[ 
https://issues.apache.org/jira/browse/XALANC-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15996982#comment-15996982
 ] 

Nicolas GREGOIRE commented on XALANC-762:
-----------------------------------------

This two-year-old bug still exists and can be triggered with the following inputs.

[=] XSLT

<!-- Reproducer stylesheet as quoted in the Jira comment. NOTE(review): the ';' after each
     xmlns URI is presumably a Jira/e-mail rendering artefact, not part of the original
     attachment - confirm before reusing this text verbatim. -->
<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; 
xmlns:exsl="http://exslt.org/common"; version="1.0">

  <!-- mode="copy": for each attribute/node, emit <a><b>string-value</b></a>, then the value of
       the XPath expression "***" (the XPath lexer reads this as "* * *", i.e. the child-element
       node-set converted to a number and multiplied twice - consistent with XPath::mult in the
       ASan trace), then recurse into the attributes and children in the same mode. -->
  <xsl:template match="@*|node()" mode="copy">
      <a><b>
        <xsl:value-of select="."/>
      </b></a>
      <!-- This is the xsl:value-of whose numeric result is formatted by
           DOMStringHelper::NumberToCharacters() in the trace below. -->
      <xsl:value-of select="***"/>
    <xsl:apply-templates select="@*|node()" mode="copy"/>
  </xsl:template>

  <!-- Entry point: build the copy-mode output into $v, turn the result tree fragment into a
       node-set with exsl:node-set() and apply the default-mode templates to it. -->
  <xsl:template match="/">
    <xsl:variable name="v"><xsl:apply-templates mode="copy"/></xsl:variable>
    <xsl:apply-templates select="exsl:node-set($v)"/>
  </xsl:template>

</xsl:transform>

[=] XML

<a b="1234567890123456789012345678901234567890"/>

[=] ASan output

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe60ae1125 at pc 
0x7f0dc5ce59f5 bp 0x7ffe60ae0f40 sp 0x7ffe60ae06d0
WRITE of size 169 at 0x7ffe60ae1125 thread T0
    #0 0x7f0dc5ce59f4 in __interceptor_vsprintf 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x619f4)
    #1 0x7f0dc5ce5cc9 in __interceptor_sprintf 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61cc9)
    #2 0x7f0dc077a750 in 
xalanc_1_11::DOMStringHelper::NumberToCharacters(double, 
xalanc_1_11::FormatterListener&, void 
(xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) 
/work/xalan-c/src/xalanc/PlatformSupport/DOMStringHelper.cpp:1471
    #3 0x7f0dc0b19b0d in xalanc_1_11::XObject::string(double, 
xalanc_1_11::FormatterListener&, void 
(xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) 
/work/xalan-c/src/xalanc/XPath/XObject.hpp:485
    #4 0x7f0dc0b19b0d in xalanc_1_11::XPath::mult(xalanc_1_11::XalanNode*, int 
const*, xalanc_1_11::XPathExecutionContext&, xalanc_1_11::FormatterListener&, 
void (xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) 
const /work/xalan-c/src/xalanc/XPath/XPath.cpp:1982
    #5 0x7f0dc0b27ec9 in 
xalanc_1_11::XPath::executeMore(xalanc_1_11::XalanNode*, int const*, 
xalanc_1_11::XPathExecutionContext&, xalanc_1_11::FormatterListener&, void 
(xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) 
const /work/xalan-c/src/xalanc/XPath/XPath.cpp:1149
    #6 0x7f0dc1657d6a in 
xalanc_1_11::XPath::execute(xalanc_1_11::PrefixResolver const&, 
xalanc_1_11::XPathExecutionContext&, xalanc_1_11::FormatterListener&, void 
(xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) 
const /work/xalan-c/src/xalanc/XPath/XPath.hpp:761
    #7 0x7f0dc1657d6a in 
xalanc_1_11::ElemValueOf::startElement(xalanc_1_11::StylesheetExecutionContext&)
 const /work/xalan-c/src/xalanc/XSLT/ElemValueOf.cpp:286
    #8 0x7f0dc1665e74 in 
xalanc_1_11::ElemTemplateElement::execute(xalanc_1_11::StylesheetExecutionContext&)
 const /work/xalan-c/src/xalanc/XSLT/ElemTemplateElement.cpp:253
    #9 0x7f0dc14dea16 in 
xalanc_1_11::StylesheetRoot::process(xalanc_1_11::XalanNode*, 
xalanc_1_11::XSLTResultTarget&, xalanc_1_11::StylesheetExecutionContext&) const 
/work/xalan-c/src/xalanc/XSLT/StylesheetRoot.cpp:267
    #10 0x7f0dc15e40c5 in 
xalanc_1_11::XSLTEngineImpl::process(xalanc_1_11::XSLTInputSource const&, 
xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTResultTarget&, 
xalanc_1_11::StylesheetConstructionContext&, 
xalanc_1_11::StylesheetExecutionContext&) 
/work/xalan-c/src/xalanc/XSLT/XSLTEngineImpl.cpp:402
    #11 0x7f0dc18aba72 in 
xalanc_1_11::XalanTransformer::doTransform(xalanc_1_11::XalanParsedSource 
const&, xalanc_1_11::XalanCompiledStylesheet const*, 
xalanc_1_11::XSLTInputSource const*, xalanc_1_11::XSLTResultTarget const&) 
/work/xalan-c/src/xalanc/XalanTransformer/XalanTransformer.cpp:1420
    #12 0x7f0dc18ae32f in 
xalanc_1_11::XalanTransformer::transform(xalanc_1_11::XalanParsedSource const&, 
xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTResultTarget const&) 
/work/xalan-c/src/xalanc/XalanTransformer/XalanTransformer.hpp:193
    #13 0x7f0dc18ae32f in 
xalanc_1_11::XalanTransformer::transform(xalanc_1_11::XSLTInputSource const&, 
xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTResultTarget const&) 
/work/xalan-c/src/xalanc/XalanTransformer/XalanTransformer.cpp:355
    #14 0x418218 in transform(xalanc_1_11::XalanTransformer&, Params const&, 
xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTInputSource const&, 
xalanc_1_11::XSLTResultTarget const&) 
/work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:645
    #15 0x418218 in transform(xalanc_1_11::XalanTransformer&, Params const&, 
xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTInputSource const&) 
/work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:763
    #16 0x408e86 in transform(xalanc_1_11::XalanTransformer&, Params const&, 
xalanc_1_11::XSLTInputSource const&) 
/work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:795
    #17 0x408e86 in transform(xalanc_1_11::XalanTransformer&, Params const&) 
/work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:821
    #18 0x408e86 in xsltMain(int, char**) 
/work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:960
    #19 0x409fa6 in main /work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:996
    #20 0x7f0dbb76a82f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x403bc8 in _start (/usr/local/bin/Xalan+0x403bc8)

