--- libxml2-2.7.8/dict.c 2010-10-12 08:25:31.000000000 +0200
+++ libxml2-2.7.8.patched/dict.c 2012-09-28 12:08:37.432414664 +0200
@@ -2,7 +2,7 @@
* dict.c: dictionary of reusable strings, just used to avoid allocation
* and freeing operations.
*
- * Copyright (C) 2003 Daniel Veillard.
+ * Copyright (C) 2003-2012 Daniel Veillard.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -19,6 +19,28 @@
#define IN_LIBXML
#include "libxml.h"
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
+/*
+ * Following http://www.ocert.org/advisories/ocert-2011-003.html
+ * it seems that having hash randomization might be a good idea
+ * when using XML with untrusted data
+ * Note1: that it works correctly only if compiled with WITH_BIG_KEY
+ * which is the default.
+ * Note2: the fast function used for a small dict won't protect very
+ * well but since the attack is based on growing a very big hash
+ * list we will use the BigKey algo as soon as the hash size grows
+ * over MIN_DICT_SIZE so this actually works
+ */
+#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
+#define DICT_RANDOMIZATION
+#endif
+
#include <string.h>
#ifdef HAVE_STDINT_H
#include <stdint.h>
@@ -44,23 +66,23 @@
#define WITH_BIG_KEY
#ifdef WITH_BIG_KEY
-#define xmlDictComputeKey(dict, name, len) \
- (((dict)->size == MIN_DICT_SIZE) ? \
- xmlDictComputeFastKey(name, len) : \
- xmlDictComputeBigKey(name, len))
-
-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
- (((prefix) == NULL) ? \
- (xmlDictComputeKey(dict, name, len)) : \
- (((dict)->size == MIN_DICT_SIZE) ? \
- xmlDictComputeFastQKey(prefix, plen, name, len) : \
- xmlDictComputeBigQKey(prefix, plen, name, len)))
+#define xmlDictComputeKey(dict, name, len) \
+ (((dict)->size == MIN_DICT_SIZE) ? \
+ xmlDictComputeFastKey(name, len, (dict)->seed) : \
+ xmlDictComputeBigKey(name, len, (dict)->seed))
+
+#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
+ (((prefix) == NULL) ? \
+ (xmlDictComputeKey(dict, name, len)) : \
+ (((dict)->size == MIN_DICT_SIZE) ? \
+ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) : \
+ xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed)))
#else /* !WITH_BIG_KEY */
-#define xmlDictComputeKey(dict, name, len) \
- xmlDictComputeFastKey(name, len)
-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
- xmlDictComputeFastQKey(prefix, plen, name, len)
+#define xmlDictComputeKey(dict, name, len) \
+ xmlDictComputeFastKey(name, len, (dict)->seed)
+#define xmlDictComputeQKey(dict, prefix, plen, name, len) \
+ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed)
#endif /* WITH_BIG_KEY */
/*
@@ -98,6 +120,8 @@
xmlDictStringsPtr strings;
struct _xmlDict *subdict;
+ /* used for randomization */
+ int seed;
};
/*
@@ -125,6 +149,9 @@
if ((xmlDictMutex = xmlNewRMutex()) == NULL)
return(0);
+#ifdef DICT_RANDOMIZATION
+ srand(time(NULL));
+#endif
xmlDictInitialized = 1;
return(1);
}
@@ -277,13 +304,13 @@
*/
static uint32_t
-xmlDictComputeBigKey(const xmlChar* data, int namelen) {
+xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) {
uint32_t hash;
int i;
if (namelen <= 0 || data == NULL) return(0);
- hash = 0;
+ hash = seed;
for (i = 0;i < namelen; i++) {
hash += data[i];
@@ -310,12 +337,12 @@
*/
static unsigned long
xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
- const xmlChar *name, int len)
+ const xmlChar *name, int len, int seed)
{
uint32_t hash;
int i;
- hash = 0;
+ hash = seed;
for (i = 0;i < plen; i++) {
hash += prefix[i];
@@ -346,8 +373,8 @@
* for low hash table fill.
*/
static unsigned long
-xmlDictComputeFastKey(const xmlChar *name, int namelen) {
- unsigned long value = 0L;
+xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
if (name == NULL) return(0);
value = *name;
@@ -381,9 +408,9 @@
*/
static unsigned long
xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
- const xmlChar *name, int len)
+ const xmlChar *name, int len, int seed)
{
- unsigned long value = 0L;
+ unsigned long value = (unsigned long) seed;
if (plen == 0)
value += 30 * (unsigned long) ':';
@@ -460,6 +487,11 @@
dict->subdict = NULL;
if (dict->dict) {
memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry));
+#ifdef DICT_RANDOMIZATION
+ dict->seed = rand();
+#else
+ dict->seed = 0;
+#endif
return(dict);
}
xmlFree(dict);
@@ -486,6 +518,7 @@
#ifdef DICT_DEBUG_PATTERNS
fprintf(stderr, "R");
#endif
+ dict->seed = sub->seed;
dict->subdict = sub;
xmlDictReference(dict->subdict);
}
--- libxml2-2.7.8/encoding.c 2010-11-04 17:40:06.000000000 +0100
+++ libxml2-2.7.8.patched/encoding.c 2012-09-28 12:08:37.440414665 +0200
@@ -1928,7 +1928,7 @@
if (in == NULL) return(-1);
/* calculate space available */
- written = out->size - out->use;
+ written = out->size - out->use - 1; /* count '\0' */
toconv = in->use;
/*
* echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
@@ -2059,7 +2059,7 @@
toconv = in->use;
if (toconv == 0)
return (0);
- written = out->size - out->use;
+ written = out->size - out->use - 1; /* count '\0' */
if (toconv * 2 >= written) {
xmlBufferGrow(out, out->size + toconv * 2);
written = out->size - out->use - 1;
--- libxml2-2.7.8/entities.c 2010-10-12 08:25:32.000000000 +0200
+++ libxml2-2.7.8.patched/entities.c 2012-09-28 12:08:37.432414664 +0200
@@ -528,13 +528,13 @@
* Macro used to grow the current buffer.
*/
#define growBufferReentrant() { \
- buffer_size *= 2; \
- buffer = (xmlChar *) \
- xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \
- if (buffer == NULL) { \
- xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
- return(NULL); \
- } \
+ xmlChar *tmp; \
+ size_t new_size = buffer_size * 2; \
+ if (new_size < buffer_size) goto mem_error; \
+ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
+ if (tmp == NULL) goto mem_error; \
+ buffer = tmp; \
+ buffer_size = new_size; \
}
@@ -555,7 +555,7 @@
const xmlChar *cur = input;
xmlChar *buffer = NULL;
xmlChar *out = NULL;
- int buffer_size = 0;
+ size_t buffer_size = 0;
int html = 0;
if (input == NULL) return(NULL);
@@ -574,8 +574,8 @@
out = buffer;
while (*cur != '\0') {
- if (out - buffer > buffer_size - 100) {
- int indx = out - buffer;
+ size_t indx = out - buffer;
+ if (indx + 100 > buffer_size) {
growBufferReentrant();
out = &buffer[indx];
@@ -692,6 +692,11 @@
}
*out = 0;
return(buffer);
+
+mem_error:
+ xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
+ xmlFree(buffer);
+ return(NULL);
}
/**
@@ -709,7 +714,7 @@
const xmlChar *cur = input;
xmlChar *buffer = NULL;
xmlChar *out = NULL;
- int buffer_size = 0;
+ size_t buffer_size = 0;
if (input == NULL) return(NULL);
/*
@@ -724,8 +729,8 @@
out = buffer;
while (*cur != '\0') {
- if (out - buffer > buffer_size - 10) {
- int indx = out - buffer;
+ size_t indx = out - buffer;
+ if (indx + 10 > buffer_size) {
growBufferReentrant();
out = &buffer[indx];
@@ -774,6 +779,11 @@
}
*out = 0;
return(buffer);
+
+mem_error:
+ xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
+ xmlFree(buffer);
+ return(NULL);
}
/**
--- libxml2-2.7.8/hash.c 2010-10-12 08:25:32.000000000 +0200
+++ libxml2-2.7.8.patched/hash.c 2012-09-28 12:08:37.392414663 +0200
@@ -3,7 +3,7 @@
*
* Reference: Your favorite introductory book on algorithms
*
- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard.
+ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -21,6 +21,22 @@
#include "libxml.h"
#include <string.h>
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
+/*
+ * Following http://www.ocert.org/advisories/ocert-2011-003.html
+ * it seems that having hash randomization might be a good idea
+ * when using XML with untrusted data
+ */
+#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
+#define HASH_RANDOMIZATION
+#endif
+
#include <libxml/parser.h>
#include <libxml/hash.h>
#include <libxml/xmlmemory.h>
@@ -31,6 +47,10 @@
/* #define DEBUG_GROW */
+#ifdef HASH_RANDOMIZATION
+static int hash_initialized = 0;
+#endif
+
/*
* A single entry in the hash table
*/
@@ -53,6 +73,9 @@
int size;
int nbElems;
xmlDictPtr dict;
+#ifdef HASH_RANDOMIZATION
+ int random_seed;
+#endif
};
/*
@@ -65,6 +88,9 @@
unsigned long value = 0L;
char ch;
+#ifdef HASH_RANDOMIZATION
+ value = table->random_seed;
+#endif
if (name != NULL) {
value += 30 * (*name);
while ((ch = *name++) != 0) {
@@ -92,6 +118,9 @@
unsigned long value = 0L;
char ch;
+#ifdef HASH_RANDOMIZATION
+ value = table->random_seed;
+#endif
if (prefix != NULL)
value += 30 * (*prefix);
else
@@ -156,6 +185,13 @@
table->table = xmlMalloc(size * sizeof(xmlHashEntry));
if (table->table) {
memset(table->table, 0, size * sizeof(xmlHashEntry));
+#ifdef HASH_RANDOMIZATION
+ if (!hash_initialized) {
+ srand(time(NULL));
+ hash_initialized = 1;
+ }
+ table->random_seed = rand();
+#endif
return(table);
}
xmlFree(table);
--- libxml2-2.7.8/parser.c 2010-11-04 16:55:45.000000000 +0100
+++ libxml2-2.7.8.patched/parser.c 2012-09-28 12:08:37.440414665 +0200
@@ -40,6 +40,7 @@
#endif
#include <stdlib.h>
+#include <limits.h>
#include <string.h>
#include <stdarg.h>
#include <libxml/xmlmemory.h>
@@ -114,10 +115,10 @@
* parser option.
*/
static int
-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
+xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
xmlEntityPtr ent)
{
- unsigned long consumed = 0;
+ size_t consumed = 0;
if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
return (0);
@@ -2580,15 +2581,17 @@
/*
* Macro used to grow the current buffer.
+ * buffer##_size is expected to be a size_t
+ * mem_error: is expected to handle memory allocation failures
*/
#define growBuffer(buffer, n) { \
xmlChar *tmp; \
- buffer##_size *= 2; \
- buffer##_size += n; \
- tmp = (xmlChar *) \
- xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \
+ size_t new_size = buffer##_size * 2 + n; \
+ if (new_size < buffer##_size) goto mem_error; \
+ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
if (tmp == NULL) goto mem_error; \
buffer = tmp; \
+ buffer##_size = new_size; \
}
/**
@@ -2614,14 +2617,14 @@
xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
int what, xmlChar end, xmlChar end2, xmlChar end3) {
xmlChar *buffer = NULL;
- int buffer_size = 0;
+ size_t buffer_size = 0;
+ size_t nbchars = 0;
xmlChar *current = NULL;
xmlChar *rep = NULL;
const xmlChar *last;
xmlEntityPtr ent;
int c,l;
- int nbchars = 0;
if ((ctxt == NULL) || (str == NULL) || (len < 0))
return(NULL);
@@ -2638,7 +2641,7 @@
* allocate a translation buffer.
