  1. Xerces-C++
  2. XERCESC-1781

Removing the content handler from SAX2XMLReader mid-parse causes a null-pointer exception in some circumstances


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.8.0
    • 3.0.0
    • SAX/SAX2
    • None

    Description

      The documentation for SAX2XMLReader states that one may change the handlers (e.g. content handler) during a parse (i.e. from a handler callback) and the new handler will be used immediately. This is true, but in some circumstances it is possible to cause a null-pointer exception by removing a handler from within a callback.

      For example consider an application which has installed an advanced document handler but also wants access to the Locator object so initially sets a regular content handler (this is how I came across this issue). The content handler need only implement the setDocumentLocator method and once this method has been called and the pointer to the locator saved it can be removed. Indeed it is desirable to remove it once its work is done to reduce overhead.

      However a call to setContentHandler(NULL) of the SAX2XMLReader from within the setDocumentLocator handler method causes a null-pointer exception. This is because the startDocument handler method is called immediately afterwards without checking that the handler pointer is still valid. Of course the work-around is trivial; move the setContentHandler(NULL) call to the startDocument handler.

      There are various other handler methods where similar problems could occur. For example, endElement is called after startElement in the case of an empty element, and again it is assumed that the handler pointer remains valid. The situation here might be an application which needs to examine only the root element (e.g. to obtain information about the namespace) but wishes to parse the whole document to obtain any error information (so only the content handler is removed in startElement, not the error handler). This would work fine for most documents and the flaw would likely not be noticed, but a document with an empty root element would crash the application (potentially a security issue).

      The LexicalHandler also has one instance where this problem could arise.
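
The two scenarios in the description, modelled as an added example that is not code from Xerces-C++ or from the fix for this issue. `MiniReader`, `LocatorOnly`, `RootOnly` and `run` are hypothetical names; the reader re-checks its handler pointer before every callback so that a handler removed from inside one callback is never dereferenced by the next.

```cpp
#include <string>
#include <vector>

struct MiniReader;  // hypothetical stand-in for a SAX2-style reader, not Xerces-C++ code

struct Handler {
    virtual ~Handler() = default;
    virtual void setDocumentLocator(MiniReader&) {}
    virtual void startDocument(MiniReader&) {}
    virtual void startElement(MiniReader&, const std::string&) {}
    virtual void endElement(MiniReader&, const std::string&) {}
};

struct MiniReader {
    Handler* handler = nullptr;
    std::vector<std::string> log;  // callbacks that were actually delivered
    void setContentHandler(Handler* h) { handler = h; }

    // Events for a document whose root element is empty. The handler pointer
    // is re-read before every callback because the previous callback may have
    // removed it; one check covering two consecutive calls is the flaw described.
    void parseEmptyRoot(const std::string& name) {
        if (handler) handler->setDocumentLocator(*this);
        if (handler) handler->startDocument(*this);
        if (handler) handler->startElement(*this, name);
        if (handler) handler->endElement(*this, name);  // follows startElement directly
    }
};

// First scenario: the handler removes itself once it has seen the locator.
struct LocatorOnly : Handler {
    void setDocumentLocator(MiniReader& r) override { r.log.push_back("locator"); r.setContentHandler(nullptr); }
    void startDocument(MiniReader& r) override { r.log.push_back("startDocument"); }
};

// Second scenario: the handler inspects the root element, then removes itself.
struct RootOnly : Handler {
    void startElement(MiniReader& r, const std::string& n) override { r.log.push_back("start:" + n); r.setContentHandler(nullptr); }
    void endElement(MiniReader& r, const std::string& n) override { r.log.push_back("end:" + n); }
};

// Runs one handler over the constructed empty-root document and returns the log.
std::vector<std::string> run(Handler& h) {
    MiniReader r;
    r.setContentHandler(&h);
    r.parseEmptyRoot("root");
    return r.log;
}

int main() { LocatorOnly a; RootOnly b; return (run(a).size() == 1 && run(b).size() == 1) ? 0 : 1; }
```

In both runs the callback that follows the removal is skipped rather than dispatched through a null pointer.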

          People

            amassari Alberto Massari
            madalex Alex Smith