[jira] [Commented] (XERCESC-2241) Integer overflows in DFAContentModel class
[ https://issues.apache.org/jira/browse/XERCESC-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17612153#comment-17612153 ] Even Rouault commented on XERCESC-2241: --- Fix in https://github.com/apache/xerces-c/pull/51 > Integer overflows in DFAContentModel class > -- > > Key: XERCESC-2241 > URL: https://issues.apache.org/jira/browse/XERCESC-2241 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (XML Schema) >Reporter: Even Rouault >Priority: Major > > On .xsd files like the following ones (generated by ossfuzz, so broken), > integer overflows can happen in DFAContentModel::countLeafNodes() and > DFAContentModel::buildDFA() which can later cause out-of-bounds access. > Found in [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025] > > ``` > http://www.w3.org/2001/XMLSchema; > xmlns:myns="http://myns; > targetNamespace="http://myns; > elementFormDefault="qualified" attributeFormDefault="unqualified"> > > > > > > > > > > > > > > ame="x" type="xs:int" maxOccurs="1"/> > > > > > > > ``` -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2241) Integer overflows in DFAContentModel class
Even Rouault created XERCESC-2241: - Summary: Integer overflows in DFAContentModel class Key: XERCESC-2241 URL: https://issues.apache.org/jira/browse/XERCESC-2241 Project: Xerces-C++ Issue Type: Bug Components: Validating Parser (XML Schema) Reporter: Even Rouault On .xsd files like the following ones (generated by ossfuzz, so broken), integer overflows can happen in DFAContentModel::countLeafNodes() and DFAContentModel::buildDFA() which can later cause out-of-bounds access. Found in [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025] ``` http://www.w3.org/2001/XMLSchema; xmlns:myns="http://myns; targetNamespace="http://myns; elementFormDefault="qualified" attributeFormDefault="unqualified"> ame="x" type="xs:int" maxOccurs="1"/> ``` -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Commented] (XERCESC-2188) Use-after-free on external DTD scan
[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17480656#comment-17480656 ] Even Rouault commented on XERCESC-2188: --- My attempt at fixing the issue in https://github.com/apache/xerces-c/pull/47 > Use-after-free on external DTD scan > --- > > Key: XERCESC-2188 > URL: https://issues.apache.org/jira/browse/XERCESC-2188 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) >Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, > 3.1.4, 3.2.1, 3.2.2 >Reporter: Scott Cantor >Priority: Major > Attachments: Apache-496067-disclosure-report.pdf > > > This is a record of an unfixed bug reported in 2018 in the DTD scanner, per > the attached PDF, corresponding to CVE-2018-1311. -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2235) DFAContentModel::buildDFA(): correctly zero-initialize fFollowList
Even Rouault created XERCESC-2235: - Summary: DFAContentModel::buildDFA(): correctly zero-initialize fFollowList Key: XERCESC-2235 URL: https://issues.apache.org/jira/browse/XERCESC-2235 Project: Xerces-C++ Issue Type: Bug Reporter: Even Rouault Due to a copy issue, the intended zero-initialization of fFollowList wasn't done (copy issue), and thus in case of OutOfMemory exception when initializing the array, the memory freeing in cleanup() could access uninitialized elements. Follow-up of https://github.com/apache/xerces-c/pull/40 / a65990d79d3fc333d7481f010da4e165a88b6cb3 Fixes GDAL's https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42636 -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2233) DFAContentModel::buildDFA(): fix memory leaks when OutOfMemoryException occurs
Even Rouault created XERCESC-2233: - Summary: DFAContentModel::buildDFA(): fix memory leaks when OutOfMemoryException occurs Key: XERCESC-2233 URL: https://issues.apache.org/jira/browse/XERCESC-2233 Project: Xerces-C++ Issue Type: Bug Reporter: Even Rouault Fixes GDAL's [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41335] -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2230) DFAContentModel::buildSyntaxTree(): fix memory leaks when OutOfMemoryException occurs
