Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Version: 3.1.4
Environment: iSeries Release V7R1M0
Description
In DFAContentModel there is a buffer overflow on systems with a pointer size > 12 bytes.
The function DFAContentModel::buildDFA creates an array of Occurence pointers with the wrong size: the size of an Occurence (12 bytes) is used instead of the size of a pointer. On systems with a larger pointer size the following loop writes past the end of the buffer.
Before:
DFAContentModel.cpp
if (elemOccurenceMap != 0) {
fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
After:
DFAContentModel.cpp
if (elemOccurenceMap != 0) {
fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
--> In the "allocate" call the "*" after Occurence is missing (compare the memset directly below it).
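To make the size mismatch concrete, here is a small added C++ example (not Xerces-C code). It models Occurence as a 12-byte record, computes how far the buggy sizing (n * sizeof(Occurence)) falls short of the bytes a pointer table needs (n * sizeof(Occurence*)) for several pointer widths, and shows the sizeof(*variable) idiom that keeps the element type and the allocation size in step. The struct layout, the function names and the use of malloc in place of the project's MemoryManager are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Stand-in for Xerces-C's Occurence record: three 4-byte fields, i.e. the
// 12 bytes quoted in the report. This layout is an assumption for the example.
struct Occurence {
    int32_t  minOccurs;
    int32_t  maxOccurs;
    uint32_t elemIndex;
};

// Bytes the buggy call reserves (n * sizeof(Occurence)) versus the bytes the
// pointer table actually needs (n * pointerSize). A positive result is the
// number of bytes the following memset/loop writes past the allocation.
long shortfallBytes(size_t transTableSize, size_t pointerSize) {
    long allocated = (long)(transTableSize * sizeof(Occurence));
    long needed    = (long)(transTableSize * pointerSize);
    return needed - allocated;
}

// The buggy sizing only overflows where a pointer is wider than the record:
// over-allocation (harmless) on 4- and 8-byte-pointer targets, an overflow
// with 16-byte pointers such as on IBM i.
bool buggyAllocOverflows(size_t pointerSize) {
    return pointerSize > sizeof(Occurence);
}

// Corrected idiom: size the allocation from the variable being assigned, so the
// element type and the byte count cannot drift apart the way the two sizeof()s
// in the report did. malloc stands in for the project's MemoryManager here.
Occurence** allocateCountingStates(size_t transTableSize) {
    Occurence** states = (Occurence**)malloc(transTableSize * sizeof(*states));
    if (states != NULL)
        memset(states, 0, transTableSize * sizeof(*states));
    return states;
}

// Check that a freshly allocated table is fully zeroed (what the memset promises).
bool allNull(Occurence** states, size_t transTableSize) {
    for (size_t i = 0; i < transTableSize; ++i)
        if (states[i] != NULL) return false;
    return true;
}

int main() {
    const size_t n = 64;                 // transition table size, chosen for the demo
    const size_t widths[] = {4, 8, 16};  // pointer widths to compare
    for (size_t i = 0; i < 3; ++i) {
        printf("pointer %2zu bytes: shortfall %5ld bytes -> %s\n",
               widths[i], shortfallBytes(n, widths[i]),
               buggyAllocOverflows(widths[i]) ? "OVERFLOW" : "ok (over-allocated)");
    }
    Occurence** t = allocateCountingStates(n);
    printf("fixed allocation zeroed: %s\n", (t && allNull(t, n)) ? "yes" : "no");
    free(t);
    return 0;
}
```

The point of sizeof(*states) is that a later change of the element type (say, to a wider pointer or a different record) changes the allocation automatically; with two separately spelled sizeof(Occurence) / sizeof(Occurence*) expressions nothing ties them together, which is exactly how the report's allocate and memset lines drifted apart.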