[ https://issues.apache.org/jira/browse/XERCESC-2116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Victor Horvath updated XERCESC-2116:
------------------------------------

Description:

In the DFAContentModel there is a buffer overflow on systems with a pointer size > 12 bytes.

The function DFAContentModel::buildDFA creates an array of Occurence pointers with the false size. The size of the Occurence (12 bytes), not of the pointer, is used. On systems with a greater pointer size the following loop will write into the false buffer.

Before:

{code:title=DFAContentModel.cpp|borderStyle=solid}
if (elemOccurenceMap != 0) {
    fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
    memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
{code}

After:

{code:title=DFAContentModel.cpp|borderStyle=solid}
if (elemOccurenceMap != 0) {
    fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
    memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
{code}

--> In the "allocate" statement the "*" after Occurence is missing (just like in the memset below).

was:

In the DFAContentModel there is a buffer overflow on systems with a pointer size > 12 bytes.

The function DFAContentModel::buildDFA creates an array of Occurence pointers with the false size. The size of the Occurence (12 bytes), not of the pointer, is used. On systems with a greater pointer size the following loop will write into the false buffer.

Before:

if (elemOccurenceMap != 0) {
    fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
    memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));

After:

{code:title=DFAContentModel.cpp|borderStyle=solid}
if (elemOccurenceMap != 0) {
    fCountingStates = (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
    memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
{code}

--> In the "allocate" statement the "*" after Occurence is missing (just like in the memset below).
> Buffer overflow at XSD Validation
> ----------------------------------
>
> Key: XERCESC-2116
> URL: https://issues.apache.org/jira/browse/XERCESC-2116
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (XML Schema)
> Affects Versions: 3.1.4
> Environment: iSeries Release V7R1M0
> Reporter: Victor Horvath
>
> In the DFAContentModel there is a buffer overflow on systems with a pointer
> size > 12 bytes.
> The function DFAContentModel::buildDFA creates an array of Occurence pointers
> with the false size. The size of the Occurence (12 bytes), not of the pointer,
> is used. On systems with a greater pointer size the following loop will write
> into the false buffer.
> Before:
> {code:title=DFAContentModel.cpp|borderStyle=solid}
> if (elemOccurenceMap != 0) {
>     fCountingStates =
>         (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence));
>     memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
> {code}
> After:
> {code:title=DFAContentModel.cpp|borderStyle=solid}
> if (elemOccurenceMap != 0) {
>     fCountingStates =
>         (Occurence**)fMemoryManager->allocate(fTransTableSize*sizeof(Occurence*));
>     memset(fCountingStates, 0, fTransTableSize*sizeof(Occurence*));
> {code}
> --> In the "allocate" statement the "*" after Occurence is missing
> (just like in the memset below).

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
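The size mismatch described in the report, as an added illustration that is not Xerces-C++ code: `overflowedEntries` computes how many trailing pointer slots the buggy `allocate(n*sizeof(Occurence))` leaves outside the buffer for a given pointer width (the 12-byte `Occurence` layout, the 16-byte pointer used for the iSeries case and the `CountingMemoryManager` are assumptions), and `allocateArray` shows the defensive pattern where the element size is derived from the array's own element type so allocate and memset cannot disagree.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <iostream>

// Hypothetical 12-byte stand-in for the Occurence record named in the report.
struct Occurence { int minOccurs; int maxOccurs; int elemIndex; };

// Minimal allocator in the shape of the parser's memory manager; records the
// last requested size so the allocation can be checked after the fact.
struct CountingMemoryManager {
    std::size_t lastRequest = 0;
    void* allocate(std::size_t bytes) { lastRequest = bytes; return std::malloc(bytes); }
    void deallocate(void* p) { std::free(p); }
};

// Bytes requested by the buggy line (transTableSize * sizeof(Occurence)) versus
// bytes the following loop writes (transTableSize * sizeof(Occurence*)).
// Returns the number of table entries that land past the end of the allocation;
// 0 means the write stays in bounds (the allocation is merely too large).
std::size_t overflowedEntries(std::size_t transTableSize, std::size_t pointerSize,
                              std::size_t occurenceSize = sizeof(Occurence)) {
    std::size_t allocated = transTableSize * occurenceSize;
    std::size_t needed    = transTableSize * pointerSize;
    if (needed <= allocated) return 0;
    return (needed - allocated + pointerSize - 1) / pointerSize;
}

// Corrected pattern: size the buffer from the element type of the array itself,
// so a missing '*' in one of two hand-written sizeof expressions cannot happen.
template <typename T>
T* allocateArray(CountingMemoryManager& mm, std::size_t count) {
    T* p = static_cast<T*>(mm.allocate(count * sizeof(T)));
    std::memset(p, 0, count * sizeof(T));
    return p;
}

int main() {
    // 4- and 8-byte pointers over-allocate harmlessly; 16-byte pointers overflow.
    for (std::size_t ptr : {4u, 8u, 16u})
        std::cout << "pointer size " << ptr << ": "
                  << overflowedEntries(100, ptr) << " entries out of bounds\n";
    CountingMemoryManager mm;
    Occurence** states = allocateArray<Occurence*>(mm, 100);
    std::cout << "fixed allocation requests " << mm.lastRequest << " bytes\n";
    mm.deallocate(states);
    return 0;
}
```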