*/
buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
- buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
+ buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
if (buffer == NULL) goto mem_error;
/*
@@ -2658,7 +2661,7 @@
if (val != 0) {
COPY_BUF(0,buffer,nbchars,val);
}
- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
} else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
@@ -2676,7 +2679,7 @@
(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
if (ent->content != NULL) {
COPY_BUF(0,buffer,nbchars,ent->content[0]);
- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
} else {
@@ -2693,8 +2696,7 @@
current = rep;
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
- if (nbchars >
- buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
if (xmlParserEntityCheck(ctxt, nbchars, ent))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
@@ -2708,8 +2710,8 @@
const xmlChar *cur = ent->name;
buffer[nbchars++] = '&';
- if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
}
for (;i > 0;i--)
buffer[nbchars++] = *cur++;
@@ -2736,8 +2738,7 @@
current = rep;
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
- if (nbchars >
- buffer_size - XML_PARSER_BUFFER_SIZE) {
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
if (xmlParserEntityCheck(ctxt, nbchars, ent))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
@@ -2750,8 +2751,8 @@
} else {
COPY_BUF(l,buffer,nbchars,c);
str += l;
- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
}
if (str < last)
@@ -3755,8 +3756,8 @@
xmlChar limit = 0;
xmlChar *buf = NULL;
xmlChar *rep = NULL;
- int len = 0;
- int buf_size = 0;
+ size_t len = 0;
+ size_t buf_size = 0;
int c, l, in_space = 0;
xmlChar *current = NULL;
xmlEntityPtr ent;
@@ -3778,7 +3779,7 @@
* allocate a translation buffer.
*/
buf_size = XML_PARSER_BUFFER_SIZE;
- buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
+ buf = (xmlChar *) xmlMallocAtomic(buf_size);
if (buf == NULL) goto mem_error;
/*
@@ -3795,7 +3796,7 @@
if (val == '&') {
if (ctxt->replaceEntities) {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
buf[len++] = '&';
@@ -3804,7 +3805,7 @@
* The reparsing will be done in xmlStringGetNodeList()
* called by the attribute() function in SAX.c
*/
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
buf[len++] = '&';
@@ -3814,7 +3815,7 @@
buf[len++] = ';';
}
} else if (val != 0) {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
len += xmlCopyChar(0, &buf[len], val);
@@ -3826,7 +3827,7 @@
ctxt->nbentities += ent->owner;
if ((ent != NULL) &&
(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
if ((ctxt->replaceEntities == 0) &&
@@ -3854,7 +3855,7 @@
current++;
} else
buf[len++] = *current++;
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
}
@@ -3862,7 +3863,7 @@
rep = NULL;
}
} else {
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
if (ent->content != NULL)
@@ -3890,7 +3891,7 @@
* Just output the reference
*/
buf[len++] = '&';
- while (len > buf_size - i - 10) {
+ while (len + i + 10 > buf_size) {
growBuffer(buf, i + 10);
}
for (;i > 0;i--)
@@ -3903,7 +3904,7 @@
if ((len != 0) || (!normalize)) {
if ((!normalize) || (!in_space)) {
COPY_BUF(l,buf,len,0x20);
- while (len > buf_size - 10) {
+ while (len + 10 > buf_size) {
growBuffer(buf, 10);
}
}
@@ -3912,7 +3913,7 @@
} else {
in_space = 0;
COPY_BUF(l,buf,len,c);
- if (len > buf_size - 10) {
+ if (len + 10 > buf_size) {
growBuffer(buf, 10);
}
}
@@ -3937,7 +3938,18 @@
}
} else
NEXT;
- if (attlen != NULL) *attlen = len;
+
+ /*
+ * There we potentially risk an overflow, don't allow attribute value of
+ * lenght more than INT_MAX it is a very reasonnable assumption !
