Details
Bug
Status: Closed
Resolution: Fixed
2.4.0
None
Operating System: All
Platform: All
18611
Description
Revision 1.40 of xercesc/internal/XMLScanner.cpp in CVS.
I haven't tested this, but just looking at the code, there's no check for
overflow when computing the value of a character reference.
Assuming an unsigned int is 32-bit, it looks like &#4294967296; (2^32) is going
to be treated as if it were &#0;. This is a problem for any ref mod 2^32 (ref >
2^32 -1) which falls between 0x10000-0x10FFFF, and less than 0xFFFD.
See bool XMLScanner::scanCharRef(XMLCh& toFill, XMLCh& second).
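
The wrap described in this report, next to a per-digit range check that prevents it. This is an added example, not Xerces-C code and not the fix that was committed; all function names are hypothetical, and the accumulator is assumed to be a 32-bit unsigned integer.

```cpp
#include <cstdint>
#include <string>

// Added example; names are hypothetical, not Xerces-C code.
// `body` is the text between "&#" and ";", e.g. "65" or "x41".

// XML 1.0 Char production.
static bool isXmlChar(uint32_t c) {
    return c == 0x9 || c == 0xA || c == 0xD ||
           (c >= 0x20 && c <= 0xD7FF) ||
           (c >= 0xE000 && c <= 0xFFFD) ||
           (c >= 0x10000 && c <= 0x10FFFF);
}

static int digitValue(char c, uint32_t radix) {
    int v = -1;
    if (c >= '0' && c <= '9') v = c - '0';
    else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
    return (v >= 0 && static_cast<uint32_t>(v) < radix) ? v : -1;
}

// rangeCheckEachStep=false reproduces the wrap described in the report;
// true rejects as soon as the running value passes 0x10FFFF, so the
// multiplication can never reach 2^32.
static bool parseCharRef(const std::string& body, bool rangeCheckEachStep,
                         uint32_t& out) {
    uint32_t radix = 10;
    std::size_t i = 0;
    if (!body.empty() && body[0] == 'x') { radix = 16; i = 1; }
    if (i == body.size()) return false;                    // no digits at all
    uint32_t value = 0;
    for (; i < body.size(); ++i) {
        int d = digitValue(body[i], radix);
        if (d < 0) return false;                           // not a digit in this radix
        value = value * radix + static_cast<uint32_t>(d);  // wraps mod 2^32 if unchecked
        if (rangeCheckEachStep && value > 0x10FFFF) return false;
    }
    if (!isXmlChar(value)) return false;                   // final legality test
    out = value;
    return true;
}

bool parseCharRefUnchecked(const std::string& b, uint32_t& out) { return parseCharRef(b, false, out); }
bool parseCharRefChecked(const std::string& b, uint32_t& out) { return parseCharRef(b, true, out); }
```

A legality test applied only to the final value does not help, because the wrapped value can itself be a legal character; the check has to happen while the digits are being accumulated.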