[
https://issues.apache.org/jira/browse/XERCESC-2116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Victor Horvath updated XERCESC-2116:
------------------------------------
Description:
In the DFAContentModel there is a buffer overflow on systems with a pointer
size > 12 bytes.
The function DFAContentModel::buildDFA creates an array of Occurence pointers
with the wrong size: the size of an Occurence (12 bytes), not of the pointer,
is used. On systems with a larger pointer size the following loop will write
outside the buffer.
Before:
if (elemOccurenceMap != 0) {
fCountingStates =
(Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
After:
if (elemOccurenceMap != 0) {
fCountingStates =
(Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
--> In the "allocate" statement the "*" after Occurence is missing
(the memset below already has it).
was:
In the DFAContentModel there is a buffer overflow on systems with a pointer
size > 12 bytes.
The function DFAContentModel::buildDFA creates an array of Occurence pointers
with the wrong size: the size of an Occurence (12 bytes), not of the pointer,
is used. On systems with a larger pointer size the following loop will write
outside the buffer.
Before:
if (elemOccurenceMap != 0) {
fCountingStates =
(Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
After:
if (elemOccurenceMap != 0) {
fCountingStates =
(Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence/"*"));
memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
--> In the "allocate" statement the "*" after Occurence is missing
(the memset below already has it).
> Buffer overflow at XSD Validation
> ----------------------------------
>
> Key: XERCESC-2116
> URL: https://issues.apache.org/jira/browse/XERCESC-2116
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (XML Schema)
> Affects Versions: 3.1.4
> Environment: iSeries Release V7R1M0
> Reporter: Victor Horvath
>
> In the DFAContentModel there is a buffer overflow on systems with a pointer
> size > 12 bytes.
> The function DFAContentModel::buildDFA creates an array of Occurence pointers
> with the wrong size: the size of an Occurence (12 bytes), not of the pointer,
> is used. On systems with a larger pointer size the following loop will write
> outside the buffer.
> Before:
> if (elemOccurenceMap != 0) {
> fCountingStates =
> (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
> memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
> After:
> if (elemOccurenceMap != 0) {
> fCountingStates =
> (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
> memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
> --> In the "allocate" statement the "*" after Occurence is missing
> (the memset below already has it).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
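The defect in the report is a size mismatch: allocate() is sized with sizeof(Occurence) while the memset and the fill loop treat the buffer as an array of Occurence*, so the table is too small exactly when a pointer is wider than the 12-byte record (16-byte pointers on the reporter's iSeries). The following is an added example, not Xerces-C code: it models the mismatch with the pointer width as a parameter so the 16-byte case can be examined on an 8-byte-pointer host, and shows the hardened allocation idiom that takes the element size from the destination's pointee type. The Occurence struct below is an assumed stand-in (three ints, 12 bytes with 4-byte int), and the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>

// Assumed stand-in for the Xerces-C Occurence record: three ints, which is
// 12 bytes on a platform with 4-byte int. Not the project's real definition.
struct Occurence {
    int minOccurs;
    int maxOccurs;
    int elemIndex;
};

// Number of Occurence* slots that the fill loop would store past the end of a
// buffer allocated as count * perElemAllocated bytes, given the pointer width
// of the target platform. 0 means the buffer is large enough.
size_t overrunElements(size_t count, size_t perElemAllocated, size_t ptrSize) {
    size_t allocatedBytes = count * perElemAllocated;   // what allocate() got
    size_t slotsThatFit   = allocatedBytes / ptrSize;   // whole pointers inside
    return (slotsThatFit < count) ? count - slotsThatFit : 0;
}

// Bytes the report's buggy call requests on this host (sizeof the record).
size_t buggyAllocationBytes(size_t transTableSize) {
    return transTableSize * sizeof(Occurence);
}

// Bytes the corrected call requests on this host (sizeof the pointer).
size_t fixedAllocationBytes(size_t transTableSize) {
    return transTableSize * sizeof(Occurence*);
}

// Hardened form of the allocation: the element size comes from the pointee
// type of the destination (sizeof(**table) == sizeof(Occurence*)), so it
// cannot disagree with the memset or with the loop that later fills the table.
// Returns the byte count allocated; the caller releases it with free().
size_t allocateCountingStates(Occurence*** table, size_t transTableSize) {
    size_t bytes = transTableSize * sizeof(**table);
    *table = static_cast<Occurence**>(std::malloc(bytes));
    if (*table != nullptr)
        std::memset(*table, 0, bytes);
    return bytes;
}

// Allocate a table with the hardened helper, check that every slot is inside
// the buffer and zero-initialised, and release it. Returns true on success.
bool hardenedTableIsZeroed(size_t transTableSize) {
    Occurence** table = nullptr;
    size_t bytes = allocateCountingStates(&table, transTableSize);
    if (table == nullptr || bytes != transTableSize * sizeof(Occurence*))
        return false;
    bool allNull = true;
    for (size_t i = 0; i < transTableSize; ++i)   // same bound as the bytes above
        allNull = allNull && (table[i] == nullptr);
    std::free(table);
    return allNull;
}
```

On a common 64-bit host overrunElements(n, 12, 8) is 0, which is why the bug stayed hidden there: an 8-byte pointer fits inside a 12-byte slot and the table is merely oversized. With 16-byte pointers a 100-entry table gets 1200 bytes but the loop stores 1600, and the last 25 pointers land past the end. Sizing allocations from the destination type (sizeof(*dst) or sizeof(**table)) rather than from a hand-typed class name removes the opportunity for the two sizes to drift apart.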