+ */
+ if (len >= INT_MAX) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue lenght too long\n");
+ goto mem_error;
+ }
+
+ if (attlen != NULL) *attlen = (int) len;
return(buf);
mem_error:
@@ -4949,7 +4961,8 @@
(ctxt->sax->processingInstruction != NULL))
ctxt->sax->processingInstruction(ctxt->userData,
target, NULL);
- ctxt->instate = state;
+ if (ctxt->instate != XML_PARSER_EOF)
+ ctxt->instate = state;
return;
}
buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
@@ -5029,7 +5042,8 @@
} else {
xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
}
- ctxt->instate = state;
+ if (ctxt->instate != XML_PARSER_EOF)
+ ctxt->instate = state;
}
}
@@ -9588,6 +9602,8 @@
else
name = xmlParseStartTag(ctxt);
#endif /* LIBXML_SAX1_ENABLED */
+ if (ctxt->instate == XML_PARSER_EOF)
+ return;
if (name == NULL) {
spacePop(ctxt);
return;
@@ -10967,6 +10983,8 @@
else
name = xmlParseStartTag(ctxt);
#endif /* LIBXML_SAX1_ENABLED */
+ if (ctxt->instate == XML_PARSER_EOF)
+ goto done;
if (name == NULL) {
spacePop(ctxt);
ctxt->instate = XML_PARSER_EOF;
@@ -11153,7 +11171,9 @@
else
xmlParseEndTag1(ctxt, 0);
#endif /* LIBXML_SAX1_ENABLED */
- if (ctxt->nameNr == 0) {
+ if (ctxt->instate == XML_PARSER_EOF) {
+ /* Nothing */
+ } else if (ctxt->nameNr == 0) {
ctxt->instate = XML_PARSER_EPILOG;
} else {
ctxt->instate = XML_PARSER_CONTENT;
--- libxml2-2.7.8/xmllint.c 2010-11-03 15:49:11.000000000 +0100
+++ libxml2-2.7.8.patched/xmllint.c 2012-09-28 12:08:37.436414665 +0200
@@ -2976,7 +2976,7 @@
printf("\t--huge : remove any internal arbitrary parser limits\n");
printf("\t--noent : substitute entity references by their value\n");
printf("\t--noout : don't output the result tree\n");
- printf("\t--path 'paths': provide a set of paths for resources\n");
+ printf("\t--path 'paths' : provide a set of paths for resources\n");
printf("\t--load-trace : print trace of all external entites loaded\n");
printf("\t--nonet : refuse to fetch DTDs or entities over network\n");
printf("\t--nocompact : do not generate compact text nodes\n");
@@ -3032,7 +3032,7 @@
printf("\t--catalogs : use SGML catalogs from $SGML_CATALOG_FILES\n");
printf("\t otherwise XML Catalogs starting from \n");
printf("\t %s are activated by default\n", XML_XML_DEFAULT_CATALOG);
- printf("\t--nocatalogs: deactivate all catalogs\n");
+ printf("\t--nocatalogs : deactivate all catalogs\n");
#endif
printf("\t--auto : generate a small doc on the fly\n");
#ifdef LIBXML_XINCLUDE_ENABLED
--- libxml2-2.7.8/xpath.c 2010-11-03 20:18:27.000000000 +0100
+++ libxml2-2.7.8.patched/xpath.c 2012-09-28 12:08:37.444414664 +0200
@@ -252,6 +252,7 @@
"Encoding error\n",
"Char out of XML range\n",
"Invalid or incomplete context\n",
+ "Stack usage errror\n",
"?? Unknown error ??\n" /* Must be last in the list! */
};
#define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \
@@ -2398,6 +2399,42 @@
************************************************************************/
/**
+ * xmlXPathSetFrame:
+ * @ctxt: an XPath parser context
+ *
+ * Set the callee evaluation frame
+ *
+ * Returns the previous frame value to be restored once done
+ */
+static int
+xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
+ int ret;
+
+ if (ctxt == NULL)
+ return(0);
+ ret = ctxt->valueFrame;
+ ctxt->valueFrame = ctxt->valueNr;
+ return(ret);
+}
+
+/**
+ * xmlXPathPopFrame:
+ * @ctxt: an XPath parser context
+ * @frame: the previous frame value
+ *
+ * Remove the callee evaluation frame
+ */
+static void
+xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
+ if (ctxt == NULL)
+ return;
+ if (ctxt->valueNr < ctxt->valueFrame) {
+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
