Xerces-C++ issue XERCESC-1969

Double-free in ~XMLBuffer


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.1
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      Embedded Linux on ARM-6, cross compiled using gcc for arm-1136jfs-linux-gnueabi

      Description

      I use the following code:

      // The schemaLocation argument pairs the namespace with the schema path, separated by a space.
      TProt* pProt = new TProt(TProt::LoadFromString(std::string(pBuf), &XMLerror, std::string("http://www.foobar.org/Protocol ") + "/var/schema.xsd"));

      Which then calls:

      Cprotocol Cprotocol::LoadFromString(const string_type& text, xercesc::ErrorHandler* errHandler /* = NULL */, const string_type& schemaLocation)
      {
          return Cprotocol(XercesTreeOperations::LoadXml(text, errHandler, schemaLocation));
      }

      The stack trace which leads up to the double free:

      Thread [8] 1141 (Suspended : Container)
      ~XMLBuffer() at XMLBuffer.hpp:76 0x523fac
      ~IGXMLScanner() at IGXMLScanner.cpp:163 0x523fac
      xercesc_3_1::AbstractDOMParser::cleanUp() at AbstractDOMParser.cpp:160 0x438240
      ~AbstractDOMParser() at AbstractDOMParser.cpp:130 0x438534
      ~XercesDOMParser() at XercesDOMParser.cpp:66 0x447c84
      ~XSDDOMParser() at XSDDOMParser.cpp:66 0x49a8ac
      xercesc_3_1::IGXMLScanner::resolveSchemaGrammar() at IGXMLScanner2.cpp:1,981 0x52cc84
      xercesc_3_1::IGXMLScanner::parseSchemaLocation() at IGXMLScanner2.cpp:1,727 0x52d548
      xercesc_3_1::IGXMLScanner::scanStartTagNS() at IGXMLScanner.cpp:2,205 0x526c74
      xercesc_3_1::IGXMLScanner::scanContent() at IGXMLScanner.cpp:890 0x528a64
      xercesc_3_1::IGXMLScanner::scanDocument() at IGXMLScanner.cpp:217 0x528c58
      xercesc_3_1::AbstractDOMParser::parse() at AbstractDOMParser.cpp:545 0x438f0c
      XercesTreeOperations::LoadXml() at Node.cpp:708 0x2364d8
      protocol::prot::Cprotocol::LoadFromString() at protocol.cpp:2,270 0x2904f0
      CProtocolHelperFunctions::LoadXMLRequest() at CProtocolBase.cpp:34 0xc56cc

      And it dies at this:

      ~XMLBuffer()
      {
      =>  fMemoryManager->deallocate(fBuffer); //delete [] fBuffer;
      }

      (The "=>" marks the line the debugger stopped on.)

      It is worth mentioning that LoadFromString is called several times before this error occurs.
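The report does not say how fBuffer came to be released twice. As an added example (not Xerces code and not the reporter's), the C++ below shows the diagnostic a maintainer can put in front of such a destructor: a tracking MemoryManager that catches a second deallocate() of the same block before it reaches free(), exercised against a constructed Buffer class with the same ownership pattern as XMLBuffer. The MemoryManager stand-in, the Buffer class and its shallow-copy hazard are assumptions for illustration only.

```cpp
#include <cstddef>
#include <cstdlib>
#include <set>
#include <utility>
// Stand-in for a subset of xercesc::MemoryManager (assumption: Xerces is not linked here).
struct MemoryManager {
    virtual ~MemoryManager() {}
    virtual void* allocate(std::size_t size) = 0;
    virtual void deallocate(void* p) = 0;
};
// Counts a deallocate() of a block that is not live instead of forwarding it to free().
class TrackingMemoryManager : public MemoryManager {
public:
    void* allocate(std::size_t size) override {
        void* p = std::malloc(size);
        if (p) live_.insert(p);
        return p;
    }
    void deallocate(void* p) override {
        if (p == nullptr) return;
        if (live_.erase(p) == 0) { ++doubleFrees_; return; }  // double free: do not free() again
        std::free(p);
    }
    std::size_t doubleFrees() const { return doubleFrees_; }
private:
    std::set<void*> live_;
    std::size_t doubleFrees_ = 0;
};
// Like ~XMLBuffer above, the destructor hands fBuffer back to the manager. The shallow copy
// is a constructed hazard (two owners, one block); the move constructor transfers ownership.
class Buffer {
public:
    Buffer(MemoryManager* mm, std::size_t cap)
        : fMemoryManager(mm), fBuffer(static_cast<char*>(mm->allocate(cap))) {}
    Buffer(const Buffer& o) : fMemoryManager(o.fMemoryManager), fBuffer(o.fBuffer) {}
    Buffer(Buffer&& o) : fMemoryManager(o.fMemoryManager), fBuffer(o.fBuffer) { o.fBuffer = nullptr; }
    ~Buffer() { fMemoryManager->deallocate(fBuffer); }
private:
    MemoryManager* fMemoryManager; char* fBuffer;
};
std::size_t doubleFreesWithCopy() {            // returns 1: ~b frees the block, ~a frees it again
    TrackingMemoryManager mm;
    { Buffer a(&mm, 64); Buffer b(a); }
    return mm.doubleFrees();
}
std::size_t doubleFreesWithMove() {            // returns 0: ~a sees nullptr and returns
    TrackingMemoryManager mm;
    { Buffer a(&mm, 64); Buffer b(std::move(a)); }
    return mm.doubleFrees();
}
```

In a real build, derive the tracker from xercesc::MemoryManager and pass it to the parser so that the second release of fBuffer is reported at the point it happens rather than surfacing later as heap corruption.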

            People

            • Assignee: Unassigned
            • Reporter: nebula Jasper