XalanC / XALANC-762

Stack is corrupted in DOMStringHelper::NumberToCharacters() if value is really big


Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.11
    • Fix Version/s: None
    • Component/s: XalanC
    • Labels: None

Description

In the functions

    void
    DOMStringHelper::NumberToCharacters(
        double theValue,
        FormatterListener& formatterListener,
        MemberFunctionPtr function)

and

    NumberToDOMString(
        double theValue,
        XalanDOMString& theResult)

an array is created on the stack in order to convert theValue:

    char theBuffer[MAX_PRINTF_DIGITS + 1];

If theValue is quite big, for example 1.79769e+308, which is the biggest possible double value, then theBuffer is overwritten, since it allocates only 100 bytes for storing theValue, whereas when the format string "%.35f" is used it requires around 350 bytes to store the converted double.

I think, first, MAX_PRINTF_DIGITS is used by mistake in this context. Instead MAX_FLOAT_CHARACTERS should have been used, and MAX_FLOAT_CHARACTERS must be defined like this:

    // The maximum number of characters for a floating point number.
    const size_t MAX_FLOAT_CHARACTERS = 400;

in order to have enough space to store 308 digits before the point, a point, up to 35 digits after the point and the NULL terminator at the end.
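To check the sizing claim in the report and to show what a bounded conversion looks like, here is an added C example. It is not code from XalanC and not part of the reporter's post: it measures how many characters "%.35f" produces for a few sample values (DBL_MAX among them), compares that against the 100-byte and 400-byte buffer sizes named in the report, and replaces the unbounded write with snprintf, which reports truncation instead of overrunning the stack. The function names (required_chars, fits, number_to_chars) and the sample values are assumptions made for this example.

```c
#include <float.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes as stated in the report: the existing stack buffer holds
   100 bytes, the proposed MAX_FLOAT_CHARACTERS is 400. */
#define ORIGINAL_BUFFER_BYTES 100
#define PROPOSED_BUFFER_BYTES 400

/* The format string the report says is used for the conversion. */
static const char *const FLOAT_FORMAT = "%.35f";

/* Number of characters "%.35f" produces for v, not counting the NUL
   terminator.  snprintf with a NULL buffer and size 0 only measures. */
int required_chars(double v)
{
    return snprintf(NULL, 0, FLOAT_FORMAT, v);
}

/* Would a buffer of buffer_bytes bytes hold the formatted value plus its
   NUL terminator?  This is the check the unbounded sprintf() call lacks. */
int fits(double v, size_t buffer_bytes)
{
    int n = required_chars(v);
    return n >= 0 && (size_t)n < buffer_bytes;
}

/* Bounded replacement for writing into theBuffer (name and signature are
   assumptions for this example, not XalanC's API).
   Returns 1 on success, 0 if the output was truncated (buf is still
   NUL-terminated and nothing past buf[n-1] is written), -1 on error. */
int number_to_chars(double v, char *buf, size_t n)
{
    int needed = snprintf(buf, n, FLOAT_FORMAT, v);
    if (needed < 0)
        return -1;
    return (size_t)needed < n ? 1 : 0;
}

int main(void)
{
    /* Constructed sample values: an ordinary number, the largest double,
       its negative (one extra character for the sign) and a tiny value. */
    const double samples[] = { 1.5, DBL_MAX, -DBL_MAX, -DBL_MIN };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double v = samples[i];
        printf("%-13g needs %3d chars; fits in %d bytes: %s; in %d bytes: %s\n",
               v, required_chars(v),
               ORIGINAL_BUFFER_BYTES, fits(v, ORIGINAL_BUFFER_BYTES) ? "yes" : "NO",
               PROPOSED_BUFFER_BYTES, fits(v, PROPOSED_BUFFER_BYTES) ? "yes" : "NO");
    }

    /* With the bounded conversion, a buffer of the original size is never
       overrun; the caller sees a truncation result and can treat it as an
       error instead of corrupting the stack. */
    {
        char small[ORIGINAL_BUFFER_BYTES];
        if (number_to_chars(DBL_MAX, small, sizeof small) == 0)
            printf("DBL_MAX truncated to %zu chars in the %d-byte buffer\n",
                   strlen(small), ORIGINAL_BUFFER_BYTES);
    }
    return 0;
}
```

DBL_MAX is an integer with 309 decimal digits, so "%.35f" yields 309 digits, the point and 35 zeros: 345 characters plus the terminator, which fits in 400 bytes but not in 100. Measuring with snprintf(NULL, 0, ...) or checking its return value against the buffer size is the general fix; the larger constant only moves the limit.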

People

    • Assignee: shathaway (Steven J. Hathaway)
    • Reporter: Sergey.Kurenkov (Sergey Kurenkov)
    • Votes: 0
    • Watchers: 3