Memory corruption when the encoding of the output of the transform is set to UTF-16 
------------------------------------------------------------------------------------

         Key: XALANC-438
         URL: http://nagoya.apache.org/jira/browse/XALANC-438
     Project: XalanC
        Type: Bug
  Components: XalanC  
    Versions: 1.6, 1.8    
 Environment: Windows
    Reporter: Bob Bisso


Memory corruption occurs when a large buffer, greater than 512 bytes

Memory corruption occurs when the encoding of the output of a transform is set to 
UTF-16 (either programmatically or by inserting "<xsl:output encoding='UTF-16' />" in 
the style sheet). The function FormatterToXML_UTF16::write() in the file 
FormatterToXML_UTF16.cpp (in "src\xalanc\XMLSupport" folder) is used in serializing 
the transformed output in UTF-16 encoding. It uses a buffer 512 characters long to 
store the output before writing it to the output device. At the top of the function, 
it attempts to check if the length of the data (in double byte characters) it is asked 
to write to the output device is bigger than the size of the buffer (in bytes). So the 
code to handle this is not executed due to this problem, and the code merrily goes 
along to write the data into the buffer, hence corrupting memory. There is a second 
problem, and that is in the code that actually handles the case where the length of 
the data exceeds the buffer size: it flushes the buffer, and then uses the wrong 
overloaded write() function to write the data to the output device.

Proposed fix, for FormatterToXML_UTF16::write() in the file FormatterToXML_UTF16.cpp, 
is as follows:

inline void
FormatterToXML_UTF16::write(
                        const XalanDOMChar*                     theChars,
                        XalanDOMString::size_type       theLength)
{
        // Compare against the buffer capacity in characters, not in bytes.
        if (theLength > sizeof(m_buffer)/sizeof(XalanDOMChar))
        {
                flushBuffer();

                // Too large to buffer: write the raw bytes straight to the output device.
                m_writer->write((const char*)theChars, 0, theLength * sizeof(XalanDOMChar));
        }
        else
        {
                // Make room first if the data does not fit in the space that is left.
                if (m_bufferRemaining < theLength)
                {
                        flushBuffer();
                }

                for(XalanDOMString::size_type i = 0; i < theLength; ++i)
                {
                        *m_bufferPosition = theChars[i];

                        ++m_bufferPosition;
                }

                m_bufferRemaining -= theLength;
        }
}
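
Added example (not part of the original report and not Xalan-C code): a self-contained model of the unit mismatch described above, showing which write lengths overflow a 512-character buffer yet pass a guard that compares against sizeof in bytes, next to a writer whose checks are all in characters. The names Utf16Writer, Unit, kUnits and the helper functions are hypothetical, and the 2-byte char16_t stands in for XalanDOMChar.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

typedef char16_t Unit;                  // assumed 2-byte code unit, stands in for XalanDOMChar
const std::size_t kUnits = 512;         // buffer capacity in code units

struct Utf16Writer {
    Unit        buf[kUnits];
    std::size_t used = 0;
    std::string sink;                   // stands in for the output device, receives raw bytes

    void flush() {
        sink.append(reinterpret_cast<const char*>(buf), used * sizeof(Unit));
        used = 0;
    }

    // Corrected logic: every comparison is in code units; bytes appear only at the sink.
    void write(const Unit* s, std::size_t n) {
        if (n > sizeof(buf) / sizeof(Unit)) {   // can never fit: bypass the buffer
            flush();                            // keep earlier output ahead of this data
            sink.append(reinterpret_cast<const char*>(s), n * sizeof(Unit));
            return;
        }
        if (kUnits - used < n) flush();         // make room before copying
        for (std::size_t i = 0; i < n; ++i) buf[used++] = s[i];
    }
};

// The flawed guard as the report describes it: a length in code units compared with a size in bytes.
bool flawed_guard_fires(std::size_t n) { return n > sizeof(Utf16Writer::buf); }

// True when n units do not fit in the buffer but the flawed guard still lets them be copied in.
bool slips_past_flawed_guard(std::size_t n) { return n > kUnits && !flawed_guard_fires(n); }

// Constructed input: two writes of a and b units; true if the sink holds exactly those bytes in order.
bool round_trip(std::size_t a, std::size_t b) {
    std::u16string x(a, u'A'), y(b, u'B'), all = x + y;
    Utf16Writer w;
    w.write(x.data(), a);
    w.write(y.data(), b);
    w.flush();
    return w.sink == std::string(reinterpret_cast<const char*>(all.data()), all.size() * sizeof(Unit));
}

int main() {
    std::printf("513 units slip past the byte-based guard: %d\n", slips_past_flawed_guard(513));
    return round_trip(300, 300) && round_trip(10, 2000) ? 0 : 1;
}
```

With 2-byte units, every length from 513 through 1024 falls in the gap between the two checks.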

