Uploaded image for project: 'Xerces-C++'
  1. Xerces-C++
  2. XERCESC-1921

Buffer overflow in XMLString::replaceTokens()

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Utilities
    • Labels:
      None
    • Environment:
      Probably any C++ Environment

      Description

      The function XMLString::replaceTokens() does not take its terminating NULL into account when comparing with the maxChars limit passed by the caller. Consequently, when passed a too-large string, it will overwrite one XMLCh after the buffer.

      It should be changed to test (curOutInd+1 < maxChars), and increment curOutInd when setting the null.

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              sacolcor Scott Colcord

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment