[XERCESC-1081] Array Bound Read, causing inconsistent segmentation violation in XMLFormatter::formatBuf - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 2.3.0
Fix Version/s: 2.4.0
Component/s: Utilities
Labels:
None
Environment:
Operating System: All
Platform: All

Bugzilla Id:
25218

Description

from XMLFormatter.cpp, line 363

when tmpPtr == endPtr it still gets dereferenced:

while (!inEscapeList(actualEsc, *tmpPtr) && (tmpPtr < endPtr))
tmpPtr++;

this should have been:

while ((tmpPtr < endPtr)) && !inEscapeList(actualEsc, *tmpPtr))
tmpPtr++;

It shows up as an array bound read in Purify when the array of characters is
not null terminated.
This is very evil since it will only cause a problem if the string was
allocated at the very end of the free store.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Jeroen Dirks

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 05/Dec/03 02:25

Updated:: 12/Mar/18 03:54

Resolved:: 09/Apr/04 16:47