[Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.

SourceForge.net noreply at sourceforge.net
Tue Dec 18 01:20:16 CET 2012


Bugs item #3596044, was opened at 2012-12-14 10:18
Message generated for change (Comment added) made by shanmukhpatel
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3596044&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: www.libexpat.org
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Karl Waclawek (kwaclaw)
Summary: Parser crash with *.xml.tar.gz file as input. 

Initial Comment:
I was using the xml library to parse a file which is compressed. I was expecting an error message if the format is invalid, but the parser crashes if I provide the *.xml.tar.gz file. I have attached the file (I got the same file from https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127).



----------------------------------------------------------------------

>Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-17 16:20

Message:
I didn't realize that I was using the old version 2.0.1, which has these issues.
These issues have been fixed in the latest source, 2.1.0. Sorry about that!

----------------------------------------------------------------------

Comment By: Karl Waclawek (kwaclaw)
Date: 2012-12-14 17:36

Message:
I cannot reproduce the issue with your file.
What version of Expat are you using?

Could you please try the latest source in CVS and let me know if you still
have the issue.

----------------------------------------------------------------------

Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 13:48

Message:
This issue looks similar to
https://sourceforge.net/tracker/?func=detail&aid=2855609&group_id=10127&atid=110127


----------------------------------------------------------------------

Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 12:21

Message:
The issue is in updatePosition().

Part of the call stack:
#0  normal_updatePosition (enc=0x171db220, ptr=0xd4fa6005 "",
end=0x2580b2d00 "", pos=0x2580b3f60)
#1  0x00000000171b32dd in XML_GetCurrentLineNumber (parser=0x2580b3b50)

After continuing from the above context, the parser crashed:
0x00000000171c5794 in normal_updatePosition (enc=0x171db220, ptr=0xd4fa7000
<Address 0xd4fa7000 out of bounds>, end=0x2580b2d00 "", pos=0x2580b3f60)

Notice that the ptr address is out of bounds.

The issue is that ptr is assigned an address far from the "end" pointer
address. Say my string length is 3 ("abc"), the ptr address is 1234 and
the end address is 9999. In this case the loop has to iterate 3 times,
as my string length is 3, but based on the condition (ptr < end) the loop
may iterate (9999-1234) times and crash in between.

void PREFIX(updatePosition)(const ENCODING *enc,
                            const char *ptr,
                            const char *end,
                            POSITION *pos)
{
  while (ptr < end) {
...
}

The temporary fix I made for this issue relies on the string length:

  int str_len = strlen(ptr);
  while (ptr < end && str_len--) {
 

----------------------------------------------------------------------
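The pointer-distance problem described in the last comment, as an added example that is neither Expat's own code nor the reporter's patch: a bounded position update that also receives the buffer start and rejects any ptr outside [start, end], plus a constructed sample with no terminating NUL to show why the loop must stop at end rather than at strlen(). The names Position, update_position_checked, position_at, foreign_pointer_rejected and sample_doc are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical stand-in for Expat's POSITION: 1-based line, 0-based column. */
typedef struct { unsigned long lineNumber, columnNumber; } Position;

/* Bounded single-byte version of the position update discussed above.  A bare
 * `while (ptr < end)` trusts that ptr and end bracket one buffer; here the
 * caller also passes the buffer start and a ptr outside [start, end] is rejected
 * before the loop runs (uintptr_t keeps the check defined even for a foreign
 * pointer).  Returns 1 on success, 0 on rejection. */
int update_position_checked(const char *start, const char *ptr,
                            const char *end, Position *pos)
{
    uintptr_t s = (uintptr_t)start, p = (uintptr_t)ptr, e = (uintptr_t)end;
    if (start == NULL || e < s || p < s || p > e)
        return 0;
    while (ptr < end) {
        if (*ptr == '\n' || *ptr == '\r') {
            pos->lineNumber++;
            pos->columnNumber = 0;
            if (*ptr == '\r' && ptr + 1 < end && ptr[1] == '\n')
                ptr++;                      /* "\r\n" is one line break */
        } else {
            pos->columnNumber++;
        }
        ptr++;
    }
    return 1;
}

/* Constructed sample with no terminating NUL: the loop has to stop at `end`,
 * because strlen() would read past the array. */
static const char sample_doc[] = { '<','a','>','\r','\n','<','b','/','>','\n','x' };

/* Position just after the first `off` bytes of sample_doc; 1 on success. */
int position_at(size_t off, Position *pos)
{
    pos->lineNumber = 1;
    pos->columnNumber = 0;
    if (off > sizeof sample_doc)
        return 0;
    return update_position_checked(sample_doc, sample_doc, sample_doc + off, pos);
}
/* The thread's failure mode: ptr taken from some other buffer.  Returns 1 when
 * the bounded version refuses it instead of walking toward sample_doc's end. */
int foreign_pointer_rejected(void)
{
    char other[4] = "abc";
    Position pos = { 1, 0 };
    return update_position_checked(sample_doc, other,
                                   sample_doc + sizeof sample_doc, &pos) == 0;
}
```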