Even Rouault created XERCESC-2230: - Summary: DFAContentModel::buildSyntaxTree(): fix memory leaks when OutOfMemoryException occurs Key: XERCESC-2230 URL: https://issues.apache.org/jira/browse/XERCESC-2230 Project: Xerces-C++ Issue Type: Bug Reporter: Even Rouault Fixes GDAL's [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40866] -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2229) IGXMLScanner::scanDocTypeDecl(): fix memory leak on exception
Even Rouault created XERCESC-2229: - Summary: IGXMLScanner::scanDocTypeDecl(): fix memory leak on exception Key: XERCESC-2229 URL: https://issues.apache.org/jira/browse/XERCESC-2229 Project: Xerces-C++ Issue Type: Improvement Reporter: Even Rouault The method can leak pubId and sysId when subsequent call to fReaderMgr.skipPastSpaces() throws an exception (e.g. a TranscodingException) -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2228) DFAContentModel: fix memory leaks when OutOfMemoryException occurs
Even Rouault created XERCESC-2228: - Summary: DFAContentModel: fix memory leaks when OutOfMemoryException occurs Key: XERCESC-2228 URL: https://issues.apache.org/jira/browse/XERCESC-2228 Project: Xerces-C++ Issue Type: Improvement Reporter: Even Rouault Fixes GDAL's [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39159] -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2227) Memleak fixes in ContentSpecNode and ComplexTypeInfo classes
Even Rouault created XERCESC-2227: - Summary: Memleak fixes in ContentSpecNode and ComplexTypeInfo classes Key: XERCESC-2227 URL: https://issues.apache.org/jira/browse/XERCESC-2227 Project: Xerces-C++ Issue Type: Improvement Reporter: Even Rouault when a OutOfMemory exception occurs. Spotted by [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39127] (on GDAL) The commits are a bit in increasing order of triviality. The ownership rules of ContentSpecNode first and second members, as used by ComplexTypeInfo, are super complex. shared_ptr would be much welcome here! I can just tell that valgrind on my test case reports no double-free nor memory leak after those fixes -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2224) DFAContentModel::checkUniqueParticleAttribution (): speed enhancement
Even Rouault created XERCESC-2224: - Summary: DFAContentModel::checkUniqueParticleAttribution (): speed enhancement Key: XERCESC-2224 URL: https://issues.apache.org/jira/browse/XERCESC-2224 Project: Xerces-C++ Issue Type: Improvement Reporter: Even Rouault The complexity of this method is roughly O(n^3). Fuzzers can generate schemas with n = several thousands. The test fTransTable[i][j] == XMLContentModel::gInvalidTrans is independant of the k loop, and can thus being moved at a upper level to improve runtime. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2223) SAX2XMLReaderImpl::error(): potential memory leak
Even Rouault created XERCESC-2223: - Summary: SAX2XMLReaderImpl::error(): potential memory leak Key: XERCESC-2223 URL: https://issues.apache.org/jira/browse/XERCESC-2223 Project: Xerces-C++ Issue Type: Bug Reporter: Even Rouault SAX2XMLReaderImpl::error() uses the regular memory manager to create the SAXParseException. It might fail to fully initialize the object, and potentially throw an exception when building it, causing it to leak a bit. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2222) DFAContentModel::checkUniqueParticleAttribution(): fix memory leak
Even Rouault created XERCESC-: - Summary: DFAContentModel::checkUniqueParticleAttribution(): fix memory leak Key: XERCESC- URL: https://issues.apache.org/jira/browse/XERCESC- Project: Xerces-C++ Issue Type: Bug Components: Validating Parser (XML Schema) Reporter: Even Rouault If a memory allocation of conflictTable[] fails, or later in the function, the array is not freed. Fixes [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38533] -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2221) InMemMsgLoader::loadMsg(): fix memory leak when transcoding fails
