DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14494>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14494 buffer overruns in Win32LCPTranscoder::transcode()? Summary: buffer overruns in Win32LCPTranscoder::transcode()? Product: Xerces-C++ Version: 2.1.0 Platform: PC OS/Version: Windows NT/2K Status: NEW Severity: Normal Priority: Other Component: Utilities AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Most of the variants of Win32LCPTranscoder::transcode() contain code like mbstowcs(toFill, toTranscode, maxChars + 1) where maxChars is the buffer size passed into XMLString::transcode() by the client application. I'm finding my stack gets blown if I try to transcode 8 or 16 character strings (tried a whole bunch; no particular characters seem special), but everything works fine if I pad my toFill buffers by one element. It seems like something this blatant would probably have been caught by now, but the maxChars + 1 bit is the obvious culprit, as it allows mbstowcs() to overrun. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
