Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Fixed possible seg fault with malicious input. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
d22f55f9a3abcad5eb8ecb25ace085e7 |
| User & Date: | rolf 2019-07-11 02:02:31 |
Context
|
2019-07-18
| ||
| 10:23 | Merged from trunk. check-in: a505e6bc02 user: rolf tags: fuzzer-instrumentation | |
|
2019-07-11
| ||
| 14:07 | Fixed possible floating point exception with arithmetic operator 'mod'. check-in: 7cf8bdeb6c user: rolf tags: trunk | |
| 02:02 | Fixed possible seg fault with malicious input. check-in: d22f55f9a3 user: rolf tags: trunk | |
|
2019-07-10
| ||
| 23:27 | Fixed seg fault in reporting certain invalid xpath exprs with a number with nr of digits in a certain range. check-in: ad8242fa18 user: rolf tags: trunk | |
Changes
Changes to generic/domxpath.c.
2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 |
case RealResult:
if (IS_NAN (rs->realvalue)) return tdomstrdup ("NaN");
else if (IS_INF (rs->realvalue)) {
if (IS_INF (rs->realvalue) == 1) return tdomstrdup ("Infinity");
else return tdomstrdup ("-Infinity");
}
sprintf(tmp, "%f", rs->realvalue);
/* strip trailing 0 and . */
len = strlen(tmp);
for (; (len > 0) && (tmp[len-1] == '0'); len--) tmp[len-1] = '\0';
if ((len > 0) && (tmp[len-1] == '.')) tmp[len-1] = '\0';
return (tdomstrdup(tmp));
case NaNResult:
|
| |
2720 2721 2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 |
case RealResult:
if (IS_NAN (rs->realvalue)) return tdomstrdup ("NaN");
else if (IS_INF (rs->realvalue)) {
if (IS_INF (rs->realvalue) == 1) return tdomstrdup ("Infinity");
else return tdomstrdup ("-Infinity");
}
sprintf(tmp, "%g", rs->realvalue);
/* strip trailing 0 and . */
len = strlen(tmp);
for (; (len > 0) && (tmp[len-1] == '0'); len--) tmp[len-1] = '\0';
if ((len > 0) && (tmp[len-1] == '.')) tmp[len-1] = '\0';
return (tdomstrdup(tmp));
case NaNResult:
|
Changes to tests/xpath.test.
544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 .... 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 .... 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 |
test xpath-5.1 {erroneous XPath expr: missing right brace in predicate} {
set result [catch {$root selectNodes {*[1}} errMsg]
list $result $errMsg
} {1 {Predicate: Expected "RBRACKET" for '*[1'
Parsed symbols:
0 WCARDNAME 0 00000.000 0 *
1 LBRACKET 0 00000.000 1
2 INTNUMBER 1 00001.000 2 }}
test xpath-5.2 {erroneous XPath expr: missing right brace in predicate} {
set result [catch {$root selectNodes {*[1][@attr}} errMsg]
list $result $errMsg
} {1 {Predicate: Expected "RBRACKET" for '*[1][@attr'
Parsed symbols:
0 WCARDNAME 0 00000.000 0 *
1 LBRACKET 0 00000.000 1
2 INTNUMBER 1 00001.000 2
3 RBRACKET 0 00000.000 3
4 LBRACKET 0 00000.000 4
5 ATTRIBUTE 0 00000.000 9 attr}}
test xpath-5.3 {erroneous XPath expr: missing left brace in predicate} {
catch {$root selectNodes {*1]}}
} {1}
test xpath-5.4 {erroneous XPath expr} {
catch {$root selectNodes {myNS: bar}} errMsg
................................................................................
set result [catch {$doc selectNodes {a[b %nodeName='another value']}} errMsg]
lappend result $errMsg
$doc delete
set result
} {1 {Predicate: Expected "RBRACKET" for 'a[b %nodeName='another value']'
Parsed symbols:
0 WCARDNAME 0 00000.000 0 a
1 LBRACKET 0 00000.000 1
2 WCARDNAME 0 00000.000 2 b
--> 3 WCARDNAME 1 00000.000 12 with spaces
4 EQUAL 0 00000.000 13
5 LITERAL 0 00000.000 28 another value
6 RBRACKET 0 00000.000 29 }}
test xpath-5.47 {Element name injected with tcl variable} {
set doc [dom parse -json {{"a":{"":"the value"},"a":{"":"another value"}}}]
set nodeName ""
set node [$doc selectNodes {a[%nodeName='another value']}]
set result [list]
lappend result [$node nodeName]
................................................................................
test xpath-5.57 {afl-fuzz found seg fault in reporting error in invalid expr} {
set doc [dom createDocument doc]
catch {$doc selectNodes /[string repeat 1 2500]}
catch {$doc selectNodes /[string repeat 1 250]}
$doc delete
} {}
set doc [dom parse {
<root>
<asub>asub2</asub>
<asub>asub3</asub>
<asub>asub4</asub>
<bsub>bsub1</bsub>
|
| | | | | | | | | | | | | | | | > > > > > > |
544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 .... 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 .... 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 |
test xpath-5.1 {erroneous XPath expr: missing right brace in predicate} {
set result [catch {$root selectNodes {*[1}} errMsg]
list $result $errMsg
} {1 {Predicate: Expected "RBRACKET" for '*[1'
Parsed symbols:
0 WCARDNAME 0 000000000 0 *
1 LBRACKET 0 000000000 1
2 INTNUMBER 1 000000001 2 }}
test xpath-5.2 {erroneous XPath expr: missing right brace in predicate} {
set result [catch {$root selectNodes {*[1][@attr}} errMsg]
list $result $errMsg
} {1 {Predicate: Expected "RBRACKET" for '*[1][@attr'
Parsed symbols:
0 WCARDNAME 0 000000000 0 *
1 LBRACKET 0 000000000 1
2 INTNUMBER 1 000000001 2
3 RBRACKET 0 000000000 3
4 LBRACKET 0 000000000 4
5 ATTRIBUTE 0 000000000 9 attr}}
test xpath-5.3 {erroneous XPath expr: missing left brace in predicate} {
catch {$root selectNodes {*1]}}
} {1}
test xpath-5.4 {erroneous XPath expr} {
catch {$root selectNodes {myNS: bar}} errMsg
................................................................................
set result [catch {$doc selectNodes {a[b %nodeName='another value']}} errMsg]
lappend result $errMsg
$doc delete
set result
} {1 {Predicate: Expected "RBRACKET" for 'a[b %nodeName='another value']'
Parsed symbols:
0 WCARDNAME 0 000000000 0 a
1 LBRACKET 0 000000000 1
2 WCARDNAME 0 000000000 2 b
--> 3 WCARDNAME 1 000000000 12 with spaces
4 EQUAL 0 000000000 13
5 LITERAL 0 000000000 28 another value
6 RBRACKET 0 000000000 29 }}
test xpath-5.47 {Element name injected with tcl variable} {
set doc [dom parse -json {{"a":{"":"the value"},"a":{"":"another value"}}}]
set nodeName ""
set node [$doc selectNodes {a[%nodeName='another value']}]
set result [list]
lappend result [$node nodeName]
................................................................................
test xpath-5.57 {afl-fuzz found seg fault in reporting error in invalid expr} {
set doc [dom createDocument doc]
catch {$doc selectNodes /[string repeat 1 2500]}
catch {$doc selectNodes /[string repeat 1 250]}
$doc delete
} {}
test xpath-5.58 {afl-fuzz found seg fault in reporting error in invalid expr} {
set doc [dom createDocument doc]
catch {$doc selectNodes concat([string repeat 1 250],1,1)}
$doc delete
} {}
set doc [dom parse {
<root>
<asub>asub2</asub>
<asub>asub3</asub>
<asub>asub4</asub>
<bsub>bsub1</bsub>
|
Changes to tests/xslt.test.
1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 |
catch {$xmldoc xslt $xsltdoc resultDoc} errMsg
$xmldoc delete
$xsltdoc delete
set errMsg
} {The 'current' function is not allowed in Pattern. for '*[current() != 'notthis']'
Parsed symbols:
0 WCARDNAME 0 00000.000 0 *
1 LBRACKET 0 00000.000 1
2 FUNCTION 0 00000.000 8 current
3 LPAR 0 00000.000 9
4 RPAR 0 00000.000 10
5 NOTEQ 0 00000.000 13
6 LITERAL 0 00000.000 23 notthis
7 RBRACKET 0 00000.000 24 }
set xslt-8.2.xml {<?xml version="1.0"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:html="http://www.w3.org/TR/REC-html40">
<DocumentProperties xmlns="urn:schemas-microsoft-com:office:office">
</DocumentProperties>
<OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office">
</OfficeDocumentSettings>
|
| | | | | | | | |
1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 |
catch {$xmldoc xslt $xsltdoc resultDoc} errMsg
$xmldoc delete
$xsltdoc delete
set errMsg
} {The 'current' function is not allowed in Pattern. for '*[current() != 'notthis']'
Parsed symbols:
0 WCARDNAME 0 000000000 0 *
1 LBRACKET 0 000000000 1
2 FUNCTION 0 000000000 8 current
3 LPAR 0 000000000 9
4 RPAR 0 000000000 10
5 NOTEQ 0 000000000 13
6 LITERAL 0 000000000 23 notthis
7 RBRACKET 0 000000000 24 }
set xslt-8.2.xml {<?xml version="1.0"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:html="http://www.w3.org/TR/REC-html40">
<DocumentProperties xmlns="urn:schemas-microsoft-com:office:office">
</DocumentProperties>
<OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office">
</OfficeDocumentSettings>
|