Even Rouault created XERCESC-2221: - Summary: InMemMsgLoader::loadMsg(): fix memory leak when transcoding fails Key: XERCESC-2221 URL: https://issues.apache.org/jira/browse/XERCESC-2221 Project: Xerces-C++ Issue Type: Bug Components: Utilities Affects Versions: 3.2.3 Reporter: Even Rouault Seen with the IconvGNU transcoder when parsing "
[jira] [Updated] (XERCESC-2221) InMemMsgLoader::loadMsg(): fix memory leak when transcoding fails
[ https://issues.apache.org/jira/browse/XERCESC-2221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Even Rouault updated XERCESC-2221: -- Description: Seen with the IconvGNU transcoder when parsing " InMemMsgLoader::loadMsg(): fix memory leak when transcoding fails > - > > Key: XERCESC-2221 > URL: https://issues.apache.org/jira/browse/XERCESC-2221 > Project: Xerces-C++ > Issue Type: Bug > Components: Utilities >Affects Versions: 3.2.3 >Reporter: Even Rouault >Priority: Major > > Seen with the IconvGNU transcoder when parsing " The reason is that XMLString::transcode(repText2, manager) throws a > TranscodingException > which causes the tmp1 string to leak. > {noformat} > 0 0x8791409 in operator new(unsigned int) > /src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3 > 1 0xbd147f7 in xercesc_4_0::MemoryManagerImpl::allocate(unsigned int) > gdal/xerces-c/src/xercesc/internal/MemoryManagerImpl.cpp:40:18 > 2 0xbe8c73e in xercesc_4_0::IconvGNULCPTranscoder::transcode(char const*, > xercesc_4_0::MemoryManager*) > gdal/xerces-c/src/xercesc/util/Transcoders/IconvGNU/IconvGNUTransService.cpp:870:32 > 3 0xbc22ca2 in xercesc_4_0::XMLString::transcode(char const*, > xercesc_4_0::MemoryManager*) > gdal/xerces-c/src/xercesc/util/XMLString.cpp:621:25 > 4 0xbe8f4ad in xercesc_4_0::InMemMsgLoader::loadMsg(unsigned int, char16_t*, > unsigned int, char const*, char const*, char const*, char const*, > xercesc_4_0::MemoryManager*) > gdal/xerces-c/src/xercesc/util/MsgLoaders/InMemory/InMemMsgLoader.cpp:157:16 > 5 0xbc20175 in > xercesc_4_0::XMLException::loadExceptText(xercesc_4_0::XMLExcepts::Codes, > char const*, char const*, char const*, char const*) > gdal/xerces-c/src/xercesc/util/XMLException.cpp:241:23 > 6 0xbc48bee in > xercesc_4_0::UTFDataFormatException::UTFDataFormatException(char const*, > unsigned long long, xercesc_4_0::XMLExcepts::Codes, char const*, char const*, > char const*, char const*, xercesc_4_0::MemoryManager*) > gdal/xerces-c/src/xercesc/util/UTFDataFormatException.hpp:31:1 > 7 0xbc4824e in xercesc_4_0::XMLUTF8Transcoder::transcodeFrom(unsigned char > const*, unsigned int, char16_t*, unsigned int, unsigned int&, unsigned char*) > gdal/xerces-c/src/xercesc/util/XMLUTF8Transcoder.cpp:182:13 > 8 0xbd27d7e in xercesc_4_0::XMLReader::xcodeMoreChars(char16_t*, unsigned > char*, unsigned int) gdal/xerces-c/src/xercesc/internal/XMLReader.cpp:1926:34 > 9 0xbd271dd in xercesc_4_0::XMLReader::refreshCharBuffer() > gdal/xerces-c/src/xercesc/internal/XMLReader.cpp:571:19 > 10 0xbd15c63 in xercesc_4_0::XMLReader::peekNextChar(char16_t&) > gdal/xerces-c/src/xercesc/internal/XMLReader.hpp:767:14 > 11 0xbd15aaf in xercesc_4_0::ReaderMgr::peekNextChar() > gdal/xerces-c/src/xercesc/internal/ReaderMgr.cpp:158:21 > 12 0xbd328da in xercesc_4_0::XMLScanner::scanProlog() > gdal/xerces-c/src/xercesc/internal/XMLScanner.cpp:1241:45 > 13 0xbd31ef4 in xercesc_4_0::XMLScanner::scanFirst(xercesc_4_0::InputSource > const&, xercesc_4_0::XMLPScanToken&) > gdal/xerces-c/src/xercesc/internal/XMLScanner.cpp:549:9 > 14 0xbdadcff in > xercesc_4_0::SAX2XMLReaderImpl::parseFirst(xercesc_4_0::InputSource const&, > xercesc_4_0::XMLPScanToken&) > gdal/xerces-c/src/xercesc/parsers/SAX2XMLReaderImpl.cpp:500:22 {noformat} > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Updated] (XERCESC-2094) Memory leak related to invalid encoding
