[Expat-bugs] [ expat-Bugs-1452136 ] Expat-2.0.0: Win2003 - Buffer Overrun in XML_Parse

SourceForge.net noreply at sourceforge.net
Wed Mar 22 15:32:07 CET 2006


Bugs item #1452136, was opened at 2006-03-17 04:53
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=1452136&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: Platform Specific
>Status: Closed
>Resolution: Rejected
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Expat-2.0.0: Win2003 - Buffer Overrun in XML_Parse

Initial Comment:
The following problem only occurs on the Windows 2003 platform!

A buffer overrun occurs when the following XML data is being parsed:

---------xml---------
<?xml version="1.0" encoding="UTF-8"?>
<FileTransfer>
  <Service>LN.MRS.MRS.JE.EOS.EOS.ACCOUNT</Service>
  <FTFNative>-label JE.EOS.EOS.ACCOUNT -sqm LNGDC1P1 -dqm JEEOS1P1 at JECHQ1P1 -spath /shared/home/mrsop/fub/ACCT.CSV -dpath E:\ISIS\FINRPT\Account_Master.CSV -type text  -exit 8 -exitdll isispost.dll -exitentry isispost -exitdata &quot;@JBE:\\ISIS\\scripts\\FINRPT.BAT;@JBE:\\ISIS\\scripts\\FINRPT_FAIL.BAT&quot; -exit 4 -exitdll isispost -exitentry isispost -exitdata &quot;@JB/shared/home/mrsop/scr/isis_postproc.sh_/shared/home/mrsop/fub/ACCT.CSV_ARC;@JB/shared/home/mrsop/scr/isis_failproc.sh_/shared/home/mrsop/fub/ACCT.CSV_ERROR&quot; -oqm LNGDC1P1</FTFNative>
  <ServiceOwner>Future Bank</ServiceOwner>
  <FTFid>16162f01-ad5c-11da-9fb4-92c88c876801</FTFid>
</FileTransfer>
---------xml---------

Below is the list of function calls describing the steps:

/* MQLONG comes from the IBM MQ headers (cmqc.h); the XML_ API is from expat.h.
   MQ_buffer_len holds the number of bytes actually read into MQ_buffer. */
int     depth = 0;
int     done  = 0;
int     XML_rc;
char    MQ_buffer[8192];
MQLONG  MQ_buffer_len;

XML_Parser parser = XML_ParserCreate(NULL);
XML_SetUserData(parser, &depth);
XML_SetDefaultHandler(parser, XMLParse);

XML_rc = XML_Parse(parser, MQ_buffer, MQ_buffer_len, done);

-------Parser Function-----------
/* Expat default handler: name points at one markup fragment of len bytes and
   is not NUL-terminated. temp, StartCheck and MessageType are globals declared
   elsewhere in the reporter's program (not shown); note that len is not
   checked against the size of temp before the copy. */
void XMLParse(void *userData, const char *name, int len) {
    strncpy(temp, name, len);
    temp[len] = '\0';

    TrimString(temp);

    if (StartCheck == 0) {
        if      (strcmp(temp, "<FTFStatDetail>")  == 0) MessageType = MSG_DETAIL;
        else if (strcmp(temp, "<FTFStatControl>") == 0) MessageType = MSG_CONTROL;
        else if (strcmp(temp, "<FileTransfer>")   == 0) MessageType = MSG_TRANSFER;
        else if (strncmp(temp, "<?xml", 5) == 0)        MessageType = MSG_SKIP;
        else if (strlen(temp) == 0)                     return;
        else                                            MessageType = MSG_XML_POISON;
    }

    if (MessageType != MSG_SKIP) StartCheck = 1;

    if ((MessageType != MSG_XML_POISON) &&
        (MessageType != MSG_POISON)     &&
        (MessageType != MSG_INITIAL)    &&
        (MessageType != MSG_NULL)       &&
        (MessageType != MSG_SKIP))
        XMLProcessElement(temp, MessageType);

    if ((strcmp(temp, "</FTFStatDetail>")  == 0) ||
        (strcmp(temp, "</FTFStatControl>") == 0) ||
        (strcmp(temp, "</FileTransfer>")   == 0)) {
        StartCheck = 0;
    }
}
-------Parser Function-----------

If you have any suggestion, please let me know.

Thanks & Regards,
Madavan Raman
madavan.raman at my.standardchartered.com

----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2006-03-22 09:32

Message:
Logged In: YES 
user_id=290026

OK, closing this item.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-03-22 07:08

Message:
Logged In: NO 

Managed to track down the error in the default handler.
The line that was causing the error was string-manipulation
code using the "strcat()" function. I have fixed it
using "strncat()" to control the size.

Surprisingly, this code runs fine on the Win2000 platform.

Thanks for your help. We can close this item. 

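As an added illustration of the bounded default handler the comment above describes (example code written for this page, not the reporter's program and not Expat source): the handler keeps Expat's XML_SetDefaultHandler signature, but is driven directly with constructed fragments so it runs without linking Expat; TEMP_SIZE, HandlerState, copy_fragment, append_fragment, XMLParseSafe and run_demo are all assumed names, and the fragment shapes are constructed to resemble what Expat delivers for the reporter's document.

```c
#include <string.h>

#define TEMP_SIZE 256  /* constructed; the reporter's real buffer size is not shown */
typedef struct {
    char temp[TEMP_SIZE];   /* current fragment, NUL-terminated */
    char acc[TEMP_SIZE];    /* accumulated text (what the reporter strcat'ed into) */
    size_t rejected;        /* fragments too long for temp */
} HandlerState;

/* Copy one (s, len) fragment into st->temp; returns 0 and writes nothing if it does not fit. */
int copy_fragment(HandlerState *st, const char *s, int len)
{
    if (len < 0 || (size_t)len >= sizeof st->temp) { st->rejected++; return 0; }
    memcpy(st->temp, s, (size_t)len);
    st->temp[len] = '\0';
    return 1;
}

/* Append to st->acc. strncat's count is the number of characters to APPEND,
 * not the destination size, so it is derived from the remaining room. Returns 0 if truncated. */
int append_fragment(HandlerState *st, const char *s, int len)
{
    size_t room = sizeof st->acc - strlen(st->acc) - 1;
    if (len < 0) return 0;
    if ((size_t)len > room) { strncat(st->acc, s, room); return 0; }
    strncat(st->acc, s, (size_t)len);
    return 1;
}

/* Same signature Expat expects for XML_SetDefaultHandler; s carries no NUL terminator. */
void XMLParseSafe(void *userData, const char *s, int len)
{
    HandlerState *st = (HandlerState *)userData;
    if (!copy_fragment(st, s, len))
        return;  /* oversize fragment: skip it rather than overrun temp */
    append_fragment(st, st->temp, len);
}

HandlerState demo_state;
/* Feed constructed fragments shaped like those Expat delivers for the reporter's
 * document; returns the rejected count and leaves the text in demo_state.acc. */
size_t run_demo(void)
{
    char big[400];  /* stands in for the long <FTFNative> content */
    memset(big, 'x', sizeof big);
    memset(&demo_state, 0, sizeof demo_state);
    XMLParseSafe(&demo_state, "<FileTransfer>", 14);
    XMLParseSafe(&demo_state, big, (int)sizeof big);  /* 400 >= TEMP_SIZE: rejected */
    XMLParseSafe(&demo_state, "</FileTransfer>", 15);
    return demo_state.rejected;
}
```

The rejected fragment is counted instead of copied, so a document with an oversize element degrades to a skipped fragment rather than a stack or global overwrite.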
----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-03-22 06:35

Message:
Logged In: NO 

If I remove the default handler, I don't get the buffer
overrun error.


----------------------------------------------------------------------

Comment By: Karl Waclawek (kwaclaw)
Date: 2006-03-20 08:56

Message:
Logged In: YES 
user_id=290026

What happens if you don't set the default handler?
Do you still get a buffer overrun?

Karl

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2006-03-20 01:51

Message:
Logged In: NO 

It breaks in the doContent() function. The sequence is
doProlog() -> contentProcessor() -> doContent().

The memory violation occurs when processing the "<FTFNative>"
tag.


----------------------------------------------------------------------

Comment By: Karl Waclawek (kwaclaw)
Date: 2006-03-17 08:53

Message:
Logged In: YES 
user_id=290026

Since I don't have access to Windows 2003 I cannot debug it.
I suggest you create a debug build (VC++ 6.0 or later) and
find out where the buffer overrun is happening. That will
give me a starting point for my investigation.

----------------------------------------------------------------------
