Commit Graph

1353 Commits

Author SHA1 Message Date
Sebastian Pipping
5a912171fd qa.sh: Polish and make more flexible 2016-05-25 19:04:03 +02:00
Sebastian Pipping
a12e78cb1b Fix uninitialized read of size 1 in little2_updatePosition
Reported by Pascal Cuoq

Valgrind's view:
==4416== Conditional jump or move depends on uninitialised value(s)
==4416==    at 0x41F187: little2_updatePosition (xmltok_impl.c:1748)
==4416==    by 0x405F85: XML_GetCurrentColumnNumber (xmlparse.c:1931)
==4416==    by 0x402F7B: reportError (xmlfile.c:67)
==4416==    by 0x403041: processFile (xmlfile.c:84)
==4416==    by 0x403752: filemap (unixfilemap.c:61)
==4416==    by 0x403523: XML_ProcessFile (xmlfile.c:239)
==4416==    by 0x402EBC: main (xmlwf.c:847)
2016-05-25 18:47:35 +02:00
Sebastian Pipping
4813526e87 Merge branch 'improve-partial-utf8-handling' 2016-05-20 22:46:51 +02:00
Sebastian Pipping
550eb6bbaa Fix UTF-8 auto alignment 2016-05-20 22:30:45 +02:00
Sebastian Pipping
be917d9f84 Cover UTF-8 limit correction; some tests fail
Failing tests are:
[-] UTF-8 case  3: Expected movement by -1 chars, actually moved by  0 chars: "\xdf"
[-] UTF-8 case  4: Expected movement by  0 chars, actually moved by -1 chars: "\xdf\xbf"
[-] UTF-8 case  5: Expected movement by -1 chars, actually moved by  0 chars: "\xef"
[-] UTF-8 case  6: Expected movement by -2 chars, actually moved by -1 chars: "\xef\xbf"
[-] UTF-8 case  7: Expected movement by  0 chars, actually moved by -2 chars: "\xef\xbf\xbf"
[-] UTF-8 case  8: Expected movement by -1 chars, actually moved by  0 chars: "\xf7"
[-] UTF-8 case  9: Expected movement by -2 chars, actually moved by -1 chars: "\xf7\xbf"
[-] UTF-8 case 10: Expected movement by -3 chars, actually moved by -2 chars: "\xf7\xbf\xbf"
[-] UTF-8 case 11: Expected movement by  0 chars, actually moved by -3 chars: "\xf7\xbf\xbf\xbf"
2016-05-20 22:29:47 +02:00
Sebastian Pipping
525be92f78 Extract function align_limit_to_full_utf8_characters 2016-05-20 22:11:56 +02:00
Sebastian Pipping
be4b1c06da Merge branch 'cve-2016-0718-fix-2-2-1'
Conflicts:
  expat/lib/xmltok.c
2016-05-17 21:08:21 +02:00
Pascal Cuoq
a1bc009dd4 Do not compare an out-of-bounds pointer. See https://lwn.net/Articles/278137/ 2016-05-16 16:11:01 +02:00
Pascal Cuoq
5c9cc0eed8 Avoid undefined behavior when computing larger blockSize. The compiler might reason that (end - start)*2 is negative only if (end - start) is negative, see https://godbolt.org/g/wVEoTM 2016-05-16 16:10:57 +02:00
Pascal Cuoq
f0bec73b01 Avoid relying on undefined behavior in CVE-2015-1283 fix. It does not really work: https://godbolt.org/g/Zl8gdF 2016-05-16 15:35:08 +02:00
Sebastian Pipping
a238d7ea7a Makefile.in: Extend target "qa" 2016-05-15 14:11:11 +02:00
Sebastian Pipping
2106ee4050 Fix left shift signed overflow
lib/xmltok.c:1407:11: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
lib/xmltok.c:1409:16: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
2016-05-15 14:04:09 +02:00
Sebastian Pipping
4ae8aed082 Makefile.in: Respect CXXFLAGS if given 2016-05-15 13:50:06 +02:00
Björn Lindahl
d10262c9ef Added suffix "d" to lib/dll to differentiate Debug from Release output so they don't overwrite each other.
Fixes #323
2016-05-14 19:33:32 +02:00
Sebastian Pipping
1eaf75a2c3 Never hide official symbols (for -fvisibility=hidden)
Based on expat-visibility.patch by
Cristian Rodríguez <crrodriguez@opensuse.org>
2016-05-11 20:04:43 +02:00
Cristian Rodríguez
a4c383b722 Annotate memory allocators for GCC 2016-05-11 19:55:19 +02:00
Sebastian Pipping
69746f5ab2 Address all "unused parameter" warnings 2016-05-07 17:24:35 +02:00
Sebastian Pipping
e1196d2f3a doc/Makefile: Resolve use of "$<" for bmake 2016-05-06 21:04:09 +02:00
Ryo ONODERA
778428203d Do not use GNU make extension 2016-05-06 21:01:48 +02:00
Sebastian Pipping
99e0a5c245 Fix "make install" for Git clone 2016-05-06 21:00:49 +02:00
Sebastian Pipping
9eb0c7189f Makefile: Add target "qa" 2016-05-06 03:14:16 +02:00
Sebastian Pipping
e375ac8478 Complete XmlConvert return value handling 2016-05-02 01:00:39 +02:00
Sebastian Pipping
9ff1d645bf Do not grow pool to out-of-memory for incomplete input 2016-05-02 01:00:32 +02:00
Sebastian Pipping
a9b80b4ae4 Make converters tell state on termination (v3) 2016-05-02 01:00:32 +02:00
Sebastian Pipping
e18829b4ff Prevent out-of-bounds access in text conversion
* big2_toUtf8
* little2_toUtf8
* utf8_toUtf8
* utf8_toUtf16
2016-05-02 01:00:32 +02:00
Gustavo Grieco
2cac066cf6 Fix two integer overflows 2016-05-02 01:00:32 +02:00
Karl Waclawek
bb1fd81b98 Fix overflow (v2)
(Some post-processing by Sebastian Pipping)
2016-05-02 01:00:27 +02:00
Sebastian Pipping
379213ca19 Have "make run-xmltest" report on expected output 2016-05-01 16:01:51 +02:00
Sebastian Pipping
aed54a0ec9 Fix "make run-xmltest" more 2016-05-01 15:59:23 +02:00
Sebastian Pipping
2b289b1e78 Fix "make run-xmltest" 2016-04-30 21:11:02 +02:00
Sebastian Pipping
023ed44edd Tests: Cover CDATA sections 2016-03-31 23:19:22 +02:00
Sebastian Pipping
d839aecc61 Tests: Parse XML one byte at a time 2016-03-31 18:53:03 +02:00
Sebastian Pipping
56ceae7046 Sync change log 2016-03-28 22:23:43 +02:00
Sebastian Pipping
6d8696fc55 Address warning "missing initializer for field" 2016-03-28 21:35:55 +02:00
Sebastian Pipping
3bd715bf75 Address "comparison between signed and unsigned integer" warnings 2016-03-28 21:24:36 +02:00
Sebastian Pipping
934bcb0ac6 Address warnings on const correctness 2016-03-28 21:18:29 +02:00
Sebastian Pipping
b280bb8026 Merge branch 'resolve-srand' 2016-03-28 20:42:31 +02:00
Sebastian Pipping
2c346ba0bc Windows: Handling missing getpid and headers 2016-03-28 19:21:44 +02:00
Sebastian Pipping
888df4247c Use GetSystemTimeAsFileTime on Non-Cygwin-Windows with no gettimeofday 2016-03-28 18:19:02 +02:00
Sebastian Pipping
37f7efb878 Define COMPILING_FOR_WINDOWS with CMake on Windows 2016-03-28 18:18:09 +02:00
Sebastian Pipping
bdee307f19 Turn COMPILED_FROM_DSP into COMPILING_FOR_WINDOWS
.. since it is used with that semantic by now
2016-03-28 18:18:09 +02:00
Sebastian Pipping
f627ff74d6 Use a prime that fits 32bits on 32bit platforms
Bug reported by Yann Droneaud, thanks!
https://bugzilla.redhat.com/show_bug.cgi?id=1197087#c21
2016-03-21 20:05:27 +01:00
Sebastian Pipping
ca523deca4 Extract entropy from XML_Parser address
Idea by Yann Droneaud, thanks!
https://bugzilla.redhat.com/show_bug.cgi?id=1197087#c21
2016-03-21 19:58:04 +01:00
Sebastian Pipping
a5f2d04060 Extract method gather_time_entropy 2016-03-20 20:26:46 +01:00
Sebastian Pipping
6acb0a4737 Resolve call to srand, use more entropy
Since commit e3e81a6d9f
(released with Expat 2.1.0) Expat called srand by itself
from inside generate_hash_secret_salt for an instance
of XML_Parser if XML_SetHashSalt was either (a) not called
for that instance or if (b) salt 0 was passed to XML_SetHashSalt
prior to parsing.  That call to srand passed (rather litle)
entropy extracted from the current time as a seed for srand.

That call to srand (1) broke repeatability for code calling
srand with a non-random seed prior to parsing with Expat,
and (2) resulted in a rather small set of hashing salts in
Expat in total.

For a short- to mid-term fix, the new approach avoids calling
srand altogether, extracts more entropy out of the clock and
adds some additional entropy from the process ID, too.

For a long term fix, we may want to read sizeof(long) bytes
from a source like getrandom(..) on Linux, and from similar
sources on other supported architectures.

https://bugzilla.redhat.com/show_bug.cgi?id=1197087
2016-03-20 20:20:57 +01:00
Sebastian Pipping
75a1473981 Merge branch 'patch-90' 2016-03-14 19:12:52 +01:00
tbeu
247cc3af30 Fix VS2010 compilation
Avoid C99 style declaration (MSVC)
2016-03-13 21:17:00 +01:00
Karl Waclawek
a124f43dad Updated copyright year in Win32 setup script. 2016-03-12 16:12:42 -05:00
Sergei Nikulov
5c96e9ce60 Fix for BUILD_shared=OFF case on MSVC 2016-03-12 17:12:31 +01:00
Sebastian Pipping
d9a92249b1 CMakeLists.txt: Move code for upcoming change 2016-03-12 17:09:47 +01:00