The problem can occur if one of the arguments is NULL.
Test argument and fix assertion.
(cherry picked from commit 3d7c1dbd5901300d0ad7db6653e8008aa54ab89c)
1. Test Instr before dereferencing it in http_RecvPostMessage.
(Though it never becomes NULL because NULL is not passed to
the static method)
2. Avoid strdup(NULL) in ixmlElement_setAttributeNS.
Those are detected by llvm scan-build.
(cherry picked from commit a383cbb8e20545222880f064a5b27c15abbf9280)
Check return code of ixmlDocument_CreateElementEx in
ixmlDocument_CreateElement.
Check return code of ixmlNode_setNodeName and ixmlNode_setNodeValue in
ixmlNode_cloneCDATASect and ixmlNode_cloneTextNode.
(cherry picked from commit d3d17da6e5ddb8be5e1085ac653d79e46708169a)
Comment unused SERVER from DeviceShutdown.
Comment unused max from parse_hostport.
Comment unused nodeptr from ixmlNode_cloneDoc.
Comment unused newNode from Parser_hasDefaultNamespace.
Comment unused Parser_parseReference function
Check return code of shutdown and display an error if needed.
(forward port of commit cb07623ddece5c5cd1f2867336d92aee938a1334)
Commit d48d73720bd325062c4d3b9ce85f3944be4f562d added a bug in
ixmlNode_allowChildren, this function was returning FALSE instead of
TRUE when newChild->nodeName was eELEMENT_NODE.
(cherry picked from commit 76eb3f869b3fabf06057bcfe28f9a6b9fd57131f)
Replace if statements with switch when using enums in ixml.
Remove unneeded initialization in ixmlAttr_init, Parser_init and
ixmlNode_init which was wrongly added in commit
06660b6383c438e4e2c9ca9854077cecc4da9e5d.
(cherry picked from commit d48d73720bd325062c4d3b9ce85f3944be4f562d)
Submitted: Terry Farnham ( tfarnham ) - 2011-02-07 09:25:25 PST
Details: The strcmp(pNode->prefix,pCur->prefix) crashes on pCur->prefix
being NULL. This occurs on invalidly formatted xml where a node uses an
undefined namespace. I would expect to receive IXML_FAILED in this
situation.
(cherry picked from commit 2fb791c9bbab69bcb39153a663b8da95ae44a9c0)
Check that newNode is not NULL in ixmlNode_cloneNodeTree and pass newAttr
as the return node in the ixmlElement_setAttributeNodeNS call of
ixmlElement_setAttributeNS.
(cherry picked from commit 9b616a08df3613bf27473d176b1b72cd671b75a5)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 04:54:40 PST
If ixmlNode_isParent(nodeptr, newChild) returns TRUE,
ixmlNode_removeChild(nodeptr, newChild, NULL) will free newChild before
the modifications of newChild->nextSibling and newChild->prevSibling.
(cherry picked from commit 4f34a12a83101830e88a6e86013a47f57858d996)
Submitted: zephyrus ( zephyrus00jp ) - 2012-03-07 02:31:14 PST
Details: a function is declared as
EXPORT_SPEC IXML_Document *ixmlDocument_createDocument();
This should read as follows in order to suppress strict prototype checking by GCC.
EXPORT_SPEC IXML_Document *ixmlDocument_createDocument(void);
(cherry picked from commit 9965f0272750469985e71a37c5696a35070d916e)
xmlParser->pCurElement was dereferenced before null check.
Affects debug build only.
(cherry picked from commit 71ab707e817379c45563ca01f2aadc1959b00829)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-07 02:30:57 PST
attr is not freed if ixmlNode_setNodeProperties or
ixmlNode_setAttributeNode return an error in
Parser_processAttributeName.
(cherry picked from commit 268abf72fb63332a4d6185176f2c334926c36eb8)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 14:20:58 PST
fileSize = ftell( xmlFilePtr ); can return a negative value, in this
case the function should exit (at the moment, the function exits only
if ftell returns 0).
(cherry picked from commit a8bcbe94911d13718d07f5dd6f5fdb1f76c58ded)
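The ftell() check described in the commit message above, as an added example that is not libupnp's code: it reads a stream into a buffer and rejects every non-positive size before allocating. The names checked_size and load_stream and the LOAD_* codes are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status codes for this example, not ixml's IXML_* values. */
enum { LOAD_OK = 0, LOAD_IO_ERROR = -1, LOAD_NO_MEMORY = -2 };

/* ftell() returns -1L on failure; testing only for 0 lets that through. */
static int checked_size(long raw, size_t *out)
{
    if (raw <= 0)
        return LOAD_IO_ERROR;
    *out = (size_t)raw;
    return LOAD_OK;
}

/* Read a whole stream into a NUL-terminated heap buffer (caller frees). */
static int load_stream(FILE *fp, char **out)
{
    size_t size;
    *out = NULL;
    if (fseek(fp, 0L, SEEK_END) != 0)    /* unseekable, e.g. a pipe */
        return LOAD_IO_ERROR;
    if (checked_size(ftell(fp), &size) != LOAD_OK || fseek(fp, 0L, SEEK_SET) != 0)
        return LOAD_IO_ERROR;
    char *buf = malloc(size + 1);
    if (buf == NULL)
        return LOAD_NO_MEMORY;
    if (fread(buf, 1, size, fp) != size) {
        free(buf);
        return LOAD_IO_ERROR;
    }
    buf[size] = '\0';
    *out = buf;
    return LOAD_OK;
}

int main(void)
{
    char *xml = NULL;
    FILE *fp = tmpfile();                /* constructed sample input */
    int rc = LOAD_IO_ERROR;
    if (fp != NULL) {
        fputs("<root/>", fp);
        rc = load_stream(fp, &xml);
        fclose(fp);
    }
    printf("rc=%d xml=%s\n", rc, xml ? xml : "(none)");
    free(xml);
    return rc == LOAD_OK ? 0 : 1;
}
```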
Submitted: Terry Farnham ( tfarnham ) - 2011-06-23 09:45:54 PDT
Details: The following bit of xml results in a memory leak from the xml
parser:
const char *xmlbuffer="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<root xmlns=\"urn:schemas-upnp-org:device-1-0\" xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">
<dlna:X_DLNADOC xmlns:dlna=\"urn:schemas-dlna-org:device-1-0\">DMS-1.50</dlna:X_DLNADOC></root>";
When I execute the following code:
IXML_Document *doc = ixmlParseBuffer(xmlbuffer);
ixmlDocument_free(doc);
It results in a memory leak in ixmlparser.c line 2107 where it calls
safe_strdup( newElement->namespaceURI ); It's difficult to figure out why.
(cherry picked from commit d6f1e4112ec112a0e4e401fa95589ab5eae000c6)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-29 02:09:43 PST
newAttrNode is not freed if newAttr->n.nodeValue = strdup(value); returns
NULL or if ixmlElement_setAttributeNodeNS(element, newAttr, NULL) does
not return IXML_SUCCESS.
(cherry picked from commit a79a149e6a77946701ab32a54eb95f734461ee24)
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-02-28 04:01:02 PST
There is a memory leak in ixmlDocument_createElementEx:
newElement->tagName is not freed if
newElement->n.nodeName = strdup(tagName); returns NULL.
(cherry picked from commit 076f8e5be6e2813883f2573e3001047a6614799f)
I discovered a reliable denial-of-service issue on the last stable
release of libupnp (1.6.6) remotely triggerable by any
unauthenticated user. The issue is related to bad parsing of
malformed XML.
(cherry picked from commit 25a4bd6d253cec60ee11d7a43491e1b1a6be5465)
Thanks for the load of updates, I'm still assimilating them! Could I make
a suggestion though? The addition of printNodes(IXML_Node) to upnpdebug
adds a new dependency on ixml.h for anything using upnpdebug.h. I'm making
quite a bit of use of upnpdebug in porting things to version 1.8.0, and I'd
prefer it if printNodes could be added to ixmldebug.h instead. I'm
attaching a patch, what do you think?
Nick
git-svn-id: https://pupnp.svn.sourceforge.net/svnroot/pupnp/trunk@532 119443c7-1b9e-41f8-b6fc-b9c35fce742c