platform_external_libxml2/result/XPath, branch master Unnamed repository; edit this file 'description' to name the repository. Upgrade libxml2 to 1a360c1c2ec950f478d55b31722ecf78f5698e97 2020-07-31T07:02:25+00:00 Haibo Huang hhb@google.com 2020-07-31T06:01:33+00:00 cfd91dcb1d8895a6e567a9ff975c3ff6e08202d4 Also change upstream to github. This change moves away from stable release. Because we need CMakeLists.txt. It is not in any release yet. They are likely to release another stable version within this year. We can upgrade to that version when it is available. Bug: 157157503 Change-Id: If6f245dbabe36a114563d209c8e100b7e3083f20 
Also change upstream to github.

This change moves away from stable release. Because we need CMakeLists.txt. It is not in any release yet.

They are likely to release another stable version within this year. We can upgrade to that version when it is available.

Bug: 157157503
Change-Id: If6f245dbabe36a114563d209c8e100b7e3083f20
Fix comparison of nodesets to strings 2017-10-07T13:22:57+00:00 Nick Wellnhofer wellnhofer@aevum.de 2017-10-07T12:54:45+00:00 5af594d8bc55121ae454cba4d05793d1db7ff612 Fix two bugs in xmlXPathNodeValHash which could lead to errors when comparing nodesets to strings: - Only use contents of text nodes to compute the hash for element nodes. Comments, PIs, and other node types don't affect the string-value and must be ignored. - Reset `string` to NULL for node types other than text. Reported by Aleksei on the mailing list: https://mail.gnome.org/archives/xml/2017-September/msg00016.html 
Fix two bugs in xmlXPathNodeValHash which could lead to errors when
comparing nodesets to strings:

- Only use contents of text nodes to compute the hash for element nodes.
  Comments, PIs, and other node types don't affect the string-value and
  must be ignored.
- Reset `string` to NULL for node types other than text.

Reported by Aleksei on the mailing list:

    https://mail.gnome.org/archives/xml/2017-September/msg00016.html
Check for integer overflow in xmlXPathFormatNumber 2017-06-01T20:00:19+00:00 Nick Wellnhofer wellnhofer@aevum.de 2017-06-01T20:00:19+00:00 7482f41f61d733656d588b4d8c300b1ecdff7f5f Check for overflow before casting double to int. Found with afl-fuzz and UBSan. 
Check for overflow before casting double to int.

Found with afl-fuzz and UBSan.
Check XPath exponents for overflow 2017-05-31T14:04:37+00:00 Nick Wellnhofer wellnhofer@aevum.de 2016-04-21T14:37:26+00:00 f4029cd413940677a310b48cd6cf6acf9cf33008 Avoid undefined behavior and wrong results with huge exponents. Found with afl-fuzz and UBSan. 
Avoid undefined behavior and wrong results with huge exponents.

Found with afl-fuzz and UBSan.
Check for overflow in xmlXPathIsPositionalPredicate 2017-05-31T14:04:26+00:00 Nick Wellnhofer wellnhofer@aevum.de 2017-05-29T19:02:21+00:00 a58331a6ee4d4c161cebfa4e0d9a090945c6bf23 Avoid undefined behavior when casting from double to int. Found with afl-fuzz and UBSan. 
Avoid undefined behavior when casting from double to int.

Found with afl-fuzz and UBSan.
Parse small XPath numbers more accurately 2017-05-31T13:46:29+00:00 Nick Wellnhofer wellnhofer@aevum.de 2017-05-29T18:14:42+00:00 a851868a75c108e3b8fc507f5d6555b09abb51c9 Don't count leading zeros towards the fraction size limit. This allows to parse numbers like 0.0000000000000000000000000000000000000000000000000000000001 which is the only standard-conformant way to represent such numbers, as scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath 2.0 and in libxml2 as an extension, though.) Overall accuracy is still bad, see bug 783238. 
Don't count leading zeros towards the fraction size limit. This allows
to parse numbers like

    0.0000000000000000000000000000000000000000000000000000000001

which is the only standard-conformant way to represent such numbers, as
scientific notation isn't allowed in XPath 1.0. (It is allowed in XPath
2.0 and in libxml2 as an extension, though.)

Overall accuracy is still bad, see bug 783238.
Rework XPath rounding functions 2017-05-31T13:38:42+00:00 Nick Wellnhofer wellnhofer@aevum.de 2016-04-21T11:41:09+00:00 4bebb030db2100fce5b43fbbae413d372ee70497 Use the C library's floor and ceil functions. The old code was overly complicated for no apparent reason and could result in undefined behavior when handling NaNs (found with afl-fuzz and UBSan). Fix wrong comment in xmlXPathRoundFunction. The implementation was already following the spec and rounding half up. 
Use the C library's floor and ceil functions. The old code was overly
complicated for no apparent reason and could result in undefined
behavior when handling NaNs (found with afl-fuzz and UBSan).

Fix wrong comment in xmlXPathRoundFunction. The implementation was
already following the spec and rounding half up.
Fix axis traversal from attribute and namespace nodes 2017-05-31T12:57:46+00:00 Nick Wellnhofer wellnhofer@aevum.de 2017-05-26T18:16:35+00:00 40f58521493e6a5429ea92964dec7bc09168224f When traversing the "preceding" axis from an attribute node, we must first go up to the attribute's containing element. Otherwise, text children of other attributes could be returned. This made it possible to hit a code path in xmlXPathNextAncestor which contained another bug: The attribute node was initialized with the context node instead of the current node. Normally, this code path is only hit via xmlXPathNextAncestorOrSelf in which case the current and context node are the same. The combination of the two bugs could result in an infinite loop, found with libFuzzer. Traversing the "following" and the "preceding" axis from namespace nodes should be handled similarly. This wasn't supported at all previously. 
When traversing the "preceding" axis from an attribute node, we must
first go up to the attribute's containing element. Otherwise, text
children of other attributes could be returned. This made it possible
to hit a code path in xmlXPathNextAncestor which contained another bug:
The attribute node was initialized with the context node instead of the
current node. Normally, this code path is only hit via
xmlXPathNextAncestorOrSelf in which case the current and context node
are the same.

The combination of the two bugs could result in an infinite loop, found
with libFuzzer.

Traversing the "following" and the "preceding" axis from namespace nodes
should be handled similarly. This wasn't supported at all previously.
Fix XPointer paths beginning with range-to 2016-10-12T11:12:18+00:00 Nick Wellnhofer wellnhofer@aevum.de 2016-06-28T12:22:23+00:00 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution. Found with afl-fuzz. Fixes CVE-2016-5131. 
The old code would invoke the broken xmlXPtrRangeToFunction. range-to
isn't really a function but a special kind of location step. Remove
this function and always handle range-to in the XPath code.

The old xmlXPtrRangeToFunction could also be abused to trigger a
use-after-free error with the potential for remote code execution.

Found with afl-fuzz.

Fixes CVE-2016-5131.
Fix NULL pointer deref in XPointer range-to 2016-06-25T12:24:51+00:00 Nick Wellnhofer wellnhofer@aevum.de 2016-06-25T10:35:50+00:00 d8083bf77955b7879c1290f0c0a24ab8cc70f7fb - Check for errors after evaluating first operand. - Add sanity check for empty stack. Found with afl-fuzz. 
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.

Found with afl-fuzz.