You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@xerces.apache.org by bu...@apache.org on 2003/04/02 16:40:09 UTC
DO NOT REPLY [Bug 18611] New: -
Scanner permits some invalid character references.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18611>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18611
Scanner permits some invalid character references.
Summary: Scanner permits some invalid character references.
Product: Xerces-C++
Version: Nightly build (please specify the date)
Platform: All
OS/Version: All
Status: NEW
Severity: Minor
Priority: Other
Component: Miscellaneous
AssignedTo: xerces-c-dev@xml.apache.org
ReportedBy: mrglavas@ece.uwaterloo.ca
Revision 1.40 of xercesc/internal/XMLScanner.cpp in CVS.
I haven't tested this, but just looking at the code, there's no check for
overflow when computing the value of a character reference.
Assuming an unsigned int is 32-bit, it looks like � (2^32) is going
to be treated as if it were �. This is a problem for any ref mod 2^32 (ref >
2^32 -1) which falls between 0x10000-0x10FFFF, and less than 0xFFFD.
See bool XMLScanner::scanCharRef(XMLCh& toFill, XMLCh& second).
---------------------------------------------------------------------
To unsubscribe, e-mail: xerces-c-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xerces-c-dev-help@xml.apache.org