[ https://issues.apache.org/jira/browse/XERCESC-1921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859364#action_12859364 ]
Scott Colcord commented on XERCESC-1921:
----------------------------------------
I ran into this via a call from the Xalan-C library in
<http://svn.apache.org/repos/asf/xalan/c/trunk/src/xalanc/PlatformSupport/XalanMessageLoader.cpp>.
One of the XalanMessageLoader::load() overloads there is calling
XMLString::replaceTokens(), and not properly accounting for the NULL. I will
re-file this issue against Xalan-C.

In general, I do think that it would be better not to require the caller to
account for the NULL, under the principle that the easiest way to call a
function should also be the correct way, but you're right; it correctly
documents its current behavior.

> Buffer overflow in XMLString::replaceTokens()
> ---------------------------------------------
>
> Key: XERCESC-1921
> URL: https://issues.apache.org/jira/browse/XERCESC-1921
> Project: Xerces-C++
> Issue Type: Bug
> Components: Utilities
> Environment: Probably any C++ Environment
> Reporter: Scott Colcord
>
> The function XMLString::replaceTokens() does not take its terminating NULL
> into account when comparing with the maxChars limit passed by the caller.
> Consequently, when passed a too-large string, it will overwrite one XMLCh
> after the buffer.
> It should be changed to test (curOutInd+1 < maxChars), and increment
> curOutInd when setting the null.
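The two length contracts discussed in this thread, side by side, as an added example that is not part of the original messages and is not Xerces-C++ or Xalan-C code. `XMLChLike`, `copyExclusive`, `copyInclusive` and `guardSurvives` are hypothetical names, the copy loops are simplified stand-ins for a bounded write, and the sample strings are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for XMLCh (assumption: a 16-bit code unit).
using XMLChLike = char16_t;

// Contract A: maxChars counts characters only, so the terminator can land
// at out[maxChars]. The caller must provide maxChars + 1 slots.
std::size_t copyExclusive(XMLChLike* out, std::size_t maxChars, const XMLChLike* src) {
    std::size_t curOutInd = 0;
    while (src[curOutInd] && curOutInd < maxChars) {
        out[curOutInd] = src[curOutInd];
        ++curOutInd;
    }
    out[curOutInd] = 0;    // index may equal maxChars
    return curOutInd + 1;  // slots written, terminator included
}

// Contract B, the check proposed in the report: maxChars is the buffer size
// and the terminator is counted against it.
std::size_t copyInclusive(XMLChLike* out, std::size_t maxChars, const XMLChLike* src) {
    if (maxChars == 0) return 0;  // no room even for the terminator
    std::size_t curOutInd = 0;
    while (src[curOutInd] && curOutInd + 1 < maxChars) {
        out[curOutInd] = src[curOutInd];
        ++curOutInd;
    }
    out[curOutInd++] = 0;  // increment when setting the terminator
    return curOutInd;
}

// Models a caller who passes its buffer size as maxChars. One guard slot is
// allocated right after that buffer so the extra write stays in bounds and
// can be observed. Returns true if the guard slot was left untouched.
template <typename Fn>
bool guardSurvives(Fn copy, std::size_t maxChars, const XMLChLike* src) {
    const XMLChLike GUARD = 0xBEEF;
    std::vector<XMLChLike> buf(maxChars + 1, GUARD);
    copy(buf.data(), maxChars, src);
    return buf[maxChars] == GUARD;
}

int main() {
    const XMLChLike* tooLong = u"0123456789";  // constructed input, 10 units
    std::printf("A guard intact: %d\n", guardSurvives(copyExclusive, 8, tooLong));
    std::printf("B guard intact: %d\n", guardSurvives(copyInclusive, 8, tooLong));
}
```

Under contract A the caller-side fix is to allocate one slot more than the `maxChars` value it passes; under contract B passing the buffer size directly is already safe.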