[jira] [Resolved] (XERCESC-2066) Exception handling mistake in DTDScanner
[ https://issues.apache.org/jira/browse/XERCESC-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Scott Cantor resolved XERCESC-2066. --- Resolution: Fixed Applied to trunk, r1799527. > Exception handling mistake in DTDScanner > > > Key: XERCESC-2066 > URL: https://issues.apache.org/jira/browse/XERCESC-2066 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) >Affects Versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3 >Reporter: Scott Cantor >Assignee: Scott Cantor > Fix For: 3.2.0, 3.1.4 > > > Index: src/xercesc/validators/DTD/DTDScanner.cpp > ==The DTDScanner > fails to account for the fact that peeking characters in the XMLReader class > can raise an exception if an invalid character is encountered, and the > exception crosses stack frames in an unsafe way that causes a higher level > exception handler to access an already-freed object. > The proposed patch below traps the exception locally and records the parser > error in the appropriate frame. > We should also review the code for other calls to the XMLReader methods that > can throw. > {code} > --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) > +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) > @@ -2509,7 +2509,15 @@ > { > while (true) > { > -const XMLCh nextCh = fReaderMgr->peekNextChar(); > +XMLCh nextCh; > + > +try { > +nextCh = fReaderMgr->peekNextChar(); > +} > +catch (XMLException& ex) { > +fScanner->emitError(XMLErrs::XMLException_Fatal, > ex.getCode(), ex.getMessage(), NULL, NULL); > +nextCh = chNull; > +} > > if (!nextCh) > { > {code} -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Commented] (XERCESC-2066) Exception handling mistake in DTDScanner
[ https://issues.apache.org/jira/browse/XERCESC-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15683618#comment-15683618 ] Scott Cantor commented on XERCESC-2066: --- I don't know or care, 2.x has been EOL for many years. > Exception handling mistake in DTDScanner > > > Key: XERCESC-2066 > URL: https://issues.apache.org/jira/browse/XERCESC-2066 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) >Affects Versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3 >Reporter: Scott Cantor >Assignee: Scott Cantor > Fix For: 3.2.0, 3.1.4 > > > Index: src/xercesc/validators/DTD/DTDScanner.cpp > ==The DTDScanner > fails to account for the fact that peeking characters in the XMLReader class > can raise an exception if an invalid character is encountered, and the > exception crosses stack frames in an unsafe way that causes a higher level > exception handler to access an already-freed object. > The proposed patch below traps the exception locally and records the parser > error in the appropriate frame. > We should also review the code for other calls to the XMLReader methods that > can throw. > {code} > --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) > +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) > @@ -2509,7 +2509,15 @@ > { > while (true) > { > -const XMLCh nextCh = fReaderMgr->peekNextChar(); > +XMLCh nextCh; > + > +try { > +nextCh = fReaderMgr->peekNextChar(); > +} > +catch (XMLException& ex) { > +fScanner->emitError(XMLErrs::XMLException_Fatal, > ex.getCode(), ex.getMessage(), NULL, NULL); > +nextCh = chNull; > +} > > if (!nextCh) > { > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Commented] (XERCESC-2066) Exception handling mistake in DTDScanner
[ https://issues.apache.org/jira/browse/XERCESC-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15679729#comment-15679729 ] Moti commented on XERCESC-2066: --- Hi Scott, You specified that the affected versions are 3.1.0, 3.1.1, 3.1.2, 3.1.3. However, the NVD says (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2099) that all the versions below 3.1.3 are vulnerable to this (CVE-2016-2099) security issue. I wanted to ask specifically for v2.7 whether it's vulnerable to it or not. Can you put some light here? Thanks! > Exception handling mistake in DTDScanner > > > Key: XERCESC-2066 > URL: https://issues.apache.org/jira/browse/XERCESC-2066 