Re: [xml] Why does libxml2 limit port numbers to 999,999,999?

2020-10-17 Thread Nick Wellnhofer via xml
On Oct 17, 2020, at 12:24 , Richard W.M. Jones via xml wrote: > It seems like libxml2 chose to do this for convenience rather than > correctness. Yes, this is an arbitrary limit introduced to avoid integer overflow. > I think it should accept port numbers at least up to > signed int (the type

Re: [xml] Fix character column number of XML parse error on line with closing tag of element with namespace preceding it

2020-08-09 Thread Nick Wellnhofer via xml
On Jun 15, 2020, at 17:29 , Frederic Vancraeyveldt wrote: > I traced the code and I have a suggested fix in libxml_parser.patch. Thanks, this should be fixed now with this commit: https://gitlab.gnome.org/GNOME/libxml2/-/commit/b82fa3dd26a72c89ced293d06269eb97bb252d76 > I also modified

Re: [xml] ping //Re: [PATCH] xmlschemastypes.c: xmlSchemaGetFacetValueAsULong add check "facet->val"

2020-12-06 Thread Nick Wellnhofer via xml
On 01/12/2020 08:05, Xiaoming Ni wrote: ping Your previous email didn't make it to the mailing list. On 2020/11/24 14:55, Xiaoming Ni wrote: The xmlSchemaGetFacetValueAsUlong() API is an external API. The validity of external input parameters must be strictly verified. Before accessing

Re: [xml] [PATCH] encoding: fix memleak in xmlRegisterCharEncodingHandler()

2020-12-07 Thread Nick Wellnhofer via xml
On 07/12/2020 13:19, Xiaoming Ni wrote: The return type of xmlRegisterCharEncodingHandler() is void. The invoker cannot determine whether xmlRegisterCharEncodingHandler() is executed successfully. When nbCharEncodingHandler >= MAX_ENCODING_HANDLERS, the "handler" is not added to the array

Re: [xml] [PATCH] xmlschemastypes.c: xmlSchemaGetFacetValueAsULong add, check "facet->val"

2020-12-07 Thread Nick Wellnhofer via xml
On 07/12/2020 13:17, Xiaoming Ni wrote: The xmlSchemaGetFacetValueAsUlong() API is an external API. The validity of external input parameters must be strictly verified. Before accessing "facet->val->value", we need check whether "facet->val" is a null pointer. Signed-off-by: wuqing

Re: [xml] Fwd: Windows libxml2.lib missing?

2020-12-09 Thread Nick Wellnhofer via xml
On 09/12/2020 01:49, Pro Turm via xml wrote: do you know why the provided Windows binaries don't contain any .lib files? No .lib has been provided here http://xmlsoft.org/sources/win32/64bit/ It's explained in readme.txt. Nick

Re: [xml] [PATCH] Fix xmlURIEscape memory leaks.

2020-11-09 Thread Nick Wellnhofer via xml
Merged here: https://gitlab.gnome.org/GNOME/libxml2/-/commit/7c06d99e1f4f853e3c5b307c0dc79c8a32a09855 Nick On 27/10/2020 19:33, enh via xml wrote: Found by running the fuzz/uri.c fuzzer under asan (internal Android bug 171610679). Always free `ret` when exiting on failure. I've moved the

Re: [xml] [PATCH] Fix xmlURIEscape memory leaks.

2020-11-06 Thread Nick Wellnhofer via xml
On 06/11/2020 00:54, enh via xml wrote: ping? (let me know if this should be a pull request somewhere instead...) Sending patches to the mailing list is fine. It might take another week or two, but the issue will be addressed eventually. Nick

Re: [xml] Constraint validation for huge documents

2021-01-05 Thread Nick Wellnhofer via xml
The XML Schemas code hasn't been actively maintained for more than 10 years, so it's unlikely to receive a helpful answer regarding the code. There was a recent patch which might help: https://gitlab.gnome.org/GNOME/libxml2/-/commit/faea2fa9b890cc329f33ce518dfa1648e64e14d6 Other than that,

Re: [xml] Issue in building for arm...

2021-01-18 Thread Nick Wellnhofer via xml
On 18/01/2021 12:30, Abu Muttalib via xml wrote: In file included from /usr/include/python2.7/Python.h:8:0,                  from libxml.c:15: /usr/include/python2.7/pyconfig.h:14:54: fatal error: arm-linux-gnueabihf/python2.7/pyconfig.h: No such file or directory compilation terminated.

Re: [xml] Release of libxml2 2.9.11

2021-05-14 Thread Nick Wellnhofer via xml
On 13/05/2021 23:13, Stefan Behnel wrote: Difficult to say if this is an improvement or deliberate breakage. Technically, it's not a semantic change in the XML output, rather a byte level change in ignorable whitespace. But I'll need to look into it further to understand what the best adaptation

Re: [xml] xmlGetNodePath() returns invalid path for XML_DTD_NODE

2021-02-08 Thread Nick Wellnhofer via xml
On 28/01/2021 14:51, Christoph M. Becker via xml wrote: -if ((node == NULL) || (node->type == XML_NAMESPACE_DECL)) +if ((node == NULL) || (node->type == XML_NAMESPACE_DECL) +|| (node->type == XML_DTD_NODE)) return (NULL); This should be fixed for other node types as
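Review bot: the guard in the `+` lines still rejects node types one comparison at a time (`XML_NAMESPACE_DECL`, now `XML_DTD_NODE`), so every further type that cannot produce a valid path needs another clause added by hand. Consider adding a short comment above the condition stating which `node->type` values are rejected and why, and formatting the continued condition so the `||` operators line up under the opening parenthesis; the reply quoted with the hunk already points out that other node types need the same handling.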

Re: [xml] warning: cast from 'unsigned char *' to 'unsigned short *'

2021-03-23 Thread Nick Wellnhofer via xml
On 23/03/2021 00:38, Jeffrey Walton via xml wrote: encoding.c:500:26: warning: cast from 'const unsigned char *' to 'unsigned short *' increases required alignment from 1 to 2 [-Wcast-align] unsigned short* in = (unsigned short*) inb; If the buffers are aligned, then you can use

Re: [xml] xmlGetNodePath() returns invalid path for XML_DTD_NODE

2021-03-13 Thread Nick Wellnhofer via xml
On 08/02/2021 18:01, Christoph M. Becker wrote: On 08.02.2021 at 17:23, Nick Wellnhofer wrote: This should be fixed for other node types as well. Does the attached patch work for you? Yes, that works fine. Thank you! This is fixed in master now:

Re: [xml] [PATCH] fix memory leak when xmlRegStatePush failed

2021-03-13 Thread Nick Wellnhofer via xml
On 12/01/2021 10:42, zhuyan (M) wrote: In the function xmlRegStatePush, if xmlMalloc or xmlRealloc fails, Yes, there are many issues that arise from poor handling of malloc failures. Fortunately, similar issues can be found quite effectively by changing the fuzzers to inject malloc

Re: [xml] libxml2 2.9.10 and Hang after Testing parser : 61 of 70 functions

2021-03-22 Thread Nick Wellnhofer via xml
On 22/03/2021 05:21, Jeffrey Walton via xml wrote: I'm working on my old PowerMac G5, powerpc-apple-darwin9.8.0. I'm trying to build an updated OpenSSH. libxml2 2.9.10 is a distant dependency. First of all, it's great to hear that libxml2 compiled at all and that most of the tests seem to

Re: [xml] about xmlReadMemory()

2021-03-02 Thread Nick Wellnhofer via xml
On 02/03/2021 16:28, nicolas bats via xml wrote: Hi, is there's a reason why xmlReadMemory () accepts int as the size of the array to transform to xmlDocPtr. no doubt there's one... That's simply a design mistake. The API was created

Re: [xml] about xmlReadMemory()

2021-03-03 Thread Nick Wellnhofer via xml
On 03/03/2021 09:30, nicolas bats wrote: Hi Nick, I've experimented with xmlReadIO and it's cool. this message just to check I'm doing right: -I register an xmlInputReadCallback of type: size_t myCallback(void* context, char* buffer, int length) -I do my stuff in the callback and if data I use

Re: [xml] userdata for SAX parsing with schema validation

2022-01-03 Thread Nick Wellnhofer via xml
On 23/12/2021 20:14, Lara Blatchford wrote: Hi - I have a simple SAX handler set up, and schema validation errors are being caught by my structured error handler.  So far so good. It appears that the userdata argument to xmlSAXUserParseMemory /must/ be the xmlSchemaSAXPlugPtr returned by the

[xml] Stepping down

2021-07-22 Thread Nick Wellnhofer via xml
I never really asked for it but in the last years I became de-facto maintainer of both libxml2 and libxslt. Luckily, I was able to fund my involvement through Chrome VRP bug bounties and OSS-Fuzz integration rewards. Big thanks to Google for these outstanding programs. Unfortunately, returns

Re: [xml] Resuming maintenance

2022-01-14 Thread Nick Wellnhofer via xml
On 12/01/2022 17:30, Stefan de Konink wrote: If you're seeing degraded performance on large documents, it's likely another issue with quadratic runtime. Fixing such issues algorithmically should typically yield much better results than trying to work around them with multi-threading. What

Re: [xml] Resuming maintenance

2022-01-12 Thread Nick Wellnhofer via xml
On 10/01/2022 20:47, Mike Dalessio wrote: Although I'm relieved, the potential loss of maintainers from the project was alarming. Perhaps another goal to consider for the year is to expand the pool of contributors and

Re: [xml] Resuming maintenance

2022-01-12 Thread Nick Wellnhofer via xml
On 11/01/2022 11:38, Daniel Veillard wrote: So you want to reintegrate libxml2 within the GNOME framework ? TBH now that I have very limited bandwidth that's probably the right thing to do. I didn't mean the GNOME desktop environment itself, but the infrastructure that the GNOME Foundation

Re: [xml] Resuming maintenance

2022-01-12 Thread Nick Wellnhofer via xml
On 10/01/2022 16:51, Stefan de Konink wrote: This is great news, thanks Google for acknowledging the importance of maintaining core open source products. Your previous improvements on XSD validation made a great difference, but from my prototype in Python (LXML) I assume that multithreaded

[xml] Resuming maintenance

2022-01-10 Thread Nick Wellnhofer via xml
Hello, Thanks to a donation from Google, I'm able to resume maintenance of libxml2 (and libxslt) for the remainder of 2022. My immediate plans are: - Make a bug fix release fixing many regressions. - Establish a new release schedule, possibly with multiple branches being maintained. - Move

[xml] Support libxml2 and libxslt on Open Collective

2022-02-21 Thread Nick Wellnhofer via xml
Hello, You can now support libxml2 and libxslt financially on Open Collective: https://opencollective.com/libxml2 All donations go through the Open Source Collective, a non-profit organization providing financial and legal infrastructure for thousands of open source projects.

[xml] Intent to remove build systems for outdated platforms

2022-02-16 Thread Nick Wellnhofer via xml
I plan to remove several directories from the libxml2 repo containing build systems for outdated platforms. VxWorks https://gitlab.gnome.org/GNOME/libxml2/-/tree/master/VxWorks Bakefile https://gitlab.gnome.org/GNOME/libxml2/-/tree/master/bakefile MacOS 9

[xml] Release of libxml2 2.9.13

2022-02-20 Thread Nick Wellnhofer via xml
Version 2.9.13 of libxml2 is available at: https://download.gnome.org/sources/libxml2/2.9/ Note that starting with this release, libxml2 tarballs are published on download.gnome.org instead of ftp.xmlsoft.org. ### Security - [CVE-2022-23308] Use-after-free of ID and IDREF attributes

Re: [xml] Release of libxml2 2.9.13

2022-02-21 Thread Nick Wellnhofer via xml
On 21/02/2022 14:57, Mike Dalessio wrote: I'm not asking specifically for a CVSS score for this vulnerability, and I'm certainly not asking you to create a CVE for every memory fix that's found. I'm only asking for a more accessible explanation of the conditions under which an application

Re: [xml] Release of libxml2 2.9.13

2022-02-23 Thread Nick Wellnhofer via xml
On 23/02/2022 08:17, Stefan Behnel wrote: Could you make the archives available in a (second) format that matches all (previous) releases? The archives are automatically converted to .tar.xz when uploaded to the GNOME download server. I have no influence on that. Personally, I'd prefer

Re: [xml] Support libxml2 and libxslt on Open Collective

2022-02-27 Thread Nick Wellnhofer via xml
On 23/02/2022 23:39, Eberhard wrote: Dumb question. How do I contribute in dollars? I get Euros and no option to change. E Everything should be set to USD now. Nick ___ xml mailing list, project page http://xmlsoft.org/ xml@gnome.org

Re: [xml] Release of libxml2 2.9.13

2022-02-20 Thread Nick Wellnhofer via xml
On 20/02/2022 20:50, Mike Dalessio wrote: Is there any additional information about CVE-2022-23308 (other than the commit log) that would help downstream projects triage? Was there a CVSS score calculated or severity assigned? In this case, the CVE record is managed by a third party. It

Re: [xml] Schema validation skipping IDC

2022-02-09 Thread Nick Wellnhofer via xml
On 01/02/2022 13:39, Stefan de Konink wrote: Hi, Would a patch be accepted that would create an option to disable identity constraints at runtime? Use case: only syntactically validate a file. I'm always reluctant to add new features, especially if it sounds like it only solves a problem

Re: [xml] Schema validation skipping IDC

2022-02-09 Thread Nick Wellnhofer via xml
On 09/02/2022 14:48, Stefan de Konink wrote: On Wednesday, February 9, 2022 1:25:41 PM CET, Nick Wellnhofer wrote: I'm always reluctant to add new features, especially if it sounds like it only solves a problem for a single user. Do you want to disable checking of identity constraints for

[xml] Is anyone still using XPointer ranges?

2022-04-07 Thread Nick Wellnhofer via xml
I'm curious if there are people out there who still use XPointer ranges, specifically things like the range-to XPath extension function. This part of the code base is extremely buggy and the latest spec seems to be a Working Draft from 2002 which was never finished [1]. The xpointer() scheme is

Re: [xml] Euro sign in xml:id

2022-04-06 Thread Nick Wellnhofer via xml
On 06/04/2022 00:40, Einhard Leichtfuß wrote: I noticed that xmllint complains about the Euro sign ("€") in an xml:id. - "validity error : xml:id : attribute value € is not an NCName" The W3C's XML specification, however, seems to allow this: - https://www.w3.org/TR/xml-id/#processing -

Re: [xml] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43743

2022-06-27 Thread Nick Wellnhofer via xml
On 24/06/2022 21:48, enh via xml wrote: did anyone report https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43743 to libxml2 directly? No, this wasn't reported. For now, these issues should be reported to the libxml2 bug

[xml] Release of libxml2 2.9.14

2022-05-02 Thread Nick Wellnhofer via xml
Version 2.9.14 of libxml2 is available at: https://download.gnome.org/sources/libxml2/2.9/ Note that starting with 2.9.13, libxml2 tarballs are published on download.gnome.org instead of ftp.xmlsoft.org. ### Security - [CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer - Fix

Re: [xml] How can I parse an XML file whose filesystem path is a Unicode string?

2022-08-02 Thread Nick Wellnhofer via xml
On 31/07/2022 17:40, Paul Kinnucan via xml wrote: My Xerces-c implementation uses a custom entity resolver to resolve file entities. I might need a custom entity resolver to fix the problem with the libxml2 implementation. However, libxml2 does not seem to support custom entity resolvers. At

[xml] Release of libxml2 2.10.1

2022-08-25 Thread Nick Wellnhofer via xml
Version 2.10.1 of libxml2 is available at: https://download.gnome.org/sources/libxml2/2.10/ This fixes some showstoppers reported by early adopters of 2.10.0. Thanks for the reports! ### Regressions - Fix xmlCtxtReadDoc with encoding ### Bug fixes - Fix HTML parser with threads and

[xml] Release of libxml2 2.10.2

2022-08-29 Thread Nick Wellnhofer via xml
Version 2.10.2 of libxml2 is available at: https://download.gnome.org/sources/libxml2/2.10/ This should really fix the build with Python 3.10. ### Improvements - Remove set-but-unused variable in xmlXPathScanName - Silence -Warray-bounds warning ### Build system - build: require

[xml] This mailing list will be retired by the end of Oct 2022

2022-10-21 Thread Nick Wellnhofer via xml
According to [1], GNOME's Mailman platform is being decommissioned which probably means that this mailing list will go away soon. Nick [1] https://mail.gnome.org/archives/foundation-list/2022-October/msg2.html

[xml] Release of libxml2 2.10.3

2022-10-14 Thread Nick Wellnhofer via xml
Version 2.10.3 of libxml2 is available at: https://download.gnome.org/sources/libxml2/2.10/ ### Security - [CVE-2022-40304] Fix dict corruption caused by entity reference cycles - [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE - Fix overflow check in SAX2.c ### Portability -

[xml] Release of libxml2 2.10.0

2022-08-17 Thread Nick Wellnhofer via xml
Version 2.10.0 of libxml2 is available at: https://download.gnome.org/sources/libxml2/2.10/ In this release, I started to remove a lot of old cruft like build systems for outdated platforms which haven't been touched in 10+ years. The Docbook parser module has been removed completely. As