Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
ad8242fa185fbb45ceaf83d8d53c0af3 |
| User & Date: | rolf 2019-07-10 23:27:53.501 |
Context
|
2019-07-11
| ||
| 02:02 | Fixed possible seg fault with malicious input. check-in: d22f55f9a3 user: rolf tags: trunk | |
|
2019-07-10
| ||
| 23:27 | Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. check-in: ad8242fa18 user: rolf tags: trunk | |
| 21:56 | Replaced the last two atof(). check-in: 52d6965abb user: rolf tags: trunk | |
Changes
Changes to generic/domxpath.c.
| ︙ | ︙ | |||
2274 2275 2276 2277 2278 2279 2280 |
ast *t,
char **errMsg
)
{
XPathTokens tokens;
int i, l, len, newlen, slen;
int useNamespaceAxis = 0;
| | | | 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 |
ast *t,
char **errMsg
)
{
XPathTokens tokens;
int i, l, len, newlen, slen;
int useNamespaceAxis = 0;
char tmp[200];
DDBG(fprintf(stderr, "\nLex output following tokens for '%s':\n", xpath);)
*errMsg = NULL;
tokens = xpathLexer(xpath, exprContext, prefixMappings, &useNamespaceAxis,
varParseCB, errMsg);
if (*errMsg != NULL) {
if (tokens != NULL) xpathFreeTokens (tokens);
return XPATH_LEX_ERR;
}
DDBG(
for (i=0; tokens[i].token != EOS; i++) {
fprintf(stderr, "%3d %-12s %5ld %8.3g %5d %s\n",
i,
token2str[tokens[i].token-LPAR],
tokens[i].intvalue,
tokens[i].realvalue,
tokens[i].pos,
tokens[i].strvalue
);
|
| ︙ | ︙ | |||
2319 2320 2321 2322 2323 2324 2325 |
newlen = strlen(xpath);
*errMsg = (char*)REALLOC(*errMsg, len+newlen+10);
memmove(*errMsg + len, " for '", 6);
memmove(*errMsg + len+6, xpath, newlen);
memmove(*errMsg + len+6+newlen, "' ", 3);
for (i=0; tokens[i].token != EOS; i++) {
| | | 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 |
newlen = strlen(xpath);
*errMsg = (char*)REALLOC(*errMsg, len+newlen+10);
memmove(*errMsg + len, " for '", 6);
memmove(*errMsg + len+6, xpath, newlen);
memmove(*errMsg + len+6+newlen, "' ", 3);
for (i=0; tokens[i].token != EOS; i++) {
sprintf(tmp, "%s\n%3s%3d %-12s %5ld %09.3g %5d ",
(i==0) ? "\n\nParsed symbols:" : "",
(i==l) ? "-->" : " ",
i,
token2str[tokens[i].token-LPAR],
tokens[i].intvalue,
tokens[i].realvalue,
tokens[i].pos
|
| ︙ | ︙ |
Changes to tests/xpath.test.
| ︙ | ︙ | |||
1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 |
set nodeName1 "a/b"
set result [list]
lappend result [$doc selectNodes string(%nodeName0/%nodeName1)]
lappend result [$doc selectNodes string(a/a/b)]
$doc delete
set result
} {a/b b}
set doc [dom parse {
<root>
<asub>asub2</asub>
<asub>asub3</asub>
<asub>asub4</asub>
<bsub>bsub1</bsub>
| > > > > > > > | 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 |
set nodeName1 "a/b"
set result [list]
lappend result [$doc selectNodes string(%nodeName0/%nodeName1)]
lappend result [$doc selectNodes string(a/a/b)]
$doc delete
set result
} {a/b b}
test xpath-5.57 {afl-fuzz found seg fault in reporting error in invalid expr} {
set doc [dom createDocument doc]
catch {$doc selectNodes /[string repeat 1 2500]}
catch {$doc selectNodes /[string repeat 1 250]}
$doc delete
} {}
set doc [dom parse {
<root>
<asub>asub2</asub>
<asub>asub3</asub>
<asub>asub4</asub>
<bsub>bsub1</bsub>
|
| ︙ | ︙ | |||
1197 1198 1199 1200 1201 1202 1203 |
set result ""
foreach node [$root selectNodes {bsub|asub}] {
append result "[$node text] "
}
set result
} {asub1 asub2 asub3 asub4 bsub1 bsub2 }
| | | 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 |
set result ""
foreach node [$root selectNodes {bsub|asub}] {
append result "[$node text] "
}
set result
} {asub1 asub2 asub3 asub4 bsub1 bsub2 }
catch {$doc delete}
set doc [dom parse {
<!-- comment 1 -->
<!-- comment 2 -->
<?api pi data?>
<!-- still not the document element -->
|
| ︙ | ︙ |