+ }
+ ctxt->valueFrame = frame;
+}
+
+/**
* valuePop:
* @ctxt: an XPath evaluation context
*
@@ -2412,6 +2449,12 @@
if ((ctxt == NULL) || (ctxt->valueNr <= 0))
return (NULL);
+
+ if (ctxt->valueNr <= ctxt->valueFrame) {
+ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
+ return (NULL);
+ }
+
ctxt->valueNr--;
if (ctxt->valueNr > 0)
ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
@@ -3522,13 +3565,13 @@
} else if (cur->nodeNr == cur->nodeMax) {
xmlNodePtr *temp;
- cur->nodeMax *= 2;
- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
+ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
sizeof(xmlNodePtr));
if (temp == NULL) {
xmlXPathErrMemory(NULL, "growing nodeset\n");
return;
}
+ cur->nodeMax *= 2;
cur->nodeTab = temp;
}
cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns);
@@ -3627,14 +3670,14 @@
} else if (cur->nodeNr == cur->nodeMax) {
xmlNodePtr *temp;
- cur->nodeMax *= 2;
- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
+ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
sizeof(xmlNodePtr));
if (temp == NULL) {
xmlXPathErrMemory(NULL, "growing nodeset\n");
return;
}
cur->nodeTab = temp;
+ cur->nodeMax *= 2;
}
if (val->type == XML_NAMESPACE_DECL) {
xmlNsPtr ns = (xmlNsPtr) val;
@@ -3738,14 +3781,14 @@
} else if (val1->nodeNr == val1->nodeMax) {
xmlNodePtr *temp;
- val1->nodeMax *= 2;
- temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax *
+ temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 *
sizeof(xmlNodePtr));
if (temp == NULL) {
xmlXPathErrMemory(NULL, "merging nodeset\n");
return(NULL);
}
val1->nodeTab = temp;
+ val1->nodeMax *= 2;
}
if (n2->type == XML_NAMESPACE_DECL) {
xmlNsPtr ns = (xmlNsPtr) n2;
@@ -3907,14 +3950,14 @@
} else if (set1->nodeNr >= set1->nodeMax) {
xmlNodePtr *temp;
- set1->nodeMax *= 2;
temp = (xmlNodePtr *) xmlRealloc(
- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
+ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
if (temp == NULL) {
xmlXPathErrMemory(NULL, "merging nodeset\n");
return(NULL);
}
set1->nodeTab = temp;
+ set1->nodeMax *= 2;
}
if (n2->type == XML_NAMESPACE_DECL) {
xmlNsPtr ns = (xmlNsPtr) n2;
@@ -3991,14 +4034,14 @@
} else if (set1->nodeNr >= set1->nodeMax) {
xmlNodePtr *temp;
- set1->nodeMax *= 2;
temp = (xmlNodePtr *) xmlRealloc(
- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
+ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
if (temp == NULL) {
xmlXPathErrMemory(NULL, "merging nodeset\n");
return(NULL);
}
set1->nodeTab = temp;
+ set1->nodeMax *= 2;
}
set1->nodeTab[set1->nodeNr++] = n2;
}
@@ -6154,6 +6197,7 @@
ret->valueNr = 0;
ret->valueMax = 10;
ret->value = NULL;
+ ret->valueFrame = 0;
ret->context = ctxt;
ret->comp = comp;
@@ -11712,6 +11756,7 @@
xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
xmlNodePtr oldContextNode, contextNode = NULL;
xmlXPathContextPtr xpctxt = ctxt->context;
+ int frame;
#ifdef LIBXML_XPTR_ENABLED
/*
@@ -11731,6 +11776,8 @@
*/
exprOp = &ctxt->comp->steps[op->ch2];
for (i = 0; i < set->nodeNr; i++) {
+ xmlXPathObjectPtr tmp;
+
if (set->nodeTab[i] == NULL)
continue;
@@ -11758,18 +11805,25 @@
xmlXPathNodeSetAddUnique(contextObj->nodesetval,
contextNode);
+ frame = xmlXPathSetFrame(ctxt);
valuePush(ctxt, contextObj);
res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+ tmp = valuePop(ctxt);
+ xmlXPathPopFrame(ctxt, frame);
if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
- xmlXPathObjectPtr tmp;
- /* pop the result */
- tmp = valuePop(ctxt);
- xmlXPathReleaseObject(xpctxt, tmp);
- /* then pop off contextObj, which will be freed later */
- valuePop(ctxt);
+ while (tmp != contextObj) {
+ /*
