[XERCESC-2126] Type Confusion from DTDGrammar to SchemaGrammar - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 3.1.4, 3.2.1, 3.2.2
Fix Version/s: 3.2.3
Component/s: DOM
Labels:
None
Environment:
Ubuntu 16.04 LTS, Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 16GB

Description

Hi all,

Our type confusion detection tool reports a type_confusion error in the "xercesc/validators/schema/SchemaValidator.cpp"

xercesc/validators/schema/SchemaValidator.cpp line 772
756 void SchemaValidator::preContentValidation(bool, bool validateDefAttr)
758 {
769 RefHashTableOfEnumerator<Grammar> grammarEnum = fGrammarResolver->getGrammarEnumerator();
770 while (grammarEnum.hasMoreElements())
771 {
772 SchemaGrammar& sGrammar = (SchemaGrammar&) grammarEnum.nextElement();
773 if (sGrammar.getGrammarType() != Grammar::SchemaGrammarType || sGrammar.getValidated())
774 continue;
……………
}

In the line 772, grammarEnum.nextElement() indicates object allocated as DTDGrammar, and it is casted into SchemaGrammar. However, since SchemaGrammar is not a subobject of DTDGrammar, it is violating C++ standard rules 5.2.9/11 (down casting is undefined if the object that the pointer to be casted points to is not a suboject of down casting type) and causes undefined behaviors.

There are similar type-confusion cases as below links.

(Xerces-c++) https://issues.apache.org/jira/browse/XERCESC-2088
(libstdc++) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
(Firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=1074280

I attached detail type confusion information.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Xerces-C++ Type confusion Report.pdf
09/Dec/17 13:41
162 kB
Yuseok Jeon

Activity

People

Assignee:: Scott Cantor

Reporter:: Yuseok Jeon

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Dec/17 13:41

Updated:: 01/Apr/20 18:13

Resolved:: 30/Dec/19 17:06