Victor Horvath created XERCESC-2116:
---------------------------------------
Summary: Buffer overflow at XSD Validation
Key: XERCESC-2116
URL: https://issues.apache.org/jira/browse/XERCESC-2116
Project: Xerces-C++
Issue Type: Bug
Components: Validating Parser (XML Schema)
Affects Versions: 3.1.4
Environment: iSeries Release V7R1M0
Reporter: Victor Horvath
In the DFAContentModel there is a buffer overflow on Systems with a pointer
size > 12 bytes.
The function DFAContentModel::buildDFA creates an array of Occurence pointers
with the false size. The size of the Occurence (12 bytes), not of the pointer
is used. On systems with a greater pointer size the following loop will write
into the false buffer.
Before:
if (elemOccurenceMap != 0) {
fCountingStates =
(Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
After:
if (elemOccurenceMap != 0) {
fCountingStates =
(Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
--> In the "allocate" statement there is missing the "*" after the Occurence
(just like the memset below).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
