> Hi all, yeah, I'm a newbie here...
>
> Maybe I'm doing something wrong or maybe it's just Friday afternoon and I want to go home,
> but I can't seem to find Xerces-C++ on the product list page to submit this bug to Bugzilla.
> I see Xerces-J and Xerces-P but no Xerces-C. :-(
>

Xerces-C is using Jira now:

   http://xml.apache.org/xerces-c/bug-report.html

There is a link in the sidebar on the main page.

> Anyway...
> I'm using xerces-c-2.2.0 on Win32 (XP Pro) with VC++6.0.
>
> Passing in -1 as the value of 'count' to DOMCharacterData::substringData(), the documentation
> states a DOMException will be thrown. During testing of my code, instead of getting the expected
> exception, I get an access violation.
>

I think this is really a documentation bug, because the parameters are
unsigned, so it's not possible to pass in a negative value.  The
documentation is probably just a legacy from the Java version, where the
parameters are ints.

> I tracked the problem to the following check in DOMCharacterDataImpl::substringData():
>
>     if (offset > len || offset < 0 || count < 0)
>         throw DOMException(DOMException::INDEX_SIZE_ERR, 0);
>
> Note that 'count' and 'offset' are type XMLSize_t which is typedef'd as 'unsigned long'. By the
> time this check is performed, 'count' is a very large integer. (count == -1) gets past this
> check and eventually leads to the access violation.

Yup, that logic is sure busted, but I don't think the fix is to cast
anything to long.  It looks to me like the fix is something like this:

    if (offset >= len)
        throw DOMException(DOMException::INDEX_SIZE_ERR, 0,
                           GetDOMCharacterDataImplMemoryManager);

then, a check to adjust count is necessary.  Perhaps something like this:

   if (len - offset < count)
       count = len - offset;

Dave
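
An added example, not part of the original message and not Xerces-C code: the quoted check evaluated on unsigned operands, next to a stand-alone helper that applies the two checks sketched in the reply. `SizeT`, `legacy_check_rejects`, `substring_clamped` and `throws_index_error` are hypothetical names, and `std::string` and `std::out_of_range` stand in for the DOM string and `DOMException`.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Stand-in for XMLSize_t, which the thread says is typedef'd as 'unsigned long'.
typedef unsigned long SizeT;

// The check quoted in the thread, on unsigned operands. 'offset < 0' and
// 'count < 0' can never be true for an unsigned type, so only 'offset > len'
// is able to reject a call.
bool legacy_check_rejects(SizeT offset, SizeT count, SizeT len) {
    return offset > len || offset < 0 || count < 0;
}

// Hypothetical helper using the two checks from the reply: reject an
// out-of-range offset first, then clamp count to what remains.
std::string substring_clamped(const std::string& data, SizeT offset, SizeT count) {
    const SizeT len = static_cast<SizeT>(data.size());
    if (offset >= len)
        throw std::out_of_range("INDEX_SIZE_ERR");
    // offset < len is established above, so len - offset cannot wrap around.
    if (len - offset < count)
        count = len - offset;
    return std::string(data, offset, count);
}

// Returns true when substring_clamped rejects the arguments.
bool throws_index_error(const std::string& data, SizeT offset, SizeT count) {
    try {
        substring_clamped(data, offset, count);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

int main() {
    // What a caller's -1 becomes once converted to the unsigned parameter type.
    const SizeT minus_one = static_cast<SizeT>(-1);
    std::cout << "count as unsigned: " << minus_one << "\n";
    std::cout << "legacy check rejects: "
              << legacy_check_rejects(2, minus_one, 5) << "\n";
    std::cout << "clamped result: "
              << substring_clamped("hello", 2, minus_one) << "\n";
    std::cout << "offset == len rejected: "
              << throws_index_error("hello", 5, 1) << "\n";
    return 0;
}
```

Many compilers flag the `< 0` comparisons in `legacy_check_rejects` as always false when range warnings such as GCC's `-Wtype-limits` are enabled, which is one way to find this class of dead bounds check.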