[Expat-bugs] [ expat-Bugs-214050 ] Segmentation fault in libxmltok

nobody nobody@usw-sf-web1.sourceforge.net
Wed, 07 Mar 2001 01:55:34 -0800 

Bugs #214050, was updated on 2000-09-11 07:41
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=214050&group_id=10127

Category: None
Group: None
Status: Open
Priority: 5
Submitted By: christian liesch
Assigned to: Nobody/Anonymous
Summary: Segmentation fault in libxmltok

Initial Comment:
If I parse the following file (with an error near !DOCTYPE):

<?xml version="1.0" standalone="no"?>

<!-- etwas kommentar -->

!DOCTYPE OReilly:Books SYSTEM "dummy.dtd" [
  <!ELEMENT OReilly:Books (OReilly:Product, OReilly:Price)>
  <!ELEMENT OReilly:Product ANY>
  <!ELEMENT OReilly:Price ANY>
]>

<OReilly:Books>
  <OReilly:Product>XML Pocket Ref</OReilly:Product>
  <OReilly:Price>8.95
</OReilly:Books>

I got the following with my gdb:

!DOCTYPE OReilly:Books SYSTEM "dummy.dtd" [
error:no element found 
Program received signal SIGSEGV, Segmentation fault.
0x400269c5 in normal_updatePosition () from /usr/lib/libxmltok.so.1
(gdb) where
#0  0x400269c5 in normal_updatePosition () from /usr/lib/libxmltok.so.1
#1  0x4001b0d9 in XML_GetCurrentColumnNumber () from /usr/lib/libxmlparse.so.1
#2  0x8049154 in test_parse ()
#3  0x80491f5 in main ()
#4  0x4004da5e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93
(gdb) 


----------------------------------------------------------------------

Comment By: Nobody/Anonymous
Date: 2001-03-07 01:55

Message:
Logged In: NO 

I could reproduce this on the a May 29 1999 version of
expat.  The problem seems to be that *ptr in
PREFIX(updatePosition)() is a null byte, which chokes
somewhere inside the BYTE_TYPE macro.  I fixed this (I
think), by testing for *ptr in the while loop.  Here's the
patch:

*** xmltok_impl.c	1999/09/03 14:54:37	1.1.1.1
--- xmltok_impl.c	2001/03/07 09:49:46
***************
*** 1709,1715 ****
  			    const char *end,
  			    POSITION *pos)
  {
!   while (ptr != end) {
      switch (BYTE_TYPE(enc, ptr)) {
  #define LEAD_CASE(n) \
      case BT_LEAD ## n: \
--- 1709,1715 ----
  			    const char *end,
  			    POSITION *pos)
  {
!   while (*ptr && ptr != end) {
      switch (BYTE_TYPE(enc, ptr)) {
  #define LEAD_CASE(n) \
      case BT_LEAD ## n: \


----------------------------------------------------------------------

Comment By: Sam TH
Date: 2001-02-02 06:47

Message:
Could not reproduce this with CVS expat.  

----------------------------------------------------------------------

Comment By: Sam TH
Date: 2001-02-02 06:38

Message:
Could not reproduce this with CVS expat.  

----------------------------------------------------------------------

Comment By: Jacob Refstrup
Date: 2000-11-28 14:11

Message:
This appear to be fixed in 1.95.1

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=214050&group_id=10127