[Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
SourceForge.net
noreply at sourceforge.net
Fri Dec 14 22:48:00 CET 2012
Bugs item #3596044, was opened at 2012-12-14 10:18
Message generated for change (Comment added) made by shanmukhpatel
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3596044&group_id=10127
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: www.libexpat.org
Group: Third-party Bug
Status: Open
Resolution: None
>Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Parser crash with *.xml.tar.gz file as input.
Initial Comment:
I was using the xml library to parse a compressed file. I was expecting an error message if the format is invalid, but the parser crashes if I provide the *.xml.tar.gz file. I have attached the file (I got the same file from https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127).
----------------------------------------------------------------------
>Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 13:48
Message:
This issue looks similar to
https://sourceforge.net/tracker/?func=detail&aid=2855609&group_id=10127&atid=110127
----------------------------------------------------------------------
Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 12:21
Message:
The issue is in updatePosition().
Part of the call stack:
#0 normal_updatePosition (enc=0x171db220, ptr=0xd4fa6005 "",
end=0x2580b2d00 "", pos=0x2580b3f60)
#1 0x00000000171b32dd in XML_GetCurrentLineNumber (parser=0x2580b3b50)
After continuing from the above context, the parser crashed:
0x00000000171c5794 in normal_updatePosition (enc=0x171db220, ptr=0xd4fa7000
<Address 0xd4fa7000 out of bounds>, end=0x2580b2d00 "", pos=0x2580b3f60)
Notice that the ptr address is out of bounds.
The issue is that ptr is assigned an address far from the "end" pointer
address. Say my string length is 3 ("abc"), the ptr address is 1234 and
the end address is 9999. In this case, the loop has to iterate 3 times
as my string length is 3, but based on the condition (ptr < end), the loop
may iterate (9999-1234) times and crashes in between.
void PREFIX(updatePosition)(const ENCODING *enc,
                            const char *ptr,
                            const char *end,
                            POSITION *pos)
{
  while (ptr < end) {
    ...
  }
The temporary fix made for this issue relies on the string length:
  int str_len = strlen(ptr);
  while (ptr < end && str_len--) {
----------------------------------------------------------------------
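An added example, not Expat's code nor the reporter's, in the shape of the loop discussed in the comment above: the same [ptr, end) walk behind a length-based entry point, next to the strlen()-bounded variant of the temporary fix, so the two can be compared on input that contains NUL bytes (type and function names are assumptions).

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Expat's code: a simplified line/column tracker in the
 * shape of the updatePosition() loop quoted above. Names are hypothetical. */
typedef struct { long line; long column; } position_t;

/* Walks exactly the bytes in [ptr, end). The condition is only safe when
 * `end` is derived from the same buffer as `ptr`; the crash above came from
 * an `end` far beyond the bytes that `ptr` actually owned. */
static void update_position_range(const char *ptr, const char *end,
                                  position_t *pos)
{
    while (ptr < end) {
        if (*ptr == '\r') {
            pos->line++; pos->column = 0;
            if (ptr + 1 < end && ptr[1] == '\n')
                ptr++;                         /* CRLF counts as one line */
        } else if (*ptr == '\n') {
            pos->line++; pos->column = 0;
        } else {
            pos->column++;
        }
        ptr++;
    }
}

/* Length-based entry point: the caller passes the buffer and its byte count,
 * so `end` cannot point into another allocation and embedded NUL bytes
 * (normal in a .tar.gz) are scanned like any other byte. */
position_t scan_len(const char *buf, size_t len)
{
    position_t pos = { 1, 0 };                 /* lines are 1-based */
    update_position_range(buf, buf + len, &pos);
    return pos;
}

/* The strlen()-bounded variant from the proposed temporary fix, kept for
 * comparison: it needs a NUL-terminated buffer and stops at the first NUL,
 * so binary input is only partly covered. `len` caps the overread here. */
position_t scan_strlen(const char *buf, size_t len)
{
    position_t pos = { 1, 0 };
    size_t n = strlen(buf);
    if (n > len)
        n = len;
    update_position_range(buf, buf + n, &pos);
    return pos;
}
```

On the constructed input "ab\n\0cd\n" (7 bytes, one embedded NUL) scan_len reports line 3, while scan_strlen stops after "ab\n" and reports line 2.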