[XML-SIG] [ pyxml-Bugs-473195 ] Uninit Memory Read in pyexpat.c
noreply@sourceforge.net
Sat, 20 Oct 2001 10:05:22 -0700
Bugs item #473195, was opened at 2001-10-20 10:05
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=106473&aid=473195&group_id=6473
Category: expat
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Neal Norwitz (nnorwitz)
Assigned to: Nobody/Anonymous (nobody)
Summary: Uninit Memory Read in pyexpat.c
Initial Comment:
UMR: Uninitialized memory read (18 times)
Also note that self->handlers[i]=NULL; is done twice in clear_handlers(), once in if (decref), once after.
What's happening is that while iterating through the loop on the 1st (StartElement), before the 2nd (EndElement) is initialized, EndElement is checked in pyxml_SetStartElementHandler.
Not sure how to fix, other than create another loop to initialize the handler or do a calloc, instead of malloc in pyexpat_ParserCreate [pyexpat.c:1407].
Neal
--
This is occurring while in:
pyxml_SetStartElementHandler [pyexpat.c:1680]
            && self->handlers[endHandler] != Py_None) {
            start_handler = handler_info[startHandler].handler;
        }
 =>     if (self->handlers[EndElement]
            && self->handlers[EndElement] != Py_None) {
            end_handler = handler_info[endHandler].handler;
        }
clear_handlers [pyexpat.c:1661]
                Py_XDECREF(temp);
            }
            self->handlers[i]=NULL;
 =>         handler_info[i].setter(self->itself, NULL);
        }
    }
newxmlparseobject [pyexpat.c:1178]
pyexpat_ParserCreate [pyexpat.c:1407]
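The pattern in the report above, as an added example that is not part of the original message and not code from pyexpat.c: a clearing loop whose setter for one slot reads a sibling slot that has not been assigned yet, compared with the two fixes the report suggests (calloc, or a separate initialization loop). The parser_t type, set_element_handlers, stale_reads_on_create and the garbage sentinel are assumptions made for the illustration; the sentinel stands in for whatever malloc left in the block so that the run is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>

enum { StartElement, EndElement, CharacterData, NUM_HANDLERS };
enum alloc_mode { USE_MALLOC, USE_CALLOC, USE_INIT_LOOP };

typedef struct {
    void **handlers;  /* one slot per callback, like self->handlers */
    int stale_reads;  /* slots read before anything assigned them */
} parser_t;
static char garbage;  /* constructed stand-in for leftover heap contents */

/* Models the start/end setter: it inspects BOTH slots of the pair. */
static void set_element_handlers(parser_t *p) {
    if (p->handlers[StartElement]) p->stale_reads++;
    if (p->handlers[EndElement])   p->stale_reads++;
}

/* Models clear_handlers: NULL slot i, then call that slot's setter. */
static void clear_handlers(parser_t *p) {
    for (int i = 0; i < NUM_HANDLERS; i++) {
        p->handlers[i] = NULL;
        if (i == StartElement || i == EndElement)
            set_element_handlers(p);
    }
}

/* Create a parser the given way; return how many stale slots were read. */
static int stale_reads_on_create(enum alloc_mode mode) {
    parser_t p = { NULL, 0 };
    if (mode == USE_CALLOC) {
        p.handlers = calloc(NUM_HANDLERS, sizeof(void *));
    } else {
        p.handlers = malloc(NUM_HANDLERS * sizeof(void *));
        /* USE_MALLOC: simulate garbage; USE_INIT_LOOP: the extra loop fix */
        for (int i = 0; p.handlers && i < NUM_HANDLERS; i++)
            p.handlers[i] = (mode == USE_INIT_LOOP) ? NULL : &garbage;
    }
    if (!p.handlers) return -1;
    clear_handlers(&p);
    free(p.handlers);
    return p.stale_reads;
}

int main(void) {
    printf("malloc only:   %d stale read(s)\n", stale_reads_on_create(USE_MALLOC));
    printf("calloc:        %d stale read(s)\n", stale_reads_on_create(USE_CALLOC));
    printf("malloc + loop: %d stale read(s)\n", stale_reads_on_create(USE_INIT_LOOP));
    return 0;
}
```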