Alexey Roytman created XERCESC-2189:
---------------------------------------

             Summary: XMLChar with NEED_TO_GEN_TABLE has 2 buffer out of bounds reads
                 Key: XERCESC-2189
                 URL: https://issues.apache.org/jira/browse/XERCESC-2189
             Project: Xerces-C++
          Issue Type: New Feature
          Components: Utilities
    Affects Versions: 3.2.2
            Reporter: Alexey Roytman


During a scan with cppcheck 1.90, the XMLChar's code under #ifdef NEED_TO_GEN_TABLE has two out-of-bounds reads, in initCharFlagTable() and in initCharFlagTable1_1():

    fprintf(outFl, "XMLByte ...[0x10000] =\n{");
    for (unsigned int index = 0; index <= 0xFFFF; index += 16)
    {
        fprintf(... , (unsigned int)gTmpCharTable[index]
                ... , (unsigned int)gTmpCharTable[index+15]);
    }
    fprintf(outFl, "};\n");

But the gTmpCharTable's size is 0xffff (which is 1 less than 0x10000), and at the last loop, when index==0xFFF0, we access gTmpCharTable[0xFFF0+15] which is gTmpCharTable[0xFFFF], which is 1 after the end of the buffer.

I'd say that gTmpCharTable shall have 0x10000 elements, and not 0xFFFF...
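
Added example, not part of the original report or of the Xerces-C++ sources: a check that computes the highest index the reported row loop reads and compares it with the table size, plus a row writer whose bounds come from the element count. Only gTmpCharTable and XMLByte are names from the report; the helper functions, constants and the XMLByte typedef shown here are assumptions made for illustration.

```cpp
// Added illustration; only gTmpCharTable and XMLByte are names from the report.
#include <cstddef>
#include <cstdio>

typedef unsigned char XMLByte;            // assumption: stand-in for the Xerces-C++ typedef
const std::size_t kCodeUnits = 0x10000;   // one slot per code unit 0x0000..0xFFFF
const std::size_t kPerRow    = 16;        // values emitted per output row

static XMLByte gTmpCharTable[kCodeUnits]; // sized as the report suggests

// Compile-time guards: table covers every code unit and splits into whole rows.
static_assert(sizeof(gTmpCharTable) / sizeof(gTmpCharTable[0]) == kCodeUnits,
              "gTmpCharTable must hold 0x10000 entries");
static_assert(kCodeUnits % kPerRow == 0, "rows must divide the table evenly");

// Highest index read by `for (i = 0; i <= last; i += stride)` reading i..i+stride-1.
std::size_t highestIndexRead(std::size_t last, std::size_t stride) {
    return (last / stride) * stride + (stride - 1);
}

// True when a table of `count` elements covers every read of that loop.
bool loopFitsTable(std::size_t count, std::size_t last, std::size_t stride) {
    return highestIndexRead(last, stride) < count;
}

// Row writer whose bounds come from `count`, so a short final row is handled
// instead of read past the end. Returns the number of elements written.
std::size_t dumpTable(std::FILE* out, const XMLByte* table, std::size_t count) {
    std::size_t written = 0;
    std::fprintf(out, "XMLByte table[0x%zX] =\n{\n", count);
    for (std::size_t row = 0; row < count; row += kPerRow) {
        const std::size_t end = (count - row < kPerRow) ? count : row + kPerRow;
        for (std::size_t i = row; i < end; ++i, ++written)
            std::fprintf(out, "%s0x%02X", i == row ? "    " : ", ", (unsigned)table[i]);
        std::fprintf(out, "%s\n", end < count ? "," : "");
    }
    std::fprintf(out, "};\n");
    return written;
}

int main() {
    std::printf("0xFFFF-element table fits: %d\n", (int)loopFitsTable(0xFFFF, 0xFFFF, 16));
    std::printf("0x10000-element table fits: %d\n", (int)loopFitsTable(0x10000, 0xFFFF, 16));
    return dumpTable(stdout, gTmpCharTable, 35) == 35 ? 0 : 1;
}
```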