Xerces-C++ issue XERCESC-2088

Bad casting from DOMTextImpl to DOMElementImpl


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.1, 3.1.2, 3.1.3, 3.1.4
    • Fix Version/s: 3.2.0
    • Component/s: DOM
    • Labels:
      None
    • Environment:
      ubuntu 16.04 LTS, Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 16GB

      Description

      Hi all,

      Our recently developed type confusion detection tool reports a type confusion error in "xercesc/dom/imple/DOMCasts.hpp".

      xercesc/dom/imple/DOMCasts.hpp, line 146

      static inline DOMNodeImpl *castToNodeImpl(const DOMNode *p)
      {
          DOMElementImpl *pE = (DOMElementImpl *)p;
          return &(pE->fNode);
      }

      p points to an object allocated as DOMTextImpl, and it is cast to DOMElementImpl. However, since DOMElementImpl is not a subobject of DOMTextImpl, this violates C++ standard rule 5.2.9/11 (a downcast is undefined if the object the cast pointer points to is not a subobject of the target type) and causes undefined behavior.

      There are similar type-confusion cases at the links below.

      I attached an actual type confusion report and object relationship information.
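The cast pattern the report describes, rebuilt as an added, self-contained C++ example. This is not Xerces code and not the casting.patch or DOMNodeBase.hpp attached to this issue; the class names NodeImpl, ElementImpl, TextImpl, HasNodeImpl and ForeignNode are stand-ins chosen here to mirror DOMNodeImpl, DOMElementImpl and DOMTextImpl. It places the blind C-style cast next to a hardened version that cross-casts through an RTTI-checked mix-in, and it measures the fNode offset on live objects to show why the old cast cannot be right for both node types without actually executing the undefined read.

```cpp
#include <cstddef>
#include <string>
#include <utility>

// Constructed stand-ins for the xercesc classes named in the report (assumed
// names, not Xerces code).

struct NodeImpl {                 // role of DOMNodeImpl: per-node bookkeeping
    std::string name;
    unsigned flags = 0;
};

struct Node {                     // role of the abstract DOMNode interface
    virtual ~Node() = default;
    virtual const char* nodeName() const = 0;
};

// Mix-in for every concrete node that owns a NodeImpl. A cross-cast to this
// base replaces the blind cast to ElementImpl. (The 3.2.0 fix added a common
// base in DOMNodeBase.hpp; its exact interface is not reproduced here.)
struct HasNodeImpl {
    virtual ~HasNodeImpl() = default;
    virtual NodeImpl* getNodeImpl() const = 0;
};

struct ElementImpl : Node, HasNodeImpl {
    NodeImpl fNode;               // first data member: what the old cast relied on
    std::string tagName;
    explicit ElementImpl(std::string t) : tagName(std::move(t)) { fNode.name = tagName; }
    const char* nodeName() const override { return tagName.c_str(); }
    NodeImpl* getNodeImpl() const override { return const_cast<NodeImpl*>(&fNode); }
};

struct TextImpl : Node, HasNodeImpl {
    std::string data;             // a different leading member, so fNode sits elsewhere
    NodeImpl fNode;
    explicit TextImpl(std::string d) : data(std::move(d)) { fNode.name = "#text"; }
    const char* nodeName() const override { return "#text"; }
    NodeImpl* getNodeImpl() const override { return const_cast<NodeImpl*>(&fNode); }
};

// A Node that carries no NodeImpl at all; the hardened cast must refuse it.
struct ForeignNode : Node {
    const char* nodeName() const override { return "#foreign"; }
};

// BEFORE: the shape of castToNodeImpl() quoted in the report. Well-defined
// only when *p really is an ElementImpl; for a TextImpl it would read whatever
// lies at ElementImpl's fNode offset (type confusion). Never called on a
// TextImpl below.
static inline NodeImpl* castToNodeImplUnsafe(const Node* p)
{
    ElementImpl* pE = (ElementImpl*)p;
    return &(pE->fNode);
}

// AFTER: cross-cast through the RTTI-checked mix-in and ask the object for its
// own NodeImpl. Yields nullptr (a caller-checkable failure) instead of a
// mis-typed pointer when the object has no NodeImpl.
static inline NodeImpl* castToNodeImpl(const Node* p)
{
    const HasNodeImpl* h = dynamic_cast<const HasNodeImpl*>(p);
    return h ? h->getNodeImpl() : nullptr;
}

// Byte offset of fNode from the Node subobject, measured on a live object.
template <class T>
static std::ptrdiff_t fNodeOffsetFromNode(const T& obj)
{
    const Node* base = &obj;      // implicit derived-to-base conversion
    return reinterpret_cast<const char*>(&obj.fNode) - reinterpret_cast<const char*>(base);
}

bool safeCastMatchesUnsafeOnElement() {
    ElementImpl e("div");         // the one case where the old cast is valid
    return castToNodeImpl(&e) == &e.fNode && castToNodeImplUnsafe(&e) == &e.fNode;
}

bool safeCastFindsTextNodeImpl() {
    TextImpl t("hello");
    const Node* n = &t;           // what the DOM hands out: only the interface type
    NodeImpl* ni = castToNodeImpl(n);
    return ni == &t.fNode && ni->name == "#text";
}

bool safeCastRejectsForeign() {
    ForeignNode f;
    return castToNodeImpl(&f) == nullptr;
}

// fNode lives at different offsets in the two classes, so one fixed cast cannot
// reach it in both: that is the confusion the report's tool flagged.
bool layoutsDiffer() {
    ElementImpl e("p");
    TextImpl t("x");
    return fNodeOffsetFromNode(e) != fNodeOffsetFromNode(t);
}
```

The dynamic_cast costs an RTTI lookup per call, which is the price of turning silent type confusion into a checkable nullptr; a caller that cannot tolerate that on a hot path can instead keep a non-virtual accessor on the common base, but must still route every node type through that base rather than assuming one concrete layout.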

        Attachments

        1. Actual_result.txt
          3 kB
          Yuseok Jeon
        2. casting.patch
          53 kB
          Scott Cantor
        3. DOMNodeBase.hpp
          8 kB
          Scott Cantor
        4. relationship_tree.jpeg
          50 kB
          Yuseok Jeon


            People

            • Assignee: Scott Cantor (scantor)
            • Reporter: Yuseok Jeon
            • Votes: 0
            • Watchers: 5
