| commit | 776e1c312dc273a031ef0c3f4d67ba702c5308d3 | [log] [tgz] |
|---|---|---|
| author | David Kilzer <ddkilzer@apple.com> | Fri May 13 14:43:33 2022 -0700 |
| committer | David Kilzer <ddkilzer@apple.com> | Wed May 25 18:29:41 2022 -0700 |
| tree | 9b9b80bcdf198b4d500f594da6a017bfe5c12958 | |
| parent | fe9f76ebb8127e77cbbf25d9235ceb523d3a4a92 [diff] |
Fix more overflow checks, off-by-ones and missing NUL terminators in xmlBuf and xmlBuffer In broad strokes, this does the following: - Do not include the NUL terminator byte for lengths returned from functions. This lets functions be more defensive. - Set error messages when returning early due to out-of-memory or buffer-too-large errors. - Set NUL terminator consistently on buffer boundaries before returning. - Add a few more integer overflow checks. * buf.c: (xmlBufGrowInternal): - Do not include NUL terminator byte when returning length. - Always set NUL terminator at the end of the new buffer length before returning. - Call xmlBufMemoryError() when the buffer size would overflow. - Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH. - Always set NUL terminator at the end of the current buffer after resizing the buffer. (xmlBufAddLen): - Return an error if the buffer does not have free space for the NUL terminator byte. (xmlBufAvail): - Do not include the NUL terminator byte in the length returned. (See changes to encoding.c and xmlIO.c.) (xmlBufResize): - Move setting of NUL terminator to common code. More than one path through the function failed to set it. (xmlBufAdd): - Call xmlBufMemoryError() when the buffer size would overflow. * encoding.c: (xmlCharEncFirstLineInput): (xmlCharEncInput): (xmlCharEncOutput): - No longer need to subtract one from the return value of xmlBufAvail() since the function does this now. * testchar.c: (testCharRanges): - Pass the string length without the NUL terminator. * tree.c: (xmlBufferGrow): - Do not include NUL terminator byte when returning length. - Always set NUL terminator at the end of the new buffer length before returning. - Call xmlTreeErrMemory() when the buffer size would overflow. - Always set NUL terminator at the end of the current buffer after resizing the buffer. (xmlBufferDump): - Change type of the return variable to match fwrite(). - Clamp return value to INT_MAX to prevent overflow. (xmlBufferResize): - Update error message in xmlTreeErrMemory() to be consistent with other similar messages. - Move setting of NUL terminator to common code. More than one path through the function failed to set it. (xmlBufferAdd): - Call xmlTreeErrMemory() when the buffer size would overflow. (xmlBufferAddHead): - Set NUL terminator before returning early when shifting contents. - Add overflow checks similar to those in xmlBufferAdd(). * xmlIO.c: (xmlOutputBufferWriteEscape): - No longer need to subtract one from the return value of xmlBufAvail() since the function does this now.
libxml2 is an XML toolkit implemented in C, originally developed for the GNOME Project.
Full documentation is available at https://gitlab.gnome.org/GNOME/libxml2/-/wikis.
Bugs should be reported at https://gitlab.gnome.org/GNOME/libxml2/-/issues.
A mailing list xml@gnome.org is available. You can subscribe at https://mail.gnome.org/mailman/listinfo/xml. The list archive is at https://mail.gnome.org/archives/xml/.
This code is released under the MIT License, see the Copyright file.
libxml2 can be built with GNU Autotools, CMake, or several other build systems in platform-specific subdirectories.
If you build from a Git tree, you have to install Autotools and start by generating the configuration files with:
./autogen.sh
If you build from a source tarball, extract the archive with:
tar xf libxml2-xxx.tar.gz cd libxml2-xxx
To see a list of build options:
./configure --help
Also see the INSTALL file for additional instructions. Then you can configure and build the library:
./configure [possible options] make
Note that by default, no optimization options are used. You have to enable them manually, for example with:
CFLAGS='-O2 -fno-semantic-interposition' ./configure
Now you can run the test suite with:
make check
Please report test failures to the mailing list or bug tracker.
Then you can install the library:
make install
At that point you may have to rerun ldconfig or a similar utility to update your list of installed shared libs.
Another option for compiling libxml is using CMake:
cmake -E tar xf libxml2-xxx.tar.gz cmake -S libxml2-xxx -B libxml2-xxx-build [possible options] cmake --build libxml2-xxx-build cmake --install libxml2-xxx-build
Common CMake options include:
-D BUILD_SHARED_LIBS=OFF # build static libraries -D CMAKE_BUILD_TYPE=Release # specify build type -D CMAKE_INSTALL_PREFIX=/usr/local # specify the install path -D LIBXML2_WITH_ICONV=OFF # disable iconv -D LIBXML2_WITH_LZMA=OFF # disable liblzma -D LIBXML2_WITH_PYTHON=OFF # disable Python -D LIBXML2_WITH_ZLIB=OFF # disable libz
You can also open the libxml source directory with its CMakeLists.txt directly in various IDEs such as CLion, QtCreator, or Visual Studio.
Libxml does not require any other libraries. A platform with somewhat recent POSIX support should be sufficient (please report any violation to this rule you may find).
However, if found at configuration time, libxml will detect and use the following libraries:
The current version of the code can be found in GNOME's GitLab at at https://gitlab.gnome.org/GNOME/libxml2. The best way to get involved is by creating issues and merge requests on GitLab. Alternatively, you can start discussions and send patches to the mailing list. If you want to work with patches, please format them with git-format-patch and use plain text attachments.
All code must conform to C89 and pass the GitLab CI tests. Add regression tests if possible.