[Expat-bugs] [ expat-Bugs-615606 ] Buffer overrun with XML_ParserCreateNS
noreply@sourceforge.net
Fri, 27 Sep 2002 11:30:56 -0700
Bugs item #615606, was opened at 2002-09-27 14:06
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=615606&group_id=10127
Category: None
Group: Test Required
Status: Open
Resolution: None
Priority: 5
Submitted By: Daniel Bowen (daniel_bowen)
Assigned to: Nobody/Anonymous (nobody)
Summary: Buffer overrun with XML_ParserCreateNS
Initial Comment:
Expat 1.95.5 on Win32 using MSVC 6, 7
A buffer overrun occurs under the following set of
circumstances:
* In a test program, create an XML_Parser using
XML_ParserCreateNS (instead of XML_ParserCreate)
* Parse a file (or stdin) where the number of bytes is
greater than the size of your buffer (so that you have to
do multiple passes). It seems to happen with both
XML_GetBuffer / XML_ParseBuffer as well as allocating
your own buffer and calling XML_Parse.
To see that an error occurs:
* Compile a debug version of expat (DLL or static library)
* Compile a debug version of your test program that
uses the debug version of expat
* You get a dialog similar to the following:
---------------------------
Microsoft Visual C++ Debug Library
---------------------------
Debug Error!
Program: ...\Expat-1.95.5\Source\examples\Debug\elements.exe
DAMAGE: after Normal block (#88) at 0x002F7798.
(Press Retry to debug the application)
---------------------------
Abort Retry Ignore
---------------------------
If you click "Retry", it takes you to the _free_dbg
function in dbgheap.c, line 1066 in MSVC 6, as a result
of a "CheckBytes" call. The call stack indicates that
this is on the "XML_ParserFree" call. In the output
window, it lists a handful of addresses where the bytes
should be "0xFD", such as:
memory check error at 0x002F77BF = 0x69, should be 0xFD.
If you view memory at this address, you see parts of the
input XML file have been written there. If you set a
breakpoint to break when data at this location in
memory changes, you break at line 2110 in xmlparse.c
in the function doContent, at the line:
/* don't need to check for space - already done
in storeAtts() */
while (*localPart) *uri++ = *localPart++;
If you watch memory changing as you do multiple
passes through XML_Parse/XML_ParseBuffer, it seems
that instead of reusing the internal buffer starting at the
beginning, the internal buffer keeps getting appended to
(beyond the size of its allocation).
This should be easily reproducible. For example, in
the "elements" sample, change the "XML_ParserCreate(NULL)"
line on line 32 in elements.c
to "XML_ParserCreateNS(NULL, '|')".
I haven't tested this scenario in builds other than 1.95.5,
so I'm not sure if this is a new bug or a bug that hasn't
yet been tripped across.
Thanks!
-Daniel
----------------------------------------------------------------------
>Comment By: Karl Waclawek (kwaclaw)
Date: 2002-09-27 14:30
Message:
Logged In: YES
user_id=290026
I am using XML_ParserCreateNS with multiple buffers
all the time and have never had that problem.
Could you please attach a complete but simple
test case, so that we can reproduce the error.
Thanks,
Karl
----------------------------------------------------------------------