[
https://issues.apache.org/jira/browse/XERCESC-2259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17913255#comment-17913255
]
Boris Kolpackov commented on XERCESC-2259:
------------------------------------------
Thanks for the detailed description of the issue and the reproducer. Will try
to take a look if/when I have time to see if this is something easy to fix.
My security assessment of this issue is as follows: I don't believe this
segfault is likely to be triggerable by an attacker since, at least in
production environments, untrusted schemas are normally not loaded.
> Segmentation fauilt in xerces parse when fgXercesDOMHasPSVIInfo is true
> -----------------------------------------------------------------------
>
> Key: XERCESC-2259
> URL: https://issues.apache.org/jira/browse/XERCESC-2259
> Project: Xerces-C++
> Issue Type: Bug
> Components: DOM
> Affects Versions: 3.2.5
> Environment: RHEL 9, x86_64
> Reporter: Lara Blatchford
> Priority: Major
> Attachments: xerces_parse_crash.zip
>
>
> Our application validates against a specific set of schemas, and when a new
> schema is added to the no namespace schema list, xerces segfaults with the
> following stack trace:
> {quote}{{#0 0x00007fd8817b2bca
> _ZN11xercesc_3_212IGXMLScanner12buildAttListERKNS_11RefVectorOfINS_12KVStringPairEEEmPNS_14XMLElementDeclERNS1_INS_7XMLAttrEEE
> (libxerces-c-3.2.so + 0x1b2bca)}}
> {{#1 0x00007fd8817abff0 _ZN11xercesc_3_212IGXMLScanner14scanStartTagNSERb
> (libxerces-c-3.2.so + 0x1abff0)}}
> {{#2 0x00007fd8817ad9e7 _ZN11xercesc_3_212IGXMLScanner11scanContentEv
> (libxerces-c-3.2.so + 0x1ad9e7)}}
> {{#3 0x00007fd8817adc48
> _ZN11xercesc_3_212IGXMLScanner12scanDocumentERKNS_11InputSourceE
> (libxerces-c-3.2.so + 0x1adc48)}}
> {{#4 0x00007fd8817d0b5c _ZN11xercesc_3_210XMLScanner12scanDocumentEPKDs
> (libxerces-c-3.2.so + 0x1d0b5c)}}
> {{#5 0x00007fd8817d4842 _ZN11xercesc_3_210XMLScanner12scanDocumentEPKc
> (libxerces-c-3.2.so + 0x1d4842)}}
> {{#6 0x00007fd8817e7a2e _ZN11xercesc_3_217AbstractDOMParser5parseEPKc
> (libxerces-c-3.2.so + 0x1e7a2e)}}
> {{#7 0x00007fd8817f0fc6 _ZN11xercesc_3_215DOMLSParserImpl8parseURIEPKc
> (libxerces-c-3.2.so + 0x1f0fc6)}}
> {{#8 0x0000000000403d20 main (xercesparse + 0x3d20)}}
> {{#9 0x00007fd880e295d0 __libc_start_call_main (libc.so.6 + 0x295d0)}}
> {{#10 0x00007fd880e29680 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x29680)}}
> {{ #11 0x0000000000403ef5 _start (xercesparse +
> 0x3ef5)}}{quote}
> The crash does not occur if the new schema is removed from the schema list,
> or if fgXercesDOMHasPSVIInfo is set to false – however, operationally this
> parameter must be set to true.
> The attached zip contains source for a small test application that
> demonstrates the crash. The schema that introduced the crash when added is
> schema_xercescrash.xsd, and an example XML file to be validated is
> fs_xercescrash.xml. The poi.xsd schema is included in the namespace schema
> list when the crash occurs. The crashdemo script shows how the test app is
> invoked to demonstrate the crash.
> [^xerces_parse_crash.zip]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