[ https://issues.apache.org/jira/browse/XERCESC-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Even Rouault updated XERCESC-2094: -- Description: Issue originally found through OSS-Fuzz on GDAL ( for reference https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1685 : the link will not be publicly accessible until 90 days have passe), but can be reproduced with Xerces-C SAX2Count utility. On the attached file, Valgrind reports a memory leak: The content of the file is: {{{ http://schemas.opengis.net/gml"/> }}} valgrind --leak-check=full /home/even/install-xerces-c-3.1.4/bin/SAX2Count xerces-c-leak.xml ==21268== Memcheck, a memory error detector ==21268== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==21268== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==21268== Command: /home/even/install-xerces-c-3.1.4/bin/SAX2Count /home/even/gdal/trunk/gdal/xerces-c-leak.xml ==21268== Fatal Error at file /home/even/gdal/trunk/gdal/xerces-c-leak.xml, line 1, char 35 Message: unable to create converter for 'U' encoding ==21268== ==21268== HEAP SUMMARY: ==21268== in use at exit: 76,348 bytes in 10 blocks ==21268== total heap usage: 9,244 allocs, 9,234 frees, 1,282,907 bytes allocated ==21268== ==21268== 52 (40 direct, 12 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 10 ==21268==at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21268==by 0x4FF9B58: xercesc_3_1::MemoryManagerImpl::allocate(unsigned long) (MemoryManagerImpl.cpp:40) ==21268==by 0x4F7EE05: xercesc_3_1::XMemory::operator new(unsigned long, xercesc_3_1::MemoryManager*) (XMemory.cpp:68) ==21268==by 0x4F7E660: xercesc_3_1::ENameMapFor::makeNew(unsigned long, xercesc_3_1::MemoryManager*) const (TransENameMap.c:50) ==21268==by 0x4F7AF20: xercesc_3_1::XMLTransService::makeNewTranscoderFor(unsigned short const*, xercesc_3_1::XMLTransService::Codes&, unsigned long, xercesc_3_1::MemoryManager*) (TransService.cpp:147) ==21268==by 0x5010A75: xercesc_3_1::XMLReader::refreshCharBuffer() (XMLReader.cpp:523) ==21268==by 0x4FFA5AA: peekNextChar (XMLReader.hpp:767) ==21268==by 0x4FFA5AA: xercesc_3_1::ReaderMgr::peekNextChar() (ReaderMgr.cpp:158) ==21268==by 0x5016297: xercesc_3_1::XMLScanner::scanProlog() (XMLScanner.cpp:1238) ==21268==by 0x4FEE371: xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) (IGXMLScanner.cpp:206) ==21268==by 0x5017E6D: xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) (XMLScanner.cpp:400) ==21268==by 0x5018221: xercesc_3_1::XMLScanner::scanDocument(char const*) (XMLScanner.cpp:408) ==21268==by 0x5044F47: xercesc_3_1::SAX2XMLReaderImpl::parse(char const*) (SAX2XMLReaderImpl.cpp:451) ==21268== ==21268== LEAK SUMMARY: ==21268==definitely lost: 40 bytes in 1 blocks ==21268==indirectly lost: 12 bytes in 1 blocks ==21268== possibly lost: 0 bytes in 0 blocks ==21268==still reachable: 76,296 bytes in 8 blocks ==21268== suppressed: 0 bytes in 0 blocks ==21268== Reachable blocks (those to which a pointer was found) are not shown. ==21268== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==21268== ==21268== For counts of detected and suppressed errors, rerun with: -v ==21268== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) I've found that the leak occurs only if the following conditions are met: there is a newline character between https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1685 : the link will not be publicly accessible until 90 days have passe), but can be reproduced with Xerces-C SAX2Count utility. On the attached file, Valgrind reports a memory leak: The content of the file is: {{{ http://schemas.opengis.net/gml"/> }}} valgrind --leak-check=full /home/even/install-xerces-c-3.1.4/bin/SAX2Count xerces-c-leak.xml ==21268== Memcheck, a memory error detector ==21268== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==21268== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==21268== Command: /home/even/install-xerces-c-3.1.4/bin/SAX2Count /home/even/gdal/trunk/gdal/xerces-c-leak.xml ==21268== Fatal Error at file /home/even/gdal/trunk/gdal/xerces-c-leak.xml, line 1, char 35 Message: unable to create converter for 'U' encoding ==21268== ==21268== HEAP SUMMARY: ==21268== in use at exit: 76,348 bytes in 10 blocks ==21268== total heap usage: 9,244 allocs, 9,234 frees, 1,282,907 bytes allocated ==21268== ==21268== 52 (40 direct, 12 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 10 ==21268==at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21268==by 0x4FF9B58: xercesc_3_1::MemoryManagerImpl::allocate(unsigned long) (MemoryManagerImpl.cpp:40) ==21268==
