Author: johns
Date: Fri Aug 22 04:10:05 2008
New Revision: 688055
URL: http://svn.apache.org/viewvc?rev=688055&view=rev
Log:
Fixed a buffer overrun in TranscodeFromStr.
Modified:
xerces/c/trunk/src/xercesc/util/TransService.cpp
Modified: xerces/c/trunk/src/xercesc/util/TransService.cpp
URL:
http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/util/TransService.cpp?rev=688055&r1=688054&r2=688055&view=diff
==============================================================================
--- xerces/c/trunk/src/xercesc/util/TransService.cpp (original)
+++ xerces/c/trunk/src/xercesc/util/TransService.cpp Fri Aug 22 04:10:05 2008
@@ -676,7 +676,7 @@
{
if(!in) return;
- XMLSize_t allocSize = length;
+ XMLSize_t allocSize = length + 1;
fString = (XMLCh*)fMemoryManager->allocate(allocSize * sizeof(XMLCh));
XMLSize_t csSize = length;
@@ -694,7 +694,7 @@
if(bytesDone == length) break;
allocSize *= 2;
- XMLCh *newBuf = (XMLCh*)fMemoryManager->allocate(allocSize);
+ XMLCh *newBuf = (XMLCh*)fMemoryManager->allocate(allocSize *
sizeof(XMLCh));
memcpy(newBuf, fString, fCharsWritten);
fMemoryManager->deallocate(fString);
fString = newBuf;
@@ -708,8 +708,8 @@
// null terminate
if(fCharsWritten == allocSize) {
- allocSize += sizeof(XMLCh);
- XMLCh *newBuf = (XMLCh*)fMemoryManager->allocate(allocSize);
+ allocSize += 1;
+ XMLCh *newBuf = (XMLCh*)fMemoryManager->allocate(allocSize *
sizeof(XMLCh));
memcpy(newBuf, fString, fCharsWritten);
fMemoryManager->deallocate(fString);
fString = newBuf;
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
