[Expat-bugs] [ expat-Bugs-3541525 ] Infinite loop in lib/xmlparse.c:XML_GetBuffer

SourceForge.net noreply at sourceforge.net
Tue Jul 24 07:59:36 CEST 2012


Bugs item #3541525, was opened at 2012-07-09 00:12
Message generated for change (Comment added) made by polinenibharat
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: http://kasten76.myopenid.com/ ()
Assigned to: Nobody/Anonymous (nobody)
Summary: Infinite loop in lib/xmlparse.c:XML_GetBuffer

Initial Comment:
Hi,
first thanks for maintaining expat.

I found this bug in version 2.0.1 but the code is the same in the current development version.

When XML_GetBuffer is called and bufferSize is 0, it will be initialised to INIT_BUFFER_SIZE (1024), which is doubled until it is bigger than neededSize (line 1718). For my example neededSize was 
(gdb) p neededSize
$2 = 2128558980

The doubling is optimized to a shift operation (gcc 4.7.0). The doubling shifts the true bit in bufferSize out of scope without breaking the loop.

(gdb) p 1024 << 20
$10 = 1073741824
(gdb) p 1024 << 21
$11 = -2147483648
(gdb) p 1024 << 22
$12 = 0

And then goes into an endless loop.

Still searching why the buffer is so huge but I wanted to mention this bug anyway.

Regards.
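The growth loop described in the report, reduced to a stand-alone demonstration. This is an added example and not expat's own code: the function names (`wrapped_double`, `grow_naive`, `grow_checked`) are assumptions, and only the constants come from the report (INIT_BUFFER_SIZE of 1024 and the observed neededSize of 2128558980). `wrapped_double` reproduces the two's-complement wrap the submitter saw in gdb without relying on signed-overflow behaviour, `grow_naive` shows that the loop never terminates for that input (it gives up after a fixed number of iterations instead of hanging), and `grow_checked` shows the bound a fixed XML_GetBuffer needs: refuse to double once the size would exceed INT_MAX, and report the failure to the caller rather than spinning.

```c
#include <limits.h>
#include <stdio.h>

#define INIT_BUFFER_SIZE 1024   /* value named in the report */

/* Emulate "bufferSize *= 2" on a 32-bit int with two's-complement wrap,
 * computed in unsigned arithmetic (which wraps by definition) and mapped
 * back to int without invoking signed-overflow undefined behaviour.
 * Assumes a 32-bit int, as in the report (1024 << 21 == INT_MIN, 1024 << 22 == 0). */
static int wrapped_double(int v)
{
    unsigned u = (unsigned)v * 2u;
    if (u <= (unsigned)INT_MAX)
        return (int)u;
    return -(int)(UINT_MAX - u) - 1;   /* high half maps to the negative range */
}

/* The loop as reported: double until size >= needed. Once size wraps to 0 the
 * condition "0 < needed" is true forever, so a cap on iterations stands in for
 * the hang. Returns 0 and stores the size, or -1 if the cap was hit. */
static int grow_naive(int needed, int max_iters, int *out)
{
    int size = INIT_BUFFER_SIZE;
    int iters = 0;
    while (size < needed) {
        if (iters++ >= max_iters)
            return -1;                 /* would loop forever in the real code */
        size = wrapped_double(size);
    }
    *out = size;
    return 0;
}

/* Bounded growth: check before doubling whether the result still fits in an
 * int. Returns 0 and stores the size, or -1 if the request cannot be met. */
static int grow_checked(int needed, int *out)
{
    int size = INIT_BUFFER_SIZE;
    while (size < needed) {
        if (size > INT_MAX / 2)
            return -1;                 /* doubling would overflow: fail, don't wrap */
        size *= 2;
    }
    *out = size;
    return 0;
}

int main(void)
{
    int out;
    const int observed_needed = 2128558980;   /* neededSize from the report */

    printf("1024 << 21 wraps to %d\n", wrapped_double(1 << 30));
    printf("1024 << 22 wraps to %d\n", wrapped_double(INT_MIN));

    if (grow_naive(observed_needed, 64, &out) < 0)
        printf("naive loop did not terminate within 64 doublings\n");
    if (grow_checked(observed_needed, &out) < 0)
        printf("checked loop refused the request instead of hanging\n");
    if (grow_checked(5000, &out) == 0)
        printf("checked loop: 5000 bytes -> buffer of %d\n", out);
    return 0;
}
```

The 64-iteration cap in `grow_naive` exists only so the demonstration returns; the point of `grow_checked` is that the overflow case becomes an error the caller can act on (XML_GetBuffer can return NULL and set an error) rather than a loop that never exits.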

----------------------------------------------------------------------

Comment By: Bharat (polinenibharat)
Date: 2012-07-23 22:59

Message:
Hi this looks great. I started working on it. Please assign it to me.

----------------------------------------------------------------------
