Description
From XMLFormatter.cpp, line 363:
When tmpPtr == endPtr, it still gets dereferenced:
    while (!inEscapeList(actualEsc, *tmpPtr) && (tmpPtr < endPtr))
        tmpPtr++;
This should have been:
    while ((tmpPtr < endPtr) && !inEscapeList(actualEsc, *tmpPtr))
        tmpPtr++;
It shows up as an array bound read in Purify when the array of characters is
not null terminated.
This is very evil since it will only cause a problem if the string was
allocated at the very end of the free store.
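
An added example, not code from the report or from the project: both operand orders run over a constructed, non-null-terminated buffer, with an instrumented read that counts dereferences at or beyond endPtr. Ch, readAt, scanReported, scanFixed, the simplified inEscapeList and the sample data are assumptions made for this illustration; the buffer carries one spare element so the extra read stays inside the allocation here.

```cpp
#include <cstddef>

typedef unsigned short Ch;  // stand-in for the 16-bit character type (assumption)

// Simplified stand-in for inEscapeList(): true if ch is in the 0-terminated list.
static bool inEscapeList(const Ch* escList, Ch ch) {
    for (; *escList; ++escList)
        if (*escList == ch) return true;
    return false;
}

// Instrumented dereference: counts reads at or beyond endPtr.
static Ch readAt(const Ch* p, const Ch* endPtr, int& pastEnd) {
    if (p >= endPtr) ++pastEnd;
    return *p;
}

// Operand order from the report: dereference first, bounds check second.
static std::size_t scanReported(const Ch* src, const Ch* endPtr,
                                const Ch* esc, int& pastEnd) {
    const Ch* tmpPtr = src;
    while (!inEscapeList(esc, readAt(tmpPtr, endPtr, pastEnd)) && (tmpPtr < endPtr))
        tmpPtr++;
    return static_cast<std::size_t>(tmpPtr - src);
}

// Corrected order: && short-circuits, so nothing is read once tmpPtr == endPtr.
static std::size_t scanFixed(const Ch* src, const Ch* endPtr,
                             const Ch* esc, int& pastEnd) {
    const Ch* tmpPtr = src;
    while ((tmpPtr < endPtr) && !inEscapeList(esc, readAt(tmpPtr, endPtr, pastEnd)))
        tmpPtr++;
    return static_cast<std::size_t>(tmpPtr - src);
}

// Constructed sample: logical text is "abc" (3 elements, no terminator);
// kBuf[3] is spare storage so the reported order's extra read is defined here.
static const Ch kBuf[4] = {'a', 'b', 'c', '&'};
static const Ch kEsc[]  = {'&', '<', 0};

int main() {
    int reported = 0, fixed = 0;
    scanReported(kBuf, kBuf + 3, kEsc, reported);  // reported becomes 1
    scanFixed(kBuf, kBuf + 3, kEsc, fixed);        // fixed stays 0
    return (reported == 1 && fixed == 0) ? 0 : 1;
}
```

Both loops stop at the same index, so the difference is invisible in output; only the read count (or a tool such as Purify) exposes it.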