tDOM

Check-in [d22f55f9a3]

Overview
Comment:Fixed possible seg fault with malicious input.
SHA3-256: d22f55f9a3abcad5eb8ecb25ace085e77cc00ac78bfb465c807c66ebd159f546
User & Date: rolf 2019-07-11 02:02:31
Context
2019-07-18
10:23
Merged from trunk. check-in: a505e6bc02 user: rolf tags: fuzzer-instrumentation
2019-07-11
14:07
Fixed possible floating point exception with arithmetic operator 'mod'. check-in: 7cf8bdeb6c user: rolf tags: trunk
02:02
Fixed possible seg fault with malicious input. check-in: d22f55f9a3 user: rolf tags: trunk
2019-07-10
23:27
Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. check-in: ad8242fa18 user: rolf tags: trunk
Changes

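--- a/generic/domxpath.c
+++ b/generic/domxpath.c
@@ -2721,14 +2721,14 @@
         case RealResult:
             if (IS_NAN (rs->realvalue)) return tdomstrdup ("NaN");
             else if (IS_INF (rs->realvalue)) {
                 if (IS_INF (rs->realvalue) == 1) return tdomstrdup ("Infinity");
                 else                             return tdomstrdup ("-Infinity");
             }
-            sprintf(tmp, "%f", rs->realvalue);
+            sprintf(tmp, "%g", rs->realvalue);
             /* strip trailing 0 and . */
             len = strlen(tmp);
             for (; (len > 0) && (tmp[len-1] == '0'); len--) tmp[len-1] = '\0';
             if ((len > 0) && (tmp[len-1] == '.'))   tmp[len-1] = '\0';
             return (tdomstrdup(tmp));
             
         case NaNResult: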
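Review bot: The trailing-zero strip that follows the new `sprintf(tmp, "%g", rs->realvalue);` now runs on output that need not contain a decimal point, so it can delete significant digits: `%g` prints 100000.0 as `100000` and 1e20 as `1e+20`, which the loop would cut down to `1` and `1e+2`. `%g` also keeps only six significant digits and switches to exponent notation, so string results for ordinary values change as well. The strip should run only on fixed-point output, e.g. guarded by `if (strchr(tmp, '.') && !strchr(tmp, 'e'))`. Independently, the write into `tmp` is still unbounded; `snprintf(tmp, sizeof(tmp), ...)` would make the limit explicit, assuming `tmp` is an array (its declaration is outside this hunk). The enclosing function starts and ends outside the hunk.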

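--- a/tests/xpath.test
+++ b/tests/xpath.test
@@ -545,29 +545,29 @@
 test xpath-5.1 {erroneous XPath expr: missing right brace in predicate} {
     set result [catch {$root selectNodes {*[1}} errMsg]
     list $result $errMsg
 } {1 {Predicate: Expected "RBRACKET" for '*[1' 
 
 Parsed symbols:
-     0 WCARDNAME        0 00000.000     0  *
-     1 LBRACKET         0 00000.000     1  
-     2 INTNUMBER        1 00001.000     2  }}
+     0 WCARDNAME        0 000000000     0  *
+     1 LBRACKET         0 000000000     1  
+     2 INTNUMBER        1 000000001     2  }}
 
 test xpath-5.2 {erroneous XPath expr: missing right brace in predicate} {
     set result [catch {$root selectNodes {*[1][@attr}} errMsg]
     list $result $errMsg
 } {1 {Predicate: Expected "RBRACKET" for '*[1][@attr' 
 
 Parsed symbols:
-     0 WCARDNAME        0 00000.000     0  *
-     1 LBRACKET         0 00000.000     1  
-     2 INTNUMBER        1 00001.000     2  
-     3 RBRACKET         0 00000.000     3  
-     4 LBRACKET         0 00000.000     4  
-     5 ATTRIBUTE        0 00000.000     9  attr}}
+     0 WCARDNAME        0 000000000     0  *
+     1 LBRACKET         0 000000000     1  
+     2 INTNUMBER        1 000000001     2  
+     3 RBRACKET         0 000000000     3  
+     4 LBRACKET         0 000000000     4  
+     5 ATTRIBUTE        0 000000000     9  attr}}
 
 test xpath-5.3 {erroneous XPath expr: missing left brace in predicate} {
     catch {$root selectNodes {*1]}}
 } {1}
 
 test xpath-5.4 {erroneous XPath expr} {
     catch {$root selectNodes {myNS: bar}} errMsg
@@ -1070,21 +1070,21 @@
     set result [catch {$doc selectNodes {a[b %nodeName='another value']}} errMsg]
     lappend result $errMsg
     $doc delete
     set result
 } {1 {Predicate: Expected "RBRACKET" for 'a[b %nodeName='another value']' 
 
 Parsed symbols:
-     0 WCARDNAME        0 00000.000     0  a
-     1 LBRACKET         0 00000.000     1  
-     2 WCARDNAME        0 00000.000     2  b
--->  3 WCARDNAME        1 00000.000    12  with spaces
-     4 EQUAL            0 00000.000    13  
-     5 LITERAL          0 00000.000    28  another value
-     6 RBRACKET         0 00000.000    29  }}
+     0 WCARDNAME        0 000000000     0  a
+     1 LBRACKET         0 000000000     1  
+     2 WCARDNAME        0 000000000     2  b
+-->  3 WCARDNAME        1 000000000    12  with spaces
+     4 EQUAL            0 000000000    13  
+     5 LITERAL          0 000000000    28  another value
+     6 RBRACKET         0 000000000    29  }}
 
 test xpath-5.47 {Element name injected with tcl variable} {
     set doc [dom parse -json {{"a":{"":"the value"},"a":{"":"another value"}}}]
     set nodeName ""
     set node [$doc selectNodes {a[%nodeName='another value']}]
     set result [list]
     lappend result [$node nodeName]
@@ -1182,14 +1182,20 @@
 
 test xpath-5.57 {afl-fuzz found seg fault in reporting error in invalid expr} {
     set doc [dom createDocument doc]
     catch {$doc selectNodes /[string repeat 1 2500]}
     catch {$doc selectNodes /[string repeat 1 250]}
     $doc delete
 } {}
+
+test xpath-5.58 {afl-fuzz found seg fault in reporting error in invalid expr} {
+    set doc [dom createDocument doc]
+    catch {$doc selectNodes concat([string repeat 1 250],1,1)}
+    $doc delete
+} {}
 
 set doc [dom parse {
 <root>
   <asub>asub2</asub>
   <asub>asub3</asub>
   <asub>asub4</asub>
   <bsub>bsub1</bsub>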
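Review bot: The new test xpath-5.58 discards both the `catch` return code and the result, so it passes whether the expression errors or returns a wrong string; it only shows that the process did not crash. Its description is copied from xpath-5.57 ("reporting error in invalid expr"), although `concat(...)` with a long number appears to exercise number-to-string conversion rather than error reporting (inferred from the test text). Pinning the outcome would let the test check the conversion too, e.g. `set rc [catch {$doc selectNodes concat([string repeat 1 250],1,1)} res]` followed by `list $rc $res` compared against the expected value.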

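--- a/tests/xslt.test
+++ b/tests/xslt.test
@@ -1149,22 +1149,22 @@
     catch {$xmldoc xslt $xsltdoc resultDoc} errMsg
     $xmldoc delete
     $xsltdoc delete
     set errMsg
 } {The 'current' function is not allowed in Pattern. for '*[current() != 'notthis']' 
 
 Parsed symbols:
-     0 WCARDNAME        0 00000.000     0  *
-     1 LBRACKET         0 00000.000     1  
-     2 FUNCTION         0 00000.000     8  current
-     3 LPAR             0 00000.000     9  
-     4 RPAR             0 00000.000    10  
-     5 NOTEQ            0 00000.000    13  
-     6 LITERAL          0 00000.000    23  notthis
-     7 RBRACKET         0 00000.000    24  }
+     0 WCARDNAME        0 000000000     0  *
+     1 LBRACKET         0 000000000     1  
+     2 FUNCTION         0 000000000     8  current
+     3 LPAR             0 000000000     9  
+     4 RPAR             0 000000000    10  
+     5 NOTEQ            0 000000000    13  
+     6 LITERAL          0 000000000    23  notthis
+     7 RBRACKET         0 000000000    24  }
 
 set xslt-8.2.xml {<?xml version="1.0"?>
 <Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:html="http://www.w3.org/TR/REC-html40">
 	<DocumentProperties xmlns="urn:schemas-microsoft-com:office:office">
 	</DocumentProperties>
 	<OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office">
 	</OfficeDocumentSettings>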