c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

io: Fix memory lifetime issue with input buffers

Browse Source 
xmlParserInputBufferCreateMem must make a copy of the buffer.

This fixes a regression from 2.11 which could cause reads from freed
memory depending on the use case.

Undeprecate xmlParserInputBufferCreateStatic which can avoid copying
the whole buffer.
This commit is contained in:
Nick Wellnhofer 2023-12-12 23:51:32 +01:00
parent 0e4a11bb30
commit c2bbeed1fd
5 changed files with 70 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
HTMLparser.c
View File

@ -6719,7 +6719,8 @@ htmlCtxtReadMemory(htmlParserCtxtPtr ctxt, const char *buffer, int size,
htmlCtxtReset(ctxt); htmlCtxtReset(ctxt);
input = xmlParserInputBufferCreateMem(buffer, size, XML_CHAR_ENCODING_NONE); input = xmlParserInputBufferCreateStatic(buffer, size,
XML_CHAR_ENCODING_NONE);
if (input == NULL) { if (input == NULL) {
htmlErrMemory(ctxt, NULL); htmlErrMemory(ctxt, NULL);
return(NULL); return(NULL);

1
include/libxml/xmlIO.h
View File

@ -216,7 +216,6 @@ XMLPUBFUN xmlParserInputBufferPtr
XMLPUBFUN xmlParserInputBufferPtr XMLPUBFUN xmlParserInputBufferPtr
xmlParserInputBufferCreateMem (const char *mem, int size, xmlParserInputBufferCreateMem (const char *mem, int size,
xmlCharEncoding enc); xmlCharEncoding enc);
XML_DEPRECATED
XMLPUBFUN xmlParserInputBufferPtr XMLPUBFUN xmlParserInputBufferPtr
xmlParserInputBufferCreateStatic (const char *mem, int size, xmlParserInputBufferCreateStatic (const char *mem, int size,
xmlCharEncoding enc); xmlCharEncoding enc);

3
parser.c
View File

@ -14871,7 +14871,8 @@ xmlCtxtReadMemory(xmlParserCtxtPtr ctxt, const char *buffer, int size,
xmlCtxtReset(ctxt); xmlCtxtReset(ctxt);
input = xmlParserInputBufferCreateMem(buffer, size, XML_CHAR_ENCODING_NONE); input = xmlParserInputBufferCreateStatic(buffer, size,
XML_CHAR_ENCODING_NONE);
if (input == NULL) { if (input == NULL) {
xmlErrMemory(ctxt, NULL); xmlErrMemory(ctxt, NULL);
return(NULL); return(NULL);

4
testchar.c
View File

@ -648,8 +648,8 @@ static int testCharRanges(void) {
fprintf(stderr, "Failed to allocate parser context\n"); fprintf(stderr, "Failed to allocate parser context\n");
return(1); return(1);
} }
buf = xmlParserInputBufferCreateMem(data, sizeof(data), buf = xmlParserInputBufferCreateStatic(data, sizeof(data),
XML_CHAR_ENCODING_NONE); XML_CHAR_ENCODING_NONE);
if (buf == NULL) { if (buf == NULL) {
fprintf(stderr, "Failed to allocate input buffer\n"); fprintf(stderr, "Failed to allocate input buffer\n");
test_ret = 1; test_ret = 1;

