[ https://issues.apache.org/jira/browse/XERCESC-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Scott Cantor updated XERCESC-2189:
----------------------------------
    Issue Type: Bug  (was: New Feature)

> XMLChar with NEED_TO_GEN_TABLE has 2 buffer out of bounds reads
> ---------------------------------------------------------------
>
>                 Key: XERCESC-2189
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2189
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Utilities
>    Affects Versions: 3.2.2
>            Reporter: Alexey Roytman
>            Assignee: Scott Cantor
>            Priority: Minor
>             Fix For: 3.2.3
>
>
> During scan with cppcheck 1.90, the XMLChar's code under #ifdef
> NEED_TO_GEN_TABLE has two out-of-bounds reads in initCharFlagTable() and in
> initCharFlagTable1_1():
>     fprintf(outFl, "XMLByte ...[0x10000] =\n{");
>     for (unsigned int index = 0; index <= 0xFFFF; index += 16)
>     {
>         fprintf(...
>             , (unsigned int)gTmpCharTable[index]
>             ...
>             , (unsigned int)gTmpCharTable[index+15]);
>     }
>     fprintf(outFl, "};\n");
>
> But the gTmpCharTable's size is 0xffff (which is 1 less than 0x10000), and at
> the last loop, when index==0xFFF0, we access gTmpCharTable[0xFFF0+15] which
> is gTmpCharTable[0xFFFF], which is 1 after the end of buffer.
>
> I'd say that gTmpCharTable shall have 0x10000 elements, and not 0xFFFF...
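
The index arithmetic from the report, as an added example in C (not code from Xerces-C++ or from the reporter): it computes the highest element the reported loop shape reads and shows a dump loop whose limit is derived from the element count. TABLE_SIZE, ROW, highest_index_read, loop_fits and dump_table are hypothetical names, and the table contents are constructed sample data.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical names for illustration; not identifiers from Xerces-C++. */
enum { TABLE_SIZE = 0x10000, ROW = 16 };

/* One constant sizes both the array and the loop, so they cannot drift. */
_Static_assert(TABLE_SIZE % ROW == 0, "table must be a whole number of rows");

static unsigned char table[TABLE_SIZE];   /* constructed sample data (zeros) */

/* Highest index touched by the reported loop shape:
   for (index = 0; index <= last; index += row) reads index .. index+row-1 */
size_t highest_index_read(size_t last, size_t row)
{
    return (last / row) * row + (row - 1);
}

/* 1 if an array of `elems` elements is large enough for that loop, else 0. */
int loop_fits(size_t elems, size_t last, size_t row)
{
    return highest_index_read(last, row) < elems;
}

/* Dump loop bounded by the element count instead of a separate literal.
   Returns the number of elements written, or 0 if the size is not a
   whole number of rows (nothing is read in that case). */
size_t dump_table(FILE *out, const unsigned char *tbl, size_t elems)
{
    size_t written = 0;
    if (elems == 0 || elems % ROW != 0)
        return 0;
    fprintf(out, "XMLByte table[0x%zX] =\n{\n", elems);
    for (size_t index = 0; index < elems; index += ROW) {
        fputs("    ", out);
        for (size_t i = 0; i < ROW; ++i, ++written)
            fprintf(out, "0x%02X%s", (unsigned)tbl[index + i],
                    written + 1 == elems ? "" : ", ");
        fputc('\n', out);
    }
    fputs("};\n", out);
    return written;
}

int main(void)
{
    printf("0xFFFF elements fit: %d, 0x10000 elements fit: %d\n",
           loop_fits(0xFFFF, 0xFFFF, ROW), loop_fits(0x10000, 0xFFFF, ROW));
    return dump_table(stdout, table, 2 * ROW) == 2 * ROW ? 0 : 1;
}
```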