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) >Affects Versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3 >Reporter: Scott Cantor >Assignee: Scott Cantor > Fix For: 3.2.0, 3.1.4 > > > Index: src/xercesc/validators/DTD/DTDScanner.cpp > ==The DTDScanner > fails to account for the fact that peeking characters in the XMLReader class > can raise an exception if an invalid character is encountered, and the > exception crosses stack frames in an unsafe way that causes a higher level > exception handler to access an already-freed object. > The proposed patch below traps the exception locally and records the parser > error in the appropriate frame. > We should also review the code for other calls to the XMLReader methods that > can throw. > {code} > --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) > +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) > @@ -2509,7 +2509,15 @@ > { > while (true) > { > -const XMLCh nextCh = fReaderMgr->peekNextChar(); > +XMLCh nextCh; > + > +try { > +nextCh = fReaderMgr->peekNextChar(); > +} > +catch (XMLException& ex) { > +fScanner->emitError(XMLErrs::XMLException_Fatal, > ex.getCode(), ex.getMessage(), NULL, NULL); > +nextCh = chNull; > +} > > if (!nextCh) > { > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
RE: XERCESC-2066 (Exception handling mistake in DTDScanner)
Thank you for clarification. Regards, Vladimir. -Original Message- From: Cantor, Scott [mailto:canto...@osu.edu] Sent: October-21-16 1:24 PM To: c-dev@xerces.apache.org Subject: RE: XERCESC-2066 (Exception handling mistake in DTDScanner) > Hi Scott, > I checked Xerces 3.1.4 sources( > src/xercesc/validators/DTD/DTDScanner.cpp) > > The fix is missing in them. > const XMLCh nextCh = fReaderMgr->peekNextChar(); calls without try > catch . The fix I intended to aply is in 3.1.4 and I just verified that. -- Scott - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
RE: XERCESC-2066 (Exception handling mistake in DTDScanner)
Hi Scott, I checked Xerces 3.1.4 sources( src/xercesc/validators/DTD/DTDScanner.cpp) The fix is missing in them. const XMLCh nextCh = fReaderMgr->peekNextChar(); calls without try catch . Does the fix will be in Xerces 3.1.5? Regards, Vladimir. -Original Message- From: Cantor, Scott [mailto:canto...@osu.edu] Sent: October-21-16 12:52 PM To: c-dev@xerces.apache.org Subject: RE: XERCESC-2066 (Exception handling mistake in DTDScanner) > > Does somebody know when it will be fixed in official patch? > > Months ago? > > https://urldefense.proofpoint.com/v2/url?u=http-3A__svn.apache.org_viewvc-3Fview-3Drevision-26revision-3D1747619=DQIFAg=ZgVRmm3mf2P1-XDAyDsu4A=Go-zk3wwFXw3zk6IKI5viJn9Qf3N2dP8AA11tevsqfk=Z1iJtUb3kO64ypZrVXuv_5eWJsIAENmMp9gowKA4Kco=2RYr1B-G8DJYMTi7wK98HImnweDSBSo-ixJ5NOgrhp0= > Meant to link to advisory. https://urldefense.proofpoint.com/v2/url?u=http-3A__xerces.apache.org_xerces-2Dc_secadv_CVE-2D2016-2D4463.txt=DQIFAg=ZgVRmm3mf2P1-XDAyDsu4A=Go-zk3wwFXw3zk6IKI5viJn9Qf3N2dP8AA11tevsqfk=Z1iJtUb3kO64ypZrVXuv_5eWJsIAENmMp9gowKA4Kco=a_7XsYlyztGFIc2FHL-UqwUj0ZePqrh2W9MyMb3kotk= > -- Scott - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
RE: XERCESC-2066 (Exception handling mistake in DTDScanner)
> > Does somebody know when it will be fixed in official patch? > > Months ago? > > http://svn.apache.org/viewvc?view=revision=1747619 Meant to link to advisory. http://xerces.apache.org/xerces-c/secadv/CVE-2016-4463.txt > -- Scott - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
RE: XERCESC-2066 (Exception handling mistake in DTDScanner)
> Does somebody know when it will be fixed in official patch? Months ago? http://svn.apache.org/viewvc?view=revision=1747619 Red Hat still hasn't backported it to my knowledge. -- Scott - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
XERCESC-2066 (Exception handling mistake in DTDScanner)
Hi National Vulnerability Database https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2099 tracks https://issues.apache.org/jira/browse/XERCESC-2066 as a Critical Vulnerability issue. Does somebody know when it will be fixed in official patch? Regards, Vladimir. - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Updated] (XERCESC-2066) Exception handling mistake in DTDScanner
