Posted to c-dev@xerces.apache.org by bu...@apache.org on 2001/09/17 21:29:09 UTC

DO NOT REPLY [Bug 3660] New: - Off-by-one error in DOMString.cpp?

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3660

           Summary: Off-by-one error in DOMString.cpp?
           Product: Xerces-C++
           Version: 1.5.1
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: Major
          Priority: Other
         Component: DOM
        AssignedTo: xerces-c-dev@xml.apache.org
        ReportedBy: tom.foottit@bridgewatersystems.com


Using Sun workshop 5 on Solaris 7 with access checking on reports an access 
violation error in DOMString.cpp line 651 during the final time through that 
loop.

Looking through the code, it appears that the loop condition on line 650 (in 
DOMString::appendData(const DOMString)) should read:

for (i=0; i<other.fHandle->fLength; i++)

instead of:

for (i=0; i<=other.fHandle->fLength; i++)

If you use i<=other.fHandle->fLength I think you are copying fLength + 1 bytes 
into a buffer of length fLength (plus the original buffer length). 

If I have missed something here please let me know.

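Added example, not part of the original report and not the Xerces-C++ source: a simplified model of the append loop described above, comparing the `<=` and `<` bounds. It assumes the destination holds exactly the original length plus other.fHandle->fLength elements with no spare slot; Handle, AppendResult, make and the inclusive flag are hypothetical names, and out-of-range stores are counted rather than performed.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

typedef unsigned short Ch;            // stand-in character type (assumption)

struct Handle {                       // hypothetical model, not Xerces' class
    std::vector<Ch> fData;            // storage, exactly fLength elements
    std::size_t     fLength;          // number of valid characters
};

struct AppendResult {
    std::size_t written;              // stores that landed inside the buffer
    std::size_t outOfBounds;          // stores that would land past its end
};

Handle make(const char* s) {          // build a constructed sample handle
    Handle h;
    for (; *s; ++s) h.fData.push_back(static_cast<Ch>(*s));
    h.fLength = h.fData.size();
    return h;
}

// Append other to dst. inclusive=true uses the reported `<=` bound,
// false uses the proposed `<` bound.
AppendResult appendData(Handle& dst, const Handle& other, bool inclusive) {
    AppendResult r = {0, 0};
    const std::size_t oldLen = dst.fLength;
    // Assumption from the report: room for fLength more elements, no spare slot.
    dst.fData.resize(oldLen + other.fLength);
    const std::size_t limit = inclusive ? other.fLength + 1 : other.fLength;
    for (std::size_t i = 0; i < limit; i++) {
        if (oldLen + i >= dst.fData.size()) {   // checked instead of performed
            ++r.outOfBounds;
            continue;
        }
        dst.fData[oldLen + i] = other.fData[i];
        ++r.written;
    }
    dst.fLength = oldLen + other.fLength;
    return r;
}

int main() {
    Handle a = make("abc"), b = make("abc"), other = make("de");
    AppendResult bad = appendData(a, other, true);
    AppendResult good = appendData(b, other, false);
    std::printf("<= bound: %zu in range, %zu past end\n", bad.written, bad.outOfBounds);
    std::printf("<  bound: %zu in range, %zu past end\n", good.written, good.outOfBounds);
    return 0;
}
```

Under this model the `<=` bound attempts one store past the end on every call, including when the appended string is empty.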