[ expat-Bugs-434664 ] utf8_toutf16 infinite loop

noreply@sourceforge.net noreply@sourceforge.net
Sun Jul 28 18:07:02 2002 

Bugs item #434664, was opened at 2001-06-19 22:44
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=434664&group_id=10127

Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 4
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: utf8_toutf16 infinite loop

Initial Comment:
I believe this is a low priority bug since I can't see 
how it could ever get tickled calling only the 
interface in expat.h, but I came across it while 
calling into xmltok directly. If the input buffer 
contains a BT_LEAD4 character with only space left for 
one output character, the routine goes into an 
infinite loop. I fixed it with the following goto --- 
your tolerance of goto may vary.

Michael Isard.

[ I am waiting for sourceforge to fix their new 
account procedure which seems to have been broken for 
some days --- in the meantime you can mail me directly 
at michael.isard@compaq.com ]

--------

from expat/xmltok/xmltok.c

static
void utf8_toUtf16(const ENCODING *enc,
		  const char **fromP, const char 
*fromLim,
		  unsigned short **toP, const unsigned 
short *toLim)
{
  unsigned short *to = *toP;
  const char *from = *fromP;
  while (from != fromLim && to != toLim) {
    switch (((struct normal_encoding *)enc)->type
[(unsigned char)*from]) {
    case BT_LEAD2:
      *to++ = ((from[0] & 0x1f) << 6) | (from[1] & 
0x3f);
      from += 2;
      break;
    case BT_LEAD3:
      *to++ = ((from[0] & 0xf) << 12) | ((from[1] & 
0x3f) << 6) | (from[2] & 0x3f);
      from += 3;
      break;
    case BT_LEAD4:
      {
	unsigned long n;
	if (to + 1 == toLim)
	  goto after; /* BUGBUG this used to say 
break; which keeps
                               looping */

	n = ((from[0] & 0x7) << 18) | ((from[1] & 
0x3f) << 12) | ((from[2] & 0x3f) << 6) | (from[3] & 
0x3f);
	n -= 0x10000;
	to[0] = (unsigned short)((n >> 10) | 0xD800);
	to[1] = (unsigned short)((n & 0x3FF) | 0xDC00);
	to += 2;
	from += 4;
      }
      break;
    default:
      *to++ = *from++;
      break;
    }
  }
 after: /* BUGBUG new jump target added to escape from 
loop */

  *fromP = from;
  *toP = to;
}


----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2002-07-28 21:06

Message:
Logged In: YES 
user_id=290026

Finally applied the patch.

----------------------------------------------------------------------

Comment By: Fred L. Drake, Jr. (fdrake)
Date: 2001-08-09 14:20

Message:
Logged In: YES 
user_id=3066

This is not XML::Parser specific, so I'm changing the
categorization.  Forcing SF to send me a copy of the
properly-indented code is a nice side-effect.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=434664&group_id=10127