Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
ad8242fa185fbb45ceaf83d8d53c0af3 |
| User & Date: | rolf 2019-07-10 23:27:53 |
Context
|
2019-07-11
| ||
| 02:02 | Fixed possible seg fault with malicious input. check-in: d22f55f9a3 user: rolf tags: trunk | |
|
2019-07-10
| ||
| 23:27 | Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. check-in: ad8242fa18 user: rolf tags: trunk | |
| 21:56 | Replaced the last two atof(). check-in: 52d6965abb user: rolf tags: trunk | |
Changes
Changes to generic/domxpath.c.
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
....
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
|
ast *t,
char **errMsg
)
{
XPathTokens tokens;
int i, l, len, newlen, slen;
int useNamespaceAxis = 0;
char tmp[900];
DDBG(fprintf(stderr, "\nLex output following tokens for '%s':\n", xpath);)
*errMsg = NULL;
tokens = xpathLexer(xpath, exprContext, prefixMappings, &useNamespaceAxis,
varParseCB, errMsg);
if (*errMsg != NULL) {
if (tokens != NULL) xpathFreeTokens (tokens);
return XPATH_LEX_ERR;
}
DDBG(
for (i=0; tokens[i].token != EOS; i++) {
fprintf(stderr, "%3d %-12s %5ld %8.3f %5d %s\n",
i,
token2str[tokens[i].token-LPAR],
tokens[i].intvalue,
tokens[i].realvalue,
tokens[i].pos,
tokens[i].strvalue
);
................................................................................
newlen = strlen(xpath);
*errMsg = (char*)REALLOC(*errMsg, len+newlen+10);
memmove(*errMsg + len, " for '", 6);
memmove(*errMsg + len+6, xpath, newlen);
memmove(*errMsg + len+6+newlen, "' ", 3);
for (i=0; tokens[i].token != EOS; i++) {
sprintf(tmp, "%s\n%3s%3d %-12s %5ld %09.3f %5d ",
(i==0) ? "\n\nParsed symbols:" : "",
(i==l) ? "-->" : " ",
i,
token2str[tokens[i].token-LPAR],
tokens[i].intvalue,
tokens[i].realvalue,
tokens[i].pos
|
|
|
|
|
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
....
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
|
ast *t,
char **errMsg
)
{
XPathTokens tokens;
int i, l, len, newlen, slen;
int useNamespaceAxis = 0;
char tmp[200];
DDBG(fprintf(stderr, "\nLex output following tokens for '%s':\n", xpath);)
*errMsg = NULL;
tokens = xpathLexer(xpath, exprContext, prefixMappings, &useNamespaceAxis,
varParseCB, errMsg);
if (*errMsg != NULL) {
if (tokens != NULL) xpathFreeTokens (tokens);
return XPATH_LEX_ERR;
}
DDBG(
for (i=0; tokens[i].token != EOS; i++) {
fprintf(stderr, "%3d %-12s %5ld %8.3g %5d %s\n",
i,
token2str[tokens[i].token-LPAR],
tokens[i].intvalue,
tokens[i].realvalue,
tokens[i].pos,
tokens[i].strvalue
);
................................................................................
newlen = strlen(xpath);
*errMsg = (char*)REALLOC(*errMsg, len+newlen+10);
memmove(*errMsg + len, " for '", 6);
memmove(*errMsg + len+6, xpath, newlen);
memmove(*errMsg + len+6+newlen, "' ", 3);
for (i=0; tokens[i].token != EOS; i++) {
sprintf(tmp, "%s\n%3s%3d %-12s %5ld %09.3g %5d ",
(i==0) ? "\n\nParsed symbols:" : "",
(i==l) ? "-->" : " ",
i,
token2str[tokens[i].token-LPAR],
tokens[i].intvalue,
tokens[i].realvalue,
tokens[i].pos
|
Changes to tests/xpath.test.
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
....
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
|
set nodeName1 "a/b"
set result [list]
lappend result [$doc selectNodes string(%nodeName0/%nodeName1)]
lappend result [$doc selectNodes string(a/a/b)]
$doc delete
set result
} {a/b b}
set doc [dom parse {
<root>
<asub>asub2</asub>
<asub>asub3</asub>
<asub>asub4</asub>
<bsub>bsub1</bsub>
................................................................................
set result ""
foreach node [$root selectNodes {bsub|asub}] {
append result "[$node text] "
}
set result
} {asub1 asub2 asub3 asub4 bsub1 bsub2 }
$doc delete
set doc [dom parse {
<!-- comment 1 -->
<!-- comment 2 -->
<?api pi data?>
<!-- still not the document element -->
|
>
>
>
>
>
>
>
|
|
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
....
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
|
set nodeName1 "a/b"
set result [list]
lappend result [$doc selectNodes string(%nodeName0/%nodeName1)]
lappend result [$doc selectNodes string(a/a/b)]
$doc delete
set result
} {a/b b}
test xpath-5.57 {afl-fuzz found seg fault in reporting error in invalid expr} {
set doc [dom createDocument doc]
catch {$doc selectNodes /[string repeat 1 2500]}
catch {$doc selectNodes /[string repeat 1 250]}
$doc delete
} {}
set doc [dom parse {
<root>
<asub>asub2</asub>
<asub>asub3</asub>
<asub>asub4</asub>
<bsub>bsub1</bsub>
................................................................................
set result ""
foreach node [$root selectNodes {bsub|asub}] {
append result "[$node text] "
}
set result
} {asub1 asub2 asub3 asub4 bsub1 bsub2 }
catch {$doc delete}
set doc [dom parse {
<!-- comment 1 -->
<!-- comment 2 -->
<?api pi data?>
<!-- still not the document element -->
|