Overview
Comment: | Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. |
---|---|
SHA3-256: |
ad8242fa185fbb45ceaf83d8d53c0af3 |
User & Date: | rolf 2019-07-10 23:27:53.501 |
Context
2019-07-11
| ||
02:02 | Fixed possible seg fault with malicious input. check-in: d22f55f9a3 user: rolf tags: trunk | |
2019-07-10
| ||
23:27 | Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. check-in: ad8242fa18 user: rolf tags: trunk | |
21:56 | Replaced the last two atof(). check-in: 52d6965abb user: rolf tags: trunk | |
Changes
Changes to generic/domxpath.c.
︙ | ︙ | |||
2274 2275 2276 2277 2278 2279 2280 | ast *t, char **errMsg ) { XPathTokens tokens; int i, l, len, newlen, slen; int useNamespaceAxis = 0; | | | | 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 | ast *t, char **errMsg ) { XPathTokens tokens; int i, l, len, newlen, slen; int useNamespaceAxis = 0; char tmp[200]; DDBG(fprintf(stderr, "\nLex output following tokens for '%s':\n", xpath);) *errMsg = NULL; tokens = xpathLexer(xpath, exprContext, prefixMappings, &useNamespaceAxis, varParseCB, errMsg); if (*errMsg != NULL) { if (tokens != NULL) xpathFreeTokens (tokens); return XPATH_LEX_ERR; } DDBG( for (i=0; tokens[i].token != EOS; i++) { fprintf(stderr, "%3d %-12s %5ld %8.3g %5d %s\n", i, token2str[tokens[i].token-LPAR], tokens[i].intvalue, tokens[i].realvalue, tokens[i].pos, tokens[i].strvalue ); |
︙ | ︙ | |||
2319 2320 2321 2322 2323 2324 2325 | newlen = strlen(xpath); *errMsg = (char*)REALLOC(*errMsg, len+newlen+10); memmove(*errMsg + len, " for '", 6); memmove(*errMsg + len+6, xpath, newlen); memmove(*errMsg + len+6+newlen, "' ", 3); for (i=0; tokens[i].token != EOS; i++) { | | | 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 | newlen = strlen(xpath); *errMsg = (char*)REALLOC(*errMsg, len+newlen+10); memmove(*errMsg + len, " for '", 6); memmove(*errMsg + len+6, xpath, newlen); memmove(*errMsg + len+6+newlen, "' ", 3); for (i=0; tokens[i].token != EOS; i++) { sprintf(tmp, "%s\n%3s%3d %-12s %5ld %09.3g %5d ", (i==0) ? "\n\nParsed symbols:" : "", (i==l) ? "-->" : " ", i, token2str[tokens[i].token-LPAR], tokens[i].intvalue, tokens[i].realvalue, tokens[i].pos |
︙ | ︙ |
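Review bot: The `sprintf(tmp, ...)` in the error-report loop of the second hunk is still unbounded, so the fix depends on `char tmp[200]` (declared in the first hunk) always being larger than the formatted row. The widths in `%-12s %5ld %09.3g %5d` are minimums, not limits, so nothing in the call itself enforces that. Writing it as `snprintf(tmp, sizeof(tmp), "%s\n%3s%3d %-12s %5ld %09.3g %5d ", ...)` would turn a future format or token-name change into a truncated diagnostic instead of a stack overwrite, assuming snprintf is available on the project's target compilers. The call and the enclosing function both continue outside the hunk, so how `tmp` is appended to `*errMsg` is not visible here.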
Changes to tests/xpath.test.
︙ | ︙ | |||
1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 | set nodeName1 "a/b" set result [list] lappend result [$doc selectNodes string(%nodeName0/%nodeName1)] lappend result [$doc selectNodes string(a/a/b)] $doc delete set result } {a/b b} set doc [dom parse { <root> <asub>asub2</asub> <asub>asub3</asub> <asub>asub4</asub> <bsub>bsub1</bsub> | > > > > > > > | 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 | set nodeName1 "a/b" set result [list] lappend result [$doc selectNodes string(%nodeName0/%nodeName1)] lappend result [$doc selectNodes string(a/a/b)] $doc delete set result } {a/b b} test xpath-5.57 {afl-fuzz found seg fault in reporting error in invalid expr} { set doc [dom createDocument doc] catch {$doc selectNodes /[string repeat 1 2500]} catch {$doc selectNodes /[string repeat 1 250]} $doc delete } {} set doc [dom parse { <root> <asub>asub2</asub> <asub>asub3</asub> <asub>asub4</asub> <bsub>bsub1</bsub> |
︙ | ︙ | |||
1197 1198 1199 1200 1201 1202 1203 | set result "" foreach node [$root selectNodes {bsub|asub}] { append result "[$node text] " } set result } {asub1 asub2 asub3 asub4 bsub1 bsub2 } | | | 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 | set result "" foreach node [$root selectNodes {bsub|asub}] { append result "[$node text] " } set result } {asub1 asub2 asub3 asub4 bsub1 bsub2 } catch {$doc delete} set doc [dom parse { <!-- comment 1 --> <!-- comment 2 --> <?api pi data?> <!-- still not the document element --> |
︙ | ︙ |
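Review bot: Test xpath-5.57 discards both `catch` results and expects `{}`, so it only fails if the process actually crashes. A stack overwrite that happens not to fault would pass unnoticed unless the suite is run under a memory checker. Capturing the status of each call, e.g. `lappend result [catch {$doc selectNodes /[string repeat 1 250]} msg]`, and expecting `{1 1}` would also pin that both expressions are rejected with an error, which the test description suggests they are. In the last hunk, `catch {$doc delete}` likewise hides whether `$doc` was still a valid document at that point.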