[jira] [Updated] (XERCESC-2241) Integer overflows in DFAContentModel class

2022-10-05 Thread Scott Cantor (Jira)


 [ https://issues.apache.org/jira/browse/XERCESC-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor updated XERCESC-2241:
--
Fix Version/s: 4.0.0

> Integer overflows in DFAContentModel class
> --
>
> Key: XERCESC-2241
> URL: https://issues.apache.org/jira/browse/XERCESC-2241
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (XML Schema)
> Affects Versions: 3.2.3
> Reporter: Even Rouault
> Assignee: Scott Cantor
> Priority: Major
> Fix For: 4.0.0, 3.2.4
>
>
> On .xsd files like the following ones (generated by ossfuzz, so broken), 
> integer overflows can happen in DFAContentModel::countLeafNodes() and 
> DFAContentModel::buildDFA() which can later cause out-of-bounds access.
> Found in [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025]
>  
> ```
> http://www.w3.org/2001/XMLSchema;
>            xmlns:myns="http://myns;
>            targetNamespace="http://myns;
>            elementFormDefault="qualified" attributeFormDefault="unqualified">
> 
>   
>      
>         
>       
>   
> 
> 
>   
>       
>       
>         
>             
>  ame="x" type="xs:int" maxOccurs="1"/>
>             
>         
>       
>   
> 
> 
> ```



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
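
An added illustration of the bug class named in the report, not code from Xerces-C++ or from the issue: a leaf count held in a 32-bit integer wraps, so anything sized from it is too small for the nodes that are later indexed. The `Node` type, the `Repeat` expansion rule and every function name here are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical, simplified content-model node; not Xerces-C++'s own type.
struct Node {
    enum Kind { Leaf, Sequence, Repeat } kind = Leaf;
    uint32_t repeat = 1;          // Repeat only: copies of the children to expand
    std::vector<Node> children;
};

// Unchecked: 32-bit arithmetic silently wraps on large expansions.
uint32_t countLeavesUnchecked(const Node& n) {
    if (n.kind == Node::Leaf) return 1;
    uint32_t total = 0;
    for (const Node& c : n.children) total += countLeavesUnchecked(c);
    return n.kind == Node::Repeat ? total * n.repeat : total;
}

// Checked: returns false instead of producing a wrapped count.
bool countLeavesChecked(const Node& n, uint32_t& out) {
    const uint32_t kMax = std::numeric_limits<uint32_t>::max();
    if (n.kind == Node::Leaf) { out = 1; return true; }
    uint32_t total = 0;
    for (const Node& c : n.children) {
        uint32_t sub = 0;
        if (!countLeavesChecked(c, sub) || sub > kMax - total) return false;  // sum would wrap
        total += sub;
    }
    if (n.kind == Node::Repeat) {
        if (total != 0 && n.repeat > kMax / total) return false;  // product would wrap
        total *= n.repeat;
    }
    out = total;
    return true;
}

// Constructed input: 65536 x (65536 x one leaf) = 2^32 leaves.
Node makeNested() {
    Node inner; inner.kind = Node::Repeat; inner.repeat = 65536; inner.children.push_back(Node());
    Node outer; outer.kind = Node::Repeat; outer.repeat = 65536; outer.children.push_back(inner);
    return outer;
}

int main() {
    uint32_t n = 0;
    Node big = makeNested();
    std::printf("unchecked=%u checked_ok=%d\n", (unsigned)countLeavesUnchecked(big), (int)countLeavesChecked(big, n));
    return 0;
}
```

The unchecked count for the constructed input wraps to 0, which is the kind of value that makes a later allocation or index computation disagree with the real tree size.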



[jira] [Updated] (XERCESC-2241) Integer overflows in DFAContentModel class

2022-10-05 Thread Scott Cantor (Jira)


 [ https://issues.apache.org/jira/browse/XERCESC-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor updated XERCESC-2241:
--
Affects Version/s: 3.2.3

> Integer overflows in DFAContentModel class
> --
>
> Key: XERCESC-2241
> URL: https://issues.apache.org/jira/browse/XERCESC-2241
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (XML Schema)
> Affects Versions: 3.2.3
> Reporter: Even Rouault
> Assignee: Scott Cantor
> Priority: Major
> Fix For: 3.2.4
>
>






[jira] [Updated] (XERCESC-2241) Integer overflows in DFAContentModel class

2022-10-05 Thread Scott Cantor (Jira)


 [ https://issues.apache.org/jira/browse/XERCESC-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor updated XERCESC-2241:
--
Fix Version/s: 3.2.4

> Integer overflows in DFAContentModel class
> --
>
> Key: XERCESC-2241
> URL: https://issues.apache.org/jira/browse/XERCESC-2241
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (XML Schema)
> Reporter: Even Rouault
> Assignee: Scott Cantor
> Priority: Major
> Fix For: 3.2.4
>
>


