Uploaded image for project: 'Xerces-C++'
  1. Xerces-C++
  2. XERCESC-1921

Buffer overflow in XMLString::replaceTokens()

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Utilities
    • Labels:
      None
    • Environment:
      Probably any C++ Environment

      Description

      The function XMLString::replaceTokens() does not take its terminating NULL into account when comparing with the maxChars limit passed by the caller. Consequently, when passed a too-large string, it will overwrite one XMLCh after the buffer.

      It should be changed to test (curOutInd+1 < maxChars), and increment curOutInd when setting the null.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                sacolcor Scott Colcord
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: