[XERCESC-1251] makeContentModel in ComplexTypeInfo could crash Xerces when creating a MixedContentModel - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.5.0
Fix Version/s: 2.6.0
Component/s: Validating Parser (XML Schema)
Labels:
None
Environment:
Windows Xp Sp1

Description

In makeContentModel method in complextypeinfo.cpp, the following code could crash Xerces:

aSpecNode = new (fMemoryManager) ContentSpecNode(*fContentSpec);
aSpecNode = convertContentSpecTree(aSpecNode, checkUPA);
retModel = buildContentModel(aSpecNode);
delete aSpecNode;

In the case when buildContentModel creates a MixedContentModel model, the statement "delete aSpecNode" freed fChildren in MixedContentModel. Later access to fChildren could crash Xerces.

We ran into some crashes due to this bug. One possible fix is to create a QName in the class MixedContentModel:

line 212

for (unsigned int index = 0; index < fCount; index++)

{ fChildren[index] = new QName(*children.elementAt(index)); fChildTypes[index] = childTypes.elementAt(index); }

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Andrew Fang

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 10/Aug/04 15:14

Updated:: 12/Mar/18 04:05

Resolved:: 12/Oct/04 16:06