[XERCESC-2180] Handle surrogate pairs when reading a QName instead of ASSERTing - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.2.0, 3.2.1, 3.2.2
Fix Version/s: 3.2.3
Component/s: Miscellaneous
Labels:
None

Description

As discovered by Vincent Ulitzsch:

The assertion fails when parsing a malformed xml-file, we attached a crashing testcase. We would suggest fixing this assertion, since it opens up the possibility
for Denial of Service attacks via malformed xml files.

The code expects that tre transcoder places a pair of surrogate characters in the Unicode buffers, but the UTF16 transcoder simply copies the data without checking if it ends in the middle of a surrogate pair. So the fix is to replace the assertion with a request for more data, and if there is no data or if it's not the other part of the surrogate, exit the method as we would be doing if we found the invalid character inside the buffer

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

crash.xml
09/Nov/19 18:40
0.0 kB
Alberto Massari

Activity

People

Assignee:: Alberto Massari

Reporter:: Alberto Massari

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Nov/19 18:43

Updated:: 10/Oct/22 14:07

Resolved:: 15/Dec/19 21:19