[XERCESC-2189] XMLChar with NEED_TO_GEN_TABLE has 2 buffer out of bounds reads - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.2.2
Fix Version/s: 3.2.3
Component/s: Utilities
Labels:
None

Description

During scan with cppcheck 1.90, the XMLChar's code under #ifdef NEED_TO_GEN_TABLE has two out-of-bounds reads in initCharFlagTable() and in initCharFlagTable1_1():

fprintf(outFl, "XMLByte ...[0x10000] =\n{");
for (unsigned int index = 0; index <= 0xFFFF; index += 16)

{ fprintf(... , (unsigned int)gTmpCharTable[index] ... , (unsigned int)gTmpCharTable[index+15]); }

fprintf(outFl, "};\n");

But the gTmpCharTable's size is 0xffff (which is 1 less than 0x10000), and at the last loop, when index==0xFFF0, we access gTmpCharTable[0xFFF0+15] which is gTmpCharTable[0xFFFF], which is 1 after the end of buffer.

I'd say that gTmpCharTable shall have 0x10000 elements, and not 0xFFFF...

Attachments

Activity

People

Assignee:: Scott Cantor

Reporter:: Alexey Roytman

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 19/Jan/20 17:37

Updated:: 01/Apr/20 16:31

Resolved:: 01/Apr/20 16:30