[ https://issues.apache.org/jira/browse/XERCESC-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Scott Cantor updated XERCESC-2066: -- Fix Version/s: 3.2.0 > Exception handling mistake in DTDScanner > > > Key: XERCESC-2066 > URL: https://issues.apache.org/jira/browse/XERCESC-2066 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) >Affects Versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3 >Reporter: Scott Cantor >Assignee: Scott Cantor > Fix For: 3.2.0, 3.1.4 > > > Index: src/xercesc/validators/DTD/DTDScanner.cpp > ==The DTDScanner > fails to account for the fact that peeking characters in the XMLReader class > can raise an exception if an invalid character is encountered, and the > exception crosses stack frames in an unsafe way that causes a higher level > exception handler to access an already-freed object. > The proposed patch below traps the exception locally and records the parser > error in the appropriate frame. > We should also review the code for other calls to the XMLReader methods that > can throw. > {code} > --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) > +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) > @@ -2509,7 +2509,15 @@ > { > while (true) > { > -const XMLCh nextCh = fReaderMgr->peekNextChar(); > +XMLCh nextCh; > + > +try { > +nextCh = fReaderMgr->peekNextChar(); > +} > +catch (XMLException& ex) { > +fScanner->emitError(XMLErrs::XMLException_Fatal, > ex.getCode(), ex.getMessage(), NULL, NULL); > +nextCh = chNull; > +} > > if (!nextCh) > { > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Updated] (XERCESC-2066) Exception handling mistake in DTDScanner
[ https://issues.apache.org/jira/browse/XERCESC-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Scott Cantor updated XERCESC-2066: -- Fix Version/s: 3.1.4 > Exception handling mistake in DTDScanner > > > Key: XERCESC-2066 > URL: https://issues.apache.org/jira/browse/XERCESC-2066 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) >Affects Versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3 >Reporter: Scott Cantor >Assignee: Scott Cantor > Fix For: 3.2.0, 3.1.4 > > > Index: src/xercesc/validators/DTD/DTDScanner.cpp > ==The DTDScanner > fails to account for the fact that peeking characters in the XMLReader class > can raise an exception if an invalid character is encountered, and the > exception crosses stack frames in an unsafe way that causes a higher level > exception handler to access an already-freed object. > The proposed patch below traps the exception locally and records the parser > error in the appropriate frame. > We should also review the code for other calls to the XMLReader methods that > can throw. > {code} > --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) > +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) > @@ -2509,7 +2509,15 @@ > { > while (true) > { > -const XMLCh nextCh = fReaderMgr->peekNextChar(); > +XMLCh nextCh; > + > +try { > +nextCh = fReaderMgr->peekNextChar(); > +} > +catch (XMLException& ex) { > +fScanner->emitError(XMLErrs::XMLException_Fatal, > ex.getCode(), ex.getMessage(), NULL, NULL); > +nextCh = chNull; > +} > > if (!nextCh) > { > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Created] (XERCESC-2066) Exception handling mistake in DTDScanner
Scott Cantor created XERCESC-2066: - Summary: Exception handling mistake in DTDScanner Key: XERCESC-2066 URL: https://issues.apache.org/jira/browse/XERCESC-2066 Project: Xerces-C++ Issue Type: Bug Components: Validating Parser (DTD) Affects Versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3 Reporter: Scott Cantor Assignee: Scott Cantor Index: src/xercesc/validators/DTD/DTDScanner.cpp ==The DTDScanner fails to account for the fact that peeking characters in the XMLReader class can raise an exception if an invalid character is encountered, and the exception crosses stack frames in an unsafe way that causes a higher level exception handler to access an already-freed object. The proposed patch below traps the exception locally and records the parser error in the appropriate frame. We should also review the code for other calls to the XMLReader methods that can throw. --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) @@ -2509,7 +2509,15 @@ { while (true) { -const XMLCh nextCh = fReaderMgr->peekNextChar(); +XMLCh nextCh; + +try { +nextCh = fReaderMgr->peekNextChar(); +} +catch (XMLException& ex) { +fScanner->emitError(XMLErrs::XMLException_Fatal, ex.getCode(), ex.getMessage(), NULL, NULL); +nextCh = chNull; +} if (!nextCh) { -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org
