Xerces-C++ / XERCESC-2116

Buffer overflow at XSD Validation

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.4
    • Fix Version/s: 3.2.0
    • Labels:
      None
    • Environment:
      iSeries Release V7R1M0

      Description

      In DFAContentModel there is a buffer overflow on systems with a pointer size > 12 bytes.
      The function DFAContentModel::buildDFA allocates an array of Occurence pointers with the wrong size: it uses the size of an Occurence object (12 bytes) instead of the size of a pointer. On systems with a larger pointer size the loop that follows writes past the end of the allocated buffer.

      Before:

      DFAContentModel.cpp
          if (elemOccurenceMap != 0) {
              // BUG: buffer is sized by sizeof(Occurence), the object, not by sizeof(Occurence*), the element actually stored
              fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
              memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));

      After:

      DFAContentModel.cpp
          if (elemOccurenceMap != 0) {
              // FIX: allocate and clear the same number of bytes, both derived from the pointer size
              fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
              memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));

      --> In the "allocate" call the "*" after Occurence is missing (compare the memset on the next line, which correctly uses sizeof(Occurence*)).
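As an added illustration (not code from the Xerces-C++ tree), a type-derived allocation helper that makes this sizeof mismatch impossible, beside an audit of how many bytes the buggy expression writes past the buffer when pointers are wider than an Occurence. MemoryManager and Occurence are minimal stand-ins modelled on the library's interface, and the 16-byte pointer width used in the audit is an assumption chosen to mirror the "> 12 bytes" case from the report.

```cpp
// Added example, not Xerces-C++ code. MemoryManager and Occurence below are
// stand-ins (assumptions) shaped like the Xerces types the report refers to.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>

struct MemoryManager {                       // stand-in for xercesc::MemoryManager
    virtual void* allocate(std::size_t size) {
        void* p = std::malloc(size);
        if (!p) throw std::bad_alloc();
        return p;
    }
    virtual void deallocate(void* p) { std::free(p); }
    virtual ~MemoryManager() {}
};

struct Occurence {                           // 12 bytes, as stated in the report
    int minOccurs;
    int maxOccurs;
    unsigned int elemIndex;
};

// Safe pattern: the byte count is derived from the pointer type, so the
// object size and the pointer size can never be confused, and allocate()
// and memset() are guaranteed to agree on the length.
template <class T>
T** allocatePointerArray(MemoryManager& mm, std::size_t count) {
    T** arr = static_cast<T**>(mm.allocate(count * sizeof(T*)));
    std::memset(arr, 0, count * sizeof(T*));
    return arr;
}

// Audit of the buggy expression: bytes written by a loop storing `count`
// pointers into a buffer of `count * elemSize` bytes. Returns 0 when the
// object is at least as wide as a pointer, i.e. when the bug merely
// over-allocates and stays silent (the common 4- and 8-byte pointer case).
std::size_t overflowBytes(std::size_t count, std::size_t elemSize, std::size_t ptrSize) {
    std::size_t allocated = count * elemSize;
    std::size_t written   = count * ptrSize;
    return written > allocated ? written - allocated : 0;
}
```

With a 16-byte pointer (assumed) and a 12-byte Occurence, every element stored overruns by 4 bytes, so the overrun grows with fTransTableSize rather than being a fixed-size slip.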

            People

            • Assignee: Scott Cantor (scantor)
            • Reporter: Victor Horvath (Victor.Horvath)