[jira] [Created] (XERCESC-2094) Memory leak related to invalid encoding
Even Rouault created XERCESC-2094: - Summary: Memory leak related to invalid encoding Key: XERCESC-2094 URL: https://issues.apache.org/jira/browse/XERCESC-2094 Project: Xerces-C++ Issue Type: Bug Affects Versions: 3.1.4, 3.1.3 Environment: Probably all. In that case Ubuntu 16.04 x86_64 Reporter: Even Rouault Attachments: xerces-c-leak.xml Issue originally found through OSS-Fuzz on GDAL ( for reference https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1685 : the link will not be publicly accessible until 90 days have passe), but can be reproduced with Xerces-C SAX2Count utility. On the attached file, Valgrind reports a memory leak: The content of the file is: {{{ http://schemas.opengis.net/gml"/> }}} valgrind --leak-check=full /home/even/install-xerces-c-3.1.4/bin/SAX2Count xerces-c-leak.xml ==21268== Memcheck, a memory error detector ==21268== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==21268== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==21268== Command: /home/even/install-xerces-c-3.1.4/bin/SAX2Count /home/even/gdal/trunk/gdal/xerces-c-leak.xml ==21268== Fatal Error at file /home/even/gdal/trunk/gdal/xerces-c-leak.xml, line 1, char 35 Message: unable to create converter for 'U' encoding ==21268== ==21268== HEAP SUMMARY: ==21268== in use at exit: 76,348 bytes in 10 blocks ==21268== total heap usage: 9,244 allocs, 9,234 frees, 1,282,907 bytes allocated ==21268== ==21268== 52 (40 direct, 12 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 10 ==21268==at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21268==by 0x4FF9B58: xercesc_3_1::MemoryManagerImpl::allocate(unsigned long) (MemoryManagerImpl.cpp:40) ==21268==by 0x4F7EE05: xercesc_3_1::XMemory::operator new(unsigned long, xercesc_3_1::MemoryManager*) (XMemory.cpp:68) ==21268==by 0x4F7E660: xercesc_3_1::ENameMapFor::makeNew(unsigned long, xercesc_3_1::MemoryManager*) const (TransENameMap.c:50) ==21268==by 0x4F7AF20: xercesc_3_1::XMLTransService::makeNewTranscoderFor(unsigned short const*, xercesc_3_1::XMLTransService::Codes&, unsigned long, xercesc_3_1::MemoryManager*) (TransService.cpp:147) ==21268==by 0x5010A75: xercesc_3_1::XMLReader::refreshCharBuffer() (XMLReader.cpp:523) ==21268==by 0x4FFA5AA: peekNextChar (XMLReader.hpp:767) ==21268==by 0x4FFA5AA: xercesc_3_1::ReaderMgr::peekNextChar() (ReaderMgr.cpp:158) ==21268==by 0x5016297: xercesc_3_1::XMLScanner::scanProlog() (XMLScanner.cpp:1238) ==21268==by 0x4FEE371: xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) (IGXMLScanner.cpp:206) ==21268==by 0x5017E6D: xercesc_3_1::XMLScanner::scanDocument(unsigned short const*) (XMLScanner.cpp:400) ==21268==by 0x5018221: xercesc_3_1::XMLScanner::scanDocument(char const*) (XMLScanner.cpp:408) ==21268==by 0x5044F47: xercesc_3_1::SAX2XMLReaderImpl::parse(char const*) (SAX2XMLReaderImpl.cpp:451) ==21268== ==21268== LEAK SUMMARY: ==21268==definitely lost: 40 bytes in 1 blocks ==21268==indirectly lost: 12 bytes in 1 blocks ==21268== possibly lost: 0 bytes in 0 blocks ==21268==still reachable: 76,296 bytes in 8 blocks ==21268== suppressed: 0 bytes in 0 blocks ==21268== Reachable blocks (those to which a pointer was found) are not shown. ==21268== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==21268== ==21268== For counts of detected and suppressed errors, rerun with: -v ==21268== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) I've found that the leak occurs only if the following conditions are met: there is a newline character between