Buffer overflow in XMLString::replaceTokens()
---------------------------------------------
Key: XERCESC-1921
URL: https://issues.apache.org/jira/browse/XERCESC-1921
Project: Xerces-C++
Issue Type: Bug
Components: Utilities
Environment: Probably any C++ Environment
Reporter: Scott Colcord
The function XMLString::replaceTokens() does not take its terminating NULL into
account when comparing with the maxChars limit passed by the caller.
Consequently, when passed a too-large string, it will overwrite one XMLCh after
the buffer.
It should be changed to test (curOutInd+1 < maxChars), and increment curOutInd
when setting the null.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
