Posted to c-dev@xerces.apache.org by "Scott Cantor (Jira)" <xe...@xml.apache.org> on 2020/04/01 16:31:00 UTC
[jira] [Assigned] (XERCESC-2189) XMLChar with NEED_TO_GEN_TABLE has 2 buffer out of bounds reads
[ https://issues.apache.org/jira/browse/XERCESC-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Scott Cantor reassigned XERCESC-2189:
-------------------------------------
Assignee: Scott Cantor
> XMLChar with NEED_TO_GEN_TABLE has 2 buffer out of bounds reads
> ---------------------------------------------------------------
>
> Key: XERCESC-2189
> URL: https://issues.apache.org/jira/browse/XERCESC-2189
> Project: Xerces-C++
> Issue Type: New Feature
> Components: Utilities
> Affects Versions: 3.2.2
> Reporter: Alexey Roytman
> Assignee: Scott Cantor
> Priority: Minor
> Fix For: 3.2.3
>
>
> During a scan with cppcheck 1.90, the XMLChar's code under #ifdef NEED_TO_GEN_TABLE has two out-of-bounds reads in initCharFlagTable() and in initCharFlagTable1_1():
>     fprintf(outFl, "XMLByte ...[0x10000] =\n{");
>     for (unsigned int index = 0; index <= 0xFFFF; index += 16)
>     {
>         fprintf(...
>             , (unsigned int)gTmpCharTable[index]
>             ...
>             , (unsigned int)gTmpCharTable[index+15]);
>     }
>     fprintf(outFl, "};\n");
>
> But the gTmpCharTable's size is 0xffff (which is 1 less than 0x10000), and on the last loop iteration, when index==0xFFF0, we access gTmpCharTable[0xFFF0+15], which is gTmpCharTable[0xFFFF], which is 1 past the end of the buffer.
>
> I'd say that gTmpCharTable shall have 0x10000 elements, and not 0xFFFF...
>
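
Added example (not part of the original message and not Xerces-C++ source): the off-by-one described in the report, checked at compile time, next to a dump loop that takes its bound from the array type instead of a hard-coded 0xFFFF. The names kCodeUnits, kRowWidth, gSampleTable, highestIndexRead, loopFits, dumpTable and cellsIn are hypothetical, and the zero-filled table is constructed sample data.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed stand-ins; names are illustrative, not Xerces-C++ source.
constexpr std::size_t kCodeUnits = 0x10000;     // entries for 0x0000..0xFFFF
constexpr std::size_t kRowWidth = 16;           // values printed per row
static unsigned char gSampleTable[kCodeUnits];  // zero-filled sample data

// Highest index read by: for (i = 0; i <= lastStart; i += rowWidth)
//                            read table[i] .. table[i + rowWidth - 1]
constexpr std::size_t highestIndexRead(std::size_t lastStart, std::size_t rowWidth) {
    return (lastStart / rowWidth) * rowWidth + rowWidth - 1;
}

// True when every read of that loop stays inside tableSize elements.
constexpr bool loopFits(std::size_t tableSize, std::size_t lastStart, std::size_t rowWidth) {
    return highestIndexRead(lastStart, rowWidth) < tableSize;
}

// The two sizings from the report, checked at compile time.
static_assert(!loopFits(0xFFFF, 0xFFFF, kRowWidth), "0xFFFF entries: last read is out of bounds");
static_assert(loopFits(kCodeUnits, 0xFFFF, kRowWidth), "0x10000 entries: loop stays in bounds");

// Bounded dump: N is taken from the array type, and the inner loop stops at N
// even when N is not a multiple of the row width.
template <std::size_t N>
std::string dumpTable(const unsigned char (&table)[N]) {
    std::string out = "{\n";
    char cell[8];
    for (std::size_t row = 0; row < N; row += kRowWidth) {
        for (std::size_t i = row; i < N && i < row + kRowWidth; ++i) {
            std::snprintf(cell, sizeof cell, "0x%02X,", static_cast<unsigned>(table[i]));
            out += cell;
        }
        out += '\n';
    }
    return out + "};\n";
}

// Number of table entries emitted in a dump (one comma per entry).
std::size_t cellsIn(const std::string& dump) {
    return static_cast<std::size_t>(std::count(dump.begin(), dump.end(), ','));
}

int main() {
    std::printf("cells dumped: %zu\n", cellsIn(dumpTable(gSampleTable)));
    return 0;
}
```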