clang | Scott Graham | 2015-06-30 | 1 | -3/+3
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=751679
| | |   Also added a few newline cleanups
| | * Fail parsing early on if encoding conversion failed | Daniel Veillard | 2015-06-29 | 1 | -1/+5
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=751631
| | |   If we fail conversing the current input stream while processing the encoding declaration of the XMLDecl then it's safer to just abort there and not try to report further errors.
| | * Do not process encoding values if the declaration is broken | Daniel Veillard | 2015-06-29 | 1 | -0/+4
| | |   For https://bugzilla.gnome.org/show_bug.cgi?id=751603
| | |   If the string is not properly terminated do not try to convert to the given encoding.