[jira] [Updated] (XERCESC-2066) Exception handling mistake in DTDScanner
[ https://issues.apache.org/jira/browse/XERCESC-2066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Scott Cantor updated XERCESC-2066: -- Description: Index: src/xercesc/validators/DTD/DTDScanner.cpp ==The DTDScanner fails to account for the fact that peeking characters in the XMLReader class can raise an exception if an invalid character is encountered, and the exception crosses stack frames in an unsafe way that causes a higher level exception handler to access an already-freed object. The proposed patch below traps the exception locally and records the parser error in the appropriate frame. We should also review the code for other calls to the XMLReader methods that can throw. {code} --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) @@ -2509,7 +2509,15 @@ { while (true) { -const XMLCh nextCh = fReaderMgr->peekNextChar(); +XMLCh nextCh; + +try { +nextCh = fReaderMgr->peekNextChar(); +} +catch (XMLException& ex) { +fScanner->emitError(XMLErrs::XMLException_Fatal, ex.getCode(), ex.getMessage(), NULL, NULL); +nextCh = chNull; +} if (!nextCh) { {code} was: Index: src/xercesc/validators/DTD/DTDScanner.cpp ==The DTDScanner fails to account for the fact that peeking characters in the XMLReader class can raise an exception if an invalid character is encountered, and the exception crosses stack frames in an unsafe way that causes a higher level exception handler to access an already-freed object. The proposed patch below traps the exception locally and records the parser error in the appropriate frame. We should also review the code for other calls to the XMLReader methods that can throw. --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) @@ -2509,7 +2509,15 @@ { while (true) { -const XMLCh nextCh = fReaderMgr->peekNextChar(); +XMLCh nextCh; + +try { +nextCh = fReaderMgr->peekNextChar(); +} +catch (XMLException& ex) { +fScanner->emitError(XMLErrs::XMLException_Fatal, ex.getCode(), ex.getMessage(), NULL, NULL); +nextCh = chNull; +} if (!nextCh) { > Exception handling mistake in DTDScanner > ---- > > Key: XERCESC-2066 > URL: https://issues.apache.org/jira/browse/XERCESC-2066 > Project: Xerces-C++ > Issue Type: Bug > Components: Validating Parser (DTD) >Affects Versions: 3.1.0, 3.1.1, 3.1.2, 3.1.3 >Reporter: Scott Cantor >Assignee: Scott Cantor > > Index: src/xercesc/validators/DTD/DTDScanner.cpp > ==The DTDScanner > fails to account for the fact that peeking characters in the XMLReader class > can raise an exception if an invalid character is encountered, and the > exception crosses stack frames in an unsafe way that causes a higher level > exception handler to access an already-freed object. > The proposed patch below traps the exception locally and records the parser > error in the appropriate frame. > We should also review the code for other calls to the XMLReader methods that > can throw. > {code} > --- src/xercesc/validators/DTD/DTDScanner.cpp (revision 1741478) > +++ src/xercesc/validators/DTD/DTDScanner.cpp (working copy) > @@ -2509,7 +2509,15 @@ > { > while (true) > { > -const XMLCh nextCh = fReaderMgr->peekNextChar(); > +XMLCh nextCh; > + > +try { > +nextCh = fReaderMgr->peekNextChar(); > +} > +catch (XMLException& ex) { > +fScanner->emitError(XMLErrs::XMLException_Fatal, > ex.getCode(), ex.getMessage(), NULL, NULL); > +nextCh = chNull; > +} > > if (!nextCh) > { > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org For additional commands, e-mail: c-dev-h...@xerces.apache.org