+ * Free up the result
+ * then pop off contextObj, which will be freed later
+ */
+ xmlXPathReleaseObject(xpctxt, tmp);
+ tmp = valuePop(ctxt);
+ }
goto evaluation_error;
}
+ /* push the result back onto the stack */
+ valuePush(ctxt, tmp);
if (res)
pos++;
@@ -13357,6 +13411,7 @@
xmlGenericError(xmlGenericErrorContext,
"xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n",
(char *) op->value4, (char *)op->value5);
+ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
return (total);
}
val = xmlXPathVariableLookupNS(ctxt->context,
@@ -13373,7 +13428,9 @@
xmlXPathFunction func;
const xmlChar *oldFunc, *oldFuncURI;
int i;
+ int frame;
+ frame = xmlXPathSetFrame(ctxt);
if (op->ch1 != -1)
total +=
xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
@@ -13381,15 +13438,18 @@
xmlGenericError(xmlGenericErrorContext,
"xmlXPathCompOpEval: parameter error\n");
ctxt->error = XPATH_INVALID_OPERAND;
+ xmlXPathPopFrame(ctxt, frame);
return (total);
}
- for (i = 0; i < op->value; i++)
+ for (i = 0; i < op->value; i++) {
if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
xmlGenericError(xmlGenericErrorContext,
"xmlXPathCompOpEval: parameter error\n");
ctxt->error = XPATH_INVALID_OPERAND;
+ xmlXPathPopFrame(ctxt, frame);
return (total);
}
+ }
if (op->cache != NULL)
XML_CAST_FPTR(func) = op->cache;
else {
@@ -13405,6 +13465,8 @@
xmlGenericError(xmlGenericErrorContext,
"xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
(char *)op->value4, (char *)op->value5);
+ ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+ xmlXPathPopFrame(ctxt, frame);
return (total);
}
func = xmlXPathFunctionLookupNS(ctxt->context,
@@ -13426,6 +13488,7 @@
func(ctxt, op->value);
ctxt->context->function = oldFunc;
ctxt->context->functionURI = oldFuncURI;
+ xmlXPathPopFrame(ctxt, frame);
return (total);
}
case XPATH_OP_ARG:
@@ -14329,6 +14392,7 @@
ctxt->valueNr = 0;
ctxt->valueMax = 10;
ctxt->value = NULL;
+ ctxt->valueFrame = 0;
}
#ifdef XPATH_STREAMING
if (ctxt->comp->stream) {
--- libxml2-2.7.8/xpointer.c 2010-10-12 08:25:33.000000000 +0200
+++ libxml2-2.7.8.patched/xpointer.c 2012-09-28 12:08:37.428414664 +0200
@@ -1007,21 +1007,14 @@
NEXT;
break;
}
- *cur++ = CUR;
} else if (CUR == '(') {
level++;
- *cur++ = CUR;
} else if (CUR == '^') {
- NEXT;
- if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
- *cur++ = CUR;
- } else {
- *cur++ = '^';
- *cur++ = CUR;
- }
- } else {
- *cur++ = CUR;
+ if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
+ NEXT;
+ }
}
+ *cur++ = CUR;
NEXT;
}
*cur = 0;
@@ -1269,6 +1262,7 @@
ctxt->valueNr = 0;
ctxt->valueMax = 10;
ctxt->value = NULL;
+ ctxt->valueFrame = 0;
}
SKIP_BLANKS;
if (CUR == '/') {
--- libxml2-2.7.8/libxml.h 2010-10-12 08:25:32.000000000 +0200
+++ libxml2-2.7.8.patched/libxml.h 2012-09-28 12:08:37.432414664 +0200
@@ -13,6 +13,9 @@
#ifndef _LARGEFILE_SOURCE
#define _LARGEFILE_SOURCE
#endif
+#ifndef _LARGEFILE64_SOURCE
+#define _LARGEFILE64_SOURCE
+#endif
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif
--- libxml2-2.7.8/include/libxml/xpath.h 2010-10-12 08:25:32.000000000 +0200
+++ libxml2-2.7.8.patched/include/libxml/xpath.h 2012-09-28 12:08:37.456414665 +0200
@@ -68,7 +68,8 @@
XPATH_UNDEF_PREFIX_ERROR,
XPATH_ENCODING_ERROR,
XPATH_INVALID_CHAR_ERROR,
- XPATH_INVALID_CTXT
+ XPATH_INVALID_CTXT,
+ XPATH_STACK_ERROR
} xmlXPathError;
/*
@@ -380,6 +381,8 @@
xmlXPathCompExprPtr comp; /* the precompiled expression */
int xptr; /* it this an XPointer expression */
xmlNodePtr ancestor; /* used for walking preceding axis */
+
+ int valueFrame; /* used to limit Pop on the stack */
};
/************************************************************************