90
xmlIO.c
View File

@ -2833,7 +2833,8 @@ xmlParserInputBufferCreateFd(int fd, xmlCharEncoding enc) {
} }
typedef struct { typedef struct {
const char *mem; char *mem;
const char *cur;
size_t size; size_t size;
} xmlMemIOCtxt; } xmlMemIOCtxt;
@ -2844,8 +2845,8 @@ xmlMemRead(void *vctxt, char *buf, int size) {
if ((size_t) size > ctxt->size) if ((size_t) size > ctxt->size)
size = ctxt->size; size = ctxt->size;
memcpy(buf, ctxt->mem, size); memcpy(buf, ctxt->cur, size);
ctxt->mem += size; ctxt->cur += size;
ctxt->size -= size; ctxt->size -= size;
return size; return size;
@ -2853,7 +2854,11 @@ xmlMemRead(void *vctxt, char *buf, int size) {
static int static int
xmlMemClose(void *vctxt) { xmlMemClose(void *vctxt) {
xmlFree(vctxt); xmlMemIOCtxt *ctxt = vctxt;
if (ctxt->mem != 0)
xmlFree(ctxt->mem);
xmlFree(ctxt);
return(0); return(0);
} }
@ -2863,22 +2868,70 @@ xmlMemClose(void *vctxt) {
* @size: the length of the memory block * @size: the length of the memory block
* @enc: the charset encoding if known (deprecated) * @enc: the charset encoding if known (deprecated)
* *
* Create a buffered parser input for the progressive parsing for the input * Create a parser input buffer for parsing from a memory area.
* from a memory area. *
* This function makes a copy of the whole input buffer. If you are sure
* that the contents of the buffer will remain valid until the document
* was parsed, you can avoid the copy by using
* xmlParserInputBufferCreateStatic.
* *
* The encoding argument is deprecated and should be set to * The encoding argument is deprecated and should be set to
* XML_CHAR_ENCODING_NONE. The encoding can be changed with * XML_CHAR_ENCODING_NONE. The encoding can be changed with
* xmlSwitchEncoding or xmlSwitchEncodingName later on. * xmlSwitchEncoding or xmlSwitchEncodingName later on.
* *
* Returns the new parser input or NULL * Returns the new parser input or NULL in case of error.
*/ */
xmlParserInputBufferPtr xmlParserInputBufferPtr
xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) { xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) {
xmlParserInputBufferPtr buf;
xmlMemIOCtxt *ctxt;
char *copy;
if ((size < 0) || (mem == NULL))
return(NULL);
copy = (char *) xmlStrndup((const xmlChar *) mem, size);
if (copy == NULL)
return(NULL);
buf = xmlParserInputBufferCreateStatic(copy, size, enc);
if (buf == NULL) {
xmlFree(copy);
return(NULL);
}
ctxt = buf->context;
ctxt->mem = copy;
return(buf);
}
/**
* xmlParserInputBufferCreateStatic:
* @mem: the memory input
* @size: the length of the memory block
* @enc: the charset encoding if known
*
* Create a parser input buffer for parsing from a memory area.
*
* This functions assumes that the contents of the input buffer remain
* valid until the document was parsed. Use xmlParserInputBufferCreateMem
* otherwise.
*
* The encoding argument is deprecated and should be set to
* XML_CHAR_ENCODING_NONE. The encoding can be changed with
* xmlSwitchEncoding or xmlSwitchEncodingName later on.
*
* Returns the new parser input or NULL in case of error.
*/
xmlParserInputBufferPtr
xmlParserInputBufferCreateStatic(const char *mem, int size,
xmlCharEncoding enc) {
xmlParserInputBufferPtr ret; xmlParserInputBufferPtr ret;
xmlMemIOCtxt *ctxt; xmlMemIOCtxt *ctxt;
if (size < 0) return(NULL); if ((size < 0) || (mem == NULL))
if (mem == NULL) return(NULL); return(NULL);
ret = xmlAllocParserInputBuffer(enc); ret = xmlAllocParserInputBuffer(enc);
if (ret == NULL) if (ret == NULL)
@ -2889,7 +2942,8 @@ xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) {
xmlFreeParserInputBuffer(ret); xmlFreeParserInputBuffer(ret);
return(NULL); return(NULL);
} }
ctxt->mem = mem; ctxt->mem = NULL;
ctxt->cur = mem;
ctxt->size = size; ctxt->size = size;
ret->context = ctxt; ret->context = ctxt;
@ -2899,22 +2953,6 @@ xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) {
return(ret); return(ret);
} }
/**
* xmlParserInputBufferCreateStatic:
* @mem: the memory input
* @size: the length of the memory block
* @enc: the charset encoding if known
*
* DEPRECATED: Use xmlParserInputBufferCreateMem.
*
* Returns the new parser input or NULL
*/
xmlParserInputBufferPtr
xmlParserInputBufferCreateStatic(const char *mem, int size,
xmlCharEncoding enc) {
return(xmlParserInputBufferCreateMem(mem, size, enc));
}
typedef struct { typedef struct {
const xmlChar *str; const xmlChar *str;
} xmlStringIOCtxt; } xmlStringIOCtxt;