Xerces-C++ issue XERCESC-2116

Buffer overflow at XSD Validation


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.4
    • Fix Version/s: 3.2.0
    • None
    • Environment: iSeries Release V7R1M0

    Description

      In DFAContentModel there is a buffer overflow on systems with a pointer size > 12 bytes.
      The function DFAContentModel::buildDFA creates an array of Occurence pointers with the wrong size: the allocation uses the size of an Occurence (12 bytes) rather than the size of a pointer. On systems where a pointer is larger than that, the loop that follows writes past the end of the buffer.

      Before:

      DFAContentModel.cpp (before the fix)
          if (elemOccurenceMap != 0) {
              // Bug: the array holds Occurence* values, but the allocation is sized by
              // sizeof(Occurence). Where a pointer is larger than an Occurence, the buffer
              // is too small for the memset and the fill loop that follow.
              fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
              memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));

      After:

      DFAContentModel.cpp (after the fix)
          if (elemOccurenceMap != 0) {
              // Fixed: allocate and memset are both sized by the element type, Occurence*,
              // so the buffer covers every slot the code writes regardless of pointer width.
              fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
              memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));

      --> In the "allocate" call the "*" after Occurence is missing (compare the memset directly below it, which correctly uses sizeof(Occurence*)).
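The size mismatch described above, worked through as an added example that is not code from the Xerces-C++ project or from this report. The 12-byte Occurence stand-in, the helpers buggyAllocBytes, fixedAllocBytes, overflowBytes, bugMaskedOnThisPlatform and guardBytesClobbered, and the fTransTableSize value of 100 are all assumptions of this example. It goes beyond the report's single case by comparing 4-, 8- and 16-byte pointers (IBM i, the reported environment, uses 16-byte pointers), which shows why the under-sized allocate() is invisible wherever a pointer fits in 12 bytes and overflows wherever it does not.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <vector>

// Constructed stand-in for Xerces' Occurence record (the report gives its size
// as 12 bytes, which three ints yield on common ABIs). Not the project's class.
struct Occurence {
    int minOccurs;
    int maxOccurs;
    int elemIndex;
};

// Bytes the buggy allocate() line reserves for `count` slots: it multiplies by
// the size of the pointee (Occurence) instead of the size of a pointer.
std::size_t buggyAllocBytes(std::size_t count, std::size_t occSize) {
    return count * occSize;
}

// Bytes the memset and the fill loop actually touch: `count` pointers of `ptrSize` bytes.
std::size_t bytesWritten(std::size_t count, std::size_t ptrSize) {
    return count * ptrSize;
}

// Bytes the corrected line reserves. The real fix writes sizeof(Occurence*); here the
// pointer width is a parameter so platforms other than the host can be compared.
// The point of the fix is that this is the same quantity the writes use.
std::size_t fixedAllocBytes(std::size_t count, std::size_t ptrSize) {
    return bytesWritten(count, ptrSize);
}

// How far the writes run past a buggy allocation on a platform with the given
// Occurence and pointer sizes; 0 means the bug is masked (pointer <= Occurence).
std::size_t overflowBytes(std::size_t count, std::size_t occSize, std::size_t ptrSize) {
    std::size_t alloc = buggyAllocBytes(count, occSize);
    std::size_t written = bytesWritten(count, ptrSize);
    return written > alloc ? written - alloc : 0;
}

// True on the build platform when sizeof(Occurence*) <= sizeof(Occurence), i.e. the
// under-sized allocation happens to be big enough and the defect stays invisible.
bool bugMaskedOnThisPlatform() {
    return sizeof(Occurence*) <= sizeof(Occurence);
}

// Simulates the fill in a private vector with a 0xAA guard region appended, so the
// overflow is observed without writing outside memory this function owns.
// Returns the number of guard bytes clobbered; nonzero reproduces the report.
std::size_t guardBytesClobbered(std::size_t count, std::size_t allocBytes, std::size_t ptrSize) {
    const std::size_t guard = 64;
    std::vector<unsigned char> mem(allocBytes + guard, 0xAA);
    // The real code zeroes count*ptrSize bytes; clamp to the vector so the
    // simulation itself stays in bounds.
    std::size_t toWrite = std::min(bytesWritten(count, ptrSize), mem.size());
    std::memset(mem.data(), 0, toWrite);
    return static_cast<std::size_t>(
        std::count_if(mem.begin() + static_cast<std::ptrdiff_t>(allocBytes), mem.end(),
                      [](unsigned char b) { return b != 0xAA; }));
}

int main() {
    const std::size_t transTableSize = 100;  // constructed value for fTransTableSize
    const std::size_t occSize = sizeof(Occurence);
    const std::size_t ptrSizes[] = {4, 8, 16};
    std::cout << "bug masked on this host: " << (bugMaskedOnThisPlatform() ? "yes" : "no") << '\n';
    for (std::size_t ptrSize : ptrSizes) {
        std::cout << "pointer " << ptrSize << " bytes: buggy allocate() is short by "
                  << overflowBytes(transTableSize, occSize, ptrSize) << " bytes, guard clobbered "
                  << guardBytesClobbered(transTableSize, buggyAllocBytes(transTableSize, occSize), ptrSize)
                  << "; fixed allocate() guard clobbered "
                  << guardBytesClobbered(transTableSize, fixedAllocBytes(transTableSize, ptrSize), ptrSize)
                  << '\n';
    }
    return 0;
}
```

The practical lesson for review is in fixedAllocBytes: size an allocation by the element type of the array being filled (sizeof(*fCountingStates) or sizeof(Occurence*)), never by a type that merely happens to be at least as large on the build machine, since that equality is an ABI accident that a different platform silently breaks.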

          People

            scantor Scott Cantor
            Victor.Horvath Victor Horvath