Hi,

On Mon, 2005-12-19 at 14:14 -0800, Judy Hay wrote:
> Hi,
>  
> I'm running into a problem with the XML schema validation code when
> applied to CDATA sections that happen to have some trailing
> whitespace.  It seems to be isolated to cases where a namespace is
> being used.
>  
> The following XML and XSD snippets will cause the crash in the latest
> (2.6.22) version of xmllint I have:
>  
> XML:
> <?xml version="1.0" encoding="utf-8"?>
> <ex:List xmlns:ex="http://www.foo.com">
>     <ex:Item>
>         <![CDATA[A single item]]>
>     </ex:Item>
> </ex:List>
> 
> XSD:
> <?xml version="1.0" encoding="utf-8" ?>
> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
> targetNamespace="http://www.foo.com" xmlns:ex="http://www.foo.com"
> elementFormDefault="qualified" attributeFormDefault="qualified">
>     <xs:element name="List" type="ex:ListT"/>
>  
>     <xs:complexType name="ListT">
>         <xs:sequence>
>             <xs:element name="Item" type="xs:string" minOccurs="0"
> maxOccurs="1"/>
>         </xs:sequence>
>     </xs:complexType>
> </xs:schema>
>  
> If you remove the whitespace from around the CDATA section, you do not
> get a crash and the XML validates just fine.
>  
> The crash is happening in xmlschemas.c at line 23877 (in
> xmlSchemaVPushText).  xmlStrncat is called with a "len" variable that
> was passed in from the calling function as -1 (other parts of
> xmlSchemaVPushText consider this).  Eventually that -1 gets passed
> into a memcpy call by xmlStrncat and causes a seg fault.
>  
> I don't think this line is ever called if namespaces aren't being used
> -- at least, I couldn't reproduce this error in that case.
>  
> Anyway, I was wondering if this is a known bug and if there are any
> plans to fix it in the near future.  Or if I'm just using really bad
> XML/XSD and if so, please let me know (well, I don't have any control
> over the XML I'm getting, but it would be good to know if there's
> something wrong with it, too).

It was a bug. Thank you for the thorough analysis of the problem; it was
easy to spot this way.
We'll now compute the length of the value beforehand, to be on the safe
side in xmlSchemaVPushText().
Additionally we changed xmlStrncat() to return NULL if @len < 0 is
given.

Fixed in CVS, xmlschemas.c revision 1.188.

Thanks for the report!

Regards,

Kasimier
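The two-part fix described in the reply (resolve the length before concatenating, and make the concatenation routine refuse a negative length) is easy to get wrong again in other callers, so here is an added, self-contained C illustration of the pattern. It is not libxml2's code: `str_ncat_checked()` and `push_text()` are hypothetical stand-ins for `xmlStrncat()` and the text-accumulation step in `xmlSchemaVPushText()`, they use plain `char *` rather than `xmlChar *`, and the `-1` convention ("value is NUL-terminated, compute its length") is assumed from the report. The sample text pieces replay the constructed scenario from the report: whitespace text nodes on either side of the CDATA content.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for xmlStrncat(): appends the first `len` bytes of
 * `add` to the heap string `cur` (which may be NULL) and returns the grown
 * buffer. The guard at the top is the second half of the fix: a negative
 * `len` is rejected here instead of being converted to a huge size_t and
 * handed to memcpy(). On allocation failure `cur` is freed and NULL is
 * returned (a choice made for this example, not libxml2's behaviour). */
char *str_ncat_checked(char *cur, const char *add, int len)
{
    size_t curlen, newlen;
    char *ret;

    if (len < 0)                 /* never let -1 reach memcpy() */
        return NULL;
    if (add == NULL || len == 0) /* nothing to append */
        return cur;

    curlen = (cur != NULL) ? strlen(cur) : 0;
    newlen = curlen + (size_t)len;
    ret = realloc(cur, newlen + 1);
    if (ret == NULL) {
        free(cur);
        return NULL;
    }
    memcpy(ret + curlen, add, (size_t)len);
    ret[newlen] = '\0';
    return ret;
}

/* Hypothetical stand-in for the accumulation step in xmlSchemaVPushText().
 * A caller may pass len == -1 to mean "value is NUL-terminated"; the first
 * half of the fix is to compute the real length *before* calling the
 * concatenation routine rather than forwarding the sentinel. Returns the
 * accumulated value, or NULL if the append was rejected or failed. */
char *push_text(char *accum, const char *value, int len)
{
    if (value == NULL)
        return accum;
    if (len < 0)
        len = (int)strlen(value); /* resolve the length beforehand */
    return str_ncat_checked(accum, value, len);
}

/* Replays the reported document: a whitespace text node, the CDATA
 * content, and a trailing whitespace text node, each pushed with len = -1
 * as the original caller did. Returns 1 if the accumulated value matches
 * the expected concatenation, 0 otherwise. */
int replay_reported_case(void)
{
    /* Constructed sample pieces mirroring the XML in the report. */
    const char *pieces[] = { "\n        ", "A single item", "\n    " };
    const char *expected = "\n        A single item\n    ";
    char *accum = NULL;
    size_t i;
    int ok;

    for (i = 0; i < sizeof(pieces) / sizeof(pieces[0]); i++) {
        accum = push_text(accum, pieces[i], -1);
        if (accum == NULL)
            return 0;
    }
    ok = (strcmp(accum, expected) == 0);
    free(accum);
    return ok;
}

int main(void)
{
    /* Direct misuse of the low-level routine is now refused cleanly. */
    printf("str_ncat_checked(NULL, \"abc\", -1) -> %s\n",
           str_ncat_checked(NULL, "abc", -1) == NULL ? "NULL" : "buffer");
    printf("replay of reported case: %s\n",
           replay_reported_case() ? "value accumulated correctly" : "failed");
    return 0;
}
```

The point of keeping both checks is defence in depth: the caller should never forward a sentinel length, but the callee should still fail closed if one arrives, because a negative `int` silently becomes a very large `size_t` at the `memcpy()` boundary.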
_______________________________________________
xml mailing list, project page  http://xmlsoft.org/
[email protected]
http://mail.gnome.org/mailman/listinfo/xml