Address 0x7ffe60ae1125 is located in stack of thread T0 at offset 133 in frame
    #0 0x7f0dc0779f03 in 
xalanc_1_11::DOMStringHelper::NumberToCharacters(double, 
xalanc_1_11::FormatterListener&, void 
(xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) 
/work/xalan-c/src/xalanc/PlatformSupport/DOMStringHelper.cpp:1425

  This frame has 2 object(s):
    [32, 133) 'theBuffer'
    [192, 394) 'theResult' <== Memory access at offset 133 partially underflows 
this variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_vsprintf

> Stack is corrupted in DOMStringHelper::NumberToCharacters() if value is 
> really big
> ----------------------------------------------------------------------------------
>
>                 Key: XALANC-762
>                 URL: https://issues.apache.org/jira/browse/XALANC-762
>             Project: XalanC
>          Issue Type: Bug
>          Components: XalanC
>    Affects Versions: 1.11
>            Reporter: Sergey Kurenkov
>            Assignee: Steven J. Hathaway
>            Priority: Minor
>
> in functions 
> void
> DOMStringHelper::NumberToCharacters(
>             double              theValue,
>             FormatterListener&  formatterListener,
>             MemberFunctionPtr   function)
> and 
> NumberToDOMString(
>             double              theValue,
>             XalanDOMString&     theResult)
> an array is created on stack in order to convert theValue:
> char            theBuffer[MAX_PRINTF_DIGITS + 1];
> If theValue is quite big, for example 1.79769e+308 (the biggest possible 
> double value), then theBuffer is overwritten, since it allocates only 100 
> bytes for storing theValue, whereas with the format string "%.35f" around 
> 350 bytes are required to store the converted double.
> I think MAX_PRINTF_DIGITS is used by mistake in this context; instead, 
> MAX_FLOAT_CHARACTERS should have been used, and MAX_FLOAT_CHARACTERS must be 
> defined like this:
> // The maximum number of characters for a floating point number.
> const size_t    MAX_FLOAT_CHARACTERS = 400;
> in order to have enough space to store 308 digits before the point, a point, 
> up to 35 digits after the point, and the NULL terminator at the end.


