When operating with "continue-after-fatal-error" set to true, it is possible to 
cause xerces to go into an infinite loop
------------------------------------------------------------------------------------------------------------------------

                 Key: XERCESJ-1401
                 URL: https://issues.apache.org/jira/browse/XERCESJ-1401
             Project: Xerces2-J
          Issue Type: Bug
          Components: SAX
    Affects Versions: 2.9.1
         Environment: jdk 1.5.0_20
            Reporter: Karl Wright


If the feature "continue-after-fatal-error" is enabled, AND a non-default error 
handler is used under SAX, it is possible with the right feed to cause the 
parser to hang in a tight infinite loop.

Below see the fix delta (from our SVN, so the numbers will not match up with 
yours):

Index: src/org/apache/xerces/impl/XMLDocumentScannerImpl.java
===================================================================
--- src/org/apache/xerces/impl/XMLDocumentScannerImpl.java      (revision 
102478)
+++ src/org/apache/xerces/impl/XMLDocumentScannerImpl.java      (working copy)
@@ -783,6 +783,8 @@
                                 else {
                                     
reportFatalError("MarkupNotRecognizedInProlog",
                                                      null);
+                                    // Don't loop forever!
+                                    fEntityScanner.scanChar();
                                 }
                             }
                             else if 
(isValidNameStartChar(fEntityScanner.peekChar())) {
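Review bot: The result of fEntityScanner.scanChar() is discarded on the added line after reportFatalError("MarkupNotRecognizedInProlog", null), so nothing here confirms that a character was actually consumed. If the scanner is already at the end of the entity, the loop may still make no progress. Please check the returned value and leave the loop when no character was read, or state in the comment why that case cannot occur at this point.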
@@ -802,6 +804,8 @@
                             else {
                                 reportFatalError("MarkupNotRecognizedInProlog",
                                                  null);
+                                // Don't loop forever!
+                                fEntityScanner.scanChar();
                             }
                             break;
                         }
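Review bot: The comment "// Don't loop forever!" in this else branch names the symptom but not the cause. A reader who does not know the bug cannot tell why a character is skipped only here. Suggest wording such as "with continue-after-fatal-error enabled reportFatalError returns, so consume the offending character to guarantee progress". The same two lines are also pasted at four sites in this patch; a small private helper that reports the error and then advances would keep the sites from drifting apart.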
@@ -872,6 +876,8 @@
                         }
                         case SCANNER_STATE_REFERENCE: {
                             reportFatalError("ReferenceIllegalInProlog", null);
+                            // Don't loop forever!
+                            fEntityScanner.scanChar();
                         }
                     }
                 } while (complete || again);
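Review bot: In the SCANNER_STATE_REFERENCE case the added scanChar() advances the input, but nothing in the lines shown changes the scanner state before control reaches "while (complete || again)". If the state stays at SCANNER_STATE_REFERENCE, the loop now terminates but reports ReferenceIllegalInProlog once for every remaining character. Please confirm that is intended, or reset the scanner state after skipping the character, and add one of the promised example documents as a regression test for this case.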
@@ -1277,6 +1283,8 @@
                             else {
                                 reportFatalError("MarkupNotRecognizedInMisc",
                                                  null);
+                               // Skip forward one character, otherwise we 
loop forever.
+                               fEntityScanner.scanChar();
                             }
                             break;
                         } 
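Review bot: The two added lines after reportFatalError("MarkupNotRecognizedInMisc", null) appear indented one column short of the call above them, and the comment is worded differently from the "// Don't loop forever!" used at the other three sites. Please align the indentation with the surrounding block and use one comment wording throughout. The longer text here is the more useful of the two, since it says what the skip is for.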


I will also be attaching a test harness and example documents as followup 
comments.
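
A caller-side guard for the hang described in this report, as an added example that is not from the reporter or the Xerces project: an error handler that tolerates a bounded number of fatal errors and then throws, which ends the parse because each of the loops patched above calls reportFatalError on every pass. The class name, the limit of 100 and the sample document are constructed for illustration, and the guard assumes the parser propagates an exception thrown from fatalError, as the SAX ErrorHandler contract allows.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class BoundedFatalErrors {
    // Full URI of the "continue-after-fatal-error" feature named in the report.
    static final String CONTINUE =
        "http://apache.org/xml/features/continue-after-fatal-error";

    /** Counts fatal errors and aborts the parse once 'limit' is exceeded. */
    static final class CappedHandler extends DefaultHandler {
        private final int limit;
        int fatalCount = 0;
        CappedHandler(int limit) { this.limit = limit; }

        @Override
        public void fatalError(SAXParseException e) throws SAXException {
            if (++fatalCount > limit) {
                // Throwing is the only way a handler can stop a parser that
                // has been told to continue after fatal errors.
                throw new SAXException("aborting parse after " + limit + " fatal errors", e);
            }
        }
    }

    /** Returns the fatal errors counted; limit + 1 means the parse was aborted. */
    static int parse(String xml, int limit) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setFeature(CONTINUE, true);
        CappedHandler handler = new CappedHandler(limit);
        reader.setContentHandler(handler);
        reader.setErrorHandler(handler);
        try {
            reader.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException aborted) {
            System.err.println(aborted.getMessage());
        }
        return handler.fatalCount;
    }

    public static void main(String[] args) throws Exception {
        String sample = "<a><b></a>"; // constructed malformed input (mismatched end tag)
        System.out.println("fatal errors: " + parse(sample, 100));
    }
}
```

The cap bounds work per document regardless of which scanner state is stuck, so it remains useful on parser versions that do not carry the fix.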

