[GitHub] [xerces-c] scantor commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()
scantor commented on PR #47: URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1688246591 It has not, and I don't think it's even known that the fix is correct. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[GitHub] [xerces-c] johnjamesmccann commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()
johnjamesmccann commented on PR #47: URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1688282792

Thanks for your response Scott,

How does it get to be known that the "fix is correct."? It appears that the tests are passing and there are no regressions.

This hotfix is really important for one of our customers, so we would like to work with you to get it into the codebase.

Looking forward to your response
John
[GitHub] [xerces-c] johnjamesmccann commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()
johnjamesmccann commented on PR #47: URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1688371818

[Apache-496067-disclosure-report.pdf](https://github.com/apache/xerces-c/files/12409994/Apache-496067-disclosure-report.pdf)

Hello Scott

here is the vulnerability report as reported by the UK National Cyber Security Center, which outlines the vulnerability and even mentions the problematic lines which are part of the #47 thread

I have noted that @rleigh-codelibre comment on Feb 2, 2022 which states "the changes look good and the unit tests are passing and not reporting any leaks, so I think merging this should be fairly risk-free."

I will consider becoming a committer to this project to fix this vulnerability

Kind regards
John
[GitHub] [xerces-c] scantor commented on pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()
scantor commented on PR #47: URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1688414268

> I will consider becoming a committer to this project to fix this vulnerability

Only if you're in it for the long haul, it's a commitment (pun intended) to actually sustain the code base, not just a means of getting one fix applied.
[GitHub] [xerces-c] rleigh-codelibre closed pull request #16: XERCESC-2200: Update AppVeyor for VS2017 and vcpkg
rleigh-codelibre closed pull request #16: XERCESC-2200: Update AppVeyor for VS2017 and vcpkg URL: https://github.com/apache/xerces-c/pull/16
[GitHub] [xerces-c] DDoS opened a new pull request, #52: Fix macOS platform check when finding transcoders
DDoS opened a new pull request, #52: URL: https://github.com/apache/xerces-c/pull/52 The check must verify the target platform, instead of the host. This fixes cross-compiling on macOS. Also when targeting iOS, install(TARGET) commands require a BUNDLE destination for executables. This was missing for the samples.
[GitHub] [xerces-c] ffontaine commented on pull request #23: fix static linking with curl
ffontaine commented on PR #23: URL: https://github.com/apache/xerces-c/pull/23#issuecomment-1440532507 I'm closing this PR as building statically xerces has been disabled in buildroot
[GitHub] [xerces-c] ffontaine closed pull request #23: fix static linking with curl
ffontaine closed pull request #23: fix static linking with curl URL: https://github.com/apache/xerces-c/pull/23
[GitHub] [xerces-c] DDoS commented on pull request #52: Fix macOS platform check when finding transcoders
DDoS commented on PR #52: URL: https://github.com/apache/xerces-c/pull/52#issuecomment-1412150888 The cygwin build is failing because Cygwin fails to install. I doubt that's related to my changes.
[GitHub] [xerces-c] Torbjorn-Svensson opened a new pull request, #53: The windows.h header files is with lower case
Torbjorn-Svensson opened a new pull request, #53: URL: https://github.com/apache/xerces-c/pull/53 Contributed by STMicroelectronics
[GitHub] [xerces-c] boris-kolpackov merged pull request #53: The windows.h header files is with lower case
boris-kolpackov merged PR #53: URL: https://github.com/apache/xerces-c/pull/53
[GitHub] [xerces-c] boris-kolpackov commented on pull request #53: The windows.h header files is with lower case
boris-kolpackov commented on PR #53: URL: https://github.com/apache/xerces-c/pull/53#issuecomment-1584340715 Merged to `master` and `xerces-3.2`, thanks! Not sure about CI build failures, someone else will need to look into this.
[GitHub] [xerces-c] rleigh-codelibre commented on pull request #53: The windows.h header files is with lower case
rleigh-codelibre commented on PR #53: URL: https://github.com/apache/xerces-c/pull/53#issuecomment-1584388338 The CI has been broken for some time, particularly the AppVeyor build environment. It needs updating, but I'm afraid I can no longer spend any time on this, and someone else will need to pick it up. I think AppVeyor is also using my credentials, so that might also need transferring. Ideally the CI needs switching over to use GitHub Actions to replace Travis, and ideally also AppVeyor.
[GitHub] [xerces-c] Torbjorn-Svensson commented on pull request #53: The windows.h header files is with lower case
Torbjorn-Svensson commented on PR #53: URL: https://github.com/apache/xerces-c/pull/53#issuecomment-1578649721 The build failure appears to be unrelated to the case change. Can someone look at why the windows build fails to install the required cygwin components?
[GitHub] [xerces-c] labossip commented on a diff in pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader()
labossip commented on code in PR #47: URL: https://github.com/apache/xerces-c/pull/47#discussion_r1231205312 ## src/xercesc/internal/ReaderMgr.cpp: ## @@ -1080,10 +1099,7 @@ bool ReaderMgr::popReader() // Delete the current reader and pop a new reader and entity off // the stacks. // -delete fCurReader; -fCurReader = fReaderStack->pop(); -fCurEntity = fEntityStack->pop(); - +popReaderAndEntity(); Review Comment: The call to popReaderAndEntity may delete fCurEntity. This will result in the deleted pointer being passed to the EndOfEntityException through prevEntity resulting in potential issues when this pointer is dereferenced in the code that handles the exception.
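Review bot: the retained comment above `popReaderAndEntity();` still reads "Delete the current reader and pop a new reader and entity off the stacks", which describes the three removed statements rather than the helper that replaces them. If the helper can free the entity as well as the reader, say so in that comment and state what remains valid after the call, so that later code in `popReader()` does not rely on a pointer obtained before it.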
Re: [PR] autotools: Add ws2_32 library for Windows platform [xerces-c]
Biswa96 closed pull request #50: autotools: Add ws2_32 library for Windows platform URL: https://github.com/apache/xerces-c/pull/50
Re: [PR] build: Install XercesMessages_en_US.cat to /usr/share/xerces-c/msg [xerces-c]
scantor commented on PR #7: URL: https://github.com/apache/xerces-c/pull/7#issuecomment-1843295992 I applied the patch directly as I cannot do that with GitHub due to their terms of service, this can be closed by somebody that knows how.
Re: [PR] [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader() [xerces-c]
boris-kolpackov closed pull request #47: [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader() URL: https://github.com/apache/xerces-c/pull/47
Re: [PR] [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader() [xerces-c]
boris-kolpackov commented on PR #47: URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1853495327

PR #54 has been merged:

`master`: https://github.com/apache/xerces-c/commit/b38ab79e934b9c27de191ee7af6926c7af42069d
`xerces-3.2`: https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835

So I am going to close this PR. Thanks for the idea of the fix, on which PR 54 is based!
Re: [PR] XERCESC-2188 - Use-after-free on external DTD scan [xerces-c]
boris-kolpackov commented on PR #54: URL: https://github.com/apache/xerces-c/pull/54#issuecomment-1853490361

This PR has been merged (with whitespace issues addressed):

`master`: https://github.com/apache/xerces-c/commit/b38ab79e934b9c27de191ee7af6926c7af42069d
`xerces-3.2`: https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835
Re: [PR] XERCESC-2188 - Use-after-free on external DTD scan [xerces-c]
boris-kolpackov closed pull request #54: XERCESC-2188 - Use-after-free on external DTD scan URL: https://github.com/apache/xerces-c/pull/54
[PR] Update version.rc.cmake.in [xerces-c]
ssattl opened a new pull request, #55: URL: https://github.com/apache/xerces-c/pull/55 The code page for translation must be set to Unicode instead of EN-US like in rc block.
Re: [PR] Update version.rc.cmake.in [xerces-c]
scantor commented on PR #55: URL: https://github.com/apache/xerces-c/pull/55#issuecomment-1881018330 This isn't a GitHub project, if you want patches considered, file issues at https://issues.apache.org
Re: [PR] [XERCESC-2188] Fix potential double-free in usage of ReaderMgr::pushReader() [xerces-c]
boris-kolpackov commented on PR #47: URL: https://github.com/apache/xerces-c/pull/47#issuecomment-1840893452 FYI: https://github.com/apache/xerces-c/pull/54
[PR] XERCESC-2188 - Use-after-free on external DTD scan [xerces-c]
boris-kolpackov opened a new pull request, #54: URL: https://github.com/apache/xerces-c/pull/54

These are the instructions for observing the bug (before this commit):

```
$ git clone https://github.com/apache/xerces-c.git
$ cd xerces-c
$ mkdir build
$ cd build
$ cmake -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Debug ..
$ make -j8
$ cp ../samples/data/personal.xml .
$ cat
```
Re: [PR] XERCESC-2188 - Use-after-free on external DTD scan [xerces-c]
boris-kolpackov commented on PR #54: URL: https://github.com/apache/xerces-c/pull/54#issuecomment-1840890853

This fix follows the same overall idea as https://github.com/apache/xerces-c/pull/47 with the following key differences:

1. It addresses the lifetime issue when throwing `EndOfEntityException` (mentioned in a review comment to that PR).
2. It is binary backwards-compatible so can be used for a patch release.

Besides the instructions for observing the bug under the debugger (and confirming that it is no longer observed after the fix), we've also added a direct test for `ReaderMgr` to our package of Xerces-C++ that can be used to reproduce the issues/confirm the fix:

https://github.com/build2-packaging/xerces-c/tree/3.2.5/libxerces-c/tests/reader-mgr

So the fix is reasonably well tested and we haven't observed any regressions. We've also run our CI which covers all the major platforms/compilers (but not in C++98):

https://ci.stage.build2.org/@2177ad08-5621-4300-807f-8861b54c54c0

I've also reviewed this patch and it looks good to me. Please review and/or test and let us know if there are any issues.

Note that while this commit is against the `master` branch, it can be cleanly cherry-picked to the `xerces-3.2` branch.
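A simplified model of the ownership problem discussed in this thread, added here as an illustration; it is not code from Xerces-C++ or from PR #47 or PR #54. `MiniReaderMgr`, `Reader`, `Entity` and the `std::unique_ptr` stack are assumptions; only the names `ReaderData`, `pushReaderAdoptEntity`, `getEntity` and the adopt-entity flag are taken from the hunks quoted in the thread.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-ins for XMLReader and XMLEntityDecl (not the Xerces-C++
// classes). The static counters track how many objects are still alive.
struct Reader {
    static int live;
    Reader() { ++live; }
    ~Reader() { --live; }
    Reader(const Reader&) = delete;
    Reader& operator=(const Reader&) = delete;
};
int Reader::live = 0;

struct Entity {
    static int live;
    std::string name;
    explicit Entity(std::string n) : name(std::move(n)) { ++live; }
    ~Entity() { --live; }
    Entity(const Entity&) = delete;
    Entity& operator=(const Entity&) = delete;
};
int Entity::live = 0;

// One stack entry: always owns the reader, owns the entity only if adopted.
class ReaderData {
public:
    ReaderData(Reader* reader, Entity* entity, bool adoptEntity)
        : reader_(reader), entity_(entity), adopted_(adoptEntity) {}
    ~ReaderData() {
        delete reader_;
        if (adopted_) delete entity_;
    }
    ReaderData(const ReaderData&) = delete;
    ReaderData& operator=(const ReaderData&) = delete;
    Entity* getEntity() const { return entity_; }
private:
    Reader* reader_;
    Entity* entity_;
    bool adopted_;
};

class MiniReaderMgr {
public:
    // Rejects a recursive entity expansion. On rejection the reader is freed,
    // and the entity too when the caller asked us to adopt it, so every exit
    // path frees each object exactly once. This model keeps the current entry
    // on the same vector, so it is part of the scan.
    bool pushReaderAdoptEntity(Reader* reader, Entity* entity, bool adoptEntity) {
        if (entity) {
            for (const auto& rd : stack_) {
                const Entity* e = rd->getEntity();
                if (e && e->name == entity->name) {
                    delete reader;
                    if (adoptEntity) delete entity;
                    return false;
                }
            }
        }
        stack_.push_back(std::unique_ptr<ReaderData>(
            new ReaderData(reader, entity, adoptEntity)));
        return true;
    }

    // Pops the current entry and reports which entity just ended.
    // Hazardous order (the one the review comment on PR #47 describes):
    //   prevEntity = current->getEntity(); destroy current; use prevEntity;
    // which leaves prevEntity dangling when the entity was adopted.
    bool popReader(std::string& endedEntityName) {
        if (stack_.empty()) return false;
        std::unique_ptr<ReaderData> prev = std::move(stack_.back());
        stack_.pop_back();
        // Everything that needs the old entity happens while 'prev' is alive.
        const Entity* prevEntity = prev->getEntity();
        endedEntityName = prevEntity ? prevEntity->name : std::string();
        return true;
    }   // 'prev' (reader and adopted entity) is destroyed here, after last use

private:
    std::vector<std::unique_ptr<ReaderData>> stack_;
};

// Adopted entity: popping must still be able to report its name.
std::string demo_ended_entity() {
    MiniReaderMgr mgr;
    mgr.pushReaderAdoptEntity(new Reader, nullptr, false);             // main document
    mgr.pushReaderAdoptEntity(new Reader, new Entity("ext-dtd"), true);
    std::string ended;
    mgr.popReader(ended);
    return ended;
}

// Second push of the same entity name is refused and must not leak.
bool demo_recursion_rejected() {
    Entity shared("e1");                       // owned by the caller, not adopted
    MiniReaderMgr mgr;
    bool first = mgr.pushReaderAdoptEntity(new Reader, &shared, false);
    bool second = mgr.pushReaderAdoptEntity(new Reader, new Entity("e1"), true);
    return first && !second;
}

int main() {
    std::cout << "ended entity: " << demo_ended_entity() << "\n";
    std::cout << "recursion rejected: " << demo_recursion_rejected() << "\n";
    std::cout << "live readers/entities: " << Reader::live << "/" << Entity::live << "\n";
    return 0;
}
```

Building the model with `-fsanitize=address` and swapping the order inside `popReader` to the hazardous one makes the use-after-free visible as a sanitizer report.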
Re: [PR] XERCESC-2188 - Use-after-free on external DTD scan [xerces-c]
theta682 commented on code in PR #54: URL: https://github.com/apache/xerces-c/pull/54#discussion_r1416808653 ## src/xercesc/internal/ReaderMgr.cpp: ## @@ -1020,7 +1070,9 @@ ReaderMgr::getLastExtEntity(const XMLEntityDecl*& itsEntity) const // search the stack; else, keep the reader that we've got since its // either an external entity reader or the main file reader. // -const XMLEntityDecl* curEntity = fCurEntity; +const XMLEntityDecl* curEntity = + fCurReaderData? fCurReaderData->getEntity() : 0; Review Comment: ```suggestion fCurReaderData? fCurReaderData->getEntity() : 0; ``` ## src/xercesc/internal/ReaderMgr.hpp: ## @@ -208,36 +214,96 @@ private : ReaderMgr(const ReaderMgr&); ReaderMgr& operator=(const ReaderMgr&); +// --- +// Private data types +// --- +class ReaderData : public XMemory +{ +public : + // - + // Constructors and Destructor + // - + ReaderData + (XMLReader* const reader + , XMLEntityDecl* const entity + , const bool adoptEntity + ); + + ~ReaderData(); + + // -- + // Getter methods + // -- + XMLReader* getReader() const; + XMLEntityDecl* getEntity() const; + bool getEntityAdopted() const; + + XMLEntityDecl* releaseEntity(); Review Comment: ```suggestion // - // Constructors and Destructor // - ReaderData (XMLReader* const reader , XMLEntityDecl* const entity , const bool adoptEntity ); ~ReaderData(); // -- // Getter methods // -- XMLReader* getReader() const; XMLEntityDecl* getEntity() const; bool getEntityAdopted() const; XMLEntityDecl* releaseEntity(); ``` ## src/xercesc/internal/ReaderMgr.hpp: ## 
@@ -208,36 +214,96 @@ private : ReaderMgr(const ReaderMgr&); ReaderMgr& operator=(const ReaderMgr&); +// --- +// Private data types +// --- +class ReaderData : public XMemory +{ +public : + // - + // Constructors and Destructor + // - + ReaderData + (XMLReader* const reader + , XMLEntityDecl* const entity + , const bool adoptEntity + ); + + ~ReaderData(); + + // -- + // Getter methods + // -- + XMLReader* getReader() const; + XMLEntityDecl* getEntity() const; + bool getEntityAdopted() const; + + XMLEntityDecl* releaseEntity(); + +private : + // - + // Unimplemented constructors and operators + // - + ReaderData(); + ReaderData(const ReaderData&); + ReaderData& operator=(const ReaderData&); + + // - + // Private data members + // + // fReader + // This is the pointer to the reader object that must be destroyed + // when this object is destroyed. + // + // fEntity + // fEntityAdopted + // This is the pointer to the entity object that, if adopted, must + // be destroyed when this object is destroyed. + // + // Note that we need to keep up with which of the pushed readers + // are pushed entity values that are being spooled. This is done + // to avoid the problem of recursive definitions. + // - + XMLReader* fReader; + XMLEntityDecl* fEntity; + bool fEntityAdopted; Review
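Review bot: in the `ReaderData` declaration, `releaseEntity()` is the one member whose contract is not covered by the comment block under "Private data members". Document whether it clears `fEntityAdopted`, so that `~ReaderData()` does not delete the entity afterwards, and who owns the returned `XMLEntityDecl*`. The paragraph about "pushed entity values that are being spooled" does not obviously describe `fReader`, `fEntity` or `fEntityAdopted` and could be dropped or reworded.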
Re: [PR] XERCESC-2188 - Use-after-free on external DTD scan [xerces-c]
boris-kolpackov commented on code in PR #54: URL: https://github.com/apache/xerces-c/pull/54#discussion_r1417168833 ## src/xercesc/internal/ReaderMgr.cpp: ## 
@@ -873,33 +921,50 @@ bool ReaderMgr::isScanningPERefOutOfLiteral() const return false; } - bool ReaderMgr::pushReader( XMLReader* constreader , XMLEntityDecl* constentity) +{ +return pushReaderAdoptEntity(reader, entity, false); +} + +bool ReaderMgr::pushReaderAdoptEntity( XMLReader* constreader + , XMLEntityDecl* constentity + , const bool adoptEntity) { // // First, if an entity was passed, we have to confirm that this entity -// is not already on the entity stack. If so, then this is a recursive +// is not already on the reader stack. If so, then this is a recursive // entity expansion, so we issue an error and refuse to put the reader // on the stack. // // If there is no entity passed, then its not an entity being pushed, so // nothing to do. If there is no entity stack yet, then of coures it // cannot already be there. // -if (entity && fEntityStack) +if (entity && fReaderStack) { -const XMLSize_t count = fEntityStack->size(); +// @@ Strangely, we don't check the entity at the top of the stack +//(fCurReaderData). Is it a bug? +// +const XMLSize_t count = fReaderStack->size(); const XMLCh* const theName = entity->getName(); for (XMLSize_t index = 0; index < count; index++) { -const XMLEntityDecl* curDecl = fEntityStack->elementAt(index); +const XMLEntityDecl* curDecl = + fReaderStack->elementAt(index)->getEntity(); + if (curDecl) { if (XMLString::equals(theName, curDecl->getName())) { -// Oops, already there so delete reader and return +// Oops, already there so delete reader and entity and +// return. +// delete reader; + +if (adoptEntity) + delete entity; Review Comment: Ok, thanks, we will fixup the final version of the commit. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
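Review bot: the `@@ Strangely, we don't check the entity at the top of the stack (fCurReaderData). Is it a bug?` marker inside the recursion check of `pushReaderAdoptEntity()` leaves an open question in the code. Either include the current entry's `getEntity()` in the name comparison or replace the marker with a comment saying why it is excluded. The comment a few lines above also still says "If there is no entity stack yet" while the condition now tests `fReaderStack`.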
Re: [PR] build: Install XercesMessages_en_US.cat to /usr/share/xerces-c/msg [xerces-c]
boris-kolpackov commented on PR #7: URL: https://github.com/apache/xerces-c/pull/7#issuecomment-1846909947 I am closing this per the above comment.
Re: [PR] build: Install XercesMessages_en_US.cat to /usr/share/xerces-c/msg [xerces-c]
boris-kolpackov closed pull request #7: build: Install XercesMessages_en_US.cat to /usr/share/xerces-c/msg URL: https://github.com/apache/xerces-c/pull/7
[PR] cmake: use enumerations for possible values, so that cmake-gui offers a drop-down selection [xerces-c]
dilyanpalauzov opened a new pull request, #57: URL: https://github.com/apache/xerces-c/pull/57

I have read on https://xerces.apache.org/xerces-c/source-repository.html that Jira.apache is the preferred way for submitting changesets, but it is unclear how long getting an account there will take.

The current change allows the cmake-gui (like `ccmake`) to offer the user a fixed enumeration of possible values, so that the user can select one from a drop-down menu. In case of `ccmake` the possible values are toggled by pressing enter and it is not anymore possible for the user to enter text as value.

I have very basic knowledge about cmake, so there might be a different way to achieve the same result. If a different way is preferred, please go forward with it, without asking me to adopt it.
[PR] Fix improper check for `mbrlen`/`mblen`, to deal with the configuration failure for Android below API level 26 [xerces-c]
zjyhjqs opened a new pull request, #56: URL: https://github.com/apache/xerces-c/pull/56

(I know this is not a GitHub project. But my application for a JIRA account hasn't been replied to yet.)

The usage place (`IconvLCPTranscoder::calcRequiredSize`) will check for the existence of `::mbrlen` first. If it is not present, it uses `::mblen` as an alternative.

https://github.com/apache/xerces-c/blob/5fe4f4b5a861fa8acf4bb66d3a2ad3e4396d68ec/src/xercesc/util/Transcoders/Iconv/IconvTransService.cpp#L237-L241

NDK doesn't provide the implementation of `::mblen` below API level 26. Checking only `HAVE_MBLEN` would result in a configuration failure.
Re: [PR] XERCESC-2208: XMLSize_t size_t revert [xerces-c]
Tyrben commented on PR #41: URL: https://github.com/apache/xerces-c/pull/41#issuecomment-2124463834 There is still one reference to type `XMLSSize_t` in _src/xalanc/Include/PlatformDefinitions.hpp.in_ l.123
Re: [PR] XERCESC-2208: XMLSize_t size_t revert [xerces-c]
boris-kolpackov commented on PR #41: URL: https://github.com/apache/xerces-c/pull/41#issuecomment-2124857712

> ... in `src/xalanc/...`

Hm, this seems to be about Xalan, not Xerces-C?