[Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.

SourceForge.net noreply at sourceforge.net
Fri Dec 14 22:48:00 CET 2012


Bugs item #3596044, was opened at 2012-12-14 10:18
Message generated for change (Comment added) made by shanmukhpatel
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3596044&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: www.libexpat.org
Group: Third-party Bug
Status: Open
Resolution: None
>Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Parser crash with *.xml.tar.gz file as input. 

Initial Comment:
I was using the XML library to parse a file which is compressed. I was expecting an error message if the format is invalid, but the parser crashes if I provide the *.xml.tar.gz file. I have attached the file (the same file; I got it from https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127).



----------------------------------------------------------------------

>Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 13:48

Message:
This issue looks similar to
https://sourceforge.net/tracker/?func=detail&aid=2855609&group_id=10127&atid=110127


----------------------------------------------------------------------

Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 12:21

Message:
The issue is in updatePosition().

Part of the call stack:
#0  normal_updatePosition (enc=0x171db220, ptr=0xd4fa6005 "",
end=0x2580b2d00 "", pos=0x2580b3f60) 
#1  0x00000000171b32dd in XML_GetCurrentLineNumber (parser=0x2580b3b50) 

After continuing with the above context, the parser crashed.
0x00000000171c5794 in normal_updatePosition (enc=0x171db220, ptr=0xd4fa7000
<Address 0xd4fa7000 out of bounds>, end=0x2580b2d00 "", pos=0x2580b3f60)

Notice the ptr address is out of bounds.

The issue is that ptr is assigned an address far from the "end" pointer
address. Say my string length is 3 ("abc"), the ptr address is 1234 and
the end address is 9999. In this case, the loop has to iterate 3 times,
as my string length is 3, but based on the condition (ptr < end), the loop
may iterate (9999-1234) times and crash in between.

void PREFIX(updatePosition)(const ENCODING *enc,
                            const char *ptr,
                            const char *end,
                            POSITION *pos)
{
  while (ptr < end) {
...
}

The temporary fix I made for this issue relies on the string length:

  int str_len = strlen(ptr);
  while (ptr < end && str_len--) {


----------------------------------------------------------------------
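The failure mode described in the comment above is a position tracker trusting a (ptr, end) pair that does not belong to the buffer it is walking. The following is an added illustration, not Expat's code and not the reporter's patch: a hypothetical line/column updater that takes the owning buffer and its length and rejects any pointer pair outside it before reading a byte, so a stale or far-away pointer produces an error instead of an out-of-bounds walk.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical tracker in the spirit of normal_updatePosition(): it walks
 * [ptr, end) counting lines and columns.  Unlike a bare `while (ptr < end)`,
 * it refuses to run when the pair is not a slice of buf[0..len). */
typedef struct {
    unsigned long line;
    unsigned long col;
} Position;

/* Returns 0 on success, -1 when (ptr, end) is not a slice of buf[0..len).
 * On success *pos is advanced over the slice. */
int update_position_checked(const char *buf, size_t len,
                            const char *ptr, const char *end,
                            Position *pos)
{
    /* Compare as integers so a pointer from an unrelated allocation is
     * rejected before any dereference (assumes a flat address space). */
    uintptr_t lo = (uintptr_t)buf, hi = lo + len;
    uintptr_t p = (uintptr_t)ptr, e = (uintptr_t)end;
    if (p < lo || p > hi || e < lo || e > hi || p > e)
        return -1;

    while (ptr < end) {
        switch (*ptr) {
        case '\n':
            pos->line++;
            pos->col = 0;
            ptr++;
            break;
        case '\r':
            pos->line++;
            pos->col = 0;
            ptr++;
            if (ptr < end && *ptr == '\n')  /* CRLF counts as one break */
                ptr++;
            break;
        default:
            pos->col++;
            ptr++;
        }
    }
    return 0;
}
```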


