Details
- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 1.11
- Fix Version/s: None
- Component/s: None
Description
In the functions

void
DOMStringHelper::NumberToCharacters(
    double theValue,
    FormatterListener& formatterListener,
    MemberFunctionPtr function)

and

NumberToDOMString(
    double theValue,
    XalanDOMString& theResult)

an array is created on the stack in order to convert theValue:

    char theBuffer[MAX_PRINTF_DIGITS + 1];

If theValue is quite big, for example 1.79769e+308, which is the biggest possible double value, then theBuffer is overwritten, since it allocates only 100 bytes for storing theValue, whereas when the format string "%.35f" is used it requires around 350 bytes to store the converted double.

I think, first, MAX_PRINTF_DIGITS is used by mistake in this context. Instead MAX_FLOAT_CHARACTERS should have been used, and MAX_FLOAT_CHARACTERS must be defined like this:

    // The maximum number of characters for a floating point number.
    const size_t MAX_FLOAT_CHARACTERS = 400;

in order to have enough space to store 308 digits before the point, a point, up to 35 digits after the point, and the NULL terminator at the end.
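The following is an added example, not code from Xalan-C or from the bug report. It measures how many characters "%.35f" actually produces for the largest finite double, compares that against the two buffer sizes named above (MAX_PRINTF_DIGITS + 1 and the proposed MAX_FLOAT_CHARACTERS, both reproduced here as local defines), and shows a hypothetical checked conversion, format_double_checked(), that uses snprintf's return value to refuse the conversion instead of overflowing the caller's buffer. The names required_length, format_double_checked and proposed_size_is_sufficient are assumptions of this example only.

```c
#include <assert.h>
#include <float.h>
#include <stdio.h>
#include <string.h>

/* Sizes as stated in the bug report: the existing stack buffer is
   MAX_PRINTF_DIGITS + 1 bytes, the proposed replacement is
   MAX_FLOAT_CHARACTERS bytes. (Local defines for this example.) */
#define MAX_PRINTF_DIGITS    100
#define MAX_FLOAT_CHARACTERS 400

/* Number of characters "%.35f" produces for `value`, excluding the NUL.
   snprintf with a zero-length buffer only measures, it writes nothing. */
size_t required_length(double value)
{
    int n = snprintf(NULL, 0, "%.35f", value);
    return n < 0 ? 0 : (size_t)n;
}

/* Hypothetical hardened conversion (example only): formats into a
   caller-supplied buffer and returns 0 instead of overflowing when the
   result would not fit. Returns the number of characters written
   (excluding the NUL) on success. */
size_t format_double_checked(double value, char *buf, size_t bufsize)
{
    if (buf == NULL || bufsize == 0)
        return 0;

    int n = snprintf(buf, bufsize, "%.35f", value);
    if (n < 0 || (size_t)n >= bufsize) {
        /* Truncated: do not hand back a partial number. */
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

/* Does the proposed 400-byte buffer hold every finite double?
   Worst case is -DBL_MAX: sign + 309 integer digits + '.' + 35 digits. */
int proposed_size_is_sufficient(void)
{
    size_t worst = required_length(-DBL_MAX);
    return worst + 1 <= MAX_FLOAT_CHARACTERS;  /* +1 for the NUL */
}

int main(void)
{
    char small[MAX_PRINTF_DIGITS + 1];
    char large[MAX_FLOAT_CHARACTERS];

    printf("\"%%.35f\" of DBL_MAX needs %zu chars plus a NUL\n",
           required_length(DBL_MAX));
    printf("%zu-byte buffer: %s\n", sizeof small,
           format_double_checked(DBL_MAX, small, sizeof small)
               ? "ok" : "would overflow, rejected");
    printf("%zu-byte buffer: %s\n", sizeof large,
           format_double_checked(DBL_MAX, large, sizeof large)
               ? "ok" : "rejected");
    printf("proposed size sufficient for all finite doubles: %s\n",
           proposed_size_is_sufficient() ? "yes" : "no");
    return 0;
}
```

With glibc, "%.35f" prints the exact decimal expansion, so DBL_MAX (309 digits before the point) needs 345 characters, well past the 101-byte buffer and within the proposed 400. Checking snprintf's return value against the buffer size is what turns a silent stack overwrite into a detectable failure, independent of which constant is chosen.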